This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/StaticAnalyzer/Core/
-
StaticAnalyzer/
-
Core/
23/23
RegionStore.cpp
-
test/Analysis/
-
Analysis/
1/1
initialization.c
9/10
initialization.cpp

Differential D111654

[analyzer] Retrieve a value from list initialization of multi-dimensional array declaration.
ClosedPublic

Authored by ASDenysPetrov on Oct 12 2021, 9:15 AM.

Download Raw Diff

Details

Reviewers

NoQ
aaron.ballman
steakhal
martong
vsavchenko

Commits

rGa12bfac292db: [analyzer] Retrieve a value from list initialization of multi-dimensional array…

Summary

Add support of multi-dimensional arrays in RegionStoreManager::getBindingForElement. Handle nested ElementRegion's getting offsets and checking for being in bounds. Get values from the nested initialization lists using obtained offsets.

Example:

const int arr[3][2] = {{1, 2}, {3, 4}};
arr[0][0];  // 1
arr[0][1];  // 2
arr[0][2];  // UB
arr[1][0];  // 3
arr[1][1];  // 4
arr[1][-1]; // UB
arr[2][0];  // 0
arr[2][1];  // 0
arr[-2][0]; // UB

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

ASDenysPetrov created this revision.Oct 12 2021, 9:15 AM

Herald added subscribers: manas, dkrupp, donat.nagy and 7 others. · View Herald TranscriptOct 12 2021, 9:15 AM

ASDenysPetrov requested review of this revision.Oct 12 2021, 9:15 AM

Herald added a project: Restricted Project. · View Herald TranscriptOct 12 2021, 9:15 AM

Herald added a subscriber: cfe-commits. · View Herald Transcript

ASDenysPetrov edited the summary of this revision. (Show Details)Oct 12 2021, 9:18 AM

ASDenysPetrov added a parent revision: D104285: [analyzer] Retrieve a value from list initialization of constant array declaration in a global scope..Oct 12 2021, 9:20 AM

Harbormaster completed remote builds in B128393: Diff 379073.Oct 12 2021, 10:29 AM

Could you please rebase on top of D111542? That would make the changes direct and clear and the review would be easier.

In D111654#3060822, @martong wrote:

Could you please rebase on top of D111542? That would make the changes direct and clear and the review would be easier.

OK. I'll rebase.

Improved. Rebased on top of D107339.
@martong kind ping.

Harbormaster completed remote builds in B130151: Diff 381562.Oct 22 2021, 8:29 AM

This is an important step towards better handling of global initializer expressions.
I'm looking forward to it. Although, I have concerns to address.

clang/lib/AST/Type.cpp
141–143 ↗	(On Diff #381562)	These comments should be in the header file instead.
149 ↗	(On Diff #381562)	I suspect this not gonna look through typedefs.
clang/lib/StaticAnalyzer/Core/RegionStore.cpp
1750–1761	I dislike this part of code. It has side effects all over the place. Please use immediately called lambdas to describe your intentions in a more pure manner. Besides that, when I see `ElementRegions`, I'm always scared. They sometimes represent reinterpret casts. Since you have dealt with so many casts and region store stuff in the past, I'm assuming you have thought about this here. Although, I'm still scared slightly, and I'd like to have evidence of this thought process. Likely some assertions or at least some comments? Could you @ASDenysPetrov elaborate on this?
1814	I would rather take it by value. They are designed so. A mutable reference is always a bad sign anyway. BTW for a brief moment I thought `reverse()` returns a temporary, but it doesn't, so we don't dangle at least.
1820	Please use the `isNegative()`. And don't have sideffects in conditions. advance the iterator at the end of the `if`. I also think you can eliminate the `I` variable. That way the `getExtValue()` would be guarded by the negativity check. I know that your code would behave the same, but I would find that phrasing slightly easier to follow. This way you could even spare the 2 comment lines.
1824	This is probably a rare case when a `continue` is preferred instead of the `else` statement.
1861–1872	Just spell out `uint64_t` here. We don't win much by using `auto`.
1879–1884	Please, restructure this. Probably negating the condition and returning on that path would do the job.
clang/test/Analysis/initialization.cpp
17–23	Sorry If I was misunderstood in the previous patches. I think, for this instance, the key is that `arr` is `const`, so this TU is supposed to provide this linker symbol, thus any other definitions would violate the ODR. So, the `FIXME` is actually accurate, and we should report `0` here.
56	Does this work if the `= {}` is not present?
99	Uh, this would be a regression. Accessing `Unknown` is not a bug, unlike accessing `Undefined` - which is a clear indication that we must have had UB in the calculation previously, to get this. So, this is slightly similar to llvm poison on that sense.
110	typo

martong added inline comments.Oct 25 2021, 6:59 AM

clang/include/clang/AST/Type.h
2953 ↗	(On Diff #381562)	Could this be a free function (not a member function)? That way we could put it as an implementation detail of `RegionStore.cpp` and we could spare the timely review from the AST code owners.
clang/lib/StaticAnalyzer/Core/RegionStore.cpp
444–446	Could you please add docs to this function? Especially to `ConcreteOffsets` param.
1748–1761	I think this could be implemented in it's own separate function, couldn't it?
1763	Please address this TODO.
1799–1800	Perhaps this hunk could be in an individual implementation function?
clang/test/Analysis/initialization.c
76	Very good!

ASDenysPetrov added inline comments.Oct 26 2021, 7:40 AM

clang/lib/StaticAnalyzer/Core/RegionStore.cpp
1750–1761	Please use immediately called lambdas. I'll do. They sometimes represent reinterpret casts. ... I'm assuming you have thought about this here. Yes. This is my another revision in the stack. You are welcome: D110927
1763	I found the tests: Analysis/MemRegion.cpp Analysis/ctor.mm Analysis/mpichecker.cpp Analysis/string.c They cover this check.

ASDenysPetrov added inline comments.Oct 26 2021, 8:10 AM

clang/test/Analysis/initialization.cpp
17–23	Right. FALSE expected. And it is fixed with the patch. But this case duplicates some more detailed cases I've added below. So I decide to remove it.
56	The compiler (AST) doesn't pass you through without an initializer by emitting a warning. But still there is a case without initializer at the end of the file. Yes, it does work.
99	This is a big problem with casts (in `SValBuilder::evalCast`). I've investigated it. Relates to D89055. IMO the solution will take a separate patch stack. I'm going to fix this next.

ASDenysPetrov added inline comments.Oct 26 2021, 9:12 AM

clang/lib/StaticAnalyzer/Core/RegionStore.cpp
1799–1800	There are two returns inside the loop. That would not such easy to do a separate function for this.

@martong @steakhal
Thank you for your remarks. Updated according to them (at least the best I could do for now).

Harbormaster completed remote builds in B130737: Diff 382361.Oct 26 2021, 9:17 AM

martong added inline comments.Oct 27 2021, 6:23 AM

clang/lib/StaticAnalyzer/Core/RegionStore.cpp
1799–1800	There are two returns inside the loop. That would not such easy to do a separate function for this. I think you could return with an `Optional<SVal>` and then in the call site you could check if the optional is set. `Optional<SVal> areOffsetsOutOfBounds(...)` ? Then in the caller: if (Optional<SVal> CheckResult = areOffsetsOutOfBounds(...)) return *CheckResult;

Please, try to focus on marking inline comments done if you accomplished them.
It takes some time to reevaluate them one-by-one on each update.
Aside from that, I'd like to apply these and play with them but I'm frequently having conflicts applying your patches.

