This patch is intended to improve pointer arithmetic checker.
From now on it tries to only warn, when the pointer arithmetic is likely to cause an error. For example when the pointer points to a single object, or an array of derived types.
Note that this check does not free the stored information right now, because it caused some trouble when I was checking the following code.
struct trie { struct trie* next; }; struct kwset { struct trie *trie; unsigned char y[10]; struct trie* next[10]; int d; }; typedef struct trie trie_t; typedef struct kwset kwset_t; void f(kwset_t *kws, char const *p, char const *q) { struct trie const *trie; struct trie * const *next = kws->next; register unsigned char c; register char const *end = p; register char const *lim = q; register int d = 1; register unsigned char const *y = kws->y; d = y[c = (end+=d)[-1]]; trie = next[c]; // Here the analyzer tought that kws->next is a dead region, so the stored information was unavailable for the array. adding a kws = 0 or similar line to the end of the function fixed the problem. Is this a bug in liveness analysis fo regions? }
Is it necessary to distinguish so many cases here? For example, why do we need to distinguish between PlacementNew and OverloadedNew?
Another thought: given the expense of tracking stuff in the GDM could we instead track whether pointer arithmetic is explicitly disallowed for a given region? Then we wouldn't have to track any data for the "good" pointers.
Also, how does AllocKind relate to the AllocationFamily from MallocChecker? Could that checker's state be used so we don't have to track any additional information here?
If you do keep AllocKind, I think it would be good to add a comment describing how this enum is used and the intended meaning of each element.