Szelethus updated this revision to Diff 142581.
Szelethus marked 2 inline comments as done.
Szelethus edited the summary of this revision.
Szelethus added a comment.

Among many other things:

- The checker class is now on top of the file.
- Reviewed all comments, fixed typos, tried to make the general idea more 
understandable.
- Removed all (at least, all I could find) unnecessary functions and function 
arguments.
- Removed support for unions entirely.


https://reviews.llvm.org/D45532

Files:
  include/clang/StaticAnalyzer/Checkers/Checkers.td
  lib/StaticAnalyzer/Checkers/CMakeLists.txt
  lib/StaticAnalyzer/Checkers/CtorUninitializedMemberChecker.cpp
  test/Analysis/ctor-uninitialized-member-inheritance.cpp
  test/Analysis/ctor-uninitialized-member.cpp

Index: test/Analysis/ctor-uninitialized-member.cpp
===================================================================
--- /dev/null
+++ test/Analysis/ctor-uninitialized-member.cpp
@@ -0,0 +1,899 @@
+//RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.cplusplus.CtorUninitializedMember -std=c++11 -verify %s
+
+//===----------------------------------------------------------------------===//
+// Default constructor test.
+//===----------------------------------------------------------------------===//
+
+class DefaultConstructorTest {
+  int a, b, c, d, e, f, g, h, i, j;
+
+public:
+  DefaultConstructorTest() = default;
+};
+
+void f00() {
+  DefaultConstructorTest();
+}
+
+//===----------------------------------------------------------------------===//
+// Initializer list test.
+//===----------------------------------------------------------------------===//
+
+class InitListTest1 {
+  int a;
+  int b;
+
+public:
+  InitListTest1()
+      : a(1),
+        b(2) {
+    // All good!
+  }
+};
+
+void f01() {
+  InitListTest1();
+}
+
+class InitListTest2 {
+  int a;
+  int b; // expected-note{{uninitialized field 'this->b'}}
+
+public:
+  InitListTest2()
+      : a(3) {} // expected-warning{{1 uninitialized field}}
+};
+
+void f02() {
+  InitListTest2();
+}
+
+class InitListTest3 {
+  int a; // expected-note{{uninitialized field 'this->a'}}
+  int b;
+
+public:
+  InitListTest3()
+      : b(4) {} // expected-warning{{1 uninitialized field}}
+};
+
+void f03() {
+  InitListTest3();
+}
+
+//===----------------------------------------------------------------------===//
+// Constructor body test.
+//===----------------------------------------------------------------------===//
+
+class CtorBodyTest1 {
+  int a, b;
+
+public:
+  CtorBodyTest1() {
+    a = 5;
+    b = 6;
+    // All good!
+  }
+};
+
+void f04() {
+  CtorBodyTest1();
+}
+
+class CtorBodyTest2 {
+  int a;
+  int b; // expected-note{{uninitialized field 'this->b'}}
+
+public:
+  CtorBodyTest2() {
+    a = 7; // expected-warning{{1 uninitialized field}}
+  }
+};
+
+void f05() {
+  CtorBodyTest2();
+}
+
+class CtorBodyTest3 {
+  int a; // expected-note{{uninitialized field 'this->a'}}
+  int b;
+
+public:
+  CtorBodyTest3() {
+    b = 8; // expected-warning{{1 uninitialized field}}
+  }
+};
+
+void f06() {
+  CtorBodyTest3();
+}
+
+class CtorBodyTest4 {
+  int a; // expected-note{{uninitialized field 'this->a'}}
+  int b; // expected-note{{uninitialized field 'this->b'}}
+
+public:
+  CtorBodyTest4() {}
+};
+
+void f07() {
+  CtorBodyTest4(); // expected-warning{{2 uninitialized fields}}
+}
+
+//===----------------------------------------------------------------------===//
+// Constructor delegation test.
+//===----------------------------------------------------------------------===//
+
+class CtorDelegationTest1 {
+  int a;
+  int b;
+
+public:
+  CtorDelegationTest1(int)
+      : a(9) {
+    // leaves 'b' unintialized, but we'll never check this function
+  }
+
+  CtorDelegationTest1()
+      : CtorDelegationTest1(int{}) { // Initializing 'a'
+    b = 10;
+    // All good!
+  }
+};
+
+void f08() {
+  CtorDelegationTest1();
+}
+
+class CtorDelegationTest2 {
+  int a; // expected-note{{uninitialized field 'this->a'}}
+  int b;
+
+public:
+  CtorDelegationTest2(int)
+      : b(11) {
+    // leaves 'a' unintialized, but we'll never check this function
+  }
+
+  CtorDelegationTest2()
+      : CtorDelegationTest2(int{}) { // expected-warning{{1 uninitialized field}}
+  }
+};
+
+void f09() {
+  CtorDelegationTest2();
+}
+
+//===----------------------------------------------------------------------===//
+// Tests for classes containing records.
+//===----------------------------------------------------------------------===//
+
+class ContainsRecordTest1 {
+  struct RecordType {
+    int x;
+    int y;
+  } rec;
+  int c, d;
+
+public:
+  ContainsRecordTest1()
+      : rec({12, 13}),
+        c(14),
+        d(15) {
+    // All good!
+  }
+};
+
+void f10() {
+  ContainsRecordTest1();
+}
+
+class ContainsRecordTest2 {
+  struct RecordType {
+    int x;
+    int y; // expected-note{{uninitialized field 'this->rec.y'}}
+  } rec;
+  int c, d;
+
+public:
+  ContainsRecordTest2()
+      : c(16),
+        d(17) {
+    rec.x = 18; // expected-warning{{1 uninitialized field}}
+  }
+};
+
+void f11() {
+  ContainsRecordTest2();
+}
+
+class ContainsRecordTest3 {
+  struct RecordType {
+    int x; // expected-note{{uninitialized field 'this->rec.x'}}
+    int y; // expected-note{{uninitialized field 'this->rec.y'}}
+  } rec;
+  int c, d;
+
+public:
+  ContainsRecordTest3()
+      : c(19),
+        d(20) { // expected-warning{{2 uninitialized fields}}
+  }
+};
+
+void f12() {
+  ContainsRecordTest3();
+}
+
+class ContainsRecordTest4 {
+  struct RecordType {
+    int x; // expected-note{{uninitialized field 'this->rec.x'}}
+    int y; // expected-note{{uninitialized field 'this->rec.y'}}
+  } rec;
+  int c, d; // expected-note{{uninitialized field 'this->d'}}
+
+public:
+  ContainsRecordTest4()
+      : c(19) { // expected-warning{{3 uninitialized fields}}
+  }
+};
+
+void f12p2() {
+  ContainsRecordTest4();
+}
+
+//===----------------------------------------------------------------------===//
+// Tests for template classes.
+//===----------------------------------------------------------------------===//
+
+template <class T>
+class IntTemplateClassTest1 {
+  T t;
+  int b;
+
+public:
+  IntTemplateClassTest1(T i) {
+    b = 21;
+    t = i;
+    // All good!
+  }
+};
+
+void f13() {
+  IntTemplateClassTest1<int>(22);
+}
+
+template <class T>
+class IntTemplateClassTest2 {
+  T t; // expected-note{{uninitialized field 'this->t'}}
+  int b;
+
+public:
+  IntTemplateClassTest2() {
+    b = 23; // expected-warning{{1 uninitialized field}}
+  }
+};
+
+void f14() {
+  IntTemplateClassTest2<int>();
+}
+
+struct Record {
+  int x; // expected-note{{uninitialized field 'this->t.x'}}
+  int y; // expected-note{{uninitialized field 'this->t.y'}}
+};
+
+template <class T>
+class RecordTemplateClassTest {
+  T t;
+  int b;
+
+public:
+  RecordTemplateClassTest() {
+    b = 24; // expected-warning{{2 uninitialized fields}}
+  }
+};
+
+void f15() {
+  RecordTemplateClassTest<Record>();
+}
+
+//===----------------------------------------------------------------------===//
+// Tests for classes containing pointers.
