[PATCH] D71224: [analyzer] Escape symbols stored into specific region after a conservative evalcall.
Gábor Horváth via Phabricator via cfe-commits
cfe-commits at lists.llvm.org
Tue Dec 10 11:32:52 PST 2019
xazax.hun marked an inline comment as done.
xazax.hun added inline comments.
================
Comment at: clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp:624
+ if (const MemRegion *MR = Call.getArgSVal(Arg).getAsRegion())
+ if (!MR->hasStackStorage())
+ Escaped.push_back(State->getSVal(MR, Pointee));
----------------
NoQ wrote:
> Ok, so this patch interacts with D71152 in a non-trivial manner. We should re-use the logic that decides whether an escape on bind occurs.
Yeah, I just started to look into it and some skeletons fell out.
Let's consider the following example:
```
void leak() {
zx_handle_t sa, sb;
if (zx_channel_create(0, &sa, &sb))
return;
zx_handle_close(sb);
}
```
After using the same logic we can no longer detect the leak. The reason is, after `zx_channel_create` both `sa` and `sb` regions are escaped (and they become escaped during the conservative call) and then after the PostCall callback, when we attached the traits to our symbols, we will trigger pointer escape immediately, and lose the traits we just added.
I am not immediately sure what to do here. I feel like the main source of the problem is the fact that `zx_channel_create` should not escape anything and the checker has now way to communicate that to the analyzer core. Any ideas?
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D71224/new/
https://reviews.llvm.org/D71224
More information about the cfe-commits
mailing list