StoreManager::CastRegion:

- Don't layer TypedViewRegions on top of any region except
  SymbolicRegions and AllocaRegions.  This follows from my offline
  discussion within Zhongxing about how TypedViewRegions really only
  represent memory getting re-appropriated for a new purpose.

Fallout	from this change:
- Move test case from xfail_rdar_6440393.m to misc-ps-64.m
  (it now passes).

- test/Analysis/fields.c now fails for region store (crash).
  Marking XFAIL.

- test/Analysis/rdar-6441136-region.c now fails (only runs with region store).
  Marking XFAIL.

  Diagnosis: The analyzer now correctly identifies an early out-of-bounds memory
   access then the one flagged:

  rdar-6541136-region.c:17:3: warning: Load or store into an out-of-bound memory position.
    *p = 1;
    ^~

  Changing the line:
   char *p = (void*) &wonky[1];
  to
   char *p = (void*) &wonky[0];

  (which should delay the buffer overrun) causes region store to crash, probably
  because it expects a TypedViewRegion.

- test/Analysis/casts.c (region store) now fails (crash).
  Marking XFAIL.

llvm-svn: 70565

clang/lib/Analysis/Store.cpp

@@ -59,9 +59,15 @@ StoreManager::CastRegion(const GRState* state, const MemRegion* R,
       return CastResult(state, R);
     }
 
-  // FIXME: We don't want to layer region views.  Need to handle
-  // arbitrary downcasts.
+  // FIXME: Need to handle arbitrary downcasts.
+  // FIXME: Handle the case where a TypedViewRegion (layering a SymbolicRegion
+  //         or an AllocaRegion is cast to another view, thus causing the memory
+  //         to be re-used for a different purpose.
 
-  const MemRegion* ViewR = MRMgr.getTypedViewRegion(CastToTy, R);  
-  return CastResult(AddRegionView(state, ViewR, R), ViewR);
+  if (isa<SymbolicRegion>(R) || isa<AllocaRegion>(R)) {
+    const MemRegion* ViewR = MRMgr.getTypedViewRegion(CastToTy, R);  
+    return CastResult(AddRegionView(state, ViewR, R), ViewR);
+  }
+  
+  return CastResult(state, R);
 }

clang/test/Analysis/casts.c

@@ -2,6 +2,7 @@
 
 // Test if the 'storage' region gets properly initialized after it is cast to
 // 'struct sockaddr *'. 
+// XFAIL
 
 #include <sys/socket.h>
 void f(int sock) {

clang/test/Analysis/fields.c

@@ -1,6 +1,6 @@
 // RUN: clang-cc -analyze -checker-cfref %s --analyzer-store=basic -verify &&
-// RUN: clang-cc -analyze -checker-cfref %s --analyzer-store=region -verify &&
-// RUN: clang-cc -analyze -checker-simple %s -verify
+// RUN: clang-cc -analyze -checker-cfref %s --analyzer-store=region -verify
+// XFAIL
 
 unsigned foo();
 typedef struct bf { unsigned x:2; } bf;

clang/test/Analysis/misc-ps-64.m

@@ -1,9 +1,7 @@
-// RUN: clang-cc -analyze -checker-cfref -analyzer-store=basic %s &&
-// RUN: clang-cc -analyze -checker-cfref -analyzer-store=region %s
-// XFAIL
-
-// *** These tests will be migrated to other test files once these failures
-//     are resolved.
+// RUN: clang-cc -triple x86_64-apple-darwin9 -analyze -checker-cfref --analyzer-store=basic -analyzer-constraints=basic --verify -fblocks %s &&
+// RUN: clang-cc -triple x86_64-apple-darwin9 -analyze -checker-cfref --analyzer-store=basic -analyzer-constraints=range --verify -fblocks %s &&
+// RUN: clang-cc -triple x86_64-apple-darwin9 -analyze -checker-cfref --analyzer-store=region -analyzer-constraints=basic --verify -fblocks %s &&
+// RUN: clang-cc -triple x86_64-apple-darwin9 -analyze -checker-cfref --analyzer-store=region -analyzer-constraints=range --verify -fblocks %s
 
 // <rdar://problem/6440393> - A bunch of misc. failures involving evaluating
 //  these expressions and building CFGs.  These tests are here to prevent
@@ -24,3 +22,4 @@ void rdar_6440393_1(NSDictionary *dict) {
     return;
   shazam(x, &bufptr);
 }
+

clang/test/Analysis/rdar-6541136-region.c

@@ -1,4 +1,5 @@
 // RUN: clang-cc -verify -analyze -checker-cfref -analyzer-store=region %s
+// XFAIL
 
 struct tea_cheese { unsigned magic; };
 typedef struct tea_cheese kernel_tea_cheese_t;