[cfe-dev] Undiagnosed "reference to stack memory [...] returned"

Matthieu Monrocq matthieu.monrocq at gmail.com
Sat Sep 18 06:48:08 PDT 2010


Okay, with the weekend I have been able to look at this issue a bit more
in depth:

So, the first issue is:

struct S {
  int array[32];
};

S value() { return S(); }

S const& return_temporary() {
  // The temporary returned by value() is destroyed before the caller
  // receives the reference, so the returned reference dangles.
  return value();
}

The return statement yields the following AST:

          <ReturnStmt file="f2" line="9" col="3" endcol="16">
            <ImplicitCastExpr file="f2" line="9" col="10" endcol="16"
type="_17">
              <CallExpr file="f2" line="9" col="10" endcol="16" type="_8"
num_args="0">
                <ImplicitCastExpr file="f2" line="9" col="10" type="_1E">
                  <DeclRefExpr file="f2" line="9" col="10" type="_1A"
ref="_18" name="value"/>
                </ImplicitCastExpr>
              </CallExpr>
            </ImplicitCastExpr>
          </ReturnStmt>

However `static DeclRefExpr* EvalVal(Expr *E)` in SemaChecking.cpp (line
1979) does not handle `CallExpr` (or CXXOperatorCallExpr or
CXXMemberCallExpr, for that matter).

I was thinking about adding a case in the switch:

  case Stmt::CallExprClass:
  case Stmt::CXXMemberCallExprClass:
  case Stmt::CXXOperatorCallExprClass: {
    // Functions / Methods / Operators
    // that return a pointer or prvalue
    CallExpr* CE = cast<CallExpr>(E);
    if (!CE->getCallReturnType()->isReferenceType()) {
      return CE;
    }
    return NULL;
  }

since at the moment it's not handled at all. However, there are MANY possible
kinds of Type, so I am quite puzzled when it comes to figuring out which
ones are okay and which are not... Furthermore, there is, it seems, the issue
of `typedef`s which might embed a reference and which we'll need to
account for.


Regarding the second issue:

S const& return_bounded_temporary() {
  // The local reference extends the temporary's lifetime only to the end
  // of this function body; the returned reference still dangles.
  S const& bind = value();
  return bind;
}

This returns the following AST:

          <ReturnStmt file="f2" line="10" col="3" endcol="10">
            <DeclRefExpr file="f2" line="10" col="10" type="_17" ref="_1D"
name="bind"/>
          </ReturnStmt>

So there is no indication here that the reference variable has bound a
temporary at all; I would have expected something like CXXBindTemporaryExpr.


Comments are welcome :)


2010/9/16 Ted Kremenek <kremenek at apple.com>

> No it doesn't.  There is active work on this front, but no ETA right now.
>
> On Sep 15, 2010, at 3:18 PM, Alexei Svitkine wrote:
>
> Does the analyzer support C++ now?
>
> -Alexei
>
> On Wed, Sep 15, 2010 at 5:25 PM, Ted Kremenek <kremenek at apple.com> wrote:
>
>>
>> On Sep 15, 2010, at 1:13 PM, Eli Friedman wrote:
>>
>> > On Wed, Sep 15, 2010 at 12:58 PM, Matthieu Monrocq
>> > <matthieu.monrocq at gmail.com> wrote:
>> >> Therefore it seems that the proper thing to do would be to diagnose the
>> >> issue (in both get_reference_no_warning cases) and let the developer fix
>> >> them. I surmise it should be possible to detect them (since VC++ already
>> >> detects the first case), but then, as I said, I am very naive about
>> >> compilers yet.
>> >>
>> >> I hope to look at this further during the weekend, guess it would be as
>> >> good a way as any to try and understand how Clang works
>> >
>> > Yes, we should be able to diagnose both cases... the relevant code is
>> > Sema::CheckReturnStackAddr in SemaChecking.cpp.
>> >
>> > -Eli
>>
>> I'll fix this.  It will be good for me (after being confused about this
>> one).
>> _______________________________________________
>> cfe-dev mailing list
>> cfe-dev at cs.uiuc.edu
>> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev
>>
>
>
>
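As an added illustration of both cases discussed in the message above (this is not code from the original post or from Clang): instrumenting S with a live-object counter lets the caller observe, without ever dereferencing the reference, that the object behind `return_temporary()` and `return_bound_temporary()` is already gone by the time the caller holds the reference, while a callee whose return type is a reference (`identity`) or a by-value return is fine. The counter, `identity`, `return_by_value` and the `live_while_*` probe functions are my own names, introduced here only for the demonstration.

```cpp
// Added example (not from the original post): instrument S so a caller can
// observe whether the object behind a returned reference still exists.
#include <cstring>

// Number of S objects currently alive. The probes below read only this
// counter, so the dangling references are never dereferenced.
static int live_objects = 0;

struct S {
  int array[32];
  S() { std::memset(array, 0, sizeof array); ++live_objects; }
  S(const S& other) {
    std::memcpy(array, other.array, sizeof array);
    ++live_objects;
  }
  ~S() { --live_objects; }
};

S value() { return S(); }

// First case from the post: the temporary produced by value() is bound to the
// returned reference and destroyed before return_temporary() exits.
S const& return_temporary() { return value(); }

// Second case: the local reference extends the temporary to the end of the
// function body, which is still before the caller receives the reference.
S const& return_bound_temporary() {
  S const& bind = value();
  return bind;
}

// A call whose return type is a reference is not a temporary by itself: the
// object it refers to belongs to the caller (here, the caller's own local).
S const& identity(S const& s) { return s; }

// The fix for both dangling cases: return by value and rely on copy elision.
S return_by_value() { return value(); }

// Each probe returns the number of live S objects at the point where the
// caller holds the result. 0 means the reference is already dangling.
int live_while_holding_return_temporary() {
  S const& r = return_temporary();
  (void)r;  // never read: it is dangling
  return live_objects;
}

int live_while_holding_return_bound_temporary() {
  S const& r = return_bound_temporary();
  (void)r;  // never read: it is dangling
  return live_objects;
}

int live_while_holding_identity_reference() {
  S owner;                       // alive until this function returns
  S const& r = identity(owner);  // refers to owner, not to a temporary
  (void)r;
  return live_objects;           // owner is still alive here
}

int live_while_holding_value() {
  S v = return_by_value();       // v owns the object
  return live_objects;           // v is still alive here
}
```

Modern Clang warns on both dangling functions with -Wreturn-stack-address, which is exactly the diagnostic the message above found missing in 2010; the counter makes the lifetime visible even when no warning fires.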