This is an archive of the discontinued LLVM Phabricator instance.

Differential D47350

[analyzer] Track class member initializer constructors path-sensitively within their construction context.
ClosedPublic

Authored by NoQ on May 24 2018, 4:45 PM.

Details

Reviewers
dcoughlin
xazax.hun
a.sidorin
george.karpenkov
szepet
rnkovacs
Commits
rGa84374dc0e4e: [analyzer] Track class member initializer constructors path-sensitively.
rL334682: [analyzer] Track class member initializer constructors path-sensitively.
rC334682: [analyzer] Track class member initializer constructors path-sensitively.
Summary

Same as D47305 but for CXXCtorInitializer-based constructors, based on the discussion in http://lists.llvm.org/pipermail/cfe-dev/2018-May/058055.html

Because these don't suffer from liveness bugs (member variables are born much earlier than their constructors are called and live much longer than stack locals), this is mostly a refactoring pass. It has minor observable side effects, but it will have way more visible effects when we enable C++17 construction contexts because finding the direct constructor would be much harder.

Currently the observable effect is that we can preserve direct bindings to the object more often and we need to fall back to binding the lazy compound value of the initializer expression less often. Direct bindings are modeled better by the store. In the provided test case the default binding produced by trivial-copying s to t.s would overwrite the existing default binding to t. But if we instead preserve direct bindings, only bindings that correspond to t.s will be overwritten and the binding for t.w will remain untouched. This only works for C++17 because in C++11 the member variable is still modeled as a trivial copy from the temporary object, because there semantically *is* a temporary object, while in C++17 it is elided.

So we finally get rid of findDirectConstructorForCurrentCFGElement() which is a CFG look-behind hack. We pay the price of making our trait's key more complex; we should have probably just added state trait specializations for PointerUnion instead.

Diff Detail

Event Timeline

NoQ created this revision.May 24 2018, 4:45 PM
Herald added subscribers: cfe-commits, baloghadamsoftware. · View Herald TranscriptMay 24 2018, 4:45 PM
NoQ added a parent revision: D47305: [analyzer] pr37270: Fix binding constructed object to DeclStmt when ConstructionContext is already lost..May 24 2018, 4:45 PM
NoQ edited the summary of this revision. (Show Details)
NoQ updated this revision to Diff 148502.May 24 2018, 4:48 PM

Add a forgotten FIXME to the test.

NoQ mentioned this in D47351: [analyzer] Re-enable C++17-specific variable and member variable construction contexts..May 24 2018, 4:53 PM
NoQ added a child revision: D47351: [analyzer] Re-enable C++17-specific variable and member variable construction contexts..
george.karpenkov requested changes to this revision.May 30 2018, 11:50 AM

requesting changes due to minor nits inline

lib/StaticAnalyzer/Core/ExprEngine.cpp
161

newline after the brace. here and elsewhere within this class.

170

would it be faster to store a pair in the first place, instead of constructing it on each comparison? Is this operator required to be in a GDM?

771

gotta love state variables used 70 lines later on. Could we add a comment here? What is the semantics of the cleanup action? Running destructors? Maybe a better name would make this more readable?

Also would it be worse to change finishObjectConstruction function to not do anything when there's no object being constructed, and then we could simply call it on all code paths?

This revision now requires changes to proceed.May 30 2018, 11:50 AM
NoQ updated this revision to Diff 149205.May 30 2018, 2:34 PM
NoQ marked 3 inline comments as done.

Refactor everything to address review comments.

george.karpenkov accepted this revision.May 30 2018, 4:17 PM

LGTM, but I would really prefer if you could split that inheritance back into composition.

lib/StaticAnalyzer/Core/ExprEngine.cpp
123

sorry I find that very confusing, and I think the previous version was better (prefer composition over inheritance)

This revision is now accepted and ready to land.May 30 2018, 4:17 PM
NoQ added a comment.EditedMay 30 2018, 4:23 PM
This comment has been deleted.
lib/StaticAnalyzer/Core/ExprEngine.cpp
123

Ok, so, i mean, i don't think it would be faster, i really hope the compiler would know how to inline std::pair methods. I think converting to a std::pair or std::tuple is a fairly standard trick to avoid x < rhs.x || (x == rhs.x && y < rhs.y) kind of code. But with inheritance we at least have boilerplate operators sorted out for free.