+//===----------------------------------------------------------------------===//
+
+class NullPtrTest {
+  struct RecordType {
+    int x;
+    int y;
+  };
+
+  float *fptr = nullptr;
+  int *ptr;
+  RecordType *recPtr;
+
+public:
+  NullPtrTest() : ptr(nullptr), recPtr(nullptr) {
+    // All good!
+  }
+};
+
+void f16() {
+  NullPtrTest();
+}
+
+class HeapPointerTest1 {
+  struct RecordType {
+    // TODO: we'd expect the note: {{uninitialized field 'this->recPtr->y'}}
+    int x; // no-note
+    // TODO: we'd expect the note: {{uninitialized field 'this->recPtr->y'}}
+    int y; // no-note
+  };
+  // TODO: we'd expect the note: {{uninitialized pointee 'this->fptr'}}
+  float *fptr = new float; // no-note
+  // TODO: we'd expect the note: {{uninitialized pointee 'this->ptr'}}
+  int *ptr; // no-note
+  RecordType *recPtr;
+
+public:
+  // TODO: we'd expect the warning: {{4 uninitialized fields}}
+  HeapPointerTest1() : ptr(new int), recPtr(new RecordType) { // no-note
+  }
+};
+
+void f17() {
+  HeapPointerTest1();
+}
+
+class HeapPointerTest2 {
+  struct RecordType {
+    int x;
+    int y;
+  };
+
+  float *fptr = new float(); // initializes to 0
+  int *ptr;
+  RecordType *recPtr;
+
+public:
+  HeapPointerTest2() : ptr(new int{25}), recPtr(new RecordType{26, 27}) {
+    // All good!
+  }
+};
+
+void f18() {
+  HeapPointerTest2();
+}
+
+class StackPointerTest1 {
+public:
+  struct RecordType {
+    int x;
+    int y;
+  };
+
+private:
+  int *ptr;
+  RecordType *recPtr;
+
+public:
+  StackPointerTest1(int *_ptr, StackPointerTest1::RecordType *_recPtr) : ptr(_ptr), recPtr(_recPtr) {
+    // All good!
+  }
+};
+
+void f19() {
+  int ok_a = 28;
+  StackPointerTest1::RecordType ok_rec{29, 30};
+  StackPointerTest1(&ok_a, &ok_rec); // 'a', 'rec.x', 'rec.y' uninitialized
+}
+
+class StackPointerTest2 {
+public:
+  struct RecordType {
+    int x; // expected-note{{uninitialized field 'this->recPtr->x'}}
+    int y; // expected-note{{uninitialized field 'this->recPtr->y'}}
+  };
+
+private:
+  int *ptr; // expected-note{{uninitialized pointee 'this->ptr'}}
+  RecordType *recPtr;
+
+public:
+  StackPointerTest2(int *_ptr, RecordType *_recPtr) : ptr(_ptr), recPtr(_recPtr) { // expected-warning{{3 uninitialized fields}}
+  }
+};
+
+void f20() {
+  int a;
+  StackPointerTest2::RecordType rec;
+  StackPointerTest2(&a, &rec); // 'a', 'rec.x', 'rec.y' uninitialized
+}
+
+class UninitPointerTest {
+  struct RecordType {
+    int x;
+    int y;
+  };
+
+  int *ptr; // expected-note{{uninitialized pointer 'this->ptr'}}
+  RecordType *recPtr;
+
+public:
+  UninitPointerTest() : recPtr(new RecordType{13, 13}) { // expected-warning{{1 uninitialized field}}
+  }
+};
+
+void f21() {
+  UninitPointerTest();
+}
+
+class VoidPointerTest {
+  void *vptr;
+
+public:
+  VoidPointerTest(void *vptr, char) : vptr(vptr) {
+    // All good!
+  }
+};
+
+void *malloc(int size);
+
+void f23() {
+  void *vptr = malloc(sizeof(int));
+  VoidPointerTest(vptr, char());
+}
+
+class MultiPointerTest1 {
+public:
+  struct RecordType {
+    int x;
+    int y;
+  };
+
+private:
+  RecordType **mptr; // expected-note{{uninitialized pointee 'this->mptr'}}
+
+public:
+  MultiPointerTest1(RecordType **p, int) : mptr(p) { // expected-warning{{1 uninitialized field}}
+  }
+};
+
+void f25() {
+  MultiPointerTest1::RecordType *p1;
+  MultiPointerTest1::RecordType **mptr = &p1;
+  MultiPointerTest1(mptr, int()); // '*mptr' uninitialized
+}
+
+class MultiPointerTest2 {
+public:
+  struct RecordType {
+    int x; // expected-note{{uninitialized field 'this->mptr->x'}}
+    int y; // expected-note{{uninitialized field 'this->mptr->y'}}
+  };
+
+private:
+  RecordType **mptr;
+
+public:
+  MultiPointerTest2(RecordType **p, int) : mptr(p) { // expected-warning{{2 uninitialized fields}}
+  }
+};
+
+void f26() {
+  MultiPointerTest2::RecordType i;
+  MultiPointerTest2::RecordType *p1 = &i;
+  MultiPointerTest2::RecordType **mptr = &p1;
+  MultiPointerTest2(mptr, int()); // '**mptr' uninitialized
+}
+
+class MultiPointerTest3 {
+public:
+  struct RecordType {
+    int x;
+    int y;
+  };
+
+private:
+  RecordType **mptr;
+
+public:
+  MultiPointerTest3(RecordType **p, int) : mptr(p) {
+    // All good!
+  }
+};
+
+void f27() {
+  MultiPointerTest3::RecordType i{31, 32};
+  MultiPointerTest3::RecordType *p1 = &i;
+  MultiPointerTest3::RecordType **mptr = &p1;
+  MultiPointerTest3(mptr, int()); // '**mptr' uninitialized
+}
+
+class ListTest1 {
+public:
+  struct Node {
+    Node *next = nullptr; // no crash
+    int i;
+  };
+
+private:
+  Node *head = nullptr;
+
+public:
+  ListTest1() {
+    // All good!
+  }
+};
+
+void f28() {
+  ListTest1();
+}
+
+class ListTest2 {
+public:
+  struct Node {
+    Node *next = nullptr;
+    int i; // expected-note{{uninitialized field 'this->head->i'}}
+  };
+
+private:
+  Node *head = nullptr;
+
+public:
+  ListTest2(Node *node, int) : head(node) { // expected-warning{{1 uninitialized field}}
+  }
+};
+
+void f29() {
+  ListTest2::Node n;
+  ListTest2(&n, int());
+}
+
+//===----------------------------------------------------------------------===//
+// Tests for classes containing references.
+//===----------------------------------------------------------------------===//
+
+class ReferenceTest1 {
+public:
+  struct RecordType {
+    int x;
+    int y;
+  };
+
+private:
+  RecordType &lref;
+  RecordType &&rref;
+
+public:
+  ReferenceTest1(RecordType &lref, RecordType &rref) : lref(lref), rref(static_cast<RecordType &&>(rref)) {
+    // All good!
