[analyzer] Fix unreachable creating PathDiagnosticLocation with widen…

…-loops=true In the original design of the analyzer, it was assumed that a BlockEntrance doesn't create a new binding on the Store, but this assumption isn't true when 'widen-loops' is set to true. Fix this by finding an appropriate location BlockEntrace program points. Patch by Henry Wong! Differential Revision: https://reviews.llvm.org/D37187 llvm-svn: 319333
llvm · Nov 29, 2017 · 9a2c14a · 9a2c14a
1 parent a1f6fbd
commit 9a2c14a
Show file tree

Hide file tree

Showing 2 changed files with 81 additions and 0 deletions.
diff --git a/clang/lib/StaticAnalyzer/Core/PathDiagnostic.cpp b/clang/lib/StaticAnalyzer/Core/PathDiagnostic.cpp
@@ -690,6 +690,15 @@ PathDiagnosticLocation::create(const ProgramPoint& P,
     return getLocationForCaller(CEE->getCalleeContext(),
                                 CEE->getLocationContext(),
                                 SMng);
+  } else if (Optional<BlockEntrance> BE = P.getAs<BlockEntrance>()) {
+    CFGElement BlockFront = BE->getBlock()->front();
+    if (auto StmtElt = BlockFront.getAs<CFGStmt>()) {
+      return PathDiagnosticLocation(StmtElt->getStmt()->getLocStart(), SMng);
+    } else if (auto NewAllocElt = BlockFront.getAs<CFGNewAllocator>()) {
+      return PathDiagnosticLocation(
+          NewAllocElt->getAllocatorExpr()->getLocStart(), SMng);
+    }
+    llvm_unreachable("Unexpected CFG element at front of block");
   } else {
     llvm_unreachable("Unexpected ProgramPoint");
   }

diff --git a/clang/test/Analysis/loop-widening-notes.cpp b/clang/test/Analysis/loop-widening-notes.cpp
@@ -0,0 +1,72 @@
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha -analyzer-max-loop 2 -analyzer-config widen-loops=true -analyzer-output=text -verify %s
+
+int *p_a;
+int bar();
+int flag_a;
+int test_for_bug_25609() {
+  if (p_a == 0) // expected-note {{Assuming 'p_a' is equal to null}} 
+                // expected-note@-1 {{Taking true branch}}
+    bar();
+  for (int i = 0;  // expected-note {{Loop condition is true.  Entering loop body}}                    
+                   // expected-note@-1 {{Loop condition is false. Execution continues on line 16}}
+       ++i,        // expected-note {{Value assigned to 'p_a'}} 
+       i < flag_a;
+       ++i) {}
+
+  *p_a = 25609; // no-crash expected-warning {{Dereference of null pointer (loaded from variable 'p_a')}}
+                // expected-note@-1 {{Dereference of null pointer (loaded from variable 'p_a')}}
+  return *p_a;
+}
+
+int flag_b;
+int while_analyzer_output() {
+  flag_b = 100;
+  int num = 10;
+  while (flag_b-- > 0) { // expected-note {{Loop condition is true.  Entering loop body}} 
+                         // expected-note@-1 {{Value assigned to 'num'}} 
+                         // expected-note@-2 {{Loop condition is false. Execution continues on line 30}}
+    num = flag_b;
+  }
+  if (num < 0) // expected-note {{Assuming 'num' is >= 0}} 
+               // expected-note@-1 {{Taking false branch}}
+    flag_b = 0;
+  else if (num >= 1) // expected-note {{Assuming 'num' is < 1}} 
+                     // expected-note@-1 {{Taking false branch}}
+    flag_b = 50;
+  else
+    flag_b = 100;
+  return flag_b / num; // no-crash expected-warning {{Division by zero}} 
+                       // expected-note@-1 {{Division by zero}}
+}
+
+int flag_c;
+int do_while_analyzer_output() {
+  int num = 10;
+  do {   // expected-note {{Loop condition is true. Execution continues on line 47}} 
+         // expected-note@-1 {{Loop condition is false.  Exiting loop}}
+    num--;
+  } while (flag_c-- > 0); //expected-note {{Value assigned to 'num'}}
+  int local = 0;
+  if (num == 0)       // expected-note {{Assuming 'num' is equal to 0}} 
+                      // expected-note@-1 {{Taking true branch}}
+    local = 10 / num; // no-crash expected-warning {{Division by zero}}
+                      // expected-note@-1 {{Division by zero}}
+  return local;
+}
+
+int flag_d;
+int test_for_loop() {
+  int num = 10;
+  for (int i = 0;    // expected-note {{Loop condition is true.  Entering loop body}} 
+                     // expected-note@-1 {{Loop condition is false. Execution continues on line 67}}
+       new int(10),  // expected-note {{Value assigned to 'num'}}
+       i < flag_d;
+       ++i) {         
+    ++num;
+  }
+  if (num == 0) // expected-note {{Assuming 'num' is equal to 0}} 
+                // expected-note@-1 {{Taking true branch}}
+    flag_d += 10;
+  return flag_d / num; // no-crash expected-warning {{Division by zero}} 
+                       // expected-note@-1 {{Division by zero}}
+}