This is an archive of the discontinued LLVM Phabricator instance.

Differential D43104

[analyzer] Find correct region for simple temporary destructor calls and inline them if possible.
ClosedPublic

Authored by NoQ on Feb 8 2018, 5:39 PM.

Details

Reviewers
dcoughlin
xazax.hun
a.sidorin
george.karpenkov
szepet
Commits
rG661ab34a3157: [analyzer] Compute the correct this-region for temporary destructors.
rC325282: [analyzer] Compute the correct this-region for temporary destructors.
rL325282: [analyzer] Compute the correct this-region for temporary destructors.
Summary

When a temporary is constructed into a CXXBindTemporaryExpr (i.e. when it needs a destructor), we can (since D43056/D43062) pick up the construction context and be sure that the temporary is initialized correctly.

Now, store the initialized temporary region in the program state with CXXBindTemporaryExpr as its key, and when the time comes to call the destructor, lookup the CXXBindTemporaryExpr in the CFGTemporaryDtor element, then lookup the region in the program state.

For this purpose, the existing program state trait is used - the one that was added by @klimek for making sure that the control flow for ternary operators with temporaries is correct. Now the region is also stuffed into it. Technically, it should be possible to reconstruct the region by having just the temporary-expression and the location context. However, this would require duplicating a bit of logic from the CFG.

When the this-region is available this way, give ourselves the privilege to attempt inlining it. Of course, normal limitations of what we will or will not inline will still apply.

Additionally, prevent the temporary from being garbage-collected from the program state until the destructor call. I don't think SymRegion::isLiveRegion() should be taught to query ExprEngine regarding live temporaries - we should be just fine treating it as a regular program state trait value liveness process. Also in this case LiveVariables analysis isn't going to help much: temporaries definitely outlive their CXXBindTemporaryExprs sometimes. So i have an impression that this is the right way to solve the liveness issue this time.

Diff Detail

Event Timeline

NoQ created this revision.Feb 8 2018, 5:39 PM
Herald added subscribers: cfe-commits, rnkovacs. · View Herald TranscriptFeb 8 2018, 5:39 PM
NoQ added inline comments.Feb 8 2018, 5:39 PM
lib/StaticAnalyzer/Core/ExprEngine.cpp
68–71

For consistency.

NoQ added parent revisions: D43062: [analyzer] Support CXXTemporaryObjectExpr constructors that have destructors., D42991: [analyzer] Use EvalCallOptions for destructors as well..Feb 8 2018, 5:40 PM
dcoughlin added inline comments.Feb 8 2018, 6:29 PM
lib/StaticAnalyzer/Core/ExprEngine.cpp
939

Can we add an assertion somewhere else (like when leaving a stack frame context) to make sure that the expected temporaries have all been removed from InitializedTemporaries?

NoQ updated this revision to Diff 133672.Feb 9 2018, 1:04 PM
NoQ marked an inline comment as done.

Assert that the destructors are cleaned up. This assertion is pretty important because it says that we didn't miss any destructors for initialized temporaries during analysis.

Disable tracking initialized temporaries when cfg-temporary-dtors is off - a bug i introduced when moving the code, which was found by the newly added assertion :)

NoQ added a child revision: D43144: [analyzer] Implement path notes for temporary destructors..Feb 9 2018, 2:29 PM
NoQ added a child revision: D43149: [analyzer] Fix a crash on destroying a temporary array..Feb 9 2018, 4:49 PM
NoQ mentioned this in D42876: [analyzer] Support returning objects by value..Feb 12 2018, 2:31 PM
NoQ updated this revision to Diff 133956.Feb 12 2018, 4:10 PM
  • Test const C &c = coin ? C(x, y) : C(z, w);.
  • Fix comments surrounding the assertion.
NoQ updated this revision to Diff 134341.Feb 14 2018, 5:13 PM

All right, so the assertion that we actually destroy all temporaries in our InitializedTemporaries map is still violated quite often - every time we do any sort of lifetime extension, we're actually calling the destructor on a different object, because createTemporaryRegionIfNeeded() has moved the object to a different place. I made a large brain dump on this matter in http://lists.llvm.org/pipermail/cfe-dev/2018-February/056898.html . For now it means that the assertion is still not going in. I added it in a commented-out form. In fact, @klimek has tried that long before me, and failed in a similar manner. If only i added the assertion in the right place (not in processCallExit, but in processEndOfFunction, which is also called for the top frame), i would have seen it earlier :) So i've reinvented quite a bit of a wheel here.

  • Move the assertion to the right place and disable it, explaining that lifetime extension is broken.
  • Move the similar operator-new assertion to the right place as well, while we're at it.
  • Add a flag to disable inlining of temporary destructors, which is different from having them at all. It's on by default but does nothing until cfg-temporary-dtors are also enabled.
  • Add a test for that flag. This flag cannot be tested in analyzer-config.cpp because it is never read unless cfg-temporary-dtors takes a non-default value, so ConfigDumper doesn't see it.
NoQ updated this revision to Diff 134351.Feb 14 2018, 6:20 PM

Whoops - recall that we still need to cleanup the temporaries map even, now that we know that we cannot assert that it's already empty. Clean up the map and enable the assertion that becomes tautological until the respective FIXME is fixed.

