[PATCH] D71224: [analyzer] Escape symbols stored into specific region after a conservative evalcall.

Gábor Horváth via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Tue Dec 10 13:33:13 PST 2019


xazax.hun added a comment.

In D71224#1778179 <https://reviews.llvm.org/D71224#1778179>, @NoQ wrote:

> In any case, every checker is allowed to make their own decisions about escaping. Escape on its own is not material, it's all about how the checker reacts to escapes. Say, it's up to MallocChecker to decide whether the function may or may not release memory that escapes on call.
>
> I think a valid approach would be to simply look up the function in your `CallDescriptionMap` and then abort the `checkPointerEscape` callback when it's found.
>
> Yet, it annoys me a bit that we didn't make everything magically work in an "out of the box" manner. Can we eliminate the first pointer escape (that happens before PostCall) but only keep the secondary escape?


I don't think this is a good enough model currently. The problem is that it does not play well with annotations. E.g. the checker can see a symbol escaping, but it does not have a whole lot of information about how. For example, currently, there is no way to check if the output parameter through which the escape happened was annotated somehow.


CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D71224/new/

https://reviews.llvm.org/D71224




