[PATCH] D11832: [Patch] [Analyzer] false positive: Potential leak connected with memcpy (PR 22954)

inż. Piotr Zegar via cfe-commits cfe-commits at lists.llvm.org
Mon Aug 31 12:37:18 PDT 2015


I also got a crash with this commit:

0x0000000000f52d4b in (anonymous
namespace)::CStringChecker::InvalidateBuffer(clang::ento::CheckerContext&,
llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::Expr
const*, clang::ento::SVal, bool, clang::Expr const*) () at
llvm/tools/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp:859
859       const MemRegion *R = BufEnd.getAsRegion();


#0  0x0000000000f52d4b in (anonymous
namespace)::CStringChecker::InvalidateBuffer(clang::ento::CheckerContext&,
llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::Expr
const*, clang::ento::SVal, bool, clang::Expr const*) () at
llvm/tools/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp:859
#1  0x0000000000f54a52 in (anonymous
namespace)::CStringChecker::evalCopyCommon(clang::ento::CheckerContext&,
clang::CallExpr const*, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState
const>, clang::Expr const*, clang::Expr const*, clang::Expr const*, bool,
bool) const ()
    at llvm/tools/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp:1079
#2  0x0000000000f559fc in (anonymous
namespace)::CStringChecker::evalMemcpy(clang::ento::CheckerContext&,
clang::CallExpr const*) const ()
    at llvm/tools/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp:1101
#3  0x0000000000f51e5d in bool
clang::ento::eval::Call::_evalCall<(anonymous
namespace)::CStringChecker>(void*, clang::CallExpr const*,
clang::ento::CheckerContext&) ()
    at llvm/tools/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp:2002
#4  0x0000000000fae631 in
clang::ento::CheckerManager::runCheckersForEvalCall(clang::ento::ExplodedNodeSet&,
clang::ento::ExplodedNodeSet const&, clang::ento::CallEvent const&,
clang::ento::ExprEngine&) () at
llvm/tools/clang/include/clang/StaticAnalyzer/Core/CheckerManager.h:58
#5  0x0000000000fe40de in
clang::ento::ExprEngine::evalCall(clang::ento::ExplodedNodeSet&,
clang::ento::ExplodedNode*, clang::ento::CallEvent const&) ()
    at
llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp:528
#6  0x0000000000fe43ec in
clang::ento::ExprEngine::VisitCallExpr(clang::CallExpr const*,
clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) ()
    at
llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp:499
#7  0x0000000000fd4c96 in clang::ento::ExprEngine::Visit(clang::Stmt
const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) ()
    at llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:1075
#8  0x0000000000fd6726 in
clang::ento::ExprEngine::ProcessStmt(clang::CFGStmt,
clang::ento::ExplodedNode*) ()
    at llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:446
#9  0x0000000000fd6f24 in
clang::ento::ExprEngine::processCFGElement(clang::CFGElement,
clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*)
()
    at llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:295
#10 0x0000000000fb746e in
clang::ento::CoreEngine::HandlePostStmt(clang::CFGBlock const*, unsigned
int, clang::ento::ExplodedNode*) ()
    at llvm/tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:503
#11 0x0000000000fb7607 in
clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*,
clang::ProgramPoint, clang::ento::WorkListUnit const&) ()
    at llvm/tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:267
#12 0x0000000000fb7708 in
clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*,
unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) ()
#13 0x00000000007d4bd1 in (anonymous
namespace)::AnalysisConsumer::ActionExprEngine ()
#14 0x00000000007d5343 in (anonymous
namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int,
clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*,
llvm::DenseMapInfo<clang::Decl const*> >*) ()
#15 0x00000000007e021d in (anonymous
namespace)::AnalysisConsumer::HandleTranslationUnit ()
#16 0x000000000082daa8 in
clang::MultiplexConsumer::HandleTranslationUnit(clang::ASTContext&) ()
    at llvm/tools/clang/lib/Frontend/MultiplexConsumer.cpp:296
#17 0x00000000008be045 in clang::ParseAST(clang::Sema&, bool, bool) () at
llvm/tools/clang/lib/Parse/ParseAST.cpp:168
#18 0x0000000000812e36 in clang::FrontendAction::Execute() ()
#19 0x00000000007eda8f in
clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) ()
#20 0x00000000007ab25c in
clang::tooling::FrontendActionFactory::runInvocation(clang::CompilerInvocation*,
clang::FileManager*, std::shared_ptr<clang::PCHContainerOperations>,
clang::DiagnosticConsumer*) () at
llvm/tools/clang/lib/Tooling/Tooling.cpp:274
#21 0x00000000007a8861 in
clang::tooling::ToolInvocation::runInvocation(char const*,
clang::driver::Compilation*, clang::CompilerInvocation*,
std::shared_ptr<clang::PCHContainerOperations>) () at
llvm/tools/clang/lib/Tooling/Tooling.cpp:250
#22 0x00000000007a9e24 in clang::tooling::ToolInvocation::run() () at
llvm/tools/clang/lib/Tooling/Tooling.cpp:235
#23 0x00000000007aa7d2 in
clang::tooling::ClangTool::run(clang::tooling::ToolAction*) () at
llvm/tools/clang/lib/Tooling/Tooling.cpp:369
#24 0x000000000067a650 in
clang::tidy::runClangTidy(std::unique_ptr<clang::tidy::ClangTidyOptionsProvider,
std::default_delete<clang::tidy::ClangTidyOptionsProvider> >,
clang::tooling::CompilationDatabase const&, llvm::ArrayRef<std::string>,
std::vector<clang::tidy::ClangTidyError,
std::allocator<clang::tidy::ClangTidyError> >*, clang::tidy::ProfileData*)
() at llvm/tools/clang/tools/extra/clang-tidy/ClangTidy.cpp:408