+  }
+};
+
+void f30() {
+  ReferenceTest1::RecordType d{33, 34};
+  ReferenceTest1(d, d);
+}
+
+class ReferenceTest2 {
+public:
+  struct RecordType {
+    int x; // expected-note{{uninitialized field 'this->lref.x'}}
+    int y; // expected-note{{uninitialized field 'this->lref.y'}}
+  };
+
+private:
+  RecordType &lref;
+  RecordType &&rref;
+
+public:
+  ReferenceTest2(RecordType &lref, RecordType &rref)
+      : lref(lref), rref(static_cast<RecordType &&>(rref)) { // expected-warning{{2 uninitialized fields}}
+  }
+};
+
+void f31() {
+  ReferenceTest2::RecordType c;
+  ReferenceTest2(c, c);
+}
+
+class ReferenceTest3 {
+public:
+  struct RecordType {
+    int x; // expected-note{{uninitialized field 'this->lref.x'}}
+    int y; // expected-note{{uninitialized field 'this->lref.y'}}
+  };
+
+private:
+  RecordType &lref;
+  RecordType &&rref;
+
+public:
+  ReferenceTest3(RecordType &lref, RecordType &rref)
+      : lref(lref), rref(static_cast<RecordType &&>(rref)) { // expected-warning{{2 uninitialized fields}}
+  }
+};
+
+void f32() {
+  ReferenceTest3::RecordType c, d{35, 36};
+  ReferenceTest3(c, d);
+}
+
+class ReferenceTest4 {
+public:
+  struct RecordType {
+    int x; // expected-note{{uninitialized field 'this->rref.x'}}
+    int y; // expected-note{{uninitialized field 'this->rref.y'}}
+  };
+
+private:
+  RecordType &lref;
+  RecordType &&rref;
+
+public:
+  ReferenceTest4(RecordType &lref, RecordType &rref)
+      : lref(lref), rref(static_cast<RecordType &&>(rref)) { // expected-warning{{2 uninitialized fields}}
+  }
+};
+
+void f33() {
+  ReferenceTest4::RecordType c, d{37, 38};
+  ReferenceTest4(d, c);
+}
+
+//===----------------------------------------------------------------------===//
+// Tests for classes containing unions.
+//===----------------------------------------------------------------------===//
+
+template <class T>
+void mayInitialize(T &);
+
+template <class T>
+void wontInitialize(const T &);
+
+class PassingToUnknownFunctionTest1 {
+  int a, b;
+
+public:
+  PassingToUnknownFunctionTest1() {
+    mayInitialize(a);
+    mayInitialize(b);
+    // All good!
+  }
+
+  PassingToUnknownFunctionTest1(int) {
+    mayInitialize(a);
+    // All good!
+  }
+
+  PassingToUnknownFunctionTest1(int, int) {
+    mayInitialize(*this);
+    // All good!
+  }
+};
+
+void f34() {
+  PassingToUnknownFunctionTest1();
+  PassingToUnknownFunctionTest1(int());
+  PassingToUnknownFunctionTest1(int(), int());
+}
+
+class PassingToUnknownFunctionTest2 {
+  int a; // expected-note{{uninitialized field 'this->a'}}
+  int b;
+
+public:
+  PassingToUnknownFunctionTest2() {
+    wontInitialize(a);
+    b = 4; // expected-warning{{1 uninitialized field}}
+  }
+};
+
+void f35() {
+  PassingToUnknownFunctionTest2();
+}
+
+//===----------------------------------------------------------------------===//
+// Tests for classes containing unions.
+//===----------------------------------------------------------------------===//
+
+// FIXME: As of writing this checker, there is no good support for union types 
+// in the CSA. Here is non-exhaustive list of cases.
+// Note that the rules for unions are different in C++ and C.
+// http://lists.llvm.org/pipermail/cfe-dev/2017-March/052910.html
+
+class ContainsSimpleUnionTest1 {
+  union SimpleUnion {
+    float uf;
+    int ui;
+    char uc;
+  } u;
+
+public:
+  ContainsSimpleUnionTest1() {
+    u.uf = 3.14;
+    // All good!
+  }
+};
+
+void f36() {
+  ContainsSimpleUnionTest1();
+}
+
+class ContainsSimpleUnionTest2 {
+  union SimpleUnion {
+    float uf;
+    int ui;
+    char uc;
+  // TODO: we'd expect the note: {{uninitialized field 'this->u'}}
+  } u; // no-note
+
+public:
+  ContainsSimpleUnionTest2() {}
+};
+
+void f37() {
+  // TODO: we'd expect the warning: {{1 uninitialized field}}
+  ContainsSimpleUnionTest2(); // no-warning
+}
+
+class UnionPointerTest1 {
+public:
+  union SimpleUnion {
+    float uf;
+    int ui;
+    char uc;
+  };
+
+private:
+  SimpleUnion *uptr;
+
+public:
+  UnionPointerTest1(SimpleUnion *uptr, int) : uptr(uptr) {
+    // All good!
+  }
+};
+
+void f38() {
+  UnionPointerTest1::SimpleUnion u;
+  u.uf = 41;
+  UnionPointerTest1(&u, int());
+}
+
+class UnionPointerTest2 {
+public:
+  union SimpleUnion {
+    float uf;
+    int ui;
+    char uc;
+  };
+
+private:
+  // TODO: we'd expect the note: {{uninitialized field 'this->uptr'}}
+  SimpleUnion *uptr; // no-note
+
+public:
+  UnionPointerTest2(SimpleUnion *uptr, char) : uptr(uptr) {}
+};
+
+void f39() {
+  UnionPointerTest2::SimpleUnion u;
+  // TODO: we'd expect the warning: {{1 uninitialized field}}
+  UnionPointerTest2(&u, int()); // no-warning
+}
+
+class ContainsUnionWithRecordTest1 {
+  union UnionWithRecord {
+    struct RecordType {
+      int x;
+      int y;
+    } us;
+    double ud;
+    long ul;
+
+    UnionWithRecord(){};
+  } u;
+
+public:
+  ContainsUnionWithRecordTest1() {
+    u.ud = 3.14;
+    // All good!
+  }
+};
+
+void f40() {
+  ContainsUnionWithRecordTest1();
+}
+
+class ContainsUnionWithRecordTest2 {
+  union UnionWithRecord {
+    struct RecordType {
+      int x;
+      int y;
+    } us;
+    double ud;
+    long ul;
+
+    UnionWithRecord(){};
+  } u;
+
+public:
+  ContainsUnionWithRecordTest2() {
+    u.us = UnionWithRecord::RecordType{42, 43};
+    // All good!
+  }
+};
+
+void f41() {
+  ContainsUnionWithRecordTest1();
+}
+
+class ContainsUnionWithRecordTest3 {
+  union UnionWithRecord {
+    struct RecordType {
+      int x;
+      int y;
+    } us;
+    double ud;
+    long ul;
+
+    UnionWithRecord(){};
+  // TODO: we'd expect the note: {{uninitialized field 'this->u'}}
+  } u; // no-note
+
+public:
+  ContainsUnionWithRecordTest3() {
+    UnionWithRecord::RecordType rec;
+    rec.x = 44;
+    // TODO: we'd expect the warning: {{1 uninitialized field}}
+    u.us = rec; // no-warning
+  }
+};
+
+void f42() {
+  ContainsUnionWithRecordTest3();
+}
+
+class ContainsUnionWithSimpleUnionTest1 {
+  union UnionWithSimpleUnion {
+    union SimpleUnion {
+      float uf;
+      int ui;
+      char uc;
+    } usu;
+    long ul;
+    unsigned uu;
+  } u;
+
+public:
+  ContainsUnionWithSimpleUnionTest1() {
+    u.usu.ui = 5;
+    // All good!
+  }
+};
+
+void f43() {
+  ContainsUnionWithSimpleUnionTest1();
+}
+
+class ContainsUnionWithSimpleUnionTest2 {
+  union UnionWithSimpleUnion {
+    union SimpleUnion {
+      float uf;
+      int ui;
+      char uc;
+    } usu;
+    long ul;
+    unsigned uu;
+  // TODO: we'd expect the note: {{uninitialized field 'this->u'}}
+  } u; // no-note
+
+public:
+  ContainsUnionWithSimpleUnionTest2() {}
+};
+
+void f44() {
+  // TODO: we'd expect the warning: {{1 uninitialized field}}
+  ContainsUnionWithSimpleUnionTest2(); // no-warning
+}
Index: test/Analysis/ctor-uninitialized-member-inheritance.cpp
===================================================================
--- /dev/null
+++ test/Analysis/ctor-uninitialized-member-inheritance.cpp
@@ -0,0 +1,775 @@
+//RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.cplusplus.CtorUninitializedMember -std=c++11 -verify %s
+
+//===----------------------------------------------------------------------===//
+// Non-polymorphic inheritance tests
+//===----------------------------------------------------------------------===//
+
+class NonPolymorphicLeft1 {
+  int x;
+
+protected:
+  int y;
+
+public:
+  NonPolymorphicLeft1() = default;
+  NonPolymorphicLeft1(int) : x(1) {}
+};
+
+class NonPolymorphicInheritanceTest1 : public NonPolymorphicLeft1 {
+  int z;
+
+public:
+  NonPolymorphicInheritanceTest1()
+      : NonPolymorphicLeft1(int{}) {
+    y = 2;
+    z = 3;
+    // All good!