May i leave the actual previous version around without fixing it?^^

NoQ updated this revision to Diff 149337.May 31 2018, 12:11 PM

Hmm, actually composition looks very pretty if you use the magic word "impl".

george.karpenkov added a comment.May 31 2018, 1:24 PM

👍

Closed by commit rC334682: [analyzer] Track class member initializer constructors path-sensitively. (authored by NoQ). · Explain WhyJun 13 2018, 6:45 PM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: mikhail.ramalho. · View Herald TranscriptJun 13 2018, 6:45 PM

Revision Contents

PathSize
include/
clang/
StaticAnalyzer/
Core/
PathSensitive/
17 lines
lib/
StaticAnalyzer/
Core/
137 lines
30 lines
test/
Analysis/
31 lines

Diff 149337

include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h

Show First 20 LinesShow All 756 Lines▼ Show 20 Linesprivate:
/// Store the location of a C++ object corresponding to a statement /// Store the location of a C++ object corresponding to a statement
/// until the statement is actually encountered. For example, if a DeclStmt /// until the statement is actually encountered. For example, if a DeclStmt
/// has CXXConstructExpr as its initializer, the object would be considered /// has CXXConstructExpr as its initializer, the object would be considered
/// to be "under construction" between CXXConstructExpr and DeclStmt. /// to be "under construction" between CXXConstructExpr and DeclStmt.
/// This allows, among other things, to keep bindings to variable's fields /// This allows, among other things, to keep bindings to variable's fields
/// made within the constructor alive until its declaration actually /// made within the constructor alive until its declaration actually
/// goes into scope. /// goes into scope.
static ProgramStateRef addObjectUnderConstruction( static ProgramStateRef addObjectUnderConstruction(
ProgramStateRef State, const Stmt *S, ProgramStateRef State,
llvm::PointerUnion<const Stmt *, const CXXCtorInitializer *> P,
const LocationContext *LC, SVal V); const LocationContext *LC, SVal V);
/// Mark the object sa fully constructed, cleaning up the state trait /// Mark the object sa fully constructed, cleaning up the state trait
/// that tracks objects under construction. /// that tracks objects under construction.
static ProgramStateRef finishObjectConstruction(ProgramStateRef State, static ProgramStateRef finishObjectConstruction(
const Stmt *S, ProgramStateRef State,
llvm::PointerUnion<const Stmt *, const CXXCtorInitializer *> P,
const LocationContext *LC); const LocationContext *LC);
/// If the given statement corresponds to an object under construction, /// If the given statement corresponds to an object under construction,
/// being part of its construciton context, retrieve that object's location. /// being part of its construciton context, retrieve that object's location.
static Optional<SVal> getObjectUnderConstruction(ProgramStateRef State, static Optional<SVal> getObjectUnderConstruction(
const Stmt *S, ProgramStateRef State,
llvm::PointerUnion<const Stmt *, const CXXCtorInitializer *> P,
const LocationContext *LC); const LocationContext *LC);
/// Check if all objects under construction have been fully constructed /// Check if all objects under construction have been fully constructed
/// for the given context range (including FromLC, not including ToLC). /// for the given context range (including FromLC, not including ToLC).
/// This is useful for assertions. /// This is useful for assertions.
static bool areAllObjectsFullyConstructed(ProgramStateRef State, static bool areAllObjectsFullyConstructed(ProgramStateRef State,
const LocationContext *FromLC, const LocationContext *FromLC,
const LocationContext *ToLC); const LocationContext *ToLC);
}; };
Show All 17 Lines

