Bug Summary

File:clang/lib/CodeGen/CGCXX.cpp
Warning:line 286, column 40
Called C++ object pointer is null

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name CGCXX.cpp -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=cplusplus -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -analyzer-config-compatibility-mode=true -mrelocation-model pic -pic-level 2 -mframe-pointer=none -relaxed-aliasing -fmath-errno -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -ffunction-sections -fdata-sections -fcoverage-compilation-dir=/build/llvm-toolchain-snapshot-14~++20210903100615+fd66b44ec19e/build-llvm/tools/clang/lib/CodeGen -resource-dir /usr/lib/llvm-14/lib/clang/14.0.0 -D _GNU_SOURCE -D __STDC_CONSTANT_MACROS -D __STDC_FORMAT_MACROS -D __STDC_LIMIT_MACROS -I /build/llvm-toolchain-snapshot-14~++20210903100615+fd66b44ec19e/build-llvm/tools/clang/lib/CodeGen -I /build/llvm-toolchain-snapshot-14~++20210903100615+fd66b44ec19e/clang/lib/CodeGen -I /build/llvm-toolchain-snapshot-14~++20210903100615+fd66b44ec19e/clang/include -I /build/llvm-toolchain-snapshot-14~++20210903100615+fd66b44ec19e/build-llvm/tools/clang/include -I /build/llvm-toolchain-snapshot-14~++20210903100615+fd66b44ec19e/build-llvm/include -I /build/llvm-toolchain-snapshot-14~++20210903100615+fd66b44ec19e/llvm/include -D NDEBUG -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10 -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/x86_64-linux-gnu/c++/10 -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/backward -internal-isystem /usr/lib/llvm-14/lib/clang/14.0.0/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/10/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -O2 -Wno-unused-parameter -Wwrite-strings -Wno-missing-field-initializers -Wno-long-long -Wno-maybe-uninitialized -Wno-class-memaccess -Wno-redundant-move -Wno-pessimizing-move -Wno-noexcept-type -Wno-comment -std=c++14 -fdeprecated-macro -fdebug-compilation-dir=/build/llvm-toolchain-snapshot-14~++20210903100615+fd66b44ec19e/build-llvm/tools/clang/lib/CodeGen -fdebug-prefix-map=/build/llvm-toolchain-snapshot-14~++20210903100615+fd66b44ec19e=. -ferror-limit 19 -fvisibility-inlines-hidden -stack-protector 2 -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -analyzer-output=html -analyzer-config stable-report-filename=true -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/scan-build-2021-09-04-040900-46481-1 -x c++ /build/llvm-toolchain-snapshot-14~++20210903100615+fd66b44ec19e/clang/lib/CodeGen/CGCXX.cpp
1//===--- CGCXX.cpp - Emit LLVM Code for declarations ----------------------===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This contains code dealing with C++ code generation.
10//
11//===----------------------------------------------------------------------===//
12
13// We might split this into multiple files if it gets too unwieldy
14
15#include "CGCXXABI.h"
16#include "CodeGenFunction.h"
17#include "CodeGenModule.h"
18#include "clang/AST/ASTContext.h"
19#include "clang/AST/Attr.h"
20#include "clang/AST/Decl.h"
21#include "clang/AST/DeclCXX.h"
22#include "clang/AST/DeclObjC.h"
23#include "clang/AST/Mangle.h"
24#include "clang/AST/RecordLayout.h"
25#include "clang/AST/StmtCXX.h"
26#include "clang/Basic/CodeGenOptions.h"
27#include "llvm/ADT/StringExtras.h"
28using namespace clang;
29using namespace CodeGen;
30
31
32/// Try to emit a base destructor as an alias to its primary
33/// base-class destructor.
34bool CodeGenModule::TryEmitBaseDestructorAsAlias(const CXXDestructorDecl *D) {
35 if (!getCodeGenOpts().CXXCtorDtorAliases)
36 return true;
37
38 // Producing an alias to a base class ctor/dtor can degrade debug quality
39 // as the debugger cannot tell them apart.
40 if (getCodeGenOpts().OptimizationLevel == 0)
41 return true;
42
43 // If sanitizing memory to check for use-after-dtor, do not emit as
44 // an alias, unless this class owns no members.
