Fix a few more false positives involving RegionStore and unions, but this time
with array accesses. In the process, refactor some common logic in
RetrieveElement() and RetrieveField() into RetrieveFieldOrElementCommon().
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@78349 91177308-0d34-0410-b5e6-96231b3b80d8
diff --git a/lib/Analysis/RegionStore.cpp b/lib/Analysis/RegionStore.cpp
index 8cb4d98..48e6de7 100644
--- a/lib/Analysis/RegionStore.cpp
+++ b/lib/Analysis/RegionStore.cpp
@@ -315,6 +315,9 @@
SVal RetrieveLazySymbol(const GRState *state, const TypedRegion *R);
+ SVal RetrieveFieldOrElementCommon(const GRState *state, const TypedRegion *R,
+ QualType Ty, const MemRegion *superR);
+
SValuator::CastResult CastRetrievedVal(SVal val, const GRState *state,
const TypedRegion *R, QualType castTy);
@@ -1053,109 +1056,66 @@
}
}
- // Check if the super region has a default value.
- if (const SVal *D = state->get<RegionDefaultValue>(superR)) {
- if (D->hasConjuredSymbol())
- return ValMgr.getRegionValueSymbolVal(R);
- else
- return *D;
- }
-
- // Check if the super region has a binding.
+ // Check if the immediate super region has a direct binding.
if (const SVal *V = B.lookup(superR)) {
if (SymbolRef parentSym = V->getAsSymbol())
return ValMgr.getDerivedRegionValueSymbolVal(parentSym, R);
if (V->isUnknownOrUndef())
return *V;
-
- // Handle LazyCompoundVals below.
- if (const nonloc::LazyCompoundVal *LVC =
- dyn_cast<nonloc::LazyCompoundVal>(V)) {
- return RetrieveElement(LVC->getState(),
- MRMgr.getElementRegionWithSuper(R,
- LVC->getRegion()));
- }
+
+ // Handle LazyCompoundVals for the immediate super region. Other cases
+ // are handled in 'RetrieveFieldOrElementCommon'.
+ if (const nonloc::LazyCompoundVal *LCV =
+ dyn_cast<nonloc::LazyCompoundVal>(V)) {
+ R = MRMgr.getElementRegionWithSuper(R, LCV->getRegion());
+ return RetrieveElement(LCV->getState(), R);
+ }
+
// Other cases: give up.
return UnknownVal();
}
- // Lazy binding?
- const GRState *lazyBindingState = NULL;
- const MemRegion *LazyBindingRegion = NULL;
- llvm::tie(lazyBindingState, LazyBindingRegion) = GetLazyBinding(B, R);
-
- if (lazyBindingState) {
- assert(LazyBindingRegion && "Lazy-binding region not set");
- return RetrieveElement(lazyBindingState,
- cast<ElementRegion>(LazyBindingRegion));
- }
-
- // Default value cases.
-#if 0
- if (R->hasHeapStorage()) {
- // FIXME: If the region has heap storage and we know nothing special
- // about its bindings, should we instead return UnknownVal? Seems like
- // we should only return UndefinedVal in the cases where we know the value
- // will be undefined.
- return UndefinedVal();
- }
-#endif
-
- if (R->hasStackStorage() && !R->hasParametersStorage()) {
- // Currently we don't reason specially about Clang-style vectors. Check
- // if superR is a vector and if so return Unknown.
- if (const TypedRegion *typedSuperR = dyn_cast<TypedRegion>(superR)) {
- if (typedSuperR->getValueType(getContext())->isVectorType())
- return UnknownVal();
- }
-
- return UndefinedVal();
- }
-
- QualType Ty = R->getValueType(getContext());
-
- return ValMgr.getRegionValueSymbolValOrUnknown(R, Ty);
+ return RetrieveFieldOrElementCommon(state, R, R->getElementType(), superR);
}
SVal RegionStoreManager::RetrieveField(const GRState* state,
const FieldRegion* R) {
- QualType Ty = R->getValueType(getContext());
// Check if the region has a binding.
RegionBindings B = GetRegionBindings(state->getStore());
if (const SVal* V = B.lookup(R))
return *V;
- const MemRegion* superR = R->getSuperRegion();
+ QualType Ty = R->getValueType(getContext());
+ return RetrieveFieldOrElementCommon(state, R, Ty, R->getSuperRegion());
+}
+
+SVal RegionStoreManager::RetrieveFieldOrElementCommon(const GRState *state,
+ const TypedRegion *R,
+ QualType Ty,
+ const MemRegion *superR) {
+
+ // At this point we have already checked in either RetrieveElement or
+ // RetrieveField if 'R' has a direct binding.
