[pulse] be more careful about what to consider as a variable going out of scope

Summary:
The heuristic to detect variables going out of scope was to detect any
access expression passed as argument to an injected destructor call.
However destructor calls are also injected in destructor bodies to
destruct each field of an object, so the heuristic would detect fields
going out of scope, which, erm, doesn't make sense. Limit the heuristic
to local program variables.

Reviewed By: jberdine

Differential Revision: D14771454

fbshipit-source-id: ffa3c9fe3

infer/src/pulse/Pulse.ml

@@ -145,8 +145,8 @@ module PulseTransferFunctions = struct
     if flags.cf_injected_destructor then
       match (call, actuals) with
       | ( Direct (Typ.Procname.ObjC_Cpp pname)
-        , [AccessExpression (*AddressOf (Base _) as *) destroyed_access] )
-        when not (Typ.Procname.ObjC_Cpp.is_inner_destructor pname) ->
+        , [AccessExpression (AddressOf (Base (ProgramVar pvar, _)) as destroyed_access)] )
+        when Pvar.is_local pvar && not (Typ.Procname.ObjC_Cpp.is_inner_destructor pname) ->
           (* ignore inner destructors, only trigger out of scope on the final destructor call *)
           Some destroyed_access
       | _ ->

infer/tests/codetoanalyze/cpp/pulse/use_after_destructor.cpp

@@ -259,4 +259,31 @@ bool variable_init_ternary_ok(bool b) {
   std::string newPath = b ? "" : mk_string();
 }
 
+void move_data(POD* from, POD* to);
+
+struct Moveable {
+  Moveable() = default;
+  Moveable(const Moveable&) = delete; // not copyable
+
+  // move constructor
+  Moveable(Moveable&& that) noexcept { move_data(&that.data, &data); }
+
+  Moveable& operator=(Moveable&& that) noexcept {
+    this->~Moveable();
+    ::new (this) Moveable(std::move(that));
+    return *this;
+  }
+
+  ~Moveable() {}
+
+  Moveable& operator=(const Moveable&) = delete;
+
+  POD data;
+};
+
+void move_moveable_ok(Moveable& src) {
+  Moveable x;
+  x = std::move(src);
+}
+
 } // namespace use_after_destructor