This is an archive of the discontinued LLVM Phabricator instance.

Differential D34275

[analyzer] Re-implemente current virtual calls checker in a path-sensitive way
ClosedPublic

Authored by wangxindsb on Jun 16 2017, 6:31 AM.

Details

Reviewers
xazax.hun
NoQ
dcoughlin
Commits
rG857ccd291976: [analyzer][GSoC] Re-implemente current virtual calls checker in a path…
rC311877: [analyzer][GSoC] Re-implemente current virtual calls checker in a path…
rL311877: [analyzer][GSoC] Re-implemente current virtual calls checker in a path…
Summary

This implement a path-sensitive checker that warns if virtual calls are made from constructors and destructors.

The checker use the GDM (generic data map) to store three integers in the program state for constructors, destructors and objects. Once enter one of these is entered, increase the corresponding integer, once leave, decrease the corresponding integer. In a PreCall callback, the checker first check if a virtual method is called and the GDM meets the conditions, if yes, a warning will be issued.

The checker also include a bug reporter visitor to add an extra note when the last constructor/destructor was called before the call to the virtual function.

Diff Detail

Repository
rL LLVM

Event Timeline

wangxindsb created this revision.Jun 16 2017, 6:31 AM
xazax.hun edited edge metadata.Jun 20 2017, 1:38 AM

I do not see any test cases for this patch. Could you add them as well?

Are you sure that this representation is ok?
How do you handle the following case?

struct A {
  A() {
    X x;
    x.virtualMethod(); // this virtual call is ok
  }
}
int main() {
  A a;
}
VirtualCallChecker.cpp
44 ↗(On Diff #102812)

The name of this flag is not descriptive enough. Please choose a name that refers to what are you using this value for.

79 ↗(On Diff #102812)

Variable names should start with uppercase letter.

83 ↗(On Diff #102812)

Are you sure that the LCtx->getDecl can not return null?

114 ↗(On Diff #102812)

Do you need this cast here?

119 ↗(On Diff #102812)

Querying the state is not free, I think you should also query something from the state once you are sure that you will need that.

158 ↗(On Diff #102812)

I don't think this is the right approach. Once you increased the ObjectFlag on a path, you will never report anything on that path anymore. I think it might be better to have a map from Symbols (representing this) to ctor/dtors or some other approach.

260 ↗(On Diff #102812)

The formatting seems to be off here I recommend using clang format.

wangxindsb updated this revision to Diff 103180.Jun 20 2017, 3:52 AM

Add test case for the patch

wangxindsb added a comment.Jun 20 2017, 4:15 AM

I do not see any test cases for this patch. Could you add them as well?

I add the test case just now.

How do you handle the following case?

struct A {
  A() {
    X x;
    x.virtualMethod(); // this virtual call is ok
  }
}
int main() {
  A a;
}

I use the checker to check the code above, the checker works as expect and doesn't throw the warning.

xazax.hun added a comment.Jun 20 2017, 4:34 AM

Note that when you update the differential revision you need to upload the whole diff. Your diff now only contains the tests but not the code.

In D34275#785189, @wangxindsb wrote:

How do you handle the following case?

struct A {
  A() {
    X x;
    x.virtualMethod(); // this virtual call is ok
  }
}
int main() {
  A a;
}

I use the checker to check the code above, the checker works as expect and doesn't throw the warning.

What about:

struct A {
  A() {
    X x;
    x.virtualMethod(); // this virtual call is ok
    foo(); // should warn here
  }
  virtual foo();
}
int main() {
  A a;
}

Does the checker warn on the second call?

virtualcall.cpp
1 ↗(On Diff #103180)

Please add the appropriate run lines so you can run the tests using make check.

wangxindsb added a comment.Jun 20 2017, 6:00 AM

What about:

struct A {
  A() {
    X x;
    x.virtualMethod(); // this virtual call is ok
    foo(); // should warn here
  }
  virtual foo();
}
int main() {
  A a;
}

Does the checker warn on the second call?

Yes, the checker warn on the second call.

wangxindsb updated this revision to Diff 103196.Jun 20 2017, 6:22 AM

Add test case for the virtual call checker.

wangxindsb updated this revision to Diff 103199.Jun 20 2017, 6:33 AM

Add run line in the test case.

xiangzhai added a subscriber: xiangzhai.Jun 20 2017, 7:47 AM
wangxindsb marked 5 inline comments as done.Jun 20 2017, 9:01 AM
wangxindsb added inline comments.
VirtualCallChecker.cpp
260 ↗(On Diff #102812)

Sorry, can you explain what this means?

wangxindsb updated this revision to Diff 103214.Jun 20 2017, 9:08 AM

Correct some error in VirtualCallChecker.cpp.
Complete the test case.

xazax.hun added a comment.Jun 21 2017, 1:14 AM
In D34275#785294, @wangxindsb wrote:

What about:

struct A {
  A() {
    X x;
    x.virtualMethod(); // this virtual call is ok
    foo(); // should warn here
  }
  virtual foo();
}
int main() {
  A a;
}

Does the checker warn on the second call?

Yes, the checker warn on the second call.

Oh, I think I see how it works now. How about:

struct A;
struct X {
   void callFooOfA(A*);
};
struct A {
  A() {
    X x;
    x.virtualMethod(); // this virtual call is ok
    x.callFooOfA(this)
  }
  virtual foo();
};
void X::callFooOfA(A* a) {
   a->foo(); // Would be good to warn here. 
}
int main() {
  A a;
}
lib/StaticAnalyzer/Checkers/VirtualCallChecker.cpp
1 ↗(On Diff #103214)

Please add the license back.

wangxindsb added a comment.Jun 21 2017, 4:34 AM

> Oh, I think I see how it works now. How about:

struct A;
struct X {
   void callFooOfA(A*);
};
struct A {
  A() {
    X x;
    x.virtualMethod(); // this virtual call is ok
    x.callFooOfA(this)
  }
  virtual foo();
};
void X::callFooOfA(A* a) {
   a->foo(); // Would be good to warn here. 
}
int main() {
  A a;
}

Yes, you are right, the checker doesn't warn on the a->foo();. I will fix this error soon.

Thanks,
Xin

wangxindsb updated this revision to Diff 103832.Jun 24 2017, 12:04 AM

Add license to VirtualCallChecker.cpp

wangxindsb updated this revision to Diff 104201.Jun 27 2017, 10:31 AM
wangxindsb marked an inline comment as done.

-Fix the bug of the virtual call during a function call of the object.
-Add flag for the PUREONLY.

xazax.hun added inline comments.Jun 29 2017, 12:44 AM
lib/StaticAnalyzer/Checkers/VirtualCallChecker.cpp
31 ↗(On Diff #104201)

Could you find more descriptive names for these BugTypes?