This revision was not accepted when it landed; it landed in state Needs Review.Feb 15 2018, 11:19 AM
Closed by commit rL325282: [analyzer] Compute the correct this-region for temporary destructors. (authored by NoQ). · Explain Why
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: llvm-commits. · View Herald TranscriptFeb 15 2018, 11:20 AM
This revision was not accepted when it landed; it landed in state Needs Review.Feb 15 2018, 11:20 AM
Closed by commit rC325282: [analyzer] Compute the correct this-region for temporary destructors. (authored by NoQ). · Explain Why
This revision was automatically updated to reflect the committed changes.
NoQ mentioned this in D43666: [analyzer] When constructing a temporary without construction context, track it for destruction anyway..Feb 22 2018, 6:13 PM

Revision Contents

PathSize
include/
clang/
StaticAnalyzer/
Core/
PathSensitive/
11 lines
lib/
StaticAnalyzer/
Core/
3 lines
102 lines
42 lines
test/
Analysis/
78 lines

Diff 133545

include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h

Show First 20 LinesShow All 442 Lines▼ Show 20 Linespublic:
void VisitUnaryOperator(const UnaryOperator* B, ExplodedNode *Pred, void VisitUnaryOperator(const UnaryOperator* B, ExplodedNode *Pred,
ExplodedNodeSet &Dst); ExplodedNodeSet &Dst);
/// Handle ++ and -- (both pre- and post-increment). /// Handle ++ and -- (both pre- and post-increment).
void VisitIncrementDecrementOperator(const UnaryOperator* U, void VisitIncrementDecrementOperator(const UnaryOperator* U,
ExplodedNode *Pred, ExplodedNode *Pred,
ExplodedNodeSet &Dst); ExplodedNodeSet &Dst);
void VisitCXXBindTemporaryExpr(const CXXBindTemporaryExpr *BTE,
ExplodedNodeSet &PreVisit,
ExplodedNodeSet &Dst);
void VisitCXXCatchStmt(const CXXCatchStmt *CS, ExplodedNode *Pred, void VisitCXXCatchStmt(const CXXCatchStmt *CS, ExplodedNode *Pred,
ExplodedNodeSet &Dst); ExplodedNodeSet &Dst);
void VisitCXXThisExpr(const CXXThisExpr *TE, ExplodedNode *Pred, void VisitCXXThisExpr(const CXXThisExpr *TE, ExplodedNode *Pred,
ExplodedNodeSet & Dst); ExplodedNodeSet & Dst);
void VisitCXXConstructExpr(const CXXConstructExpr *E, ExplodedNode *Pred, void VisitCXXConstructExpr(const CXXConstructExpr *E, ExplodedNode *Pred,
ExplodedNodeSet &Dst); ExplodedNodeSet &Dst);
▲ Show 20 LinesShow All 228 Lines▼ Show 20 Linesprivate:
const CXXConstructExpr *findDirectConstructorForCurrentCFGElement(); const CXXConstructExpr *findDirectConstructorForCurrentCFGElement();
/// For a given constructor, look forward in the current CFG block to /// For a given constructor, look forward in the current CFG block to
/// determine the region into which an object will be constructed by \p CE. /// determine the region into which an object will be constructed by \p CE.
/// When the lookahead fails, a temporary region is returned, and the /// When the lookahead fails, a temporary region is returned, and the
/// IsConstructorWithImproperlyModeledTargetRegion flag is set in \p CallOpts. /// IsConstructorWithImproperlyModeledTargetRegion flag is set in \p CallOpts.
const MemRegion *getRegionForConstructedObject(const CXXConstructExpr *CE, const MemRegion *getRegionForConstructedObject(const CXXConstructExpr *CE,
ExplodedNode *Pred, ExplodedNode *Pred,
const ConstructionContext *CC,
EvalCallOptions &CallOpts); EvalCallOptions &CallOpts);
/// Store the region of a C++ temporary object corresponding to a
/// CXXBindTemporaryExpr for later destruction.
static ProgramStateRef addInitializedTemporary(
ProgramStateRef State, const CXXBindTemporaryExpr *BTE,
const LocationContext *LC, const CXXTempObjectRegion *R);
/// Store the region returned by operator new() so that the constructor /// Store the region returned by operator new() so that the constructor
/// that follows it knew what location to initialize. The value should be /// that follows it knew what location to initialize. The value should be
/// cleared once the respective CXXNewExpr CFGStmt element is processed. /// cleared once the respective CXXNewExpr CFGStmt element is processed.
static ProgramStateRef static ProgramStateRef
setCXXNewAllocatorValue(ProgramStateRef State, const CXXNewExpr *CNE, setCXXNewAllocatorValue(ProgramStateRef State, const CXXNewExpr *CNE,
const LocationContext *CallerLC, SVal V); const LocationContext *CallerLC, SVal V);
/// Retrieve the location returned by the current operator new(). /// Retrieve the location returned by the current operator new().
Show All 33 Lines

