[analyzer] Handle destructors for the argument to C++ 'delete'.

Now that the CFG includes nodes for the destructors in a delete-expression, process them in the analyzer using the same common destructor interface currently used for local, member, and base destructors. Also, check for when the value is known to be null, in which case no destructor is actually run. This does not yet handle destructors for deleted /arrays/, which may need more CFG work. It also causes a slight regression in the location of double delete warnings; the double delete is detected at the destructor call, which is implicit, and so is reported on the first access within the destructor instead of at the 'delete' statement. This will be fixed soon. Patch by Karthik Bhat! llvm-svn: 191381
author: Jordan Rose <jordan_rose@apple.com> 2013-09-25 16:06:17 +0000
committer: Jordan Rose <jordan_rose@apple.com> 2013-09-25 16:06:17 +0000
commit: 1ccc43d50ef7cc9e2acbe002b0360e7b46a781c3 (patch)
tree: bd5ce89b79ab622833fd33d5373503d747384cfb /clang/lib
parent: cc707bc9894177b9cb6a71157ba5f907388e89ed (diff)
download: bcm5719-llvm-1ccc43d50ef7cc9e2acbe002b0360e7b46a781c3.tar.gz
bcm5719-llvm-1ccc43d50ef7cc9e2acbe002b0360e7b46a781c3.zip
4 files changed, 31 insertions, 3 deletions
diff --git a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
index 1fa15d09cbc..c7aa0fb150c 100644
--- a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
@@ -1803,7 +1803,8 @@ bool MallocChecker::isReleased(SymbolRef Sym, CheckerContext &C) const {
 bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C,
                                       const Stmt *S) const {
 
-  if (isReleased(Sym, C)) {
+  // FIXME: Handle destructor called from delete more precisely.
+  if (isReleased(Sym, C) && S) {
     ReportUseAfterFree(C, S->getSourceRange(), Sym);
     return true;
   }
diff --git a/clang/lib/StaticAnalyzer/Core/CallEvent.cpp b/clang/lib/StaticAnalyzer/Core/CallEvent.cpp
index 556f93b7cfb..ce66363413f 100644
--- a/clang/lib/StaticAnalyzer/Core/CallEvent.cpp
+++ b/clang/lib/StaticAnalyzer/Core/CallEvent.cpp
@@ -964,6 +964,8 @@ CallEventManager::getCaller(const StackFrameContext *CalleeCtx,
   const Stmt *Trigger;
   if (Optional<CFGAutomaticObjDtor> AutoDtor = E.getAs<CFGAutomaticObjDtor>())
     Trigger = AutoDtor->getTriggerStmt();
+  else if (Optional<CFGDeleteDtor> DeleteDtor = E.getAs<CFGDeleteDtor>())
+    Trigger = cast<Stmt>(DeleteDtor->getDeleteExpr());
   else
     Trigger = Dtor->getBody();
 
diff --git a/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp b/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
index 91acd55bc7f..411e2f6aea3 100644
--- a/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
+++ b/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
@@ -569,7 +569,30 @@ void ExprEngine::ProcessAutomaticObjDtor(const CFGAutomaticObjDtor Dtor,
 void ExprEngine::ProcessDeleteDtor(const CFGDeleteDtor Dtor,
                                    ExplodedNode *Pred,
                                    ExplodedNodeSet &Dst) {
-  //TODO: Handle DeleteDtor
+  ProgramStateRef State = Pred->getState();
+  const LocationContext *LCtx = Pred->getLocationContext();
+  const CXXDeleteExpr *DE = Dtor.getDeleteExpr();
+  const Stmt *Arg = DE->getArgument();
+  SVal ArgVal = State->getSVal(Arg, LCtx);
+
+  // If the argument to delete is known to be a null value,
+  // don't run destructor.
+  if (State->isNull(ArgVal).isConstrainedTrue()) {
+    QualType DTy = DE->getDestroyedType();
+    QualType BTy = getContext().getBaseElementType(DTy);
+    const CXXRecordDecl *RD = BTy->getAsCXXRecordDecl();
+    const CXXDestructorDecl *Dtor = RD->getDestructor();
+
+    PostImplicitCall PP(Dtor, DE->getLocStart(), LCtx);
+    NodeBuilder Bldr(Pred, Dst, *currBldrCtx);
+    Bldr.generateNode(PP, Pred->getState(), Pred);
+    return;
+  }
+
+  VisitCXXDestructor(DE->getDestroyedType(),
+                     ArgVal.getAsRegion(),
+                     DE, /*IsBase=*/ false,
+                     Pred, Dst);
 }
 
 void ExprEngine::ProcessBaseDtor(const CFGBaseDtor D,
diff --git a/clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp b/clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
index b128bee1429..eba4f94d80e 100644
--- a/clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
+++ b/clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
@@ -296,7 +296,9 @@ void ExprEngine::VisitCXXDestructor(QualType ObjectType,
   // FIXME: We need to run the same destructor on every element of the array.
   // This workaround will just run the first destructor (which will still
   // invalidate the entire array).
-  SVal DestVal = loc::MemRegionVal(Dest);
+  SVal DestVal = UnknownVal();
+  if (Dest)
+    DestVal = loc::MemRegionVal(Dest);
   DestVal = makeZeroElementRegion(State, DestVal, ObjectType);
   Dest = DestVal.getAsRegion();
author	Jordan Rose <jordan_rose@apple.com>	2013-09-25 16:06:17 +0000
committer	Jordan Rose <jordan_rose@apple.com>	2013-09-25 16:06:17 +0000
commit	1ccc43d50ef7cc9e2acbe002b0360e7b46a781c3 (patch)
tree	bd5ce89b79ab622833fd33d5373503d747384cfb /clang/lib
parent	cc707bc9894177b9cb6a71157ba5f907388e89ed (diff)
download	bcm5719-llvm-1ccc43d50ef7cc9e2acbe002b0360e7b46a781c3.tar.gz bcm5719-llvm-1ccc43d50ef7cc9e2acbe002b0360e7b46a781c3.zip