From: Abbas Sabra Date: Tue, 9 Jun 2020 09:49:47 +0000 (+0300) Subject: [analyzer] LoopWidening: fix crash by avoiding aliased references invalidation X-Git-Tag: llvmorg-12-init~3654 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=29353e69d25c0f13cd2704ce2269af464d0751a8;p=platform%2Fupstream%2Fllvm.git [analyzer] LoopWidening: fix crash by avoiding aliased references invalidation Summary: LoopWidening is invalidating references coming from type aliases which lead to a crash. Patch by Abbas Sabra! Differential Revision: https://reviews.llvm.org/D80669 --- diff --git a/clang/lib/StaticAnalyzer/Core/LoopWidening.cpp b/clang/lib/StaticAnalyzer/Core/LoopWidening.cpp index 9a7b1a2..47e34dd 100644 --- a/clang/lib/StaticAnalyzer/Core/LoopWidening.cpp +++ b/clang/lib/StaticAnalyzer/Core/LoopWidening.cpp @@ -67,8 +67,10 @@ ProgramStateRef getWidenedLoopState(ProgramStateRef PrevState, } // References should not be invalidated. - auto Matches = match(findAll(stmt(hasDescendant(varDecl(hasType(referenceType())).bind(MatchRef)))), - *LCtx->getDecl()->getBody(), ASTCtx); + auto Matches = match( + findAll(stmt(hasDescendant( + varDecl(hasType(hasCanonicalType(referenceType()))).bind(MatchRef)))), + *LCtx->getDecl()->getBody(), ASTCtx); for (BoundNodes Match : Matches) { const VarDecl *VD = Match.getNodeAs(MatchRef); assert(VD); diff --git a/clang/test/Analysis/loop-widening-preserve-reference-type.cpp b/clang/test/Analysis/loop-widening-preserve-reference-type.cpp index b5746d1..38dcb4f 100644 --- a/clang/test/Analysis/loop-widening-preserve-reference-type.cpp +++ b/clang/test/Analysis/loop-widening-preserve-reference-type.cpp 
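Review bot: The comment above the rewritten matcher in LoopWidening.cpp still reads only `// References should not be invalidated.` and does not say why the canonical type is consulted, so a later cleanup could drop `hasCanonicalType` and reintroduce the crash the commit message describes. I would extend it to something like `// Match on the canonical type so that references declared through a typedef or alias (e.g. 'using AR = const A &;') are preserved as well.` getWidenedLoopState starts and ends outside the hunk, so how the bound declarations feed the invalidation step is not visible here.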
@@ -12,3 +12,11 @@ void invalid_type_region_access() { for (int i = 0; i < 10; ++i) { } clang_analyzer_eval(&x != 0); // expected-warning{{TRUE}} } // expected-warning@-1{{reference cannot be bound to dereferenced null pointer in well-defined C++ code; comparison may be assumed to always evaluate to true}} + +using AR = const A &; +void invalid_type_alias_region_access() { + AR x = B(); + for (int i = 0; i < 10; ++i) { + } + clang_analyzer_eval(&x != 0); // expected-warning{{TRUE}} +} // expected-warning@-1{{reference cannot be bound to dereferenced null pointer in well-defined C++ code; comparison may be assumed to always evaluate to true}}
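Review bot: The added regression test `invalid_type_alias_region_access` covers only a single-level `using` alias of a const lvalue reference, while the matcher change strips all type sugar. One more case would pin the behaviour for nested sugar, for example `using AR2 = AR;` with `AR2 y = B();` followed by the same loop and `clang_analyzer_eval(&y != 0);` check. A `typedef` spelling or an rvalue-reference alias would be reasonable additions for the same reason. The expected-warning annotations would presumably mirror the ones already on the new function.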