lib/StaticAnalyzer/Core/CallEvent.cpp

Show First 20 LinesShow All 1,191 Lines▼ Show 20 Lines default:
llvm_unreachable("This is not an inlineable statement."); llvm_unreachable("This is not an inlineable statement.");
} }
} }
// Fall back to the CFG. The only thing we haven't handled yet is // Fall back to the CFG. The only thing we haven't handled yet is
// destructors, though this could change in the future. // destructors, though this could change in the future.
const CFGBlock *B = CalleeCtx->getCallSiteBlock(); const CFGBlock *B = CalleeCtx->getCallSiteBlock();
CFGElement E = (*B)[CalleeCtx->getIndex()]; CFGElement E = (*B)[CalleeCtx->getIndex()];
assert(E.getAs<CFGImplicitDtor>() && assert(E.getAs<CFGImplicitDtor>() || E.getAs<CFGTemporaryDtor>() &&
"All other CFG elements should have exprs"); "All other CFG elements should have exprs");
assert(!E.getAs<CFGTemporaryDtor>() && "We don't handle temporaries yet");
SValBuilder &SVB = State->getStateManager().getSValBuilder(); SValBuilder &SVB = State->getStateManager().getSValBuilder();
const CXXDestructorDecl *Dtor = cast<CXXDestructorDecl>(CalleeCtx->getDecl()); const CXXDestructorDecl *Dtor = cast<CXXDestructorDecl>(CalleeCtx->getDecl());
Loc ThisPtr = SVB.getCXXThis(Dtor, CalleeCtx); Loc ThisPtr = SVB.getCXXThis(Dtor, CalleeCtx);
SVal ThisVal = State->getSVal(ThisPtr); SVal ThisVal = State->getSVal(ThisPtr);
const Stmt *Trigger; const Stmt *Trigger;
if (Optional<CFGAutomaticObjDtor> AutoDtor = E.getAs<CFGAutomaticObjDtor>()) if (Optional<CFGAutomaticObjDtor> AutoDtor = E.getAs<CFGAutomaticObjDtor>())
Show All 10 Lines

lib/StaticAnalyzer/Core/ExprEngine.cpp

Show First 20 LinesShow All 48 Lines▼ Show 20 LinesSTATISTIC(NumMaxBlockCountReached,
"The # of aborted paths due to reaching the maximum block count in " "The # of aborted paths due to reaching the maximum block count in "
"a top level function"); "a top level function");
STATISTIC(NumMaxBlockCountReachedInInlined, STATISTIC(NumMaxBlockCountReachedInInlined,
"The # of aborted paths due to reaching the maximum block count in " "The # of aborted paths due to reaching the maximum block count in "
"an inlined function"); "an inlined function");
STATISTIC(NumTimesRetriedWithoutInlining, STATISTIC(NumTimesRetriedWithoutInlining,
"The # of times we re-evaluated a call without inlining"); "The # of times we re-evaluated a call without inlining");
typedef std::pair<const CXXBindTemporaryExpr *, const StackFrameContext *> typedef llvm::ImmutableMap<std::pair<const CXXBindTemporaryExpr *,
CXXBindTemporaryContext; const StackFrameContext *>,
const CXXTempObjectRegion *>
InitializedTemporariesMap;
// Keeps track of whether CXXBindTemporaryExpr nodes have been evaluated. // Keeps track of whether CXXBindTemporaryExpr nodes have been evaluated.
// The StackFrameContext assures that nested calls due to inlined recursive // The StackFrameContext assures that nested calls due to inlined recursive
// functions do not interfere. // functions do not interfere.
REGISTER_TRAIT_WITH_PROGRAMSTATE(InitializedTemporariesSet, REGISTER_TRAIT_WITH_PROGRAMSTATE(InitializedTemporaries,
llvm::ImmutableSet<CXXBindTemporaryContext>) InitializedTemporariesMap)
typedef llvm::ImmutableMap<std::pair<const CXXNewExpr *, typedef llvm::ImmutableMap<std::pair<const CXXNewExpr *,
const LocationContext *>, SVal> const LocationContext *>,
SVal>
CXXNewAllocatorValuesMap; CXXNewAllocatorValuesMap;
NoQAuthorUnsubmitted
Not Done
ReplyInline Actions

For consistency.