Memcpy usage in the file that crashes:
std::memcpy(somelocalvar.data, someparam.somememer.data(),
somelocalvar.size * sizeof(u8));
std::memcpy(&(someparam.somemember[somelocal]),
                     somelocal[i].data,
                     somelocal[i].size);
std::memcpy(someparam.somemember[someparam.somemember].data,
                 somelocal[0].data,
                 somelocal[0].size);

Issue caused by commit: 93968


2015-08-31 21:04 GMT+02:00 Gábor Horváth <cfe-commits at lists.llvm.org>:

> xazax.hun added a comment.
>
> Hi!
>
> With this patch committed I noticed a regression in the static analyzer.
>
> I analyzed openssl-1.0.0d (using the test suite in
> utils/analyzer/SATestBuild.py).
> I got the following assertion error:
> (lldb) bt
>
> - thread #1: tid = 0xa1fcb, 0x00007fff943e50ae
> libsystem_kernel.dylib`__pthread_kill + 10, queue =
> 'com.apple.main-thread', stop reason = signal SIGABRT
>   - frame #0: 0x00007fff943e50ae libsystem_kernel.dylib`__pthread_kill +
> 10 frame #1: 0x00007fff943f25fd libsystem_pthread.dylib`pthread_kill + 90
> frame #2: 0x0000000100960106 clang`::abort() [inlined] raise(sig=6) + 18 at
> Signals.inc:504 frame #3: 0x00000001009600f4 clang`::abort() + 4 at
> Signals.inc:521 frame #4: 0x00000001009600e1
> clang`::__assert_rtn(func=<unavailable>, file=<unavailable>,
> line=<unavailable>, expr=<unavailable>) + 81 at Signals.inc:517 frame #5:
> 0x00000001018fc418 clang`(anonymous
> namespace)::CStringChecker::InvalidateBuffer(clang::ento::CheckerContext&,
> llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::Expr
> const*, clang::ento::SVal, bool, clang::Expr const*) [inlined]
> clang::ento::NonLoc clang::ento::SVal::castAs<clang::ento::NonLoc>() const
> + 1448 at SVals.h:76 frame #6: 0x00000001018fc3f9 clang`(anonymous
> namespace)::CStringChecker::InvalidateBuffer(clang::ento::CheckerContext&,
> llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::Expr
> const*, clang::ento::SVal, bool, clang::Expr const*) [inlined] (anonymous
> namespace)::CStringChecker::IsFirstBufInBound(state=clang::ento::ProgramStateRef
> @ 0x0000000103bf2080, FirstBuf=0x0000000103a86768) at
> CStringChecker.cpp:842 frame #7: 0x00000001018fc3f9 clang`(anonymous
> namespace)::CStringChecker::InvalidateBuffer(C=<unavailable>,
> state=<unavailable>, E=0x0000000103a86768, V=<unavailable>,
> IsSourceBuffer=<unavailable>, Size=<unavailable>) + 1417 at
> CStringChecker.cpp:920 frame #8: 0x00000001018fadf7 clang`(anonymous
> namespace)::CStringChecker::evalCopyCommon(this=0x0000000103212fb0,
> C=0x00007fff5fbfc1a0, CE=<unavailable>, state=clang::ento::ProgramStateRef
> @ 0x00007fff5fbfc0c0, Size=0x0000000103a867b0, Dest=0x0000000103a86768,
> Source=<unavailable>, Restricted=<unavailable>, IsMempcpy=<unavailable>)
> const + 3991 at CStringChecker.cpp:1079 frame #9: 0x00000001018f8ad8
> clang`(anonymous
> namespace)::CStringChecker::evalMemcpy(this=0x0000000103212fb0,