lib/StaticAnalyzer/Core/ExprEngine.cpp

Show First 20 LinesShow All 103 Lines▼ Show 20 Lines
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// When modeling a C++ constructor, for a variety of reasons we need to track // When modeling a C++ constructor, for a variety of reasons we need to track
// the location of the object for the duration of its ConstructionContext. // the location of the object for the duration of its ConstructionContext.
// ObjectsUnderConstruction maps statements within the construction context // ObjectsUnderConstruction maps statements within the construction context
// to the object's location, so that on every such statement the location // to the object's location, so that on every such statement the location
// could have been retrieved. // could have been retrieved.
typedef std::pair<const Stmt *, const LocationContext *> ConstructedObjectKey; /// ConstructedObjectKey is used for being able to find the path-sensitive
/// memory region of a freshly constructed object while modeling the AST node
/// that syntactically represents the object that is being constructed.
/// Semantics of such nodes may sometimes require access to the region that's
/// not otherwise present in the program state, or to the very fact that
/// the construction context was present and contained references to these
/// AST nodes.
class ConstructedObjectKey {
typedef std::pair<
llvm::PointerUnion<const Stmt *, const CXXCtorInitializer *>,
const LocationContext *> ConstructedObjectKeyImpl;
george.karpenkovUnsubmitted
Not Done
ReplyInline Actions

sorry I find that very confusing, and I think the previous version was better (prefer composition over inheritance)

george.karpenkov: sorry I find that very confusing, and I think the previous version was better (prefer…
NoQAuthorUnsubmitted
Not Done
ReplyInline Actions

Ok, so, i mean, i don't think it would be faster, i really hope the compiler would know how to inline std::pair methods. I think converting to a std::pair or std::tuple is a fairly standard trick to avoid x < rhs.x || (x == rhs.x && y < rhs.y) kind of code. But with inheritance we at least have boilerplate operators sorted out for free.

May i leave the actual previous version around without fixing it?^^

NoQ: Ok, so, i mean, i don't think it would be faster, i really hope the compiler would know how to…
ConstructedObjectKeyImpl Impl;
const void *getAnyASTNodePtr() const {
if (const Stmt *S = getStmt())
return S;
else
return getCXXCtorInitializer();
}
public:
ConstructedObjectKey(
llvm::PointerUnion<const Stmt *, const CXXCtorInitializer *> P,
const LocationContext *LC)
: Impl(P, LC) {
// This is the full list of statements that require additional actions when
// encountered. This list may be expanded when new actions are implemented.
assert(getCXXCtorInitializer() || isa<DeclStmt>(getStmt()) ||
isa<CXXNewExpr>(getStmt()) || isa<CXXBindTemporaryExpr>(getStmt()) ||
isa<MaterializeTemporaryExpr>(getStmt()));
}
const Stmt *getStmt() const {
return Impl.first.dyn_cast<const Stmt *>();
}
const CXXCtorInitializer *getCXXCtorInitializer() const {
return Impl.first.dyn_cast<const CXXCtorInitializer *>();
}
const LocationContext *getLocationContext() const {
return Impl.second;
}
void print(llvm::raw_ostream &OS, PrinterHelper *Helper, PrintingPolicy &PP) {
OS << '(' << getLocationContext() << ',' << getAnyASTNodePtr() << ") ";
if (const Stmt *S = getStmt()) {
S->printPretty(OS, Helper, PP);
} else {
george.karpenkovUnsubmitted
Done
ReplyInline Actions

newline after the brace. here and elsewhere within this class.

george.karpenkov: newline after the brace. here and elsewhere within this class.
const CXXCtorInitializer *I = getCXXCtorInitializer();
OS << I->getAnyMember()->getNameAsString();
}
}
void Profile(llvm::FoldingSetNodeID &ID) const {
ID.AddPointer(Impl.first.getOpaqueValue());
ID.AddPointer(Impl.second);
}
george.karpenkovUnsubmitted
Done
ReplyInline Actions

would it be faster to store a pair in the first place, instead of constructing it on each comparison? Is this operator required to be in a GDM?