45 if (getCodeGenOpts().SanitizeMemoryUseAfterDtor &&
46 !D->getParent()->field_empty())
47 return true;
48
49 // If the destructor doesn't have a trivial body, we have to emit it
50 // separately.
51 if (!D->hasTrivialBody())
52 return true;
53
54 const CXXRecordDecl *Class = D->getParent();
55
56 // We are going to instrument this destructor, so give up even if it is
57 // currently empty.
58 if (Class->mayInsertExtraPadding())
59 return true;
60
61 // If we need to manipulate a VTT parameter, give up.
62 if (Class->getNumVBases()) {
63 // Extra Credit: passing extra parameters is perfectly safe
64 // in many calling conventions, so only bail out if the ctor's
65 // calling convention is nonstandard.
66 return true;
67 }
68
69 // If any field has a non-trivial destructor, we have to emit the
70 // destructor separately.
71 for (const auto *I : Class->fields())
72 if (I->getType().isDestructedType())
73 return true;
74
75 // Try to find a unique base class with a non-trivial destructor.
76 const CXXRecordDecl *UniqueBase = nullptr;
77 for (const auto &I : Class->bases()) {
78
79 // We're in the base destructor, so skip virtual bases.
80 if (I.isVirtual()) continue;
81
82 // Skip base classes with trivial destructors.
83 const auto *Base =
84 cast<CXXRecordDecl>(I.getType()->castAs<RecordType>()->getDecl());
85 if (Base->hasTrivialDestructor()) continue;
86
87 // If we've already found a base class with a non-trivial
88 // destructor, give up.
89 if (UniqueBase) return true;
90 UniqueBase = Base;
91 }
92
93 // If we didn't find any bases with a non-trivial destructor, then
94 // the base destructor is actually effectively trivial, which can
95 // happen if it was needlessly user-defined or if there are virtual
96 // bases with non-trivial destructors.
97 if (!UniqueBase)
98 return true;
99
100 // If the base is at a non-zero offset, give up.
101 const ASTRecordLayout &ClassLayout = Context.getASTRecordLayout(Class);
102 if (!ClassLayout.getBaseClassOffset(UniqueBase).isZero())
103 return true;
104
105 // Give up if the calling conventions don't match. We could update the call,
106 // but it is probably not worth it.
107 const CXXDestructorDecl *BaseD = UniqueBase->getDestructor();
108 if (BaseD->getType()->castAs<FunctionType>()->getCallConv() !=
109 D->getType()->castAs<FunctionType>()->getCallConv())
110 return true;
111
112 GlobalDecl AliasDecl(D, Dtor_Base);
113 GlobalDecl TargetDecl(BaseD, Dtor_Base);
114
115 // The alias will use the linkage of the referent. If we can't
116 // support aliases with that linkage, fail.
117 llvm::GlobalValue::LinkageTypes Linkage = getFunctionLinkage(AliasDecl);
118
119 // We can't use an alias if the linkage is not valid for one.
120 if (!llvm::GlobalAlias::isValidLinkage(Linkage))
121 return true;
122
123 llvm::GlobalValue::LinkageTypes TargetLinkage =
124 getFunctionLinkage(TargetDecl);
125
126 // Check if we have it already.
127 StringRef MangledName = getMangledName(AliasDecl);
128 llvm::GlobalValue *Entry = GetGlobalValue(MangledName);
129 if (Entry && !Entry->isDeclaration())
130 return false;
131 if (Replacements.count(MangledName))
132 return false;
133
134 // Derive the type for the alias.
135 llvm::Type *AliasValueType = getTypes().GetFunctionType(AliasDecl);
136 llvm::PointerType *AliasType = AliasValueType->getPointerTo();
137
138 // Find the referent. Some aliases might require a bitcast, in
139 // which case the caller is responsible for ensuring the soundness
140 // of these semantics.
141 auto *Ref = cast<llvm::GlobalValue>(GetAddrOfGlobal(TargetDecl));
142 llvm::Constant *Aliasee = Ref;
143 if (Ref->getType() != AliasType)
144 Aliasee = llvm::ConstantExpr::getBitCast(Ref, AliasType);
145
146 // Instead of creating as alias to a linkonce_odr, replace all of the uses
147 // of the aliasee.
