[PATCH] D71224: [analyzer] Escape symbols stored into specific region after a conservative evalcall.
Gábor Horváth via Phabricator via cfe-commits
cfe-commits at lists.llvm.org
Tue Dec 10 14:37:25 PST 2019
xazax.hun added a comment.
I think I found the main problem with the current model, at least for the FuchsiaHandleCheck.
Consider the following two snippets:
    #include <zircon/syscalls.h>   /* zx_handle_t, zx_channel_create, zx_handle_close */

    /* Opaque function the analyzer evaluates conservatively: the memory it
     * returns is unknown to the checker, so anything stored there escapes. */
    zx_handle_t *get_handle_address();

    void escape_store_to_escaped_region01() {
      zx_handle_t sb;
      /* The first handle is written into memory owned by unknown code. */
      if (zx_channel_create(0, get_handle_address(), &sb))
        return;
      zx_handle_close(sb);
    }

    void leak() {
      zx_handle_t sa, sb;
      /* Both handles land in locals; only sb is closed, so sa leaks. */
      if (zx_channel_create(0, &sa, &sb))
        return;
      zx_handle_close(sb);
    }
In the first one I want the first handle to be escaped; in the second one I do not want it to be escaped.
With my current proposed changes the checker will receive a pointer escape callback for both, but it does not have enough info to differentiate between the two cases.
If I do not act upon this kind of escape I end up reporting a false positive in the first case. If I act on this escape I end up missing a true positive in the second case.
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D71224/new/
https://reviews.llvm.org/D71224
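To make the distinction the comment asks for concrete, here is an added toy model of the two outcomes (illustrative code written for this page, not the clang static analyzer's or FuchsiaHandleCheck's implementation). It assumes the checker can learn, for each store of a fresh handle, whether the destination region is a local variable or memory that already escaped through a conservatively evaluated call; the names `region_kind`, `analysis_state`, `model_store_new_handle`, `model_close` and `count_leaks` are all hypothetical. With that one bit of information the first snippet reports no leak and the second reports one, which is exactly the information the comment says the current escape callback does not carry.

```c
/* Toy abstract state for tracking Fuchsia handles inside one function.
 * Constructed for illustration; not the analyzer's data structures. */

enum region_kind {
    REGION_LOCAL,             /* a local variable such as `sa` or `sb` */
    REGION_FROM_UNKNOWN_CALL  /* memory returned by get_handle_address() */
};

enum handle_state {
    HANDLE_ALLOCATED,  /* created, still owned by this function */
    HANDLE_RELEASED,   /* passed to zx_handle_close */
    HANDLE_ESCAPED     /* stored somewhere unknown code can reach it */
};

#define MAX_HANDLES 8

struct analysis_state {
    enum handle_state handles[MAX_HANDLES];
    int count;
};

/* Model one output parameter of zx_channel_create receiving a fresh handle.
 * A handle written into an already-escaped region is marked escaped at once;
 * a handle written into a local stays tracked. Returns the handle's index. */
static int model_store_new_handle(struct analysis_state *st, enum region_kind dest)
{
    if (st->count >= MAX_HANDLES)
        return -1;
    int id = st->count++;
    st->handles[id] = (dest == REGION_FROM_UNKNOWN_CALL) ? HANDLE_ESCAPED
                                                          : HANDLE_ALLOCATED;
    return id;
}

/* Model zx_handle_close on a tracked handle. */
static void model_close(struct analysis_state *st, int id)
{
    if (id >= 0 && id < st->count && st->handles[id] == HANDLE_ALLOCATED)
        st->handles[id] = HANDLE_RELEASED;
}

/* End-of-function check: every handle still ALLOCATED is a leak.
 * ESCAPED handles are deliberately not reported. */
static int count_leaks(const struct analysis_state *st)
{
    int leaks = 0;
    for (int i = 0; i < st->count; i++)
        if (st->handles[i] == HANDLE_ALLOCATED)
            leaks++;
    return leaks;
}

/* Walk the first snippet: first handle goes to get_handle_address() memory. */
int leaks_in_escape_store_to_escaped_region01(void)
{
    struct analysis_state st = {0};
    int first = model_store_new_handle(&st, REGION_FROM_UNKNOWN_CALL);
    int sb = model_store_new_handle(&st, REGION_LOCAL);
    (void)first;              /* never closed here, but it escaped */
    model_close(&st, sb);
    return count_leaks(&st);  /* 0 */
}

/* Walk the second snippet: both handles go to locals, only sb is closed. */
int leaks_in_leak(void)
{
    struct analysis_state st = {0};
    int sa = model_store_new_handle(&st, REGION_LOCAL);
    int sb = model_store_new_handle(&st, REGION_LOCAL);
    (void)sa;                 /* never closed and never escaped: a leak */
    model_close(&st, sb);
    return count_leaks(&st);  /* 1 */
}
```

The design point is that the escape decision is made at the store, keyed on the destination region, rather than at the generic pointer-escape callback; if the callback only says "a handle escaped" without naming the region it was written to, the model above collapses to either reporting both cases or neither.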