george.karpenkov: would it be faster to store a pair in the first place, instead of constructing it on each…
bool operator==(const ConstructedObjectKey &RHS) const {
return Impl == RHS.Impl;
}
bool operator<(const ConstructedObjectKey &RHS) const {
return Impl < RHS.Impl;
}
};
typedef llvm::ImmutableMap<ConstructedObjectKey, SVal> typedef llvm::ImmutableMap<ConstructedObjectKey, SVal>
ObjectsUnderConstructionMap; ObjectsUnderConstructionMap;
REGISTER_TRAIT_WITH_PROGRAMSTATE(ObjectsUnderConstruction, REGISTER_TRAIT_WITH_PROGRAMSTATE(ObjectsUnderConstruction,
ObjectsUnderConstructionMap) ObjectsUnderConstructionMap)
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Engine construction and deletion. // Engine construction and deletion.
▲ Show 20 LinesShow All 252 Lines▼ Show 20 LinesExprEngine::createTemporaryRegionIfNeeded(ProgramStateRef State,
if (!FoundOriginalMaterializationRegion) { if (!FoundOriginalMaterializationRegion) {
// Notify checkers once for two bindLoc()s. // Notify checkers once for two bindLoc()s.
State = processRegionChange(State, TR, LC); State = processRegionChange(State, TR, LC);
} }
return State; return State;
} }
ProgramStateRef ProgramStateRef ExprEngine::addObjectUnderConstruction(
ExprEngine::addObjectUnderConstruction(ProgramStateRef State, const Stmt *S, ProgramStateRef State,
llvm::PointerUnion<const Stmt *, const CXXCtorInitializer *> P,
const LocationContext *LC, SVal V) { const LocationContext *LC, SVal V) {
ConstructedObjectKey Key(S, LC->getCurrentStackFrame()); ConstructedObjectKey Key(P, LC->getCurrentStackFrame());
// FIXME: Currently the state might already contain the marker due to // FIXME: Currently the state might already contain the marker due to
// incorrect handling of temporaries bound to default parameters. // incorrect handling of temporaries bound to default parameters.
assert(!State->get<ObjectsUnderConstruction>(Key) || assert(!State->get<ObjectsUnderConstruction>(Key) ||
isa<CXXBindTemporaryExpr>(S)); isa<CXXBindTemporaryExpr>(Key.getStmt()));
return State->set<ObjectsUnderConstruction>(Key, V); return State->set<ObjectsUnderConstruction>(Key, V);
} }
Optional<SVal> ExprEngine::getObjectUnderConstruction(ProgramStateRef State, Optional<SVal> ExprEngine::getObjectUnderConstruction(
const Stmt *S, const LocationContext *LC) { ProgramStateRef State,
ConstructedObjectKey Key(S, LC->getCurrentStackFrame()); llvm::PointerUnion<const Stmt *, const CXXCtorInitializer *> P,
const LocationContext *LC) {
ConstructedObjectKey Key(P, LC->getCurrentStackFrame());
return Optional<SVal>::create(State->get<ObjectsUnderConstruction>(Key)); return Optional<SVal>::create(State->get<ObjectsUnderConstruction>(Key));
} }
ProgramStateRef ExprEngine::finishObjectConstruction(ProgramStateRef State, ProgramStateRef ExprEngine::finishObjectConstruction(
const Stmt *S, const LocationContext *LC) { ProgramStateRef State,
ConstructedObjectKey Key(S, LC->getCurrentStackFrame()); llvm::PointerUnion<const Stmt *, const CXXCtorInitializer *> P,
const LocationContext *LC) {
ConstructedObjectKey Key(P, LC->getCurrentStackFrame());
assert(State->contains<ObjectsUnderConstruction>(Key)); assert(State->contains<ObjectsUnderConstruction>(Key));
return State->remove<ObjectsUnderConstruction>(Key); return State->remove<ObjectsUnderConstruction>(Key);
} }
bool ExprEngine::areAllObjectsFullyConstructed(ProgramStateRef State, bool ExprEngine::areAllObjectsFullyConstructed(ProgramStateRef State,
const LocationContext *FromLC, const LocationContext *FromLC,
const LocationContext *ToLC) { const LocationContext *ToLC) {