148 if (llvm::GlobalValue::isDiscardableIfUnused(Linkage) &&
149 !(TargetLinkage == llvm::GlobalValue::AvailableExternallyLinkage &&
150 TargetDecl.getDecl()->hasAttr<AlwaysInlineAttr>())) {
151 // FIXME: An extern template instantiation will create functions with
152 // linkage "AvailableExternally". In libc++, some classes also define
153 // members with attribute "AlwaysInline" and expect no reference to
154 // be generated. It is desirable to reenable this optimisation after
155 // corresponding LLVM changes.
156 addReplacement(MangledName, Aliasee);
157 return false;
158 }
159
160 // If we have a weak, non-discardable alias (weak, weak_odr), like an extern
161 // template instantiation or a dllexported class, avoid forming it on COFF.
162 // A COFF weak external alias cannot satisfy a normal undefined symbol
163 // reference from another TU. The other TU must also mark the referenced
164 // symbol as weak, which we cannot rely on.
165 if (llvm::GlobalValue::isWeakForLinker(Linkage) &&
166 getTriple().isOSBinFormatCOFF()) {
167 return true;
168 }
169
170 // If we don't have a definition for the destructor yet or the definition is
171 // avaialable_externally, don't emit an alias. We can't emit aliases to
172 // declarations; that's just not how aliases work.
173 if (Ref->isDeclarationForLinker())
174 return true;
175
176 // Don't create an alias to a linker weak symbol. This avoids producing
177 // different COMDATs in different TUs. Another option would be to
178 // output the alias both for weak_odr and linkonce_odr, but that
179 // requires explicit comdat support in the IL.
180 if (llvm::GlobalValue::isWeakForLinker(TargetLinkage))
181 return true;
182
183 // Create the alias with no name.
184 auto *Alias = llvm::GlobalAlias::create(AliasValueType, 0, Linkage, "",
185 Aliasee, &getModule());
186
187 // Destructors are always unnamed_addr.
188 Alias->setUnnamedAddr(llvm::GlobalValue::UnnamedAddr::Global);
189
190 // Switch any previous uses to the alias.
191 if (Entry) {
192 assert(Entry->getType() == AliasType &&(static_cast<void> (0))
193 "declaration exists with different type")(static_cast<void> (0));
194 Alias->takeName(Entry);
195 Entry->replaceAllUsesWith(Alias);
196 Entry->eraseFromParent();
197 } else {
198 Alias->setName(MangledName);
199 }
200
201 // Finally, set up the alias with its proper name and attributes.
202 SetCommonAttributes(AliasDecl, Alias);
203
204 return false;
205}
206
207llvm::Function *CodeGenModule::codegenCXXStructor(GlobalDecl GD) {
208 const CGFunctionInfo &FnInfo = getTypes().arrangeCXXStructorDeclaration(GD);
209 auto *Fn = cast<llvm::Function>(
210 getAddrOfCXXStructor(GD, &FnInfo, /*FnType=*/nullptr,
211 /*DontDefer=*/true, ForDefinition));
212
213 setFunctionLinkage(GD, Fn);
214
215 CodeGenFunction(*this).GenerateCode(GD, Fn, FnInfo);
216 setNonAliasAttributes(GD, Fn);
217 SetLLVMFunctionAttributesForDefinition(cast<CXXMethodDecl>(GD.getDecl()), Fn);
218 return Fn;
219}
220
221llvm::FunctionCallee CodeGenModule::getAddrAndTypeOfCXXStructor(
222 GlobalDecl GD, const CGFunctionInfo *FnInfo, llvm::FunctionType *FnType,
223 bool DontDefer, ForDefinition_t IsForDefinition) {
224 auto *MD = cast<CXXMethodDecl>(GD.getDecl());
225
226 if (isa<CXXDestructorDecl>(MD)) {
227 // Always alias equivalent complete destructors to base destructors in the
228 // MS ABI.