NoQ: For consistency.
// Keeps track of return values of various operator new() calls between // Keeps track of return values of various operator new() calls between
// evaluation of the inlined operator new(), through the constructor call, // evaluation of the inlined operator new(), through the constructor call,
// to the actual evaluation of the CXXNewExpr. // to the actual evaluation of the CXXNewExpr.
// TODO: Refactor the key for this trait into a LocationContext sub-class, // TODO: Refactor the key for this trait into a LocationContext sub-class,
// which would be put on the stack of location contexts before operator new() // which would be put on the stack of location contexts before operator new()
// is evaluated, and removed from the stack when the whole CXXNewExpr // is evaluated, and removed from the stack when the whole CXXNewExpr
// is fully evaluated. // is fully evaluated.
▲ Show 20 LinesShow All 241 Lines▼ Show 20 LinesExprEngine::createTemporaryRegionIfNeeded(ProgramStateRef State,
State = State->BindExpr(Result, LC, Reg); State = State->BindExpr(Result, LC, Reg);
// Notify checkers once for two bindLoc()s. // Notify checkers once for two bindLoc()s.
State = processRegionChange(State, TR, LC); State = processRegionChange(State, TR, LC);
return State; return State;
} }
ProgramStateRef ExprEngine::addInitializedTemporary(
ProgramStateRef State, const CXXBindTemporaryExpr *BTE,
const LocationContext *LC, const CXXTempObjectRegion *R) {
const auto &Key = std::make_pair(BTE, LC->getCurrentStackFrame());
if (!State->contains<InitializedTemporaries>(Key)) {
return State->set<InitializedTemporaries>(Key, R);
}
// FIXME: Currently the state might already contain the marker due to
// incorrect handling of temporaries bound to default parameters; for
// those, we currently skip the CXXBindTemporaryExpr but rely on adding
// temporary destructor nodes. Otherwise, this branch should be unreachable.
return State;
}
ProgramStateRef ProgramStateRef
ExprEngine::setCXXNewAllocatorValue(ProgramStateRef State, ExprEngine::setCXXNewAllocatorValue(ProgramStateRef State,
const CXXNewExpr *CNE, const CXXNewExpr *CNE,
const LocationContext *CallerLC, SVal V) { const LocationContext *CallerLC, SVal V) {
assert(!State->get<CXXNewAllocatorValues>(std::make_pair(CNE, CallerLC)) && assert(!State->get<CXXNewAllocatorValues>(std::make_pair(CNE, CallerLC)) &&
"Allocator value already set!"); "Allocator value already set!");
return State->set<CXXNewAllocatorValues>(std::make_pair(CNE, CallerLC), V); return State->set<CXXNewAllocatorValues>(std::make_pair(CNE, CallerLC), V);
} }
▲ Show 20 LinesShow All 51 Lines▼ Show 20 Lines
static void printInitializedTemporariesForContext(raw_ostream &Out, static void printInitializedTemporariesForContext(raw_ostream &Out,
ProgramStateRef State, ProgramStateRef State,
const char *NL, const char *NL,
const char *Sep, const char *Sep,
const LocationContext *LC) { const LocationContext *LC) {
PrintingPolicy PP = PrintingPolicy PP =
LC->getAnalysisDeclContext()->getASTContext().getPrintingPolicy(); LC->getAnalysisDeclContext()->getASTContext().getPrintingPolicy();
for (auto I : State->get<InitializedTemporariesSet>()) { for (auto I : State->get<InitializedTemporaries>()) {
if (I.second != LC) std::pair<const CXXBindTemporaryExpr *, const LocationContext *> Key =
I.first;
const MemRegion *Value = I.second;
if (Key.second != LC)
continue; continue;
Out << '(' << I.second << ',' << I.first << ") "; Out << '(' << Key.second << ',' << Key.first << ") ";
I.first->printPretty(Out, nullptr, PP); Key.first->printPretty(Out, nullptr, PP);
if (Value)
Out << " : " << Value;
Out << NL; Out << NL;
} }
} }
static void printCXXNewAllocatorValuesForContext(raw_ostream &Out, static void printCXXNewAllocatorValuesForContext(raw_ostream &Out,
ProgramStateRef State, ProgramStateRef State,
const char *NL, const char *NL,