+  }
+};
+
+void f00() {
+  NonPolymorphicInheritanceTest1();
+}
+
+class NonPolymorphicRight1 {
+  int x; // expected-note{{uninitialized field 'this->x'}}
+protected:
+  int y;
+
+public:
+  NonPolymorphicRight1() = default;
+  NonPolymorphicRight1(int) : x(4) {}
+};
+
+class NonPolymorphicInheritanceTest2 : public NonPolymorphicRight1 {
+  int z;
+
+public:
+  NonPolymorphicInheritanceTest2() {
+    y = 5;
+    z = 6; // expected-warning{{1 uninitialized field}}
+  }
+};
+
+void f01() {
+  NonPolymorphicInheritanceTest2();
+}
+
+class NonPolymorphicBaseClass3 {
+  int x;
+
+protected:
+  int y; // expected-note{{uninitialized field 'this->y'}}
+public:
+  NonPolymorphicBaseClass3() = default;
+  NonPolymorphicBaseClass3(int) : x(7) {}
+};
+
+class NonPolymorphicInheritanceTest3 : public NonPolymorphicBaseClass3 {
+  int z;
+
+public:
+  NonPolymorphicInheritanceTest3()
+      : NonPolymorphicBaseClass3(int{}) {
+    z = 8; // expected-warning{{1 uninitialized field}}
+  }
+};
+
+void f02() {
+  NonPolymorphicInheritanceTest3();
+}
+
+class NonPolymorphicBaseClass4 {
+  int x;
+
+protected:
+  int y;
+
+public:
+  NonPolymorphicBaseClass4() = default;
+  NonPolymorphicBaseClass4(int) : x(9) {}
+};
+
+class NonPolymorphicInheritanceTest4 : public NonPolymorphicBaseClass4 {
+  int z; // expected-note{{uninitialized field 'this->z'}}
+
+public:
+  NonPolymorphicInheritanceTest4()
+      : NonPolymorphicBaseClass4(int{}) {
+    y = 10; // expected-warning{{1 uninitialized field}}
+  }
+};
+
+void f03() {
+  NonPolymorphicInheritanceTest4();
+}
+
+//===----------------------------------------------------------------------===//
+// Polymorphic inheritance tests
+//===----------------------------------------------------------------------===//
+
+class PolymorphicLeft1 {
+  int x;
+
+protected:
+  int y;
+
+public:
+  virtual ~PolymorphicLeft1() = default;
+  PolymorphicLeft1() = default;
+  PolymorphicLeft1(int) : x(11) {}
+};
+
+class PolymorphicInheritanceTest1 : public PolymorphicLeft1 {
+  int z;
+
+public:
+  PolymorphicInheritanceTest1()
+      : PolymorphicLeft1(int{}) {
+    y = 12;
+    z = 13;
+    // All good!
+  }
+};
+
+void f04() {
+  PolymorphicInheritanceTest1();
+}
+
+class PolymorphicRight1 {
+  int x; // expected-note{{uninitialized field 'this->x'}}
+protected:
+  int y;
+
+public:
+  virtual ~PolymorphicRight1() = default;
+  PolymorphicRight1() = default;
+  PolymorphicRight1(int) : x(14) {}
+};
+
+class PolymorphicInheritanceTest2 : public PolymorphicRight1 {
+  int z;
+
+public:
+  PolymorphicInheritanceTest2() {
+    y = 15;
+    z = 16; // expected-warning{{1 uninitialized field}}
+  }
+};
+
+void f05() {
+  PolymorphicInheritanceTest2();
+}
+
+class PolymorphicBaseClass3 {
+  int x;
+
+protected:
+  int y; // expected-note{{uninitialized field 'this->y'}}
+public:
+  virtual ~PolymorphicBaseClass3() = default;
+  PolymorphicBaseClass3() = default;
+  PolymorphicBaseClass3(int) : x(17) {}
+};
+
+class PolymorphicInheritanceTest3 : public PolymorphicBaseClass3 {
+  int z;
+
+public:
+  PolymorphicInheritanceTest3()
+      : PolymorphicBaseClass3(int{}) {
+    z = 18; // expected-warning{{1 uninitialized field}}
+  }
+};
+
+void f06() {
+  PolymorphicInheritanceTest3();
+}
+
+class PolymorphicBaseClass4 {
+  int x;
+
+protected:
+  int y;
+
+public:
+  virtual ~PolymorphicBaseClass4() = default;
+  PolymorphicBaseClass4() = default;
+  PolymorphicBaseClass4(int) : x(19) {}
+};
+
+class PolymorphicInheritanceTest4 : public PolymorphicBaseClass4 {
+  int z; // expected-note{{uninitialized field 'this->z'}}
+
+public:
+  PolymorphicInheritanceTest4()
+      : PolymorphicBaseClass4(int{}) {
+    y = 20; // expected-warning{{1 uninitialized field}}
+  }
+};
+
+void f07() {
+  PolymorphicInheritanceTest4();
+}
+
+//===----------------------------------------------------------------------===//
+// Virtual inheritance tests
+//===----------------------------------------------------------------------===//
+
+class VirtualPolymorphicLeft1 {
+  int x;
+
+protected:
+  int y;
+
+public:
+  virtual ~VirtualPolymorphicLeft1() = default;
+  VirtualPolymorphicLeft1() = default;
+  VirtualPolymorphicLeft1(int) : x(21) {}
+};
+
+class VirtualInheritanceTest1 : virtual public VirtualPolymorphicLeft1 {
+  int z;
+
+public:
+  VirtualInheritanceTest1()
+      : VirtualPolymorphicLeft1(int()) {
+    y = 22;
+    z = 23;
+    // All good!
+  }
+};
+
+void f08() {
+  VirtualInheritanceTest1();
+}
+
+class VirtualPolymorphicRight1 {
+  int x; // expected-note{{uninitialized field 'this->x'}}
+protected:
+  int y;
+
+public:
+  virtual ~VirtualPolymorphicRight1() = default;
+  VirtualPolymorphicRight1() = default;
+  VirtualPolymorphicRight1(int) : x(24) {}
+};
+
+class VirtualInheritanceTest2 : virtual public VirtualPolymorphicRight1 {
+  int z;
+
+public:
+  VirtualInheritanceTest2() {
+    y = 25;
+    z = 26; // expected-warning{{1 uninitialized field}}
+  }
+};
+
+void f09() {
+  VirtualInheritanceTest2();
+}
+
+class VirtualPolymorphicBaseClass3 {
+  int x;
+
+protected:
+  int y; // expected-note{{uninitialized field 'this->y'}}
+public:
+  virtual ~VirtualPolymorphicBaseClass3() = default;
+  VirtualPolymorphicBaseClass3() = default;
+  VirtualPolymorphicBaseClass3(int) : x(27) {}
+};
+
+class VirtualInheritanceTest3 : virtual public VirtualPolymorphicBaseClass3 {
+  int z;
+
+public:
+  VirtualInheritanceTest3()
+      : VirtualPolymorphicBaseClass3(int{}) {
+    z = 28; // expected-warning{{1 uninitialized field}}
+  }
+};
+
+void f10() {
+  VirtualInheritanceTest3();
+}
+
+//===----------------------------------------------------------------------===//
+// Multiple inheritance tests
+//===----------------------------------------------------------------------===//
+
+/*
+        Left        Right
+          \           /
+           \         /
+            \       /
+     MultipleInheritanceTest
+*/
+
+struct Left1 {
+  int x;
+  Left1() = default;
+  Left1(int) : x(29) {}
+};
+struct Right1 {
+  int y;
+  Right1() = default;
+  Right1(int) : y(30) {}
+};
+
+class MultipleInheritanceTest1 : public Left1, public Right1 {
+  int z;
+
+public:
+  MultipleInheritanceTest1()
+      : Left1(int{}),
+        Right1(char{}) {
+    z = 31;
+    // All good!