35 ↗(On Diff #104201)

Comments should be full sentences, this means they should be terminated with a period.

36 ↗(On Diff #104201)

Variables should start with capital letters.

xazax.hun added inline comments.Jun 29 2017, 12:44 AM
lib/StaticAnalyzer/Checkers/VirtualCallChecker.cpp
32 ↗(On Diff #104201)

I'd rather have one bug type, describing a call to a virtual function from ctor/dtor. The actual error message can clarify whether this is a call from ctor or from dtor and whether it is pure virtual. You do not need to reflect every detail in the bug type.

40 ↗(On Diff #104201)

The names of the arguments should start with an uppercase letter.

72 ↗(On Diff #104201)

Do you need these traits above after having the maps bellow?

96 ↗(On Diff #104201)

The formatting here seems to be off, could you run clang-format on the code? This is a tool that can format the code to comply with the LLVM formatting style guide.

129 ↗(On Diff #104201)

I think you do not need the or_null suffix here since the argument of this cast will never be null.

141 ↗(On Diff #104201)

If you do not use the result of dyn_cast, you could use isa instead. Even better, you could reuse CC or DC in this check.

168 ↗(On Diff #104201)

Shouldn't this be const?

192 ↗(On Diff #104201)

In LLVM we do not write the braces for conditionals that guarding a single statement.

218 ↗(On Diff #104201)

In case of calling a pure virtual function maybe it would be better to stop the analysis, i.e.: creating a fatal error node.
Also, these functions might fail to give you back an ExplodedNode, so I think you should have a check here for that case.

314 ↗(On Diff #104201)

Can getParent ever return null? Maybe you do not need the or_null suffix in the cast.
Moreover are you sure that this method works? In case the function was a method, the parent should be the CXXRecordDecl, not a CXXMethodDecl.

332 ↗(On Diff #104201)

Maybe instead of callExpr, you should get CXXInstanceCall, which has a getCXXThisVal method.

wangxindsb updated this revision to Diff 105440.Jul 6 2017, 8:43 AM
  • Rename the BugType.
  • Correct the code style to be clang format.
  • Rename the arguments to start with uppercase letter.
  • Add the support to check for the constructor called by the New expr.

You don't need to put effort to review the code, because I will make some changes to the bug report system and the GDM of the checker which has not been done now.

wangxindsb added inline comments.Jul 6 2017, 8:46 AM
lib/StaticAnalyzer/Checkers/VirtualCallChecker.cpp
332 ↗(On Diff #104201)

I tried to use the CXXInstanceCall, but I can't use it to get the expr which call the function.

wangxindsb updated this revision to Diff 105737.Jul 8 2017, 4:27 AM
  • Change the two bugtype to one.
  • Use the generateErrorNode() for the pure virtual call.
  • Change the test case for the new expression.
wangxindsb updated this revision to Diff 105738.Jul 8 2017, 4:44 AM
  • Change the two bugtype to one.
  • Use the generateErrorNode() for the pure virtual call.
  • Change the test case for the new expression.
wangxindsb updated this revision to Diff 105760.Jul 9 2017, 6:05 AM
wangxindsb marked an inline comment as done.
  • Use the map of object to ctor/dtor to check the virtual call.
  • Use CXXInstanceCall and getCXXThisVal method to get the 'this' instead of getThisSVal().
  • Correct some format errors.
wangxindsb marked 11 inline comments as done.Jul 9 2017, 6:09 AM

Look forward to your review.

xazax.hun added a comment.Jul 10 2017, 1:03 AM

You are making a pretty good progress!
I think right now there is some code duplication that could be reduced, but otherwise, the checker starts to look really good.

lib/StaticAnalyzer/Checkers/VirtualCallChecker.cpp
43 ↗(On Diff #105760)

This could be maybe a free static function instead of a method?

47 ↗(On Diff #105760)

Maybe instead of Region the name could be more specific? I.e. the ThisRegion? Or ObjectRegion?

101 ↗(On Diff #105760)

In the warning messages we usually enclose the source code snippets (e.g.: declaration names) in single quotes.

135 ↗(On Diff #105760)

getting the SValBuilder is cheap, maybe you could hoist it from the if statements.

146 ↗(On Diff #105760)

The code of this function is almost completely identical with the checkBegin. I was thinking about abstracting this into a separate function with a bool argument to determine whether we would like to add something to the GDM or remove it.

186 ↗(On Diff #105760)

Maybe you could cast this to CXXMemberCall instead. If that cast succeed, than you do not need to check the Call.getDecl() and also do not need to check for ctor/dtor calls.

199 ↗(On Diff #105760)

Maybe it would be cleaner to early return if the call is not virtual and remove it from these two if statements.

213 ↗(On Diff #105760)

Maybe you could extract the error reporting into a separate function with two arguments: the error message, and whether it should generate an error node.

wangxindsb updated this revision to Diff 106204.Jul 12 2017, 7:29 AM
  • Change IsVirtualCall(const CallExpr *CE) to be a free static function.
  • Rename some variables.
  • Improve the BugReporterVisitor, enclose the declaration names in single quotes.
  • Hoist getSValBuilder() from the if statements.
  • Fix some code duplications.
  • Use the CXXMemberCall instead CXXInstanceCall in the CheckPreCall.
  • Remove IsVirtualCall(CE) from if statements.
  • Fix the error of the visitnode() method which may throw a wrong call graph for the code blow.
class Y {
public:
  virtual void foobar();
  Y() {
    F f1;
    foobar();
  }
};

Previous visitnode() will issue the virtual function called from the F(); Current visitnode() fix this bug.

wangxindsb marked 8 inline comments as done.Jul 12 2017, 7:31 AM
xazax.hun added a comment.Jul 12 2017, 7:55 AM

Thank you! I think we can start to run this check on real world code bases and evaluate the results.

lib/StaticAnalyzer/Checkers/VirtualCallChecker.cpp
41 ↗(On Diff #106204)

Function names should start with a lower case letter. These two could be private. I'd prefer another name for this function like registerCtorDtorCallInState.

42 ↗(On Diff #106204)

Use StringRef instead of const char *. It is more idiomatic in LLVM code.

179 ↗(On Diff #106204)

I'd omit the Msg local variable. After that, we do not need to use braces for single statement blocks.

210 ↗(On Diff #106204)

Braces for single statement blocks.

224 ↗(On Diff #106204)

Braces for single statement blocks.

