[PATCH] D47135: [analyzer] A checker for dangling internal buffer pointers in C++
Gábor Horváth via Phabricator via cfe-commits
cfe-commits at lists.llvm.org
Sat May 26 11:26:14 PDT 2018
xazax.hun added a comment.
Looks good so far, some comments inline.
================
Comment at: lib/StaticAnalyzer/Checkers/DanglingInternalBufferChecker.cpp:58
+
+ auto *TypeDecl = TypedR->getValueType().getTypePtr()->getAsCXXRecordDecl();
+ if (TypeDecl->getName() != "basic_string")
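Review bot: `getAsCXXRecordDecl()` returns null when the value type of `TypedR` is not a C++ class (a plain `char` or pointer-typed region would do it), and the next line dereferences `TypeDecl` unconditionally. Guard the name comparison, e.g. `if (!TypeDecl || TypeDecl->getName() != "basic_string")`. Matching on the bare identifier also accepts any class named `basic_string` in any namespace; if only the standard library's class is meant, check `TypeDecl->isInStdNamespace()` as well.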
----------------
QualType should have overloaded `->` operator, I think you can remove the `getTypePtr`.
================
Comment at: lib/StaticAnalyzer/Checkers/DanglingInternalBufferChecker.cpp:65
+ if (Call.isCalled(CStrFn)) {
+ SymbolRef RawPtr = Call.getReturnValue().getAsSymbol();
+ State = State->set<RawPtrMap>(TypedR, RawPtr);
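Review bot: `getAsSymbol()` returns a null `SymbolRef` when the return value is not symbolic (a concrete address, or an unknown or undefined value), and that null is then stored in `RawPtrMap` as if it were a valid buffer symbol. Bail out before the `set`, e.g. `if (!RawPtr) return;`, so later lookups never yield a map entry whose value is null.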
----------------
I wonder if we can always get a symbol.
I can think of two cases when the call above could fail:
* Non-standard implementation that does not return a pointer
* The analyzer is able to inline stuff and the returned value is a constant (a specific address that is shared between all empty strings in some implementation?)
Even though I don't find any of the above likely. @NoQ what do you think? Is this worth a check?
================
Comment at: lib/StaticAnalyzer/Checkers/DanglingInternalBufferChecker.cpp:73
+ if (State->contains<RawPtrMap>(TypedR)) {
+ const SymbolRef *StrBufferPtr = State->get<RawPtrMap>(TypedR);
+ const Expr *Origin = Call.getOriginExpr();
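Review bot: `contains<RawPtrMap>` followed by `get<RawPtrMap>` performs the same lookup twice; `get` already returns null when the key is absent, so the `contains` call is redundant. Collapse the two into `if (const SymbolRef *StrBufferPtr = State->get<RawPtrMap>(TypedR))`. A non-null `StrBufferPtr` only means the key exists: if a null symbol was ever stored for `TypedR`, `*StrBufferPtr` is still null and needs its own check before use.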
----------------
What if no symbol is associated with the region? Won't this return null that we dereference later on?
================
Comment at: test/Analysis/dangling-internal-buffer.cpp:24
+
+void deref_after_scope_char() {
+ const char *c;
----------------
I would like to see test cases that do not trigger a warning.
https://reviews.llvm.org/D47135