+  }
+
+  MultipleInheritanceTest1(int)
+      : Left1(int{}) {
+    y = 32;
+    z = 33;
+    // All good!
+  }
+
+  MultipleInheritanceTest1(int, int)
+      : Right1(char{}) {
+    x = 34;
+    z = 35;
+    // All good!
+  }
+};
+
+void f11() {
+  MultipleInheritanceTest1();
+  MultipleInheritanceTest1(int());
+  MultipleInheritanceTest1(int(), int());
+}
+
+struct Left2 {
+  int x;
+  Left2() = default;
+  Left2(int) : x(36) {}
+};
+struct Right2 {
+  int y; // expected-note{{uninitialized field 'this->y'}}
+  Right2() = default;
+  Right2(int) : y(37) {}
+};
+
+class MultipleInheritanceTest2 : public Left2, public Right2 {
+  int z;
+
+public:
+  MultipleInheritanceTest2()
+      : Left2(int{}) {
+    z = 38; // expected-warning{{1 uninitialized field}}
+  }
+};
+
+void f12() {
+  MultipleInheritanceTest2();
+}
+
+struct Left3 {
+  int x; // expected-note{{uninitialized field 'this->x'}}
+  Left3() = default;
+  Left3(int) : x(39) {}
+};
+struct Right3 {
+  int y;
+  Right3() = default;
+  Right3(int) : y(40) {}
+};
+
+class MultipleInheritanceTest3 : public Left3, public Right3 {
+  int z;
+
+public:
+  MultipleInheritanceTest3()
+      : Right3(char{}) {
+    z = 41; // expected-warning{{1 uninitialized field}}
+  }
+};
+
+void f13() {
+  MultipleInheritanceTest3();
+}
+
+struct Left4 {
+  int x;
+  Left4() = default;
+  Left4(int) : x(42) {}
+};
+struct Right4 {
+  int y;
+  Right4() = default;
+  Right4(int) : y(43) {}
+};
+
+class MultipleInheritanceTest4 : public Left4, public Right4 {
+  int z; // expected-note{{uninitialized field 'this->z'}}
+
+public:
+  MultipleInheritanceTest4()
+      : Left4(int{}),
+        Right4(char{}) { // expected-warning{{1 uninitialized field}}
+  }
+};
+
+void f14() {
+  MultipleInheritanceTest4();
+}
+
+struct Left5 {
+  int x;
+  Left5() = default;
+  Left5(int) : x(44) {}
+};
+struct Right5 {
+  int y; // expected-note{{uninitialized field 'this->y'}}
+  Right5() = default;
+  Right5(int) : y(45) {}
+};
+
+class MultipleInheritanceTest5 : public Left5, public Right5 {
+  int z; // expected-note{{uninitialized field 'this->z'}}
+
+public:
+  MultipleInheritanceTest5() // expected-warning{{2 uninitialized fields}}
+      : Left5(int{}) {
+  }
+};
+
+void f15() {
+  MultipleInheritanceTest5();
+}
+
+//===----------------------------------------------------------------------===//
+// Non-virtual diamond inheritance tests
+//===----------------------------------------------------------------------===//
+
+/*
+  NonVirtualBase   NonVirtualBase        
+        |                |
+        |                |
+        |                |
+     First              Second   
+        \                /
+         \              /
+          \            /
+  NonVirtualDiamondInheritanceTest
+*/
+
+struct NonVirtualBase1 {
+  int x;
+  NonVirtualBase1() = default;
+  NonVirtualBase1(int) : x(46) {}
+};
+struct First1 : public NonVirtualBase1 {
+  First1() = default;
+  First1(int) : NonVirtualBase1(int{}) {}
+};
+struct Second1 : public NonVirtualBase1 {
+  Second1() = default;
+  Second1(int) : NonVirtualBase1(int{}) {}
+};
+
+class NonVirtualDiamondInheritanceTest1 : public First1, public Second1 {
+  int z;
+
+public:
+  NonVirtualDiamondInheritanceTest1()
+      : First1(int{}),
+        Second1(int{}) {
+    z = 47;
+    // All good!
+  }
+
+  NonVirtualDiamondInheritanceTest1(int)
+      : First1(int{}) {
+    Second1::x = 48;
+    z = 49;
+    // All good!
+  }
+
+  NonVirtualDiamondInheritanceTest1(int, int)
+      : Second1(int{}) {
+    First1::x = 50;
+    z = 51;
+    // All good!
+  }
+};
+
+void f16() {
+  NonVirtualDiamondInheritanceTest1();
+  NonVirtualDiamondInheritanceTest1(int());
+  NonVirtualDiamondInheritanceTest1(int(), int());
+}
+
+struct NonVirtualBase2 {
+  int x; // expected-note{{uninitialized field 'this->x'}}
+  NonVirtualBase2() = default;
+  NonVirtualBase2(int) : x(52) {}
+};
+struct First2 : public NonVirtualBase2 {
+  First2() = default;
+  First2(int) : NonVirtualBase2(int{}) {}
+};
+struct Second2 : public NonVirtualBase2 {
+  Second2() = default;
+  Second2(int) : NonVirtualBase2(int{}) {}
+};
+
+class NonVirtualDiamondInheritanceTest2 : public First2, public Second2 {
+  int z;
+
+public:
+  NonVirtualDiamondInheritanceTest2()
+      : First2(int{}) {
+    z = 53; // expected-warning{{1 uninitialized field}}
+  }
+};
+
+void f17() {
+  NonVirtualDiamondInheritanceTest2();
+}
+
+struct NonVirtualBase3 {
+  int x; // expected-note{{uninitialized field 'this->x'}}
+  NonVirtualBase3() = default;
+  NonVirtualBase3(int) : x(54) {}
+};
+struct First3 : public NonVirtualBase3 {
+  First3() = default;
+  First3(int) : NonVirtualBase3(int{}) {}
+};
+struct Second3 : public NonVirtualBase3 {
+  Second3() = default;
+  Second3(int) : NonVirtualBase3(int{}) {}
+};
+
+class NonVirtualDiamondInheritanceTest3 : public First3, public Second3 {
+  int z;
+
+public:
+  NonVirtualDiamondInheritanceTest3()
+      : Second3(int{}) {
+    z = 55; // expected-warning{{1 uninitialized field}}
+  }
+};
+
+void f18() {
+  NonVirtualDiamondInheritanceTest3();
+}
+
+struct NonVirtualBase4 {
+  int x; // expected-note{{uninitialized field 'this->x'}}
+  // expected-note@-1{{uninitialized field 'this->x'}}
+  NonVirtualBase4() = default;
+  NonVirtualBase4(int) : x(56) {}
+};
+struct First4 : public NonVirtualBase4 {
+  First4() = default;
+  First4(int) : NonVirtualBase4(int{}) {}
+};
+struct Second4 : public NonVirtualBase4 {
+  Second4() = default;
+  Second4(int) : NonVirtualBase4(int{}) {}
+};
+
+class NonVirtualDiamondInheritanceTest4 : public First4, public Second4 {
+  int z;
+
+public:
+  NonVirtualDiamondInheritanceTest4() {
+    z = 57; // expected-warning{{2 uninitialized fields}}
+  }
+};
+
+void f19() {
+  NonVirtualDiamondInheritanceTest4();
+}
+
+struct NonVirtualBase5 {
+  int x;
+  NonVirtualBase5() = default;
+  NonVirtualBase5(int) : x(58) {}
+};
+struct First5 : public NonVirtualBase5 {
+  First5() = default;
+  First5(int) : NonVirtualBase5(int{}) {}
+};
+struct Second5 : public NonVirtualBase5 {
+  Second5() = default;
+  Second5(int) : NonVirtualBase5(int{}) {}
+};
+
+class NonVirtualDiamondInheritanceTest5 : public First5, public Second5 {
+  int z; // expected-note{{uninitialized field 'this->z'}}
+
+public:
