From 3f31d3204bd2726fa8e5c56ea27c8bba0074790e Mon Sep 17 00:00:00 2001
From: Martin Braenne <mboehme@google.com>
Date: Mon, 12 Jun 2023 08:11:03 +0000
Subject: [PATCH] [clang][dataflow] Model pointer value for builtin functions.

This fixes a false positive in the Crubit nullability verification.

Reviewed By: gribozavr2

Differential Revision: https://reviews.llvm.org/D152683
---
 clang/lib/Analysis/FlowSensitive/Transfer.cpp |  3 +-
 .../Analysis/FlowSensitive/TransferTest.cpp   | 33 +++++++++++++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/clang/lib/Analysis/FlowSensitive/Transfer.cpp b/clang/lib/Analysis/FlowSensitive/Transfer.cpp
index 8547e5049261..e0cb872cfa37 100644
--- a/clang/lib/Analysis/FlowSensitive/Transfer.cpp
+++ b/clang/lib/Analysis/FlowSensitive/Transfer.cpp
@@ -400,7 +400,8 @@ public:
       Env.setValue(Loc, NullPointerVal);
       break;
     }
-    case CK_FunctionToPointerDecay: {
+    case CK_FunctionToPointerDecay:
+    case CK_BuiltinFnToFnPtr: {
       StorageLocation *PointeeLoc =
           Env.getStorageLocation(*SubExpr, SkipPast::Reference);
       if (PointeeLoc == nullptr)
diff --git a/clang/unittests/Analysis/FlowSensitive/TransferTest.cpp b/clang/unittests/Analysis/FlowSensitive/TransferTest.cpp
index 1a2442f0b12d..7077f7344a85 100644
--- a/clang/unittests/Analysis/FlowSensitive/TransferTest.cpp
+++ b/clang/unittests/Analysis/FlowSensitive/TransferTest.cpp
@@ -5327,4 +5327,37 @@ TEST(TransferTest, FunctionToPointerDecayHasValue) {
       });
 }
 
+// Check that the pointer that a builtin function decays to is associated with
+// a value.
+TEST(TransferTest, BuiltinFunctionModeled) {
+  std::string Code = R"(
+    void target() {
+      __builtin_expect(0, 0);
+      // [[p]]
+    }
+  )";
+  runDataflow(
+      Code,
+      [](const llvm::StringMap<DataflowAnalysisState<NoopLattice>> &Results,
+         ASTContext &ASTCtx) {
+        using ast_matchers::selectFirst;
+        using ast_matchers::match;
+        using ast_matchers::traverse;
+        using ast_matchers::implicitCastExpr;
+        using ast_matchers::hasCastKind;
+
+        const Environment &Env = getEnvironmentAtAnnotation(Results, "p");
+
+        auto *ImplicitCast = selectFirst<ImplicitCastExpr>(
+            "implicit_cast",
+            match(traverse(TK_AsIs,
+                           implicitCastExpr(hasCastKind(CK_BuiltinFnToFnPtr))
+                               .bind("implicit_cast")),
+                  ASTCtx));
+
+        ASSERT_THAT(ImplicitCast, NotNull());
+        EXPECT_THAT(Env.getValueStrict(*ImplicitCast), NotNull());
+      });
+}
+
 } // namespace
-- 
2.34.1