238 ↗(On Diff #106204)

Do not use braces for single statement blocks.

wangxindsb marked 6 inline comments as done.Jul 12 2017, 9:41 AM
wangxindsb updated this revision to Diff 106243.Jul 12 2017, 9:43 AM
  • Change function name to start with a lower case letter.
  • Use StringRef instead of `const char * ' for ReportBug() const.
  • Correct the braces for single statement blocks.
xazax.hun added inline comments.Jul 14 2017, 6:21 AM
lib/StaticAnalyzer/Checkers/VirtualCallChecker.cpp
72 ↗(On Diff #106243)

I was wondering if there is another way to represent the state.
We could have a two element (bool based) enum class like:

enum class ObjectState : bool {
  CtorCalled,
  DtorCalled
};

Se we could have only one map in the GDM. Either the destructor is called for an object or the constructor. Or in case none of them is called on a path, the state is empty. What do you think?

86 ↗(On Diff #106243)

You could move the declarations of PSM and SVB after the next early return.

107 ↗(On Diff #106243)

You could eliminate this local variable.

169 ↗(On Diff #106243)

These two checks could be moved before you query the CXXThisVal.

247 ↗(On Diff #106243)

This return is redundant.

wangxindsb marked 5 inline comments as done.Jul 14 2017, 10:05 AM
wangxindsb added inline comments.
lib/StaticAnalyzer/Checkers/VirtualCallChecker.cpp
72 ↗(On Diff #106243)

Yes, it's better than the previous two maps.

wangxindsb updated this revision to Diff 106654.Jul 14 2017, 10:05 AM
wangxindsb marked an inline comment as done.
  • Change two maps to one map.
  • Move the declarations of PSM and SVB after the next early return.
  • Delete the variable std::string DeclName.
  • Delete last return in reportbug().
wangxindsb updated this revision to Diff 108236.Jul 26 2017, 2:24 AM
  • Change the bugtype, just like the older checker.
wangxindsb updated this revision to Diff 110899.Aug 13 2017, 5:42 PM

Fix the Assertion Failed when run the checker to check the building of LibreOffice.

xazax.hun added a subscriber: NoQ.Aug 18 2017, 11:37 PM

@NoQ , @dcoughlin could either of you review this patch as well? The end of GSoC is closing and it would be awesome to be able to commit this before it ends. :)

lib/StaticAnalyzer/Checkers/VirtualCallChecker.cpp
30 ↗(On Diff #106654)

Missing namespace closing comment.

wangxindsb removed reviewers: dcoughlin, dergachev.a.Aug 19 2017, 12:06 AM
wangxindsb updated this revision to Diff 111806.Aug 19 2017, 1:01 AM

+enum class ObjectState : bool { CtorCalled, DtorCalled };
+} // end namespace

Add namespace closing comment.

wangxindsb marked an inline comment as done.Aug 19 2017, 1:02 AM
wangxindsb added reviewers: NoQ, dcoughlin.Aug 19 2017, 5:56 AM
NoQ edited edge metadata.Aug 19 2017, 9:42 AM

First of all, thanks everybody for working on this. I'd see what i can do.

lib/StaticAnalyzer/Checkers/VirtualCallChecker.cpp
29 ↗(On Diff #111806)

Please remind me what was wrong with ascending over StackFrameContexts to see if we're inside a constructor or destructor call? Why did we need a state trait here? Was it too hard to obtain this-values? (Not sure if there's time to fix this, but it might be worth it to leave a FIXME around).

56 ↗(On Diff #111806)

I wish for camelCase.

110 ↗(On Diff #111806)

I don't think this is working. CXXThisRegion is never a region of a C++ object; it's the segment of the stack where the pointer is passed, you need to dereference its value to get the actual object region.

Probably tests for the visitor might make things more clear.

194 ↗(On Diff #111806)

"Pure function" doesn't mean what we want to say here (https://en.wikipedia.org/wiki/Pure_function), i think we should stick with "pure virtual function" anyways.

test/Analysis/virtualcall.cpp
15 ↗(On Diff #111806)

Tests need fixing: expected-warning requires {{ and needs to be on the correct line.

wangxindsb marked 3 inline comments as done.Aug 19 2017, 8:16 PM
wangxindsb added inline comments.
lib/StaticAnalyzer/Checkers/VirtualCallChecker.cpp
29 ↗(On Diff #111806)

I have implement this method before, the code is on this link, virtualcallchecker using stackframe. I thought it was harder and slower than the state trait, so I gave up this method. Also, I thought this method maybe hard to add visitor. I will work on this soon.

110 ↗(On Diff #111806)
class Y {
public:
  virtual void foobar();
  void fooY() {  
    F f1;
    foobar();
  }
  Y() {
    fooY();
  }
};

I thought this test is for this situation. If the visitor is correct, it will issued "Called from this constructor 'Y'", else it will issued "Called from this constructor 'F'".

wangxindsb updated this revision to Diff 111862.Aug 19 2017, 8:19 PM
  • Rename reportbug();
  • Change message "Pure function" to "pure virtual function";
  • Fixing: expected-warning;
wangxindsb added inline comments.Aug 19 2017, 11:36 PM
lib/StaticAnalyzer/Checkers/VirtualCallChecker.cpp
31 ↗(On Diff #111862)

Add the FIXME

NoQ added a comment.Aug 21 2017, 6:34 AM

Tests are still not working - they pass now, but they don't actually test anything. Please make sure that tests actually work. Which means that

  1. Tests pass when you run make -j4 check-clang-analysis;
  2. Tests start failing when you change your code or expected-warning directives.
lib/StaticAnalyzer/Checkers/VirtualCallChecker.cpp
124–127 ↗(On Diff #111862)

Typo: "constructor", "destructor".

Also i guess we need to think about this warning message more carefully anyway. Like, we already have an "entering function..." event diagnostic piece. Because the warning always happens inside the function in question, this event would never be pruned, so it'd always be there. So what do we expect the visitor's diagnostic piece to say?

I suggest "This [constructor|destructor] of an object of type 'Foo' has not returned when the virtual method was called". With a probable future improvement of specifying the name of the object (when eg. it's a variable).

It might even be that later we'd decide that the visitor is not necessary for this checker. I'm not sure, i guess i'd have to see how it works in practice.

Also, right now the visitor's piece is above the "entering function..." event. Not sure if having it below, or even inside the constructor, would be better.

110 ↗(On Diff #111806)

Right, i didn't notice getSVal(); seems correct.

This test doesn't verify anything though, because it has no expected-warnings. Even if it had, it wouldn't verify where the visitor diagnostic appears, because without a more specific -analyzer-output option (eg. =text), the analyzer wouldn't emit visitor notes, so the -verify option would not be able to verify them.

So by visitor tests i mean adding -analyzer-output=text to the run-line and then adding expected-note directives wherever notes are expected.

test/Analysis/virtualcall.cpp
1–6 ↗(On Diff #111862)

Tests are still not working because your auto-format tool has inserted weird line breaks.