const LocationContext *LC = FromLC; const LocationContext *LC = FromLC;
while (LC != ToLC) { while (LC != ToLC) {
assert(LC && "ToLC must be a parent of FromLC!"); assert(LC && "ToLC must be a parent of FromLC!");
for (auto I : State->get<ObjectsUnderConstruction>()) for (auto I : State->get<ObjectsUnderConstruction>())
if (I.first.second == LC) if (I.first.getLocationContext() == LC)
return false; return false;
LC = LC->getParent(); LC = LC->getParent();
} }
return true; return true;
} }
Show All 25 Linesstatic void printObjectsUnderConstructionForContext(raw_ostream &Out,
const char *NL, const char *NL,
const char *Sep, const char *Sep,
const LocationContext *LC) { const LocationContext *LC) {
PrintingPolicy PP = PrintingPolicy PP =
LC->getAnalysisDeclContext()->getASTContext().getPrintingPolicy(); LC->getAnalysisDeclContext()->getASTContext().getPrintingPolicy();
for (auto I : State->get<ObjectsUnderConstruction>()) { for (auto I : State->get<ObjectsUnderConstruction>()) {
ConstructedObjectKey Key = I.first; ConstructedObjectKey Key = I.first;
SVal Value = I.second; SVal Value = I.second;
if (Key.second != LC) if (Key.getLocationContext() != LC)
continue; continue;
Out << '(' << Key.second << ',' << Key.first << ") "; Key.print(Out, nullptr, PP);
Key.first->printPretty(Out, nullptr, PP);
Out << " : " << Value << NL; Out << " : " << Value << NL;
} }
} }
void ExprEngine::printState(raw_ostream &Out, ProgramStateRef State, void ExprEngine::printState(raw_ostream &Out, ProgramStateRef State,
const char *NL, const char *Sep, const char *NL, const char *Sep,
const LocationContext *LCtx) { const LocationContext *LCtx) {
if (LCtx) { if (LCtx) {
▲ Show 20 LinesShow All 206 Lines▼ Show 20 Lines if(AMgr.options.shouldUnrollLoops())
NewState = processLoopEnd(S, NewState); NewState = processLoopEnd(S, NewState);
LoopExit PP(S, Pred->getLocationContext()); LoopExit PP(S, Pred->getLocationContext());
Bldr.generateNode(PP, NewState, Pred); Bldr.generateNode(PP, NewState, Pred);
// Enqueue the new nodes onto the work list. // Enqueue the new nodes onto the work list.
Engine.enqueue(Dst, currBldrCtx->getBlock(), currStmtIdx); Engine.enqueue(Dst, currBldrCtx->getBlock(), currStmtIdx);
} }
void ExprEngine::ProcessInitializer(const CFGInitializer Init, void ExprEngine::ProcessInitializer(const CFGInitializer CFGInit,
ExplodedNode *Pred) { ExplodedNode *Pred) {
const CXXCtorInitializer *BMI = Init.getInitializer(); const CXXCtorInitializer *BMI = CFGInit.getInitializer();
const Expr *Init = BMI->getInit()->IgnoreImplicit();
const LocationContext *LC = Pred->getLocationContext();
PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(), PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(),
BMI->getSourceLocation(), BMI->getSourceLocation(),
"Error evaluating initializer"); "Error evaluating initializer");
// We don't clean up dead bindings here. // We don't clean up dead bindings here.
const auto *stackFrame = cast<StackFrameContext>(Pred->getLocationContext()); const auto *stackFrame = cast<StackFrameContext>(Pred->getLocationContext());
const auto *decl = cast<CXXConstructorDecl>(stackFrame->getDecl()); const auto *decl = cast<CXXConstructorDecl>(stackFrame->getDecl());
ProgramStateRef State = Pred->getState(); ProgramStateRef State = Pred->getState();
SVal thisVal = State->getSVal(svalBuilder.getCXXThis(decl, stackFrame)); SVal thisVal = State->getSVal(svalBuilder.getCXXThis(decl, stackFrame));
ExplodedNodeSet Tmp(Pred); ExplodedNodeSet Tmp;
SVal FieldLoc; SVal FieldLoc;
george.karpenkovUnsubmitted
Done
ReplyInline Actions

