[analyzer] Enhance the member expr tracking to account for references.

As per Jordan's suggestion. (Came out of code review for r163261.) llvm-svn: 163269
2012-09-05 23:41:54 +00:00 · 2012-09-05 23:41:54 +00:00 · 3245e584db
parent b4dbc17acd
commit 3245e584db
4 changed files with 27 additions and 2 deletions
--- a/clang/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitor.h
+++ b/clang/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitor.h
@ -256,6 +256,8 @@ void trackNullOrUndefValue(const ExplodedNode *N, const Stmt *S, BugReport &R);
 const Stmt *GetDerefExpr(const ExplodedNode *N);
 const Stmt *GetDenomExpr(const ExplodedNode *N);
 const Stmt *GetRetValExpr(const ExplodedNode *N);
+bool isDeclRefExprToReference(const Expr *E);
+

 } // end namespace clang
 } // end namespace ento
--- a/clang/lib/StaticAnalyzer/Checkers/DereferenceChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/DereferenceChecker.cpp
@ -130,7 +130,7 @@ void DereferenceChecker::reportBug(ProgramStateRef State, const Stmt *S,
  }
  case Stmt::MemberExprClass: {
    const MemberExpr *M = cast<MemberExpr>(S);
-    if (M->isArrow()) {
+    if (M->isArrow() || bugreporter::isDeclRefExprToReference(M->getBase())) {
      llvm::raw_svector_ostream os(buf);
      os << "Access to field '" << M->getMemberNameInfo()
         << "' results in a dereference of a null pointer";
--- a/clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
+++ b/clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
@ -31,6 +31,13 @@ using namespace ento;
 // Utility functions.
 //===----------------------------------------------------------------------===//

+bool bugreporter::isDeclRefExprToReference(const Expr *E) {
+  if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) {
+    return DRE->getDecl()->getType()->isReferenceType();
+  }
+  return false;
+}
+
 const Stmt *bugreporter::GetDerefExpr(const ExplodedNode *N) {
  // Pattern match for a few useful cases (do something smarter later):
  //   a[0], p->f, *p
@ -54,7 +61,7 @@ const Stmt *bugreporter::GetDerefExpr(const ExplodedNode *N) {
        return U->getSubExpr()->IgnoreParenCasts();
    }
    else if (const MemberExpr *ME = dyn_cast<MemberExpr>(S)) {
-      if (ME->isArrow()) {
+      if (ME->isArrow() || isDeclRefExprToReference(ME->getBase())) {
        return ME->getBase()->IgnoreParenCasts();
      }
    }
--- a/clang/test/Analysis/diagnostics/deref-track-symbolic-region.cpp
+++ b/clang/test/Analysis/diagnostics/deref-track-symbolic-region.cpp
@ -0,0 +1,16 @@
+// RUN: %clang_cc1 -analyze -analyzer-checker=core -analyzer-output=text -verify %s
+
+struct S {
+  int *x;
+  int y;
+};
+
+S &getSomeReference();
+void test(S *p) {
+  S &r = *p;   //expected-note {{Variable 'r' initialized here}}
+  if (p) return;
+               //expected-note@-1{{Taking false branch}}
+               //expected-note@-2{{Assuming pointer value is null}}
+  r.y = 5; // expected-warning {{Access to field 'y' results in a dereference of a null pointer (loaded from variable 'r')}}
+           // expected-note@-1{{Access to field 'y' results in a dereference of a null pointer (loaded from variable 'r')}}
+}