diff --git a/clang/lib/Analysis/FlowSensitive/DataflowAnalysisContext.cpp b/clang/lib/Analysis/FlowSensitive/DataflowAnalysisContext.cpp --- a/clang/lib/Analysis/FlowSensitive/DataflowAnalysisContext.cpp +++ b/clang/lib/Analysis/FlowSensitive/DataflowAnalysisContext.cpp @@ -300,8 +300,12 @@ !Type->isRecordType()) return; - for (const FieldDecl *Field : Type->getAsRecordDecl()->fields()) - Fields.insert(Field); + for (const FieldDecl *Field : Type->getAsRecordDecl()->fields()) { + if (Field->isAnonymousStructOrUnion()) + getFieldsFromClassHierarchy(Field->getType(), Fields); + else + Fields.insert(Field); + } if (auto *CXXRecord = Type->getAsCXXRecordDecl()) for (const CXXBaseSpecifier &Base : CXXRecord->bases()) getFieldsFromClassHierarchy(Base.getType(), Fields); diff --git a/clang/lib/Analysis/FlowSensitive/Transfer.cpp b/clang/lib/Analysis/FlowSensitive/Transfer.cpp --- a/clang/lib/Analysis/FlowSensitive/Transfer.cpp +++ b/clang/lib/Analysis/FlowSensitive/Transfer.cpp @@ -543,6 +543,16 @@ if (BaseLoc == nullptr) return; + // Fields on anonymous records are treated as being part of the enclosing + // records. So if we see a member access for an anonymous record, just pass + // through the storage location of the base object. + if (auto *Field = dyn_cast(Member)) { + if (Field->isAnonymousStructOrUnion()) { + Env.setStorageLocation(*S, *BaseLoc); + return; + } + } + auto &MemberLoc = BaseLoc->getChild(*Member); if (MemberLoc.getType()->isReferenceType()) { // Based on its type, `MemberLoc` must be mapped either to nothing or to a diff --git a/clang/unittests/Analysis/FlowSensitive/TestingSupport.cpp b/clang/unittests/Analysis/FlowSensitive/TestingSupport.cpp --- a/clang/unittests/Analysis/FlowSensitive/TestingSupport.cpp +++ b/clang/unittests/Analysis/FlowSensitive/TestingSupport.cpp @@ -154,7 +154,8 @@ } const ValueDecl *test::findValueDecl(ASTContext &ASTCtx, llvm::StringRef Name) { - auto TargetNodes = match(valueDecl(hasName(Name)).bind("v"), ASTCtx); + auto TargetNodes = match( + valueDecl(unless(indirectFieldDecl()), hasName(Name)).bind("v"), ASTCtx); assert(TargetNodes.size() == 1 && "Name must be unique"); auto *const Result = selectFirst("v", TargetNodes); assert(Result != nullptr); diff --git a/clang/unittests/Analysis/FlowSensitive/TransferTest.cpp b/clang/unittests/Analysis/FlowSensitive/TransferTest.cpp --- a/clang/unittests/Analysis/FlowSensitive/TransferTest.cpp +++ b/clang/unittests/Analysis/FlowSensitive/TransferTest.cpp @@ -5403,4 +5403,35 @@ }); } +// Check that fields of anonymous records are modeled and treated as children +// of the enclosing record. +TEST(TransferTest, AnonymousStruct) { + std::string Code = R"( + struct S { + struct { + int i; + }; + }; + void target() { + S s; + (void)s.i; + // [[p]] + } + )"; + runDataflow( + Code, + [](const llvm::StringMap> &Results, + ASTContext &ASTCtx) { + const Environment &Env = getEnvironmentAtAnnotation(Results, "p"); + const ValueDecl *SDecl = findValueDecl(ASTCtx, "s"); + const ValueDecl *IDecl = findValueDecl(ASTCtx, "i"); + + auto *S = + cast(Env.getStorageLocation(*SDecl)); + // If we can call getChild() without an assertion failure, it means + // that `i` is modeled. + S->getChild(*IDecl); + }); +} + } // namespace