Open
Description
This is a follow-up to issue #190, dealing with the same example:
```c
void foo() {
int *p = ({ int *q = malloc(sizeof(int)*3); q; });
p[1] = 2;
}
```
In #190, we discussed that inference fails with statement expressions, and currently there is a method of adding a flow between `p` and `q` exactly as we wanted.
So for instance,
```c
void foo() {
int *p;
p = ({int *q = malloc(3*sizeof(int)); q[2] = 1; q;});
p[1] = 2;
}
```
gets converted to:
```c
void foo() {
_Array_ptr<int> p : count(3) = ((void *)0) ;
p = ({_Array_ptr<int> q : count(3) = malloc(3*sizeof(int)); q[2] = 1; q;});
p[1] = 2;
}
```
We can notice that `p` has the correct bounds information and that a flow from `p` to `q` and a flow from `q` to `p` now exist.
However, when we try to convert a similar program where the declaration and initialization happen on the same line:
```c
void foo() {
int *p = ({int *q = malloc(sizeof(int)*3); q[2] = 1; q;});
p[1] = 2;
}
```
`q` does not get rewritten:
```c
void foo() {
_Array_ptr<int> p : count(3) = ({int *q = malloc(3*sizeof(int)); q[2] = 1; q;});
p[1] = 3;
}
```
The constraint graphs generated by both of these programs are identical, indicating that the flow we want is being generated. This means `q` not getting rewritten is most probably a result of the rewriter.
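A small regression check for the behaviour described above (an added example, not part of this issue or of 3C itself): it scans converted output for a variable that was rewritten to `_Array_ptr` but is assigned from a statement expression whose result variable is still declared as a raw pointer. The two inputs are constructed from the output shown in the issue and from the rewrite the text says was expected; the regexes assume the `name : count(...) = ({ ... })` shapes seen here.

```python
import re

# Constructed inputs: the 3C output reported in the issue (q left as a raw
# pointer) and the output the issue says should have been produced.
REPORTED_OUTPUT = """void foo() {
_Array_ptr<int> p : count(3) = ({int *q = malloc(3*sizeof(int)); q[2] = 1; q;});
p[1] = 3;
}
"""
EXPECTED_OUTPUT = """void foo() {
_Array_ptr<int> p : count(3) = ({_Array_ptr<int> q : count(3) = malloc(3*sizeof(int)); q[2] = 1; q;});
p[1] = 3;
}
"""

# Names declared as _Array_ptr anywhere in the output.
CHECKED_DECL = re.compile(r'_Array_ptr<[^>]+>\s+(\w+)')
# `lhs [: count(...)] = ({ body })`, which covers both the declaration-with-
# initializer form and the separate-assignment form shown in the issue.
STMT_EXPR_ASSIGN = re.compile(
    r'(?P<lhs>\w+)\s*(?::\s*count\([^)]*\))?\s*=\s*\(\{(?P<body>.*?)\}\)', re.DOTALL)


def raw_pointer_results(src):
    """Return (lhs, result) pairs where lhs was rewritten to _Array_ptr but the
    variable yielded by the statement expression it is assigned from is still
    declared as a raw pointer inside that statement expression."""
    checked = set(CHECKED_DECL.findall(src))
    findings = []
    for m in STMT_EXPR_ASSIGN.finditer(src):
        lhs, body = m.group('lhs'), m.group('body')
        if lhs not in checked:
            continue
        stmts = [s.strip() for s in body.split(';') if s.strip()]
        result = stmts[-1] if stmts else ''
        if not re.fullmatch(r'\w+', result):
            continue  # the statement expression does not yield a plain variable
        decl = re.search(r'(_Array_ptr<[^>]+>|_Ptr<[^>]+>|\w+\s*\*+)\s*'
                         + re.escape(result) + r'\b', body)
        if decl and not decl.group(1).startswith(('_Array_ptr', '_Ptr')):
            findings.append((lhs, result))
    return findings


if __name__ == '__main__':
    print(raw_pointer_results(REPORTED_OUTPUT))  # [('p', 'q')]
    print(raw_pointer_results(EXPECTED_OUTPUT))  # []
```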