Regarding the patch, I think it's in a pretty good shape, given that you fix the regression I pointed in an inline comment.

clang/lib/StaticAnalyzer/Core/RegionStore.cpp
1810–1811	Can this be empty? If so, the subsequent `.front()` is UB. Put here an assertion if you are sure that it cannot be empty.
clang/test/Analysis/initialization.cpp
17–23	Awesome, thanks!
56	Okay, thanks!
99	I think until you do that we should stick to the previous behavior. Please address this regression, so report `UNKNOWN` for these cases or the correct answer.

I'll do an update soon taking into account all the suggestions.

Please, try to focus on marking inline comments done if you accomplished them.

In the next update.

clang/lib/StaticAnalyzer/Core/RegionStore.cpp
1799–1800	Great idea.

ASDenysPetrov marked 17 inline comments as done.Oct 28 2021, 8:57 AM

@steakhal @martong Updated according to your comments.
I think I'm done with this patch.

Harbormaster completed remote builds in B131217: Diff 383054.Oct 28 2021, 9:03 AM

ASDenysPetrov edited parent revisions, added: D107339: [analyzer] Retrieve a character from StringLiteral as an initializer for constant arrays.; removed: D104285: [analyzer] Retrieve a value from list initialization of constant array declaration in a global scope..Oct 28 2021, 9:38 AM

ASDenysPetrov edited the summary of this revision. (Show Details)

Added support of aliased types (work with canonical array type).
Added tests aliased types.
Added tests with initialization values in parentheses.

Harbormaster completed remote builds in B131456: Diff 383396.Oct 29 2021, 10:24 AM

Changed test to fix a buildbot failure.

Harbormaster completed remote builds in B131706: Diff 383751.Nov 1 2021, 2:53 AM

ASDenysPetrov added a child revision: D110927: [analyzer] Access stored value of a constant array through a pointer to another type.Nov 1 2021, 9:16 AM

I'm still worried about the fact that you assume that there is a correspondence between ElementRegions and InitListExprs.
I cannot see why this assumption holds, since reinterpret casts might introduce ElementRegions which could mess with this assumption.
Aside from that, I'm okay with the general idea of doing this kind of stuff.

clang/lib/StaticAnalyzer/Core/RegionStore.cpp
1661–1662	If I'm right then this is called the base of the region more often than not. It would be probably a better choice than using `MR`.
1663–1665	IMO this is not a concern in real-life code.
1666–1667	I would prefer returning a pair instead of an output parameter.
1788–1790	I think you can hide this within the `getConstantArrayExtents()`. That is the only function touching this variable anyway. That way you could also spare the comments about `CAT` requiring it to be canonical.

@steakhal Thank you for your suggestion. I'll make corresponding changes.

I'm still worried about the fact that you assume that there is a correspondence between ElementRegions and InitListExprs.
I cannot see why this assumption holds, since reinterpret casts might introduce ElementRegions which could mess with this assumption.

Currently in practice ElementRegions for array element access expression look like InitListExprs structure. But you are right about mess with different casts. That's why I have FIXME's in glob_ptr_index2 and glob_invalid_index6.
Right now I'm working on fixing this stuff. I'm gonna refactor StoreManager::castRegion in a part of ElementRegions to distinguish between array indirections and casts.

In D111654#3109585, @ASDenysPetrov wrote:

@steakhal Thank you for your suggestion. I'll make corresponding changes.

I'm still worried about the fact that you assume that there is a correspondence between ElementRegions and InitListExprs.
I cannot see why this assumption holds, since reinterpret casts might introduce ElementRegions which could mess with this assumption.

Currently in practice ElementRegions for array element access expression look like InitListExprs structure. But you are right about mess with different casts. That's why I have FIXME's in glob_ptr_index2 and glob_invalid_index6.
Right now I'm working on fixing this stuff. I'm gonna refactor StoreManager::castRegion in a part of ElementRegions to distinguish between array indirections and casts.

Awesome! Let's get the minor nits addressed and land it.
Thank you for working on this.

Updated according to @steakhal's comments.

Harbormaster completed remote builds in B132706: Diff 385096.Nov 5 2021, 9:42 AM

Feel free to commit your change given that you fix my final nits.
Yeah, I'm soo bad in review. I should have proposed these previously. Sorry.

clang/lib/StaticAnalyzer/Core/RegionStore.cpp
1641	You don't need to document this. Aside from that consider marking these implementation detail functions `static` if they are not yet in an anonymous namespace - I haven't checked.
1646	I think we will get it :D
1749	The `std::tie()` pattern is probably more readable.

This revision is now accepted and ready to land.Nov 5 2021, 10:53 AM

Updated according to the nits.

@steakhal

Thanks for your effort!

Yeah, I'm soo bad in review. I should have proposed these previously. Sorry.

No, you're not! I'm telling you. Keep it up! :)

Harbormaster completed remote builds in B132990: Diff 385457.Nov 8 2021, 5:39 AM

Closed by commit rGa12bfac292db: [analyzer] Retrieve a value from list initialization of multi-dimensional array… (authored by ASDenysPetrov). · Explain WhyNov 8 2021, 6:18 AM

This revision was automatically updated to reflect the committed changes.

ASDenysPetrov added a commit: rGa12bfac292db: [analyzer] Retrieve a value from list initialization of multi-dimensional array….

ASDenysPetrov mentioned this in D113480: [analyzer] Fix region cast between the same types with different qualifiers..Nov 9 2021, 4:42 AM

ASDenysPetrov mentioned this in rGf0bc7d24882a: [analyzer] Fix region cast between the same types with different qualifiers..Nov 15 2021, 9:23 AM

ASDenysPetrov removed a child revision: D110927: [analyzer] Access stored value of a constant array through a pointer to another type.Nov 19 2021, 10:43 AM

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Core/

RegionStore.cpp

259 lines

test/

Analysis/

initialization.c

39 lines

initialization.cpp

81 lines

Diff 385476

clang/lib/StaticAnalyzer/Core/RegionStore.cpp

Show First 20 Lines • Show All 431 Lines • ▼ Show 20 Lines	StoreRef invalidateRegions(Store store,
InvalidatedRegions *Invalidated,		InvalidatedRegions *Invalidated,
InvalidatedRegions *InvalidatedTopLevel) override;		InvalidatedRegions *InvalidatedTopLevel) override;

bool scanReachableSymbols(Store S, const MemRegion *R,		bool scanReachableSymbols(Store S, const MemRegion *R,
ScanReachableSymbols &Callbacks) override;		ScanReachableSymbols &Callbacks) override;

RegionBindingsRef removeSubRegionBindings(RegionBindingsConstRef B,		RegionBindingsRef removeSubRegionBindings(RegionBindingsConstRef B,
const SubRegion *R);		const SubRegion *R);
Optional<SVal> getConstantValFromConstArrayInitializer(		Optional<SVal>
RegionBindingsConstRef B, const VarRegion VR, const ElementRegion R);		getConstantValFromConstArrayInitializer(RegionBindingsConstRef B,
Optional<SVal> getSValFromInitListExpr(const InitListExpr *ILE,		const ElementRegion *R);
uint64_t Offset, QualType ElemT);		Optional<SVal>
		getSValFromInitListExpr(const InitListExpr *ILE,
		const SmallVector<uint64_t, 2> &ConcreteOffsets,
		QualType ElemT);
		martongUnsubmitted Done Reply Inline Actions Could you please add docs to this function? Especially to `ConcreteOffsets` param. martong: Could you please add docs to this function? Especially to `ConcreteOffsets` param.
SVal getSValFromStringLiteral(const StringLiteral *SL, uint64_t Offset,		SVal getSValFromStringLiteral(const StringLiteral *SL, uint64_t Offset,
QualType ElemT);		QualType ElemT);

public: // Part of public interface to class.		public: // Part of public interface to class.