NoQ added a comment.Aug 21 2017, 7:02 AM

Most importantly, do you think we can enable the checker by default now? Was this checker evaluated on any large codebase, and if so, how many true/false positives did it find, probably compared to the old checker?

wangxindsb updated this revision to Diff 112110.Aug 21 2017, 9:25 PM
  • Fix the errors of the tests;
  • Add -analyzer-output=text to the run-line;
  • Change the message of the visitor's diagnostic piece.
wangxindsb added a comment.Aug 21 2017, 10:04 PM

@NoQ

In D34275#847434, @NoQ wrote:

Most importantly, do you think we can enable the checker by default now? Was this checker evaluated on any large codebase, and if so, how many true/false positives did it find, probably compared to the old checker?

I am now runing the checker to check the build of firefox, llvm and libreoffice. There are no alarms on the building of firefox and llvm. When use scan-build to check the building of libreoffice, the scan-build failed (this may because the scan-build. Enable or not enable the virtualcallchecker, the build failed all the same, but when I just build the libreoffice and not run the scan-build, the build worked well) and there are 105 alarms about the virtual function in ctors/dtors, I am evaluating these alarms now.

NoQ added a comment.Aug 22 2017, 12:09 AM

Thanks, works now! Apart from the minor comment on the hanging header file in the tests, this looks good and i have no further nits :)

*summons @dcoughlin to have a look at English in the warning messages*

test/Analysis/virtualcall.cpp
15–21 ↗(On Diff #112110)

I think it might be worth it to highlight that the function is pure virtual even in non-pure-only mode (if you have time for that).

137–141 ↗(On Diff #112110)

There used to be a test case in this header; we should restore the test or remove the file if it's no longer relevant.

wangxindsb updated this revision to Diff 112196.Aug 22 2017, 10:33 AM
  • Highlight pure virtual even in non-pure-only mode;
  • Add change to the header.
wangxindsb added a comment.Aug 24 2017, 5:52 AM

There are 105 alarms running the checker on the LibreOffice, 92 True positive, 13 not sure.

NoQ accepted this revision.Aug 24 2017, 7:47 AM

All right then, i approve!

There are 105 alarms running the checker on the LibreOffice, 92 True positive, 13 not sure.

That's impressively loud. I guess you can try reporting some of the bugs you've found and seeing their reactions, if you enjoy this sort of stuff (it's always the ultimate test for bug-finding tools, and it'd also hopefully make libreoffice better).

This revision is now accepted and ready to land.Aug 24 2017, 7:47 AM
Closed by commit rL311877: [analyzer][GSoC] Re-implemente current virtual calls checker in a path… (authored by xazax). · Explain WhyAug 28 2017, 1:45 AM
This revision was automatically updated to reflect the committed changes.
NoQ mentioned this in D64274: [analyzer] VirtualCallChecker overhaul..Jul 5 2019, 7:39 PM

Revision Contents

PathSize
cfe/
trunk/
lib/
StaticAnalyzer/
Checkers/
449 lines
test/
Analysis/
32 lines
266 lines

