From 162132fe03c8c2b02735f2adfd4e2dc421488006 Mon Sep 17 00:00:00 2001
From: Devin Coughlin <dcoughlin@apple.com>
Date: Wed, 1 Mar 2017 17:48:39 +0000
Subject: [PATCH] [analyzer] pr32088: Don't destroy the temporary if its
 initializer causes return.

In the following code involving GNU statement-expression extension:
  struct S {
    ~S();
  };

  void foo() {
    const S &x = ({ return; S(); });
  }
function 'foo()' returns before reference x is initialized. We shouldn't call
the destructor for the temporary object lifetime-extended by 'x' in this case,
because the object never gets constructed in the first place.

The real problem is probably in the CFG somewhere, so this is a quick-and-dirty
hotfix rather than the perfect solution.

A patch by Artem Dergachev!

rdar://problem/30759076

Differential Revision: https://reviews.llvm.org/D30499

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@296646 91177308-0d34-0410-b5e6-96231b3b80d8
---
 lib/StaticAnalyzer/Core/ExprEngine.cpp | 10 +++++++++-
 test/Analysis/temporaries.cpp          | 10 ++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/lib/StaticAnalyzer/Core/ExprEngine.cpp b/lib/StaticAnalyzer/Core/ExprEngine.cpp
index 7d0c8b4bdf8..350992849e0 100644
--- a/lib/StaticAnalyzer/Core/ExprEngine.cpp
+++ b/lib/StaticAnalyzer/Core/ExprEngine.cpp
@@ -615,7 +615,15 @@ void ExprEngine::ProcessAutomaticObjDtor(const CFGAutomaticObjDtor Dtor,
   const MemRegion *Region = dest.castAs<loc::MemRegionVal>().getRegion();
 
   if (varType->isReferenceType()) {
-    Region = state->getSVal(Region).getAsRegion()->getBaseRegion();
+    const MemRegion *ValueRegion = state->getSVal(Region).getAsRegion();
+    if (!ValueRegion) {
+      // FIXME: This should not happen. The language guarantees a presence
+      // of a valid initializer here, so the reference shall not be undefined.
+      // It seems that we're calling destructors over variables that
+      // were not initialized yet.
+      return;
+    }
+    Region = ValueRegion->getBaseRegion();
     varType = cast<TypedValueRegion>(Region)->getValueType();
   }
 
diff --git a/test/Analysis/temporaries.cpp b/test/Analysis/temporaries.cpp
index 49cf070177f..cc39201b0c3 100644
--- a/test/Analysis/temporaries.cpp
+++ b/test/Analysis/temporaries.cpp
@@ -493,3 +493,13 @@ namespace PR16629 {
     clang_analyzer_eval(x == 47); // expected-warning{{TRUE}}
   }
 }
+
+namespace PR32088 {
+  void testReturnFromStmtExprInitializer() {
+    // We shouldn't try to destroy the object pointed to by `obj' upon return.
+    const NonTrivial &obj = ({
+      return; // no-crash
+      NonTrivial(42);
+    });
+  }
+}
-- 
GitLab