StoreRef Bind(Store store, Loc LV, SVal V) override {		StoreRef Bind(Store store, Loc LV, SVal V) override {
return StoreRef(bind(getRegionBindings(store), LV, V).asStore(), *this);		return StoreRef(bind(getRegionBindings(store), LV, V).asStore(), *this);
}		}
▲ Show 20 Lines • Show All 1,174 Lines • ▼ Show 20 Lines	if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
if (Result.second)		if (Result.second)
Result.second = MRMgr.getCXXBaseObjectRegionWithSuper(BaseReg,		Result.second = MRMgr.getCXXBaseObjectRegionWithSuper(BaseReg,
Result.second);		Result.second);
}		}

return Result;		return Result;
}		}

		/// This is a helper function for `getConstantValFromConstArrayInitializer`.
		///
		/// Return an array of extents of the declared array type.
		///
		/// E.g. for `int x[1][2][3];` returns { 1, 2, 3 }.
		steakhalUnsubmitted Done Reply Inline Actions You don't need to document this. Aside from that consider marking these implementation detail functions `static` if they are not yet in an anonymous namespace - I haven't checked. steakhal: You don't need to document this. Aside from that consider marking these //implementation…
		static SmallVector<uint64_t, 2>
		getConstantArrayExtents(const ConstantArrayType *CAT) {
		assert(CAT && "ConstantArrayType should not be null");
		CAT = cast<ConstantArrayType>(CAT->getCanonicalTypeInternal());
		SmallVector<uint64_t, 2> Extents;
		steakhalUnsubmitted Done Reply Inline Actions I think we will get it :D steakhal: I think we will get it :D
		do {
		Extents.push_back(CAT->getSize().getZExtValue());
		} while ((CAT = dyn_cast<ConstantArrayType>(CAT->getElementType())));
		return Extents;
		}

		/// This is a helper function for `getConstantValFromConstArrayInitializer`.
		///
		/// Return an array of offsets from nested ElementRegions and a root base
		/// region. The array is never empty and a base region is never null.
		///
		/// E.g. for `Element{Element{Element{VarRegion},1},2},3}` returns { 3, 2, 1 }.
		/// This represents an access through indirection: `arr[1][2][3];`
		///
		/// \param ER The given (possibly nested) ElementRegion.
		///
		steakhalUnsubmitted Done Reply Inline Actions If I'm right then this is called the base of the region more often than not. It would be probably a better choice than using `MR`. steakhal: If I'm right then this is called the //base// of the region more often than not. It would be…
		/// \note The result array is in the reverse order of indirection expression:
		/// arr[1][2][3] -> { 3, 2, 1 }. This helps to provide complexity O(n), where n
		/// is a number of indirections. It may not affect performance in real-life
		steakhalUnsubmitted Done Reply Inline Actions IMO this is not a concern in real-life code. steakhal: IMO this is not a concern in real-life code.
		/// code, though.
		static std::pair<SmallVector<SVal, 2>, const MemRegion *>
		steakhalUnsubmitted Done Reply Inline Actions I would prefer returning a pair instead of an output parameter. steakhal: I would prefer returning a pair instead of an output parameter.
		getElementRegionOffsetsWithBase(const ElementRegion *ER) {
		assert(ER && "ConstantArrayType should not be null");
		const MemRegion *Base;
		SmallVector<SVal, 2> SValOffsets;
		do {
		SValOffsets.push_back(ER->getIndex());
		Base = ER->getSuperRegion();
		ER = dyn_cast<ElementRegion>(Base);
		} while (ER);
		return {SValOffsets, Base};
		}

		/// This is a helper function for `getConstantValFromConstArrayInitializer`.
		///
		/// Convert array of offsets from `SVal` to `uint64_t` in consideration of
		/// respective array extents.
		/// \param SrcOffsets [in] The array of offsets of type `SVal` in reversed
		/// order (expectedly received from `getElementRegionOffsetsWithBase`).
		/// \param ArrayExtents [in] The array of extents.
		/// \param DstOffsets [out] The array of offsets of type `uint64_t`.
		/// \returns:
		/// - `None` for successful convertion.
		/// - `UndefinedVal` or `UnknownVal` otherwise. It's expected that this SVal
		/// will be returned as a suitable value of the access operation.
		/// which should be returned as a correct
		///
		/// \example:
		/// const int arr[10][20][30] = {}; // ArrayExtents { 10, 20, 30 }
		/// int x1 = arr[4][5][6]; // SrcOffsets { NonLoc(6), NonLoc(5), NonLoc(4) }
		/// // DstOffsets { 4, 5, 6 }
		/// // returns None
		/// int x2 = arr[42][5][-6]; // returns UndefinedVal
		/// int x3 = arr[4][5][x2]; // returns UnknownVal
		static Optional<SVal>
		convertOffsetsFromSvalToUnsigneds(const SmallVector<SVal, 2> &SrcOffsets,
		const SmallVector<uint64_t, 2> ArrayExtents,
		SmallVector<uint64_t, 2> &DstOffsets) {
		// Check offsets for being out of bounds.
		// C++20 [expr.add] 7.6.6.4 (excerpt):
		// If P points to an array element i of an array object x with n
		// elements, where i < 0 or i > n, the behavior is undefined.
		// Dereferencing is not allowed on the "one past the last
		// element", when i == n.
		// Example:
		// const int arr[3][2] = {{1, 2}, {3, 4}};
		// arr[0][0]; // 1
		// arr[0][1]; // 2
		// arr[0][2]; // UB
		// arr[1][0]; // 3
		// arr[1][1]; // 4
		// arr[1][-1]; // UB
		// arr[2][0]; // 0
		// arr[2][1]; // 0
		// arr[-2][0]; // UB
		DstOffsets.resize(SrcOffsets.size());
		auto ExtentIt = ArrayExtents.begin();
		auto OffsetIt = DstOffsets.begin();
		// Reverse `SValOffsets` to make it consistent with `ArrayExtents`.
		for (SVal V : llvm::reverse(SrcOffsets)) {
		if (auto CI = V.getAs<nonloc::ConcreteInt>()) {
		// When offset is out of array's bounds, result is UB.
		const llvm::APSInt &Offset = CI->getValue();
		if (Offset.isNegative() \|\| Offset.uge(*(ExtentIt++)))
		return UndefinedVal();
		// Store index in a reversive order.
		*(OffsetIt++) = Offset.getZExtValue();
		continue;
		}
		// Symbolic index presented. Return Unknown value.
		// FIXME: We also need to take ElementRegions with symbolic indexes into
		// account.
		return UnknownVal();
		}
		return None;
		}

