[cfe-commits] r150313 - in /cfe/trunk: lib/StaticAnalyzer/Checkers/MallocChecker.cpp test/Analysis/malloc-annotations.c test/Analysis/malloc.c

Anna Zaks ganna at apple.com
Sat Feb 11 13:44:39 PST 2012


Author: zaks
Date: Sat Feb 11 15:44:39 2012
New Revision: 150313

URL: http://llvm.org/viewvc/llvm-project?rev=150313&view=rev
Log:
[analyzer] Malloc Checker: Report a leak when we are returning freed
memory.
(As per one test case, the existing checker thought that this could
cause a lot of false positives - not sure if that's valid, to be
verified.)

Modified:
    cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
    cfe/trunk/test/Analysis/malloc-annotations.c
    cfe/trunk/test/Analysis/malloc.c

Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp?rev=150313&r1=150312&r2=150313&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp Sat Feb 11 15:44:39 2012
@@ -760,10 +760,16 @@
   const Expr *E = S->getRetValue();
   if (!E)
     return;
+
+  // Check if we are returning a symbol.
   SymbolRef Sym = C.getState()->getSVal(E, C.getLocationContext()).getAsSymbol();
   if (!Sym)
     return;
 
+  // Check if we are returning freed memory.
+  checkUseAfterFree(Sym, C, S);
+
+  // Check if the symbol is escaping.
   checkEscape(Sym, S, C);
 }
 

Modified: cfe/trunk/test/Analysis/malloc-annotations.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/malloc-annotations.c?rev=150313&r1=150312&r2=150313&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/malloc-annotations.c (original)
+++ cfe/trunk/test/Analysis/malloc-annotations.c Sat Feb 11 15:44:39 2012
@@ -128,12 +128,10 @@
   free(p); // no-warning
 }
 
-// This case would inflict a double-free elsewhere.
-// However, this case is considered an analyzer bug since it causes false-positives.
 int * af4() {
   int *p = my_malloc(12);
   my_free(p);
-  return p; // no-warning
+  return p; // expected-warning{{Use of dynamically allocated}}
 }
 
 // This case is (possibly) ok, be conservative

Modified: cfe/trunk/test/Analysis/malloc.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/malloc.c?rev=150313&r1=150312&r2=150313&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/malloc.c (original)
+++ cfe/trunk/test/Analysis/malloc.c Sat Feb 11 15:44:39 2012
@@ -251,6 +251,20 @@
 struct StructWithInt {
   int g;
 };
+
+int *mallocReturnFreed() {
+  int *p = malloc(12);
+  free(p);
+  return p; // expected-warning {{Use of dynamically allocated}}
+}
+
+int useAfterFreeStruct() {
+  struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
+  px->g = 5;
+  free(px);
+  return px->g; // expected-warning {{Use of dynamically allocated}}
+}
+
 void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p);
 
 void mallocEscapeFooNonSymbolArg() {





More information about the cfe-commits mailing list