This is an archive of the discontinued LLVM Phabricator instance.

[analyzer] Implement handling array subscript into null pointer, improve null dereference checks for array subscripts
ClosedPublic

Authored by NoQ on Apr 20 2017, 6:44 AM.

Details

Summary

When encountering an array-to-pointer-decay and the array base is null (or any other concrete pointer value) (eg. it's a member array in a structure, and the structure pointer is null; of course it wouldn't happen to stack-based or global arrays), do not yield UnknownVal; instead, yield that concrete value.

While obvious, this change now triggers false positives because our suppression for inlined defensive checks was not prepared for dealing with array subscripts (the idcTrackZeroValueThroughUnaryPointerOperatorsWithArrayField test in inlining/inline-defensive-checks.cpp starts failing). So i additionally improve the suppression.

As discussed in D31982, which added the aforementioned test case, bugreporter::getDerefExpr() should have been used (we only used to match member expressions earlier, but now that we encountered arrays, we could use all the features it function can offer). Now that the code uses that function, and a few issues within that function were further fixed in order to support the new use case and avoid regressions.

Diff Detail

Event Timeline

This revision is now accepted and ready to land.Apr 20 2017, 2:15 PM
This revision was automatically updated to reflect the committed changes.
zaks.anna added inline comments.Apr 28 2017, 6:45 PM
cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
80 ↗(On Diff #96468)

Not sure what this does, but looks like we are stricter here now.
Also, since you are changing bug reporter visitor, shouldn't there be tests for diagnostic paths?