This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
cfe/trunk/
-
trunk/
-
include/clang/StaticAnalyzer/Core/PathSensitive/
-
clang/
-
StaticAnalyzer/
-
Core/
-
PathSensitive/
-
ExprEngine.h
-
lib/StaticAnalyzer/Core/
-
StaticAnalyzer/
-
Core/
-
ExprEngineCXX.cpp
-
ExprEngineCallAndReturn.cpp
-
test/Analysis/
-
Analysis/
-
lifetime-extension.cpp

Differential D46037

[analyzer] pr37166, pr37139: Disable constructor inlining when lifetime extension through aggregate initialization occurs.
ClosedPublic

Authored by NoQ on Apr 24 2018, 6:20 PM.

Download Raw Diff

Details

Reviewers

dcoughlin
xazax.hun
a.sidorin
george.karpenkov
szepet

Commits

rG310bca01781b: [analyzer] Fix a crash on lifetime extension through aggregate initialization.
rC330882: [analyzer] Fix a crash on lifetime extension through aggregate initialization.
rL330882: [analyzer] Fix a crash on lifetime extension through aggregate initialization.

Summary

This hotfix is similar to D43689 (and needs a follow-up similar to D44238 and D44239). CFG again doesn't provide us with correct automatic destructors, this time it's in the following code:

struct A {
  const C &c;
};

void foo() {
  A a = { C() };
}

In this code a is an aggregate, so it doesn't require construction or destruction. Instead, C() is lifetime-extended until the end of a's scope.

Additionally, we used to crash on my defensive "i know C++" assertion (no, i don't).

Diff Detail

Repository: rL LLVM

Event Timeline

NoQ created this revision.Apr 24 2018, 6:20 PM

Herald added subscribers: cfe-commits, rnkovacs, baloghadamsoftware. · View Herald TranscriptApr 24 2018, 6:20 PM

Add a test similar to pr37166. It should be actually fixed now with this patch. Essentially, we may also be lifetime-extended by an array of aggregate structures (with arbitrary amounts of interleaving array and aggregate structure brace-initializers).

pirama added a subscriber: pirama.Apr 25 2018, 11:02 AM

NoQ edited the summary of this revision. (Show Details)Apr 25 2018, 3:51 PM

This revision was not accepted when it landed; it landed in state Needs Review.Apr 25 2018, 4:05 PM

Closed by commit rL330882: [analyzer] Fix a crash on lifetime extension through aggregate initialization. (authored by NoQ). · Explain Why

This revision was automatically updated to reflect the committed changes.

Herald added a subscriber: llvm-commits. · View Herald TranscriptApr 25 2018, 4:05 PM

Revision Contents

Path

Size

cfe/

trunk/

include/

clang/

StaticAnalyzer/

Core/

PathSensitive/

ExprEngine.h

5 lines

lib/

StaticAnalyzer/

Core/

ExprEngineCXX.cpp

23 lines

ExprEngineCallAndReturn.cpp

5 lines

test/

Analysis/

lifetime-extension.cpp

31 lines

Diff 144032

cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h

Show First 20 Lines • Show All 104 Lines • ▼ Show 20 Lines	struct EvalCallOptions {
/// This call is a constructor or a destructor of a temporary value.		/// This call is a constructor or a destructor of a temporary value.
bool IsTemporaryCtorOrDtor = false;		bool IsTemporaryCtorOrDtor = false;

/// This call is a constructor for a temporary that is lifetime-extended		/// This call is a constructor for a temporary that is lifetime-extended
/// by binding a smaller object within it to a reference, for example		/// by binding a smaller object within it to a reference, for example
/// 'const int &x = C().x;'.		/// 'const int &x = C().x;'.
bool IsTemporaryLifetimeExtendedViaSubobject = false;		bool IsTemporaryLifetimeExtendedViaSubobject = false;

		/// This call is a constructor for a temporary that is lifetime-extended
		/// by binding it to a reference-type field within an aggregate,
		/// for example 'A { const C &c; }; A a = { C() };'
		bool IsTemporaryLifetimeExtendedViaAggregate = false;

EvalCallOptions() {}		EvalCallOptions() {}
};		};

private:		private:
cross_tu::CrossTranslationUnitContext &CTU;		cross_tu::CrossTranslationUnitContext &CTU;

AnalysisManager &AMgr;		AnalysisManager &AMgr;

▲ Show 20 Lines • Show All 710 Lines • Show Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp

Show First 20 Lines • Show All 174 Lines • ▼ Show 20 Lines	case ConstructionContext::NewAllocatedObjectKind: {
}		}
return MR;		return MR;
}		}
}		}
break;		break;
}		}
case ConstructionContext::TemporaryObjectKind: {		case ConstructionContext::TemporaryObjectKind: {
const auto *TOCC = cast<TemporaryObjectConstructionContext>(CC);		const auto *TOCC = cast<TemporaryObjectConstructionContext>(CC);
// See if we're lifetime-extended via our field. If so, take a note.
// Because automatic destructors aren't quite working in this case.
if (const auto *MTE = TOCC->getMaterializedTemporaryExpr()) {		if (const auto *MTE = TOCC->getMaterializedTemporaryExpr()) {
if (const ValueDecl *VD = MTE->getExtendingDecl()) {		if (const ValueDecl *VD = MTE->getExtendingDecl()) {
		// Pattern-match various forms of lifetime extension that aren't
		// currently supported by the CFG.
		// FIXME: Is there a better way to retrieve this information from
		// the MaterializeTemporaryExpr?
		assert(MTE->getStorageDuration() != SD_FullExpression);
		if (VD->getType()->isReferenceType()) {
assert(VD->getType()->isReferenceType());		assert(VD->getType()->isReferenceType());
if (VD->getType()->getPointeeType().getCanonicalType() !=		if (VD->getType()->getPointeeType().getCanonicalType() !=
MTE->GetTemporaryExpr()->getType().getCanonicalType()) {		MTE->GetTemporaryExpr()->getType().getCanonicalType()) {
		// We're lifetime-extended via our field. Automatic destructors
		// aren't quite working in this case.
CallOpts.IsTemporaryLifetimeExtendedViaSubobject = true;		CallOpts.IsTemporaryLifetimeExtendedViaSubobject = true;
}		}
		} else {
		// We're lifetime-extended by a surrounding aggregate.
		// Automatic destructors aren't quite working in this case.
		CallOpts.IsTemporaryLifetimeExtendedViaAggregate = true;
		}
}		}
}		}
// TODO: Support temporaries lifetime-extended via static references.		// TODO: Support temporaries lifetime-extended via static references.
// They'd need a getCXXStaticTempObjectRegion().		// They'd need a getCXXStaticTempObjectRegion().
CallOpts.IsTemporaryCtorOrDtor = true;		CallOpts.IsTemporaryCtorOrDtor = true;
return MRMgr.getCXXTempObjectRegion(CE, LCtx);		return MRMgr.getCXXTempObjectRegion(CE, LCtx);
}		}
case ConstructionContext::SimpleReturnedValueKind: {		case ConstructionContext::SimpleReturnedValueKind: {
▲ Show 20 Lines • Show All 561 Lines • Show Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp

Show First 20 Lines • Show All 693 Lines • ▼ Show 20 Lines	if (CtorExpr->getConstructionKind() == CXXConstructExpr::CK_Complete) {
// the fake temporary target.		// the fake temporary target.
if (CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion)		if (CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion)
return CIP_DisallowedOnce;		return CIP_DisallowedOnce;

// If the temporary is lifetime-extended by binding a smaller object		// If the temporary is lifetime-extended by binding a smaller object
// within it to a reference, automatic destructors don't work properly.		// within it to a reference, automatic destructors don't work properly.
if (CallOpts.IsTemporaryLifetimeExtendedViaSubobject)		if (CallOpts.IsTemporaryLifetimeExtendedViaSubobject)
return CIP_DisallowedOnce;		return CIP_DisallowedOnce;

		// If the temporary is lifetime-extended by binding it to a reference-typ
		// field within an aggregate, automatic destructors don't work properly.
		if (CallOpts.IsTemporaryLifetimeExtendedViaAggregate)
		return CIP_DisallowedOnce;
}		}

break;		break;
}		}
case CE_CXXDestructor: {		case CE_CXXDestructor: {
if (!Opts.mayInlineCXXMemberFunction(CIMK_Destructors))		if (!Opts.mayInlineCXXMemberFunction(CIMK_Destructors))
return CIP_DisallowedAlways;		return CIP_DisallowedAlways;

▲ Show 20 Lines • Show All 352 Lines • Show Last 20 Lines

cfe/trunk/test/Analysis/lifetime-extension.cpp

	Show First 20 Lines • Show All 141 Lines • ▼ Show 20 Lines
	void f5() {			void f5() {
	C after, before;			C after, before;
	{			{
	const bool &x = C(true, &after, &before).x; // no-crash			const bool &x = C(true, &after, &before).x; // no-crash
	}			}
	// FIXME: Should be TRUE. Should not warn about garbage value.			// FIXME: Should be TRUE. Should not warn about garbage value.
	clang_analyzer_eval(after == before); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(after == before); // expected-warning{{UNKNOWN}}
	}			}

				struct A { // A is an aggregate.
				const C &c;
				};

				void f6() {
				C after, before;
				{
				A a{C(true, &after, &before)};
				}
				// FIXME: Should be TRUE. Should not warn about garbage value.
				clang_analyzer_eval(after == before); // expected-warning{{UNKNOWN}}
				}

				void f7() {
				C after, before;
				{
				A a = {C(true, &after, &before)};
				}
				// FIXME: Should be TRUE. Should not warn about garbage value.
				clang_analyzer_eval(after == before); // expected-warning{{UNKNOWN}}
				}

				void f8() {
				C after, before;
				{
				A a[2] = {C(false, nullptr, nullptr), C(true, &after, &before)};
				}
				// FIXME: Should be TRUE. Should not warn about garbage value.
				clang_analyzer_eval(after == before); // expected-warning{{UNKNOWN}}
				}
	} // end namespace maintain_original_object_address_on_lifetime_extension			} // end namespace maintain_original_object_address_on_lifetime_extension

	namespace maintain_original_object_address_on_move {			namespace maintain_original_object_address_on_move {
	class C {			class C {
	int *x;			int *x;

	public:			public:
	C() : x(nullptr) {}			C() : x(nullptr) {}
	▲ Show 20 Lines • Show All 185 Lines • Show Last 20 Lines