This is an archive of the discontinued LLVM Phabricator instance.

Differential D43689

[analyzer] Disable constructor inlining when lifetime extension through fields occurs.
ClosedPublic

Authored by NoQ on Feb 23 2018, 11:21 AM.

Details

Reviewers
dcoughlin
xazax.hun
a.sidorin
george.karpenkov
szepet
Commits
rG8cd7961a0af7: [analyzer] Disable constructor inlining when lifetime extending through a field.
rL326240: [analyzer] Disable constructor inlining when lifetime extending through a field.
rC326240: [analyzer] Disable constructor inlining when lifetime extending through a field.
Summary

As i mentioned in D43497, automatic destructors are missing in the CFG in situations like

const int &x = C().x;

For now i'd rather disable construction inlining, because inlining constructors while doing nothing on destructors is very bad.

Diff Detail

Repository
rC Clang

Event Timeline

NoQ created this revision.Feb 23 2018, 11:21 AM
Herald added subscribers: cfe-commits, rnkovacs. · View Herald TranscriptFeb 23 2018, 11:21 AM
NoQ added a parent revision: D43533: [CFG] [analyzer] NFC: Refactor ConstructionContext into a finite set of cases..Feb 23 2018, 11:22 AM
dcoughlin accepted this revision.Feb 24 2018, 11:08 AM
dcoughlin added inline comments.
include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
70

Would you be willing to add a tiny code example to the comment? I.e., const int &x = C().x

lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
177

I *think* this is safe. But it seems like it would be more direct to use skipRValueSubobjectAdjustments() and check for sub-object adjustments since ultimately that is what you care about, right?

This revision is now accepted and ready to land.Feb 24 2018, 11:08 AM
NoQ added inline comments.Feb 24 2018, 2:01 PM
lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
177

skipRValueSubobjectAdjustments()

This function doesn't do anything anymore (since rC288563) (in most cases, at least). We now have lvalue sub-objects adjustments that are outside of MaterializeTemporaryExpr, and i'm trying to see if there are any by comparing the variable type with the temporary type. If there are still any rvalue sub-object adjustments present in the AST, then i'd have to skip them, as an additional step.

NoQ added a child revision: D43804: [analyzer] Enable cfg-temporary-dtors by default?.Feb 26 2018, 8:14 PM
NoQ added inline comments.Feb 27 2018, 12:16 PM
include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
70

Fixed in the commit.

Closed by commit rC326240: [analyzer] Disable constructor inlining when lifetime extending through a field. (authored by NoQ). · Explain WhyFeb 27 2018, 12:16 PM
This revision was automatically updated to reflect the committed changes.
NoQ mentioned this in D44239: [analyzer] Re-enable constructor inlining when lifetime extension through fields occurs..Mar 7 2018, 5:35 PM
chh added a subscriber: chh.Apr 18 2018, 10:24 AM

This change caused an assertion failure in ExprEngineCXX.cpp:
https://bugs.llvm.org/show_bug.cgi?id=37166

NoQ mentioned this in D46037: [analyzer] pr37166, pr37139: Disable constructor inlining when lifetime extension through aggregate initialization occurs..Apr 24 2018, 6:20 PM

Revision Contents

PathSize
include/
clang/
StaticAnalyzer/
Core/
PathSensitive/
4 lines
lib/
StaticAnalyzer/
Core/
12 lines
5 lines
test/
Analysis/
23 lines

Diff 136133

include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h

Show First 20 LinesShow All 59 Lines▼ Show 20 Lines struct EvalCallOptions {
/// This call is a constructor or a destructor for which we do not currently /// This call is a constructor or a destructor for which we do not currently
/// compute the this-region correctly. /// compute the this-region correctly.
bool IsCtorOrDtorWithImproperlyModeledTargetRegion = false; bool IsCtorOrDtorWithImproperlyModeledTargetRegion = false;
/// This call is a constructor or a destructor for a single element within /// This call is a constructor or a destructor for a single element within
/// an array, a part of array construction or destruction. /// an array, a part of array construction or destruction.
bool IsArrayCtorOrDtor = false; bool IsArrayCtorOrDtor = false;
/// This call is a constructor or a destructor of a temporary value. /// This call is a constructor or a destructor of a temporary value.
bool IsTemporaryCtorOrDtor = false; bool IsTemporaryCtorOrDtor = false;
/// This call is a constructor for a temporary that is lifetime-extended
/// by binding a smaller object within it to a reference, for example
/// 'const int &x = C().x;'.
dcoughlinUnsubmitted
Not Done
ReplyInline Actions