Optional<SVal> RegionStoreManager::getConstantValFromConstArrayInitializer(		Optional<SVal> RegionStoreManager::getConstantValFromConstArrayInitializer(
RegionBindingsConstRef B, const VarRegion VR, const ElementRegion R) {		RegionBindingsConstRef B, const ElementRegion *R) {
assert(R && VR && "Regions should not be null");		assert(R && "ElementRegion should not be null");

		// Treat an n-dimensional array.
		SmallVector<SVal, 2> SValOffsets;
		steakhalUnsubmitted Done Reply Inline Actions The `std::tie()` pattern is probably more readable. steakhal: The `std::tie()` pattern is probably more readable.
		const MemRegion *Base;
		std::tie(SValOffsets, Base) = getElementRegionOffsetsWithBase(R);
		const VarRegion *VR = dyn_cast<VarRegion>(Base);
		if (!VR)
		return None;

		assert(!SValOffsets.empty() && "getElementRegionOffsets guarantees the "
		"offsets vector is not empty.");

// Check if the containing array has an initialized value that we can trust.		// Check if the containing array has an initialized value that we can trust.
// We can trust a const value or a value of a global initializer in main().		// We can trust a const value or a value of a global initializer in main().
const VarDecl *VD = VR->getDecl();		const VarDecl *VD = VR->getDecl();
		martongUnsubmitted Done Reply Inline Actions I think this could be implemented in it's own separate function, couldn't it? martong: I think this could be implemented in it's own separate function, couldn't it?
		steakhalUnsubmitted Done Reply Inline Actions I dislike this part of code. It has side effects all over the place. Please use immediately called lambdas to describe your intentions in a more pure manner. Besides that, when I see `ElementRegions`, I'm always scared. They sometimes represent reinterpret casts. Since you have dealt with so many casts and region store stuff in the past, I'm assuming you have thought about this here. Although, I'm still scared slightly, and I'd like to have evidence of this thought process. Likely some assertions or at least some comments? Could you @ASDenysPetrov elaborate on this? steakhal: I dislike this part of code. It has side effects all over the place. Please use immediately…
		ASDenysPetrovAuthorUnsubmitted Done Reply Inline Actions Please use immediately called lambdas. I'll do. They sometimes represent reinterpret casts. ... I'm assuming you have thought about this here. Yes. This is my another revision in the stack. You are welcome: D110927 ASDenysPetrov: > Please use immediately called lambdas. I'll do. > They sometimes represent reinterpret casts.
if (!VD->getType().isConstQualified() &&		if (!VD->getType().isConstQualified() &&
!R->getElementType().isConstQualified() &&		!R->getElementType().isConstQualified() &&
		martongUnsubmitted Done Reply Inline Actions Please address this TODO. martong: Please address this TODO.
		ASDenysPetrovAuthorUnsubmitted Done Reply Inline Actions I found the tests: Analysis/MemRegion.cpp Analysis/ctor.mm Analysis/mpichecker.cpp Analysis/string.c They cover this check. ASDenysPetrov: I found the tests: - Analysis/MemRegion.cpp - Analysis/ctor.mm - Analysis/mpichecker.cpp…
(!B.isMainAnalysis() \|\| !VD->hasGlobalStorage()))		(!B.isMainAnalysis() \|\| !VD->hasGlobalStorage()))
return None;		return None;

// Array's declaration should have `ConstantArrayType` type, because only this		// Array's declaration should have `ConstantArrayType` type, because only this
// type contains an array extent. It may happen that array type can be of		// type contains an array extent. It may happen that array type can be of
// `IncompleteArrayType` type. To get the declaration of `ConstantArrayType`		// `IncompleteArrayType` type. To get the declaration of `ConstantArrayType`
// type, we should find the declaration in the redeclarations chain that has		// type, we should find the declaration in the redeclarations chain that has
// the initialization expression.		// the initialization expression.
// NOTE: `getAnyInitializer` has an out-parameter, which returns a new `VD`		// NOTE: `getAnyInitializer` has an out-parameter, which returns a new `VD`
// from which an initializer is obtained. We replace current `VD` with the new		// from which an initializer is obtained. We replace current `VD` with the new
// `VD`. If the return value of the function is null than `VD` won't be		// `VD`. If the return value of the function is null than `VD` won't be
// replaced.		// replaced.
const Expr *Init = VD->getAnyInitializer(VD);		const Expr *Init = VD->getAnyInitializer(VD);
// NOTE: If `Init` is non-null, then a new `VD` is non-null for sure. So check		// NOTE: If `Init` is non-null, then a new `VD` is non-null for sure. So check
// `Init` for null only and don't worry about the replaced `VD`.		// `Init` for null only and don't worry about the replaced `VD`.
if (!Init)		if (!Init)
return None;		return None;

// Array's declaration should have ConstantArrayType type, because only this		// Array's declaration should have ConstantArrayType type, because only this
// type contains an array extent.		// type contains an array extent.
const ConstantArrayType *CAT = Ctx.getAsConstantArrayType(VD->getType());		const ConstantArrayType *CAT = Ctx.getAsConstantArrayType(VD->getType());
if (!CAT)		if (!CAT)
return None;		return None;

// Array should be one-dimensional.		// Get array extents.
// TODO: Support multidimensional array.		SmallVector<uint64_t, 2> Extents = getConstantArrayExtents(CAT);
if (isa<ConstantArrayType>(CAT->getElementType())) // is multidimensional
return None;

		steakhalUnsubmitted Done Reply Inline Actions I think you can hide this within the `getConstantArrayExtents()`. That is the only function touching this variable anyway. That way you could also spare the comments about `CAT` requiring it to be canonical. steakhal: I think you can hide this within the `getConstantArrayExtents()`. That is the only function…
// Array's offset should be a concrete value.		// The number of offsets should equal to the numbers of extents,
// Return Unknown value if symbolic index presented.		// otherwise wrong type punning occured. For instance:
// FIXME: We also need to take ElementRegions with symbolic		// int arr[1][2][3];
// indexes into account.		// auto ptr = (int(*)[42])arr;
const auto OffsetVal = R->getIndex().getAs<nonloc::ConcreteInt>();		// auto x = ptr[4][2]; // UB
if (!OffsetVal.hasValue())		// FIXME: Should return UndefinedVal.
return UnknownVal();		if (SValOffsets.size() != Extents.size())
		return None;

