[LLVMbugs] [Bug 17001] New: Static analyzer invokes incorrect destructors for lifetime-extended temporaries

bugzilla-daemon at llvm.org bugzilla-daemon at llvm.org
Mon Aug 26 06:39:20 PDT 2013 

http://llvm.org/bugs/show_bug.cgi?id=17001

            Bug ID: 17001
           Summary: Static analyzer invokes incorrect destructors for
                    lifetime-extended temporaries
           Product: clang
           Version: trunk
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: Static Analyzer
          Assignee: kremenek at apple.com
          Reporter: labath at google.com
                CC: jordan_rose at apple.com, klimek at google.com,
                    llvmbugs at cs.uiuc.edu
    Classification: Unclassified

Created attachment 11098
  --> http://llvm.org/bugs/attachment.cgi?id=11098&action=edit
Patch draft

extern void clang_analyzer_eval(bool);

bool x;

struct A {
  int *a;
  A() { }
  ~A() { }
};
struct B: public A {
  B() { }
  ~B() { x = true; }
};

void f() {
  {
    const A &a = B();
  }
  clang_analyzer_eval(x); // expected-warning{{TRUE}}
}

When a reference bound to a temporary goes out of scope, the destructor of the
temporary should fire. However, the analyzer incorrectly determines which
destructor to call: it uses the type of the reference variable instead of the
type of the actual CXXBindTemporaryExpr. Changing the variable type to 'const B
&' produces correct behavior.

I actually consider this to be a bug in the CFG - the correct destructor to
call is deducible statically and this information should be available in the
CFG. I have made a *very* proof-of-concept patch (attached), which amends this
situation by using CFGTemporaryDtor instead of CFGAutomaticObjDtor nodes to
represent these objects. However, given the current state of temporary object
support in the analyzer, this causes the it to regress a bit, because it now
cannot process any calls to the lifetime-extended temporaries. Therefore, I
attach this here mostly just to start the discussion about how to address this
issue.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20130826/19eabc94/attachment.html>

More information about the llvm-bugs mailing list