[llvm-bugs] [Bug 32232] New: Analyzer: tuple.h raises "Use of memory after it is freed" error for unique_ptr::reset()
via llvm-bugs
llvm-bugs at lists.llvm.org
Fri Mar 10 14:25:23 PST 2017
https://bugs.llvm.org/show_bug.cgi?id=32232
Bug ID: 32232
Summary: Analyzer: tuple.h raises "Use of memory after it is freed" error for unique_ptr::reset()
Product: clang
Version: unspecified
Hardware: PC
OS: Linux
Status: NEW
Severity: enhancement
Priority: P
Component: Static Analyzer
Assignee: kremenek at apple.com
Reporter: marshallk at google.com
CC: llvm-bugs at lists.llvm.org
The static analyzer is raising a use-after-free error in the context of a call
to unique_ptr::reset().
LLVM version: clang version 5.0.0 (trunk 296321)
Platform: Linux; target: Linux
Code:
https://cs.chromium.org/chromium/src/ipc/ipc_mojo_bootstrap.cc?rcl=8c9318ff000fb082c3e33eab2cb7758fcd868a27&l=127
Log:
In file included from ../../ipc/ipc_mojo_bootstrap.cc:5:
In file included from ../../ipc/ipc_mojo_bootstrap.h:10:
In file included from
../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/memory:80:
In file included from
../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/functional:56:
../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/tuple:103:38:
warning: Use of memory after it is freed
_Head& _M_head() { return _M_head_impl; }
^
../../ipc/ipc_mojo_bootstrap.cc:880:5: note: Calling
'ChannelAssociatedGroupController::ShutDown'
controller_->ShutDown();
^~~~~~~~~~~~~~~~~~~~~~~
../../ipc/ipc_mojo_bootstrap.cc:126:5: note: Calling
'ChannelAssociatedGroupController::OnPipeError'
OnPipeError();
^~~~~~~~~~~~~
../../ipc/ipc_mojo_bootstrap.cc:610:5: note: Loop condition is false. Execution
continues on line 620
for (auto iter = endpoints_.begin(); iter != endpoints_.end();) {
^
../../ipc/ipc_mojo_bootstrap.cc:626:3: note: Calling '~scoped_refptr'
}
^
../../base/memory/ref_counted.h:310:5: note: Taking true branch
if (ptr_)
^
../../base/memory/ref_counted.h:311:7: note: Calling 'scoped_refptr::Release'
Release(ptr_);
^~~~~~~~~~~~~
../../base/memory/ref_counted.h:409:3: note: Calling
'RefCountedThreadSafe::Release'
ptr->Release();
^~~~~~~~~~~~~~
../../base/memory/ref_counted.h:184:9: note: Assuming the condition is true
if (subtle::RefCountedThreadSafeBase::Release()) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../base/memory/ref_counted.h:184:5: note: Taking true branch
if (subtle::RefCountedThreadSafeBase::Release()) {
^
../../base/memory/ref_counted.h:185:7: note: Calling
'DefaultRefCountedThreadSafeTraits::Destruct'
Traits::Destruct(static_cast<const T*>(this));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../base/memory/ref_counted.h:157:5: note: Calling
'RefCountedThreadSafe::DeleteInternal'
RefCountedThreadSafe<T,
^~~~~~~~~~~~~~~~~~~~~~~
../../base/memory/ref_counted.h:194:44: note: Memory is released
static void DeleteInternal(const T* x) { delete x; }
^~~~~~~~
../../base/memory/ref_counted.h:157:5: note: Returning; memory was released via
1st parameter
RefCountedThreadSafe<T,
^~~~~~~~~~~~~~~~~~~~~~~
../../base/memory/ref_counted.h:185:7: note: Returning; memory was released via
1st parameter
Traits::Destruct(static_cast<const T*>(this));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../base/memory/ref_counted.h:409:3: note: Returning; memory was released
ptr->Release();
^~~~~~~~~~~~~~
../../base/memory/ref_counted.h:311:7: note: Returning; memory was released via
1st parameter
Release(ptr_);
^~~~~~~~~~~~~
../../ipc/ipc_mojo_bootstrap.cc:626:3: note: Returning from '~scoped_refptr'
}
^
../../ipc/ipc_mojo_bootstrap.cc:126:5: note: Returning; memory was released
OnPipeError();
^~~~~~~~~~~~~
../../ipc/ipc_mojo_bootstrap.cc:127:5: note: Calling 'unique_ptr::reset'
connector_.reset();
^~~~~~~~~~~~~~~~~~
../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:243:7:
note: Calling 'get'
swap(std::get<0>(_M_t), __p);
^~~~~~~~~~~~~~~~~
../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/tuple:532:14:
note: Calling '__get_helper'
{ return __get_helper<__i>(__t); }
^~~~~~~~~~~~~~~~~~~~~~
../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/tuple:518:14:
note: Calling '_Tuple_impl::_M_head'
{ return __t._M_head(); }
^~~~~~~~~~~~~
../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/tuple:151:50:
note: Calling '_Head_base::_M_head'
_Head& _M_head() { return _Base::_M_head(); }
^~~~~~~~~~~~~~~~
../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/tuple:103:38:
note: Use of memory after it is freed
_Head& _M_head() { return _M_head_impl; }
^ ~~~~~~~~~~~~
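Added example (a constructed reduction, not Chromium's code and not part of the original report): the code shape that yields the path in the log, where a reference dropped inside OnPipeError() is assumed to be the last one ("Assuming the condition is true") before ShutDown() touches connector_. All class and function names are hypothetical, and the local reference in OnPipeError() is assumed to point at the controller itself, as the trace implies.

```cpp
#include <memory>

// Constructed reduction; every name here is hypothetical.
struct Connector { int id = 7; };

class Controller {
 public:
  void AddRef() { ++refs_; }
  // Returns true when the last reference was dropped and the object deleted.
  bool Release() {
    if (--refs_ == 0) { delete this; return true; }
    return false;
  }
  int refs() const { return refs_; }
  bool has_connector() const { return connector_ != nullptr; }

  void ShutDown() {
    OnPipeError();
    // The analyzer path reaches this line believing `this` was deleted inside
    // OnPipeError(). The access is valid only while a caller holds a reference.
    connector_.reset();
  }

 private:
  ~Controller() = default;  // destroyed only through Release()
  void OnPipeError() {
    AddRef();   // local keep-alive reference (assumed shape of the scoped_refptr)
    // ... notify endpoints ...
    Release();  // analyzer explores the branch where this is the last reference
  }
  int refs_ = 0;
  std::unique_ptr<Connector> connector_{new Connector};
};

// The owner keeps its own reference across ShutDown(), so the Release() inside
// OnPipeError() cannot be the last one. Returns the refcount seen after
// ShutDown(), or -1 if the connector was not reset.
int shutdown_with_owner_ref() {
  Controller* c = new Controller;
  c->AddRef();   // owner's reference, like a scoped_refptr member
  c->ShutDown();
  int refs = c->has_connector() ? -1 : c->refs();
  c->Release();  // owner drops its reference; object is deleted here
  return refs;
}

int main() { return shutdown_with_owner_ref() == 1 ? 0 : 1; }
```

The reported branch is reachable at run time only if ShutDown() is entered with no outstanding reference; checking that every caller holds one (or asserting the count after OnPipeError() returns) settles whether a given report of this shape is real.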