[PATCH] D105821: [analyzer] [WIP] Model destructor for std::unique_ptr
Artem Dergachev via Phabricator via cfe-commits
cfe-commits at lists.llvm.org
Sun Aug 8 21:48:47 PDT 2021
NoQ added inline comments.
================
Comment at: clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp:440
+ State, {std::make_pair(CC->getCXXThisVal(), ArgVal)},
+ C.getLocationContext(), PSK_DirectEscapeOnCall, &Call);
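Review bot: the `PSK_DirectEscapeOnCall` argument on the second added line is passed with no comment explaining why the pair of `CC->getCXXThisVal()` and `ArgVal` should count as a direct escape on this call. A short comment above the call stating the intended effect on other checkers would let a reader judge whether that escape kind is the right one.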
----------------
RedDocMD wrote:
> It seems to me that this pointer escape doesn't work.
> For the following code:
> ```lang=cpp
> void foo() {
>   auto ptr = std::unique_ptr<int>(new int(13));
>   // Leak warning emitted here
> }
> ```
> the exploded graph shows the SVal for `new int(13)` as allocated instead of escaped (which eventually triggers the warning).
It shouldn't work in this case. The variable is local. A write to a local variable doesn't constitute an escape because access to a local variable from elsewhere is impossible.
I believe we should explicitly tell `MallocChecker` that memory is released, given that we know that this is exactly what happens. We could do this similarly to how `InnerPointerChecker` tells `MallocChecker` that `std::string::c_str()` is released when the string is destroyed.
Another solution would be to force an escape by calling `escapeValue()` directly. That'll definitely notify all checkers that the raw pointer value should be dropped, but that wouldn't allow us to ultimately find use-after-free of that value.
Repository:
rG LLVM Github Monorepo
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D105821/new/
https://reviews.llvm.org/D105821
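
The trade-off discussed in the comment above, as an added example that is not part of the original message and is not Clang's code: a toy model of the state a malloc-style checker keeps for one heap symbol, run over one constructed path under three ways of modelling the smart-pointer destructor. The names `Mem`, `Ev`, `DtorModel`, `Report` and `run` are hypothetical.

```cpp
#include <cstdio>
#include <vector>

// Toy model, not Clang's code: the state a malloc-style checker keeps for
// one heap symbol, and the events an analysis path can apply to it.
enum class Mem { Allocated, Released, Escaped };
enum class Ev { StoreToLocal, StoreToGlobal, SmartPtrDtor, UseRawPtr };
enum class DtorModel { None, ForceEscape, MarkReleased };

struct Report { bool Leak; bool UseAfterFree; };

// Runs one path that starts with `new int(13)` and ends at function exit.
Report run(const std::vector<Ev> &Path, DtorModel Model) {
  Mem S = Mem::Allocated;
  Report R{false, false};
  for (Ev E : Path) {
    switch (E) {
    case Ev::StoreToLocal:   // nobody else can reach a local: no escape
      break;
    case Ev::StoreToGlobal:  // reachable from elsewhere: stop tracking
      if (S == Mem::Allocated) S = Mem::Escaped;
      break;
    case Ev::SmartPtrDtor:   // the modelling choice under discussion
      if (Model == DtorModel::ForceEscape) S = Mem::Escaped;
      if (Model == DtorModel::MarkReleased) S = Mem::Released;
      break;
    case Ev::UseRawPtr:      // only a known-released symbol can be flagged
      if (S == Mem::Released) R.UseAfterFree = true;
      break;
    }
  }
  R.Leak = (S == Mem::Allocated);  // still tracked as owned at exit
  return R;
}

int main() {
  // Constructed path: a local unique_ptr takes `new int(13)`, is destroyed,
  // and a raw pointer saved from it earlier is read afterwards.
  std::vector<Ev> P = {Ev::StoreToLocal, Ev::SmartPtrDtor, Ev::UseRawPtr};
  const char *Names[] = {"None", "ForceEscape", "MarkReleased"};
  for (int M = 0; M < 3; ++M) {
    Report R = run(P, static_cast<DtorModel>(M));
    std::printf("%-12s leak=%d uaf=%d\n", Names[M], R.Leak, R.UseAfterFree);
  }
  return 0;
}
```

In this model only `MarkReleased` both silences the leak report and keeps the later raw-pointer use detectable; `ForceEscape` silences both.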