Avoid crashing when --dependence-graph is used by correcting namespace scoping.

martin · martin · commit 2801f0f041fe · 2017-12-20T18:13:57.000Z
The namespace has to last as long as the domain does, otherwise the
dependence graph will wind up with a reference to a dead, stack allocated
object, leading to some exciting crashes.
diff --git a/src/goto-analyzer/goto_analyzer_parse_options.cpp b/src/goto-analyzer/goto_analyzer_parse_options.cpp
@@ -311,7 +311,9 @@ void goto_analyzer_parse_optionst::get_command_line_options(optionst &options)
 /// For the task, build the appropriate kind of analyzer
 /// Ideally this should be a pure function of options.
 /// However at the moment some domains require the goto_model
-ai_baset *goto_analyzer_parse_optionst::build_analyzer(const optionst &options)
+ai_baset *goto_analyzer_parse_optionst::build_analyzer(
+  const optionst &options,
+  const namespacet &ns)
 {
   ai_baset *domain = nullptr;
 
@@ -324,7 +326,7 @@ ai_baset *goto_analyzer_parse_optionst::build_analyzer(const optionst &options)
     }
     else if(options.get_bool_option("dependence-graph"))
     {
-      domain=new dependence_grapht(namespacet(goto_model.symbol_table));
+      domain=new dependence_grapht(ns);
     }
     else if(options.get_bool_option("intervals"))
     {
@@ -348,7 +350,7 @@ ai_baset *goto_analyzer_parse_optionst::build_analyzer(const optionst &options)
     }
     else if(options.get_bool_option("dependence-graph"))
     {
-      domain=new dependence_grapht(namespacet(goto_model.symbol_table));
+      domain=new dependence_grapht(ns);
     }
     else if(options.get_bool_option("intervals"))
     {
@@ -611,7 +613,8 @@ int goto_analyzer_parse_optionst::perform_analysis(const optionst &options)
 
     // Build analyzer
     status() << "Selecting abstract domain" << eom;
-    std::unique_ptr<ai_baset> analyzer(build_analyzer(options));
+    namespacet ns(goto_model.symbol_table);  // Must live as long as the domain.
+    std::unique_ptr<ai_baset> analyzer(build_analyzer(options, ns));
 
     if(analyzer == nullptr)
     {
diff --git a/src/goto-analyzer/goto_analyzer_parse_options.h b/src/goto-analyzer/goto_analyzer_parse_options.h
@@ -168,7 +168,7 @@ class goto_analyzer_parse_optionst:
 
   virtual int perform_analysis(const optionst &options);
 
-  ai_baset *build_analyzer(const optionst &options);
+  ai_baset *build_analyzer(const optionst &, const namespacet &ns);
 
   void eval_verbosity();
 

Original file line number	Diff line number	Diff line change
`@@ -311,7 +311,9 @@ void goto_analyzer_parse_optionst::get_command_line_options(optionst &options)`
`311`	`311`	`/// For the task, build the appropriate kind of analyzer`
`312`	`312`	`/// Ideally this should be a pure function of options.`
`313`	`313`	`/// However at the moment some domains require the goto_model`
`314`		`-ai_baset *goto_analyzer_parse_optionst::build_analyzer(const optionst &options)`
	`314`	`+ai_baset *goto_analyzer_parse_optionst::build_analyzer(`
	`315`	`+ const optionst &options,`
	`316`	`+ const namespacet &ns)`
`315`	`317`	`{`
`316`	`318`	`ai_baset *domain = nullptr;`
`317`	`319`
`@@ -324,7 +326,7 @@ ai_baset *goto_analyzer_parse_optionst::build_analyzer(const optionst &options)`
`324`	`326`	`}`
`325`	`327`	`else if(options.get_bool_option("dependence-graph"))`
`326`	`328`	`{`
`327`		`- domain=new dependence_grapht(namespacet(goto_model.symbol_table));`
	`329`	`+ domain=new dependence_grapht(ns);`
`328`	`330`	`}`
`329`	`331`	`else if(options.get_bool_option("intervals"))`
`330`	`332`	`{`
`@@ -348,7 +350,7 @@ ai_baset *goto_analyzer_parse_optionst::build_analyzer(const optionst &options)`
`348`	`350`	`}`
`349`	`351`	`else if(options.get_bool_option("dependence-graph"))`
`350`	`352`	`{`
`351`		`- domain=new dependence_grapht(namespacet(goto_model.symbol_table));`
	`353`	`+ domain=new dependence_grapht(ns);`
`352`	`354`	`}`
`353`	`355`	`else if(options.get_bool_option("intervals"))`
`354`	`356`	`{`
`@@ -611,7 +613,8 @@ int goto_analyzer_parse_optionst::perform_analysis(const optionst &options)`
`611`	`613`
`612`	`614`	`// Build analyzer`
`613`	`615`	`status() << "Selecting abstract domain" << eom;`
`614`		`- std::unique_ptr<ai_baset> analyzer(build_analyzer(options));`
	`616`	`+ namespacet ns(goto_model.symbol_table); // Must live as long as the domain.`
	`617`	`+ std::unique_ptr<ai_baset> analyzer(build_analyzer(options, ns));`
`615`	`618`
`616`	`619`	`if(analyzer == nullptr)`
`617`	`620`	`{`