[llvm-bugs] [Bug 37459] New: Static analyzer temp-dtor-inlining doesn't appear to escape by-value function parameters

via llvm-bugs llvm-bugs at lists.llvm.org
Mon May 14 12:44:15 PDT 2018 

https://bugs.llvm.org/show_bug.cgi?id=37459

            Bug ID: 37459
           Summary: Static analyzer temp-dtor-inlining doesn't appear to
                    escape by-value function parameters
           Product: clang
           Version: trunk
          Hardware: PC
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: Static Analyzer
          Assignee: dcoughlin at apple.com
          Reporter: george.burgess.iv at gmail.com
                CC: llvm-bugs at lists.llvm.org

It looks like the analyzer assumes that, given

void foo(std::unique_ptr<int> i);

void bar() {
  auto x = std::make_unique<int>();
  int *i = x.get();
  foo(std::move(x));
  *i = 99;
}

...`i` is always freed after the call to `foo` completes, so the store to *i is
broken. However, if we change `foo` to take a `std::unique_ptr<int> &&`, the
analyzer assumes that it can't know what happened to `x` during the call, and
doesn't warn.

Since the unique_ptr passed to `foo` can be stashed away in a global, class
member, etc. I think the analyzer should be more conservative with code like
the above.

Test-case:

$ cat /tmp/sa-test.cpp
// Stripped down unique_ptr<int>
struct IntPtr {
  IntPtr(): i(new int) {}
  IntPtr(IntPtr &&o): i(o.i) { o.i = nullptr; }
  ~IntPtr() { delete i; }

  int *i;
};

struct Foo {
  Foo(IntPtr);
  void bar();

  IntPtr i;
};

void bar() {
  IntPtr ptr;
  int *i = ptr.i;
  Foo f(static_cast<IntPtr &&>(ptr));
  *i = 99;
  f.bar();
}

$ clang-tidy /tmp/sa-test.cpp -- -Xclang -analyzer-config -Xclang
'c++-temp-dtor-inlining=false' -std=c++11

$ clang-tidy /tmp/sa-test.cpp -- -std=c++11
1 warning generated.
/tmp/sa-test.cpp:20:6: warning: Use of memory after it is freed
[clang-analyzer-cplusplus.NewDelete]
  *i = 99;
     ^
/tmp/sa-test.cpp:17:10: note: Calling default constructor for 'IntPtr'
  IntPtr ptr;
         ^
/tmp/sa-test.cpp:2:15: note: Memory is allocated
  IntPtr(): i(new int) {}
              ^
/tmp/sa-test.cpp:17:10: note: Returning from default constructor for 'IntPtr'
  IntPtr ptr;
         ^
/tmp/sa-test.cpp:19:35: note: Calling '~IntPtr'
  Foo f(static_cast<IntPtr &&>(ptr));
                                  ^
/tmp/sa-test.cpp:4:15: note: Memory is released
  ~IntPtr() { delete i; }
              ^
/tmp/sa-test.cpp:19:35: note: Returning from '~IntPtr'
  Foo f(static_cast<IntPtr &&>(ptr));
                                  ^
/tmp/sa-test.cpp:20:6: note: Use of memory after it is freed
  *i = 99;
     ^

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20180514/0026bba7/attachment.html>

More information about the llvm-bugs mailing list