[cfe-commits] r150315 - in /cfe/trunk: lib/StaticAnalyzer/Checkers/MallocChecker.cpp test/Analysis/malloc.c test/Analysis/system-header-simulator.h
Anna Zaks
ganna at apple.com
Sat Feb 11 15:46:36 PST 2012
Author: zaks
Date: Sat Feb 11 17:46:36 2012
New Revision: 150315
URL: http://llvm.org/viewvc/llvm-project?rev=150315&view=rev
Log:
[analyzer] Malloc Checker: reduce the false-negative rate by assuming that
a pointer cannot escape through calls to system functions. Also, stop
after reporting the first use-after-free.
Modified:
cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
cfe/trunk/test/Analysis/malloc.c
cfe/trunk/test/Analysis/system-header-simulator.h
Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp?rev=150315&r1=150314&r2=150315&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp Sat Feb 11 17:46:36 2012
@@ -20,6 +20,7 @@
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
+#include "clang/Basic/SourceManager.h"
#include "llvm/ADT/ImmutableMap.h"
#include "llvm/ADT/SmallString.h"
#include "llvm/ADT/STLExtras.h"
@@ -260,20 +261,41 @@
switch ((*i)->getOwnKind()) {
case OwnershipAttr::Returns: {
MallocMemReturnsAttr(C, CE, *i);
- break;
+ return;
}
case OwnershipAttr::Takes:
case OwnershipAttr::Holds: {
FreeMemAttr(C, CE, *i);
- break;
+ return;
}
}
}
}
+ // Check use after free, when a freed pointer is passed to a call.
+ ProgramStateRef State = C.getState();
+ for (CallExpr::const_arg_iterator I = CE->arg_begin(),
+ E = CE->arg_end(); I != E; ++I) {
+ const Expr *A = *I;
+ if (A->getType().getTypePtr()->isAnyPointerType()) {
+ SymbolRef Sym = State->getSVal(A, C.getLocationContext()).getAsSymbol();
+ if (!Sym)
+ continue;
+ if (checkUseAfterFree(Sym, C, A))
+ return;
+ }
+ }
+
+ // The pointer might escape through a function call.
+ // TODO: This should be rewritten to take into account inlining.
if (Filter.CMallocPessimistic) {
+ SourceLocation FLoc = FD->getLocation();
+ // We assume that the pointers cannot escape through calls to system
+ // functions.
+ if (C.getSourceManager().isInSystemHeader(FLoc))
+ return;
+
ProgramStateRef State = C.getState();
- // The pointer might escape through a function call.
for (CallExpr::const_arg_iterator I = CE->arg_begin(),
E = CE->arg_end(); I != E; ++I) {
const Expr *A = *I;
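Review bot: The early `return` on `isInSystemHeader(FLoc)` assumes no system function retains or releases a pointer argument, so a call like `setvbuf(f, p, ...)` or `pthread_setspecific(key, p)`, or any system function that frees its argument but carries no ownership attribute, will now be reported as a leak where the old code assumed escape; that trade-off belongs in the comment on the check, e.g. `// Heuristic: a system function that stores or frees its argument must carry an ownership attribute, otherwise a leak is reported.` The `State` declared before the new use-after-free loop is shadowed by the unchanged `ProgramStateRef State = C.getState();` inside the pessimistic branch; the inner declaration can be dropped, since nothing between them changes the state. `FD` is defined above the hunk, so whether it can be null at `FD->getLocation()` is not visible in the diff; the enclosing function starts before the hunk.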
@@ -282,7 +304,6 @@
if (!Sym)
continue;
checkEscape(Sym, A, C);
- checkUseAfterFree(Sym, C, A);
}
}
}
@@ -767,7 +788,8 @@
return;
// Check if we are returning freed memory.
- checkUseAfterFree(Sym, C, S);
+ if (checkUseAfterFree(Sym, C, S))
+ return;
// Check if the symbol is escaping.
checkEscape(Sym, S, C);
@@ -778,7 +800,7 @@
assert(Sym);
const RefState *RS = C.getState()->get<RegionState>(Sym);
if (RS && RS->isReleased()) {
- if (ExplodedNode *N = C.addTransition()) {
+ if (ExplodedNode *N = C.generateSink()) {
if (!BT_UseFree)
BT_UseFree.reset(new BuiltinBug("Use of dynamically allocated memory "
"after it is freed."));
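Review bot: `C.generateSink()` may return null (for example when the node already exists), and on that path the report below is skipped; the value returned in that case is outside the hunk, but it should still be `true`, because the two new callers (the argument loop and the ReturnStmt check) use it to stop processing, and the path is dead either way. A comment above the `if` would make the new intent explicit: `// Sink the path: analysis stops at the first use-after-free; a null node means the sink already exists and the path is still dead.` checkUseAfterFree's body continues past the hunk.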
Modified: cfe/trunk/test/Analysis/malloc.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/malloc.c?rev=150315&r1=150314&r2=150315&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/malloc.c (original)
+++ cfe/trunk/test/Analysis/malloc.c Sat Feb 11 17:46:36 2012
@@ -1,4 +1,6 @@
// RUN: %clang_cc1 -analyze -analyzer-checker=core,experimental.deadcode.UnreachableCode,experimental.core.CastSize,experimental.unix.Malloc -analyzer-store=region -verify %s
+#include "system-header-simulator.h"
+
typedef __typeof(sizeof(int)) size_t;
void *malloc(size_t);
void free(void *);
@@ -237,6 +239,11 @@
int *p = malloc(12);
free(p);
myfoo(p); //expected-warning{{Use of dynamically allocated memory after it is freed}}
+}
+
+void mallocFreeUse_params2() {
+ int *p = malloc(12);
+ free(p);
myfooint(*p); //expected-warning{{Use of dynamically allocated memory after it is freed}}
}
@@ -376,6 +383,12 @@
return;
}
+void doNotInvalidateWhenPassedToSystemCalls(char *s) {
+ char *p = malloc(12);
+ strlen(p);
+ strcpy(p, s); // expected-warning {{leak}}
+}
+
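Review bot: `doNotInvalidateWhenPassedToSystemCalls` only covers system functions that neither store nor free their argument, so the failure mode of the new assumption is untested; add a case under the known-false-positives section below that hands the pointer to a system function which retains it, with a `// TODO` noting that the resulting leak warning is spurious. The fixture's `strcpy(p, s)` copies an unbounded `s` into a 12-byte buffer; that is fine for what this test checks, but a short comment saying the leak is the expected warning on that line, not the overflow, keeps the intent clear.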
// Below are the known false positives.
// TODO: There should be no warning here.
Modified: cfe/trunk/test/Analysis/system-header-simulator.h
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/system-header-simulator.h?rev=150315&r1=150314&r2=150315&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/system-header-simulator.h (original)
+++ cfe/trunk/test/Analysis/system-header-simulator.h Sat Feb 11 17:46:36 2012
@@ -8,3 +8,6 @@
extern int errno;
unsigned long strlen(const char *);
+
+char *strcpy(char *restrict s1, const char *restrict s2);
+