const char *Sep, const char *Sep,
Show All 11 Lines for (auto I : State->get<CXXNewAllocatorValues>()) {
Out << " : " << Value << NL; Out << " : " << Value << NL;
} }
} }
void ExprEngine::printState(raw_ostream &Out, ProgramStateRef State, void ExprEngine::printState(raw_ostream &Out, ProgramStateRef State,
const char *NL, const char *Sep, const char *NL, const char *Sep,
const LocationContext *LCtx) { const LocationContext *LCtx) {
if (LCtx) { if (LCtx) {
if (!State->get<InitializedTemporariesSet>().isEmpty()) { if (!State->get<InitializedTemporaries>().isEmpty()) {
Out << Sep << "Initialized temporaries:" << NL; Out << Sep << "Initialized temporaries:" << NL;
LCtx->dumpStack(Out, "", NL, Sep, [&](const LocationContext *LC) { LCtx->dumpStack(Out, "", NL, Sep, [&](const LocationContext *LC) {
printInitializedTemporariesForContext(Out, State, NL, Sep, LC); printInitializedTemporariesForContext(Out, State, NL, Sep, LC);
}); });
} }
if (!State->get<CXXNewAllocatorValues>().isEmpty()) { if (!State->get<CXXNewAllocatorValues>().isEmpty()) {
▲ Show 20 LinesShow All 97 Lines▼ Show 20 Lines if (!ReferenceStmt) {
assert(K == ProgramPoint::PostStmtPurgeDeadSymbolsKind && assert(K == ProgramPoint::PostStmtPurgeDeadSymbolsKind &&
"Use PostStmtPurgeDeadSymbolsKind for clearing a LocationContext"); "Use PostStmtPurgeDeadSymbolsKind for clearing a LocationContext");
LC = LC->getParent(); LC = LC->getParent();
} }
const StackFrameContext *SFC = LC ? LC->getCurrentStackFrame() : nullptr; const StackFrameContext *SFC = LC ? LC->getCurrentStackFrame() : nullptr;
SymbolReaper SymReaper(SFC, ReferenceStmt, SymMgr, getStoreManager()); SymbolReaper SymReaper(SFC, ReferenceStmt, SymMgr, getStoreManager());
for (auto I : CleanedState->get<InitializedTemporaries>())
if (I.second)
SymReaper.markLive(I.second);
for (auto I : CleanedState->get<CXXNewAllocatorValues>()) { for (auto I : CleanedState->get<CXXNewAllocatorValues>()) {
if (SymbolRef Sym = I.second.getAsSymbol()) if (SymbolRef Sym = I.second.getAsSymbol())
SymReaper.markLive(Sym); SymReaper.markLive(Sym);
if (const MemRegion *MR = I.second.getAsRegion()) if (const MemRegion *MR = I.second.getAsRegion())
SymReaper.markElementIndicesLive(MR); SymReaper.markElementIndicesLive(MR);
} }
getCheckerManager().runCheckersForLiveSymbols(CleanedState, SymReaper); getCheckerManager().runCheckersForLiveSymbols(CleanedState, SymReaper);
▲ Show 20 LinesShow All 348 Lines▼ Show 20 Lines
} }
void ExprEngine::ProcessTemporaryDtor(const CFGTemporaryDtor D, void ExprEngine::ProcessTemporaryDtor(const CFGTemporaryDtor D,
ExplodedNode *Pred, ExplodedNode *Pred,
ExplodedNodeSet &Dst) { ExplodedNodeSet &Dst) {
ExplodedNodeSet CleanDtorState; ExplodedNodeSet CleanDtorState;
StmtNodeBuilder StmtBldr(Pred, CleanDtorState, *currBldrCtx); StmtNodeBuilder StmtBldr(Pred, CleanDtorState, *currBldrCtx);
ProgramStateRef State = Pred->getState(); ProgramStateRef State = Pred->getState();
if (State->contains<InitializedTemporariesSet>( const MemRegion *MR = nullptr;
std::make_pair(D.getBindTemporaryExpr(), Pred->getStackFrame()))) { if (const CXXTempObjectRegion *const *MRPtr =
State->get<InitializedTemporaries>(std::make_pair(
D.getBindTemporaryExpr(), Pred->getStackFrame()))) {
// FIXME: Currently we insert temporary destructors for default parameters, // FIXME: Currently we insert temporary destructors for default parameters,
// but we don't insert the constructors. // but we don't insert the constructors, so the entry in
State = State->remove<InitializedTemporariesSet>( // InitializedTemporaries may be missing.
State = State->remove<InitializedTemporaries>(
std::make_pair(D.getBindTemporaryExpr(), Pred->getStackFrame())); std::make_pair(D.getBindTemporaryExpr(), Pred->getStackFrame()));
// *MRPtr may still be null when the construction context for the temporary
dcoughlinUnsubmitted
Done
ReplyInline Actions