gotta love state variables used 70 lines later on. Could we add a comment here? What is the semantics of the cleanup action? Running destructors? Maybe a better name would make this more readable?

Also would it be worse to change finishObjectConstruction function to not do anything when there's no object being constructed, and then we could simply call it on all code paths?

george.karpenkov: gotta love state variables used 70 lines later on. Could we add a comment here? What is the…
// Evaluate the initializer, if necessary // Evaluate the initializer, if necessary
if (BMI->isAnyMemberInitializer()) { if (BMI->isAnyMemberInitializer()) {
// Constructors build the object directly in the field, // Constructors build the object directly in the field,
// but non-objects must be copied in from the initializer. // but non-objects must be copied in from the initializer.
if (const auto *CtorExpr = findDirectConstructorForCurrentCFGElement()) { if (getObjectUnderConstruction(State, BMI, LC)) {
assert(BMI->getInit()->IgnoreImplicit() == CtorExpr);
(void)CtorExpr;
// The field was directly constructed, so there is no need to bind. // The field was directly constructed, so there is no need to bind.
// But we still need to stop tracking the object under construction.
State = finishObjectConstruction(State, BMI, LC);
NodeBuilder Bldr(Pred, Tmp, *currBldrCtx);
PostStore PS(Init, LC, /*Loc*/ nullptr, /*tag*/ nullptr);
Bldr.generateNode(PS, State, Pred);
} else { } else {
const Expr *Init = BMI->getInit()->IgnoreImplicit();
const ValueDecl *Field; const ValueDecl *Field;
if (BMI->isIndirectMemberInitializer()) { if (BMI->isIndirectMemberInitializer()) {
Field = BMI->getIndirectMember(); Field = BMI->getIndirectMember();
FieldLoc = State->getLValue(BMI->getIndirectMember(), thisVal); FieldLoc = State->getLValue(BMI->getIndirectMember(), thisVal);
} else { } else {
Field = BMI->getMember(); Field = BMI->getMember();
FieldLoc = State->getLValue(BMI->getMember(), thisVal); FieldLoc = State->getLValue(BMI->getMember(), thisVal);
} }
Show All 17 Lines if (getObjectUnderConstruction(State, BMI, LC)) {
InitVal = SVB.conjureSymbolVal(BMI->getInit(), stackFrame, InitVal = SVB.conjureSymbolVal(BMI->getInit(), stackFrame,
Field->getType(), Field->getType(),
currBldrCtx->blockCount()); currBldrCtx->blockCount());
} }
} else { } else {
InitVal = State->getSVal(BMI->getInit(), stackFrame); InitVal = State->getSVal(BMI->getInit(), stackFrame);
} }
assert(Tmp.size() == 1 && "have not generated any new nodes yet");
assert(*Tmp.begin() == Pred && "have not generated any new nodes yet");
Tmp.clear();
PostInitializer PP(BMI, FieldLoc.getAsRegion(), stackFrame); PostInitializer PP(BMI, FieldLoc.getAsRegion(), stackFrame);
evalBind(Tmp, Init, Pred, FieldLoc, InitVal, /*isInit=*/true, &PP); evalBind(Tmp, Init, Pred, FieldLoc, InitVal, /*isInit=*/true, &PP);
} }
} else { } else {
assert(BMI->isBaseInitializer() || BMI->isDelegatingInitializer()); assert(BMI->isBaseInitializer() || BMI->isDelegatingInitializer());
