[cfe-commits] r150658 - in /cfe/trunk: lib/StaticAnalyzer/Checkers/MallocChecker.cpp test/Analysis/malloc-annotations.c test/Analysis/malloc.c

Anna Zaks ganna at apple.com
Wed Feb 15 19:40:57 PST 2012


Author: zaks
Date: Wed Feb 15 21:40:57 2012
New Revision: 150658

URL: http://llvm.org/viewvc/llvm-project?rev=150658&view=rev
Log:
[analyzer] Malloc Checker: Give up when a pointer escapes into a struct.

We are not properly handling the memory regions that escape into struct
fields, which led to a bunch of false positives. Be conservative here
and give up when a pointer escapes into a struct.

Modified:
    cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
    cfe/trunk/test/Analysis/malloc-annotations.c
    cfe/trunk/test/Analysis/malloc.c

Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp?rev=150658&r1=150657&r2=150658&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp Wed Feb 15 21:40:57 2012
@@ -924,6 +924,12 @@
       // the binding).
       escapes = (state == (state->bindLoc(*regionLoc, val)));
     }
+    if (!escapes) {
+      // Case 4: We do not currently model what happens when a symbol is
+      // assigned to a struct field, so be conservative here and let the symbol
+      // go. TODO: This could definitely be improved upon.
+      escapes = !isa<VarRegion>(regionLoc->getRegion());
+    }
   }
 
   // If our store can represent the binding and we aren't storing to something
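Review bot: The new Case 4 test `escapes = !isa<VarRegion>(regionLoc->getRegion());` at L37 is broader than the comment above it describes: any binding whose target region is not a plain VarRegion — array elements, stores through a dereferenced pointer, nested sub-regions — is now treated as an escape, not only struct fields. That is presumably the intended conservative trade-off (fewer false positives at the cost of the false negatives the test files document), but the comment should say so, since a later reader narrowing it to `isa<FieldRegion>` would silently change which leaks are reported. I would reword the comment to `// Case 4: Bindings to anything other than a plain VarRegion (struct fields, array elements, stores through a pointer) are not modeled yet; treat the symbol as escaped rather than report a likely-false leak.` The enclosing function starts and ends outside the hunk, so I cannot see what `escapes` was initialized to or whether a prior case already handles global regions.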

Modified: cfe/trunk/test/Analysis/malloc-annotations.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/malloc-annotations.c?rev=150658&r1=150657&r2=150658&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/malloc-annotations.c (original)
+++ cfe/trunk/test/Analysis/malloc-annotations.c Wed Feb 15 21:40:57 2012
@@ -68,9 +68,10 @@
   myglobalpointer = my_malloc(12); // no-warning
 }
 
+// TODO: We will be able to handle this after we add support for tracking allocations stored in struct fields.
 void af1_d() {
   struct stuff mystuff;
-  mystuff.somefield = my_malloc(12); // expected-warning{{Allocated memory never released. Potential memory leak.}}
+  mystuff.somefield = my_malloc(12); // false negative
 }
 
 // Test that we can pass out allocated memory via pointer-to-pointer.
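Review bot: The replacement marker `// false negative` on L56 is not a verify directive, so the line now passes only because `-verify` rejects unexpected diagnostics; the rest of this file (L49) spells that expectation out as `// no-warning`. I would keep both the intent and the convention: `mystuff.somefield = my_malloc(12); // no-warning (false negative: struct-field stores are not tracked)`. The same applies to the new testMalloc, testMalloc2, testMalloc3 and testMalloc5 bodies in test/Analysis/malloc.c, none of which carries a `// no-warning` annotation on the line whose silence is being asserted; testMalloc5 in particular is explicitly a false negative and should say so on the `pSt->memP = malloc(12);` line. Without the annotation, a future change that starts reporting these cases will fail the test with no hint as to whether that is a regression or the fix the TODO asks for.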

Modified: cfe/trunk/test/Analysis/malloc.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/malloc.c?rev=150658&r1=150657&r2=150658&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/malloc.c (original)
+++ cfe/trunk/test/Analysis/malloc.c Wed Feb 15 21:40:57 2012
@@ -485,6 +485,33 @@
   free(GlS.x);
 }
 
+// Make sure that we properly handle a pointer stored into a local struct/array.
+typedef struct _StructWithPtr {
+  int *memP;
+} StructWithPtr;
+
+static StructWithPtr arrOfStructs[10];
+
+void testMalloc() {
+  int *x = malloc(12);
+  StructWithPtr St;
+  St.memP = x;
+  arrOfStructs[0] = St;
+}
+
+StructWithPtr testMalloc2() {
+  int *x = malloc(12);
+  StructWithPtr St;
+  St.memP = x;
+  return St;
+}
+
+int *testMalloc3() {
+  int *x = malloc(12);
+  int *y = x;
+  return y;
+}
+
 // Region escape testing.
 
 unsigned takePtrToPtr(int **p);
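Review bot: The header comment on L70, `// Make sure that we properly handle a pointer stored into a local struct/array.`, overstates what these tests check: after this commit the checker gives up on such stores, so testMalloc and testMalloc2 pass by suppression, not by modeling the struct. I would phrase it as `// Pointers stored into a local struct/array are currently treated as escaped; these must not produce leak warnings.` so the intent matches the TODO added to the checker. testMalloc3 (L91–L95) does not involve a struct at all and is a plain alias-then-return case; a one-line comment such as `// Aliased pointer returned to the caller: not a leak.` would make its placement under this header less confusing.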
@@ -600,3 +627,11 @@
   free(p);// expected-warning {{leak}}
 }
 
+// False negatives.
+
+// TODO: This requires tracking symbols stored inside the structs/arrays.
+void testMalloc5() {
+  StructWithPtr St;
+  StructWithPtr *pSt = &St;
+  pSt->memP = malloc(12);
+}




