<div dir="ltr">The bot detects a memory leak, probably after this patch<div><br></div><div><a href="http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fast/builds/30957/steps/check-clang%20asan/logs/stdio" class="cremed">http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fast/builds/30957/steps/check-clang%20asan/logs/stdio</a><br></div><div><br></div><div><pre style="font-family:"Courier New",courier,monotype,monospace;color:rgb(0,0,0);font-size:medium"><span class="gmail-stdout"><br class="gmail-Apple-interchange-newline">
=================================================================
==22233==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 1088 byte(s) in 17 object(s) allocated from:
#0 0xc770f8 in operator new(unsigned long) /b/sanitizer-x86_64-linux-fast/build/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:106
#1 0x9c6feef in __libcpp_allocate /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/new:238:10
#2 0x9c6feef in allocate /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/memory:1813
#3 0x9c6feef in __value_func<(lambda at /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h:236:9), std::__1::allocator<(lambda at /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h:236:9)> > /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:1716
#4 0x9c6feef in function<(lambda at /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h:236:9), void> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:2290
#5 0x9c6feef in clang::ento::CheckerContext::getNoteTag(std::__1::function<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > (clang::ento::BugReport&)>&&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h:236
#6 0x9c6f061 in checkPostCall /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Checkers/MIGChecker.cpp:165:24
#7 0x9c6f061 in void clang::ento::check::PostCall::_checkCall<(anonymous namespace)::MIGChecker>(void*, clang::ento::CallEvent const&, clang::ento::CheckerContext&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/Checker.h:183
#8 0x9fbd78c in operator() /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/CheckerManager.h:69:12
#9 0x9fbd78c in runChecker /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:290
#10 0x9fbd78c in expandGraphWithCheckers<(anonymous namespace)::CheckCallContext> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:138
#11 0x9fbd78c in clang::ento::CheckerManager::runCheckersForCallEvent(bool, clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&, clang::ento::CallEvent const&, clang::ento::ExprEngine&, bool) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:307
#12 0xa07d1ef in runCheckersForPostCall /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/CheckerManager.h:274:5
#13 0xa07d1ef in clang::ento::ExprEngine::evalCall(clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNode*, clang::ento::CallEvent const&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp:578
#14 0xa07c657 in clang::ento::ExprEngine::VisitCallExpr(clang::CallExpr const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp:495:5
#15 0xa01249f in clang::ento::ExprEngine::Visit(clang::Stmt const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:1539:7
#16 0xa003888 in clang::ento::ExprEngine::ProcessStmt(clang::Stmt const*, clang::ento::ExplodedNode*) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:743:5
#17 0xa002d48 in clang::ento::ExprEngine::processCFGElement(clang::CFGElement, clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:590:7
#18 0x9fdcdfe in clang::ento::CoreEngine::HandlePostStmt(clang::CFGBlock const*, unsigned int, clang::ento::ExplodedNode*) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:438:12
#19 0x9fdaa85 in clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:192:7
#20 0x9fd9941 in clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:148:5
#21 0x987ae4f in ExecuteWorkList /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h:170:19
#22 0x987ae4f in RunPathSensitiveChecks /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:740
#23 0x987ae4f in (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*> >*) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:715
#24 0x98619d5 in HandleDeclsCallGraph /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:506:5
#25 0x98619d5 in runAnalysisOnTranslationUnit /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:553
#26 0x98619d5 in (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:584
#27 0xa2a0d52 in clang::ParseAST(clang::Sema&, bool, bool) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/Parse/ParseAST.cpp:169:13
#28 0x742e94d in clang::FrontendAction::Execute() /b/sanitizer-x86_64-linux-fast/build</span><span class="gmail-stdout">/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:934:8
</span><span class="gmail-stdout"> #29 0x731950a in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:949:11
#30 0x764c8c8 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:271:25
#31 0xc8b2ee in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/tools/driver/cc1_main.cpp:218:13
#32 0xc83732 in ExecuteCC1Tool /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/tools/driver/driver.cpp:309:12
#33 0xc83732 in main /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/tools/driver/driver.cpp:381
#34 0x7facad0612e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
SUMMARY: AddressSanitizer: 1088 byte(s) leaked in 17 allocation(s).
</span></pre><br class="gmail-Apple-interchange-newline"></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Mar 29, 2019 at 3:19 PM Artem Dergachev via cfe-commits <<a href="mailto:cfe-commits@lists.llvm.org">cfe-commits@lists.llvm.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Author: dergachev<br>
Date: Fri Mar 29 15:21:00 2019<br>
New Revision: 357323<br>
<br>
URL: <a href="http://llvm.org/viewvc/llvm-project?rev=357323&view=rev" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project?rev=357323&view=rev</a><br>
Log:<br>
[analyzer] Introduce a simplified API for adding custom path notes.<br>
<br>
Almost all path-sensitive checkers need to tell the user when something specific<br>
to that checker happens along the execution path but does not constitute a bug<br>
on its own. For instance, a call to operator delete in C++ has consequences<br>
that are specific to a use-after-free bug. Deleting an object is not a bug<br>
on its own, but when the Analyzer finds an execution path on which a deleted<br>
object is used, it'll have to explain to the user when exactly during that path<br>
did the deallocation take place.<br>
<br>
Historically such custom notes were added by implementing "bug report visitors".<br>
These visitors were post-processing bug reports by visiting every ExplodedNode<br>
along the path and emitting path notes whenever they noticed that a change that<br>
is relevant to a bug report occurs within the program state. For example,<br>
it emits a "memory is deallocated" note when it notices that a pointer changes<br>
its state from "allocated" to "deleted".<br>
<br>
The "visitor" approach is powerful and efficient but hard to use because<br>
such preprocessing implies that the developer first models the effects<br>
of the event (say, changes the pointer's state from "allocated" to "deleted"<br>
as part of operator delete()'s transfer function) and then forgets what happened<br>
and later tries to reverse-engineer itself and figure out what did it do<br>
by looking at the report.<br>
<br>
The proposed approach tries to avoid discarding the information that was<br>
available when the transfer function was evaluated. Instead, it allows the<br>
developer to capture all the necessary information into a closure that<br>
will be automatically invoked later in order to produce the actual note.<br>
<br>
This should reduce boilerplate and avoid very painful logic duplication.<br>
<br>
On the technical side, the closure is a lambda that's put into a special kind of<br>
a program point tag, and a special bug report visitor visits all nodes in the<br>
report and invokes all note-producing closures it finds along the path.<br>
<br>
For now it is up to the lambda to make sure that the note is actually relevant<br>
to the report. For instance, a memory deallocation note would be irrelevant when<br>
we're reporting a division by zero bug or if we're reporting a use-after-free<br>
of a different, unrelated chunk of memory. The lambda can figure these things out<br>
by looking at the bug report object that's passed into it.<br>
<br>
A single checker is refactored to make use of the new functionality: MIGChecker.<br>
Its program state is trivial, making it an easy testing ground for the first<br>
version of the API.<br>
<br>
Differential Revision: <a href="https://reviews.llvm.org/D58367" rel="noreferrer" target="_blank">https://reviews.llvm.org/D58367</a><br>
<br>
Modified:<br>
cfe/trunk/include/clang/Analysis/ProgramPoint.h<br>
cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporter.h<br>
cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h<br>
cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h<br>
cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h<br>
cfe/trunk/lib/StaticAnalyzer/Checkers/MIGChecker.cpp<br>
cfe/trunk/lib/StaticAnalyzer/Core/BugReporter.cpp<br>
cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp<br>
cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp<br>
cfe/trunk/test/Analysis/<a href="http://mig.mm" rel="noreferrer" target="_blank">mig.mm</a><br>
<br>
Modified: cfe/trunk/include/clang/Analysis/ProgramPoint.h<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/Analysis/ProgramPoint.h?rev=357323&r1=357322&r2=357323&view=diff" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/Analysis/ProgramPoint.h?rev=357323&r1=357322&r2=357323&view=diff</a><br>
==============================================================================<br>
--- cfe/trunk/include/clang/Analysis/ProgramPoint.h (original)<br>
+++ cfe/trunk/include/clang/Analysis/ProgramPoint.h Fri Mar 29 15:21:00 2019<br>
@@ -42,12 +42,11 @@ public:<br>
virtual ~ProgramPointTag();<br>
virtual StringRef getTagDescription() const = 0;<br>
<br>
-protected:<br>
/// Used to implement 'isKind' in subclasses.<br>
- const void *getTagKind() { return TagKind; }<br>
+ const void *getTagKind() const { return TagKind; }<br>
<br>
private:<br>
- const void *TagKind;<br>
+ const void *const TagKind;<br>
};<br>
<br>
class SimpleProgramPointTag : public ProgramPointTag {<br>
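Review bot: Dropping `protected:` makes `getTagKind()` part of the public interface of `ProgramPointTag`, but the comment above it still describes it as a subclass-only helper for 'isKind'. Since the new `NoteTag::classof` calls it through a base-class pointer, the comment could say so, for example `/// Returns the opaque kind pointer; used to implement 'isKind' and 'classof'.` The class definition starts before this hunk, so other members may also be affected by the removed access specifier.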
<br>
Modified: cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporter.h<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporter.h?rev=357323&r1=357322&r2=357323&view=diff" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporter.h?rev=357323&r1=357322&r2=357323&view=diff</a><br>
==============================================================================<br>
--- cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporter.h (original)<br>
+++ cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporter.h Fri Mar 29 15:21:00 2019<br>
@@ -592,6 +592,60 @@ public:<br>
NodeMapClosure& getNodeResolver() { return NMC; }<br>
};<br>
<br>
+<br>
+/// The tag upon which the TagVisitor reacts. Add these in order to display<br>
+/// additional PathDiagnosticEventPieces along the path.<br>
+class NoteTag : public ProgramPointTag {<br>
+public:<br>
+ using Callback =<br>
+ std::function<std::string(BugReporterContext &, BugReport &)>;<br>
+<br>
+private:<br>
+ static int Kind;<br>
+<br>
+ const Callback Cb;<br>
+<br>
+ NoteTag(Callback &&Cb) : ProgramPointTag(&Kind), Cb(std::move(Cb)) {}<br>
+<br>
+public:<br>
+ static bool classof(const ProgramPointTag *T) {<br>
+ return T->getTagKind() == &Kind;<br>
+ }<br>
+<br>
+ Optional<std::string> generateMessage(BugReporterContext &BRC,<br>
+ BugReport &R) const {<br>
+ std::string Msg = Cb(BRC, R);<br>
+ if (Msg.empty())<br>
+ return None;<br>
+<br>
+ return std::move(Msg);<br>
+ }<br>
+<br>
+ StringRef getTagDescription() const override {<br>
+ // TODO: Remember a few examples of generated messages<br>
+ // and display them in the ExplodedGraph dump by<br>
+ // returning them from this function.<br>
+ return "Note Tag";<br>
+ }<br>
+<br>
+ // Manage memory for NoteTag objects.<br>
+ class Factory {<br>
+ llvm::BumpPtrAllocator &Alloc;<br>
+<br>
+ public:<br>
+ Factory(llvm::BumpPtrAllocator &Alloc) : Alloc(Alloc) {}<br>
+<br>
+ const NoteTag *makeNoteTag(Callback &&Cb) {<br>
+ // We cannot use make_unique because we cannot access the private<br>
+ // constructor from inside it.<br>
+ NoteTag *Tag = Alloc.Allocate<NoteTag>();<br>
+ return new (Tag) NoteTag(std::move(Cb));<br>
+ }<br>
+ };<br>
+<br>
+ friend class TagVisitor;<br>
+};<br>
+<br>
} // namespace ento<br>
<br>
} // namespace clang<br>
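Review bot: `Factory::makeNoteTag` placement-news each `NoteTag` into an `llvm::BumpPtrAllocator`, which releases its memory without running destructors, so `~NoteTag` never runs and any heap storage owned by the `std::function` member `Cb` is never freed. A callback whose captures do not fit the small-object buffer of `std::function` therefore leaks one allocation per tag. The factory should either own the tags or destroy them explicitly before the allocator is torn down. With the owning form sketched below the allocator argument is no longer needed, so the `NoteTags(G.getAllocator())` initializer in ExprEngine.cpp would change with it.

```cpp
  // Manage memory for NoteTag objects.
  class Factory {
    // Owns every tag so that ~NoteTag (and with it ~Callback) runs when the
    // factory is destroyed.
    std::vector<std::unique_ptr<NoteTag>> Tags;

  public:
    const NoteTag *makeNoteTag(Callback &&Cb) {
      // We cannot use make_unique because we cannot access the private
      // constructor from inside it.
      std::unique_ptr<NoteTag> Tag(new NoteTag(std::move(Cb)));
      Tags.push_back(std::move(Tag));
      return Tags.back().get();
    }
  };
```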
<br>
Modified: cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h?rev=357323&r1=357322&r2=357323&view=diff" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h?rev=357323&r1=357322&r2=357323&view=diff</a><br>
==============================================================================<br>
--- cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h (original)<br>
+++ cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h Fri Mar 29 15:21:00 2019<br>
@@ -14,6 +14,7 @@<br>
#ifndef LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H<br>
#define LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H<br>
<br>
+#include "clang/Analysis/ProgramPoint.h"<br>
#include "clang/Basic/LLVM.h"<br>
#include "clang/StaticAnalyzer/Core/PathSensitive/RangedConstraintManager.h"<br>
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"<br>
@@ -342,6 +343,17 @@ public:<br>
BugReport &BR) override;<br>
};<br>
<br>
+<br>
+/// The visitor detects NoteTags and displays the event notes they contain.<br>
+class TagVisitor : public BugReporterVisitor {<br>
+public:<br>
+ void Profile(llvm::FoldingSetNodeID &ID) const override;<br>
+<br>
+ std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,<br>
+ BugReporterContext &BRC,<br>
+ BugReport &R) override;<br>
+};<br>
+<br>
namespace bugreporter {<br>
<br>
/// Attempts to add visitors to track expression value back to its point of<br>
<br>
Modified: cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h?rev=357323&r1=357322&r2=357323&view=diff" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h?rev=357323&r1=357322&r2=357323&view=diff</a><br>
==============================================================================<br>
--- cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h (original)<br>
+++ cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h Fri Mar 29 15:21:00 2019<br>
@@ -219,6 +219,24 @@ public:<br>
Eng.getBugReporter().emitReport(std::move(R));<br>
}<br>
<br>
+<br>
+ /// Produce a program point tag that displays an additional path note<br>
+ /// to the user. This is a lightweight alternative to the<br>
+ /// BugReporterVisitor mechanism: instead of visiting the bug report<br>
+ /// node-by-node to restore the sequence of events that led to discovering<br>
+ /// a bug, you can add notes as you add your transitions.<br>
+ const NoteTag *getNoteTag(NoteTag::Callback &&Cb) {<br>
+ return Eng.getNoteTags().makeNoteTag(std::move(Cb));<br>
+ }<br>
+<br>
+ /// A shorthand version of getNoteTag that doesn't require you to accept<br>
+ /// the BugReporterContext arguments when you don't need it.<br>
+ const NoteTag *getNoteTag(std::function<std::string(BugReport &)> &&Cb) {<br>
+ return getNoteTag(<br>
+ [Cb](BugReporterContext &, BugReport &BR) { return Cb(BR); });<br>
+ }<br>
+<br>
+<br>
/// Returns the word that should be used to refer to the declaration<br>
/// in the report.<br>
StringRef getDeclDescription(const Decl *D);<br>
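Review bot: The doc comments on both `getNoteTag` overloads do not say that the callback is stored in the tag and run later, when a bug report is built, rather than at the call site. That matters for captures: anything captured by reference or raw pointer must still be valid at that later point, which a checker author cannot tell from the current text. I would add `/// The callback is stored and invoked later, during bug report construction; capture by value, and only capture pointers to objects that are still alive when reports are emitted.` Separately, the shorthand overload takes `Cb` as an rvalue reference but the inner lambda `[Cb]` copies it, which looks unintended and costs a second `std::function` copy per tag. The enclosing class starts and ends outside this hunk.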
<br>
Modified: cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h?rev=357323&r1=357322&r2=357323&view=diff" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h?rev=357323&r1=357322&r2=357323&view=diff</a><br>
==============================================================================<br>
--- cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h (original)<br>
+++ cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h Fri Mar 29 15:21:00 2019<br>
@@ -22,6 +22,7 @@<br>
#include "clang/Analysis/ProgramPoint.h"<br>
#include "clang/Basic/LLVM.h"<br>
#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"<br>
+#include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h"<br>
#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"<br>
#include "clang/StaticAnalyzer/Core/PathSensitive/CoreEngine.h"<br>
#include "clang/StaticAnalyzer/Core/PathSensitive/FunctionSummary.h"<br>
@@ -155,6 +156,8 @@ private:<br>
/// The flag, which specifies the mode of inlining for the engine.<br>
InliningModes HowToInline;<br>
<br>
+ NoteTag::Factory NoteTags;<br>
+<br>
public:<br>
ExprEngine(cross_tu::CrossTranslationUnitContext &CTU, AnalysisManager &mgr,<br>
SetOfConstDecls *VisitedCalleesIn,<br>
@@ -396,6 +399,8 @@ public:<br>
SymbolManager &getSymbolManager() { return SymMgr; }<br>
MemRegionManager &getRegionManager() { return MRMgr; }<br>
<br>
+ NoteTag::Factory &getNoteTags() { return NoteTags; }<br>
+<br>
<br>
// Functions for external checking of whether we have unfinished work<br>
bool wasBlocksExhausted() const { return Engine.wasBlocksExhausted(); }<br>
<br>
Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/MIGChecker.cpp<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/MIGChecker.cpp?rev=357323&r1=357322&r2=357323&view=diff" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/MIGChecker.cpp?rev=357323&r1=357322&r2=357323&view=diff</a><br>
==============================================================================<br>
--- cfe/trunk/lib/StaticAnalyzer/Checkers/MIGChecker.cpp (original)<br>
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/MIGChecker.cpp Fri Mar 29 15:21:00 2019<br>
@@ -80,43 +80,10 @@ public:<br>
checkReturnAux(RS, C);<br>
}<br>
<br>
- class Visitor : public BugReporterVisitor {<br>
- public:<br>
- void Profile(llvm::FoldingSetNodeID &ID) const {<br>
- static int X = 0;<br>
- ID.AddPointer(&X);<br>
- }<br>
-<br>
- std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,<br>
- BugReporterContext &BRC, BugReport &R);<br>
- };<br>
};<br>
} // end anonymous namespace<br>
<br>
-// FIXME: It's a 'const ParmVarDecl *' but there's no ready-made GDM traits<br>
-// specialization for this sort of types.<br>
-REGISTER_TRAIT_WITH_PROGRAMSTATE(ReleasedParameter, const void *)<br>
-<br>
-std::shared_ptr<PathDiagnosticPiece><br>
-MIGChecker::Visitor::VisitNode(const ExplodedNode *N, BugReporterContext &BRC,<br>
- BugReport &R) {<br>
- const auto *NewPVD = static_cast<const ParmVarDecl *>(<br>
- N->getState()->get<ReleasedParameter>());<br>
- const auto *OldPVD = static_cast<const ParmVarDecl *>(<br>
- N->getFirstPred()->getState()->get<ReleasedParameter>());<br>
- if (OldPVD == NewPVD)<br>
- return nullptr;<br>
-<br>
- assert(NewPVD && "What is deallocated cannot be un-deallocated!");<br>
- SmallString<64> Str;<br>
- llvm::raw_svector_ostream OS(Str);<br>
- OS << "Value passed through parameter '" << NewPVD->getName()<br>
- << "' is deallocated";<br>
-<br>
- PathDiagnosticLocation Loc =<br>
- PathDiagnosticLocation::create(N->getLocation(), BRC.getSourceManager());<br>
- return std::make_shared<PathDiagnosticEventPiece>(Loc, OS.str());<br>
-}<br>
+REGISTER_TRAIT_WITH_PROGRAMSTATE(ReleasedParameter, bool)<br>
<br>
static const ParmVarDecl *getOriginParam(SVal V, CheckerContext &C) {<br>
SymbolRef Sym = V.getAsSymbol();<br>
@@ -195,7 +162,16 @@ void MIGChecker::checkPostCall(const Cal<br>
if (!PVD)<br>
return;<br>
<br>
- C.addTransition(C.getState()->set<ReleasedParameter>(PVD));<br>
+ const NoteTag *T = C.getNoteTag([this, PVD](BugReport &BR) -> std::string {<br>
+ if (&BR.getBugType() != &BT)<br>
+ return "";<br>
+ SmallString<64> Str;<br>
+ llvm::raw_svector_ostream OS(Str);<br>
+ OS << "Value passed through parameter '" << PVD->getName()<br>
+ << "\' is deallocated";<br>
+ return OS.str();<br>
+ });<br>
+ C.addTransition(C.getState()->set<ReleasedParameter>(true), T);<br>
}<br>
<br>
// Returns true if V can potentially represent a "successful" kern_return_t.<br>
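Review bot: The escape in `<< "\' is deallocated";` is unnecessary inside a string literal and differs from the removed code, which wrote `<< "' is deallocated";`. The early return `if (&BR.getBugType() != &BT) return "";` would also benefit from a short comment such as `// Only annotate reports of this checker's bug type; an empty string means no note.`, because the empty-string convention is defined elsewhere, in `NoteTag::generateMessage`. Note that the filter compares only the bug type, so with `ReleasedParameter` now a plain `bool` the note is presumably emitted for every released parameter on the path, not just the one the report concerns. `checkPostCall` begins before this hunk.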
@@ -260,7 +236,6 @@ void MIGChecker::checkReturnAux(const Re<br>
<br>
R->addRange(RS->getSourceRange());<br>
bugreporter::trackExpressionValue(N, RS->getRetValue(), *R, false);<br>
- R->addVisitor(llvm::make_unique<Visitor>());<br>
C.emitReport(std::move(R));<br>
}<br>
<br>
<br>
Modified: cfe/trunk/lib/StaticAnalyzer/Core/BugReporter.cpp<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/BugReporter.cpp?rev=357323&r1=357322&r2=357323&view=diff" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/BugReporter.cpp?rev=357323&r1=357322&r2=357323&view=diff</a><br>
==============================================================================<br>
--- cfe/trunk/lib/StaticAnalyzer/Core/BugReporter.cpp (original)<br>
+++ cfe/trunk/lib/StaticAnalyzer/Core/BugReporter.cpp Fri Mar 29 15:21:00 2019<br>
@@ -2612,6 +2612,7 @@ std::pair<BugReport*, std::unique_ptr<Vi<br>
R->addVisitor(llvm::make_unique<NilReceiverBRVisitor>());<br>
R->addVisitor(llvm::make_unique<ConditionBRVisitor>());<br>
R->addVisitor(llvm::make_unique<CXXSelfAssignmentBRVisitor>());<br>
+ R->addVisitor(llvm::make_unique<TagVisitor>());<br>
<br>
BugReporterContext BRC(Reporter, ErrorGraph.BackMap);<br>
<br>
<br>
Modified: cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp?rev=357323&r1=357322&r2=357323&view=diff" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp?rev=357323&r1=357322&r2=357323&view=diff</a><br>
==============================================================================<br>
--- cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp (original)<br>
+++ cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp Fri Mar 29 15:21:00 2019<br>
@@ -2492,6 +2492,30 @@ FalsePositiveRefutationBRVisitor::VisitN<br>
return nullptr;<br>
}<br>
<br>
+int NoteTag::Kind = 0;<br>
+<br>
+void TagVisitor::Profile(llvm::FoldingSetNodeID &ID) const {<br>
+ static int Tag = 0;<br>
+ ID.AddPointer(&Tag);<br>
+}<br>
+<br>
+std::shared_ptr<PathDiagnosticPiece><br>
+TagVisitor::VisitNode(const ExplodedNode *N, BugReporterContext &BRC,<br>
+ BugReport &R) {<br>
+ ProgramPoint PP = N->getLocation();<br>
+ const NoteTag *T = dyn_cast_or_null<NoteTag>(PP.getTag());<br>
+ if (!T)<br>
+ return nullptr;<br>
+<br>
+ if (Optional<std::string> Msg = T->generateMessage(BRC, R)) {<br>
+ PathDiagnosticLocation Loc =<br>
+ PathDiagnosticLocation::create(PP, BRC.getSourceManager());<br>
+ return std::make_shared<PathDiagnosticEventPiece>(Loc, *Msg);<br>
+ }<br>
+<br>
+ return nullptr;<br>
+}<br>
+<br>
void FalsePositiveRefutationBRVisitor::Profile(<br>
llvm::FoldingSetNodeID &ID) const {<br>
static int Tag = 0;<br>
<br>
Modified: cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp?rev=357323&r1=357322&r2=357323&view=diff" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp?rev=357323&r1=357322&r2=357323&view=diff</a><br>
==============================================================================<br>
--- cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp (original)<br>
+++ cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp Fri Mar 29 15:21:00 2019<br>
@@ -201,7 +201,9 @@ ExprEngine::ExprEngine(cross_tu::CrossTr<br>
svalBuilder(StateMgr.getSValBuilder()),<br>
ObjCNoRet(mgr.getASTContext()),<br>
BR(mgr, *this),<br>
- VisitedCallees(VisitedCalleesIn), HowToInline(HowToInlineIn) {<br>
+ VisitedCallees(VisitedCalleesIn),<br>
+ HowToInline(HowToInlineIn),<br>
+ NoteTags(G.getAllocator()) {<br>
unsigned TrimInterval = mgr.options.GraphTrimInterval;<br>
if (TrimInterval != 0) {<br>
// Enable eager node reclamation when constructing the ExplodedGraph.<br>
<br>
Modified: cfe/trunk/test/Analysis/<a href="http://mig.mm" rel="noreferrer" target="_blank">mig.mm</a><br>
URL: <a href="http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/mig.mm?rev=357323&r1=357322&r2=357323&view=diff" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/mig.mm?rev=357323&r1=357322&r2=357323&view=diff</a><br>
==============================================================================<br>
--- cfe/trunk/test/Analysis/<a href="http://mig.mm" rel="noreferrer" target="_blank">mig.mm</a> (original)<br>
+++ cfe/trunk/test/Analysis/<a href="http://mig.mm" rel="noreferrer" target="_blank">mig.mm</a> Fri Mar 29 15:21:00 2019<br>
@@ -91,6 +91,14 @@ kern_return_t release_twice(mach_port_na<br>
// expected-note@-1{{MIG callback fails with error after deallocating argument value. This is a use-after-free vulnerability because the caller will try to deallocate it again}}<br>
}<br>
<br>
+MIG_SERVER_ROUTINE<br>
+kern_return_t no_unrelated_notes(mach_port_name_t port, vm_address_t address, vm_size_t size) {<br>
+ vm_deallocate(port, address, size); // no-note<br>
+ 1 / 0; // expected-warning{{Division by zero}}<br>
+ // expected-note@-1{{Division by zero}}<br>
+ return KERN_SUCCESS;<br>
+}<br>
+<br>
// Make sure we find the bug when the object is destroyed within an<br>
// automatic destructor.<br>
MIG_SERVER_ROUTINE<br>
<br>
<br>
</blockquote></div>