<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 28.02.2013 21:11, Jordan Rose wrote:<br>
</div>
<blockquote
cite="mid:5336DD0C-ED7C-4822-8458-7E608D544659@apple.com"
type="cite">
<br>
<div>
<div>On Feb 28, 2013, at 4:26 , Anton Yartsev &lt;<a
moz-do-not-send="true" href="mailto:anton.yartsev@gmail.com">anton.yartsev@gmail.com</a>&gt;
wrote:</div>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">+void testDeleteOp1() {<br>
+ int *p = (int *)malloc(sizeof(int));<br>
+ operator delete(p); // FIXME: should complain "Argument
to operator delete() was allocated by malloc(), not
operator new"<br>
+}<br>
</blockquote>
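Review bot: the FIXME on the <code>operator delete(p)</code> line records the missing diagnostic but checks nothing, so this test keeps passing whether or not the mismatch is ever reported; once the lost RefState discussed below is fixed, turn the comment into a checked expectation for the quoted message ("Argument to operator delete() was allocated by malloc(), not operator new") so a regression fails the test.<br>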
Hm. Any idea why this is not working? Is it not showing up
as a standard operator delete?<br>
</blockquote>
Nasty error.<br>
There appears to be no RefState attached to the symbolic region
for 'p' when operator delete(p) is processed by FreeMemAux().
Everything works fine if the call to operator delete is
replaced by a delete expression or free().<br>
Debugging of the following example<br>
<pre>#include &lt;stdlib.h&gt;
#include &lt;new&gt;

void test() {
  int *p = (int *)malloc(sizeof(int));
  operator delete(p); // case 1
  free(p);            // case 2
}</pre>
showed that in both cases all the addresses of SVals and
regions remain the same from one call to FreeMemAux() to
another, but in the first case "const RefState *RsBase =
State->get&lt;RegionState&gt;(SymBase);" returns 0.<br>
The same thing happens for Objective-C methods.<br>
The problem seems to lie somewhere in the guts of the analyzer.<br>
</blockquote>
<div><br>
</div>
<div>Aha. Haven't read the new patch yet, but I think I figured
this one out. We're doing the free checks in a <i>post-CallExpr</i> check,
but by that point we've already evaluated the function, which
causes the pointers to escape, which causes checkPointerEscape
to clear out the RefState for these objects. Note this part in
doesNotFreeMemory():</div>
<div><br>
</div>
<div>
<pre>  // If it's one of the allocation functions we can reason about, we model
  // its behavior explicitly.
  if (isMemFunction(FD, ASTC))
    return true;</pre>
</div>
<div>You should just be able to add isStandardNewDelete to
isMemFunction. As for Objective-C methods, the same thing
applies: if they're one of the methods we handle
in checkPostObjCMessage(), we can actually return true from
doesNotFreeMemory(), but we need to keep the existing escaping
behavior for methods we don't handle.</div>
</div>
</blockquote>
Right. Fixed it.<br>
I guess that all methods with the first selector ending with NoCopy
and 'freeWhenDone' param set to 1 should be handled by
checkPostObjCMessage(). Am I right?<br>
I also propose to fix the confusing name of doesNotFreeMemory() (which also
returns true for calls that do free memory but are interesting to us)
and the incorrect logic for checking Objective-C messages in
checkPostObjCMessage() that conflicts with the logic in
checkPostObjCMessage().<br>
All these solutions are included in the attached patch.<br>
<pre class="moz-signature" cols="72">--
Anton</pre>
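Jordan's diagnosis above (the call is evaluated before the post-CallExpr free check, so an unmodeled callee makes the pointer escape and the RefState is dropped before FreeMemAux() can compare allocator families) as an added toy model in C++. This is not MallocChecker's code; ToyChecker, runScenario and the Family/Verdict enums are names made up here for illustration.

```cpp
#include <map>
#include <set>
#include <string>
// Added toy model of the thread's state handling; not MallocChecker's code.
// ToyChecker, Family and Verdict are names made up here for illustration.
enum class Family { Malloc, CxxNew };
enum class Verdict { NoState, Mismatch, Ok };

struct ToyChecker {
  std::map<std::string, Family> regionState; // symbol -> RefState (family)
  std::set<std::string> memFunctions;        // callees isMemFunction() models

  // Stands in for doesNotFreeMemory(): modeled callees do not let pointers escape.
  bool doesNotFreeMemory(const std::string &callee) const {
    return memFunctions.count(callee) != 0;
  }

  // Stands in for checkPointerEscape(): an unmodeled call may free or retain
  // the pointer, so its RefState is dropped.
  void checkPointerEscape(const std::string &callee, const std::string &sym) {
    if (!doesNotFreeMemory(callee))
      regionState.erase(sym);
  }

  // Stands in for FreeMemAux(): the post-call check needs the RefState.
  Verdict freeMemAux(const std::string &sym, Family deallocFamily) {
    auto it = regionState.find(sym);
    if (it == regionState.end())
      return Verdict::NoState; // the silent case from the thread
    Verdict v = it->second == deallocFamily ? Verdict::Ok : Verdict::Mismatch;
    regionState.erase(it);
    return v;
  }

  // Order the thread describes: the call is evaluated (escape) first, then
  // the post-CallExpr free check runs.
  Verdict callDeallocator(const std::string &callee, const std::string &sym,
                          Family deallocFamily) {
    checkPointerEscape(callee, sym);
    return freeMemAux(sym, deallocFamily);
  }
};

// Scenario from the patch: p = malloc(...); operator delete(p);
Verdict runScenario(bool modelOperatorDelete) {
  ToyChecker chk;
  chk.memFunctions = {"malloc", "free"};
  if (modelOperatorDelete) chk.memFunctions.insert("operator delete");
  chk.regionState["p"] = Family::Malloc;
  return chk.callDeallocator("operator delete", "p", Family::CxxNew);
}
```

With operator delete absent from the modeled set the check sees no RefState and stays silent; adding it (the isStandardNewDelete fix suggested above) lets the mismatch surface.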
</body>
</html>