Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / clang / 899b3de7bc32434fc406f35255cc828ba8372b3d^! / . / lib / Analysis / GRExprEngine.cpp
commit899b3de7bc32434fc406f35255cc828ba8372b3d[log] [tgz]
authorTed Kremenek <kremenek@apple.com>Wed Apr 08 03:07:17 2009 +0000
committerTed Kremenek <kremenek@apple.com>Wed Apr 08 03:07:17 2009 +0000
tree5daccbcf492df6d6147f7f170572e86de1caedd3
parent9fd0b1f845a61e71dd8099f596532d34c519630a [diff] [blame]
New static analyzer check by Nikita Zhuk!

"The attached patch generates warnings of cases where an ObjC message is sent to
a nil object and the size of return type of that message is larger than the size
of void pointer. This may result in undefined return values as described in PR
2718.  The patch also includes test cases."


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@68585 91177308-0d34-0410-b5e6-96231b3b80d8

diff --git a/lib/Analysis/GRExprEngine.cpp b/lib/Analysis/GRExprEngine.cpp
index 487aac0..06d61cc 100644
--- a/lib/Analysis/GRExprEngine.cpp
+++ b/lib/Analysis/GRExprEngine.cpp

@@ -1690,20 +1690,40 @@
     
     if (isFeasibleNull) {
       // Check if the receiver was nil and the return value a struct.
-      if (ME->getType()->isRecordType() &&
-          BR.getParentMap().isConsumedExpr(ME)) {
-        // The [0 ...] expressions will return garbage.  Flag either an
-        // explicit or implicit error.  Because of the structure of this
-        // function we currently do not bifurfacte the state graph at
-        // this point.
-        // FIXME: We should bifurcate and fill the returned struct with
-        //  garbage.                
-        if (NodeTy* N = Builder->generateNode(ME, StNull, Pred)) {
-          N->markAsSink();
-          if (isFeasibleNotNull)
-            NilReceiverStructRetImplicit.insert(N);
-          else
-            NilReceiverStructRetExplicit.insert(N);
+      if (BR.getParentMap().isConsumedExpr(ME)) {
+        if(ME->getType()->isRecordType()) {
+          // The [0 ...] expressions will return garbage.  Flag either an
+          // explicit or implicit error.  Because of the structure of this
+          // function we currently do not bifurfacte the state graph at
+          // this point.
+          // FIXME: We should bifurcate and fill the returned struct with
+          //  garbage.                
+          if (NodeTy* N = Builder->generateNode(ME, StNull, Pred)) {
+            N->markAsSink();
+            if (isFeasibleNotNull)
+              NilReceiverStructRetImplicit.insert(N);
+            else
+              NilReceiverStructRetExplicit.insert(N);
+          }
+        }
+        else {
+          ASTContext& Ctx = getContext();
+          
+          // sizeof(void *)
+          const uint64_t voidPtrSize = Ctx.getTypeSize(Ctx.VoidPtrTy);
+          
+          // sizeof(return type)
+          const uint64_t returnTypeSize = Ctx.getTypeSize(ME->getType());
+          
+          if(voidPtrSize < returnTypeSize) {
+            if (NodeTy* N = Builder->generateNode(ME, StNull, Pred)) {
+              N->markAsSink();
+              if(isFeasibleNotNull)
+                NilReceiverLargerThanVoidPtrRetImplicit.insert(N);
+              else
+                NilReceiverLargerThanVoidPtrRetExplicit.insert(N);
+            }
+          }
         }
       }
     }