[analyzer] Remove pattern matching of lambda capture initializers

Prior to this patch we handled lambda captures based on their initializer expression, which resulted in pattern matching. With C++17 copy elision the initializer expression can be anything, and this approach proved to be fragile and a source of crashes. This patch removes pattern matching and only checks whether the object is under construction or not. Differential Revision: https://reviews.llvm.org/D131944
2024-11-23 13:50:11 +00:00 · 2022-08-16 09:31:24 +02:00 · 2022-08-16 09:31:24 +02:00 · 3c482632e6
commit 3c482632e6
parent c860fd3f25
2 changed files with 15 additions and 17 deletions
--- a/clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
+++ b/clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
@ -1147,23 +1147,12 @@ void ExprEngine::VisitLambdaExpr(const LambdaExpr *LE, ExplodedNode *Pred,

      assert(InitExpr && "Capture missing initialization expression");

-      if (const auto AILE = dyn_cast<ArrayInitLoopExpr>(InitExpr)) {
-        // If the AILE initializes a POD array, we need to keep it as the
-        // InitExpr.
-        if (dyn_cast<CXXConstructExpr>(AILE->getSubExpr()))
-          InitExpr = AILE->getSubExpr();
-      }
-
-      // With C++17 copy elision this can happen.
-      if (const auto *FC = dyn_cast<CXXFunctionalCastExpr>(InitExpr))
-        InitExpr = FC->getSubExpr();
-
-      assert(InitExpr &&
-             "Extracted capture initialization expression is missing");
-
-      if (dyn_cast<CXXConstructExpr>(InitExpr)) {
-        InitVal = *getObjectUnderConstruction(State, {LE, Idx}, LocCtxt);
-        InitVal = State->getSVal(InitVal.getAsRegion());
+      // With C++17 copy elision the InitExpr can be anything, so instead of
+      // pattern matching all cases, we simple check if the current field is
+      // under construction or not, regardless what it's InitExpr is.
+      if (const auto OUC =
+              getObjectUnderConstruction(State, {LE, Idx}, LocCtxt)) {
+        InitVal = State->getSVal(OUC->getAsRegion());

        State = finishObjectConstruction(State, {LE, Idx}, LocCtxt);
      } else
--- a/clang/test/Analysis/lambdas.cpp
+++ b/clang/test/Analysis/lambdas.cpp
@ -3,6 +3,8 @@
 // RUN: %clang_analyze_cc1 -std=c++11 -analyzer-checker=core,debug.DumpCFG -analyzer-config inline-lambdas=true %s > %t 2>&1
 // RUN: FileCheck --input-file=%t %s

+#include "Inputs/system-header-simulator-cxx.h"
+
 void clang_analyzer_warnIfReached();
 void clang_analyzer_eval(int);

@ -217,6 +219,13 @@ void testCopyElidedObjectCaptured(int x) {
  }();
 }

+static auto MakeUniquePtr() { return std::make_unique<std::vector<int>>(); }
+
+void testCopyElidedUniquePtr() {
+  [uniquePtr = MakeUniquePtr()] {}();
+  clang_analyzer_warnIfReached(); // expected-warning{{TRUE}}
+}
+
 #endif

 // Test inline defensive checks