Can we add an assertion somewhere else (like when leaving a stack frame context) to make sure that the expected temporaries have all been removed from InitializedTemporaries?

dcoughlin: Can we add an assertion somewhere else (like when leaving a stack frame context) to make sure…
// was not implemented.
MR = *MRPtr;
} }
StmtBldr.generateNode(D.getBindTemporaryExpr(), Pred, State); StmtBldr.generateNode(D.getBindTemporaryExpr(), Pred, State);
QualType varType = D.getBindTemporaryExpr()->getSubExpr()->getType(); QualType varType = D.getBindTemporaryExpr()->getSubExpr()->getType();
// FIXME: Currently CleanDtorState can be empty here due to temporaries being // FIXME: Currently CleanDtorState can be empty here due to temporaries being
// bound to default parameters. // bound to default parameters.
assert(CleanDtorState.size() <= 1); assert(CleanDtorState.size() <= 1);
ExplodedNode *CleanPred = ExplodedNode *CleanPred =
CleanDtorState.empty() ? Pred : *CleanDtorState.begin(); CleanDtorState.empty() ? Pred : *CleanDtorState.begin();
// FIXME: Inlining of temporary destructors is not supported yet anyway, so
// we just put a NULL region for now. This will need to be changed later.
EvalCallOptions CallOpts; EvalCallOptions CallOpts;
CallOpts.IsTemporaryCtorOrDtor = true; CallOpts.IsTemporaryCtorOrDtor = true;
if (!MR)
CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion = true; CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion = true;
VisitCXXDestructor(varType, nullptr, D.getBindTemporaryExpr(), VisitCXXDestructor(varType, MR, D.getBindTemporaryExpr(),
/*IsBase=*/false, CleanPred, Dst, CallOpts); /*IsBase=*/false, CleanPred, Dst, CallOpts);
} }
void ExprEngine::processCleanupTemporaryBranch(const CXXBindTemporaryExpr *BTE, void ExprEngine::processCleanupTemporaryBranch(const CXXBindTemporaryExpr *BTE,
NodeBuilderContext &BldCtx, NodeBuilderContext &BldCtx,
ExplodedNode *Pred, ExplodedNode *Pred,
ExplodedNodeSet &Dst, ExplodedNodeSet &Dst,
const CFGBlock *DstT, const CFGBlock *DstT,
const CFGBlock *DstF) { const CFGBlock *DstF) {
BranchNodeBuilder TempDtorBuilder(Pred, Dst, BldCtx, DstT, DstF); BranchNodeBuilder TempDtorBuilder(Pred, Dst, BldCtx, DstT, DstF);
if (Pred->getState()->contains<InitializedTemporariesSet>( if (Pred->getState()->contains<InitializedTemporaries>(
std::make_pair(BTE, Pred->getStackFrame()))) { std::make_pair(BTE, Pred->getStackFrame()))) {
TempDtorBuilder.markInfeasible(false); TempDtorBuilder.markInfeasible(false);
TempDtorBuilder.generateNode(Pred->getState(), true, Pred); TempDtorBuilder.generateNode(Pred->getState(), true, Pred);
} else { } else {
TempDtorBuilder.markInfeasible(true); TempDtorBuilder.markInfeasible(true);
TempDtorBuilder.generateNode(Pred->getState(), false, Pred); TempDtorBuilder.generateNode(Pred->getState(), false, Pred);
} }
} }
void ExprEngine::VisitCXXBindTemporaryExpr(const CXXBindTemporaryExpr *BTE,
ExplodedNodeSet &PreVisit,
ExplodedNodeSet &Dst) {
if (!getAnalysisManager().options.includeTemporaryDtorsInCFG()) {
// In case we don't have temporary destructors in the CFG, do not mark
// the initialization - we would otherwise never clean it up.
Dst = PreVisit;
return;
}
StmtNodeBuilder StmtBldr(PreVisit, Dst, *currBldrCtx);
for (ExplodedNode *Node : PreVisit) {
ProgramStateRef State = Node->getState();
if (!State->contains<InitializedTemporariesSet>(
std::make_pair(BTE, Node->getStackFrame()))) {
// FIXME: Currently the state might already contain the marker due to
// incorrect handling of temporaries bound to default parameters; for
// those, we currently skip the CXXBindTemporaryExpr but rely on adding
// temporary destructor nodes.
State = State->add<InitializedTemporariesSet>(
std::make_pair(BTE, Node->getStackFrame()));
}
StmtBldr.generateNode(BTE, Node, State);
}
}
namespace { namespace {
class CollectReachableSymbolsCallback final : public SymbolVisitor { class CollectReachableSymbolsCallback final : public SymbolVisitor {
InvalidatedSymbols Symbols; InvalidatedSymbols Symbols;
public: public:
explicit CollectReachableSymbolsCallback(ProgramStateRef State) {} explicit CollectReachableSymbolsCallback(ProgramStateRef State) {}
const InvalidatedSymbols &getSymbols() const { return Symbols; } const InvalidatedSymbols &getSymbols() const { return Symbols; }
▲ Show 20 LinesShow All 146 Lines▼ Show 20 Lines switch (S->getStmtClass()) {
case Stmt::ExprWithCleanupsClass: case Stmt::ExprWithCleanupsClass:
// Handled due to fully linearised CFG. // Handled due to fully linearised CFG.
break; break;
case Stmt::CXXBindTemporaryExprClass: { case Stmt::CXXBindTemporaryExprClass: {
Bldr.takeNodes(Pred); Bldr.takeNodes(Pred);
ExplodedNodeSet PreVisit; ExplodedNodeSet PreVisit;
getCheckerManager().runCheckersForPreStmt(PreVisit, Pred, S, *this); getCheckerManager().runCheckersForPreStmt(PreVisit, Pred, S, *this);
ExplodedNodeSet Next; getCheckerManager().runCheckersForPostStmt(Dst, PreVisit, S, *this);
VisitCXXBindTemporaryExpr(cast<CXXBindTemporaryExpr>(S), PreVisit, Next);
getCheckerManager().runCheckersForPostStmt(Dst, Next, S, *this);
Bldr.addNodes(Dst); Bldr.addNodes(Dst);
break; break;
} }
// Cases not handled yet; but will handle some day. // Cases not handled yet; but will handle some day.
case Stmt::DesignatedInitExprClass: case Stmt::DesignatedInitExprClass:
case Stmt::DesignatedInitUpdateExprClass: case Stmt::DesignatedInitUpdateExprClass:
case Stmt::ArrayInitLoopExprClass: case Stmt::ArrayInitLoopExprClass:
▲ Show 20 LinesShow All 1,945 LinesShow Last 20 Lines

