[analyzer] Enhance the member expr tracking to account for references.
As per Jordan's suggestion. (Came out of code review for r163261.) llvm-svn: 163269
This commit is contained in:
parent
b4dbc17acd
commit
3245e584db
|
@ -256,6 +256,8 @@ void trackNullOrUndefValue(const ExplodedNode *N, const Stmt *S, BugReport &R);
|
|||
const Stmt *GetDerefExpr(const ExplodedNode *N);
|
||||
const Stmt *GetDenomExpr(const ExplodedNode *N);
|
||||
const Stmt *GetRetValExpr(const ExplodedNode *N);
|
||||
bool isDeclRefExprToReference(const Expr *E);
|
||||
|
||||
|
||||
} // end namespace clang
|
||||
} // end namespace ento
|
||||
|
|
|
@ -130,7 +130,7 @@ void DereferenceChecker::reportBug(ProgramStateRef State, const Stmt *S,
|
|||
}
|
||||
case Stmt::MemberExprClass: {
|
||||
const MemberExpr *M = cast<MemberExpr>(S);
|
||||
if (M->isArrow()) {
|
||||
if (M->isArrow() || bugreporter::isDeclRefExprToReference(M->getBase())) {
|
||||
llvm::raw_svector_ostream os(buf);
|
||||
os << "Access to field '" << M->getMemberNameInfo()
|
||||
<< "' results in a dereference of a null pointer";
|
||||
|
|
|
@ -31,6 +31,13 @@ using namespace ento;
|
|||
// Utility functions.
|
||||
//===----------------------------------------------------------------------===//
|
||||
|
||||
bool bugreporter::isDeclRefExprToReference(const Expr *E) {
|
||||
if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) {
|
||||
return DRE->getDecl()->getType()->isReferenceType();
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
const Stmt *bugreporter::GetDerefExpr(const ExplodedNode *N) {
|
||||
// Pattern match for a few useful cases (do something smarter later):
|
||||
// a[0], p->f, *p
|
||||
|
@ -54,7 +61,7 @@ const Stmt *bugreporter::GetDerefExpr(const ExplodedNode *N) {
|
|||
return U->getSubExpr()->IgnoreParenCasts();
|
||||
}
|
||||
else if (const MemberExpr *ME = dyn_cast<MemberExpr>(S)) {
|
||||
if (ME->isArrow()) {
|
||||
if (ME->isArrow() || isDeclRefExprToReference(ME->getBase())) {
|
||||
return ME->getBase()->IgnoreParenCasts();
|
||||
}
|
||||
}
|
||||
|
|
|
@ -0,0 +1,16 @@
|
|||
// RUN: %clang_cc1 -analyze -analyzer-checker=core -analyzer-output=text -verify %s
|
||||
|
||||
struct S {
|
||||
int *x;
|
||||
int y;
|
||||
};
|
||||
|
||||
S &getSomeReference();
|
||||
void test(S *p) {
|
||||
S &r = *p; //expected-note {{Variable 'r' initialized here}}
|
||||
if (p) return;
|
||||
//expected-note@-1{{Taking false branch}}
|
||||
//expected-note@-2{{Assuming pointer value is null}}
|
||||
r.y = 5; // expected-warning {{Access to field 'y' results in a dereference of a null pointer (loaded from variable 'r')}}
|
||||
// expected-note@-1{{Access to field 'y' results in a dereference of a null pointer (loaded from variable 'r')}}
|
||||
}
|
Loading…
Reference in New Issue