Fixed a horribly insidious bit-masking bug in the implementation of

ExplodedNode that would occasionally result in heap corruption. llvm-svn: 47956
2026-02-07 16:11:27 +08:00 · 2008-03-05 19:08:55 +00:00
parent df4a5b9047
commit c156f1ffc6
2 changed files with 14 additions and 4 deletions
--- a/clang/Analysis/ExplodedGraph.cpp
+++ b/clang/Analysis/ExplodedGraph.cpp
@@ -23,18 +23,28 @@ static inline std::vector<ExplodedNodeImpl*>& getVector(void* P) {
 }

 void ExplodedNodeImpl::NodeGroup::addNode(ExplodedNodeImpl* N) {
+  
+  assert ((reinterpret_cast<uintptr_t>(N) & Mask) == 0x0);
+  
  if (getKind() == Size1) {
    if (ExplodedNodeImpl* NOld = getNode()) {
      std::vector<ExplodedNodeImpl*>* V = new std::vector<ExplodedNodeImpl*>();
+      assert ((reinterpret_cast<uintptr_t>(V) & Mask) == 0x0);
      V->push_back(NOld);
      V->push_back(N);
      P = reinterpret_cast<uintptr_t>(V) | SizeOther;
+      assert (getPtr() == (void*) V);
+      assert (getKind() == SizeOther);
    }
-    else
+    else {
      P = reinterpret_cast<uintptr_t>(N);
+      assert (getKind() == Size1);
+    }
  }
-  else
+  else {
+    assert (getKind() == SizeOther);
    getVector(getPtr()).push_back(N);
+  }
 }

 bool ExplodedNodeImpl::NodeGroup::empty() const {
@@ -62,7 +72,7 @@ ExplodedNodeImpl** ExplodedNodeImpl::NodeGroup::end() const {
  if (getKind() == Size1)
    return (ExplodedNodeImpl**) (P ? &P+1 : &P);
  else
-    return const_cast<ExplodedNodeImpl**>(&*(getVector(getPtr()).rbegin())+1);
+    return const_cast<ExplodedNodeImpl**>(&*(getVector(getPtr()).end()));
 }

 ExplodedNodeImpl::NodeGroup::~NodeGroup() {
--- a/clang/include/clang/Analysis/PathSensitive/ExplodedGraph.h
+++ b/clang/include/clang/Analysis/PathSensitive/ExplodedGraph.h
@@ -51,7 +51,7 @@ protected:
    uintptr_t P;
    
    unsigned getKind() const {
-      return P & Mask;
+      return P & 0x1;
    }
    
    void* getPtr() const {