[cfe-dev] Potentially expensive analysis for missing `[]` in delete expression

Jiří Zárevúcky zarevucky.jiri at gmail.com
Tue Jul 8 16:00:33 PDT 2014 

Hi, I am new here and I am wondering... does the frontend or the static
analyzer have any support for generic abstract interpretation?

I would imagine most of the static analysis done in the frontend is
abstract interpretation in some form, but I am utterly lost in the code so
I have no clue how much of it may be generic and how much is just hardcoded
special cases.


-- Jiří Zárevúcky


On 8 July 2014 23:34, Jordan Rose <jordan_rose at apple.com> wrote:

> The static analyzer *does* have this check:
>
> *<stdin>:3:5: **warning: **Memory allocated by 'new[]' should be
> deallocated by*
> *      'delete[]', not 'delete'*
>     delete a;
> *    ^~~~~~~~*
>
> ...but only if it can see both the allocation and deallocation sites in
> the same path.
>
> Jordan
>
> On Jul 8, 2014, at 10:17 , Rafael Auler <rafaelauler at gmail.com> wrote:
>
> This is an interesting analysis that would really help a lot of people.
> However, if the analysis intend to be truly accurate, I think it should be
> implemented in the static analyzer.
>
> For example:
>
> if (cond)
>   a = new int[5];
> else
>   a = (int*) malloc(sizeof(int)*5);
>
> would easily trick a CFG-based analysis because it can't know at
> compile-time whether cond is true or false.
>
> Nevertheless, I still believe that a front-end analysis can help in
> simpler cases, but we can't expect to be 100% accurate.
>
>
> On Tue, Jul 8, 2014 at 1:57 PM, Ismail Pazarbasi <
> ismail.pazarbasi at gmail.com> wrote:
>
>> Hi,
>>
>> During a demo, audience caught that I forgot [] in delete expression.
>> clang didn't warn about it. I was wondering whether this is due to the cost
>> of analysis. My sample was something like:
>>
>>   class A {
>>     int *a;
>>   public:
>>     A() : a(new int[5]) { }
>>     ~A() { delete /*[]*/ a; }
>>   };
>>
>> but following doesn't seem like to analyze missing [] either:
>>
>>   % clang++ -fsyntax-only -x c++ -pedantic -Wall -Wextra -
>>   void f() {
>>     int *a = new int[5];
>>     delete a;
>>   }
>>   %
>>
>> Is this analysis omitted due to performance concerns or simply an
>> oversight?
>>
>> Analyzing my sample requires clang to analyze all ctor-initializers, then
>> in-class initializers, to check whether member was new[]'ed each time it
>> sees delete expression where pointee is a MemberExpr. For the latter case,
>> I think checking whether VarDecl initialized with new[] is enough. Did I
>> get this right? I already have a patch for this, but I didn't test its
>> performance impact on a sufficiently large code base. Do we have previous
>> implementation experience with this?
>>
>> Ismail
>>
>> _______________________________________________
>> cfe-dev mailing list
>> cfe-dev at cs.uiuc.edu
>> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev
>>
>>
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at cs.uiuc.edu
> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev
>
>
>
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at cs.uiuc.edu
> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20140709/89f6e850/attachment.html>

More information about the cfe-dev mailing list