diff --git a/clang/include/clang/Analysis/FlowSensitive/DataflowAnalysisContext.h b/clang/include/clang/Analysis/FlowSensitive/DataflowAnalysisContext.h --- a/clang/include/clang/Analysis/FlowSensitive/DataflowAnalysisContext.h +++ b/clang/include/clang/Analysis/FlowSensitive/DataflowAnalysisContext.h @@ -17,6 +17,7 @@ #include "clang/AST/Decl.h" #include "clang/AST/Expr.h" +#include "clang/AST/TypeOrdering.h" #include "clang/Analysis/FlowSensitive/Solver.h" #include "clang/Analysis/FlowSensitive/StorageLocation.h" #include "clang/Analysis/FlowSensitive/Value.h" @@ -160,6 +161,11 @@ return ThisPointeeLoc; } + /// Returns a pointer value that represents a null pointer. Calls + /// with `PointeeType` that are canonically equivalent will return the same + /// result. + PointerValue &getOrCreateNullPointerValue(QualType PointeeType); + /// Returns a symbolic boolean value that models a boolean literal equal to /// `Value`. AtomicBoolValue &getBoolLiteralValue(bool Value) const { @@ -240,6 +246,15 @@ StorageLocation *ThisPointeeLoc = nullptr; + // Index used to avoid recreating pointer values for null pointers of the + // same canonical pointee type. + // + // FIXME: The pointer values are indexed by the pointee types which are + // required to initialize the `PointeeLoc` field in `PointerValue`. Consider + // creating a type-independent `NullPointerValue` without a `PointeeLoc` + // field. + llvm::DenseMap NullPointerVals; + AtomicBoolValue &TrueVal; AtomicBoolValue &FalseVal; diff --git a/clang/include/clang/Analysis/FlowSensitive/DataflowEnvironment.h b/clang/include/clang/Analysis/FlowSensitive/DataflowEnvironment.h --- a/clang/include/clang/Analysis/FlowSensitive/DataflowEnvironment.h +++ b/clang/include/clang/Analysis/FlowSensitive/DataflowEnvironment.h @@ -313,6 +313,11 @@ /// imply that `Val` is true. bool flowConditionImplies(BoolValue &Val) const; + /// Returns a pointer value that represents a null pointer. Calls + /// with `PointeeType` that are canonically equivalent will return the same + /// result. + PointerValue &getOrCreateNullPointerValue(QualType PointeeType); + private: /// Creates a value appropriate for `Type`, if `Type` is supported, otherwise /// return null. diff --git a/clang/lib/Analysis/FlowSensitive/DataflowAnalysisContext.cpp b/clang/lib/Analysis/FlowSensitive/DataflowAnalysisContext.cpp --- a/clang/lib/Analysis/FlowSensitive/DataflowAnalysisContext.cpp +++ b/clang/lib/Analysis/FlowSensitive/DataflowAnalysisContext.cpp @@ -59,6 +59,18 @@ return Loc; } +PointerValue & +DataflowAnalysisContext::getOrCreateNullPointerValue(QualType PointeeType) { + auto CanonicalPointeeType = PointeeType.getCanonicalType(); + auto Res = NullPointerVals.try_emplace(CanonicalPointeeType, nullptr); + if (Res.second) { + auto &PointeeLoc = createStorageLocation(CanonicalPointeeType); + Res.first->second = + &takeOwnership(std::make_unique(PointeeLoc)); + } + return *Res.first->second; +} + static std::pair makeCanonicalBoolValuePair(BoolValue &LHS, BoolValue &RHS) { auto Res = std::make_pair(&LHS, &RHS); diff --git a/clang/lib/Analysis/FlowSensitive/DataflowEnvironment.cpp b/clang/lib/Analysis/FlowSensitive/DataflowEnvironment.cpp --- a/clang/lib/Analysis/FlowSensitive/DataflowEnvironment.cpp +++ b/clang/lib/Analysis/FlowSensitive/DataflowEnvironment.cpp @@ -502,5 +502,9 @@ return DACtx->flowConditionImplies(*FlowConditionToken, Val); } +PointerValue &Environment::getOrCreateNullPointerValue(QualType