lib/StaticAnalyzer/Core/ExprEngineCXX.cpp

Show First 20 LinesShow All 96 Lines▼ Show 20 LinesSVal ExprEngine::makeZeroElementRegion(ProgramStateRef State, SVal LValue,
return LValue; return LValue;
} }
const MemRegion * const MemRegion *
ExprEngine::getRegionForConstructedObject(const CXXConstructExpr *CE, ExprEngine::getRegionForConstructedObject(const CXXConstructExpr *CE,
ExplodedNode *Pred, ExplodedNode *Pred,
const ConstructionContext *CC,
EvalCallOptions &CallOpts) { EvalCallOptions &CallOpts) {
const LocationContext *LCtx = Pred->getLocationContext(); const LocationContext *LCtx = Pred->getLocationContext();
ProgramStateRef State = Pred->getState(); ProgramStateRef State = Pred->getState();
MemRegionManager &MRMgr = getSValBuilder().getRegionManager(); MemRegionManager &MRMgr = getSValBuilder().getRegionManager();
// See if we're constructing an existing region by looking at the // See if we're constructing an existing region by looking at the
// current construction context. // current construction context.
if (auto CC = getCurrentCFGElement().getAs<CFGConstructor>()) { if (CC) {
if (const Stmt *TriggerStmt = CC->getTriggerStmt()) { if (const Stmt *TriggerStmt = CC->getTriggerStmt()) {
if (const CXXNewExpr *CNE = dyn_cast<CXXNewExpr>(TriggerStmt)) { if (const CXXNewExpr *CNE = dyn_cast<CXXNewExpr>(TriggerStmt)) {
if (AMgr.getAnalyzerOptions().mayInlineCXXAllocator()) { if (AMgr.getAnalyzerOptions().mayInlineCXXAllocator()) {
// TODO: Detect when the allocator returns a null pointer. // TODO: Detect when the allocator returns a null pointer.
// Constructor shall not be called in this case. // Constructor shall not be called in this case.
if (const SubRegion *MR = dyn_cast_or_null<SubRegion>( if (const SubRegion *MR = dyn_cast_or_null<SubRegion>(
getCXXNewAllocatorValue(State, CNE, LCtx).getAsRegion())) { getCXXNewAllocatorValue(State, CNE, LCtx).getAsRegion())) {
if (CNE->isArray()) { if (CNE->isArray()) {
▲ Show 20 LinesShow All 91 Lines▼ Show 20 Linesvoid ExprEngine::VisitCXXConstructExpr(const CXXConstructExpr *CE,
const MemRegion *Target = nullptr; const MemRegion *Target = nullptr;
// FIXME: Handle arrays, which run the same constructor for every element. // FIXME: Handle arrays, which run the same constructor for every element.
// For now, we just run the first constructor (which should still invalidate // For now, we just run the first constructor (which should still invalidate
// the entire array). // the entire array).
EvalCallOptions CallOpts; EvalCallOptions CallOpts;
auto C = getCurrentCFGElement().getAs<CFGConstructor>();
const ConstructionContext *CC = C ? C->getConstructionContext() : nullptr;
const CXXBindTemporaryExpr *BTE = nullptr;
switch (CE->getConstructionKind()) { switch (CE->getConstructionKind()) {
case CXXConstructExpr::CK_Complete: { case CXXConstructExpr::CK_Complete: {
Target = getRegionForConstructedObject(CE, Pred, CallOpts); Target = getRegionForConstructedObject(CE, Pred, CC, CallOpts);
if (CC &&
!CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion &&
CallOpts.IsTemporaryCtorOrDtor) {
// May as well be a ReturnStmt.
BTE = dyn_cast<CXXBindTemporaryExpr>(CC->getTriggerStmt());
}
break; break;
} }
case CXXConstructExpr::CK_VirtualBase: case CXXConstructExpr::CK_VirtualBase:
// Make sure we are not calling virtual base class initializers twice. // Make sure we are not calling virtual base class initializers twice.
// Only the most-derived object should initialize virtual base classes. // Only the most-derived object should initialize virtual base classes.
if (const Stmt *Outer = LCtx->getCurrentStackFrame()->getCallSite()) { if (const Stmt *Outer = LCtx->getCurrentStackFrame()->getCallSite()) {
const CXXConstructExpr *OuterCtor = dyn_cast<CXXConstructExpr>(Outer); const CXXConstructExpr *OuterCtor = dyn_cast<CXXConstructExpr>(Outer);
if (OuterCtor) { if (OuterCtor) {
▲ Show 20 LinesShow All 51 Lines▼ Show 20 Linesvoid ExprEngine::VisitCXXConstructExpr(const CXXConstructExpr *CE,
CallEventManager &CEMgr = getStateManager().getCallEventManager(); CallEventManager &CEMgr = getStateManager().getCallEventManager();
CallEventRef<CXXConstructorCall> Call = CallEventRef<CXXConstructorCall> Call =
CEMgr.getCXXConstructorCall(CE, Target, State, LCtx); CEMgr.getCXXConstructorCall(CE, Target, State, LCtx);
ExplodedNodeSet DstPreVisit; ExplodedNodeSet DstPreVisit;
getCheckerManager().runCheckersForPreStmt(DstPreVisit, Pred, CE, *this); getCheckerManager().runCheckersForPreStmt(DstPreVisit, Pred, CE, *this);
// FIXME: Is it possible and/or useful to do this before PreStmt?
ExplodedNodeSet PreInitialized; ExplodedNodeSet PreInitialized;
{ {
StmtNodeBuilder Bldr(DstPreVisit, PreInitialized, *currBldrCtx); StmtNodeBuilder Bldr(DstPreVisit, PreInitialized, *currBldrCtx);
if (CE->requiresZeroInitialization()) {
// Type of the zero doesn't matter.
SVal ZeroVal = svalBuilder.makeZeroVal(getContext().CharTy);
for (ExplodedNodeSet::iterator I = DstPreVisit.begin(), for (ExplodedNodeSet::iterator I = DstPreVisit.begin(),
E = DstPreVisit.end(); E = DstPreVisit.end();
I != E; ++I) { I != E; ++I) {
ProgramStateRef State = (*I)->getState(); ProgramStateRef State = (*I)->getState();
if (CE->requiresZeroInitialization()) {
// Type of the zero doesn't matter.
SVal ZeroVal = svalBuilder.makeZeroVal(getContext().CharTy);
// FIXME: Once we properly handle constructors in new-expressions, we'll // FIXME: Once we properly handle constructors in new-expressions, we'll
// need to invalidate the region before setting a default value, to make // need to invalidate the region before setting a default value, to make
// sure there aren't any lingering bindings around. This probably needs // sure there aren't any lingering bindings around. This probably needs
// to happen regardless of whether or not the object is zero-initialized // to happen regardless of whether or not the object is zero-initialized
// to handle random fields of a placement-initialized object picking up // to handle random fields of a placement-initialized object picking up
// old bindings. We might only want to do it when we need to, though. // old bindings. We might only want to do it when we need to, though.
// FIXME: This isn't actually correct for arrays -- we need to zero- // FIXME: This isn't actually correct for arrays -- we need to zero-
// initialize the entire array, not just the first element -- but our // initialize the entire array, not just the first element -- but our
// handling of arrays everywhere else is weak as well, so this shouldn't // handling of arrays everywhere else is weak as well, so this shouldn't
// actually make things worse. Placement new makes this tricky as well, // actually make things worse. Placement new makes this tricky as well,
// since it's then possible to be initializing one part of a multi- // since it's then possible to be initializing one part of a multi-
// dimensional array. // dimensional array.
State = State->bindDefault(loc::MemRegionVal(Target), ZeroVal, LCtx); State = State->bindDefault(loc::MemRegionVal(Target), ZeroVal, LCtx);
}
if (BTE) {
State = addInitializedTemporary(State, BTE, LCtx,
cast<CXXTempObjectRegion>(Target));
}
Bldr.generateNode(CE, *I, State, /*tag=*/nullptr, Bldr.generateNode(CE, *I, State, /*tag=*/nullptr,
ProgramPoint::PreStmtKind); ProgramPoint::PreStmtKind);
} }
} }
}
ExplodedNodeSet DstPreCall; ExplodedNodeSet DstPreCall;
getCheckerManager().runCheckersForPreCall(DstPreCall, PreInitialized, getCheckerManager().runCheckersForPreCall(DstPreCall, PreInitialized,
*Call, *this); *Call, *this);
ExplodedNodeSet DstEvaluated; ExplodedNodeSet DstEvaluated;
StmtNodeBuilder Bldr(DstPreCall, DstEvaluated, *currBldrCtx); StmtNodeBuilder Bldr(DstPreCall, DstEvaluated, *currBldrCtx);
▲ Show 20 LinesShow All 360 LinesShow Last 20 Lines

