[PATCH] D60988: [analyzer] Fix crash when returning C++ objects from ObjC messages-to-nil.

Artem Dergachev via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Mon Apr 22 18:19:42 PDT 2019

NoQ created this revision.
NoQ added a reviewer: dcoughlin.
Herald added subscribers: cfe-commits, Charusso, dkrupp, donat.nagy, Szelethus, mikhail.ramalho, a.sidorin, szepet, baloghadamsoftware, xazax.hun.
Herald added a project: clang.

This is an Objective-C++ specific fix to a problem that's similar to D59573 <https://reviews.llvm.org/D59573> and D59622 <https://reviews.llvm.org/D59622> (i.e., hitting the same assertion i added in D59054 <https://reviews.llvm.org/D59054>).

This time, surprisingly, the assertion is in fact incorrect: there is a cornercase in Objective-C++ in which a C++ object is not constructed with a constructor, but only zero-initialized. Namely, this happens when an Objective-C message is sent to a `nil` and it is supposed to return a C++ object.

I made sure that the assertion is only relaxed for Objective-C++ but it's hard to relax it in a more specific way with the amount of information that `RegionStore` receives. The alternative solution was to conjure a `LazyCompoundValue` specifically for this case instead, but implementing this cornercase in `SValBuilder::makeZeroVal()` is hard because there's no good region to use as the base of that `LazyCompoundVal`, and in the checker (this modeling currently belongs to CallAndMessageChecker) it's even uglier and is bad for checker APIs.

  rC Clang



Index: clang/test/Analysis/nil-receiver.mm
--- /dev/null
+++ clang/test/Analysis/nil-receiver.mm
@@ -0,0 +1,24 @@
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection \
+// RUN:                    -verify %s
+#define nil ((id)0)
+void clang_analyzer_eval(int);
+struct S {
+  int x;
+  S();
+ at interface I
+ at property S s;
+ at end
+void foo() {
+  // This produces a zero-initialized structure.
+  // FIXME: This very fact does deserve the warning, because zero-initialized
+  // structures aren't always valid in C++. It's particularly bad when the
+  // object has a vtable.
+  S s = ((I *)nil).s;
+  clang_analyzer_eval(s.x == 0); // expected-warning{{TRUE}}
Index: clang/lib/StaticAnalyzer/Core/RegionStore.cpp
--- clang/lib/StaticAnalyzer/Core/RegionStore.cpp
+++ clang/lib/StaticAnalyzer/Core/RegionStore.cpp
@@ -2361,7 +2361,14 @@
   // In C++17 aggregates may have base classes, handle those as well.
   // They appear before fields in the initializer list / compound value.
   if (const auto *CRD = dyn_cast<CXXRecordDecl>(RD)) {
-    assert(CRD->isAggregate() &&
+    // If the object was constructed with a constructor, its value is a
+    // LazyCompoundVal. If it's a raw CompoundVal, it means that we're
+    // performing aggregate initialization. The only exception from this
+    // rule is sending an Objective-C++ message that returns a C++ object
+    // to a nil receiver; in this case the semantics is to return a
+    // zero-initialized object even if it's a C++ object that doesn't have
+    // this sort of constructor; the CompoundVal is empty in this case.
+    assert((CRD->isAggregate() || (Ctx.getLangOpts().ObjC && VI == VE)) &&
            "Non-aggregates are constructed with a constructor!");
     for (const auto &B : CRD->bases()) {

-------------- next part --------------
A non-text attachment was scrubbed...
Name: D60988.196161.patch
Type: text/x-patch
Size: 1940 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20190423/04b311f5/attachment.bin>

More information about the cfe-commits mailing list