<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Yup, indeed, I reverted it in r357332.<br>
<br>
Also, nice bot!<br>
<br>
<div class="moz-cite-prefix">On 3/29/19 4:14 PM, Vitaly Buka wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAPjTjwtsXd6fJ4gq29mZFD_w=J0TXB6DbOHn8rWdVPMMaRBywA@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Bot detects memory leak probably after this patch
<div><br>
</div>
<div><a
href="http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fast/builds/30957/steps/check-clang%20asan/logs/stdio"
class="cremed" moz-do-not-send="true">http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fast/builds/30957/steps/check-clang%20asan/logs/stdio</a><br>
</div>
<div><br>
</div>
<div>
<pre style="font-family:'Courier New',courier,monotype,monospace;color:rgb(0,0,0);font-size:medium"><span class="gmail-stdout">
=================================================================
==22233==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 1088 byte(s) in 17 object(s) allocated from:
#0 0xc770f8 in operator new(unsigned long) /b/sanitizer-x86_64-linux-fast/build/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:106
#1 0x9c6feef in __libcpp_allocate /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/new:238:10
#2 0x9c6feef in allocate /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/memory:1813
#3 0x9c6feef in __value_func<(lambda at /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h:236:9), std::__1::allocator<(lambda at /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h:236:9)> > /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:1716
#4 0x9c6feef in function<(lambda at /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h:236:9), void> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:2290
#5 0x9c6feef in clang::ento::CheckerContext::getNoteTag(std::__1::function<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > (clang::ento::BugReport&)>&&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h:236
#6 0x9c6f061 in checkPostCall /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Checkers/MIGChecker.cpp:165:24
#7 0x9c6f061 in void clang::ento::check::PostCall::_checkCall<(anonymous namespace)::MIGChecker>(void*, clang::ento::CallEvent const&, clang::ento::CheckerContext&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/Checker.h:183
#8 0x9fbd78c in operator() /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/CheckerManager.h:69:12
#9 0x9fbd78c in runChecker /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:290
#10 0x9fbd78c in expandGraphWithCheckers<(anonymous namespace)::CheckCallContext> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:138
#11 0x9fbd78c in clang::ento::CheckerManager::runCheckersForCallEvent(bool, clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&, clang::ento::CallEvent const&, clang::ento::ExprEngine&, bool) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:307
#12 0xa07d1ef in runCheckersForPostCall /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/CheckerManager.h:274:5
#13 0xa07d1ef in clang::ento::ExprEngine::evalCall(clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNode*, clang::ento::CallEvent const&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp:578
#14 0xa07c657 in clang::ento::ExprEngine::VisitCallExpr(clang::CallExpr const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp:495:5
#15 0xa01249f in clang::ento::ExprEngine::Visit(clang::Stmt const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:1539:7
#16 0xa003888 in clang::ento::ExprEngine::ProcessStmt(clang::Stmt const*, clang::ento::ExplodedNode*) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:743:5
#17 0xa002d48 in clang::ento::ExprEngine::processCFGElement(clang::CFGElement, clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:590:7
#18 0x9fdcdfe in clang::ento::CoreEngine::HandlePostStmt(clang::CFGBlock const*, unsigned int, clang::ento::ExplodedNode*) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:438:12
#19 0x9fdaa85 in clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:192:7
#20 0x9fd9941 in clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:148:5
#21 0x987ae4f in ExecuteWorkList /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h:170:19
#22 0x987ae4f in RunPathSensitiveChecks /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:740
#23 0x987ae4f in (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*> >*) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:715
#24 0x98619d5 in HandleDeclsCallGraph /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:506:5
#25 0x98619d5 in runAnalysisOnTranslationUnit /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:553
#26 0x98619d5 in (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:584
#27 0xa2a0d52 in clang::ParseAST(clang::Sema&, bool, bool) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/Parse/ParseAST.cpp:169:13
#28 0x742e94d in clang::FrontendAction::Execute() /b/sanitizer-x86_64-linux-fast/build</span><span class="gmail-stdout">/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:934:8
</span><span class="gmail-stdout"> #29 0x731950a in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:949:11
#30 0x764c8c8 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:271:25
#31 0xc8b2ee in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/tools/driver/cc1_main.cpp:218:13
#32 0xc83732 in ExecuteCC1Tool /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/tools/driver/driver.cpp:309:12
#33 0xc83732 in main /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/tools/driver/driver.cpp:381
#34 0x7facad0612e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
SUMMARY: AddressSanitizer: 1088 byte(s) leaked in 17 allocation(s).
</span></pre>
<br class="gmail-Apple-interchange-newline">
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri, Mar 29, 2019 at 3:19
PM Artem Dergachev via cfe-commits <<a
href="mailto:cfe-commits@lists.llvm.org"
moz-do-not-send="true">cfe-commits@lists.llvm.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Author:
dergachev<br>
Date: Fri Mar 29 15:21:00 2019<br>
New Revision: 357323<br>
<br>
URL: <a
href="http://llvm.org/viewvc/llvm-project?rev=357323&view=rev"
rel="noreferrer" target="_blank" moz-do-not-send="true">http://llvm.org/viewvc/llvm-project?rev=357323&view=rev</a><br>
Log:<br>
[analyzer] Introduce a simplified API for adding custom path
notes.<br>
<br>
Almost all path-sensitive checkers need to tell the user when
something specific<br>
to that checker happens along the execution path but does not
constitute a bug<br>
on its own. For instance, a call to operator delete in C++ has
consequences<br>
that are specific to a use-after-free bug. Deleting an object
is not a bug<br>
on its own, but when the Analyzer finds an execution path on
which a deleted<br>
object is used, it'll have to explain to the user when exactly
during that path<br>
did the deallocation take place.<br>
<br>
Historically such custom notes were added by implementing "bug
report visitors".<br>
These visitors were post-processing bug reports by visiting
every ExplodedNode<br>
along the path and emitting path notes whenever they noticed
that a change that<br>
is relevant to a bug report occurs within the program state.
For example,<br>
it emits a "memory is deallocated" note when it notices that a
pointer changes<br>
its state from "allocated" to "deleted".<br>
<br>
The "visitor" approach is powerful and efficient but hard to
use because<br>
such preprocessing implies that the developer first models the
effects<br>
of the event (say, changes the pointer's state from
"allocated" to "deleted"<br>
as part of operator delete()'s transfer function) and then
forgets what happened<br>
and later tries to reverse-engineer itself and figure out what
did it do<br>
by looking at the report.<br>
<br>
The proposed approach tries to avoid discarding the
information that was<br>
available when the transfer function was evaluated. Instead,
it allows the<br>
developer to capture all the necessary information into a
closure that<br>
will be automatically invoked later in order to produce the
actual note.<br>
<br>
This should reduce boilerplate and avoid very painful logic
duplication.<br>
<br>
On the technical side, the closure is a lambda that's put into
a special kind of<br>
a program point tag, and a special bug report visitor visits
all nodes in the<br>
report and invokes all note-producing closures it finds along
the path.<br>
<br>
For now it is up to the lambda to make sure that the note is
actually relevant<br>
to the report. For instance, a memory deallocation note would
be irrelevant when<br>
we're reporting a division by zero bug or if we're reporting a
use-after-free<br>
of a different, unrelated chunk of memory. The lambda can
figure these things out<br>
by looking at the bug report object that's passed into it.<br>
<br>
A single checker is refactored to make use of the new
functionality: MIGChecker.<br>
Its program state is trivial, making it an easy testing ground
for the first<br>
version of the API.<br>
<br>
Differential Revision: <a
href="https://reviews.llvm.org/D58367" rel="noreferrer"
target="_blank" moz-do-not-send="true">https://reviews.llvm.org/D58367</a><br>
<br>
Modified:<br>
cfe/trunk/include/clang/Analysis/ProgramPoint.h<br>
cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporter.h<br>
cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h<br>
cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h<br>
cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h<br>
cfe/trunk/lib/StaticAnalyzer/Checkers/MIGChecker.cpp<br>
cfe/trunk/lib/StaticAnalyzer/Core/BugReporter.cpp<br>
cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp<br>
cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp<br>
cfe/trunk/test/Analysis/<a href="http://mig.mm"
rel="noreferrer" target="_blank" moz-do-not-send="true">mig.mm</a><br>
<br>
Modified: cfe/trunk/include/clang/Analysis/ProgramPoint.h<br>
URL: <a
href="http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/Analysis/ProgramPoint.h?rev=357323&r1=357322&r2=357323&view=diff"
rel="noreferrer" target="_blank" moz-do-not-send="true">http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/Analysis/ProgramPoint.h?rev=357323&r1=357322&r2=357323&view=diff</a><br>
==============================================================================<br>
--- cfe/trunk/include/clang/Analysis/ProgramPoint.h (original)<br>
+++ cfe/trunk/include/clang/Analysis/ProgramPoint.h Fri Mar 29
15:21:00 2019<br>
@@ -42,12 +42,11 @@ public:<br>
virtual ~ProgramPointTag();<br>
virtual StringRef getTagDescription() const = 0;<br>
<br>
-protected:<br>
/// Used to implement 'isKind' in subclasses.<br>
- const void *getTagKind() { return TagKind; }<br>
+ const void *getTagKind() const { return TagKind; }<br>
<br>
private:<br>
- const void *TagKind;<br>
+ const void *const TagKind;<br>
};<br>
<br>
class SimpleProgramPointTag : public ProgramPointTag {<br>
<br>
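</blockquote>
</div>
</blockquote>
Review bot: with the protected: label removed, getTagKind() becomes public on every ProgramPointTag, while its comment still says it is "Used to implement 'isKind' in subclasses". The only new caller visible in this commit is NoteTag::classof, so the comment should say that the accessor is now public for classof-style checks, or access should be granted to the tag classes that need it rather than to every caller.<br>
<br>
<blockquote type="cite" cite="mid:CAPjTjwtsXd6fJ4gq29mZFD_w=J0TXB6DbOHn8rWdVPMMaRBywA@mail.gmail.com">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">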
Modified:
cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporter.h<br>
URL: <a
href="http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporter.h?rev=357323&r1=357322&r2=357323&view=diff"
rel="noreferrer" target="_blank" moz-do-not-send="true">http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporter.h?rev=357323&r1=357322&r2=357323&view=diff</a><br>
==============================================================================<br>
---
cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporter.h
(original)<br>
+++
cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporter.h
Fri Mar 29 15:21:00 2019<br>
@@ -592,6 +592,60 @@ public:<br>
NodeMapClosure& getNodeResolver() { return NMC; }<br>
};<br>
<br>
+<br>
+/// The tag upon which the TagVisitor reacts. Add these in
order to display<br>
+/// additional PathDiagnosticEventPieces along the path.<br>
+class NoteTag : public ProgramPointTag {<br>
+public:<br>
+ using Callback =<br>
+ std::function<std::string(BugReporterContext &,
BugReport &)>;<br>
+<br>
+private:<br>
+ static int Kind;<br>
+<br>
+ const Callback Cb;<br>
+<br>
+ NoteTag(Callback &&Cb) :
ProgramPointTag(&Kind), Cb(std::move(Cb)) {}<br>
+<br>
+public:<br>
+ static bool classof(const ProgramPointTag *T) {<br>
+ return T->getTagKind() == &Kind;<br>
+ }<br>
+<br>
+ Optional<std::string>
generateMessage(BugReporterContext &BRC,<br>
+ BugReport &R)
const {<br>
+ std::string Msg = Cb(BRC, R);<br>
+ if (Msg.empty())<br>
+ return None;<br>
+<br>
+ return std::move(Msg);<br>
+ }<br>
+<br>
+ StringRef getTagDescription() const override {<br>
+ // TODO: Remember a few examples of generated messages<br>
+ // and display them in the ExplodedGraph dump by<br>
+ // returning them from this function.<br>
+ return "Note Tag";<br>
+ }<br>
+<br>
+ // Manage memory for NoteTag objects.<br>
+ class Factory {<br>
+ llvm::BumpPtrAllocator &Alloc;<br>
+<br>
+ public:<br>
+ Factory(llvm::BumpPtrAllocator &Alloc) : Alloc(Alloc)
{}<br>
+<br>
+ const NoteTag *makeNoteTag(Callback &&Cb) {<br>
+ // We cannot use make_unique because we cannot access
the private<br>
+ // constructor from inside it.<br>
+ NoteTag *Tag = Alloc.Allocate<NoteTag>();<br>
+ return new (Tag) NoteTag(std::move(Cb));<br>
+ }<br>
+ };<br>
+<br>
+ friend class TagVisitor;<br>
+};<br>
+<br>
} // namespace ento<br>
<br>
} // namespace clang<br>
<br>
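</blockquote>
</div>
</blockquote>
Review bot: Factory::makeNoteTag constructs each NoteTag with placement new inside an llvm::BumpPtrAllocator, and nothing in this hunk ever runs ~NoteTag(), so the std::function member Cb is never destroyed. A bump allocator gives back raw storage only; whatever Cb allocated for its closure stays on the heap, which matches the LeakSanitizer trace in this thread (17 allocations made while constructing a std::function under CheckerContext::getNoteTag). Let the factory own the tags in a container that runs their destructors, or destroy them explicitly when the factory goes away.<br>
<br>
<blockquote type="cite" cite="mid:CAPjTjwtsXd6fJ4gq29mZFD_w=J0TXB6DbOHn8rWdVPMMaRBywA@mail.gmail.com">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">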
Modified:
cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h<br>
URL: <a
href="http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h?rev=357323&r1=357322&r2=357323&view=diff"
rel="noreferrer" target="_blank" moz-do-not-send="true">http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h?rev=357323&r1=357322&r2=357323&view=diff</a><br>
==============================================================================<br>
---
cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h
(original)<br>
+++
cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h
Fri Mar 29 15:21:00 2019<br>
@@ -14,6 +14,7 @@<br>
#ifndef
LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H<br>
#define
LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H<br>
<br>
+#include "clang/Analysis/ProgramPoint.h"<br>
#include "clang/Basic/LLVM.h"<br>
#include
"clang/StaticAnalyzer/Core/PathSensitive/RangedConstraintManager.h"<br>
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"<br>
@@ -342,6 +343,17 @@ public:<br>
BugReport &BR) override;<br>
};<br>
<br>
+<br>
+/// The visitor detects NoteTags and displays the event notes
they contain.<br>
+class TagVisitor : public BugReporterVisitor {<br>
+public:<br>
+ void Profile(llvm::FoldingSetNodeID &ID) const
override;<br>
+<br>
+ std::shared_ptr<PathDiagnosticPiece> VisitNode(const
ExplodedNode *N,<br>
+
BugReporterContext &BRC,<br>
+ BugReport
&R) override;<br>
+};<br>
+<br>
namespace bugreporter {<br>
<br>
/// Attempts to add visitors to track expression value back
to its point of<br>
<br>
Modified:
cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h<br>
URL: <a
href="http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h?rev=357323&r1=357322&r2=357323&view=diff"
rel="noreferrer" target="_blank" moz-do-not-send="true">http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h?rev=357323&r1=357322&r2=357323&view=diff</a><br>
==============================================================================<br>
---
cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h
(original)<br>
+++
cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h
Fri Mar 29 15:21:00 2019<br>
@@ -219,6 +219,24 @@ public:<br>
Eng.getBugReporter().emitReport(std::move(R));<br>
}<br>
<br>
+<br>
+ /// Produce a program point tag that displays an additional
path note<br>
+ /// to the user. This is a lightweight alternative to the<br>
+ /// BugReporterVisitor mechanism: instead of visiting the
bug report<br>
+ /// node-by-node to restore the sequence of events that led
to discovering<br>
+ /// a bug, you can add notes as you add your transitions.<br>
+ const NoteTag *getNoteTag(NoteTag::Callback &&Cb) {<br>
+ return Eng.getNoteTags().makeNoteTag(std::move(Cb));<br>
+ }<br>
+<br>
+ /// A shorthand version of getNoteTag that doesn't require
you to accept<br>
+ /// the BugReporterContext arguments when you don't need
it.<br>
+ const NoteTag
*getNoteTag(std::function<std::string(BugReport &)>
&&Cb) {<br>
+ return getNoteTag(<br>
+ [Cb](BugReporterContext &, BugReport &BR) {
return Cb(BR); });<br>
+ }<br>
+<br>
+<br>
/// Returns the word that should be used to refer to the
declaration<br>
/// in the report.<br>
StringRef getDeclDescription(const Decl *D);<br>
<br>
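</blockquote>
</div>
</blockquote>
Review bot: in the shorthand getNoteTag overload, the wrapper lambda captures the callback with [Cb], which copies the std::function even though the parameter is an rvalue reference, so the caller's callable is never moved. This wrapper closure, a lambda that holds a whole std::function, is the object the LeakSanitizer trace in this thread points at (CheckerContext.h:236); the doc comment should state who owns and destroys it. The same comment says "arguments" and "it" for what is a single BugReporterContext argument.<br>
<br>
<blockquote type="cite" cite="mid:CAPjTjwtsXd6fJ4gq29mZFD_w=J0TXB6DbOHn8rWdVPMMaRBywA@mail.gmail.com">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">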
Modified:
cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h<br>
URL: <a
href="http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h?rev=357323&r1=357322&r2=357323&view=diff"
rel="noreferrer" target="_blank" moz-do-not-send="true">http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h?rev=357323&r1=357322&r2=357323&view=diff</a><br>
==============================================================================<br>
---
cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
(original)<br>
+++
cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
Fri Mar 29 15:21:00 2019<br>
@@ -22,6 +22,7 @@<br>
#include "clang/Analysis/ProgramPoint.h"<br>
#include "clang/Basic/LLVM.h"<br>
#include
"clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"<br>
+#include
"clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h"<br>
#include
"clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"<br>
#include
"clang/StaticAnalyzer/Core/PathSensitive/CoreEngine.h"<br>
#include
"clang/StaticAnalyzer/Core/PathSensitive/FunctionSummary.h"<br>
@@ -155,6 +156,8 @@ private:<br>
/// The flag, which specifies the mode of inlining for the
engine.<br>
InliningModes HowToInline;<br>
<br>
+ NoteTag::Factory NoteTags;<br>
+<br>
public:<br>
ExprEngine(cross_tu::CrossTranslationUnitContext &CTU,
AnalysisManager &mgr,<br>
SetOfConstDecls *VisitedCalleesIn,<br>
@@ -396,6 +399,8 @@ public:<br>
SymbolManager &getSymbolManager() { return SymMgr; }<br>
MemRegionManager &getRegionManager() { return MRMgr; }<br>
<br>
+ NoteTag::Factory &getNoteTags() { return NoteTags; }<br>
+<br>
<br>
// Functions for external checking of whether we have
unfinished work<br>
bool wasBlocksExhausted() const { return
Engine.wasBlocksExhausted(); }<br>
<br>
Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/MIGChecker.cpp<br>
URL: <a
href="http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/MIGChecker.cpp?rev=357323&r1=357322&r2=357323&view=diff"
rel="noreferrer" target="_blank" moz-do-not-send="true">http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/MIGChecker.cpp?rev=357323&r1=357322&r2=357323&view=diff</a><br>
==============================================================================<br>
--- cfe/trunk/lib/StaticAnalyzer/Checkers/MIGChecker.cpp
(original)<br>
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/MIGChecker.cpp Fri
Mar 29 15:21:00 2019<br>
@@ -80,43 +80,10 @@ public:<br>
checkReturnAux(RS, C);<br>
}<br>
<br>
- class Visitor : public BugReporterVisitor {<br>
- public:<br>
- void Profile(llvm::FoldingSetNodeID &ID) const {<br>
- static int X = 0;<br>
- ID.AddPointer(&X);<br>
- }<br>
-<br>
- std::shared_ptr<PathDiagnosticPiece>
VisitNode(const ExplodedNode *N,<br>
- BugReporterContext &BRC, BugReport &R);<br>
- };<br>
};<br>
} // end anonymous namespace<br>
<br>
-// FIXME: It's a 'const ParmVarDecl *' but there's no
ready-made GDM traits<br>
-// specialization for this sort of types.<br>
-REGISTER_TRAIT_WITH_PROGRAMSTATE(ReleasedParameter, const
void *)<br>
-<br>
-std::shared_ptr<PathDiagnosticPiece><br>
-MIGChecker::Visitor::VisitNode(const ExplodedNode *N,
BugReporterContext &BRC,<br>
- BugReport &R) {<br>
- const auto *NewPVD = static_cast<const ParmVarDecl
*>(<br>
- N->getState()->get<ReleasedParameter>());<br>
- const auto *OldPVD = static_cast<const ParmVarDecl
*>(<br>
-
N->getFirstPred()->getState()->get<ReleasedParameter>());<br>
- if (OldPVD == NewPVD)<br>
- return nullptr;<br>
-<br>
- assert(NewPVD && "What is deallocated cannot be
un-deallocated!");<br>
- SmallString<64> Str;<br>
- llvm::raw_svector_ostream OS(Str);<br>
- OS << "Value passed through parameter '" <<
NewPVD->getName()<br>
- << "' is deallocated";<br>
-<br>
- PathDiagnosticLocation Loc =<br>
- PathDiagnosticLocation::create(N->getLocation(),
BRC.getSourceManager());<br>
- return
std::make_shared<PathDiagnosticEventPiece>(Loc,
OS.str());<br>
-}<br>
+REGISTER_TRAIT_WITH_PROGRAMSTATE(ReleasedParameter, bool)<br>
<br>
static const ParmVarDecl *getOriginParam(SVal V,
CheckerContext &C) {<br>
SymbolRef Sym = V.getAsSymbol();<br>
@@ -195,7 +162,16 @@ void MIGChecker::checkPostCall(const Cal<br>
if (!PVD)<br>
return;<br>
<br>
-
C.addTransition(C.getState()->set<ReleasedParameter>(PVD));<br>
+ const NoteTag *T = C.getNoteTag([this, PVD](BugReport
&BR) -> std::string {<br>
+ if (&BR.getBugType() != &BT)<br>
+ return "";<br>
+ SmallString<64> Str;<br>
+ llvm::raw_svector_ostream OS(Str);<br>
+ OS << "Value passed through parameter '" <<
PVD->getName()<br>
+ << "\' is deallocated";<br>
+ return OS.str();<br>
+ });<br>
+
C.addTransition(C.getState()->set<ReleasedParameter>(true),
T);<br>
}<br>
<br>
// Returns true if V can potentially represent a "successful"
kern_return_t.<br>
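</blockquote>
</div>
</blockquote>
Review bot: the note callback in checkPostCall decides relevance only by comparing &BR.getBugType() with &BT. The commit message names a second case, a report about a different, unrelated value, and with ReleasedParameter reduced to bool there is nothing left to compare PVD against; a short comment saying why the bug-type check is sufficient for this checker would help the next checker author who copies the pattern. Nit: the escape in "\' is deallocated" is unnecessary inside a double-quoted string, and the opening quote in the same statement is written without it.<br>
<br>
<blockquote type="cite" cite="mid:CAPjTjwtsXd6fJ4gq29mZFD_w=J0TXB6DbOHn8rWdVPMMaRBywA@mail.gmail.com">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">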
@@ -260,7 +236,6 @@ void MIGChecker::checkReturnAux(const Re<br>
<br>
R->addRange(RS->getSourceRange());<br>
bugreporter::trackExpressionValue(N, RS->getRetValue(),
*R, false);<br>
- R->addVisitor(llvm::make_unique<Visitor>());<br>
C.emitReport(std::move(R));<br>
}<br>
<br>
<br>
Modified: cfe/trunk/lib/StaticAnalyzer/Core/BugReporter.cpp<br>
URL: <a
href="http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/BugReporter.cpp?rev=357323&r1=357322&r2=357323&view=diff"
rel="noreferrer" target="_blank" moz-do-not-send="true">http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/BugReporter.cpp?rev=357323&r1=357322&r2=357323&view=diff</a><br>
==============================================================================<br>
--- cfe/trunk/lib/StaticAnalyzer/Core/BugReporter.cpp
(original)<br>
+++ cfe/trunk/lib/StaticAnalyzer/Core/BugReporter.cpp Fri Mar
29 15:21:00 2019<br>
@@ -2612,6 +2612,7 @@ std::pair<BugReport*,
std::unique_ptr<Vi<br>
R->addVisitor(llvm::make_unique<NilReceiverBRVisitor>());<br>
R->addVisitor(llvm::make_unique<ConditionBRVisitor>());<br>
R->addVisitor(llvm::make_unique<CXXSelfAssignmentBRVisitor>());<br>
+ R->addVisitor(llvm::make_unique<TagVisitor>());<br>
<br>
BugReporterContext BRC(Reporter, ErrorGraph.BackMap);<br>
<br>
<br>
Modified:
cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp<br>
URL: <a
href="http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp?rev=357323&r1=357322&r2=357323&view=diff"
rel="noreferrer" target="_blank" moz-do-not-send="true">http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp?rev=357323&r1=357322&r2=357323&view=diff</a><br>
==============================================================================<br>
--- cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
(original)<br>
+++ cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
Fri Mar 29 15:21:00 2019<br>
@@ -2492,6 +2492,30 @@
FalsePositiveRefutationBRVisitor::VisitN<br>
return nullptr;<br>
}<br>
<br>
+int NoteTag::Kind = 0;<br>
+<br>
+void TagVisitor::Profile(llvm::FoldingSetNodeID &ID)
const {<br>
+ static int Tag = 0;<br>
+ ID.AddPointer(&Tag);<br>
+}<br>
+<br>
+std::shared_ptr<PathDiagnosticPiece><br>
+TagVisitor::VisitNode(const ExplodedNode *N,
BugReporterContext &BRC,<br>
+ BugReport &R) {<br>
+ ProgramPoint PP = N->getLocation();<br>
+ const NoteTag *T =
dyn_cast_or_null<NoteTag>(PP.getTag());<br>
+ if (!T)<br>
+ return nullptr;<br>
+<br>
+ if (Optional<std::string> Msg =
T->generateMessage(BRC, R)) {<br>
+ PathDiagnosticLocation Loc =<br>
+ PathDiagnosticLocation::create(PP,
BRC.getSourceManager());<br>
+ return
std::make_shared<PathDiagnosticEventPiece>(Loc, *Msg);<br>
+ }<br>
+<br>
+ return nullptr;<br>
+}<br>
+<br>
void FalsePositiveRefutationBRVisitor::Profile(<br>
llvm::FoldingSetNodeID &ID) const {<br>
static int Tag = 0;<br>
<br>
Modified: cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp<br>
URL: <a
href="http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp?rev=357323&r1=357322&r2=357323&view=diff"
rel="noreferrer" target="_blank" moz-do-not-send="true">http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp?rev=357323&r1=357322&r2=357323&view=diff</a><br>
==============================================================================<br>
--- cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp
(original)<br>
+++ cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp Fri Mar
29 15:21:00 2019<br>
@@ -201,7 +201,9 @@ ExprEngine::ExprEngine(cross_tu::CrossTr<br>
svalBuilder(StateMgr.getSValBuilder()),<br>
ObjCNoRet(mgr.getASTContext()),<br>
BR(mgr, *this),<br>
- VisitedCallees(VisitedCalleesIn),
HowToInline(HowToInlineIn) {<br>
+ VisitedCallees(VisitedCalleesIn),<br>
+ HowToInline(HowToInlineIn),<br>
+ NoteTags(G.getAllocator()) {<br>
unsigned TrimInterval = mgr.options.GraphTrimInterval;<br>
if (TrimInterval != 0) {<br>
// Enable eager node reclamation when constructing the
ExplodedGraph.<br>
<br>
Modified: cfe/trunk/test/Analysis/<a href="http://mig.mm"
rel="noreferrer" target="_blank" moz-do-not-send="true">mig.mm</a><br>
URL: <a
href="http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/mig.mm?rev=357323&r1=357322&r2=357323&view=diff"
rel="noreferrer" target="_blank" moz-do-not-send="true">http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/mig.mm?rev=357323&r1=357322&r2=357323&view=diff</a><br>
==============================================================================<br>
--- cfe/trunk/test/Analysis/<a href="http://mig.mm"
rel="noreferrer" target="_blank" moz-do-not-send="true">mig.mm</a>
(original)<br>
+++ cfe/trunk/test/Analysis/<a href="http://mig.mm"
rel="noreferrer" target="_blank" moz-do-not-send="true">mig.mm</a>
Fri Mar 29 15:21:00 2019<br>
@@ -91,6 +91,14 @@ kern_return_t release_twice(mach_port_na<br>
// expected-note@-1{{MIG callback fails
with error after deallocating argument value. This is a
use-after-free vulnerability because the caller will try to
deallocate it again}}<br>
}<br>
<br>
+MIG_SERVER_ROUTINE<br>
+kern_return_t no_unrelated_notes(mach_port_name_t port,
vm_address_t address, vm_size_t size) {<br>
+ vm_deallocate(port, address, size); // no-note<br>
+ 1 / 0; // expected-warning{{Division by zero}}<br>
+ // expected-note@-1{{Division by zero}}<br>
+ return KERN_SUCCESS;<br>
+}<br>
+<br>
// Make sure we find the bug when the object is destroyed
within an<br>
// automatic destructor.<br>
MIG_SERVER_ROUTINE<br>
<br>
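</blockquote>
</div>
</blockquote>
Review bot: no_unrelated_notes covers only one of the two irrelevance cases the commit message describes, a report of a different bug type (division by zero). There is no test in which a MIG report is emitted for one argument while the deallocation note for another argument has to stay silent; add that case, or record in the test file why this checker cannot produce it.<br>
<br>
<blockquote type="cite" cite="mid:CAPjTjwtsXd6fJ4gq29mZFD_w=J0TXB6DbOHn8rWdVPMMaRBywA@mail.gmail.com">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">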
<br>
</blockquote>
</div>
</blockquote>
<br>
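The leak reported in this thread, reduced to a stand-alone C++ illustration that is added here and is not code from the patch or from LLVM. Tracked, Tag, Arena and both factories are hypothetical stand-ins, and the count of 17 is a constructed sample chosen to mirror the report.

```cpp
#include <cstddef>
#include <functional>
#include <memory>
#include <new>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-in for state a checker lambda captures (not LLVM code).
struct Tracked {
  static int Live; // objects currently alive
  std::string Name;
  explicit Tracked(std::string N) : Name(std::move(N)) { ++Live; }
  Tracked(const Tracked &O) : Name(O.Name) { ++Live; }
  ~Tracked() { --Live; }
};
int Tracked::Live = 0;

// Hypothetical tag that stores a note-producing closure.
struct Tag {
  std::function<std::string()> Cb;
  explicit Tag(std::function<std::string()> &&C) : Cb(std::move(C)) {}
};

// Toy bump arena: releases raw bytes in bulk and never runs destructors.
class Arena {
  std::vector<std::unique_ptr<unsigned char[]>> Slabs;
public:
  void *allocate(std::size_t Size) {
    Slabs.push_back(std::unique_ptr<unsigned char[]>(new unsigned char[Size]));
    return Slabs.back().get();
  }
};

// Pattern under review: placement new into the arena, no destructor call.
struct ArenaFactory {
  Arena &A;
  const Tag *make(std::function<std::string()> &&Cb) {
    return new (A.allocate(sizeof(Tag))) Tag(std::move(Cb));
  }
};

// Alternative: the factory owns each tag, so ~Tag() runs with the factory.
struct OwningFactory {
  std::vector<std::unique_ptr<Tag>> Tags;
  const Tag *make(std::function<std::string()> &&Cb) {
    Tags.push_back(std::unique_ptr<Tag>(new Tag(std::move(Cb))));
    return Tags.back().get();
  }
};

// Creates N tags; each closure captures one Tracked object by value.
template <typename Factory>
std::vector<const Tag *> makeNotes(Factory &F, int N) {
  std::vector<const Tag *> Made;
  for (int I = 0; I < N; ++I) {
    Tracked Param("p" + std::to_string(I));
    Made.push_back(F.make([Param] {
      return "Value passed through parameter '" + Param.Name + "' is deallocated";
    }));
  }
  return Made;
}

// Captured objects still alive after the arena-backed factory is gone.
int liveAfterArenaFactory(int N) {
  Tracked::Live = 0;
  Arena A;
  std::vector<const Tag *> Made;
  {
    ArenaFactory F{A};
    Made = makeNotes(F, N);
  } // factory gone; no ~Tag() has run
  int StillLive = Tracked::Live;
  // ~Arena() frees bytes only. Destroy by hand so this demo itself is clean.
  for (const Tag *T : Made) T->~Tag();
  return StillLive;
}

int liveAfterOwningFactory(int N) {
  Tracked::Live = 0;
  {
    OwningFactory F;
    makeNotes(F, N);
  } // ~OwningFactory() destroyed every Tag and its closure
  return Tracked::Live;
}

int main() { return liveAfterArenaFactory(17) == 17 && liveAfterOwningFactory(17) == 0 ? 0 : 1; }
```

With the arena-backed factory every captured object outlives the factory; with the owning factory none does.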
</body>
</html>