+  NonVirtualDiamondInheritanceTest5()
+      : First5(int{}),
+        Second5(int{}) { // expected-warning{{1 uninitialized field}}
+  }
+};
+
+void f20() {
+  NonVirtualDiamondInheritanceTest5();
+}
+
+struct NonVirtualBase6 {
+  int x; // expected-note{{uninitialized field 'this->x'}}
+  NonVirtualBase6() = default;
+  NonVirtualBase6(int) : x(59) {}
+};
+struct First6 : public NonVirtualBase6 {
+  First6() = default;
+  First6(int) : NonVirtualBase6(int{}) {}
+};
+struct Second6 : public NonVirtualBase6 {
+  Second6() = default;
+  Second6(int) : NonVirtualBase6(int{}) {}
+};
+
+class NonVirtualDiamondInheritanceTest6 : public First6, public Second6 {
+  int z; // expected-note{{uninitialized field 'this->z'}}
+
+public:
+  NonVirtualDiamondInheritanceTest6() // expected-warning{{2 uninitialized fields}}
+      : First6(int{}) {
+    // 'z' and 'Second::x' unintialized
+  }
+};
+
+void f21() {
+  NonVirtualDiamondInheritanceTest6();
+}
+
+//===----------------------------------------------------------------------===//
+// Virtual diamond inheritance tests
+//===----------------------------------------------------------------------===//
+
+/*
+           VirtualBase      
+            /       \
+           /         \
+          /           \
+  VirtualFirst     VirtualSecond   
+          \           /
+           \         /
+            \       /
+  NonVirtualDiamondInheritanceTest
+*/
+
+struct VirtualBase1 {
+  int x;
+  VirtualBase1() = default;
+  VirtualBase1(int) : x(60) {}
+};
+struct VirtualFirst1 : virtual public VirtualBase1 {
+  VirtualFirst1() = default;
+  VirtualFirst1(int) : VirtualBase1(int{}) {}
+  VirtualFirst1(int, int) { x = 61; }
+};
+struct VirtualSecond1 : virtual public VirtualBase1 {
+  VirtualSecond1() = default;
+  VirtualSecond1(int) : VirtualBase1(int{}) {}
+  VirtualSecond1(int, int) { x = 62; }
+};
+
+class VirtualDiamondInheritanceTest1 : public VirtualFirst1, public VirtualSecond1 {
+
+public:
+  VirtualDiamondInheritanceTest1() {
+    x = 0;
+    // All good!
+  }
+
+  VirtualDiamondInheritanceTest1(int)
+      : VirtualFirst1(int{}, int{}),
+        VirtualSecond1(int{}, int{}) {
+    // All good!
+  }
+
+  VirtualDiamondInheritanceTest1(int, int)
+      : VirtualFirst1(int{}, int{}) {
+    // All good!
+  }
+};
+
+void f22() {
+  VirtualDiamondInheritanceTest1();
+  VirtualDiamondInheritanceTest1(int());
+  VirtualDiamondInheritanceTest1(int(), int());
+}
+
+struct VirtualBase2 {
+  int x; // expected-note{{uninitialized field 'this->x'}}
+  VirtualBase2() = default;
+  VirtualBase2(int) : x(63) {}
+};
+struct VirtualFirst2 : virtual public VirtualBase2 {
+  VirtualFirst2() = default;
+  VirtualFirst2(int) : VirtualBase2(int{}) {}
+  VirtualFirst2(int, int) { x = 64; }
+};
+struct VirtualSecond2 : virtual public VirtualBase2 {
+  VirtualSecond2() = default;
+  VirtualSecond2(int) : VirtualBase2(int{}) {}
+  VirtualSecond2(int, int) { x = 65; }
+};
+
+class VirtualDiamondInheritanceTest2 : public VirtualFirst2, public VirtualSecond2 {
+
+public:
+  VirtualDiamondInheritanceTest2() // expected-warning{{1 uninitialized field}}
+      : VirtualFirst2(int{}) {
+    // From the N4659 C++ Standard Working Draft:
+    //
+    //   (15.6.2.7)
+    //   [...] A 'mem-initializer' where the 'mem-initializer-id' denotes a
+    //   virtual base class is ignored during execution of a constructor of any
+    //   class that is not the most derived class.
+    //
+    // This means that Left1::x will not be initialized, because in both
+    // VirtualFirst::VirtualFirst(int) and VirtualSecond::VirtualSecond(int)
+    // the constructor delegation to Left1::Left1(int) will be
+    // ignored.
+  }
+};
+
+void f23() {
+  VirtualDiamondInheritanceTest2();
+}
+
+struct VirtualBase3 {
+  int x; // expected-note{{uninitialized field 'this->x'}}
+  VirtualBase3() = default;
+  VirtualBase3(int) : x(66) {}
+};
+struct VirtualFirst3 : virtual public VirtualBase3 {
+  VirtualFirst3() = default;
+  VirtualFirst3(int) : VirtualBase3(int{}) {}
+  VirtualFirst3(int, int) { x = 67; }
+};
+struct VirtualSecond3 : virtual public VirtualBase3 {
+  VirtualSecond3() = default;
+  VirtualSecond3(int) : VirtualBase3(int{}) {}
+  VirtualSecond3(int, int) { x = 68; }
+};
+
+class VirtualDiamondInheritanceTest3 : public VirtualFirst3, public VirtualSecond3 {
+
+public:
+  VirtualDiamondInheritanceTest3() // expected-warning{{1 uninitialized field}}
+      : VirtualFirst3(int{}) {}
+};
+
+void f24() {
+  VirtualDiamondInheritanceTest3();
+}
Index: lib/StaticAnalyzer/Checkers/CtorUninitializedMemberChecker.cpp
===================================================================
--- /dev/null
+++ lib/StaticAnalyzer/Checkers/CtorUninitializedMemberChecker.cpp
@@ -0,0 +1,468 @@
+//=======- CtorUninitializedMemberChecker.cpp --------------------*- C++ -*-==//
+//
+//                     The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+//
+// This file defines a checker that reports uninitialized fields in objects
+// created after a constructor call.
+//
+//===----------------------------------------------------------------------===//
+
+#include "ClangSACheckers.h"
+#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
+#include "clang/StaticAnalyzer/Core/Checker.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
+#include <algorithm>
+#include <vector>
+
+using namespace clang;
+using namespace clang::ento;
+
+namespace {
+
+class CtorUninitializedMemberChecker : public Checker<check::EndFunction> {
+  std::unique_ptr<BuiltinBug> BT_uninitField;
+
+public:
+  CtorUninitializedMemberChecker()
+      : BT_uninitField(new BuiltinBug(this, "Uninitialized fields")) {}
+  void checkEndFunction(CheckerContext &C) const;
+};
+
+/// Represents a field chain. A field chain is a vector of fields where the
+/// first element of the chain is the object under checking (not stored), and
+/// every other element is a field, and the element that precedes it is the
+/// object that contains it.
+class FieldChainInfo {
+  using FieldChain = llvm::SmallVector<const FieldRegion *, 10>;
+
+  FieldChain Chain;
+  // If this is a fieldchain whose last element is an uninitialized region of a
+  // pointer type, this variable will store whether the pointer itself or the
+  // pointee is uninitialized.
