[analyzer] Correctly handle destructors for lifetime-extended temporaries.
The lifetime of a temporary can be extended when it is immediately bound
to a local reference:
const Value &MyVal = Value("temporary");
In this case, the temporary object's lifetime is extended for the entire
scope of the reference; at the end of the scope it is destroyed.
The analyzer was modeling this improperly in two ways:
- Since we don't model temporary constructors just yet, we create a fake
temporary region when it comes time to "materialize" a temporary into
a real object (lvalue). This wasn't taking base casts into account when
the bindings being materialized was Unknown; now it always respects base
casts except when the temporary region is itself a pointer.
- When actually destroying the region, the analyzer did not actually load
from the reference variable -- it was basically destroying the reference
instead of its referent. Now it does do the load.
This will be more useful whenever we finally start modeling temporaries,
or at least those that get bound to local reference variables.
<rdar://problem/13552274>
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178697 91177308-0d34-0410-b5e6-96231b3b80d8
diff --git a/lib/StaticAnalyzer/Core/ExprEngine.cpp b/lib/StaticAnalyzer/Core/ExprEngine.cpp
index ffc382f..5746bfb 100644
--- a/lib/StaticAnalyzer/Core/ExprEngine.cpp
+++ b/lib/StaticAnalyzer/Core/ExprEngine.cpp
@@ -171,18 +171,28 @@
const Expr *Ex,
const Expr *Result) {
SVal V = State->getSVal(Ex, LC);
- if (!Result && !V.getAs<NonLoc>())
- return State;
+ if (!Result) {
+ // If we don't have an explicit result expression, we're in "if needed"
+ // mode. Only create a region if the current value is a NonLoc.
+ if (!V.getAs<NonLoc>())
+ return State;
+ Result = Ex;
+ } else {
+ // We need to create a region no matter what. For sanity, make sure we don't
+ // try to stuff a Loc into a non-pointer temporary region.
+ assert(!V.getAs<Loc>() || Loc::isLocType(Result->getType()));
+ }
ProgramStateManager &StateMgr = State->getStateManager();
MemRegionManager &MRMgr = StateMgr.getRegionManager();
StoreManager &StoreMgr = StateMgr.getStoreManager();
// We need to be careful about treating a derived type's value as
- // bindings for a base type. Start by stripping and recording base casts.
+ // bindings for a base type. Unless we're creating a temporary pointer region,
+ // start by stripping and recording base casts.
SmallVector<const CastExpr *, 4> Casts;
const Expr *Inner = Ex->IgnoreParens();
- if (V.getAs<NonLoc>()) {
+ if (!Loc::isLocType(Result->getType())) {
while (const CastExpr *CE = dyn_cast<CastExpr>(Inner)) {
if (CE->getCastKind() == CK_DerivedToBase ||
CE->getCastKind() == CK_UncheckedDerivedToBase)
@@ -195,8 +205,13 @@
}
// Create a temporary object region for the inner expression (which may have
- // a more derived type) and bind the NonLoc value into it.
- SVal Reg = loc::MemRegionVal(MRMgr.getCXXTempObjectRegion(Inner, LC));
+ // a more derived type) and bind the value into it.
+ const TypedValueRegion *TR = MRMgr.getCXXTempObjectRegion(Inner, LC);
+ SVal Reg = loc::MemRegionVal(TR);
+
+ if (V.isUnknown())
+ V = getSValBuilder().conjureSymbolVal(Result, LC, TR->getValueType(),
+ currBldrCtx->blockCount());
State = State->bindLoc(Reg, V);
// Re-apply the casts (from innermost to outermost) for type sanity.
@@ -206,7 +221,7 @@
Reg = StoreMgr.evalDerivedToBase(Reg, *I);
}
- State = State->BindExpr(Result ? Result : Ex, LC, Reg);
+ State = State->BindExpr(Result, LC, Reg);
return State;
}
@@ -515,18 +530,20 @@
void ExprEngine::ProcessAutomaticObjDtor(const CFGAutomaticObjDtor Dtor,
ExplodedNode *Pred,
ExplodedNodeSet &Dst) {
- ProgramStateRef state = Pred->getState();
const VarDecl *varDecl = Dtor.getVarDecl();
-
QualType varType = varDecl->getType();
- if (const ReferenceType *refType = varType->getAs<ReferenceType>())
+ ProgramStateRef state = Pred->getState();
+ SVal dest = state->getLValue(varDecl, Pred->getLocationContext());
+ const MemRegion *Region = dest.castAs<loc::MemRegionVal>().getRegion();
+
+ if (const ReferenceType *refType = varType->getAs<ReferenceType>()) {
varType = refType->getPointeeType();
+ Region = state->getSVal(Region).getAsRegion();
+ }
- Loc dest = state->getLValue(varDecl, Pred->getLocationContext());
-
- VisitCXXDestructor(varType, dest.castAs<loc::MemRegionVal>().getRegion(),
- Dtor.getTriggerStmt(), /*IsBase=*/ false, Pred, Dst);
+ VisitCXXDestructor(varType, Region, Dtor.getTriggerStmt(), /*IsBase=*/ false,
+ Pred, Dst);
}
void ExprEngine::ProcessBaseDtor(const CFGBaseDtor D,
diff --git a/test/Analysis/dtor.cpp b/test/Analysis/dtor.cpp
index a308237..18cd985 100644
--- a/test/Analysis/dtor.cpp
+++ b/test/Analysis/dtor.cpp
@@ -328,3 +328,76 @@
clang_analyzer_eval(j == 42); // expected-warning{{UNKNOWN}}
}
}
+
+namespace LifetimeExtension {
+ struct IntWrapper {
+ int x;
+ IntWrapper(int y) : x(y) {}
+ IntWrapper() {
+ extern void use(int);
+ use(x); // no-warning
+ }
+ };
+
+ struct DerivedWrapper : public IntWrapper {
+ DerivedWrapper(int y) : IntWrapper(y) {}
+ };
+
+ DerivedWrapper get() {
+ return DerivedWrapper(1);
+ }
+
+ void test() {
+ const DerivedWrapper &d = get(); // lifetime extended here
+ }
+
+
+ class SaveOnDestruct {
+ public:
+ static int lastOutput;
+ int value;
+
+ SaveOnDestruct();
+ ~SaveOnDestruct() {
+ lastOutput = value;
+ }
+ };
+
+ void testSimple() {
+ {
+ const SaveOnDestruct &obj = SaveOnDestruct();
+ if (obj.value != 42)
+ return;
+ // destructor called here
+ }
+
+ clang_analyzer_eval(SaveOnDestruct::lastOutput == 42); // expected-warning{{TRUE}}
+ }
+
+ class VirtualDtorBase {
+ public:
+ int value;
+ virtual ~VirtualDtorBase() {}
+ };
+
+ class SaveOnVirtualDestruct : public VirtualDtorBase {
+ public:
+ static int lastOutput;
+
+ SaveOnVirtualDestruct();
+ virtual ~SaveOnVirtualDestruct() {
+ lastOutput = value;
+ }
+ };
+
+ void testVirtual() {
+ {
+ const VirtualDtorBase &obj = SaveOnVirtualDestruct();
+ if (obj.value != 42)
+ return;
+ // destructor called here
+ }
+
+ clang_analyzer_eval(SaveOnVirtualDestruct::lastOutput == 42); // expected-warning{{TRUE}}
+ }
+}
