In C++, objects being returned on the stack are actually copy-constructed into
the return value. That means that when a temporary is returned, it still has
to be destroyed, i.e. the returned expression will be wrapped in an
ExprWithCleanups node. Our "returning stack memory" checker needs to look
through this node to see if we really are returning an object by value.
PR13722
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162817
91177308-0d34-0410-b5e6-
96231b3b80d8
const Expr *RetE = RS->getRetValue();
if (!RetE)
return;
+ RetE = RetE->IgnoreParens();
const LocationContext *LCtx = C.getLocationContext();
SVal V = C.getState()->getSVal(RetE, LCtx);
return;
// Returning a record by value is fine. (In this case, the returned
- // expression will be a copy-constructor.)
+ // expression will be a copy-constructor, possibly wrapped in an
+ // ExprWithCleanups node.)
+ if (const ExprWithCleanups *Cleanup = dyn_cast<ExprWithCleanups>(RetE))
+ RetE = Cleanup->getSubExpr();
if (isa<CXXConstructExpr>(RetE) && RetE->getType()->isRecordType())
return;
--- /dev/null
+// RUN: %clang_cc1 -analyze -analyzer-checker=core,debug.ExprInspection -analyzer-ipa=inlining -verify -w %s
+
+struct Trivial {
+ Trivial(int x) : value(x) {}
+ int value;
+};
+
+struct NonTrivial : public Trivial {
+ NonTrivial(int x) : Trivial(x) {}
+ ~NonTrivial();
+};
+
+
+Trivial getTrivial() {
+ return Trivial(42); // no-warning
+}
+
+const Trivial &getTrivialRef() {
+ return Trivial(42); // expected-warning {{Address of stack memory associated with temporary object of type 'struct Trivial' returned to caller}}
+}
+
+
+NonTrivial getNonTrivial() {
+ return NonTrivial(42); // no-warning
+}
+
+const NonTrivial &getNonTrivialRef() {
+ return NonTrivial(42); // expected-warning {{Address of stack memory associated with temporary object of type 'struct NonTrivial' returned to caller}}
+}
+
projects / clang / commitdiff