> C=0x00007fff5fbfc1a0, CE=0x0000000103a86720) const + 248 at
> CStringChecker.cpp:1101 frame #10: 0x00000001018f89b6 clang`bool
> clang::ento::eval::Call::_evalCall<(anonymous
> namespace)::CStringChecker>(void*, clang::CallExpr const*,
> clang::ento::CheckerContext&) [inlined] (anonymous
> namespace)::CStringChecker::evalCall(CE=0x0000000103a86720,
> C=0x00007fff5fbfc1a0) const + 655 at CStringChecker.cpp:2002 frame #11:
> 0x00000001018f8727 clang`bool clang::ento::eval::Call::_evalCall<(anonymous
> namespace)::CStringChecker>(checker=0x0000000103212fb0,
> CE=0x0000000103a86720, C=0x00007fff5fbfc1a0) + 23 at Checker.h:438 frame
> #12: 0x0000000101a0417d
> clang`clang::ento::CheckerManager::runCheckersForEvalCall(clang::ento::ExplodedNodeSet&,
> clang::ento::ExplodedNodeSet const&, clang::ento::CallEvent const&,
> clang::ento::ExprEngine&) [inlined] clang::ento::CheckerFn<bool
> (clang::CallExpr const*,
> clang::ento::CheckerContext&)>::operator(this=<unavailable>,
> ps=<unavailable>)(clang::CallExpr const*, clang::ento::CheckerContext&)
> const + 653 at CheckerManager.h:58 frame #13: 0x0000000101a0416b
> clang`clang::ento::CheckerManager::runCheckersForEvalCall(this=0x0000000103211950,
> Dst=0x00007fff5fbfc2d8, Src=<unavailable>, Call=0x0000000103ac2070,
> Eng=0x00007fff5fbfcd90) + 635 at CheckerManager.cpp:549 frame #14:
> 0x0000000101a361af
> clang`clang::ento::ExprEngine::evalCall(this=0x00007fff5fbfcd90,
> Dst=0x00007fff5fbfc448, Pred=<unavailable>, Call=0x0000000103ac2070) + 383
> at ExprEngineCallAndReturn.cpp:527 frame #15: 0x0000000101a35ee0
> clang`clang::ento::ExprEngine::VisitCallExpr(this=0x00007fff5fbfcd90,
> CE=0x0000000103a86720, Pred=<unavailable>, dst=0x00007fff5fbfc9b8) + 528 at
> ExprEngineCallAndReturn.cpp:499 frame #16: 0x0000000101a1b4a0
> clang`clang::ento::ExprEngine::Visit(this=0x00007fff5fbfcd90,
> S=0x0000000103a86720, Pred=<unavailable>, DstTop=<unavailable>) + 12224 at
> ExprEngine.cpp:1075 frame #17: 0x0000000101a16c30
> clang`clang::ento::ExprEngine::ProcessStmt(this=0x00007fff5fbfcd90,
> S=<unavailable>, Pred=<unavailable>) + 880 at ExprEngine.cpp:446 frame #18:
> 0x0000000101a1681e
> clang`clang::ento::ExprEngine::processCFGElement(this=<unavailable>,
> E=<unavailable>, Pred=0x0000000103bf1be0, StmtIdx=<unavailable>,
> Ctx=0x00007fff5fbfcc98) + 190 at ExprEngine.cpp:295 frame #19:
> 0x0000000101a0c128
> clang`clang::ento::CoreEngine::HandlePostStmt(this=<unavailable>,
> B=<unavailable>, StmtIdx=<unavailable>, Pred=<unavailable>) + 136 at
> CoreEngine.cpp:503 frame #20: 0x0000000101a0b71b
> clang`clang::ento::CoreEngine::ExecuteWorkList(this=0x00007fff5fbfcda8,
> L=<unavailable>, Steps=150000, InitState=clang::ento::ProgramStateRef @
> 0x00007fff5fbfd120) + 491 at CoreEngine.cpp:223 frame #21:
> 0x00000001012698a0 clang`(anonymous
> namespace)::AnalysisConsumer::ActionExprEngine(clang::Decl*, bool,
> clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*,
> llvm::DenseMapInfo<clang::Decl const*> >*) [inlined]
> clang::ento::ExprEngine::ExecuteWorkList(L=0x00000001032c84a0,
> Steps=<unavailable>) + 35 at ExprEngine.h:109 frame #22: 0x000000010126987d
> clang`(anonymous
> namespace)::AnalysisConsumer::ActionExprEngine(this=0x0000000103211090,
> D=0x00000001039b8418, ObjCGCEnabled=<unavailable>, IMode=<unavailable>,
> VisitedCallees=<unavailable>) + 973 at AnalysisConsumer.cpp:659 frame #23:
> 0x000000010126931d clang`(anonymous
> namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int,
> clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*,
> llvm::DenseMapInfo<clang::Decl const*> >*) [inlined] (anonymous
> namespace)::AnalysisConsumer::RunPathSensitiveChecks(this=<unavailable>,
> D=<unavailable>, IMode=<unavailable>, Visited=<unavailable>) + 1501 at
> AnalysisConsumer.cpp:689 frame #24: 0x00000001012692c9 clang`(anonymous
> namespace)::AnalysisConsumer::HandleCode(this=<unavailable>,
> D=<unavailable>, Mode=<unavailable>, IMode=Inline_Regular,
> VisitedCallees=<unavailable>) + 1417 at AnalysisConsumer.cpp:627 frame #25:
> 0x000000010125bd31 clang`(anonymous
> namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) +
> 743 at AnalysisConsumer.cpp:491 frame #26: 0x000000010125ba4a
> clang`(anonymous
> namespace)::AnalysisConsumer::HandleTranslationUnit(this=0x0000000103211090,
> C=<unavailable>) + 650 at AnalysisConsumer.cpp:542 frame #27:
> 0x0000000101274065 clang`clang::ParseAST(S=0x0000000103858a00,
> PrintStats=false, SkipFunctionBodies=<unavailable>) + 581 at
> ParseAST.cpp:168 frame #28: 0x0000000100d96adb
> clang`clang::FrontendAction::Execute(this=<unavailable>) + 75 at
> FrontendAction.cpp:439 frame #29: 0x0000000100d621eb
> clang`clang::CompilerInstance::ExecuteAction(this=0x0000000103208240,
> Act=0x0000000103209ae0) + 843 at CompilerInstance.cpp:830 frame #30:
> 0x0000000100dd48bf
> clang`clang::ExecuteCompilerInvocation(Clang=0x0000000103208240) + 4047 at
> ExecuteCompilerInvocation.cpp:222 frame #31: 0x000000010000608c
> clang`cc1_main(Argv=<unavailable>,
> Argv0="/Users/ghorvath/Documents/LLVM/build/bin/clang",
> MainAddr=0x0000000100001df0) + 1180 at cc1_main.cpp:116 frame #32:
> 0x0000000100004cc9 clang`main [inlined] ExecuteCC1Tool(Tool=<unavailable>)
> + 83 at driver.cpp:380 frame #33: 0x0000000100004c76
> clang`main(argc_=<unavailable>, argv_=<unavailable>) + 11830 at
> driver.cpp:443 frame #34: 0x00007fff881eb5ad libdyld.dylib`start + 1 frame
> #35: 0x00007fff881eb5ad libdyld.dylib`start + 1
>
> Could you look into this?
>
>
> Repository:
>   rL LLVM
>
> http://reviews.llvm.org/D11832
>
>
>
> _______________________________________________
> cfe-commits mailing list
> cfe-commits at lists.llvm.org
> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
>



-- 
inż. Piotr Zegar
me at piotrzegar.pl
http://www.piotrzegar.pl