Add checking for zero-sized VLAs.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@60726 91177308-0d34-0410-b5e6-96231b3b80d8
diff --git a/lib/Analysis/GRExprEngine.cpp b/lib/Analysis/GRExprEngine.cpp
index 8a32bfe..fb52067 100644
--- a/lib/Analysis/GRExprEngine.cpp
+++ b/lib/Analysis/GRExprEngine.cpp
@@ -1773,8 +1773,7 @@
if (!D || !isa<VarDecl>(D))
return;
- const VarDecl* VD = dyn_cast<VarDecl>(D);
-
+ const VarDecl* VD = dyn_cast<VarDecl>(D);
Expr* InitEx = const_cast<Expr*>(VD->getInit());
// FIXME: static variables may have an initializer, but the second
@@ -1812,6 +1811,33 @@
}
else
St = StateMgr.BindDecl(St, VD, 0, Count);
+
+
+ // Check if 'VD' is a VLA and if so check if has a non-zero size.
+ QualType T = getContext().getCanonicalType(VD->getType());
+ if (VariableArrayType* VLA = dyn_cast<VariableArrayType>(T)) {
+ // FIXME: Handle multi-dimensional VLAs.
+
+ Expr* SE = VLA->getSizeExpr();
+ SVal Size = GetSVal(St, SE);
+
+ bool isFeasibleZero = false;
+ const GRState* ZeroSt = Assume(St, Size, false, isFeasibleZero);
+
+ bool isFeasibleNotZero = false;
+ St = Assume(St, Size, true, isFeasibleNotZero);
+
+ if (isFeasibleZero) {
+ if (NodeTy* N = Builder->generateNode(DS, ZeroSt, Pred)) {
+ N->markAsSink();
+ if (isFeasibleNotZero) ImplicitZeroSizedVLA.insert(N);
+ else ExplicitZeroSizedVLA.insert(N);
+ }
+ }
+
+ if (!isFeasibleNotZero)
+ continue;
+ }
MakeNode(Dst, DS, *I, St);
}
diff --git a/lib/Analysis/GRExprEngineInternalChecks.cpp b/lib/Analysis/GRExprEngineInternalChecks.cpp
index be72823..8b484ab 100644
--- a/lib/Analysis/GRExprEngineInternalChecks.cpp
+++ b/lib/Analysis/GRExprEngineInternalChecks.cpp
@@ -163,7 +163,7 @@
"Receiver in message expression is an uninitialized value.") {}
virtual void EmitBuiltinWarnings(BugReporter& BR, GRExprEngine& Eng) {
- for (GRExprEngine::UndefReceiversTy::iterator I=Eng.undef_receivers_begin(),
+ for (GRExprEngine::ErrorNodes::iterator I=Eng.undef_receivers_begin(),
End = Eng.undef_receivers_end(); I!=End; ++I) {
// Generate a report for this bug.
@@ -331,6 +331,33 @@
Emit(BR, Eng.explicit_oob_memacc_begin(), Eng.explicit_oob_memacc_end());
}
};
+
+class VISIBILITY_HIDDEN ZeroSizeVLA : public BuiltinBug {
+
+public:
+ ZeroSizeVLA() : BuiltinBug("Zero-sized VLA",
+ "VLAs with zero-size are undefined.") {}
+
+ virtual void EmitBuiltinWarnings(BugReporter& BR, GRExprEngine& Eng) {
+ for (GRExprEngine::ErrorNodes::iterator
+ I = Eng.ExplicitZeroSizedVLA.begin(),
+ E = Eng.ExplicitZeroSizedVLA.end(); I!=E; ++I) {
+
+ // Generate a report for this bug.
+ PostStmt PS = cast<PostStmt>((*I)->getLocation());
+ DeclStmt *DS = cast<DeclStmt>(PS.getStmt());
+ VarDecl* VD = cast<VarDecl>(*DS->decl_begin());
+ QualType T = Eng.getContext().getCanonicalType(VD->getType());
+ VariableArrayType* VT = cast<VariableArrayType>(T);
+
+ RangedBugReport report(*this, *I);
+ report.addRange(VT->getSizeExpr()->getSourceRange());
+
+ // Emit the warning.
+ BR.EmitWarning(report);
+ }
+ }
+};
//===----------------------------------------------------------------------===//
// __attribute__(nonnull) checking
@@ -403,5 +430,6 @@
Register(new BadMsgExprArg());
Register(new BadReceiver());
Register(new OutOfBoundMemoryAccess());
+ Register(new ZeroSizeVLA());
AddCheck(new CheckAttrNonNull(), Stmt::CallExprClass);
}