Diff 112857

cfe/trunk/lib/StaticAnalyzer/Checkers/VirtualCallChecker.cpp

//=======- VirtualCallChecker.cpp --------------------------------*- C++ -*-==// //=======- VirtualCallChecker.cpp --------------------------------*- C++ -*-==//
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is distributed under the University of Illinois Open Source // This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details. // License. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This file defines a checker that checks virtual function calls during // This file defines a checker that checks virtual function calls during
// construction or destruction of C++ objects. // construction or destruction of C++ objects.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "ClangSACheckers.h" #include "ClangSACheckers.h"
#include "clang/AST/DeclCXX.h" #include "clang/AST/DeclCXX.h"
#include "clang/AST/StmtVisitor.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "llvm/ADT/SmallString.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "llvm/Support/SaveAndRestore.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "llvm/Support/raw_ostream.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
enum class ObjectState : bool { CtorCalled, DtorCalled };
class WalkAST : public StmtVisitor<WalkAST> { } // end namespace
const CheckerBase *Checker; // FIXME: Ascending over StackFrameContext maybe another method.
BugReporter &BR;
AnalysisDeclContext *AC; namespace llvm {
template <> struct FoldingSetTrait<ObjectState> {
/// The root constructor or destructor whose callees are being analyzed. static inline void Profile(ObjectState X, FoldingSetNodeID &ID) {
const CXXMethodDecl *RootMethod = nullptr; ID.AddInteger(static_cast<int>(X));
}
/// Whether the checker should walk into bodies of called functions.
/// Controlled by the "Interprocedural" analyzer-config option.
bool IsInterprocedural = false;
/// Whether the checker should only warn for calls to pure virtual functions
/// (which is undefined behavior) or for all virtual functions (which may
/// may result in unexpected behavior).
bool ReportPureOnly = false;
typedef const CallExpr * WorkListUnit;
typedef SmallVector<WorkListUnit, 20> DFSWorkList;
/// A vector representing the worklist which has a chain of CallExprs.
DFSWorkList WList;
// PreVisited : A CallExpr to this FunctionDecl is in the worklist, but the
// body has not been visited yet.
// PostVisited : A CallExpr to this FunctionDecl is in the worklist, and the
// body has been visited.
enum Kind { NotVisited,
PreVisited, /**< A CallExpr to this FunctionDecl is in the
worklist, but the body has not yet been
visited. */
PostVisited /**< A CallExpr to this FunctionDecl is in the
worklist, and the body has been visited. */
}; };
} // end namespace llvm
/// A DenseMap that records visited states of FunctionDecls. namespace {
llvm::DenseMap<const FunctionDecl *, Kind> VisitedFunctions; class VirtualCallChecker
: public Checker<check::BeginFunction, check::EndFunction, check::PreCall> {
/// The CallExpr whose body is currently being visited. This is used for mutable std::unique_ptr<BugType> BT;
/// generating bug reports. This is null while visiting the body of a
/// constructor or destructor.
const CallExpr *visitingCallExpr;
public: public:
WalkAST(const CheckerBase *checker, BugReporter &br, AnalysisDeclContext *ac, // The flag to determine if pure virtual functions should be issued only.
const CXXMethodDecl *rootMethod, bool isInterprocedural, DefaultBool IsPureOnly;
bool reportPureOnly)
: Checker(checker), BR(br), AC(ac), RootMethod(rootMethod),
IsInterprocedural(isInterprocedural), ReportPureOnly(reportPureOnly),
visitingCallExpr(nullptr) {
// Walking should always start from either a constructor or a destructor.
assert(isa<CXXConstructorDecl>(rootMethod) ||
isa<CXXDestructorDecl>(rootMethod));
}
bool hasWork() const { return !WList.empty(); }
/// This method adds a CallExpr to the worklist and marks the callee as
/// being PreVisited.
void Enqueue(WorkListUnit WLUnit) {
const FunctionDecl *FD = WLUnit->getDirectCallee();
if (!FD || !FD->getBody())
return;
Kind &K = VisitedFunctions[FD];
if (K != NotVisited)
return;
K = PreVisited;
WList.push_back(WLUnit);
}
/// This method returns an item from the worklist without removing it. void checkBeginFunction(CheckerContext &C) const;
WorkListUnit Dequeue() { void checkEndFunction(CheckerContext &C) const;
assert(!WList.empty()); void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
return WList.back();
} private:
void registerCtorDtorCallInState(bool IsBeginFunction,
void Execute() { CheckerContext &C) const;
while (hasWork()) { void reportBug(StringRef Msg, bool PureError, const MemRegion *Reg,
WorkListUnit WLUnit = Dequeue(); CheckerContext &C) const;
const FunctionDecl *FD = WLUnit->getDirectCallee();
assert(FD && FD->getBody()); class VirtualBugVisitor : public BugReporterVisitorImpl<VirtualBugVisitor> {
private:
if (VisitedFunctions[FD] == PreVisited) { const MemRegion *ObjectRegion;
// If the callee is PreVisited, walk its body. bool Found;
// Visit the body.
SaveAndRestore<const CallExpr *> SaveCall(visitingCallExpr, WLUnit);
Visit(FD->getBody());
// Mark the function as being PostVisited to indicate we have public:
// scanned the body. VirtualBugVisitor(const MemRegion *R) : ObjectRegion(R), Found(false) {}
VisitedFunctions[FD] = PostVisited;
continue;
}
// Otherwise, the callee is PostVisited. void Profile(llvm::FoldingSetNodeID &ID) const override {
// Remove it from the worklist. static int X = 0;
assert(VisitedFunctions[FD] == PostVisited); ID.AddPointer(&X);
WList.pop_back(); ID.AddPointer(ObjectRegion);
}
} }
// Stmt visitor methods. std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
void VisitCallExpr(CallExpr *CE); const ExplodedNode *PrevN,
void VisitCXXMemberCallExpr(CallExpr *CE); BugReporterContext &BRC,
void VisitStmt(Stmt *S) { VisitChildren(S); } BugReport &BR) override;
void VisitChildren(Stmt *S); };
void ReportVirtualCall(const CallExpr *CE, bool isPure);
}; };
} // end anonymous namespace } // end namespace
//===----------------------------------------------------------------------===// // GDM (generic data map) to the memregion of this for the ctor and dtor.
// AST walking. REGISTER_MAP_WITH_PROGRAMSTATE(CtorDtorMap, const MemRegion *, ObjectState)
//===----------------------------------------------------------------------===//
void WalkAST::VisitChildren(Stmt *S) { std::shared_ptr<PathDiagnosticPiece>
for (Stmt *Child : S->children()) VirtualCallChecker::VirtualBugVisitor::VisitNode(const ExplodedNode *N,
if (Child) const ExplodedNode *PrevN,
Visit(Child); BugReporterContext &BRC,
} BugReport &BR) {
// We need the last ctor/dtor which call the virtual function.
void WalkAST::VisitCallExpr(CallExpr *CE) { // The visitor walks the ExplodedGraph backwards.
VisitChildren(CE); if (Found)
if (IsInterprocedural) return nullptr;
Enqueue(CE);
} ProgramStateRef State = N->getState();
const LocationContext *LCtx = N->getLocationContext();
void WalkAST::VisitCXXMemberCallExpr(CallExpr *CE) { const CXXConstructorDecl *CD =
VisitChildren(CE); dyn_cast_or_null<CXXConstructorDecl>(LCtx->getDecl());
bool callIsNonVirtual = false; const CXXDestructorDecl *DD =
dyn_cast_or_null<CXXDestructorDecl>(LCtx->getDecl());
// Several situations to elide for checking.
if (MemberExpr *CME = dyn_cast<MemberExpr>(CE->getCallee())) { if (!CD && !DD)
// If the member access is fully qualified (i.e., X::F), then treat return nullptr;
// this as a non-virtual call and do not warn.
ProgramStateManager &PSM = State->getStateManager();
auto &SVB = PSM.getSValBuilder();
const auto *MD = dyn_cast<CXXMethodDecl>(LCtx->getDecl());
if (!MD)
return nullptr;
auto ThiSVal =
State->getSVal(SVB.getCXXThis(MD, LCtx->getCurrentStackFrame()));
const MemRegion *Reg = ThiSVal.castAs<loc::MemRegionVal>().getRegion();
if (!Reg)
return nullptr;
if (Reg != ObjectRegion)
return nullptr;
const Stmt *S = PathDiagnosticLocation::getStmt(N);
if (!S)
return nullptr;
Found = true;
std::string InfoText;
if (CD)
InfoText = "This constructor of an object of type '" +
CD->getNameAsString() +
