From cf878bbe65b9f4b4b5ca96f5f6f33f8ff31349d6 Mon Sep 17 00:00:00 2001 From: Pavel Labath Date: Fri, 26 Jul 2013 11:50:42 +0000 Subject: [PATCH] [analyzer] Fix FP warnings when binding a temporary to a local static variable Summary: When binding a temporary object to a static local variable, the analyzer would complain about a dangling reference even though the temporary's lifetime should be extended past the end of the function. This commit tries to detect these cases and construct them in a global memory region instead of a local one. Reviewers: jordan_rose CC: cfe-commits Differential Revision: http://llvm-reviews.chandlerc.com/D1133 llvm-svn: 187196 --- .../clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h | 5 +++++ clang/lib/StaticAnalyzer/Core/ExprEngine.cpp | 13 ++++++++++++- clang/lib/StaticAnalyzer/Core/MemRegion.cpp | 6 ++++++ clang/test/Analysis/stack-addr-ps.cpp | 4 ++++ clang/test/Analysis/temporaries.cpp | 16 ++++++++++++++++ 5 files changed, 43 insertions(+), 1 deletion(-) diff --git a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h index 9b4f77d..a8946b8 100644 --- a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h +++ b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h @@ -1272,6 +1272,11 @@ public: const BlockDataRegion *getBlockDataRegion(const BlockTextRegion *bc, const LocationContext *lc = NULL); + /// Create a CXXTempObjectRegion for temporaries which are lifetime-extended + /// by static references. This differs from getCXXTempObjectRegion in the + /// super-region used. + const CXXTempObjectRegion *getCXXStaticTempObjectRegion(const Expr *Ex); + private: template RegionTy* getRegion(const A1 a1); diff --git a/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp b/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp index 04629dc..552b2ec 100644 --- a/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp +++ b/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp @@ -209,7 +209,18 @@ ExprEngine::createTemporaryRegionIfNeeded(ProgramStateRef State, // Create a temporary object region for the inner expression (which may have // a more derived type) and bind the value into it. - const TypedValueRegion *TR = MRMgr.getCXXTempObjectRegion(Inner, LC); + const TypedValueRegion *TR = NULL; + if (const MaterializeTemporaryExpr *MT = + dyn_cast(Result)) { + StorageDuration SD = MT->getStorageDuration(); + // If this object is bound to a reference with static storage duration, we + // put it in a different region to prevent "address leakage" warnings. + if (SD == SD_Static || SD == SD_Thread) + TR = MRMgr.getCXXStaticTempObjectRegion(Inner); + } + if (!TR) + TR = MRMgr.getCXXTempObjectRegion(Inner, LC); + SVal Reg = loc::MemRegionVal(TR); if (V.isUnknown()) diff --git a/clang/lib/StaticAnalyzer/Core/MemRegion.cpp b/clang/lib/StaticAnalyzer/Core/MemRegion.cpp index 0102f92..3c9e9e4 100644 --- a/clang/lib/StaticAnalyzer/Core/MemRegion.cpp +++ b/clang/lib/StaticAnalyzer/Core/MemRegion.cpp @@ -864,6 +864,12 @@ MemRegionManager::getBlockDataRegion(const BlockTextRegion *BC, return getSubRegion(BC, LC, sReg); } +const CXXTempObjectRegion * +MemRegionManager::getCXXStaticTempObjectRegion(const Expr *Ex) { + return getSubRegion( + Ex, getGlobalsRegion(MemRegion::GlobalInternalSpaceRegionKind, NULL)); +} + const CompoundLiteralRegion* MemRegionManager::getCompoundLiteralRegion(const CompoundLiteralExpr *CL, const LocationContext *LC) { diff --git a/clang/test/Analysis/stack-addr-ps.cpp b/clang/test/Analysis/stack-addr-ps.cpp index 65d7571..a39f9c7 100644 --- a/clang/test/Analysis/stack-addr-ps.cpp +++ b/clang/test/Analysis/stack-addr-ps.cpp @@ -20,6 +20,10 @@ const int& g3() { return s3; // expected-warning{{Address of stack memory associated with local variable 's1' returned}} expected-warning {{reference to stack memory associated with local variable 's1' returned}} } +void g4() { + static const int &x = 3; // no warning +} + int get_value(); const int &get_reference1() { return get_value(); } // expected-warning{{Address of stack memory associated with temporary object of type 'int' returned}} expected-warning {{returning reference to local temporary}} diff --git a/clang/test/Analysis/temporaries.cpp b/clang/test/Analysis/temporaries.cpp index ebfbfe9..ddad855 100644 --- a/clang/test/Analysis/temporaries.cpp +++ b/clang/test/Analysis/temporaries.cpp @@ -141,3 +141,19 @@ namespace destructors { } } } + +void testStaticMaterializeTemporaryExpr() { + static const Trivial &ref = getTrivial(); + clang_analyzer_eval(ref.value == 42); // expected-warning{{TRUE}} + + static const Trivial &directRef = Trivial(42); + clang_analyzer_eval(directRef.value == 42); // expected-warning{{TRUE}} + +#if __cplusplus >= 201103L + thread_local static const Trivial &threadRef = getTrivial(); + clang_analyzer_eval(threadRef.value == 42); // expected-warning{{TRUE}} + + thread_local static const Trivial &threadDirectRef = Trivial(42); + clang_analyzer_eval(threadDirectRef.value == 42); // expected-warning{{TRUE}} +#endif +} -- 2.7.4