[cfe-commits] r150313 - in /cfe/trunk: lib/StaticAnalyzer/Checkers/MallocChecker.cpp test/Analysis/malloc-annotations.c test/Analysis/malloc.c
Anna Zaks
ganna at apple.com
Sat Feb 11 13:44:39 PST 2012
Author: zaks
Date: Sat Feb 11 15:44:39 2012
New Revision: 150313
URL: http://llvm.org/viewvc/llvm-project?rev=150313&view=rev
Log:
[analyzer] Malloc Checker: Report a leak when we are returning freed
memory.
(As per one test case, the existing checker thought that this could
cause a lot of false positives - not sure if that's valid, to be
verified.)
Modified:
cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
cfe/trunk/test/Analysis/malloc-annotations.c
cfe/trunk/test/Analysis/malloc.c
Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp?rev=150313&r1=150312&r2=150313&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp Sat Feb 11 15:44:39 2012
@@ -760,10 +760,16 @@
const Expr *E = S->getRetValue();
if (!E)
return;
+
+ // Check if we are returning a symbol.
SymbolRef Sym = C.getState()->getSVal(E, C.getLocationContext()).getAsSymbol();
if (!Sym)
return;
+ // Check if we are returning freed memory.
+ checkUseAfterFree(Sym, C, S);
+
+ // Check if the symbol is escaping.
checkEscape(Sym, S, C);
}
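Review bot: the return value of `checkUseAfterFree(Sym, C, S)` is discarded, so `checkEscape(Sym, S, C)` still runs on a symbol that was just reported as freed memory. If `checkUseAfterFree` signals that it emitted a report (and generated a sink node), an early return there, e.g. `if (checkUseAfterFree(Sym, C, S)) return;`, avoids tracking the escape of a region the checker already knows is dead; if the escape check is intentionally meant to run even after a use-after-free report, a short comment saying so would help, since the two comments currently read as independent steps.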
Modified: cfe/trunk/test/Analysis/malloc-annotations.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/malloc-annotations.c?rev=150313&r1=150312&r2=150313&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/malloc-annotations.c (original)
+++ cfe/trunk/test/Analysis/malloc-annotations.c Sat Feb 11 15:44:39 2012
@@ -128,12 +128,10 @@
free(p); // no-warning
}
-// This case would inflict a double-free elsewhere.
-// However, this case is considered an analyzer bug since it causes false-positives.
int * af4() {
int *p = my_malloc(12);
my_free(p);
- return p; // no-warning
+ return p; // expected-warning{{Use of dynamically allocated}}
}
// This case is (possibly) ok, be conservative
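Review bot: the two removed comment lines were the only record of why `af4` was previously a no-warning case, and the log message itself says the false-positive concern is "not sure if that's valid, to be verified". Keep a one-line comment above `af4` stating that returning freed memory is now reported on purpose, so a reader who later hits a false positive on this pattern knows the change was deliberate rather than an accident. A companion case where the pointer is freed on one branch and returned on another would also confirm the new warning stays path-sensitive with the annotated `my_free`.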
Modified: cfe/trunk/test/Analysis/malloc.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/malloc.c?rev=150313&r1=150312&r2=150313&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/malloc.c (original)
+++ cfe/trunk/test/Analysis/malloc.c Sat Feb 11 15:44:39 2012
@@ -251,6 +251,20 @@
struct StructWithInt {
int g;
};
+
+int *mallocReturnFreed() {
+ int *p = malloc(12);
+ free(p);
+ return p; // expected-warning {{Use of dynamically allocated}}
+}
+
+int useAfterFreeStruct() {
+ struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
+ px->g = 5;
+ free(px);
+ return px->g; // expected-warning {{Use of dynamically allocated}}
+}
+
void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p);
void mallocEscapeFooNonSymbolArg() {
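Review bot: `int *px= malloc(...)` in `useAfterFreeStruct` is missing the space before `=`; the neighbouring test uses `int *p = malloc(12)`. Separately, `useAfterFreeStruct` reads `px->g` after `free(px)`, which exercises the existing dereference path rather than the new return-value path that `mallocReturnFreed` covers; a comment marking it as a companion regression test, or placing it next to the other use-after-free tests, would make the intent clear. The `expected-warning {{Use of dynamically allocated}}` strings match only a prefix of the diagnostic; that works with -verify's substring matching, but spelling out the full message would pin the exact text being reported.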