
[analyzer] Support temporaries conjured by conservatively evaluated functions.

Authored by NoQ on Mar 5 2018, 6:06 PM.

If a conservatively evaluated function returns a C++ object by value, it no longer returns a conjured symbol. Instead it creates a proper temporary region, wipes it with a conjured symbol, returns the compound value, and then lifetime-extends/destroys the newly created object properly, while making sure its this-region is known from the beginning to the end of the object's lifetime and doesn't change in the process.

This review obsoletes D27202 and is better because the temporary is not only created but also correctly managed.

It allows us, in particular, to inline the destructor of such conjured temporary objects. I do not know whether it is a good idea or we should disable inlining specifically via a separate flag. But even without inlining, this change would hopefully help various C++ checkers track the object by keeping both its lvalue and its rvalue stable in all circumstances (as long as the construction context is available). For now I did not have a look at how current checkers are affected, but @baloghadamsoftware and @szepet might be interested.

C objects are untouched (i.e. still represented by conjured symbols) because they don't require lifetime management or even having a "this".

Diff Detail

rC Clang