[PATCH] D48436: [analyzer][UninitializedObjectChecker] Fixed a false negative by no longer filtering out certain constructor calls

Wed Jul 25 18:03:19 PDT 2018

NoQ added a comment.

Sorry, i'm still lagging with my reviews because there are a lot of them and i have to balance it with doing actual work. I'll hopefully get to this soon.

================
Comment at: lib/StaticAnalyzer/Checkers/UninitializedObjectChecker.cpp:681-689
+    Optional<nonloc::LazyCompoundVal> OtherObject =
+        getObjectVal(OtherCtor, Context);
+    if (!OtherObject)
+      continue;
+
+    // If the CurrentObject is a field of OtherObject, it will be analyzed
+    // during the analysis of OtherObject.
----------------
Szelethus wrote:
> NoQ wrote:
> > It seems safer to look at `CXXConstructExpr::getConstructionKind()`.
> > 
> > Taking a `LazyCompoundVal` and converting it back to a region is definitely a bad idea because the region within `LazyCompoundVal` is completely immaterial and carries no meaning for the value represented by this `SVal`; it's not necessarily the region you're looking for.
> Looking at the singleton test case, I think I need to get that region somehow, and I'm not too sure what you meant under using `CXXConstructExpr::getConstructionKind()`. One thing I could do, is similar to how `getObjectVal` works:
> ```
>   Loc Tmp = Context.getSValBuilder().getCXXThis(OtherCtor->getParent(),
>                                                 Context.getStackFrame());
> 
>   auto OtherThis = Context.getState()->getSVal(Tmp).castAs<loc::MemRegionVal>();
> 
>   OtherThis.getRegion(); // Hooray!
> ```
> 
> I have tested it, and it works wonders. Is this a "safe-to-use" region?
You can directly ask `CXXConstructExpr` if it's a field or a base constructor. I could describe `getConstructionKind()` as some sort of very limited `ConstructionContext` that's available in the AST: it explains to you what sort of object is being constructed. I suspect it's enough for your purposes.

https://reviews.llvm.org/D48436