<div dir="ltr"><div style="font-size:12.8px">Hello everyone,</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">As part of <a href="https://summerofcode.withgoogle.com/projects/#4884807304609792" target="_blank">my GSoC project</a>, I ran the ISL (Integer Set Library) codebase through the Clang Static Analyzer, whose checker for reference counting (checking for improper memory management), called <b>RetainCountChecker</b>, produced the following diagnostics.</div><div style="font-size:12.8px"><b><br></b></div><b style="font-size:12.8px">Results of building the ISL codebase with scan-build:</b><br style="font-size:12.8px"><table cellspacing="0" cellpadding="0" dir="ltr" border="1" style="table-layout:fixed;font-size:13px;font-family:arial,sans,sans-serif;border-collapse:collapse;border:none"><colgroup><col width="151"><col width="259"></colgroup><tbody><tr style="height:21px"><td style="padding:2px 3px;vertical-align:bottom;word-wrap:break-word">False positives</td><td style="padding:2px 3px;vertical-align:bottom;text-align:right">395</td></tr><tr style="height:21px"><td style="padding:2px 3px;vertical-align:bottom;word-wrap:break-word">True positives</td><td style="padding:2px 3px;vertical-align:bottom;text-align:right">148</td></tr><tr style="height:21px"><td style="padding:2px 3px;vertical-align:bottom;word-wrap:break-word">Not sure</td><td style="padding:2px 3px;vertical-align:bottom;text-align:right">37</td></tr><tr style="height:21px"><td style="padding:2px 3px;vertical-align:bottom"></td><td style="padding:2px 3px;vertical-align:bottom"></td></tr><tr style="height:21px"><td style="padding:2px 3px;vertical-align:bottom">Total</td><td style="padding:2px 3px;vertical-align:bottom;text-align:right">580</td></tr></tbody></table><br style="font-size:12.8px"><b style="font-size:12.8px">Note:</b><span style="font-size:12.8px"> Most of the true positives (121 to be exact) arise due to missing annotations in the declarations of various 
functions.</span><div style="font-size:12.8px"><br></div><div><b style="font-size:12.8px">Types of false positives:</b><br><table cellspacing="0" cellpadding="0" dir="ltr" border="1" style="font-size:13px;table-layout:fixed;font-family:arial,sans,sans-serif;border-collapse:collapse;border:none"><colgroup><col width="199"><col width="100"></colgroup><tbody><tr style="height:21px"><td style="padding:2px 3px;vertical-align:bottom">Leak false positives</td><td style="padding:2px 3px;vertical-align:bottom;text-align:right">323</td></tr><tr style="height:21px"><td style="padding:2px 3px;vertical-align:bottom">Use-after-free false positives</td><td style="padding:2px 3px;vertical-align:bottom;text-align:right">38</td></tr><tr style="height:21px"><td style="padding:2px 3px;vertical-align:bottom">Use-after-release false positives</td><td style="padding:2px 3px;vertical-align:bottom;text-align:right">31</td></tr><tr style="height:21px"><td style="padding:2px 3px;vertical-align:bottom">Bad release false positives</td><td style="padding:2px 3px;vertical-align:bottom;text-align:right">3</td></tr><tr style="height:21px"><td style="padding:2px 3px;vertical-align:bottom">Total false positives</td><td style="padding:2px 3px;vertical-align:bottom;text-align:right">395</td></tr></tbody></table><b style="font-size:12.8px"><br>Leaks:</b><br><div style="font-size:12.8px"><table cellspacing="0" cellpadding="0" dir="ltr" border="1" style="table-layout:fixed;font-size:13px;font-family:arial,sans,sans-serif;border-collapse:collapse;border:none"><colgroup><col width="151"><col width="259"></colgroup><tbody><tr style="height:21px"><td style="padding:2px 3px;vertical-align:bottom">Leaks</td><td style="padding:2px 3px;vertical-align:bottom">(Total = 323)</td></tr><tr style="height:21px"><td style="padding:2px 3px;vertical-align:bottom">obj_free() false positives</td><td style="padding:2px 3px;vertical-align:bottom;text-align:right">213</td></tr><tr style="height:21px"><td style="padding:2px 
3px;vertical-align:bottom">obj_cow() false positives</td><td style="padding:2px 3px;vertical-align:bottom;text-align:right">41</td></tr><tr style="height:21px"><td style="padding:2px 3px;vertical-align:bottom">explicit free false positives</td><td style="padding:2px 3px;vertical-align:bottom;text-align:right">24</td></tr><tr style="height:21px"><td style="padding:2px 3px;vertical-align:bottom">Impossible execution path</td><td style="padding:2px 3px;vertical-align:bottom;text-align:right">1</td></tr><tr style="height:21px"><td style="padding:2px 3px;vertical-align:bottom">function pointer false positives</td><td style="padding:2px 3px;vertical-align:bottom;text-align:right">44</td></tr><tr style="height:21px"><td style="padding:2px 3px;vertical-align:bottom"></td><td style="padding:2px 3px;vertical-align:bottom"></td></tr><tr style="height:21px"><td style="padding:2px 3px;vertical-align:bottom">Total leak false positives</td><td style="padding:2px 3px;vertical-align:bottom;text-align:right">323</td></tr></tbody></table><br></div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">As you can see from the stats mentioned above, most of the leak false positives are due to functions of the type obj_free() where obj is some ISL object like isl_basic_map, isl_basic_set, isl_map, etc. 
</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">The explanations of these false positives are given below.</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px"><br></div><div><span id="gmail-m_1339923580266893754gmail-docs-internal-guid-862bdbbe-e2f8-e49b-c70e-a17abfade890"><p dir="ltr" style="font-size:12.8px;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><font face="arial, helvetica, sans-serif" size="4"><span style="color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"></span></font></p><b style="font-size:12.8px"><font color="#000000" face="arial, helvetica, sans-serif" size="4">obj_free()</font><br></b><div><div class="gmail-m_1339923580266893754gmail-hljs gmail-m_1339923580266893754gmail-ruby" style="overflow-x:auto;padding:0.5em;background:rgb(248,248,248);font-family:monospace"><div><div class="gmail-hljs gmail-cpp" style="display:block;overflow-x:auto;padding:0.5em;color:rgb(51,51,51);background:rgb(248,248,248);font-family:monospace"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span><span class="gmail-hljs-meta" style="color:rgb(31,113,153)">#<span class="gmail-hljs-meta-keyword" style="font-weight:bold">define</span> __isl_give</span></span><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"><span class="gmail-hljs-meta" style="color:rgb(31,113,153)"> </span></span><span><span class="gmail-hljs-meta" style="color:rgb(31,113,153)">__attribute__((cf_returns_retained))</span></span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span id="gmail-docs-internal-guid-862bdbbe-e450-3223-e779-4e46fa46a7b3"></span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span><span class="gmail-hljs-meta" 
style="color:rgb(31,113,153)">#<span class="gmail-hljs-meta-keyword" style="font-weight:bold">define</span> __isl_take __attribute__((cf_consumed))</span></span></p></div></div><br><p dir="ltr" style="font-size:12.8px;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Source Code Pro";color:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"></span></p><p dir="ltr" style="font-size:12.8px;color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt">__isl_null obj *obj_free(__isl_take obj *o)</p><p dir="ltr" style="font-size:12.8px;color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt">{</p><p dir="ltr" style="font-size:12.8px;color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">  </span><span class="gmail-m_1339923580266893754gmail-hljs-keyword" style="font-weight:bold">if</span> (!o)</p><p dir="ltr" style="font-size:12.8px;color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">  </span><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">      </span><span class="gmail-m_1339923580266893754gmail-hljs-keyword" style="font-weight:bold">return</span> NULL;</p><p dir="ltr" style="font-size:12.8px;color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt"> </p><p dir="ltr" style="font-size:12.8px;color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">   </span><span class="gmail-m_1339923580266893754gmail-hljs-keyword" style="font-weight:bold">if</span> (--o->ref > <span 
class="gmail-m_1339923580266893754gmail-hljs-number" style="color:rgb(136,0,0)">0</span>)</p><p dir="ltr" style="font-size:12.8px;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="color:rgb(51,51,51);white-space:pre-wrap">    </span><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="color:rgb(51,51,51);white-space:pre-wrap">  </span><span class="gmail-m_1339923580266893754gmail-hljs-keyword" style="color:rgb(51,51,51);font-weight:bold">return</span><font color="#333333"> NULL;</font><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="color:rgb(51,51,51);white-space:pre-wrap">  </span><span class="gmail-m_1339923580266893754gmail-hljs-regexp" style="color:rgb(188,96,96)">//</span> <b><font color="#ff0000">Leak warning <span class="gmail-m_1339923580266893754gmail-hljs-keyword">for</span> ‘o’.</font></b></p><p dir="ltr" style="font-size:12.8px;color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt"> </p><p style="font-size:12.8px;color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">   // Freeing the fields of 'o'</span></p><p dir="ltr" style="font-size:12.8px;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(51,51,51)"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">    </span></span><font color="#ff0000">free</font><font color="#333333">(o);</font></p><p dir="ltr" style="font-size:12.8px;color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt"> </p><p dir="ltr" style="font-size:12.8px;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="color:rgb(51,51,51);white-space:pre-wrap"> </span><span class="gmail-m_1339923580266893754gmail-hljs-keyword" 
style="color:rgb(51,51,51);font-weight:bold">return</span><font color="#333333"> NULL;</font></p><p dir="ltr" style="font-size:12.8px;color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt">}</p><p dir="ltr" style="font-size:12.8px;color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt"><br></p><p dir="ltr" style="font-size:12.8px;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Source Code Pro";color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"></span></p><br><div style="font-size:12.8px"><div class="gmail-m_1339923580266893754gmail-hljs gmail-m_1339923580266893754gmail-nginx" style="overflow-x:auto;padding:0.5em;color:rgb(51,51,51);background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-hljs-attribute">__isl_give</span> obj *foo(__isl_take obj *o){</p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">  </span><span class="gmail-m_1339923580266893754gmail-hljs-attribute">return</span> obj_free(o);</p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">}</p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><br></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">__isl_give obj *bar(__isl_take obj *o);</p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"> </p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-hljs-attribute">__isl_give</span> obj *dummy(__isl_take obj *o) {</p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span 
class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">       </span><span class="gmail-m_1339923580266893754gmail-hljs-attribute">o</span> = bar(o); // Reference count of 'o' = +1 after calling 'bar'</p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap"> o</span> = foo(o);</p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">       </span><span class="gmail-m_1339923580266893754gmail-hljs-attribute">return</span> o;</p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span id="gmail-m_1339923580266893754gmail-docs-internal-guid-862bdbbe-e2fa-a6a5-cb84-9b3c6e764562"></span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">}</p></div></div><p dir="ltr" style="font-size:12.8px;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Source Code Pro";color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"></span></p></div></div><div style="font-size:12.8px"><br></div><span style="font-size:12.8px">In the above example, consider the analysis to start from 'dummy'.</span></span></div><div style="font-size:12.8px">When the reference counted object 'o' is passed to foo and eventually to obj_free(), in the second 'if' condition inside obj_free(), although the reference count is decremented (according to ISL's convention), the analyzer interprets it as just a change in some field of 'o' and then raises a leak warning.</div><div style="font-size:12.8px"><br></div><div><span style="font-size:12.8px">Along another path in obj_free(), the explicit use of </span><b style="font-size:12.8px">'free(o)'</b><span style="font-size:12.8px"> also raises a leak warning since free() does not decrement the reference count of 
'o'. I have labelled them as </span><b style="font-size:12.8px">'explicit free false positives'. </b><span style="font-size:12.8px">These explicit free false positives are encountered mainly in the case of </span><b style="font-size:12.8px">character pointers</b><span style="font-size:12.8px"> and </span><b style="font-size:12.8px">isl_dim_map pointers</b><span style="font-size:12.8px"> as they are the only ones that are always freed using </span><b style="font-size:12.8px">free() </b><span style="font-size:12.8px">in the ISL codebase</span><span style="font-size:12.8px">.</span><br><p dir="ltr" style="font-size:12.8px;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Source Code Pro";color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"></span></p><div style="font-size:12.8px"><span style="font-family:"Source Code Pro";color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><br></span></div><div style="font-size:12.8px"><span style="color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><b><font face="arial, helvetica, sans-serif" size="4">obj_cow()</font></b></span></div><div style="font-size:12.8px"><span style="color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><font face="arial, helvetica, sans-serif">In case the definition of obj_cow() can be accessed by the analyzer, similar to <b>obj_free()</b>, leak warnings are raised, as obj_cow() doesn't deallocate an object per se; instead, just the reference counters are altered.</font></span></div><div style="font-size:12.8px"><span style="color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><font face="arial, helvetica, sans-serif"><br></font></span></div><div><span style="color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><span 
id="gmail-docs-internal-guid-862bdbbe-e452-00f0-fae2-05fe629c89b5"><p dir="ltr" style="font-size:12.8px;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Source Code Pro";background-color:transparent;vertical-align:baseline"></span></p><br><div><div class="gmail-hljs gmail-perl" style="display:block;overflow-x:auto;padding:0.5em;color:rgb(51,51,51);background:rgb(248,248,248);font-family:monospace"><p dir="ltr" style="white-space:normal;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-hljs-meta" style="color:rgb(31,113,153)">#<span class="gmail-hljs-meta-keyword" style="font-weight:bold">define</span> __isl_give</span><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><span class="gmail-hljs-meta" style="color:rgb(31,113,153)"> </span></span><span class="gmail-hljs-meta" style="color:rgb(31,113,153)">__attribute__((cf_returns_retained))</span></p><p style="white-space:normal;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span id="gmail-docs-internal-guid-862bdbbe-e450-3223-e779-4e46fa46a7b3"></span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span></span></p><p dir="ltr" style="white-space:normal;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-hljs-meta" style="color:rgb(31,113,153)">#<span class="gmail-hljs-meta-keyword" style="font-weight:bold">define</span> __isl_take __attribute__((cf_consumed))</span></p><p dir="ltr" style="white-space:normal;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-hljs-meta" style="color:rgb(31,113,153)"><br></span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span>__isl_give obj *obj_dup(__isl_keep obj *passed_leak_warning_obj) {</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span><span class="gmail-Apple-tab-span" style="white-space:pre">       
</span></span><span><span class="gmail-hljs-regexp" style="color:rgb(188,96,96)">//</span> <b>Some code which does <span class="gmail-hljs-keyword">not</span> deallocate passed_leak_warning_obj</b></span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span>}</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"> </p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span>__isl_give obj *obj_cow(__isl_take obj *passed_leak_warning_obj) {</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span><span class="gmail-Apple-tab-span" style="white-space:pre">      </span></span><span><span class="gmail-hljs-keyword" style="font-weight:bold">if</span>(!passed_leak_warning_obj)</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span><span class="gmail-Apple-tab-span" style="white-space:pre">    </span></span><span><span class="gmail-Apple-tab-span" style="white-space:pre">     </span></span><span><span class="gmail-hljs-keyword" style="font-weight:bold">return</span> NULL;</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span><span class="gmail-Apple-tab-span" style="white-space:pre">    </span></span><span><span class="gmail-hljs-keyword" style="font-weight:bold">if</span>(passed_leak_warning_obj-><span class="gmail-hljs-keyword" style="font-weight:bold">ref</span> == <span class="gmail-hljs-number" style="color:rgb(136,0,0)">1</span>)</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span><span class="gmail-Apple-tab-span" style="white-space:pre">     </span></span><span><span class="gmail-Apple-tab-span" style="white-space:pre">     </span></span><span><span class="gmail-hljs-keyword" style="font-weight:bold">return</span> passed_leak_warning_obj;</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span><span class="gmail-Apple-tab-span" 
style="white-space:pre"> </span></span><span>passed_leak_warning_obj-><span class="gmail-hljs-keyword" style="font-weight:bold">ref</span>--;</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span><span class="gmail-Apple-tab-span" style="white-space:pre">      </span></span><span><span class="gmail-hljs-keyword" style="font-weight:bold">return</span> obj_dup(passed_leak_warning_obj);</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span>}</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"> </p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span>__isl_give obj *foo(some arguments) {</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span><span class="gmail-Apple-tab-span" style="white-space:pre">     </span></span><span>obj *leak_warning_obj;</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span><span class="gmail-Apple-tab-span" style="white-space:pre">   </span></span><span>leak_warning_obj = some_function_returning_isl_give_pointer(some_parameters); </span><span><span class="gmail-hljs-regexp" style="color:rgb(188,96,96)">//</span> <b>retain count = +<span class="gmail-hljs-number" style="color:rgb(136,0,0)">1</span></b></span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span><span class="gmail-Apple-tab-span" style="white-space:pre">     </span></span><span>leak_warning_obj = obj_cow(leak_warning_obj);</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span><span class="gmail-Apple-tab-span" style="white-space:pre">    </span></span><span><span class="gmail-hljs-regexp" style="color:rgb(188,96,96)">//</span> <b>Now, the <span class="gmail-hljs-keyword">use</span> of leak_warning_obj raises a leak warning about it.</b></span></p><p dir="ltr" 
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span>}</span></p></div></div><span style="font-size:12.8px"><br></span><p dir="ltr" style="font-size:12.8px;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Source Code Pro";background-color:transparent;vertical-align:baseline"></span></p><div><span style="background-color:transparent;vertical-align:baseline"><font face="arial, helvetica, sans-serif">In the above example, assume that the analysis starts from the function foo. When leak_warning_obj, obtained with a retain count of +1, is passed to obj_cow(), it is not <i>consumed</i>, so to speak, which leads the analyzer to raise a leak warning.</font></span></div></span></span></div><div style="font-size:12.8px"><span style="color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><font face="arial, helvetica, sans-serif"><br></font></span></div><div style="font-size:12.8px"><span style="color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><font face="arial, helvetica, sans-serif" size="4"><b>Function pointers</b></font></span></div><div style="font-size:12.8px"><font color="#000000" face="arial, helvetica, sans-serif"><span style="white-space:pre-wrap">Now, there are two different kinds of usage of function pointers which lead to leak false positives.</span></font></div><div style="font-size:12.8px"><font color="#000000" face="arial, helvetica, sans-serif"><span style="white-space:pre-wrap"><br></span></font></div><div style="font-size:12.8px"><font color="#000000" face="arial, helvetica, sans-serif"><span style="white-space:pre-wrap"><b>Case 1</b></span></font></div><div style="font-size:12.8px"><span id="gmail-m_1339923580266893754gmail-docs-internal-guid-862bdbbe-e317-dc26-7449-e1ef77635b8e"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Consider a function ‘bar’ 
whose pointer is a field of 'some_obj' and is accessible inside a function ‘foo’. If an object in foo (obtained as an __isl_give pointer) is passed to ‘bar’, which takes this object with an __isl_take annotation, it still raises a leak warning for that object.</span></span><font color="#000000" face="arial, helvetica, sans-serif"><span style="white-space:pre-wrap"><b><br></b></span></font></div><div style="font-size:12.8px"><span id="gmail-m_1339923580266893754gmail-docs-internal-guid-862bdbbe-e317-5957-37ee-ec18cc8d23c6"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Source Code Pro";color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"></span></p><br><div><div class="gmail-m_1339923580266893754gmail-hljs gmail-m_1339923580266893754gmail-bash" style="overflow-x:auto;padding:0.5em;color:rgb(51,51,51);background:rgb(248,248,248);font-family:monospace"><p dir="ltr" style="font-size:small;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span><span class="gmail-hljs-meta" style="color:rgb(31,113,153)">#<span class="gmail-hljs-meta-keyword" style="font-weight:bold">define</span> __isl_give</span></span><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><span class="gmail-hljs-meta" style="color:rgb(31,113,153)"> </span></span><span><span class="gmail-hljs-meta" style="color:rgb(31,113,153)">__attribute__((cf_returns_retained))</span></span></p><p style="font-size:small;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span id="gmail-docs-internal-guid-862bdbbe-e450-3223-e779-4e46fa46a7b3"></span></p><p dir="ltr" style="font-size:small;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span><span class="gmail-hljs-meta" style="color:rgb(31,113,153)">#<span class="gmail-hljs-meta-keyword" style="font-weight:bold">define</span> __isl_take __attribute__((cf_consumed))</span></span></p><p dir="ltr" 
style="font-size:small;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span><span class="gmail-hljs-meta" style="color:rgb(31,113,153)"><br></span></span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">__isl_give obj *foo(some_arguments) {</p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">    </span>abc *obj2 = some_<span class="gmail-m_1339923580266893754gmail-hljs-keyword" style="font-weight:bold">function</span>_returning_isl_<wbr>give_pointer(some_parameters);</p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">      </span>some_obj->bar(obj2); // Leak warning <span class="gmail-m_1339923580266893754gmail-hljs-keyword" style="font-weight:bold">for</span> obj2</p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">    </span>// Some code</p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">}</p></div></div><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Source Code Pro";color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"></span></p></span></div><b style="font-size:12.8px">Case 2</b></div><div style="font-size:12.8px"><b><br></b></div><div style="font-size:12.8px">False positives of the type below are raised only when Clang's static analyzer starts analysis from such functions. Now, the analyzer has no idea about 'fn' whatsoever and hence, it raises a leak warning for 'o'. 
Had the analyzer entered 'foo' from some other function, it would know what 'fn' was and wouldn't have raised a leak warning for 'o'.</div><div style="font-size:12.8px"><br><div><div class="gmail-m_1339923580266893754gmail-hljs" style="overflow-x:auto;padding:0.5em;color:rgb(51,51,51);background:rgb(248,248,248);font-family:monospace"><span id="gmail-m_1339923580266893754gmail-docs-internal-guid-862bdbbe-e320-ed6c-5ff9-a4131f3e320e"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Source Code Pro";color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"></span></p><p dir="ltr" style="font-size:small;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span><span class="gmail-hljs-meta" style="color:rgb(31,113,153)">#<span class="gmail-hljs-meta-keyword" style="font-weight:bold">define</span> __isl_give</span></span><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><span class="gmail-hljs-meta" style="color:rgb(31,113,153)"> </span></span><span><span class="gmail-hljs-meta" style="color:rgb(31,113,153)">__attribute__((cf_returns_retained))</span></span></p><p style="font-size:small;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span id="gmail-docs-internal-guid-862bdbbe-e450-3223-e779-4e46fa46a7b3"></span></p><p dir="ltr" style="font-size:small;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span><span class="gmail-hljs-meta" style="color:rgb(31,113,153)">#<span class="gmail-hljs-meta-keyword" style="font-weight:bold">define</span> __isl_take __attribute__((cf_consumed))</span></span></p><p dir="ltr" style="font-size:small;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span><span class="gmail-hljs-meta" style="color:rgb(31,113,153)"><br></span></span></p><div><div class="gmail-m_1339923580266893754gmail-hljs gmail-m_1339923580266893754gmail-bash" 
style="overflow-x:auto;padding:0.5em;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">__isl_give obj *foo(__isl_give obj *(*fn)(__isl_take obj *o), __isl_take obj *o) {</p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">     </span>o = some_<span class="gmail-m_1339923580266893754gmail-hljs-keyword" style="font-weight:bold">function</span>_returning_an_<wbr>isl_give_pointer();</p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">  </span>o = fn(o); <b>// Leak warning <span class="gmail-m_1339923580266893754gmail-hljs-keyword">for</span> ‘o’</b></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">      </span><span class="gmail-m_1339923580266893754gmail-hljs-built_in" style="color:rgb(57,115,0)">return</span> o;</p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">}</p></div></div><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Source Code Pro";color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"></span></p></span></div></div><br><br><br></div><div style="font-size:12.8px"><b>Use-after-free/Use-after-<wbr>release/Bad-release:</b></div><div style="font-size:12.8px"><table cellspacing="0" cellpadding="0" dir="ltr" border="1" style="table-layout:fixed;font-size:13px;font-family:arial,sans,sans-serif;border-collapse:collapse;border:none"><colgroup><col width="199"><col width="100"></colgroup><tbody><tr style="height:21px"><td style="padding:2px 
3px;vertical-align:bottom;word-wrap:break-word">Use-after-free/Use-after-<wbr>release/Bad-release false positives</td><td style="padding:2px 3px;vertical-align:bottom">(Total = 72)</td></tr><tr style="height:21px"><td style="padding:2px 3px;vertical-align:bottom">obj_copy() false positives</td><td style="padding:2px 3px;vertical-align:bottom;text-align:right">72</td></tr></tbody></table><br></div></div><div style="font-size:12.8px"><font size="4"><b>obj_copy()</b></font></div><div style="font-size:12.8px"><span id="gmail-m_1339923580266893754gmail-docs-internal-guid-862bdbbe-e323-a6a3-77d7-3da273125b0d"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Source Code Pro";color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"></span></p><br><div><div class="gmail-m_1339923580266893754gmail-hljs gmail-m_1339923580266893754gmail-ruby" style="overflow-x:auto;padding:0.5em;background:rgb(248,248,248);font-family:monospace"><p dir="ltr" style="color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Source Code Pro";color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"></span></p><p dir="ltr" style="color:rgb(51,51,51);font-size:small;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span><span class="gmail-hljs-meta" style="color:rgb(31,113,153)">#<span class="gmail-hljs-meta-keyword" style="font-weight:bold">define</span> __isl_give</span></span><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><span class="gmail-hljs-meta" style="color:rgb(31,113,153)"> </span></span><span><span class="gmail-hljs-meta" style="color:rgb(31,113,153)">__attribute__((cf_returns_retained))</span></span></p><p style="color:rgb(51,51,51);font-size:small;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span 
id="gmail-docs-internal-guid-862bdbbe-e450-3223-e779-4e46fa46a7b3"></span></p><p dir="ltr" style="color:rgb(51,51,51);font-size:small;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span><span class="gmail-hljs-meta" style="color:rgb(31,113,153)">#<span class="gmail-hljs-meta-keyword" style="font-weight:bold">define</span> __isl_take __attribute__((cf_consumed))</span></span></p><p dir="ltr" style="color:rgb(51,51,51);font-size:small;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span><span class="gmail-hljs-meta" style="color:rgb(31,113,153)"><br></span></span></p><div><div class="gmail-m_1339923580266893754gmail-hljs gmail-m_1339923580266893754gmail-cpp" style="overflow-x:auto;padding:0.5em;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial"><p dir="ltr" style="color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt">__<span class="gmail-m_1339923580266893754gmail-hljs-function">isl_give isl_basic_map *<span class="gmail-m_1339923580266893754gmail-hljs-title" style="color:rgb(136,0,0);font-weight:bold">bar</span><span class="gmail-m_1339923580266893754gmail-hljs-params">(__isl_take isl_basic_map *bmap)</span></span>;</p><p dir="ltr" style="color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt"> </p><p dir="ltr" style="color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt">__<span class="gmail-m_1339923580266893754gmail-hljs-function">isl_give isl_basic_map *<span class="gmail-m_1339923580266893754gmail-hljs-title" style="color:rgb(136,0,0);font-weight:bold">isl_basic_map_dup</span><span class="gmail-m_1339923580266893754gmail-hljs-params">(__isl_keep isl_basic_map *bmap)</span></span>;</p><p dir="ltr" style="color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt"> </p><p dir="ltr" style="color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt">__<span 
class="gmail-m_1339923580266893754gmail-hljs-function">isl_give isl_basic_map *<span class="gmail-m_1339923580266893754gmail-hljs-title" style="color:rgb(136,0,0);font-weight:bold">isl_basic_map_copy</span><span class="gmail-m_1339923580266893754gmail-hljs-params">(__isl_keep isl_basic_map *bmap)</span></span></p><p dir="ltr" style="color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt">{</p><p dir="ltr" style="color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">       </span><span class="gmail-m_1339923580266893754gmail-hljs-keyword" style="font-weight:bold">if</span> (!bmap)</p><p dir="ltr" style="color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">        </span><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">      </span>return <span class="gmail-m_1339923580266893754gmail-hljs-literal" style="color:rgb(120,169,96)">NULL</span>;</p><p dir="ltr" style="color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt"> </p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(51,51,51)"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">  </span></span><font color="#ff0000"><span class="gmail-m_1339923580266893754gmail-hljs-keyword" style="font-weight:bold">if</span> (ISL_F_ISSET(bmap, ISL_BASIC_SET_FINAL)) {</font></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><font color="#ff0000"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">   </span><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">      </span>bmap->ref++;</font></p><p dir="ltr" 
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><font color="#ff0000"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap"> </span><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">      </span>return bmap;</font></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><font color="#ff0000"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">    </span>}</font></p><p dir="ltr" style="color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>bmap = isl_basic_map_dup(bmap);</p><p dir="ltr" style="color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">        </span><span class="gmail-m_1339923580266893754gmail-hljs-keyword" style="font-weight:bold">if</span> (bmap)</p><p dir="ltr" style="color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap"> </span><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">      </span>ISL_F_SET(bmap, ISL_BASIC_SET_FINAL);</p><p dir="ltr" style="color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">  </span>return bmap;</p><p dir="ltr" style="color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span id="gmail-m_1339923580266893754gmail-docs-internal-guid-862bdbbe-e324-bb76-d9df-7e97c63f27f3"></span></p><p dir="ltr" style="color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt">}</p></div></div><br><p dir="ltr" style="color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span 
style="font-size:11pt;font-family:"Source Code Pro";color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"></span></p><p dir="ltr" style="color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt">__isl_give isl_basic_map *foo(__isl_take isl_basic_map *bmap) {</p><p dir="ltr" style="color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">       </span>isl_basic_map *temp;</p><p dir="ltr" style="color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">   </span>isl_basic_map *temp2 = bmap;</p><p dir="ltr" style="color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">   </span>bmap = isl_basic_map_reverse(bmap);</p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(51,51,51)"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">      </span></span><span style="color:rgb(51,51,51)">temp = bar(</span><font color="#ff0000">isl_basic_map_copy(bmap)</font><span style="color:rgb(51,51,51)">);</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(51,51,51)"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">      </span></span><span style="color:rgb(51,51,51)">isl_basic_map_free(bmap); </span><font color="#ff0000"><b><span class="gmail-m_1339923580266893754gmail-hljs-regexp">//</span> Use-after-release warning <span class="gmail-m_1339923580266893754gmail-hljs-keyword">for</span> ‘bmap’</b></font></p><p dir="ltr" style="color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span 
class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">   </span><span class="gmail-m_1339923580266893754gmail-hljs-keyword" style="font-weight:bold">return</span> temp;</p><p dir="ltr" style="color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt">}</p></div></div><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Source Code Pro";color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"></span></p></span></div><div style="font-size:12.8px">In the above example, as the analyzer has access to isl_basic_map_copy(), it analyses its body as well only to find that 'bmap' and the object returned from isl_basic_map_copy(bmap) point to the same memory location. Hence, when the <i>copy </i>is passed inside 'bar', the original 'bmap' is released which raises the 'use-after-release' warning for 'bmap' when it returns from 'bar'.</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px"><b><br></b></div><div style="font-size:12.8px"><font size="4"><b>False Negatives</b></font></div><div style="font-size:12.8px">Now, let's take a look at some of the mistakes which are overlooked by the analyzer.</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px"><b>Callee-side Parameter Checking</b></div><div style="font-size:12.8px"><span id="gmail-m_1339923580266893754gmail-docs-internal-guid-862bdbbe-e32b-3cba-365b-e8cb59404975"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Currently, callee side checking of annotations on parameters is not performed. For example, the current RetainCountChecker doesn’t warn if an object passed with __isl_take is not freed in a function. Also, the current checker doesn’t warn if an object passed with __isl_keep is further passed with an __isl_take argument to some function. 
Consider the following examples.</span></span><b><br></b></div><div style="font-size:12.8px"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><br></span></div><div style="font-size:12.8px"><span id="gmail-m_1339923580266893754gmail-docs-internal-guid-862bdbbe-e32b-8682-d2e2-68bb9261ab50"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Source Code Pro";color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"></span></p><br><div><div class="gmail-m_1339923580266893754gmail-hljs gmail-m_1339923580266893754gmail-bash" style="overflow-x:auto;padding:0.5em;color:rgb(51,51,51);background:rgb(248,248,248);font-family:monospace"><p dir="ltr" style="font-size:small;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span><span class="gmail-hljs-meta" style="color:rgb(31,113,153)">#<span class="gmail-hljs-meta-keyword" style="font-weight:bold">define</span> __isl_give</span></span><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><span class="gmail-hljs-meta" style="color:rgb(31,113,153)"> </span></span><span><span class="gmail-hljs-meta" style="color:rgb(31,113,153)">__attribute__((cf_returns_retained))</span></span></p><p style="font-size:small;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span id="gmail-docs-internal-guid-862bdbbe-e450-3223-e779-4e46fa46a7b3"></span></p><p dir="ltr" style="font-size:small;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span><span class="gmail-hljs-meta" style="color:rgb(31,113,153)">#<span class="gmail-hljs-meta-keyword" style="font-weight:bold">define</span> __isl_take __attribute__((cf_consumed))</span></span></p><p dir="ltr" style="font-size:small;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span><span class="gmail-hljs-meta" 
style="color:rgb(31,113,153)"><br></span></span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">__isl_give isl_basic_<span class="gmail-m_1339923580266893754gmail-hljs-built_in" style="color:rgb(57,115,0)">set</span> *foo(__isl_take isl_basic_<span class="gmail-m_1339923580266893754gmail-hljs-built_in" style="color:rgb(57,115,0)">set</span> *bset1, __isl_take isl_basic_<span class="gmail-m_1339923580266893754gmail-hljs-built_in" style="color:rgb(57,115,0)">set</span> *bset2){</p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">     </span>bset2 = isl_basic_<span class="gmail-m_1339923580266893754gmail-hljs-built_in" style="color:rgb(57,115,0)">set</span>_cow(bset2);</p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">  </span><span class="gmail-m_1339923580266893754gmail-hljs-built_in" style="color:rgb(57,115,0)">return</span> bset2;<span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">        </span><b>// No leak warning <span class="gmail-m_1339923580266893754gmail-hljs-keyword">for</span> bset1 is raised here.</b></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">}</p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"> </p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">__isl_give isl_basic_<span class="gmail-m_1339923580266893754gmail-hljs-built_in" style="color:rgb(57,115,0)">set</span> *bar(__isl_keep isl_basic_<span class="gmail-m_1339923580266893754gmail-hljs-built_in" style="color:rgb(57,115,0)">set</span> *bset1){</p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;text-indent:36pt"><span class="gmail-m_1339923580266893754gmail-hljs-built_in" style="color:rgb(57,115,0)">return</span> 
isl_basic_<span class="gmail-m_1339923580266893754gmail-hljs-built_in" style="color:rgb(57,115,0)">set</span>_free(bset1);<span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap"> </span><b>// No bad release warning <span class="gmail-m_1339923580266893754gmail-hljs-keyword">for</span> bset1 is raised here.</b></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">}</p></div></div><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Source Code Pro";color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"></span></p></span></div><div style="font-size:12.8px"><span id="gmail-m_1339923580266893754gmail-docs-internal-guid-dca4b36a-e32b-f5c6-dd2a-6b565ad2a00c"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><b>Returning a Reference Counted Object After Passing it to a Function as an __isl_take Object.</b></span></span><br></div><div style="font-size:12.8px"><font color="#000000" face="Arial"><span style="white-space:pre-wrap">Example</span></font></div><div style="font-size:12.8px"><span id="gmail-m_1339923580266893754gmail-docs-internal-guid-862bdbbe-e32c-837f-3d9d-5cdbf4a4f70b"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Source Code Pro";color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"></span></p><br><div><div class="gmail-m_1339923580266893754gmail-hljs gmail-m_1339923580266893754gmail-cpp" style="overflow-x:auto;padding:0.5em;background:rgb(248,248,248);font-family:monospace"><p dir="ltr" style="color:rgb(51,51,51);font-size:small;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span><span class="gmail-hljs-meta" style="color:rgb(31,113,153)">#<span class="gmail-hljs-meta-keyword" style="font-weight:bold">define</span> 
__isl_give</span></span><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><span class="gmail-hljs-meta" style="color:rgb(31,113,153)"> </span></span><span><span class="gmail-hljs-meta" style="color:rgb(31,113,153)">__attribute__((cf_returns_retained))</span></span></p><p style="color:rgb(51,51,51);font-size:small;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span id="gmail-docs-internal-guid-862bdbbe-e450-3223-e779-4e46fa46a7b3"></span></p><p dir="ltr" style="color:rgb(51,51,51);font-size:small;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span><span class="gmail-hljs-meta" style="color:rgb(31,113,153)">#<span class="gmail-hljs-meta-keyword" style="font-weight:bold">define</span> __isl_take __attribute__((cf_consumed))</span></span></p><p dir="ltr" style="color:rgb(51,51,51);font-size:small;line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span><span class="gmail-hljs-meta" style="color:rgb(31,113,153)"><br></span></span></p><p style="color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt">__isl_null isl_basic_map *isl_basic_map_free(__isl_take isl_basic_map *bmap);</p><p dir="ltr" style="color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt"><br></p><p dir="ltr" style="color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt">__<span class="gmail-m_1339923580266893754gmail-hljs-function">isl_give isl_basic_map *<span class="gmail-m_1339923580266893754gmail-hljs-title" style="color:rgb(136,0,0);font-weight:bold">dummy</span><span class="gmail-m_1339923580266893754gmail-hljs-params">(__isl_keep isl_basic_map *bmap)</span> </span>{</p><p dir="ltr" style="color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="font-size:12.8px;white-space:pre-wrap">      </span><span style="font-size:12.8px">isl_basic_map *temp = isl_basic_map_copy(bmap);</span><span 
class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="font-size:12.8px;white-space:pre-wrap">  </span><br></p><p dir="ltr" style="color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">     </span>isl_basic_map_free(temp);</p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(51,51,51)"><span class="gmail-m_1339923580266893754gmail-Apple-tab-span" style="white-space:pre-wrap">        </span></span><span style="color:rgb(51,51,51)">return temp; </span><span class="gmail-m_1339923580266893754gmail-hljs-comment"><b><font color="#000000">// No use-after-release warning raised here.</font></b></span></p><p dir="ltr" style="color:rgb(51,51,51);line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span class="gmail-m_1339923580266893754gmail-hljs-comment" style="color:rgb(136,136,136)">}</span></p></div></div><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Source Code Pro";color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"></span></p></span></div><div style="font-size:12.8px"><span id="gmail-m_1339923580266893754gmail-docs-internal-guid-862bdbbe-e32d-1023-b20e-322e0b5de8fa"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;vertical-align:baseline;white-space:pre-wrap">Note 1:</span><span style="font-family:"Source Code Pro";color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"> </span><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">The above kind of false negatives occur only when the definition of function to which it is passed as an __isl_take argument (isl_basic_map_free() in this 
case) is not present in the same file as the one being analyzed. The visibility of obj_free() leads to the analyzer following the path in obj_free() where an explicit free() is called and then Clang Static Analyzer’s MallocChecker raises a use-after-free warning.</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"> </p><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;vertical-align:baseline;white-space:pre-wrap">Note 2: </span><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">If temp were passed to some other function as an __isl_take argument rather than returning it from ‘dummy’, it would’ve produced a ‘use-after-release’ warning like it should.</span></span><br></div><div style="font-size:12.8px"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><br></span></div><div style="font-size:12.8px"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><br></span></div><div style="font-size:12.8px"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><br></span></div><div style="font-size:12.8px"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><br></span></div><div style="font-size:12.8px"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><br></span></div><div style="font-size:12.8px"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">I am currently in talks with my mentors, Dr. Devin Coughlin, Dr. Sven Verdoolaege and Dr.
Alexandre Isoard to come up with a good solution to fix the aforementioned false positives and false negatives.</span></div><div style="font-size:12.8px"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><br></span></div><div style="font-size:12.8px"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">According to them, and I agree, coming up with a solution for function pointers is probably the most difficult task.</span></div><div style="font-size:12.8px"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><br></span></div><div style="font-size:12.8px"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><br></span></div><div style="font-size:12.8px"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Let me know your thoughts on the same.</span></div><div style="font-size:12.8px"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><br></span></div><div style="font-size:12.8px"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><br></span></div><div style="font-size:12.8px"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Thank you.</span></div><div style="font-size:12.8px"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><br></span></div><div style="font-size:12.8px"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><br></span></div><div 
style="font-size:12.8px"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><br></span></div><div style="font-size:12.8px"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Regards,</span></div><div style="font-size:12.8px"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Malhar Thakkar</span></div></div>
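<div style="font-size:12.8px">Added example (not part of the original message, and not ISL code): a runnable toy model of the reference-counting pattern from the obj_copy() and callee-side sections above. It counts live objects to show that the foo() sequence reported as use-after-release is balanced whether or not the copy aliases its argument, while the unreported __isl_take leak really leaves an object behind. The names toy_map, live_objects, leaky, live_after_foo and live_after_leaky are hypothetical, and enabling the annotations only under __clang_analyzer__ is an assumption made so the file builds with any C compiler.</div>

```c
#include <stdlib.h>

/* Annotations from the post, active only under the analyzer (assumption). */
#ifdef __clang_analyzer__
#define __isl_give __attribute__((cf_returns_retained))
#define __isl_take __attribute__((cf_consumed))
#else
#define __isl_give
#define __isl_take
#endif
#define __isl_keep

/* Toy stand-in for isl_basic_map; constructed for this example. */
typedef struct toy_map { int ref; int final; int value; } toy_map;
static int live_objects;    /* allocations minus real free() calls */

__isl_give toy_map *toy_map_alloc(int value, int final)
{
    toy_map *m = malloc(sizeof(*m));
    if (!m)
        return NULL;
    *m = (toy_map){ .ref = 1, .final = final, .value = value };
    live_objects++;
    return m;
}

void toy_map_free(__isl_take toy_map *m)
{
    if (!m || --m->ref > 0)
        return;
    free(m);
    live_objects--;
}

/* Same shape as isl_basic_map_copy() in the post. */
__isl_give toy_map *toy_map_copy(__isl_keep toy_map *m)
{
    if (!m)
        return NULL;
    if (m->final) {
        m->ref++;    /* same pointer, one more owner */
        return m;
    }
    return toy_map_alloc(m->value, 1);    /* dup, then mark FINAL */
}

/* Consumes its argument and hands back a fresh object. */
__isl_give toy_map *bar(__isl_take toy_map *m)
{
    toy_map *res = m ? toy_map_alloc(m->value, 0) : NULL;
    toy_map_free(m);
    return res;
}

/* The post's foo(), without the isl_basic_map_reverse() step. */
__isl_give toy_map *foo(__isl_take toy_map *bmap)
{
    toy_map *temp = bar(toy_map_copy(bmap));
    toy_map_free(bmap);    /* reported as use-after-release in the post */
    return temp;
}

/* Callee-side false negative from the post: a is taken but never freed. */
__isl_give toy_map *leaky(__isl_take toy_map *a, __isl_take toy_map *b)
{
    (void)a;
    return b;
}

/* Objects still alive once foo() and its result have been released. */
int live_after_foo(int final)
{
    toy_map_free(foo(toy_map_alloc(7, final)));
    return live_objects;
}

/* Objects still alive after leaky(); the stray one is then cleaned up. */
int live_after_leaky(void)
{
    toy_map *a = toy_map_alloc(1, 0), *b = toy_map_alloc(2, 0);
    toy_map_free(leaky(a, b));
    int leaked = live_objects;
    toy_map_free(a);
    return leaked;
}
```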