[cfe-commits] r161248 - in /cfe/trunk: lib/StaticAnalyzer/Checkers/MallocChecker.cpp test/Analysis/malloc.c
Anna Zaks
ganna at apple.com
Fri Aug 3 11:30:18 PDT 2012
Author: zaks
Date: Fri Aug 3 13:30:18 2012
New Revision: 161248
URL: http://llvm.org/viewvc/llvm-project?rev=161248&view=rev
Log:
[analyzer] Malloc: track non-allocated but freed memory
There is no reason why we should not track the memory which was not
allocated in the current function, but was freed there. This would
allow to catch more use-after-free and double free with no/limited IPA.
Also fix a realloc issue which surfaced as the result of this patch.
Modified:
cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
cfe/trunk/test/Analysis/malloc.c
Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp?rev=161248&r1=161247&r2=161248&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp Fri Aug 3 13:30:18 2012
@@ -679,14 +679,8 @@
SymbolRef Sym = SR->getSymbol();
const RefState *RS = state->get<RegionState>(Sym);
- // If the symbol has not been tracked, return. This is possible when free() is
- // called on a pointer that does not get its pointee directly from malloc().
- // Full support of this requires inter-procedural analysis.
- if (!RS)
- return 0;
-
// Check double free.
- if (RS->isReleased() || RS->isRelinquished()) {
+ if (RS && (RS->isReleased() || RS->isRelinquished())) {
if (ExplodedNode *N = C.generateSink()) {
if (!BT_DoubleFree)
BT_DoubleFree.reset(
@@ -902,10 +896,8 @@
if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero,0,false)){
// The semantics of the return value are:
// If size was equal to 0, either NULL or a pointer suitable to be passed
- // to free() is returned.
- stateFree = stateFree->set<ReallocPairs>(ToPtr,
- ReallocPair(FromPtr, FreesOnFail));
- C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr);
+ // to free() is returned. We just free the input pointer and do not add
+ // any constrains on the output pointer.
return stateFree;
}
@@ -1518,7 +1510,7 @@
const RefState *RS = state->get<RegionState>(Sym);
const RefState *RSPrev = statePrev->get<RegionState>(Sym);
- if (!RS && !RSPrev)
+ if (!RS)
return 0;
const Stmt *S = 0;
Modified: cfe/trunk/test/Analysis/malloc.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/malloc.c?rev=161248&r1=161247&r2=161248&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/malloc.c (original)
+++ cfe/trunk/test/Analysis/malloc.c Fri Aug 3 13:30:18 2012
@@ -69,7 +69,7 @@
char *p = malloc(12);
char *r = realloc(p, 0);
if (!r) {
- free(p);
+ free(p); // expected-warning {{Attempt to free released memory}}
} else {
free(r);
}
@@ -79,7 +79,7 @@
char *p = malloc(12);
char *r = realloc(p, 0);
if (!r) {
- free(p);
+ free(p); // expected-warning {{Attempt to free released memory}}
} else {
free(r);
}
@@ -321,7 +321,7 @@
void paramFree(int *p) {
myfoo(p);
free(p); // no warning
- myfoo(p); // TODO: This should be a warning.
+ myfoo(p); // expected-warning {{Use of memory after it is freed}}
}
int* mallocEscapeRet() {
@@ -999,3 +999,11 @@
xpc_connection_resume(peer);
}
+// Make sure we catch errors when we free in a function which does not allocate memory.
+void freeButNoMalloc(int *p, int x){
+ if (x) {
+ free(p);
+ //user forgot a return here.
+ }
+ free(p); // expected-warning {{Attempt to free released memory}}
+}
More information about the cfe-commits
mailing list