<html>
    <head>
      <base href="http://llvm.org/bugs/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW --- - Static analyzer invokes incorrect destructors for lifetime-extended temporaries"
   href="http://llvm.org/bugs/show_bug.cgi?id=17001">17001</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Static analyzer invokes incorrect destructors for lifetime-extended temporaries
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>clang
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>trunk
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Static Analyzer
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>kremenek@apple.com
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>labath@google.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>jordan_rose@apple.com, klimek@google.com, llvmbugs@cs.uiuc.edu
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=11098" name="attach_11098" title="Patch draft">attachment 11098</a></span>
Patch draft

extern void clang_analyzer_eval(bool);

bool x;

struct A {
  int *a;
  A() { }
  ~A() { }
};
struct B: public A {
  B() { }
  ~B() { x = true; }
};

void f() {
  {
    const A &a = B();
  }
  clang_analyzer_eval(x); // expected-warning{{TRUE}}
}

When a reference bound to a temporary goes out of scope, the destructor of the
temporary should fire. However, the analyzer incorrectly determines which
destructor to call: it uses the type of the reference variable instead of the
type of the actual CXXBindTemporaryExpr. Changing the variable type to 'const B
&' produces correct behavior.

I actually consider this to be a bug in the CFG - the correct destructor to
call is deducible statically and this information should be available in the
CFG. I have made a *very* proof-of-concept patch (attached), which amends this
situation by using CFGTemporaryDtor instead of CFGAutomaticObjDtor nodes to
represent these objects. However, given the current state of temporary object
support in the analyzer, this causes it to regress a bit, because it now
cannot process any calls to the lifetime-extended temporaries. Therefore, I
attach this here mostly just to start the discussion about how to address this
issue.</pre>
        </div>
      </p>
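      <p>Added example (not part of the original report or the attached patch): a runtime trace of the reported scenario, showing that the lifetime-extended temporary is destroyed at the end of the reference's scope and as a B, even though the reference has type const A &amp;. The trace log, the function names and the marker strings are assumptions made for this illustration.</p>

```cpp
#include <iostream>
#include <string>
#include <vector>

// Constructed event log for this illustration (hypothetical helper).
static std::vector<std::string> trace;

struct A {
  A() { trace.push_back("A()"); }
  ~A() { trace.push_back("~A()"); }  // non-virtual, as in the report
};
struct B : public A {
  B() { trace.push_back("B()"); }
  ~B() { trace.push_back("~B()"); }
};

// Temporary B bound to a base-typed reference: its lifetime is extended to
// the reference's scope and it is destroyed as a B (the temporary's type).
std::vector<std::string> extended_via_base_ref() {
  trace.clear();
  {
    const A &a = B();
    (void)a;
    trace.push_back("end-of-statement");
  }
  trace.push_back("after-scope");
  return trace;
}

// The same temporary with no reference bound to it: destroyed at the end of
// the full-expression, before the next statement runs.
std::vector<std::string> not_extended() {
  trace.clear();
  {
    (void)B();
    trace.push_back("end-of-statement");
  }
  trace.push_back("after-scope");
  return trace;
}

int main() {
  for (const auto &e : extended_via_base_ref()) std::cout << e << ' ';
  std::cout << '\n';
  for (const auto &e : not_extended()) std::cout << e << ' ';
  std::cout << '\n';
}
```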
    </body>
</html>