// Check offset for being out of bounds.		SmallVector<uint64_t, 2> ConcreteOffsets;
		martongUnsubmitted Done Reply Inline Actions Perhaps this hunk could be in an individual implementation function? martong: Perhaps this hunk could be in an individual implementation function?
		ASDenysPetrovAuthorUnsubmitted Done Reply Inline Actions There are two returns inside the loop. That would not such easy to do a separate function for this. ASDenysPetrov: There are two //returns// inside the loop. That would not such easy to do a separate function…
		martongUnsubmitted Done Reply Inline Actions There are two returns inside the loop. That would not such easy to do a separate function for this. I think you could return with an `Optional<SVal>` and then in the call site you could check if the optional is set. `Optional<SVal> areOffsetsOutOfBounds(...)` ? Then in the caller: if (Optional<SVal> CheckResult = areOffsetsOutOfBounds(...)) return CheckResult; martong:* > There are two //returns// inside the loop. That would not such easy to do a separate function…
		ASDenysPetrovAuthorUnsubmitted Done Reply Inline Actions Great idea. ASDenysPetrov: Great idea.
// C++20 [expr.add] 7.6.6.4 (excerpt):		if (Optional<SVal> V = convertOffsetsFromSvalToUnsigneds(SValOffsets, Extents,
// If P points to an array element i of an array object x with n		ConcreteOffsets))
// elements, where i < 0 or i > n, the behavior is undefined.		return *V;
// Dereferencing is not allowed on the "one past the last
// element", when i == n.
// Example:
// const int arr[4] = {1, 2};
// const int *ptr = arr;
// int x0 = ptr[0]; // 1
// int x1 = ptr[1]; // 2
// int x2 = ptr[2]; // 0
// int x3 = ptr[3]; // 0
// int x4 = ptr[4]; // UB
// int x5 = ptr[-1]; // UB
const llvm::APSInt &OffsetInt = OffsetVal->getValue();
const auto Offset = static_cast<uint64_t>(OffsetInt.getExtValue());
// Use `getZExtValue` because array extent can not be negative.
const uint64_t Extent = CAT->getSize().getZExtValue();
// Check for `OffsetInt < 0` but NOT for `Offset < 0`, because `OffsetInt`
// CAN be negative, but `Offset` can NOT, because `Offset` is an uint64_t.
if (OffsetInt < 0 \|\| Offset >= Extent)
return UndefinedVal();
// From here `Offset` is in the bounds.

// Handle InitListExpr.		// Handle InitListExpr.
// Example:		// Example:
// const char arr[] = { 1, 2, 3 };		// const char arr[4][2] = { { 1, 2 }, { 3 }, 4, 5 };
if (const auto *ILE = dyn_cast<InitListExpr>(Init))		if (const auto *ILE = dyn_cast<InitListExpr>(Init))
return getSValFromInitListExpr(ILE, Offset, R->getElementType());		return getSValFromInitListExpr(ILE, ConcreteOffsets, R->getElementType());

// Handle StringLiteral.		// Handle StringLiteral.
		steakhalUnsubmitted Done Reply Inline Actions Can this be empty? If so, the subsequent `.front()` is UB. Put here an assertion if you are sure that it cannot be empty. steakhal: Can this be empty? If so, the subsequent `.front()` is UB. Put here an assertion if you are…
// Example:		// Example:
// const char arr[] = "abc";		// const char arr[] = "abc";
if (const auto *SL = dyn_cast<StringLiteral>(Init))		if (const auto *SL = dyn_cast<StringLiteral>(Init))
		steakhalUnsubmitted Done Reply Inline Actions I would rather take it by value. They are designed so. A mutable reference is always a bad sign anyway. BTW for a brief moment I thought `reverse()` returns a temporary, but it doesn't, so we don't dangle at least. steakhal: I would rather take it by value. They are designed so. A mutable reference is always a bad sign…
return getSValFromStringLiteral(SL, Offset, R->getElementType());		return getSValFromStringLiteral(SL, ConcreteOffsets.front(),
		R->getElementType());

// FIXME: Handle CompoundLiteralExpr.		// FIXME: Handle CompoundLiteralExpr.

return None;		return None;
		steakhalUnsubmitted Done Reply Inline Actions Please use the `isNegative()`. And don't have sideffects in conditions. advance the iterator at the end of the `if`. I also think you can eliminate the `I` variable. That way the `getExtValue()` would be guarded by the negativity check. I know that your code would behave the same, but I would find that phrasing slightly easier to follow. This way you could even spare the 2 comment lines. steakhal: Please use the `isNegative()`. And don't have sideffects in conditions. advance the iterator at…
}		}

Optional<SVal>		/// Returns an SVal, if possible, for the specified position of an
RegionStoreManager::getSValFromInitListExpr(const InitListExpr *ILE,		/// initialization list.
		steakhalUnsubmitted Done Reply Inline Actions This is probably a rare case when a `continue` is preferred instead of the `else` statement. steakhal: This is probably a rare case when a `continue` is preferred instead of the `else` statement.
uint64_t Offset, QualType ElemT) {		///
		/// \param ILE The given initialization list.
		/// \param Offsets The array of unsigned offsets. E.g. for the expression
		/// `int x = arr[1][2][3];` an array should be { 1, 2, 3 }.
		/// \param ElemT The type of the result SVal expression.
		/// \return Optional SVal for the particular position in the initialization
		/// list. E.g. for the list `{{1, 2},[3, 4],{5, 6}, {}}` offsets:
		/// - {1, 1} returns SVal{4}, because it's the second position in the second
		/// sublist;
		/// - {3, 0} returns SVal{0}, because there's no explicit value at this
		/// position in the sublist.
		///
		/// NOTE: Inorder to get a valid SVal, a caller shall guarantee valid offsets
		/// for the given initialization list. Otherwise SVal can be an equivalent to 0
		/// or lead to assertion.
		Optional<SVal> RegionStoreManager::getSValFromInitListExpr(
		const InitListExpr *ILE, const SmallVector<uint64_t, 2> &Offsets,
		QualType ElemT) {
assert(ILE && "InitListExpr should not be null");		assert(ILE && "InitListExpr should not be null");

		for (uint64_t Offset : Offsets) {
// C++20 [dcl.init.string] 9.4.2.1:		// C++20 [dcl.init.string] 9.4.2.1:
// An array of ordinary character type [...] can be initialized by [...]		// An array of ordinary character type [...] can be initialized by [...]
// an appropriately-typed string-literal enclosed in braces.		// an appropriately-typed string-literal enclosed in braces.
// Example:		// Example:
// const char arr[] = { "abc" };		// const char arr[] = { "abc" };
if (ILE->isStringLiteralInit())		if (ILE->isStringLiteralInit())
if (const auto *SL = dyn_cast<StringLiteral>(ILE->getInit(0)))		if (const auto *SL = dyn_cast<StringLiteral>(ILE->getInit(0)))
return getSValFromStringLiteral(SL, Offset, ElemT);		return getSValFromStringLiteral(SL, Offset, ElemT);

// C++20 [expr.add] 9.4.17.5 (excerpt):		// C++20 [expr.add] 9.4.17.5 (excerpt):
// i-th array element is value-initialized for each k < i ≤ n,		// i-th array element is value-initialized for each k < i ≤ n,
// where k is an expression-list size and n is an array extent.		// where k is an expression-list size and n is an array extent.
if (Offset >= ILE->getNumInits())		if (Offset >= ILE->getNumInits())
return svalBuilder.makeZeroVal(ElemT);		return svalBuilder.makeZeroVal(ElemT);

		const Expr *E = ILE->getInit(Offset);
		const auto *IL = dyn_cast<InitListExpr>(E);
		if (!IL)
// Return a constant value, if it is presented.		// Return a constant value, if it is presented.
// FIXME: Support other SVals.		// FIXME: Support other SVals.
const Expr *E = ILE->getInit(Offset);
return svalBuilder.getConstantVal(E);		return svalBuilder.getConstantVal(E);

		// Go to the nested initializer list.
		ILE = IL;
		}
		llvm_unreachable(
		"Unhandled InitListExpr sub-expressions or invalid offsets.");
		steakhalUnsubmitted Done Reply Inline Actions Just spell out `uint64_t` here. We don't win much by using `auto`. steakhal: Just spell out `uint64_t` here. We don't win much by using `auto`.
}		}

