[analyzer] Implement pointer arithmetic on constants

Patch by: Rafael Stahl! Differential Revision: https://reviews.llvm.org/D37478 llvm-svn: 315296
2017-10-10 11:01:49 +00:00 · 2017-10-10 11:01:49 +00:00 · 21524676a2
parent 29ffd3f1d9
commit 21524676a2
2 changed files with 36 additions and 0 deletions
--- a/clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
+++ b/clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
@ -922,6 +922,10 @@ SVal SimpleSValBuilder::evalBinOpLN(ProgramStateRef state,
  if (rhs.isZeroConstant())
    return lhs;

+  // Perserve the null pointer so that it can be found by the DerefChecker.
+  if (lhs.isZeroConstant())
+    return lhs;
+
  // We are dealing with pointer arithmetic.

  // Handle pointer arithmetic on constant values.
@ -937,6 +941,8 @@ SVal SimpleSValBuilder::evalBinOpLN(ProgramStateRef state,

      // Offset the increment by the pointer size.
      llvm::APSInt Multiplicand(rightI.getBitWidth(), /* isUnsigned */ true);
+      QualType pointeeType = resultTy->getPointeeType();
+      Multiplicand = getContext().getTypeSizeInChars(pointeeType).getQuantity();
      rightI *= Multiplicand;

      // Compute the adjusted pointer.
--- a/clang/test/Analysis/pointer-arithmetic.c
+++ b/clang/test/Analysis/pointer-arithmetic.c
@ -0,0 +1,30 @@
+// RUN: %clang_analyze_cc1 -analyzer-checker=core -verify %s
+
+int test1() {
+  int *p = (int *)sizeof(int);
+  p -= 1;
+  return *p; // expected-warning {{Dereference of null pointer}}
+}
+
+int test2() {
+  int *p = (int *)sizeof(int);
+  p -= 2;
+  p += 1;
+  return *p; // expected-warning {{Dereference of null pointer}}
+}
+
+int test3() {
+  int *p = (int *)sizeof(int);
+  p++;
+  p--;
+  p--;
+  return *p; // expected-warning {{Dereference of null pointer}}
+}
+
+int test4() {
+  // This is a special case where pointer arithmetic is not calculated to
+  // preserve useful warnings on dereferences of null pointers.
+  int *p = 0;
+  p += 1;
+  return *p; // expected-warning {{Dereference of null pointer}}
+}