"' has not returned when the virtual method was called";
else
InfoText = "This destructor of an object of type '" +
DD->getNameAsString() +
"' has not returned when the virtual method was called";
// Generate the extra diagnostic.
PathDiagnosticLocation Pos(S, BRC.getSourceManager(),
N->getLocationContext());
return std::make_shared<PathDiagnosticEventPiece>(Pos, InfoText, true);
}
// The function to check if a callexpr is a virtual function.
static bool isVirtualCall(const CallExpr *CE) {
bool CallIsNonVirtual = false;
if (const MemberExpr *CME = dyn_cast<MemberExpr>(CE->getCallee())) {
// The member access is fully qualified (i.e., X::F).
// Treat this as a non-virtual call and do not warn.
if (CME->getQualifier()) if (CME->getQualifier())
callIsNonVirtual = true; CallIsNonVirtual = true;
if (Expr *base = CME->getBase()->IgnoreImpCasts()) { if (const Expr *Base = CME->getBase()->IgnoreImpCasts()) {
// Elide analyzing the call entirely if the base pointer is not 'this'. // The most derived class is marked final.
if (!isa<CXXThisExpr>(base)) if (Base->getBestDynamicClassType()->hasAttr<FinalAttr>())
return; CallIsNonVirtual = true;
// If the most derived class is marked final, we know that now subclass
// can override this member.
if (base->getBestDynamicClassType()->hasAttr<FinalAttr>())
callIsNonVirtual = true;
} }
} }
// Get the callee.
const CXXMethodDecl *MD = const CXXMethodDecl *MD =
dyn_cast_or_null<CXXMethodDecl>(CE->getDirectCallee()); dyn_cast_or_null<CXXMethodDecl>(CE->getDirectCallee());
if (MD && MD->isVirtual() && !callIsNonVirtual && !MD->hasAttr<FinalAttr>() && if (MD && MD->isVirtual() && !CallIsNonVirtual && !MD->hasAttr<FinalAttr>() &&
!MD->getParent()->hasAttr<FinalAttr>()) !MD->getParent()->hasAttr<FinalAttr>())
ReportVirtualCall(CE, MD->isPure()); return true;
return false;
}
if (IsInterprocedural) // The BeginFunction callback when enter a constructor or a destructor.
Enqueue(CE); void VirtualCallChecker::checkBeginFunction(CheckerContext &C) const {
registerCtorDtorCallInState(true, C);
} }
void WalkAST::ReportVirtualCall(const CallExpr *CE, bool isPure) { // The EndFunction callback when leave a constructor or a destructor.
if (ReportPureOnly && !isPure) void VirtualCallChecker::checkEndFunction(CheckerContext &C) const {
return; registerCtorDtorCallInState(false, C);
}
SmallString<100> buf; void VirtualCallChecker::checkPreCall(const CallEvent &Call,
llvm::raw_svector_ostream os(buf); CheckerContext &C) const {
const auto MC = dyn_cast<CXXMemberCall>(&Call);
if (!MC)
return;
// FIXME: The interprocedural diagnostic experience here is not good. const CXXMethodDecl *MD = dyn_cast_or_null<CXXMethodDecl>(Call.getDecl());
// Ultimately this checker should be re-written to be path sensitive. if (!MD)
// For now, only diagnose intraprocedurally, by default. return;
if (IsInterprocedural) { ProgramStateRef State = C.getState();
os << "Call Path : "; const CallExpr *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
// Name of current visiting CallExpr.
os << *CE->getDirectCallee();
// Name of the CallExpr whose body is current being walked.
if (visitingCallExpr)
os << " <-- " << *visitingCallExpr->getDirectCallee();
// Names of FunctionDecls in worklist with state PostVisited.
for (SmallVectorImpl<const CallExpr *>::iterator I = WList.end(),
E = WList.begin(); I != E; --I) {
const FunctionDecl *FD = (*(I-1))->getDirectCallee();
assert(FD);
if (VisitedFunctions[FD] == PostVisited)
os << " <-- " << *FD;
}
os << "\n";
}
PathDiagnosticLocation CELoc =
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
SourceRange R = CE->getCallee()->getSourceRange();
os << "Call to ";
if (isPure)
os << "pure ";
os << "virtual function during "; if (IsPureOnly && !MD->isPure())
return;
if (!isVirtualCall(CE))
return;
if (isa<CXXConstructorDecl>(RootMethod)) const MemRegion *Reg = MC->getCXXThisVal().getAsRegion();
os << "construction "; const ObjectState *ObState = State->get<CtorDtorMap>(Reg);
if (!ObState)
return;
// Check if a virtual method is called.
// The GDM of constructor and destructor should be true.
if (*ObState == ObjectState::CtorCalled) {
if (IsPureOnly && MD->isPure())
reportBug("Call to pure virtual function during construction", true, Reg,
C);
else if (!MD->isPure())
reportBug("Call to virtual function during construction", false, Reg, C);
else else
os << "destruction "; reportBug("Call to pure virtual function during construction", false, Reg,
C);
}
if (isPure) if (*ObState == ObjectState::DtorCalled) {
os << "has undefined behavior"; if (IsPureOnly && MD->isPure())
reportBug("Call to pure virtual function during destruction", true, Reg,
C);
else if (!MD->isPure())
reportBug("Call to virtual function during destruction", false, Reg, C);
else else
os << "will not dispatch to derived class"; reportBug("Call to pure virtual function during construction", false, Reg,
C);
BR.EmitBasicReport(AC->getDecl(), Checker, }
"Call to virtual function during construction or "
"destruction",
"C++ Object Lifecycle", os.str(), CELoc, R);
} }
//===----------------------------------------------------------------------===// void VirtualCallChecker::registerCtorDtorCallInState(bool IsBeginFunction,
// VirtualCallChecker CheckerContext &C) const {
//===----------------------------------------------------------------------===// const auto *LCtx = C.getLocationContext();
const auto *MD = dyn_cast_or_null<CXXMethodDecl>(LCtx->getDecl());
if (!MD)
return;
namespace { ProgramStateRef State = C.getState();
class VirtualCallChecker : public Checker<check::ASTDecl<CXXRecordDecl> > { auto &SVB = C.getSValBuilder();
public:
DefaultBool isInterprocedural;
DefaultBool isPureOnly;
void checkASTDecl(const CXXRecordDecl *RD, AnalysisManager& mgr, // Enter a constructor, set the corresponding memregion be true.
BugReporter &BR) const { if (isa<CXXConstructorDecl>(MD)) {
AnalysisDeclContext *ADC = mgr.getAnalysisDeclContext(RD); auto ThiSVal =
State->getSVal(SVB.getCXXThis(MD, LCtx->getCurrentStackFrame()));
// Check the constructors. const MemRegion *Reg = ThiSVal.getAsRegion();
for (const auto *I : RD->ctors()) { if (IsBeginFunction)
if (!I->isCopyOrMoveConstructor()) State = State->set<CtorDtorMap>(Reg, ObjectState::CtorCalled);
if (Stmt *Body = I->getBody()) { else
WalkAST walker(this, BR, ADC, I, isInterprocedural, isPureOnly); State = State->remove<CtorDtorMap>(Reg);
walker.Visit(Body);
walker.Execute(); C.addTransition(State);
} return;
} }
// Check the destructor. // Enter a Destructor, set the corresponding memregion be true.
if (CXXDestructorDecl *DD = RD->getDestructor()) if (isa<CXXDestructorDecl>(MD)) {
if (Stmt *Body = DD->getBody()) { auto ThiSVal =
WalkAST walker(this, BR, ADC, DD, isInterprocedural, isPureOnly); State->getSVal(SVB.getCXXThis(MD, LCtx->getCurrentStackFrame()));
walker.Visit(Body); const MemRegion *Reg = ThiSVal.getAsRegion();
walker.Execute(); if (IsBeginFunction)
State = State->set<CtorDtorMap>(Reg, ObjectState::DtorCalled);
else
State = State->remove<CtorDtorMap>(Reg);
C.addTransition(State);
return;
} }
} }
};
void VirtualCallChecker::reportBug(StringRef Msg, bool IsSink,
const MemRegion *Reg,
CheckerContext &C) const {
ExplodedNode *N;
if (IsSink)
N = C.generateErrorNode();
else
N = C.generateNonFatalErrorNode();
if (!N)
return;
if (!BT)
BT.reset(new BugType(
this, "Call to virtual function during construction or destruction",
"C++ Object Lifecycle"));
auto Reporter = llvm::make_unique<BugReport>(*BT, Msg, N);
Reporter->addVisitor(llvm::make_unique<VirtualBugVisitor>(Reg));
C.emitReport(std::move(Reporter));
} }
void ento::registerVirtualCallChecker(CheckerManager &mgr) { void ento::registerVirtualCallChecker(CheckerManager &mgr) {
VirtualCallChecker *checker = mgr.registerChecker<VirtualCallChecker>(); VirtualCallChecker *checker = mgr.registerChecker<VirtualCallChecker>();
checker->isInterprocedural =
mgr.getAnalyzerOptions().getBooleanOption("Interprocedural", false, checker->IsPureOnly =
checker); mgr.getAnalyzerOptions().getBooleanOption("PureOnly", false, checker);
checker->isPureOnly =
mgr.getAnalyzerOptions().getBooleanOption("PureOnly", false,
checker);
} }

