<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Analyzer: tuple.h raises &quot;Use of memory after it is freed&quot; error for unique_ptr::reset()"
href="https://bugs.llvm.org/show_bug.cgi?id=32232">32232</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Analyzer: tuple.h raises "Use of memory after it is freed" error for unique_ptr::reset()
</td>
</tr>
<tr>
<th>Product</th>
<td>clang
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>Static Analyzer
</td>
</tr>
<tr>
<th>Assignee</th>
<td>kremenek@apple.com
</td>
</tr>
<tr>
<th>Reporter</th>
<td>marshallk@google.com
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org
</td>
</tr></table>
<p>
<div>
<pre>The static analyzer is raising a use-after-free error in the context of a call
to unique_ptr::reset().
LLVM version: clang version 5.0.0 (trunk 296321)
Platform: Linux; target: Linux
Code:
<a href="https://cs.chromium.org/chromium/src/ipc/ipc_mojo_bootstrap.cc?rcl=8c9318ff000fb082c3e33eab2cb7758fcd868a27&l=127">https://cs.chromium.org/chromium/src/ipc/ipc_mojo_bootstrap.cc?rcl=8c9318ff000fb082c3e33eab2cb7758fcd868a27&l=127</a>
Log:
In file included from ../../ipc/ipc_mojo_bootstrap.cc:5:
In file included from ../../ipc/ipc_mojo_bootstrap.h:10:
In file included from
../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/memory:80:
In file included from
../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/functional:56:
../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/tuple:103:38:
warning: Use of memory after it is freed
_Head& _M_head() { return _M_head_impl; }
^
../../ipc/ipc_mojo_bootstrap.cc:880:5: note: Calling
'ChannelAssociatedGroupController::ShutDown'
controller_->ShutDown();
^~~~~~~~~~~~~~~~~~~~~~~
../../ipc/ipc_mojo_bootstrap.cc:126:5: note: Calling
'ChannelAssociatedGroupController::OnPipeError'
OnPipeError();
^~~~~~~~~~~~~
../../ipc/ipc_mojo_bootstrap.cc:610:5: note: Loop condition is false. Execution
continues on line 620
for (auto iter = endpoints_.begin(); iter != endpoints_.end();) {
^
../../ipc/ipc_mojo_bootstrap.cc:626:3: note: Calling '~scoped_refptr'
}
^
../../base/memory/ref_counted.h:310:5: note: Taking true branch
if (ptr_)
^
../../base/memory/ref_counted.h:311:7: note: Calling 'scoped_refptr::Release'
Release(ptr_);
^~~~~~~~~~~~~
../../base/memory/ref_counted.h:409:3: note: Calling
'RefCountedThreadSafe::Release'
ptr->Release();
^~~~~~~~~~~~~~
../../base/memory/ref_counted.h:184:9: note: Assuming the condition is true
if (subtle::RefCountedThreadSafeBase::Release()) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../base/memory/ref_counted.h:184:5: note: Taking true branch
if (subtle::RefCountedThreadSafeBase::Release()) {
^
../../base/memory/ref_counted.h:185:7: note: Calling
'DefaultRefCountedThreadSafeTraits::Destruct'
Traits::Destruct(static_cast&lt;const T*&gt;(this));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../base/memory/ref_counted.h:157:5: note: Calling
'RefCountedThreadSafe::DeleteInternal'
RefCountedThreadSafe&lt;T,
^~~~~~~~~~~~~~~~~~~~~~~
../../base/memory/ref_counted.h:194:44: note: Memory is released
static void DeleteInternal(const T* x) { delete x; }
^~~~~~~~
../../base/memory/ref_counted.h:157:5: note: Returning; memory was released via
1st parameter
RefCountedThreadSafe&lt;T,
^~~~~~~~~~~~~~~~~~~~~~~
../../base/memory/ref_counted.h:185:7: note: Returning; memory was released via
1st parameter
Traits::Destruct(static_cast&lt;const T*&gt;(this));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../base/memory/ref_counted.h:409:3: note: Returning; memory was released
ptr->Release();
^~~~~~~~~~~~~~
../../base/memory/ref_counted.h:311:7: note: Returning; memory was released via
1st parameter
Release(ptr_);
^~~~~~~~~~~~~
../../ipc/ipc_mojo_bootstrap.cc:626:3: note: Returning from '~scoped_refptr'
}
^
../../ipc/ipc_mojo_bootstrap.cc:126:5: note: Returning; memory was released
OnPipeError();
^~~~~~~~~~~~~
../../ipc/ipc_mojo_bootstrap.cc:127:5: note: Calling 'unique_ptr::reset'
connector_.reset();
^~~~~~~~~~~~~~~~~~
../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:243:7:
note: Calling 'get'
swap(std::get<0>(_M_t), __p);
^~~~~~~~~~~~~~~~~
../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/tuple:532:14:
note: Calling '__get_helper'
{ return __get_helper<__i>(__t); }
^~~~~~~~~~~~~~~~~~~~~~
../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/tuple:518:14:
note: Calling '_Tuple_impl::_M_head'
{ return __t._M_head(); }
^~~~~~~~~~~~~
../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/tuple:151:50:
note: Calling '_Head_base::_M_head'
_Head& _M_head() { return _Base::_M_head(); }
^~~~~~~~~~~~~~~~
../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/tuple:103:38:
note: Use of memory after it is freed
_Head& _M_head() { return _M_head_impl; }
^ ~~~~~~~~~~~~</pre>
</div>
</p>
</body>
</html>