/// Returns an SVal, if possible, for the specified position in a string		/// Returns an SVal, if possible, for the specified position in a string
/// literal.		/// literal.
///		///
/// \param SL The given string literal.		/// \param SL The given string literal.
/// \param Offset The unsigned offset. E.g. for the expression		/// \param Offset The unsigned offset. E.g. for the expression
/// `char x = str[42];` an offset should be 42.		/// `char x = str[42];` an offset should be 42.
/// E.g. for the string "abc" offset:		/// E.g. for the string "abc" offset:
/// - 1 returns SVal{b}, because it's the second position in the string.		/// - 1 returns SVal{b}, because it's the second position in the string.
/// - 42 returns SVal{0}, because there's no explicit value at this		/// - 42 returns SVal{0}, because there's no explicit value at this
/// position in the string.		/// position in the string.
		steakhalUnsubmitted Done Reply Inline Actions Please, restructure this. Probably negating the condition and returning on that path would do the job. steakhal: Please, restructure this. Probably negating the condition and returning on that path would do…
/// \param ElemT The type of the result SVal expression.		/// \param ElemT The type of the result SVal expression.
///		///
/// NOTE: We return `0` for every offset >= the literal length for array		/// NOTE: We return `0` for every offset >= the literal length for array
/// declarations, like:		/// declarations, like:
/// const char str[42] = "123"; // Literal length is 4.		/// const char str[42] = "123"; // Literal length is 4.
/// char c = str[41]; // Offset is 41.		/// char c = str[41]; // Offset is 41.
/// FIXME: Nevertheless, we can't do the same for pointer declaraions, like:		/// FIXME: Nevertheless, we can't do the same for pointer declaraions, like:
/// const char * const str = "123"; // Literal length is 4.		/// const char * const str = "123"; // Literal length is 4.
Show All 33 Lines	if (!Ctx.hasSameUnqualifiedType(T, R->getElementType()))
return UnknownVal();		return UnknownVal();
if (const auto CI = R->getIndex().getAs<nonloc::ConcreteInt>()) {		if (const auto CI = R->getIndex().getAs<nonloc::ConcreteInt>()) {
const llvm::APSInt &Idx = CI->getValue();		const llvm::APSInt &Idx = CI->getValue();
if (Idx < 0)		if (Idx < 0)
return UndefinedVal();		return UndefinedVal();
const StringLiteral *SL = StrR->getStringLiteral();		const StringLiteral *SL = StrR->getStringLiteral();
return getSValFromStringLiteral(SL, Idx.getZExtValue(), T);		return getSValFromStringLiteral(SL, Idx.getZExtValue(), T);
}		}
} else if (const VarRegion *VR = dyn_cast<VarRegion>(superR)) {		} else if (isa<ElementRegion, VarRegion>(superR)) {
if (Optional<SVal> V = getConstantValFromConstArrayInitializer(B, VR, R))		if (Optional<SVal> V = getConstantValFromConstArrayInitializer(B, R))
return *V;		return *V;
}		}

// Check for loads from a code text region. For such loads, just give up.		// Check for loads from a code text region. For such loads, just give up.
if (isa<CodeTextRegion>(superR))		if (isa<CodeTextRegion>(superR))
return UnknownVal();		return UnknownVal();

// Handle the case where we are indexing into a larger scalar object.		// Handle the case where we are indexing into a larger scalar object.
▲ Show 20 Lines • Show All 948 Lines • Show Last 20 Lines

clang/test/Analysis/initialization.c

	Show First 20 Lines • Show All 52 Lines • ▼ Show 20 Lines
	}			}

	void glob_invalid_index2() {			void glob_invalid_index2() {
	const int *ptr = glob_arr1;			const int *ptr = glob_arr1;
	int x = 42;			int x = 42;
	int res = ptr[x]; // expected-warning{{garbage or undefined}}			int res = ptr[x]; // expected-warning{{garbage or undefined}}
	}			}

	// TODO: Support multidimensional array.
	const int glob_arr2[3][3] = {[0][0] = 1, [1][1] = 5, [2][0] = 7};			const int glob_arr2[3][3] = {[0][0] = 1, [1][1] = 5, [2][0] = 7};
	void glob_arr_index3() {			void glob_arr_index3() {
	// FIXME: These all should be TRUE.			clang_analyzer_eval(glob_arr2[0][0] == 1); // expected-warning{{TRUE}}
	clang_analyzer_eval(glob_arr2[0][0] == 1); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(glob_arr2[0][1] == 0); // expected-warning{{TRUE}}
	clang_analyzer_eval(glob_arr2[0][1] == 0); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(glob_arr2[0][2] == 0); // expected-warning{{TRUE}}
	clang_analyzer_eval(glob_arr2[0][2] == 0); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(glob_arr2[1][0] == 0); // expected-warning{{TRUE}}
	clang_analyzer_eval(glob_arr2[1][0] == 0); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(glob_arr2[1][1] == 5); // expected-warning{{TRUE}}
	clang_analyzer_eval(glob_arr2[1][1] == 5); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(glob_arr2[1][2] == 0); // expected-warning{{TRUE}}
	clang_analyzer_eval(glob_arr2[1][2] == 0); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(glob_arr2[2][0] == 7); // expected-warning{{TRUE}}
	clang_analyzer_eval(glob_arr2[2][0] == 7); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(glob_arr2[2][1] == 0); // expected-warning{{TRUE}}
	clang_analyzer_eval(glob_arr2[2][1] == 0); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(glob_arr2[2][2] == 0); // expected-warning{{TRUE}}
	clang_analyzer_eval(glob_arr2[2][2] == 0); // expected-warning{{UNKNOWN}}
	}			}

	// TODO: Support multidimensional array.
	void negative_index() {			void negative_index() {
	int x = 2, y = -2;			int x = 2, y = -2;
	// FIXME: Should be UNDEFINED.			clang_analyzer_eval(glob_arr2[x][y] == 5); // expected-warning{{UNDEFINED}}
				martongUnsubmitted Done Reply Inline Actions Very good! martong: Very good!
	clang_analyzer_eval(glob_arr2[x][y] == 5); // expected-warning{{UNKNOWN}}
	x = 3;			x = 3;
	y = -3;			y = -3;
	// FIXME: Should be UNDEFINED.			clang_analyzer_eval(glob_arr2[x][y] == 7); // expected-warning{{UNDEFINED}}
	clang_analyzer_eval(glob_arr2[x][y] == 7); // expected-warning{{UNKNOWN}}
	}			}

	// TODO: Support multidimensional array.
	void glob_invalid_index3() {			void glob_invalid_index3() {
	int x = -1, y = -1;			int x = -1, y = -1;
	// FIXME: Should warn {{garbage or undefined}}.			int res = glob_arr2[x][y]; // expected-warning{{garbage or undefined}}
	int res = glob_arr2[x][y]; // no-warning
	}			}

	// TODO: Support multidimensional array.
	void glob_invalid_index4() {			void glob_invalid_index4() {
	int x = 3, y = 2;			int x = 3, y = 2;
	// FIXME: Should warn {{garbage or undefined}}.			int res = glob_arr2[x][y]; // expected-warning{{garbage or undefined}}
	int res = glob_arr2[x][y]; // no-warning
	}			}

	const int glob_arr_no_init[10];			const int glob_arr_no_init[10];
	void glob_arr_index4() {			void glob_arr_index4() {
	// FIXME: Should warn {{FALSE}}, since the array has a static storage.			// FIXME: Should warn {{FALSE}}, since the array has a static storage.
	clang_analyzer_eval(glob_arr_no_init[2]); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(glob_arr_no_init[2]); // expected-warning{{UNKNOWN}}
	}			}

