[PATCH] D49361: [analyzer][WIP] Detect pointers escaped after return statement execution in MallocChecker

Artem Dergachev via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Sun Jul 15 22:05:09 PDT 2018

NoQ added a comment.

Aha, so the destructors are called //after// the return statement! Makes sense.

The return statement is available in `ExprEngine::processEndOfFunction()`, so I guess we could improve the `checkEndFunction()` callback to provide it, and then we wouldn't need any of those extra state traits: the returned expression would be a sub-expression of the return statement and the return value would be, well, the value of the returned expression (hopefully). The procedure of adding more arguments to a callback is a bit annoying but straightforward.

I guess it'd be great to add a MallocChecker-only test. It should be possible by mocking a simple object that frees memory in its destructor (in a manner that the Analyzer can understand by inlining all methods of the object) and then returning that memory.

> The warning is emitted at the end of the function, which might be confusing.

I'm afraid it might be hard to fix; path-sensitive reports are usually thrown against the node and that node is already too far and the return statement node is too early.

@george.karpenkov would your `getEndPath()`-fu help here?

  rC Clang
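
The kind of object the comment above suggests mocking for a MallocChecker-only test, as an added example that is not part of the original message or of the patch under review: an owner that frees its buffer in the destructor, returned from once incorrectly and once correctly. All names (`Buf`, `return_dangling`, `return_owned`, `events`) are hypothetical, and the `events` log exists only to make the ordering visible.

```cpp
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>

// All names here (Buf, return_dangling, return_owned, events) are hypothetical.
static std::vector<std::string> events;  // records the order of operations

// Simple owner whose methods are all inline, so an analyzer can model them.
struct Buf {
  char *p;
  Buf() : p(static_cast<char *>(std::malloc(16))) {}
  ~Buf() { events.push_back("dtor"); std::free(p); }  // free(nullptr) is a no-op
  char *get() { events.push_back("get"); return p; }
  char *release() {  // hand ownership to the caller
    events.push_back("release");
    char *q = p;
    p = nullptr;
    return q;
  }
};

// Defective: the return value is computed first, then ~Buf() frees it,
// so the caller receives a pointer to released memory.
char *return_dangling() {
  Buf b;
  return b.get();
}

// Corrected: ownership leaves the object before its destructor runs.
char *return_owned() {
  Buf b;
  return b.release();
}

int main() {
  (void)return_dangling();  // result deliberately never dereferenced
  char *ok = return_owned();
  ok[0] = 'x';              // valid: the caller owns this allocation
  std::free(ok);
  for (const std::string &e : events) std::printf("%s\n", e.c_str());
  return 0;
}
```

In both functions the destructor runs after the returned expression has been evaluated; only the first leaves the caller holding freed memory.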