Tmp.insert(Pred);
// We already did all the work when visiting the CXXConstructExpr. // We already did all the work when visiting the CXXConstructExpr.
} }
// Construct PostInitializer nodes whether the state changed or not, // Construct PostInitializer nodes whether the state changed or not,
// so that the diagnostics don't get confused. // so that the diagnostics don't get confused.
PostInitializer PP(BMI, FieldLoc.getAsRegion(), stackFrame); PostInitializer PP(BMI, FieldLoc.getAsRegion(), stackFrame);
ExplodedNodeSet Dst; ExplodedNodeSet Dst;
NodeBuilder Bldr(Tmp, Dst, *currBldrCtx); NodeBuilder Bldr(Tmp, Dst, *currBldrCtx);
for (const auto I : Tmp) for (const auto I : Tmp) {
Bldr.generateNode(PP, I->getState(), I); ProgramStateRef State = I->getState();
Bldr.generateNode(PP, State, I);
}
// Enqueue the new nodes onto the work list. // Enqueue the new nodes onto the work list.
Engine.enqueue(Dst, currBldrCtx->getBlock(), currStmtIdx); Engine.enqueue(Dst, currBldrCtx->getBlock(), currStmtIdx);
} }
void ExprEngine::ProcessImplicitDtor(const CFGImplicitDtor D, void ExprEngine::ProcessImplicitDtor(const CFGImplicitDtor D,
ExplodedNode *Pred) { ExplodedNode *Pred) {
ExplodedNodeSet Dst; ExplodedNodeSet Dst;
▲ Show 20 LinesShow All 1,346 Lines▼ Show 20 Lines // should go away, but the assertion should remain.
NodeBuilder Bldr(Pred, CleanUpObjects, BC); NodeBuilder Bldr(Pred, CleanUpObjects, BC);
ProgramStateRef State = Pred->getState(); ProgramStateRef State = Pred->getState();
const LocationContext *FromLC = Pred->getLocationContext(); const LocationContext *FromLC = Pred->getLocationContext();
const LocationContext *ToLC = FromLC->getCurrentStackFrame()->getParent(); const LocationContext *ToLC = FromLC->getCurrentStackFrame()->getParent();
const LocationContext *LC = FromLC; const LocationContext *LC = FromLC;
while (LC != ToLC) { while (LC != ToLC) {
assert(LC && "ToLC must be a parent of FromLC!"); assert(LC && "ToLC must be a parent of FromLC!");
for (auto I : State->get<ObjectsUnderConstruction>()) for (auto I : State->get<ObjectsUnderConstruction>())
if (I.first.second == LC) { if (I.first.getLocationContext() == LC) {
// The comment above only pardons us for not cleaning up a // The comment above only pardons us for not cleaning up a
// CXXBindTemporaryExpr. If any other statements are found here, // CXXBindTemporaryExpr. If any other statements are found here,
// it must be a separate problem. // it must be a separate problem.
assert(isa<CXXBindTemporaryExpr>(I.first.first)); assert(isa<CXXBindTemporaryExpr>(I.first.getStmt()));
State = State->remove<ObjectsUnderConstruction>(I.first); State = State->remove<ObjectsUnderConstruction>(I.first);
} }
LC = LC->getParent(); LC = LC->getParent();
} }
if (State != Pred->getState()) { if (State != Pred->getState()) {
Pred = Bldr.generateNode(Pred->getLocation(), State, Pred); Pred = Bldr.generateNode(Pred->getLocation(), State, Pred);
if (!Pred) { if (!Pred) {
▲ Show 20 LinesShow All 954 LinesShow Last 20 Lines