+  bool IsDereferenced = false;
+
+public:
+  FieldChainInfo() = default;
+  FieldChainInfo(const FieldChainInfo &Other, const FieldRegion *FR)
+      : FieldChainInfo(Other) {
+    Chain.push_back(FR);
+  }
+
+  bool isPointer() const {
+    return Chain.back()->getDecl()->getType()->isPointerType();
+  }
+  bool isDereferenced() const;
+  void dereference() { IsDereferenced = true; }
+  const FieldDecl *getEndOfChain() const { return Chain.back()->getDecl(); }
+  template <unsigned Size> void toString(SmallString<Size> &Buf) const;
+  friend struct FieldChainInfoComparator;
+};
+
+struct FieldChainInfoComparator {
+  bool operator()(const FieldChainInfo &lhs, const FieldChainInfo &rhs) {
+    return lhs.Chain.back() < rhs.Chain.back();
+  }
+};
+
+using UninitFieldSet = std::set<FieldChainInfo, FieldChainInfoComparator>;
+
+/// Searches for and stores uninitialized fields in a non-union object.
+class FindUninitializedFields {
+  StoreManager &StoreMgr;
+  MemRegionManager &MrMgr;
+  Store S;
+  const TypedValueRegion *const ObjectR;
+  bool IsChecked = false;
+
+  UninitFieldSet UninitFields;
+
+public:
+  FindUninitializedFields(StoreManager &StoreMgr, MemRegionManager &MrMgr,
+                          Store S, const TypedValueRegion *const R);
+  bool isFullyInitialized();
+  const UninitFieldSet &getUninitFields();
+
+private:
+  void addFieldToUninits(FieldChainInfo LocalChain);
+
+  // For the purposes of this checker, we'll regard the object under checking as
+  // a directed tree, where
+  //   * the root is the object under checking
+  //   * every node is an object that is
+  //     - a union
+  //     - a non-union record
+  //     - a pointer/reference
+  //     - of a fundamental type (int, double, etc.)
+  //   * the parent of each node is the object that contains it
+  //   * every leaf is a fundamental object, a nullptr or an undefined pointer.
+  // Example:
+  //
+  //   struct A {
+  //      struct B {
+  //        int x, y = 0;
+  //      };
+  //      B b;
+  //      int *iptr = new int;
+  //      B* bptr;
+  //
+  //      A() {}
+  //   };
+  //
+  // The directed tree:
+  //
+  //           ->x
+  //          /
+  //      ->b--->y
+  //     /
+  //    A-->iptr->(int value)
+  //     \
+  //      ->bptr
+  //
+  // From this we'll construct a vector of fieldchains, where each fieldchain
+  // represents an uninitialized field. If the field is a pointer type, we'll
+  // also store whether the pointer itself or value it points to is uninit.
+  // In the above example, for the default constructor call we'll end up with
+  // these fieldchains:
+  //
+  //   this->b.x
+  //   this->iptr (pointed value uninit)
+  //   this->bptr (pointer uninit)
+  //
+  // We'll traverse each node of the above graph with the appropiate one of
+  // these methods:
+  bool isUnionUninit(const TypedValueRegion *R);
+  bool isNonUnionUninit(const TypedValueRegion *R, FieldChainInfo LocalChain);
+  bool isPointerOrReferenceUninit(const FieldRegion *FR,
+                                  FieldChainInfo LocalChain);
+  bool isFundamentalUninit(const SVal &V);
+};
+
+// Utility function declarations.
+
+/// Returns the with the object that was constructed by CtorDecl, or None if
+/// that isn't possible.
+Optional<nonloc::LazyCompoundVal>
+getObjectVal(const CXXConstructorDecl *CtorDecl, CheckerContext &Context);
+
+/// Checks whether the constructor under checking is called by another
+/// constructor. This avoids essentially the same error being reported multiple
+/// times.
+bool isCalledByConstructor(const CheckerContext &Context);
+
+/// Returns true if FD is a void pointer (void*, void**, etc.).
+/// We can't know the type of the region that a void pointer points to, so FD
+/// can't be analyzed if this function return true for it.
+bool isVoidPointer(const FieldDecl *FD);
+
+} // namespace
+
+//===----------------------------------------------------------------------===//
+//               Methods for CtorUninitializedMemberChecker.
+//===----------------------------------------------------------------------===//
+
+void CtorUninitializedMemberChecker::checkEndFunction(
+    CheckerContext &Context) const {
+
+  const auto *CtorDecl = dyn_cast_or_null<CXXConstructorDecl>(
+      Context.getLocationContext()->getDecl());
+  if (!CtorDecl)
+    return;
+
+  if (!CtorDecl->isUserProvided())
+    return;
+
+  if (CtorDecl->getParent()->isUnion())
+    return;
+
+  if (isCalledByConstructor(Context))
+    return;
+
+  Optional<nonloc::LazyCompoundVal> Object = getObjectVal(CtorDecl, Context);
+  if (!Object)
+    return;
+
+  FindUninitializedFields F(Context.getStoreManager(),
+                            Context.getSValBuilder().getRegionManager(),
+                            Object->getStore(), Object->getRegion());
+
+  if (!F.isFullyInitialized())
+    return;
+
+  // There are uninitialized fields in the record.
+  const UninitFieldSet &UninitFields = F.getUninitFields();
+
+  ExplodedNode *Node = Context.generateNonFatalErrorNode(Context.getState());
+  if (!Node)
+    return;
+
+  PathDiagnosticLocation LocUsedForUniqueing;
+  const Stmt *CallSite = Context.getStackFrame()->getCallSite();
+  if (CallSite)
+    LocUsedForUniqueing = PathDiagnosticLocation::createBegin(
+        CallSite, Context.getSourceManager(), Node->getLocationContext());
+
+  std::string WarningMsg = std::to_string(UninitFields.size()) +
+                           " uninitialized field" +
+                           (UninitFields.size() == 1 ? "" : "s") +
+                           " at the end of the constructor call";
+
+  auto Report = llvm::make_unique<BugReport>(
+      *BT_uninitField, WarningMsg, Node, LocUsedForUniqueing,
+      Node->getLocationContext()->getDecl());
+
+  for (const auto &FieldChain : UninitFields) {
+    SmallString<200> FieldChainBuf;
+    FieldChain.toString(FieldChainBuf);
+    SmallString<200> NoteBuf;
+    llvm::raw_svector_ostream NoteOS(NoteBuf);
+
+    if (FieldChain.isPointer()) {
+      if (FieldChain.isDereferenced())
+        NoteOS << "uninitialized pointee 'this->";
+      else
+        NoteOS << "uninitialized pointer 'this->";
+    } else
+      NoteOS << "uninitialized field 'this->";
+    NoteOS << FieldChainBuf;
+    NoteOS << "'";
+
+    Report->addNote(NoteBuf,
+                    PathDiagnosticLocation::create(FieldChain.getEndOfChain(),
+                                                   Context.getSourceManager()));
+  }
+
+  Context.emitReport(std::move(Report));
+}
+
+//===----------------------------------------------------------------------===//
+//                   Methods for FindUninitializedFields.
+//===----------------------------------------------------------------------===//
+
+FindUninitializedFields::FindUninitializedFields(
+    StoreManager &StoreMgr, MemRegionManager &MrMgr, Store S,
+    const TypedValueRegion *const R)
+    : StoreMgr(StoreMgr), MrMgr(MrMgr), S(S), ObjectR(R) {}
+
+bool FindUninitializedFields::isFullyInitialized() {
+  IsChecked = true;
+  return isNonUnionUninit(ObjectR, FieldChainInfo());
+}
+
+const UninitFieldSet &FindUninitializedFields::getUninitFields() {
+  if (!IsChecked)
+    isFullyInitialized();
+  return UninitFields;
+}
+
+bool FindUninitializedFields::isNonUnionUninit(const TypedValueRegion *R,
+                                               FieldChainInfo LocalChain) {
+
+  const RecordDecl *RD =
+      R->getValueType()->getAs<RecordType>()->getDecl()->getDefinition();
+  assert(RD && "Referred record has no definition");
+
+  bool ContainsUninitField = false;
+
+  // Are all of this non-union's fields initialized?
