[PATCH] D43149: [analyzer] Fix a crash on destroying a temporary array.
Artem Dergachev via Phabricator via cfe-commits
cfe-commits at lists.llvm.org
Fri Feb 9 16:44:08 PST 2018
NoQ updated this revision to Diff 133718.
NoQ added a comment.
> And even then, calling a destructor of a single array element does not invalidate the whole array for us, because destructors are `const` (unless there are mutable members). So we'd have to do this manually later as well.
Hmm, no, we don't. Because, well, destructors are `const`, so they won't change the contents of the array, so there's no need to invalidate in the first place.
https://reviews.llvm.org/D43149
Files:
lib/StaticAnalyzer/Core/ExprEngine.cpp
test/Analysis/temporaries.cpp
Index: test/Analysis/temporaries.cpp
===================================================================
--- test/Analysis/temporaries.cpp
+++ test/Analysis/temporaries.cpp
@@ -6,6 +6,8 @@
extern bool clang_analyzer_warnIfReached();
void clang_analyzer_checkInlined(bool);
+#include "Inputs/system-header-simulator-cxx.h";
+
struct Trivial {
Trivial(int x) : value(x) {}
int value;
@@ -857,3 +859,17 @@
}
}
} // namespace test_match_constructors_and_destructors
+
+#if __cplusplus >= 201103L
+namespace temporary_list_crash {
+class C {
+public:
+ C() {}
+ ~C() {}
+};
+
+void test() {
+ std::initializer_list<C>{C(), C()}; // no-crash
+}
+} // namespace temporary_list_crash
+#endif // C++11
Index: lib/StaticAnalyzer/Core/ExprEngine.cpp
===================================================================
--- lib/StaticAnalyzer/Core/ExprEngine.cpp
+++ lib/StaticAnalyzer/Core/ExprEngine.cpp
@@ -957,18 +957,31 @@
}
StmtBldr.generateNode(D.getBindTemporaryExpr(), Pred, State);
- QualType varType = D.getBindTemporaryExpr()->getSubExpr()->getType();
+ QualType T = D.getBindTemporaryExpr()->getSubExpr()->getType();
// FIXME: Currently CleanDtorState can be empty here due to temporaries being
// bound to default parameters.
assert(CleanDtorState.size() <= 1);
ExplodedNode *CleanPred =
CleanDtorState.empty() ? Pred : *CleanDtorState.begin();
EvalCallOptions CallOpts;
CallOpts.IsTemporaryCtorOrDtor = true;
- if (!MR)
+ if (!MR) {
CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion = true;
- VisitCXXDestructor(varType, MR, D.getBindTemporaryExpr(),
+
+ // If we have no MR, we still need to unwrap the array to avoid destroying
+ // the whole array at once. Regardless, we'd eventually need to model array
+ // destructors properly, element-by-element.
+ while (const ArrayType *AT = getContext().getAsArrayType(T)) {
+ T = AT->getElementType();
+ CallOpts.IsArrayCtorOrDtor = true;
+ }
+ } else {
+ // We'd eventually need to makeZeroElementRegion() trick here,
+ // but for now we don't have the respective construction contexts,
+ // so MR would always be null in this case. Do nothing for now.
+ }
+ VisitCXXDestructor(T, MR, D.getBindTemporaryExpr(),
/*IsBase=*/false, CleanPred, Dst, CallOpts);
}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D43149.133718.patch
Type: text/x-patch
Size: 2338 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20180210/97d228ac/attachment.bin>
More information about the cfe-commits
mailing list