This is an archive of the discontinued LLVM Phabricator instance.

Differential D39803

[analyzer] pr34766: Fix a crash on explicit construction of std::initializer_list.
ClosedPublic

Authored by NoQ on Nov 8 2017, 8:03 AM.

Details

Reviewers
zaks.anna
dcoughlin
xazax.hun
a.sidorin
george.karpenkov
szepet
Commits
rG052436f76868: [analyzer] pr34766: Fix a crash on explicit std::initializer_list constructor.
rC319058: [analyzer] pr34766: Fix a crash on explicit std::initializer_list constructor.
rL319058: [analyzer] pr34766: Fix a crash on explicit std::initializer_list constructor.
Summary

std::initializer_list objects can be constructed sort of explicitly, eg. (std::initializer_list<int>){12}. This produces an AST that looks like

CompoundLiteralExpr 0x11987f1a0 'std::initializer_list<int>':'class std::initializer_list<int>'
`-CXXStdInitializerListExpr 0x11987f188 'std::initializer_list<int>':'class std::initializer_list<int>'
  `-MaterializeTemporaryExpr 0x11987f170 'const int [1]' xvalue
    `-InitListExpr 0x11987f128 'const int [1]'
      `-IntegerLiteral 0x11987cd18 'int' 12

We crash because we did not expect to see CompoundLiteralExpr containing CXXStdInitializerListExpr.

It seems correct to pass the value through CompoundLiteralExpr transparently (the value is currently a conjured structure-symbol of initializer_list type, which sounds like a correct value for the expression, even if not super verbose), hence the patch.

Diff Detail

Repository
rL LLVM

Event Timeline

NoQ created this revision.Nov 8 2017, 8:03 AM
george.karpenkov edited edge metadata.Nov 8 2017, 3:36 PM

I think I lack context to completely get what is going on here: I assume we don't model the assignment here?

lib/StaticAnalyzer/Core/ExprEngineC.cpp
533 ↗(On Diff #122094)

Empty "if" looks weird, why not just negate the condition, and then you could get rid of "else"?

NoQ added a comment.Nov 8 2017, 11:39 PM
In D39803#919945, @george.karpenkov wrote:

I think I lack context to completely get what is going on here: I assume we don't model the assignment here?

  • We model IntegralLiteral as nonloc::ConcreteInt 12 S32b.
  • We model InitListExpr as nonloc::CompoundVal { 12 S32b }.
  • We model MaterializeTemporaryExpr as loc::MemRegionVal &temp_object{const int [1], {12}} in which {12 S32b} is stored, retroactively creating the location in which the list was supposed to be present from the start (TODO: why not CompoundLiteralRegion?).
  • We do not model CXXStdInitializerListExpr or internals of std::initializer_list, hence the value of this expresssion, conservatively, is conj_$0{std::initializer_list<int>}. See also D35216.
  • We now model CompoundLiteralExpr as conj_$0{std::initializer_list<int>} as no-op.
dcoughlin accepted this revision.Nov 10 2017, 11:11 AM

LGTM.

This revision is now accepted and ready to land.Nov 10 2017, 11:11 AM
xazax.hun accepted this revision.Nov 13 2017, 3:15 AM

LGTM!

alexfh added a comment.Nov 27 2017, 7:25 AM

Is anything holding this patch?

Closed by commit rL319058: [analyzer] pr34766: Fix a crash on explicit std::initializer_list constructor. (authored by dergachev). · Explain WhyNov 27 2017, 9:37 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
cfe/
trunk/
lib/
StaticAnalyzer/
Core/
2 lines
test/
Analysis/
6 lines

Diff 124406

cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineC.cpp

Show First 20 LinesShow All 529 Lines▼ Show 20 Linesvoid ExprEngine::VisitCompoundLiteralExpr(const CompoundLiteralExpr *CL,
StmtNodeBuilder B(Pred, Dst, *currBldrCtx); StmtNodeBuilder B(Pred, Dst, *currBldrCtx);
ProgramStateRef State = Pred->getState(); ProgramStateRef State = Pred->getState();
const LocationContext *LCtx = Pred->getLocationContext(); const LocationContext *LCtx = Pred->getLocationContext();
const Expr *Init = CL->getInitializer(); const Expr *Init = CL->getInitializer();
SVal V = State->getSVal(CL->getInitializer(), LCtx); SVal V = State->getSVal(CL->getInitializer(), LCtx);
if (isa<CXXConstructExpr>(Init)) { if (isa<CXXConstructExpr>(Init) || isa<CXXStdInitializerListExpr>(Init)) {
// No work needed. Just pass the value up to this expression. // No work needed. Just pass the value up to this expression.
} else { } else {
assert(isa<InitListExpr>(Init)); assert(isa<InitListExpr>(Init));
Loc CLLoc = State->getLValue(CL, LCtx); Loc CLLoc = State->getLValue(CL, LCtx);
State = State->bindLoc(CLLoc, V, LCtx); State = State->bindLoc(CLLoc, V, LCtx);
if (CL->isGLValue()) if (CL->isGLValue())
V = CLLoc; V = CLLoc;
▲ Show 20 LinesShow All 563 LinesShow Last 20 Lines

cfe/trunk/test/Analysis/initializer.cpp

Show First 20 LinesShow All 205 Lines▼ Show 20 Linesstruct C {
const char(&f)[2]; const char(&f)[2];
}; };
} }
namespace CXX_initializer_lists { namespace CXX_initializer_lists {
struct C { struct C {
C(std::initializer_list<int *> list); C(std::initializer_list<int *> list);
}; };
void foo() { void testPointerEscapeIntoLists() {
C empty{}; // no-crash C empty{}; // no-crash
// Do not warn that 'x' leaks. It might have been deleted by // Do not warn that 'x' leaks. It might have been deleted by
// the destructor of 'c'. // the destructor of 'c'.
int *x = new int; int *x = new int;
C c{x}; // no-warning C c{x}; // no-warning
} }
void testPassListsWithExplicitConstructors() {
(void)(std::initializer_list<int>){12}; // no-crash
}
} }