	Show All 38 Lines

clang/test/Analysis/initialization.cpp

	// RUN: %clang_cc1 -std=c++14 -triple i386-apple-darwin10 -analyze -analyzer-config eagerly-assume=false -analyzer-checker=core.uninitialized.Assign,core.builtin,debug.ExprInspection,core.uninitialized.UndefReturn -verify %s			// RUN: %clang_cc1 -std=c++14 -triple i386-apple-darwin10 -analyze -analyzer-config eagerly-assume=false -analyzer-checker=core.uninitialized.Assign,core.builtin,debug.ExprInspection,core.uninitialized.UndefReturn -verify %s

	template <typename T>			template <typename T>
	void clang_analyzer_dump(T x);			void clang_analyzer_dump(T x);
	void clang_analyzer_eval(int);			void clang_analyzer_eval(int);

	struct S {			struct S {
	int a = 3;			int a = 3;
	};			};
	S const sarr[2] = {};			S const sarr[2] = {};
	void definit() {			void definit() {
	int i = 1;			int i = 1;
	// FIXME: Should recognize that it is 3.			// FIXME: Should recognize that it is 3.
	clang_analyzer_eval(sarr[i].a); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(sarr[i].a); // expected-warning{{UNKNOWN}}
	}			}

	int const arr[2][2] = {};
	void arr2init() {
	int i = 1;
	// FIXME: Should recognize that it is 0.
	clang_analyzer_eval(arr[i][0]); // expected-warning{{UNKNOWN}}
	}

	steakhalUnsubmitted Not Done Reply Inline Actions Sorry If I was misunderstood in the previous patches. I think, for this instance, the key is that `arr` is `const`, so this TU is supposed to provide this linker symbol, thus any other definitions would violate the ODR. So, the `FIXME` is actually accurate, and we should report `0` here. steakhal: Sorry If I was misunderstood in the previous patches. I think, for this instance, the key is…
	ASDenysPetrovAuthorUnsubmitted Done Reply Inline Actions Right. FALSE expected. And it is fixed with the patch. But this case duplicates some more detailed cases I've added below. So I decide to remove it. ASDenysPetrov: Right. FALSE expected. And it is fixed with the patch. But this case duplicates some more…
	steakhalUnsubmitted Done Reply Inline Actions Awesome, thanks! steakhal: Awesome, thanks!
	int const glob_arr1[3] = {};			int const glob_arr1[3] = {};
	void glob_array_index1() {			void glob_array_index1() {
	clang_analyzer_eval(glob_arr1[0] == 0); // expected-warning{{TRUE}}			clang_analyzer_eval(glob_arr1[0] == 0); // expected-warning{{TRUE}}
	clang_analyzer_eval(glob_arr1[1] == 0); // expected-warning{{TRUE}}			clang_analyzer_eval(glob_arr1[1] == 0); // expected-warning{{TRUE}}
	clang_analyzer_eval(glob_arr1[2] == 0); // expected-warning{{TRUE}}			clang_analyzer_eval(glob_arr1[2] == 0); // expected-warning{{TRUE}}
	}			}

	void glob_invalid_index1() {			void glob_invalid_index1() {
	Show All 23 Lines
	}			}

	const float glob_arr3[] = {			const float glob_arr3[] = {
	0.0000, 0.0235, 0.0470, 0.0706, 0.0941, 0.1176};			0.0000, 0.0235, 0.0470, 0.0706, 0.0941, 0.1176};
	float no_warn_garbage_value() {			float no_warn_garbage_value() {
	return glob_arr3[0]; // no-warning (garbage or undefined)			return glob_arr3[0]; // no-warning (garbage or undefined)
	}			}

	// TODO: Support multidimensional array.
	int const glob_arr4[4][2] = {};			int const glob_arr4[4][2] = {};
				steakhalUnsubmitted Done Reply Inline Actions Does this work if the `= {}` is not present? steakhal: Does this work if the ` = {}` is not present?
				ASDenysPetrovAuthorUnsubmitted Done Reply Inline Actions The compiler (AST) doesn't pass you through without an initializer by emitting a warning. But still there is a case without initializer at the end of the file. Yes, it does work. ASDenysPetrov: The compiler (AST) doesn't pass you through without an initializer by emitting a warning. But…
				steakhalUnsubmitted Done Reply Inline Actions Okay, thanks! steakhal: Okay, thanks!
	void glob_array_index2() {			void glob_array_index2() {
	// FIXME: Should be TRUE.			clang_analyzer_eval(glob_arr4[0][0] == 0); // expected-warning{{TRUE}}
	clang_analyzer_eval(glob_arr4[1][0] == 0); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(glob_arr4[1][0] == 0); // expected-warning{{TRUE}}
	// FIXME: Should be TRUE.			clang_analyzer_eval(glob_arr4[1][1] == 0); // expected-warning{{TRUE}}
	clang_analyzer_eval(glob_arr4[1][1] == 0); // expected-warning{{UNKNOWN}}
	}			}

	// TODO: Support multidimensional array.
	void glob_invalid_index3() {			void glob_invalid_index3() {
	int idx = -42;			int idx = -42;
	// FIXME: Should warn {{garbage or undefined}}.			auto x = glob_arr4[1][idx]; // expected-warning{{garbage or undefined}}
	auto x = glob_arr4[1][idx]; // no-warning
	}			}

	// TODO: Support multidimensional array.
	void glob_invalid_index4() {			void glob_invalid_index4() {
	const int *ptr = glob_arr4[1];			const int *ptr = glob_arr4[1];
	int idx = -42;			int idx = -42;
	// FIXME: Should warn {{garbage or undefined}}.			// FIXME: Should warn {{garbage or undefined}}.
	auto x = ptr[idx]; // no-warning			auto x = ptr[idx]; // no-warning
	}			}

	// TODO: Support multidimensional array.
	int const glob_arr5[4][2] = {{1}, 3, 4, 5};			int const glob_arr5[4][2] = {{1}, 3, 4, 5};
	void glob_array_index3() {			void glob_array_index3() {
	// FIXME: Should be TRUE.			clang_analyzer_eval(glob_arr5[0][0] == 1); // expected-warning{{TRUE}}
	clang_analyzer_eval(glob_arr5[0][0] == 1); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(glob_arr5[0][1] == 0); // expected-warning{{TRUE}}
	// FIXME: Should be TRUE.			clang_analyzer_eval(glob_arr5[1][0] == 3); // expected-warning{{TRUE}}
	clang_analyzer_eval(glob_arr5[0][1] == 0); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(glob_arr5[1][1] == 4); // expected-warning{{TRUE}}
	// FIXME: Should be TRUE.			clang_analyzer_eval(glob_arr5[2][0] == 5); // expected-warning{{TRUE}}
	clang_analyzer_eval(glob_arr5[1][0] == 3); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(glob_arr5[2][1] == 0); // expected-warning{{TRUE}}
	// FIXME: Should be TRUE.			clang_analyzer_eval(glob_arr5[3][0] == 0); // expected-warning{{TRUE}}
	clang_analyzer_eval(glob_arr5[1][1] == 4); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(glob_arr5[3][1] == 0); // expected-warning{{TRUE}}
	// FIXME: Should be TRUE.
	clang_analyzer_eval(glob_arr5[2][0] == 5); // expected-warning{{UNKNOWN}}
	// FIXME: Should be TRUE.
	clang_analyzer_eval(glob_arr5[2][1] == 0); // expected-warning{{UNKNOWN}}
	// FIXME: Should be TRUE.
	clang_analyzer_eval(glob_arr5[3][0] == 0); // expected-warning{{UNKNOWN}}
	// FIXME: Should be TRUE.
	clang_analyzer_eval(glob_arr5[3][1] == 0); // expected-warning{{UNKNOWN}}
	}			}