lib/StaticAnalyzer/Core/ExprEngineCXX.cpp

Show First 20 LinesShow All 147 Lines▼ Show 20 Lines case ConstructionContext::SimpleConstructorInitializerKind: {
} else { } else {
Field = Init->getMember(); Field = Init->getMember();
FieldVal = State->getLValue(Init->getMember(), ThisVal); FieldVal = State->getLValue(Init->getMember(), ThisVal);
} }
QualType Ty = Field->getType(); QualType Ty = Field->getType();
FieldVal = makeZeroElementRegion(State, FieldVal, Ty, FieldVal = makeZeroElementRegion(State, FieldVal, Ty,
CallOpts.IsArrayCtorOrDtor); CallOpts.IsArrayCtorOrDtor);
State = addObjectUnderConstruction(State, Init, LCtx, FieldVal);
return std::make_pair(State, FieldVal); return std::make_pair(State, FieldVal);
} }
case ConstructionContext::NewAllocatedObjectKind: { case ConstructionContext::NewAllocatedObjectKind: {
if (AMgr.getAnalyzerOptions().mayInlineCXXAllocator()) { if (AMgr.getAnalyzerOptions().mayInlineCXXAllocator()) {
const auto *NECC = cast<NewAllocatedObjectConstructionContext>(CC); const auto *NECC = cast<NewAllocatedObjectConstructionContext>(CC);
const auto *NE = NECC->getCXXNewExpr(); const auto *NE = NECC->getCXXNewExpr();
SVal V = *getObjectUnderConstruction(State, NE, LCtx); SVal V = *getObjectUnderConstruction(State, NE, LCtx);
if (const SubRegion *MR = if (const SubRegion *MR =
▲ Show 20 LinesShow All 103 Lines▼ Show 20 Linesstd::pair<ProgramStateRef, SVal> ExprEngine::prepareForObjectConstruction(
} }
// If we couldn't find an existing region to construct into, assume we're // If we couldn't find an existing region to construct into, assume we're
// constructing a temporary. Notify the caller of our failure. // constructing a temporary. Notify the caller of our failure.
CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion = true; CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion = true;
return std::make_pair( return std::make_pair(
State, loc::MemRegionVal(MRMgr.getCXXTempObjectRegion(E, LCtx))); State, loc::MemRegionVal(MRMgr.getCXXTempObjectRegion(E, LCtx)));
} }
const CXXConstructExpr *
ExprEngine::findDirectConstructorForCurrentCFGElement() {
// Go backward in the CFG to see if the previous element (ignoring
// destructors) was a CXXConstructExpr. If so, that constructor
// was constructed directly into an existing region.
// This process is essentially the inverse of that performed in
// findElementDirectlyInitializedByCurrentConstructor().
if (currStmtIdx == 0)
return nullptr;
const CFGBlock *B = getBuilderContext().getBlock();
unsigned int PreviousStmtIdx = currStmtIdx - 1;
CFGElement Previous = (*B)[PreviousStmtIdx];
while (Previous.getAs<CFGImplicitDtor>() && PreviousStmtIdx > 0) {
--PreviousStmtIdx;
Previous = (*B)[PreviousStmtIdx];
}
if (Optional<CFGStmt> PrevStmtElem = Previous.getAs<CFGStmt>()) {
if (auto *CtorExpr = dyn_cast<CXXConstructExpr>(PrevStmtElem->getStmt())) {
return CtorExpr;
}
}
return nullptr;
}
void ExprEngine::VisitCXXConstructExpr(const CXXConstructExpr *CE, void ExprEngine::VisitCXXConstructExpr(const CXXConstructExpr *CE,
ExplodedNode *Pred, ExplodedNode *Pred,
ExplodedNodeSet &destNodes) { ExplodedNodeSet &destNodes) {
const LocationContext *LCtx = Pred->getLocationContext(); const LocationContext *LCtx = Pred->getLocationContext();
ProgramStateRef State = Pred->getState(); ProgramStateRef State = Pred->getState();
SVal Target = UnknownVal(); SVal Target = UnknownVal();
▲ Show 20 LinesShow All 491 LinesShow Last 20 Lines

test/Analysis/cxx17-mandatory-elision.cpp

Show All 15 Lines
struct B { struct B {
A a; A a;
B(): a(A(0)) {} B(): a(A(0)) {}
}; };
} // namespace variable_functional_cast_crash } // namespace variable_functional_cast_crash
namespace ctor_initializer {
struct S {
int x, y, z;
};
struct T {
S s;
int w;
T(int w): s(), w(w) {}
};
class C {
T t;
public:
C() : t(T(4)) {
S s = {1, 2, 3};
t.s = s;
// FIXME: Should be TRUE in C++11 as well.
clang_analyzer_eval(t.w == 4);
#if __cplusplus >= 201703L
// expected-warning@-2{{TRUE}}
#else
// expected-warning@-4{{UNKNOWN}}
#endif
}
};
} // namespace ctor_initializer
namespace address_vector_tests { namespace address_vector_tests {
template <typename T> struct AddressVector { template <typename T> struct AddressVector {
T *buf[10]; T *buf[10];
int len; int len;
AddressVector() : len(0) {} AddressVector() : len(0) {}
▲ Show 20 LinesShow All 49 LinesShow Last 20 Lines