cfe/trunk/test/Analysis/virtualcall.h

#ifdef AS_SYSTEM
#pragma clang system_header
namespace system {
class A {
public:
A() {
foo(); // no-warning
}
virtual int foo();
};
}
#else
namespace header { namespace header {
class A { class Z {
public: public:
A() { Z() {
foo(); foo();
#if !PUREONLY #if !PUREONLY
#if INTERPROCEDURAL // expected-warning-re@-2 {{{{^}}Call to virtual function during construction}}
// expected-warning-re@-3 {{{{^}}Call Path : fooCall to virtual function during construction will not dispatch to derived class}} // expected-note-re@-3 {{{{^}}This constructor of an object of type 'Z' has not returned when the virtual method was called}}
#else // expected-note-re@-4 {{{{^}}Call to virtual function during construction}}
// expected-warning-re@-5 {{{{^}}Call to virtual function during construction will not dispatch to derived class}}
#endif
#endif #endif
} }
virtual int foo(); virtual int foo();
}; };
} }
#endif

cfe/trunk/test/Analysis/virtualcall.cpp

// RUN: %clang_analyze_cc1 -analyzer-checker=optin.cplusplus.VirtualCall -analyzer-store region -verify -std=c++11 %s // RUN: %clang_analyze_cc1 -analyzer-checker=optin.cplusplus.VirtualCall -analyzer-store region -analyzer-output=text -verify -std=c++11 %s
// RUN: %clang_analyze_cc1 -analyzer-checker=optin.cplusplus.VirtualCall -analyzer-store region -analyzer-config optin.cplusplus.VirtualCall:Interprocedural=true -DINTERPROCEDURAL=1 -verify -std=c++11 %s
// RUN: %clang_analyze_cc1 -analyzer-checker=optin.cplusplus.VirtualCall -analyzer-store region -analyzer-config optin.cplusplus.VirtualCall:PureOnly=true -DPUREONLY=1 -verify -std=c++11 %s // RUN: %clang_analyze_cc1 -analyzer-checker=optin.cplusplus.VirtualCall -analyzer-store region -analyzer-config optin.cplusplus.VirtualCall:PureOnly=true -DPUREONLY=1 -analyzer-output=text -verify -std=c++11 %s
/* When INTERPROCEDURAL is set, we expect diagnostics in all functions reachable #include "virtualcall.h"
from a constructor or destructor. If it is not set, we expect diagnostics
only in the constructor or destructor.
When PUREONLY is set, we expect diagnostics only for calls to pure virtual
functions not to non-pure virtual functions.
*/
class A { class A {
public: public:
A(); A();
A(int i);
~A() {}; ~A(){};
virtual int foo() = 0; // from Sema: expected-note {{'foo' declared here}} virtual int foo() = 0;
virtual void bar() = 0; virtual void bar() = 0;
void f() { void f() {
foo(); foo();
#if INTERPROCEDURAL // expected-warning-re@-1 {{{{^}}Call to pure virtual function during construction}}
// expected-warning-re@-2 {{{{^}}Call Path : foo <-- fCall to pure virtual function during construction has undefined behavior}} // expected-note-re@-2 {{{{^}}Call to pure virtual function during construction}}
#endif
} }
}; };
class B : public A { class B : public A {
public: public:
B() { B() { // expected-note {{Calling default constructor for 'A'}}
foo(); foo();
#if !PUREONLY #if !PUREONLY
#if INTERPROCEDURAL // expected-warning-re@-2 {{{{^}}Call to virtual function during construction}}
// expected-warning-re@-3 {{{{^}}Call Path : fooCall to virtual function during construction will not dispatch to derived class}} // expected-note-re@-3 {{{{^}}This constructor of an object of type 'B' has not returned when the virtual method was called}}
#else // expected-note-re@-4 {{{{^}}Call to virtual function during construction}}
// expected-warning-re@-5 {{{{^}}Call to virtual function during construction will not dispatch to derived class}}
#endif
#endif #endif
} }
~B(); ~B();
virtual int foo(); virtual int foo();
virtual void bar() { foo(); } virtual void bar() {
#if INTERPROCEDURAL foo();
// expected-warning-re@-2 {{{{^}}Call Path : foo <-- barCall to virtual function during destruction will not dispatch to derived class}} #if !PUREONLY
// expected-warning-re@-2 {{{{^}}Call to virtual function during destruction}}
// expected-note-re@-3 {{{{^}}Call to virtual function during destruction}}
#endif #endif
}
}; };
A::A() { A::A() {
f(); f();
} // expected-note-re@-1 {{{{^}}This constructor of an object of type 'A' has not returned when the virtual method was called}}
// expected-note-re@-2 {{{{^}}Calling 'A::f'}}
A::A(int i) {
foo(); // From Sema: expected-warning {{call to pure virtual member function 'foo' has undefined behavior}}
#if INTERPROCEDURAL
// expected-warning-re@-2 {{{{^}}Call Path : fooCall to pure virtual function during construction has undefined behavior}}
#else
// expected-warning-re@-4 {{{{^}}Call to pure virtual function during construction has undefined behavior}}
#endif
} }
B::~B() { B::~B() {
this->B::foo(); // no-warning this->B::foo(); // no-warning
this->B::bar(); this->B::bar();
this->foo();
#if !PUREONLY #if !PUREONLY
#if INTERPROCEDURAL // expected-note-re@-2 {{{{^}}This destructor of an object of type '~B' has not returned when the virtual method was called}}
// expected-warning-re@-3 {{{{^}}Call Path : fooCall to virtual function during destruction will not dispatch to derived class}} // expected-note-re@-3 {{{{^}}Calling 'B::bar'}}
#else
// expected-warning-re@-5 {{{{^}}Call to virtual function during destruction will not dispatch to derived class}}
#endif #endif
this->foo();
#if !PUREONLY
// expected-warning-re@-2 {{{{^}}Call to virtual function during destruction}}
// expected-note-re@-3 {{{{^}}This destructor of an object of type '~B' has not returned when the virtual method was called}}
// expected-note-re@-4 {{{{^}}Call to virtual function during destruction}}
#endif #endif
} }
