[all-commits] [llvm/llvm-project] 4ff836: [analyzer] Pass correct bldrCtx to computeObjectUn...

tomasz-kaminski-sonarsource via All-commits all-commits at lists.llvm.org
Mon Sep 26 02:45:55 PDT 2022 

  Branch: refs/heads/main
  Home:   https://github.com/llvm/llvm-project
  Commit: 4ff836a138b40a9fc3430bc08afc1f327e5ed281
      https://github.com/llvm/llvm-project/commit/4ff836a138b40a9fc3430bc08afc1f327e5ed281
  Author: Tomasz Kamiński <tomasz.kamiński at sonarsource.com>
  Date:   2022-09-26 (Mon, 26 Sep 2022)

  Changed paths:
    M clang/include/clang/StaticAnalyzer/Core/PathSensitive/CoreEngine.h
    M clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
    M clang/lib/StaticAnalyzer/Core/CallEvent.cpp
    M clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
    M clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
    M clang/test/Analysis/copy-elision.cpp

  Log Message:
  -----------
  [analyzer] Pass correct bldrCtx to computeObjectUnderConstruction

In case when the prvalue is returned from the function (kind is one
of `SimpleReturnedValueKind`, `CXX17ElidedCopyReturnedValueKind`),
then it construction happens in context of the caller.
We pass `BldrCtx` explicitly, as `currBldrCtx` will always refer to callee
context.

In the following example:
```
struct Result {int value; };
Result create() { return Result{10}; }
int accessValue(Result r) { return r.value; }

void test() {
   for (int i = 0; i < 2; ++i)
      accessValue(create());
}
```

In case when the returned object was constructed directly into the
argument to a function call `accessValue(create())`, this led to
inappropriate value of `blockCount` being used to locate parameter region,
and as a consequence resulting object (from `create()`) was constructed
into a different region, that was later read by inlined invocation of
outer function (`accessValue`).
This manifests itself only in case when calling block is visited more
than once (loop in above example), as otherwise there is no difference
in `blockCount` value between callee and caller context.
This happens only in case when copy elision is disabled (before C++17).

Reviewed By: NoQ

Differential Revision: https://reviews.llvm.org/D132030

More information about the All-commits mailing list