+
+ RegionBindings B = GetRegionBindings(state->getStore());
+
while (superR) {
if (const Optional<SVal> &D = getDefaultBinding(state, superR)) {
if (SymbolRef parentSym = D->getAsSymbol())
return ValMgr.getDerivedRegionValueSymbolVal(parentSym, R);
-
+
if (D->isZeroConstant())
return ValMgr.makeZeroVal(Ty);
-
- if (const nonloc::LazyCompoundVal *LCV =
- dyn_cast<nonloc::LazyCompoundVal>(D)) {
- const FieldRegion *FR =
- MRMgr.getFieldRegionWithSuper(R, LCV->getRegion());
- return RetrieveField(LCV->getState(), FR);
- }
-
+
if (D->isUnknown())
return *D;
-
+
assert(0 && "Unknown default value");
}
- if (const SVal *V = B.lookup(superR)) {
- // Handle LazyCompoundVals below.
- if (isa<nonloc::CompoundVal>(*V))
- break;
- }
-
// If our super region is a field or element itself, walk up the region
// hierarchy to see if there is a default value installed in an ancestor.
if (isa<FieldRegion>(superR) || isa<ElementRegion>(superR)) {
@@ -1168,28 +1128,38 @@
// Lazy binding?
const GRState *lazyBindingState = NULL;
- const MemRegion *LazyBindingRegion = NULL;
- llvm::tie(lazyBindingState, LazyBindingRegion) = GetLazyBinding(B, R);
+ const MemRegion *lazyBindingRegion = NULL;
+ llvm::tie(lazyBindingState, lazyBindingRegion) = GetLazyBinding(B, R);
if (lazyBindingState) {
- assert(LazyBindingRegion && "Lazy-binding region not set");
+ assert(lazyBindingRegion && "Lazy-binding region not set");
+
+ if (isa<ElementRegion>(R))
+ return RetrieveElement(lazyBindingState,
+ cast<ElementRegion>(lazyBindingRegion));
+
return RetrieveField(lazyBindingState,
- cast<FieldRegion>(LazyBindingRegion));
- }
-
-#if HEAP_UNDEFINED
- // FIXME: Is this correct? Should it be UnknownVal?
- if (R->hasHeapStorage())
- return UndefinedVal();
-#endif
+ cast<FieldRegion>(lazyBindingRegion));
+ }
- if (R->hasStackStorage() && !R->hasParametersStorage())
+ if (R->hasStackStorage() && !R->hasParametersStorage()) {
+
+ if (isa<ElementRegion>(R)) {
+ // Currently we don't reason specially about Clang-style vectors. Check
+ // if superR is a vector and if so return Unknown.
+ if (const TypedRegion *typedSuperR = dyn_cast<TypedRegion>(superR)) {
+ if (typedSuperR->getValueType(getContext())->isVectorType())
+ return UnknownVal();
+ }
+ }
+
return UndefinedVal();
-
+ }
+
// All other values are symbolic.
return ValMgr.getRegionValueSymbolValOrUnknown(R, Ty);
}
-
+
SVal RegionStoreManager::RetrieveObjCIvar(const GRState* state,
const ObjCIvarRegion* R) {
diff --git a/test/Analysis/unions-region.m b/test/Analysis/unions-region.m
index d253009..be4f185 100644
--- a/test/Analysis/unions-region.m
+++ b/test/Analysis/unions-region.m
@@ -6,10 +6,9 @@
//
//===----------------------------------------------------------------------===//
-// When using RegionStore, this test case previously had a false positive
-// of a 'pass-by-value argument is uninitialized' warning at the call to
-// 'testA_aux'.
-
+// [testA] When using RegionStore, this test case previously had a
+// false positive of a 'pass-by-value argument is uninitialized'
+// warning at the call to 'testA_aux' and 'testA_aux_2'.
union u_testA {
unsigned i;
float f;
@@ -30,3 +29,13 @@
return swap.f;
}
+// [testB] When using RegionStore, this test case previously had a
+// false positive of a 'pass-by-value argument is uninitialized'
+// warning at the call to 'testB_aux'.
+void testB(int i) {
+ void testB_aux(short z);
+ union { short x[2]; unsigned y; } val;
+ val.y = 10;
+ testB_aux(val.x[1]); // no-warning
+}
+