This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
cfe/trunk/
-
trunk/
-
lib/StaticAnalyzer/Core/
-
StaticAnalyzer/
-
Core/
-
ExprEngineCXX.cpp
-
test/Analysis/
-
Analysis/
-
ctor.mm

Differential D43714

[analyzer] Don't do anything when trivial-copying an empty class object.
ClosedPublic

Authored by NoQ on Feb 23 2018, 8:26 PM.

Download Raw Diff

Details

Reviewers

dcoughlin
xazax.hun
a.sidorin
george.karpenkov
szepet

Commits

rG4449e7f008cb: [analyzer] Fix trivial copy for empty objects.
rC326247: [analyzer] Fix trivial copy for empty objects.
rL326247: [analyzer] Fix trivial copy for empty objects.

Summary

When modeling implicit copy/move-constructor or copy/move-assignment operator of an empty class, don't do anything. The previous behavior was to take the value of the empty source object (which is always UnknownVal for empty classes) and assign it to the empty target object. This causes problems when the target object is a field or a base class because, due to how RegionStore forgets binding sizes, such UnknownVal would overwrite any existing store binding at the respective offset.

While testing temporary constructors and destructors, this resulted in numerous leak false positives when the raw pointer value in unique_ptr started disappearing from the program state when the zero-size deleter part of the smart pointer was trivially-copied at its offset. Note that performTrivialCopy doesn't cause pointer escape, because it normally doesn't need to.

Diff Detail

Repository: rL LLVM

Event Timeline

NoQ created this revision.Feb 23 2018, 8:26 PM

Herald added a subscriber: rnkovacs. · View Herald TranscriptFeb 23 2018, 8:26 PM

LGTM.

This revision is now accepted and ready to land.Feb 24 2018, 12:02 PM

NoQ added a child revision: D43804: [analyzer] Enable cfg-temporary-dtors by default?.Feb 26 2018, 8:14 PM

Looks good!

Closed by commit rL326247: [analyzer] Fix trivial copy for empty objects. (authored by NoQ). · Explain WhyFeb 27 2018, 1:15 PM

This revision was automatically updated to reflect the committed changes.

Herald added a subscriber: llvm-commits. · View Herald TranscriptFeb 27 2018, 1:15 PM

Revision Contents

Path

Size

cfe/

trunk/

lib/

StaticAnalyzer/

Core/

ExprEngineCXX.cpp

11 lines

test/

Analysis/

ctor.mm

20 lines

Diff 136139

cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp

	Show All 36 Lines
	}			}

	// FIXME: This is the sort of code that should eventually live in a Core			// FIXME: This is the sort of code that should eventually live in a Core
	// checker rather than as a special case in ExprEngine.			// checker rather than as a special case in ExprEngine.
	void ExprEngine::performTrivialCopy(NodeBuilder &Bldr, ExplodedNode *Pred,			void ExprEngine::performTrivialCopy(NodeBuilder &Bldr, ExplodedNode *Pred,
	const CallEvent &Call) {			const CallEvent &Call) {
	SVal ThisVal;			SVal ThisVal;
	bool AlwaysReturnsLValue;			bool AlwaysReturnsLValue;
				const CXXRecordDecl *ThisRD = nullptr;
	if (const CXXConstructorCall *Ctor = dyn_cast<CXXConstructorCall>(&Call)) {			if (const CXXConstructorCall *Ctor = dyn_cast<CXXConstructorCall>(&Call)) {
	assert(Ctor->getDecl()->isTrivial());			assert(Ctor->getDecl()->isTrivial());
	assert(Ctor->getDecl()->isCopyOrMoveConstructor());			assert(Ctor->getDecl()->isCopyOrMoveConstructor());
	ThisVal = Ctor->getCXXThisVal();			ThisVal = Ctor->getCXXThisVal();
				ThisRD = Ctor->getDecl()->getParent();
	AlwaysReturnsLValue = false;			AlwaysReturnsLValue = false;
	} else {			} else {
	assert(cast<CXXMethodDecl>(Call.getDecl())->isTrivial());			assert(cast<CXXMethodDecl>(Call.getDecl())->isTrivial());
	assert(cast<CXXMethodDecl>(Call.getDecl())->getOverloadedOperator() ==			assert(cast<CXXMethodDecl>(Call.getDecl())->getOverloadedOperator() ==
	OO_Equal);			OO_Equal);
	ThisVal = cast<CXXInstanceCall>(Call).getCXXThisVal();			ThisVal = cast<CXXInstanceCall>(Call).getCXXThisVal();
				ThisRD = cast<CXXMethodDecl>(Call.getDecl())->getParent();
	AlwaysReturnsLValue = true;			AlwaysReturnsLValue = true;
	}			}

				assert(ThisRD);
				if (ThisRD->isEmpty()) {
				// Do nothing for empty classes. Otherwise it'd retrieve an UnknownVal
				// and bind it and RegionStore would think that the actual value
				// in this region at this offset is unknown.
				return;
				}

	const LocationContext *LCtx = Pred->getLocationContext();			const LocationContext *LCtx = Pred->getLocationContext();

	ExplodedNodeSet Dst;			ExplodedNodeSet Dst;
	Bldr.takeNodes(Pred);			Bldr.takeNodes(Pred);

	SVal V = Call.getArgSVal(0);			SVal V = Call.getArgSVal(0);

	// If the value being copied is not unknown, load from its location to get			// If the value being copied is not unknown, load from its location to get
	▲ Show 20 Lines • Show All 695 Lines • Show Last 20 Lines

cfe/trunk/test/Analysis/ctor.mm

Show First 20 Lines • Show All 723 Lines • ▼ Show 20 Lines	namespace NoCrashOnEmptyBaseOptimization {
struct S : NonEmptyBase, EmptyBase {		struct S : NonEmptyBase, EmptyBase {
S() : NonEmptyBase(0), EmptyBase() {}		S() : NonEmptyBase(0), EmptyBase() {}
};		};

void testSCtorNoCrash() {		void testSCtorNoCrash() {
S s;		S s;
}		}
}		}

		namespace EmptyBaseAssign {
		struct B1 {};
		struct B2 { int x; };
		struct D: public B1, public B2 {
		const D &operator=(const D &d) {
		((B2 )this) = d;
		((B1 )this) = d;
		return *this;
		}
		};

		void test() {
		D d1;
		d1.x = 1;
		D d2;
		d2 = d1;
		clang_analyzer_eval(d2.x == 1); // expected-warning{{TRUE}}
		}
		}