229 if (getTarget().getCXXABI().isMicrosoft() &&
230 GD.getDtorType() == Dtor_Complete &&
231 MD->getParent()->getNumVBases() == 0)
232 GD = GD.getWithDtorType(Dtor_Base);
233 }
234
235 if (!FnType) {
236 if (!FnInfo)
237 FnInfo = &getTypes().arrangeCXXStructorDeclaration(GD);
238 FnType = getTypes().GetFunctionType(*FnInfo);
239 }
240
241 llvm::Constant *Ptr = GetOrCreateLLVMFunction(
242 getMangledName(GD), FnType, GD, /*ForVTable=*/false, DontDefer,
243 /*IsThunk=*/false, /*ExtraAttrs=*/llvm::AttributeList(), IsForDefinition);
244 return {FnType, Ptr};
245}
246
247static CGCallee BuildAppleKextVirtualCall(CodeGenFunction &CGF,
248 GlobalDecl GD,
249 llvm::Type *Ty,
250 const CXXRecordDecl *RD) {
251 assert(!CGF.CGM.getTarget().getCXXABI().isMicrosoft() &&(static_cast<void> (0))
252 "No kext in Microsoft ABI")(static_cast<void> (0));
253 CodeGenModule &CGM = CGF.CGM;
254 llvm::Value *VTable = CGM.getCXXABI().getAddrOfVTable(RD, CharUnits());
255 Ty = Ty->getPointerTo();
256 VTable = CGF.Builder.CreateBitCast(VTable, Ty->getPointerTo());
257 assert(VTable && "BuildVirtualCall = kext vtbl pointer is null")(static_cast<void> (0));
258 uint64_t VTableIndex = CGM.getItaniumVTableContext().getMethodVTableIndex(GD);
259 const VTableLayout &VTLayout = CGM.getItaniumVTableContext().getVTableLayout(RD);
260 VTableLayout::AddressPointLocation AddressPoint =
261 VTLayout.getAddressPoint(BaseSubobject(RD, CharUnits::Zero()));
262 VTableIndex += VTLayout.getVTableOffset(AddressPoint.VTableIndex) +
263 AddressPoint.AddressPointIndex;
264 llvm::Value *VFuncPtr =
265 CGF.Builder.CreateConstInBoundsGEP1_64(Ty, VTable, VTableIndex, "vfnkxt");
266 llvm::Value *VFunc = CGF.Builder.CreateAlignedLoad(
267 Ty, VFuncPtr, llvm::Align(CGF.PointerAlignInBytes));
268 CGCallee Callee(GD, VFunc);
269 return Callee;
270}
271
272/// BuildAppleKextVirtualCall - This routine is to support gcc's kext ABI making
273/// indirect call to virtual functions. It makes the call through indexing
274/// into the vtable.
275CGCallee
276CodeGenFunction::BuildAppleKextVirtualCall(const CXXMethodDecl *MD,
277 NestedNameSpecifier *Qual,
278 llvm::Type *Ty) {
279 assert((Qual->getKind() == NestedNameSpecifier::TypeSpec) &&(static_cast<void> (0))
280 "BuildAppleKextVirtualCall - bad Qual kind")(static_cast<void> (0));
281
282 const Type *QTy = Qual->getAsType();
283 QualType T = QualType(QTy, 0);
284 const RecordType *RT = T->getAs<RecordType>();
1
Assuming the object is not a 'RecordType'
2
'RT' initialized to a null pointer value
285 assert(RT && "BuildAppleKextVirtualCall - Qual type must be record")(static_cast<void> (0));
286 const auto *RD = cast<CXXRecordDecl>(RT->getDecl());
3
Called C++ object pointer is null
287
288 if (const auto *DD = dyn_cast<CXXDestructorDecl>(MD))
289 return BuildAppleKextVirtualDestructorCall(DD, Dtor_Complete, RD);
290
291 return ::BuildAppleKextVirtualCall(*this, MD, Ty, RD);
292}
293
294/// BuildVirtualCall - This routine makes indirect vtable call for
295/// call to virtual destructors. It returns 0 if it could not do it.
296CGCallee
297CodeGenFunction::BuildAppleKextVirtualDestructorCall(
298 const CXXDestructorDecl *DD,
299 CXXDtorType Type,
300 const CXXRecordDecl *RD) {
301 assert(DD->isVirtual() && Type != Dtor_Base)(static_cast<void> (0));
302 // Compute the function type we're calling.
303 const CGFunctionInfo &FInfo = CGM.getTypes().arrangeCXXStructorDeclaration(
304 GlobalDecl(DD, Dtor_Complete));
305 llvm::Type *Ty = CGM.getTypes().GetFunctionType(FInfo);
306 return ::BuildAppleKextVirtualCall(*this, GlobalDecl(DD, Type), Ty, RD);
307}