[cfe-dev] Fwd: [analyzer] false positive in loop?

Francisco Chiotta via cfe-dev cfe-dev at lists.llvm.org
Tue Dec 1 13:12:04 PST 2015


Hi Jonathan,

Thanks for helping me out with this. My question pointed to whether the
analyzer can learn (or not) that the only way the program executes the free
statement in the method 'walkthrough' is when the list passed on as a
parameter has at least one even number. But in the caller, we are making
sure that if the list indeed has even numbers, the if condition (in
loopExample method) should have taken us to the false branch.
If *hasEvenNumbers* returns false, it means there is no even number on the
list. Does the analyzer not store those constraints on the symbols
associated with the elements of the list? If this information is available in
*walkthrough* we could invalidate those paths that make the "*number % 2 ==
0*" condition true, which takes us to the free statement.

Am I doing anything wrong here? Does this make sense?

2015-11-30 21:42 GMT-06:00 Jonathan Roelofs <jonathan at codesourcery.com>:

>
>
> On 11/30/15 6:18 PM, Francisco Chiotta via cfe-dev wrote:
>
>> Hi guys,
>>
>>
>> Does this chunk of code represent a false positive? It warns of a double
>> free. Am I being too ambitious?
>>
>>
>> // Does a walk through the list looking for even numbers. If any,
>> // it frees obj parameter.
>> static void walkthrough(IntegerList list, char* obj) {
>>   for (int i = 0; i<list.getSize(); i++) {
>>     int number = list.at(i);
>>     if (number % 2 == 0){
>>       free(obj);  // <- Attempt to release free memory
>>
>
> If execution ever reaches here ^,
>
>
>>     }
>>   }
>> }
>>
>> // Tell if the list has at least one even number.
>> bool hasEvenNumbers(IntegerList list) {
>>   for (int i = 0; i<list.getSize(); i++) {
>>     int number = list.at(i);
>>     if (number % 2 == 0){
>>       return true;
>>     }
>>   }
>>   return false;
>> }
>>
>> void loopExample(IntegerList list){
>>   char* obj = (char*)malloc(sizeof(char));
>>   free(obj);  // <- First free statement.
>>
>
> it must have passed through here ^... Meaning, if the second statement is
> ever executed, it is always a double free.
>
>
> Jon
>
>
>>   if(!hasEvenNumbers(list)){
>>     walkthrough(list, obj);
>>   }
>>   else {
>>     std::cout<< "The list has at least one even number!"<< std::endl;
>>   }
>> }
>>
>>
>> Thanks!
>>
> --
> Jon Roelofs
> jonathan at codesourcery.com
> CodeSourcery / Mentor Embedded
>
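
Added example, not part of the thread: a runnable reconstruction of the posted code that counts release attempts instead of calling free() twice, so both points made above can be checked at run time (with the caller's guard the release in walkthrough is never reached; without it, every even element releases already-freed memory). The IntegerList stand-in, the Tracked wrapper, release() and loopExampleUnguarded() are assumptions introduced for the demonstration.

```cpp
#include <cstdlib>
#include <vector>

// Assumed stand-in: the thread does not show IntegerList's definition.
struct IntegerList {
    std::vector<int> v;
    int getSize() const { return static_cast<int>(v.size()); }
    int at(int i) const { return v.at(i); }
};

// Hypothetical wrapper: counts release attempts so the demo never
// actually calls free() twice on the same pointer.
struct Tracked { char* p; int releases; };

static void release(Tracked& t) {
    if (t.releases == 0) std::free(t.p);  // only the first attempt frees
    ++t.releases;
}

static void walkthrough(const IntegerList& list, Tracked& obj) {
    for (int i = 0; i < list.getSize(); i++)
        if (list.at(i) % 2 == 0) release(obj);  // the reported free
}

static bool hasEvenNumbers(const IntegerList& list) {
    for (int i = 0; i < list.getSize(); i++)
        if (list.at(i) % 2 == 0) return true;
    return false;
}

// As posted: returns release attempts; more than 1 means a double free.
int loopExample(const IntegerList& list) {
    Tracked obj{static_cast<char*>(std::malloc(sizeof(char))), 0};
    release(obj);  // first free
    if (!hasEvenNumbers(list)) walkthrough(list, obj);
    return obj.releases;
}

// Same body without the caller's guard.
int loopExampleUnguarded(const IntegerList& list) {
    Tracked obj{static_cast<char*>(std::malloc(sizeof(char))), 0};
    release(obj);
    walkthrough(list, obj);
    return obj.releases;
}

int main() { return loopExample({{1, 3, 5}}) == 1 ? 0 : 1; }
```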