class C : public B { class C : public B {
public: public:
C(); C();
~C(); ~C();
virtual int foo(); virtual int foo();
void f(int i); void f(int i);
}; };
C::C() { C::C() {
f(foo()); f(foo());
#if !PUREONLY #if !PUREONLY
#if INTERPROCEDURAL // expected-warning-re@-2 {{{{^}}Call to virtual function during construction}}
// expected-warning-re@-3 {{{{^}}Call Path : fooCall to virtual function during construction will not dispatch to derived class}} // expected-note-re@-3 {{{{^}}This constructor of an object of type 'C' has not returned when the virtual method was called}}
#else // expected-note-re@-4 {{{{^}}Call to virtual function during construction}}
// expected-warning-re@-5 {{{{^}}Call to virtual function during construction will not dispatch to derived class}}
#endif
#endif #endif
} }
class D : public B { class D : public B {
public: public:
D() { D() {
foo(); // no-warning foo(); // no-warning
} }
~D() { bar(); } ~D() { bar(); }
int foo() final; int foo() final;
void bar() final { foo(); } // no-warning void bar() final { foo(); } // no-warning
}; };
class E final : public B { class E final : public B {
public: public:
E() { E() {
foo(); // no-warning foo(); // no-warning
} }
~E() { bar(); } ~E() { bar(); }
#if !PUREONLY
// expected-note-re@-2 2{{{{^}}Calling '~B'}}
#endif
int foo() override; int foo() override;
}; };
// Regression test: don't crash when there's no direct callee.
class F { class F {
public: public:
F() { F() {
void (F::* ptr)() = &F::foo; void (F::*ptr)() = &F::foo;
(this->*ptr)(); (this->*ptr)();
} }
void foo(); void foo();
}; };
int main() { class G {
A *a; public:
B *b; G() {}
C *c; virtual void bar();
D *d; void foo() {
E *e; bar(); // no warning
F *f;
} }
};
#include "virtualcall.h" class H {
public:
H() : initState(0) { init(); }
int initState;
virtual void f() const;
void init() {
if (initState)
f(); // no warning
}
#define AS_SYSTEM H(int i) {
#include "virtualcall.h" G g;
#undef AS_SYSTEM g.foo();
g.bar(); // no warning
f();
#if !PUREONLY
// expected-warning-re@-2 {{{{^}}Call to virtual function during construction}}
// expected-note-re@-3 {{{{^}}This constructor of an object of type 'H' has not returned when the virtual method was called}}
// expected-note-re@-4 {{{{^}}Call to virtual function during construction}}
#endif
H &h = *this;
h.f();
#if !PUREONLY
// expected-warning-re@-2 {{{{^}}Call to virtual function during construction}}
// expected-note-re@-3 {{{{^}}This constructor of an object of type 'H' has not returned when the virtual method was called}}
// expected-note-re@-4 {{{{^}}Call to virtual function during construction}}
#endif
}
};
class X {
public:
X() {
g();
#if !PUREONLY
// expected-warning-re@-2 {{{{^}}Call to virtual function during construction}}
// expected-note-re@-3 {{{{^}}This constructor of an object of type 'X' has not returned when the virtual method was called}}
// expected-note-re@-4 {{{{^}}Call to virtual function during construction}}
#endif
}
X(int i) {
if (i > 0) {
#if !PUREONLY
// expected-note-re@-2 {{{{^}}Taking true branch}}
// expected-note-re@-3 {{{{^}}Taking false branch}}
#endif
X x(i - 1);
#if !PUREONLY
// expected-note-re@-2 {{{{^}}Calling constructor for 'X'}}
#endif
x.g(); // no warning
}
g();
#if !PUREONLY
// expected-warning-re@-2 {{{{^}}Call to virtual function during construction}}
// expected-note-re@-3 {{{{^}}This constructor of an object of type 'X' has not returned when the virtual method was called}}
// expected-note-re@-4 {{{{^}}Call to virtual function during construction}}
#endif
}
virtual void g();
};
class M;
class N {
public:
virtual void virtualMethod();
void callFooOfM(M *);
};
class M {
public:
M() {
N n;
n.virtualMethod(); // no warning
n.callFooOfM(this);
#if !PUREONLY
// expected-note-re@-2 {{{{^}}This constructor of an object of type 'M' has not returned when the virtual method was called}}
// expected-note-re@-3 {{{{^}}Calling 'N::callFooOfM'}}
#endif
}
virtual void foo();
};
void N::callFooOfM(M *m) {
m->foo();
#if !PUREONLY
// expected-warning-re@-2 {{{{^}}Call to virtual function during construction}}
// expected-note-re@-3 {{{{^}}Call to virtual function during construction}}
#endif
}
class Y {
public:
virtual void foobar();
void fooY() {
F f1;
foobar();
#if !PUREONLY
// expected-warning-re@-2 {{{{^}}Call to virtual function during construction}}
// expected-note-re@-3 {{{{^}}Call to virtual function during construction}}
#endif
}
Y() { fooY(); }
#if !PUREONLY
// expected-note-re@-2 {{{{^}}This constructor of an object of type 'Y' has not returned when the virtual method was called}}
// expected-note-re@-3 {{{{^}}Calling 'Y::fooY'}}
#endif
};
int main() {
B b;
#if PUREONLY
//expected-note-re@-2 {{{{^}}Calling default constructor for 'B'}}
#else
//expected-note-re@-4 2{{{{^}}Calling default constructor for 'B'}}
#endif
C c;
#if !PUREONLY
//expected-note-re@-2 {{{{^}}Calling default constructor for 'C'}}
#endif
D d;
E e;
F f;
G g;
H h;
H h1(1);
#if !PUREONLY
//expected-note-re@-2 {{{{^}}Calling constructor for 'H'}}
//expected-note-re@-3 {{{{^}}Calling constructor for 'H'}}
#endif
X x;
#if !PUREONLY
//expected-note-re@-2 {{{{^}}Calling default constructor for 'X'}}
#endif
X x1(1);
#if !PUREONLY
//expected-note-re@-2 {{{{^}}Calling constructor for 'X'}}
#endif
M m;
#if !PUREONLY
//expected-note-re@-2 {{{{^}}Calling default constructor for 'M'}}
#endif
Y *y = new Y;
delete y;
header::Z z;
#if !PUREONLY
// expected-note-re@-2 {{{{^}}Calling default constructor for 'Z'}}
#endif
}
#if !PUREONLY
//expected-note-re@-2 2{{{{^}}Calling '~E'}}
#endif