+  for (const FieldDecl *I : RD->fields()) {
+    const FieldRegion *FR = MrMgr.getFieldRegion(I, R);
+    QualType T = I->getType();
+
+    if (T->isStructureOrClassType()) {
+      if (isNonUnionUninit(FR, {LocalChain, FR}))
+        ContainsUninitField = true;
+      continue;
+    }
+
+    if (T->isUnionType()) {
+      if (isUnionUninit(FR)) {
+        addFieldToUninits({LocalChain, FR});
+        ContainsUninitField = true;
+      }
+      continue;
+    }
+
+    SVal V = StoreMgr.getBinding(S, loc::MemRegionVal(FR));
+
+    // If this is a pointer or reference type.
+    if (V.getAs<Loc>()) {
+      if (isPointerOrReferenceUninit(FR, {LocalChain, FR}))
+        ContainsUninitField = true;
+      continue;
+    }
+
+    // At this point the field is a fundamental type.
+    if (isFundamentalUninit(V)) {
+      addFieldToUninits({LocalChain, FR});
+      ContainsUninitField = true;
+    }
+  }
+
+  // Checking bases.
+  const auto *CXXRD = dyn_cast<CXXRecordDecl>(RD);
+  if (!CXXRD)
+    return ContainsUninitField;
+
+  for (const CXXBaseSpecifier BaseSpec : CXXRD->bases()) {
+    const auto *Base = BaseSpec.getType()->getAsCXXRecordDecl();
+    const auto *BaseRegion =
+        MrMgr.getCXXBaseObjectRegion(Base, R, BaseSpec.isVirtual());
+
+    if (isNonUnionUninit(BaseRegion, LocalChain))
+      ContainsUninitField = true;
+  }
+
+  return ContainsUninitField;
+}
+
+bool FindUninitializedFields::isUnionUninit(const TypedValueRegion *R) {
+  // TODO: Implement support for union fields.
+  return false;
+}
+
+// Note that pointers/references don't contain fields themselves, so in this
+// function we won't add anything to LocalChain.
+bool FindUninitializedFields::isPointerOrReferenceUninit(
+    const FieldRegion *FR, FieldChainInfo LocalChain) {
+
+  SVal V = StoreMgr.getBinding(S, loc::MemRegionVal(FR));
+
+  if (V.isUnknown() || V.isZeroConstant())
+    return false;
+
+  if (V.isUndef()) {
+    addFieldToUninits(std::move(LocalChain));
+    return true;
+  }
+
+  const FieldDecl *FD = FR->getDecl();
+
+  if (isVoidPointer(FD))
+    return false;
+
+  SVal DerefdV = StoreMgr.getBinding(S, V.castAs<Loc>());
+  while (Optional<Loc> L = DerefdV.getAs<Loc>())
+    DerefdV = StoreMgr.getBinding(S, *L);
+
+  // If V is a pointer pointing to a record type.
+  if (Optional<nonloc::LazyCompoundVal> RecordV =
+          DerefdV.getAs<nonloc::LazyCompoundVal>()) {
+
+    const TypedValueRegion *RT = RecordV->getRegion();
+
+    // We can't reason about symbolic regions, assume its initialized.
+    // Note that this also avoids a potential infinite recursion, because
+    // constructors for list-like classes are checked without being called, and
+    // the CSA will conjure a symbolic region for Node *next; or similar code
+    // snippets.
+    if (RT->getSymbolicBase())
+      return false;
+
+    const auto *T = RT->getValueType()->getAs<RecordType>();
+
+    if (T->isStructureOrClassType())
+      return isNonUnionUninit(RT, std::move(LocalChain));
+
+    if (T->isUnionType()) {
+      // TODO: does control ever reach here?
+      if (isUnionUninit(RT)) {
+        LocalChain.dereference();
+        addFieldToUninits(std::move(LocalChain));
+        return true;
+      }
+    }
+  }
+
+  // At this point V is a pointer pointing to a fundamental type.
+  if (isFundamentalUninit(DerefdV)) {
+    LocalChain.dereference();
+    addFieldToUninits(std::move(LocalChain));
+    return true;
+  }
+
+  return false;
+}
+
+bool FindUninitializedFields::isFundamentalUninit(const SVal &V) {
+  return V.isUndef();
+}
+
+void FindUninitializedFields::addFieldToUninits(FieldChainInfo Chain) {
+  UninitFields.insert(std::move(Chain));
+}
+
+//===----------------------------------------------------------------------===//
+//                       Methods for FieldChainInfo.
+//===----------------------------------------------------------------------===//
+
+bool FieldChainInfo::isDereferenced() const {
+  assert(isPointer() && "Only pointers may or may not be dereferenced!");
+  return IsDereferenced;
+}
+
+template <unsigned Size>
+void FieldChainInfo::toString(SmallString<Size> &Buf) const {
+  if (Chain.empty())
+    return;
+
+  llvm::raw_svector_ostream OS(Buf);
+  const FieldRegion *Last = Chain.back();
+  for (auto It = Chain.begin(); *It != Last; ++It) {
+    const FieldDecl *Field = (*It)->getDecl();
+    OS << Field->getNameAsString();
+    OS << (Field->getType()->isPointerType() ? "->" : ".");
+  }
+  OS << Last->getDecl()->getNameAsString();
+}
+
+//===----------------------------------------------------------------------===//
+//                           Utility functions.
+//===----------------------------------------------------------------------===//
+
+namespace {
+
+bool isVoidPointer(const FieldDecl *FD) {
+  QualType T = FD->getType();
+  while (T->isPointerType() && !T->isVoidPointerType()) {
+    T = T->getPointeeType();
+  }
+  return T->isVoidPointerType();
+}
+
+Optional<nonloc::LazyCompoundVal>
+getObjectVal(const CXXConstructorDecl *CtorDecl, CheckerContext &Context) {
+
+  Loc ThisLoc = Context.getSValBuilder().getCXXThis(CtorDecl->getParent(),
+                                                    Context.getStackFrame());
+  // Getting the value for 'this'.
+  SVal This = Context.getState()->getSVal(ThisLoc);
+
+  // Getting the value for '*this'.
+  SVal Object = Context.getState()->getSVal(This.castAs<Loc>());
+
+  return Object.getAs<nonloc::LazyCompoundVal>();
+}
+
+bool isCalledByConstructor(const CheckerContext &Context) {
+  const LocationContext *LC = Context.getLocationContext()->getParent();
+
+  while (LC) {
+    if (isa<CXXConstructorDecl>(LC->getDecl()))
+      return true;
+
+    LC = LC->getParent();
+  }
+  return false;
+}
+
+} // namespace
+
+void ento::registerCtorUninitializedMemberChecker(CheckerManager &Mgr) {
+  Mgr.registerChecker<CtorUninitializedMemberChecker>();
+}
Index: lib/StaticAnalyzer/Checkers/CMakeLists.txt
===================================================================
--- lib/StaticAnalyzer/Checkers/CMakeLists.txt
+++ lib/StaticAnalyzer/Checkers/CMakeLists.txt
@@ -26,6 +26,7 @@
   ClangCheckers.cpp
   CloneChecker.cpp
   ConversionChecker.cpp
+  CtorUninitializedMemberChecker.cpp
   CXXSelfAssignmentChecker.cpp
   DeadStoresChecker.cpp
   DebugCheckers.cpp
Index: include/clang/StaticAnalyzer/Checkers/Checkers.td
===================================================================
--- include/clang/StaticAnalyzer/Checkers/Checkers.td
+++ include/clang/StaticAnalyzer/Checkers/Checkers.td
@@ -300,6 +300,10 @@
 
 let ParentPackage = CplusplusAlpha in {
 
+def CtorUninitializedMemberChecker: Checker<"CtorUninitializedMember">,
+     HelpText<"Reports uninitialized members in constructors">,
+     DescFile<"CtorUninitializedMemberChecker.cpp">;
+
 def DeleteWithNonVirtualDtorChecker : Checker<"DeleteWithNonVirtualDtor">,
   HelpText<"Reports destructions of polymorphic objects with a non-virtual "
            "destructor in their base class">,
_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

Reply via email to