PointeeType) { + return DACtx->getOrCreateNullPointerValue(PointeeType); +} + } // namespace dataflow } // namespace clang diff --git a/clang/lib/Analysis/FlowSensitive/Transfer.cpp b/clang/lib/Analysis/FlowSensitive/Transfer.cpp --- a/clang/lib/Analysis/FlowSensitive/Transfer.cpp +++ b/clang/lib/Analysis/FlowSensitive/Transfer.cpp @@ -251,6 +251,16 @@ Env.setStorageLocation(*S, *SubExprLoc); break; } + case CK_NullToPointer: + case CK_NullToMemberPointer: { + auto &Loc = Env.createStorageLocation(S->getType()); + Env.setStorageLocation(*S, Loc); + + auto &NullPointerVal = + Env.getOrCreateNullPointerValue(S->getType()->getPointeeType()); + Env.setValue(Loc, NullPointerVal); + break; + } default: break; } diff --git a/clang/unittests/Analysis/FlowSensitive/TransferTest.cpp b/clang/unittests/Analysis/FlowSensitive/TransferTest.cpp --- a/clang/unittests/Analysis/FlowSensitive/TransferTest.cpp +++ b/clang/unittests/Analysis/FlowSensitive/TransferTest.cpp @@ -2214,6 +2214,93 @@ }); } +TEST_F(TransferTest, NullToPointerCast) { + std::string Code = R"( + struct Baz {}; + void target() { + int *FooX = nullptr; + int *FooY = nullptr; + bool **Bar = nullptr; + Baz *Baz = nullptr; + // [[p]] + } + )"; + runDataflow(Code, + [](llvm::ArrayRef< + std::pair>> + Results, + ASTContext &ASTCtx) { + ASSERT_THAT(Results, ElementsAre(Pair("p", _))); + const Environment &Env = Results[0].second.Env; + + const ValueDecl *FooXDecl = findValueDecl(ASTCtx, "FooX"); + ASSERT_THAT(FooXDecl, NotNull()); + + const ValueDecl *FooYDecl = findValueDecl(ASTCtx, "FooY"); + ASSERT_THAT(FooYDecl, NotNull()); + + const ValueDecl *BarDecl = findValueDecl(ASTCtx, "Bar"); + ASSERT_THAT(BarDecl, NotNull()); + + const ValueDecl *BazDecl = findValueDecl(ASTCtx, "Baz"); + ASSERT_THAT(BazDecl, NotNull()); + + const auto *FooXVal = + cast(Env.getValue(*FooXDecl, SkipPast::None)); + const auto *FooYVal = + cast(Env.getValue(*FooYDecl, SkipPast::None)); + const auto *BarVal = + cast(Env.getValue(*BarDecl, SkipPast::None)); + const auto *BazVal = + cast(Env.getValue(*BazDecl, SkipPast::None)); + + EXPECT_EQ(FooXVal, FooYVal); + EXPECT_NE(FooXVal, BarVal); + EXPECT_NE(FooXVal, BazVal); + EXPECT_NE(BarVal, BazVal); + + const StorageLocation &FooPointeeLoc = FooXVal->getPointeeLoc(); + EXPECT_TRUE(isa(FooPointeeLoc)); + EXPECT_THAT(Env.getValue(FooPointeeLoc), IsNull()); + + const StorageLocation &BarPointeeLoc = BarVal->getPointeeLoc(); + EXPECT_TRUE(isa(BarPointeeLoc)); + EXPECT_THAT(Env.getValue(BarPointeeLoc), IsNull()); + + const StorageLocation &BazPointeeLoc = BazVal->getPointeeLoc(); + EXPECT_TRUE(isa(BazPointeeLoc)); + EXPECT_THAT(Env.getValue(BazPointeeLoc), IsNull()); + }); +} + +TEST_F(TransferTest, NullToMemberPointerCast) { + std::string Code = R"( + struct Foo {}; + void target(Foo *Foo) { + int Foo::*MemberPointer = nullptr; + // [[p]] + } + )"; + runDataflow( + Code, [](llvm::ArrayRef< + std::pair>> + Results, + ASTContext &ASTCtx) { + ASSERT_THAT(Results, ElementsAre(Pair("p", _))); + const Environment &Env = Results[0].second.Env; + + const ValueDecl *MemberPointerDecl = + findValueDecl(ASTCtx, "MemberPointer"); + ASSERT_THAT(MemberPointerDecl, NotNull()); + + const auto *MemberPointerVal = cast( + Env.getValue(*MemberPointerDecl, SkipPast::None)); + + const StorageLocation &MemberLoc = MemberPointerVal->getPointeeLoc(); + EXPECT_THAT(Env.getValue(MemberLoc), IsNull()); + }); +} + TEST_F(TransferTest, AddrOfValue) { std::string Code = R"( void target() {