[analyzer] Fix a crash on logical operators with vectors.
Do not crash when trying to compute x && y or x || y where x and y are of a vector type. For now we do not seem to properly model operations with vectors. In particular, operations && and || on a pair of vectors are not short-circuit, unlike regular logical operators, so even our CFG is incorrect. Avoid the crash, add respective FIXME tests for later. Differential Revision: https://reviews.llvm.org/D39682 rdar://problem/34317663 llvm-svn: 317700
parent
6edadae34a
commit
5904fba8c9
|
@ -626,6 +626,16 @@ void ExprEngine::VisitLogicalExpr(const BinaryOperator* B, ExplodedNode *Pred,
|
|||
StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx);
|
||||
ProgramStateRef state = Pred->getState();
|
||||
|
||||
if (B->getType()->isVectorType()) {
|
||||
// FIXME: We do not model vector arithmetic yet. When adding support for
|
||||
// that, note that the CFG-based reasoning below does not apply, because
|
||||
// logical operators on vectors are not short-circuit. Currently they are
|
||||
// modeled as short-circuit in Clang CFG but this is incorrect.
|
||||
// Do not set the value for the expression. It'd be UnknownVal by default.
|
||||
Bldr.generateNode(B, Pred, state);
|
||||
return;
|
||||
}
|
||||
|
||||
ExplodedNode *N = Pred;
|
||||
while (!N->getLocation().getAs<BlockEntrance>()) {
|
||||
ProgramPoint P = N->getLocation();
|
||||
|
|
|
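Review bot: The last comment line in the new `isVectorType()` branch, `// Do not set the value for the expression. It'd be UnknownVal by default.`, runs straight on from the FIXME although it describes current behaviour rather than pending work. Separating it with a blank line and stating the consequence would read better, e.g. `// No value is bound to B here, so its value is UnknownVal for anything that reads it.` The branch returns before the predecessor walk that begins at `ExplodedNode *N = Pred;`, so each incoming CFG path presumably still yields its own node; the comment could say that the state split is kept on purpose for now. The body of VisitLogicalExpr starts and ends outside the hunk.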
@ -0,0 +1,28 @@
|
|||
// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -verify %s
|
||||
|
||||
typedef int __attribute__((ext_vector_type(2))) V;
|
||||
|
||||
void clang_analyzer_numTimesReached();
|
||||
void clang_analyzer_eval(int);
|
||||
|
||||
int flag;
|
||||
|
||||
V pass_through_and_set_flag(V v) {
|
||||
flag = 1;
|
||||
return v;
|
||||
}
|
||||
|
||||
V dont_crash_and_dont_split_state(V x, V y) {
|
||||
flag = 0;
|
||||
V z = x && pass_through_and_set_flag(y);
|
||||
clang_analyzer_eval(flag); // expected-warning{{TRUE}}
|
||||
// FIXME: For now we treat vector operator && as short-circuit,
|
||||
// but in fact it is not. It should always evaluate
|
||||
// pass_through_and_set_flag(). It should not split state.
|
||||
// Now we also get FALSE on the other path.
|
||||
// expected-warning@-5{{FALSE}}
|
||||
|
||||
// FIXME: Should be 1 since we should not split state.
|
||||
clang_analyzer_numTimesReached(); // expected-warning{{2}}
|
||||
return z;
|
||||
}
|
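Review bot: The new test exercises only `&&` in `dont_crash_and_dont_split_state`, while the commit message says the crash also occurs for `x || y`. A second function using `V z = x || pass_through_and_set_flag(y);` with its own `clang_analyzer_eval(flag);` expectations would pin the other operator as well. The relative directive `// expected-warning@-5{{FALSE}}` also has to be recounted whenever the FIXME comment above it gains or loses a line. Putting both directives on the `clang_analyzer_eval(flag);` line, as `// expected-warning{{TRUE}} expected-warning{{FALSE}}`, would remove the offset.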