	// TODO: Support multidimensional array.
	void glob_ptr_index2() {			void glob_ptr_index2() {
	int const *ptr = glob_arr5[1];			int const *ptr = glob_arr5[1];
	// FIXME: Should be TRUE.			// FIXME: Should be TRUE.
	clang_analyzer_eval(ptr[0] == 3); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(ptr[0] == 3); // expected-warning{{UNKNOWN}}
	// FIXME: Should be TRUE.			// FIXME: Should be TRUE.
	clang_analyzer_eval(ptr[1] == 4); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(ptr[1] == 4); // expected-warning{{UNKNOWN}}
	// FIXME: Should be UNDEFINED.			// FIXME: Should be UNDEFINED.
	clang_analyzer_eval(ptr[2] == 5); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(ptr[2] == 5); // expected-warning{{UNKNOWN}}
	// FIXME: Should be UNDEFINED.			// FIXME: Should be UNDEFINED.
	clang_analyzer_eval(ptr[3] == 0); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(ptr[3] == 0); // expected-warning{{UNKNOWN}}
	// FIXME: Should be UNDEFINED.			// FIXME: Should be UNDEFINED.
	clang_analyzer_eval(ptr[4] == 0); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(ptr[4] == 0); // expected-warning{{UNKNOWN}}
	}			}
				steakhalUnsubmitted Done Reply Inline Actions Uh, this would be a regression. Accessing `Unknown` is not a bug, unlike accessing `Undefined` - which is a clear indication that we must have had UB in the calculation previously, to get this. So, this is slightly similar to llvm poison on that sense. steakhal: Uh, this would be a regression. Accessing `Unknown` is not a bug, unlike accessing `Undefined`…
				ASDenysPetrovAuthorUnsubmitted Done Reply Inline Actions This is a big problem with casts (in `SValBuilder::evalCast`). I've investigated it. Relates to D89055. IMO the solution will take a separate patch stack. I'm going to fix this next. ASDenysPetrov: This is a big problem with casts (in `SValBuilder::evalCast`). I've investigated it. Relates to…
				steakhalUnsubmitted Done Reply Inline Actions I think until you do that we should stick to the previous behavior. Please address this regression, so report `UNKNOWN` for these cases or the correct answer. steakhal: I think until you do that we should stick to the previous behavior. Please address this…

	// TODO: Support multidimensional array.
	void glob_invalid_index5() {			void glob_invalid_index5() {
	int idx = -42;			int idx = -42;
	// FIXME: Should warn {{garbage or undefined}}.			auto x = glob_arr5[1][idx]; // expected-warning{{garbage or undefined}}
	auto x = glob_arr5[1][idx]; // no-warning
	}			}

	// TODO: Support multidimensional array.
	void glob_invalid_index6() {			void glob_invalid_index6() {
	int const *ptr = &glob_arr5[1][0];			int const *ptr = &glob_arr5[1][0];
	int idx = 42;			int idx = 42;
	// FIXME: Should warn {{garbage or undefined}}.			// FIXME: Should warn {{garbage or undefined}}.
	auto x = ptr[idx]; // // no-warning			auto x = ptr[idx]; // no-warning
				steakhalUnsubmitted Done Reply Inline Actions typo steakhal: typo
	}			}

	extern const int glob_arr_no_init[10];			extern const int glob_arr_no_init[10];
	void glob_array_index4() {			void glob_array_index4() {
	clang_analyzer_eval(glob_arr_no_init[2]); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(glob_arr_no_init[2]); // expected-warning{{UNKNOWN}}
	}			}

	struct S2 {			struct S2 {
	▲ Show 20 Lines • Show All 104 Lines • ▼ Show 20 Lines

	const char *const glob_ptr12 = u8"abc";			const char *const glob_ptr12 = u8"abc";
	void glob_ptr_index8() {			void glob_ptr_index8() {
	clang_analyzer_eval(glob_ptr12[0] == 'a'); // expected-warning{{TRUE}}			clang_analyzer_eval(glob_ptr12[0] == 'a'); // expected-warning{{TRUE}}
	clang_analyzer_eval(glob_ptr12[1] == 'b'); // expected-warning{{TRUE}}			clang_analyzer_eval(glob_ptr12[1] == 'b'); // expected-warning{{TRUE}}
	clang_analyzer_eval(glob_ptr12[2] == 'c'); // expected-warning{{TRUE}}			clang_analyzer_eval(glob_ptr12[2] == 'c'); // expected-warning{{TRUE}}
	clang_analyzer_eval(glob_ptr12[3] == '\0'); // expected-warning{{TRUE}}			clang_analyzer_eval(glob_ptr12[3] == '\0'); // expected-warning{{TRUE}}
	}			}

				typedef int Int;
				typedef Int const CInt;
				typedef CInt Arr[2];
				typedef Arr Arr2[4];
				Arr2 glob_arr8 = {{1}, 3, 4, 5}; // const int[4][2]
				void glob_array_typedef1() {
				clang_analyzer_eval(glob_arr8[0][0] == 1); // expected-warning{{TRUE}}
				clang_analyzer_eval(glob_arr8[0][1] == 0); // expected-warning{{TRUE}}
				clang_analyzer_eval(glob_arr8[1][0] == 3); // expected-warning{{TRUE}}
				clang_analyzer_eval(glob_arr8[1][1] == 4); // expected-warning{{TRUE}}
				clang_analyzer_eval(glob_arr8[2][0] == 5); // expected-warning{{TRUE}}
				clang_analyzer_eval(glob_arr8[2][1] == 0); // expected-warning{{TRUE}}
				clang_analyzer_eval(glob_arr8[3][0] == 0); // expected-warning{{TRUE}}
				clang_analyzer_eval(glob_arr8[3][1] == 0); // expected-warning{{TRUE}}
				}

				const int glob_arr9[2][4] = {{(1), 2, ((3)), 4}, 5, 6, (((7)))};
				void glob_array_parentheses1() {
				clang_analyzer_eval(glob_arr9[0][0] == 1); // expected-warning{{TRUE}}
				clang_analyzer_eval(glob_arr9[0][1] == 2); // expected-warning{{TRUE}}
				clang_analyzer_eval(glob_arr9[0][2] == 3); // expected-warning{{TRUE}}
				clang_analyzer_eval(glob_arr9[0][3] == 4); // expected-warning{{TRUE}}
				clang_analyzer_eval(glob_arr9[1][0] == 5); // expected-warning{{TRUE}}
				clang_analyzer_eval(glob_arr9[1][1] == 6); // expected-warning{{TRUE}}
				clang_analyzer_eval(glob_arr9[1][2] == 7); // expected-warning{{TRUE}}
				clang_analyzer_eval(glob_arr9[1][3] == 0); // expected-warning{{TRUE}}
				}