Index: lib/StaticAnalyzer/Core/RegionStore.cpp =================================================================== --- lib/StaticAnalyzer/Core/RegionStore.cpp +++ lib/StaticAnalyzer/Core/RegionStore.cpp @@ -1606,7 +1606,7 @@ const MemRegion* superR = R->getSuperRegion(); // Check if the region is an element region of a string literal. - if (const StringRegion *StrR=dyn_cast(superR)) { + if (const StringRegion *StrR = dyn_cast(superR)) { // FIXME: Handle loads from strings where the literal is treated as // an integer, e.g., *((unsigned int*)"hello") QualType T = Ctx.getAsArrayType(StrR->getValueType())->getElementType(); @@ -1629,6 +1629,29 @@ char c = (i >= length) ? '\0' : Str->getCodeUnit(i); return svalBuilder.makeIntVal(c, T); } + } else if (const VarRegion *VR = dyn_cast(superR)) { + // Check if the containing array is const and has an initialized value. + const VarDecl *VD = VR->getDecl(); + // Either the array or the array element has to be const. + if (VD->getType().isConstQualified() || R->getElementType().isConstQualified()) { + if (const Expr *Init = VD->getInit()) { + if (const InitListExpr *InitList = dyn_cast(Init)) { + // The array index has to be known. + if (Optional CI = R->getIndex().getAs()) { + int64_t i = CI->getValue().getSExtValue(); + // Return unknown value if index is out of bounds. + if (i < 0 || i >= InitList->getNumInits()) { + return UnknownVal(); + } + + if (const Expr *ElemInit = InitList->getInit(i)) { + if (Optional V = svalBuilder.getConstantVal(ElemInit)) + return *V; + } + } + } + } + } } // Check for loads from a code text region. For such loads, just give up. @@ -1678,7 +1701,34 @@ if (const Optional &V = B.getDirectBinding(R)) return *V; - QualType Ty = R->getValueType(); + // Is the field declared constant and has an in-class initializer? + const FieldDecl *FD = R->getDecl(); + QualType Ty = FD->getType(); + if (Ty.isConstQualified()) { + if (const Expr *Init = FD->getInClassInitializer()) { + if (Optional V = svalBuilder.getConstantVal(Init)) + return *V; + } + } + + // If the containing record was initialized, try to get its constant value. + const MemRegion* superR = R->getSuperRegion(); + if (const VarRegion *VR = dyn_cast(superR)) { + const VarDecl *VD = VR->getDecl(); + QualType RecordVarTy = VD->getType(); + // Either the record variable or the field has to be const qualified. + if (RecordVarTy.isConstQualified() || Ty.isConstQualified()) { + if (const Expr *Init = VD->getInit()) { + if (const InitListExpr *InitList = dyn_cast(Init)) { + if (const Expr *FieldInit = InitList->getInit(FD->getFieldIndex())) { + if (Optional V = svalBuilder.getConstantVal(FieldInit)) + return *V; + } + } + } + } + } + return getBindingForFieldOrElementCommon(B, R, Ty); } Index: lib/StaticAnalyzer/Core/SValBuilder.cpp =================================================================== --- lib/StaticAnalyzer/Core/SValBuilder.cpp +++ lib/StaticAnalyzer/Core/SValBuilder.cpp @@ -119,7 +119,7 @@ if (T->isNullPtrType()) return makeZeroVal(T); - + if (!SymbolManager::canSymbolicate(T)) return UnknownVal(); @@ -328,12 +328,19 @@ case Stmt::CXXNullPtrLiteralExprClass: return makeNull(); + case Stmt::CStyleCastExprClass: + case Stmt::CXXFunctionalCastExprClass: + case Stmt::CXXConstCastExprClass: + case Stmt::CXXReinterpretCastExprClass: + case Stmt::CXXStaticCastExprClass: case Stmt::ImplicitCastExprClass: { const auto *CE = cast(E); switch (CE->getCastKind()) { default: break; case CK_ArrayToPointerDecay: + case CK_IntegralToPointer: + case CK_NoOp: case CK_BitCast: { const Expr *SE = CE->getSubExpr(); Optional Val = getConstantVal(SE); Index: test/Analysis/globals.cpp =================================================================== --- test/Analysis/globals.cpp +++ test/Analysis/globals.cpp @@ -0,0 +1,101 @@ +// RUN: %clang_analyze_cc1 -analyzer-checker=core -verify %s + + +static const unsigned long long scull = 0; +void static_int() +{ + *(int*)scull = 0; // expected-warning{{Dereference of null pointer}} +} + +const unsigned long long cull = 0; +void const_int() +{ + *(int*)cull = 0; // expected-warning{{Dereference of null pointer}} +} + +static int * const spc = 0; +void static_ptr() +{ + *spc = 0; // expected-warning{{Dereference of null pointer}} +} + +int * const pc = 0; +void const_ptr() +{ + *pc = 0; // expected-warning{{Dereference of null pointer}} +} + +const unsigned long long cull_nonnull = 4; +void nonnull_int() +{ + *(int*)(cull_nonnull - 4) = 0; // expected-warning{{Dereference of null pointer}} +} + +int * const pc_nonnull = (int*)sizeof(int); +void nonnull_ptr() +{ + *(pc_nonnull - 1) = 0; // expected-warning{{Dereference of null pointer}} +} + +int * const constcast = const_cast((int*)sizeof(int)); +void cast1() +{ + *(constcast - 1) = 0; // expected-warning{{Dereference of null pointer}} +} + +int * const recast = reinterpret_cast(sizeof(int)); +void cast2() +{ + *(recast - 1) = 0; // expected-warning{{Dereference of null pointer}} +} + +int * const staticcast = static_cast((int*)sizeof(int)); +void cast3() +{ + *(staticcast - 1) = 0; // expected-warning{{Dereference of null pointer}} +} + +struct Foo { int a; }; +Foo * const dyncast = dynamic_cast((Foo*)sizeof(Foo)); +void cast4() +{ + // Do not handle dynamic_cast for now, because it may change the pointer value. + (dyncast - 1)->a = 0; // no-warning +} + +typedef int * const intptrconst; +int * const funccast = intptrconst(sizeof(int)); +void cast5() +{ + *(funccast - 1) = 0; // expected-warning{{Dereference of null pointer}} +} + +struct S1 +{ + int * p; +}; +const S1 s1 = { + .p = (int*)sizeof(int) +}; +void conststruct() +{ + *(s1.p - 1) = 0; // expected-warning{{Dereference of null pointer}} +} + +struct S2 +{ + int * const p; +}; +S2 s2 = { + .p = (int*)sizeof(int) +}; +void constfield() +{ + *(s2.p - 1) = 0; // expected-warning{{Dereference of null pointer}} +} + +int * const parr[1] = { (int*)sizeof(int) }; +void constarr() +{ + *(parr[0] - 1) = 0; // expected-warning{{Dereference of null pointer}} +}