test/Analysis/temporaries.cpp

Show First 20 LinesShow All 773 Lines▼ Show 20 Lines#ifdef TEMPORARY_DTORS
// expected-warning@-2{{TRUE}} // expected-warning@-2{{TRUE}}
#else #else
// expected-warning@-4{{UNKNOWN}} // expected-warning@-4{{UNKNOWN}}
#endif #endif
} }
} }
} // namespace test_temporary_object_expr } // namespace test_temporary_object_expr
namespace test_match_constructors_and_destructors {
class C {
public:
int &x, &y;
C(int &_x, int &_y) : x(_x), y(_y) { ++x; }
C(const C &c): x(c.x), y(c.y) { ++x; }
~C() { ++y; }
};
void test_simple_temporary() {
int x = 0, y = 0;
{
const C &c = C(x, y);
}
// One constructor and one destructor.
clang_analyzer_eval(x == 1);
clang_analyzer_eval(y == 1);
#ifdef TEMPORARY_DTORS
// expected-warning@-3{{TRUE}}
// expected-warning@-3{{TRUE}}
#else
// expected-warning@-6{{UNKNOWN}}
// expected-warning@-6{{UNKNOWN}}
#endif
}
void test_simple_temporary_with_copy() {
int x = 0, y = 0;
{
C c = C(x, y);
}
// Two constructors (temporary object expr and copy) and two destructors.
clang_analyzer_eval(x == 2);
clang_analyzer_eval(y == 2);
#ifdef TEMPORARY_DTORS
// expected-warning@-3{{TRUE}}
// expected-warning@-3{{TRUE}}
#else
// expected-warning@-6{{UNKNOWN}}
// expected-warning@-6{{UNKNOWN}}
#endif
}
void test_ternary_temporary(int coin) {
int x = 0, y = 0, z = 0, w = 0;
{
C c = coin ? C(x, y) : C(z, w);
}
// This time each branch contains an additional elidable copy constructor.
if (coin) {
clang_analyzer_eval(x == 3);
clang_analyzer_eval(y == 3);
#ifdef TEMPORARY_DTORS
// expected-warning@-3{{TRUE}}
// expected-warning@-3{{TRUE}}
#else
// expected-warning@-6{{UNKNOWN}}
// expected-warning@-6{{UNKNOWN}}
#endif
clang_analyzer_eval(z == 0); // expected-warning{{TRUE}}
clang_analyzer_eval(w == 0); // expected-warning{{TRUE}}
} else {
clang_analyzer_eval(x == 0); // expected-warning{{TRUE}}
clang_analyzer_eval(y == 0); // expected-warning{{TRUE}}
clang_analyzer_eval(z == 3);
clang_analyzer_eval(w == 3);
#ifdef TEMPORARY_DTORS
// expected-warning@-3{{TRUE}}
// expected-warning@-3{{TRUE}}
#else
// expected-warning@-6{{UNKNOWN}}
// expected-warning@-6{{UNKNOWN}}
#endif
}
}
} // namespace test_match_constructors_and_destructors