Would you be willing to add a tiny code example to the comment? I.e., const int &x = C().x

dcoughlin: Would you be willing to add a tiny code example to the comment? I.e., `const int &x = C().x`
NoQAuthorUnsubmitted
Not Done
ReplyInline Actions

Fixed in the commit.

NoQ: Fixed in the commit.
bool IsTemporaryLifetimeExtendedViaSubobject = false;
EvalCallOptions() {} EvalCallOptions() {}
}; };
private: private:
AnalysisManager &AMgr; AnalysisManager &AMgr;
AnalysisDeclContextManager &AnalysisDeclContexts; AnalysisDeclContextManager &AnalysisDeclContexts;
▲ Show 20 LinesShow All 689 LinesShow Last 20 Lines

lib/StaticAnalyzer/Core/ExprEngineCXX.cpp

Show First 20 LinesShow All 162 Lines▼ Show 20 Lines case ConstructionContext::NewAllocatedObjectKind: {
MR, NE->getType()->getPointeeType()); MR, NE->getType()->getPointeeType());
} }
return MR; return MR;
} }
} }
break; break;
} }
case ConstructionContext::TemporaryObjectKind: { case ConstructionContext::TemporaryObjectKind: {
const auto *TOCC = cast<TemporaryObjectConstructionContext>(CC);
// See if we're lifetime-extended via our field. If so, take a note.
// Because automatic destructors aren't quite working in this case.
if (const auto *MTE = TOCC->getMaterializedTemporaryExpr()) {
if (const ValueDecl *VD = MTE->getExtendingDecl()) {
assert(VD->getType()->isReferenceType());
if (VD->getType()->getPointeeType().getCanonicalType() !=
dcoughlinUnsubmitted
Not Done
ReplyInline Actions

I *think* this is safe. But it seems like it would be more direct to use skipRValueSubobjectAdjustments() and check for sub-object adjustments since ultimately that is what you care about, right?

dcoughlin: I *think* this is safe. But it seems like it would be more direct to use…
NoQAuthorUnsubmitted
Not Done
ReplyInline Actions

skipRValueSubobjectAdjustments()

This function doesn't do anything anymore (since rC288563) (in most cases, at least). We now have lvalue sub-objects adjustments that are outside of MaterializeTemporaryExpr, and i'm trying to see if there are any by comparing the variable type with the temporary type. If there are still any rvalue sub-object adjustments present in the AST, then i'd have to skip them, as an additional step.

NoQ: > skipRValueSubobjectAdjustments() This function doesn't do anything anymore (since rC288563)…
MTE->GetTemporaryExpr()->getType().getCanonicalType()) {
CallOpts.IsTemporaryLifetimeExtendedViaSubobject = true;
}
}
}
// TODO: Support temporaries lifetime-extended via static references. // TODO: Support temporaries lifetime-extended via static references.
// They'd need a getCXXStaticTempObjectRegion(). // They'd need a getCXXStaticTempObjectRegion().
CallOpts.IsTemporaryCtorOrDtor = true; CallOpts.IsTemporaryCtorOrDtor = true;
return MRMgr.getCXXTempObjectRegion(CE, LCtx); return MRMgr.getCXXTempObjectRegion(CE, LCtx);
} }
case ConstructionContext::ReturnedValueKind: { case ConstructionContext::ReturnedValueKind: {
// TODO: We should construct into a CXXBindTemporaryExpr or a // TODO: We should construct into a CXXBindTemporaryExpr or a
// MaterializeTemporaryExpr around the call-expression on the previous // MaterializeTemporaryExpr around the call-expression on the previous
▲ Show 20 LinesShow All 570 LinesShow Last 20 Lines

lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp

Show First 20 LinesShow All 672 Lines▼ Show 20 Lines if (CtorExpr->getConstructionKind() == CXXConstructExpr::CK_Complete) {
!Opts.includeTemporaryDtorsInCFG()) !Opts.includeTemporaryDtorsInCFG())
return CIP_DisallowedOnce; return CIP_DisallowedOnce;
// If we did not find the correct this-region, it would be pointless // If we did not find the correct this-region, it would be pointless
// to inline the constructor. Instead we will simply invalidate // to inline the constructor. Instead we will simply invalidate
// the fake temporary target. // the fake temporary target.
if (CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion) if (CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion)
return CIP_DisallowedOnce; return CIP_DisallowedOnce;
// If the temporary is lifetime-extended by binding a smaller object
// within it to a reference, automatic destructors don't work properly.
if (CallOpts.IsTemporaryLifetimeExtendedViaSubobject)
return CIP_DisallowedOnce;
} }
break; break;
} }
case CE_CXXDestructor: { case CE_CXXDestructor: {
if (!Opts.mayInlineCXXMemberFunction(CIMK_Destructors)) if (!Opts.mayInlineCXXMemberFunction(CIMK_Destructors))
return CIP_DisallowedAlways; return CIP_DisallowedAlways;
▲ Show 20 LinesShow All 351 LinesShow Last 20 Lines

test/Analysis/lifetime-extension.cpp

Show All 33 Linesstruct A {
~A() {} ~A() {}
}; };
void f() { void f() {
const int &x = A().i; // no-crash const int &x = A().i; // no-crash
const int &y = A().j[1]; // no-crash const int &y = A().j[1]; // no-crash
const int &z = (A().j[1], A().j[0]); // no-crash const int &z = (A().j[1], A().j[0]); // no-crash
clang_analyzer_eval(x == 1); // FIXME: All of these should be TRUE, but constructors aren't inlined.
clang_analyzer_eval(y == 3); clang_analyzer_eval(x == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(z == 2); clang_analyzer_eval(y == 3); // expected-warning{{UNKNOWN}}
#ifdef TEMPORARIES clang_analyzer_eval(z == 2); // expected-warning{{UNKNOWN}}
// expected-warning@-4{{TRUE}}
// expected-warning@-4{{TRUE}}
// expected-warning@-4{{TRUE}}
#else
// expected-warning@-8{{UNKNOWN}}
// expected-warning@-8{{UNKNOWN}}
// expected-warning@-8{{UNKNOWN}}
#endif
} }
} // end namespace pr19539_crash_on_destroying_an_integer } // end namespace pr19539_crash_on_destroying_an_integer
namespace maintain_original_object_address_on_lifetime_extension { namespace maintain_original_object_address_on_lifetime_extension {
class C { class C {
C **after, **before; C **after, **before;
public: public:
▲ Show 20 LinesShow All 77 Lines▼ Show 20 Lines
} }
void f5() { void f5() {
C *after, *before; C *after, *before;
{ {
const bool &x = C(true, &after, &before).x; // no-crash const bool &x = C(true, &after, &before).x; // no-crash
} }
// FIXME: Should be TRUE. Should not warn about garbage value. // FIXME: Should be TRUE. Should not warn about garbage value.
clang_analyzer_eval(after == before); clang_analyzer_eval(after == before); // expected-warning{{UNKNOWN}}
#ifdef TEMPORARIES
// expected-warning@-2{{The left operand of '==' is a garbage value}}
#else
// expected-warning@-4{{UNKNOWN}}
#endif
} }
} // end namespace maintain_original_object_address_on_lifetime_extension } // end namespace maintain_original_object_address_on_lifetime_extension
namespace maintain_original_object_address_on_move { namespace maintain_original_object_address_on_move {
class C { class C {
int *x; int *x;
public: public:
Show All 35 Lines