[PATCH] D124436: [analyzer] Fix Static Analyzer g_memdup false-positive
Balázs Benics via Phabricator via cfe-commits
cfe-commits at lists.llvm.org
Tue Apr 26 00:35:42 PDT 2022
steakhal created this revision.
steakhal added reviewers: NoQ, Szelethus, martong, xazax.hun, ASDenysPetrov.
Herald added subscribers: manas, dkrupp, donat.nagy, mikhail.ramalho, a.sidorin, rnkovacs, szepet, baloghadamsoftware.
Herald added a project: All.
steakhal requested review of this revision.
Herald added a project: clang.
Herald added a subscriber: cfe-commits.
`g_memdup()` allocates and copies memory, thus we should not assume that
the returned memory region is uninitialized because it might not be the
case.
PS: It would be even better to copy the bindings to mimic the actual
content of the buffer, but this works too.
Fixes #53617
Repository:
rG LLVM Github Monorepo
https://reviews.llvm.org/D124436
Files:
clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
clang/test/Analysis/gmalloc.c
Index: clang/test/Analysis/gmalloc.c
===================================================================
--- clang/test/Analysis/gmalloc.c
+++ clang/test/Analysis/gmalloc.c
@@ -21,6 +21,7 @@
gpointer g_try_realloc_n(gpointer mem, gsize n_blocks, gsize n_block_bytes);
void g_free(gpointer mem);
gpointer g_memdup(gconstpointer mem, guint byte_size);
+gpointer g_strconcat(gconstpointer string1, ...);
static const gsize n_bytes = 1024;
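Review bot: The new `g_strconcat` prototype does not match GLib's own declaration, which is `gchar *g_strconcat(const gchar *string1, ...)` rather than `gpointer g_strconcat(gconstpointer string1, ...)`. The stub works as a sink for the analyzer either way, since the undefined-argument diagnostic is keyed on the argument value and not on the parameter type, but the other prototypes in this header mirror the real GLib signatures, so consider keeping this one faithful as well.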
@@ -167,3 +168,16 @@
g_free(g6);
g_free(g7);
}
+
+void f8(void) {
+ typedef struct {
+ gpointer str;
+ } test_struct;
+
+ test_struct *s1 = (test_struct *)g_malloc0(sizeof(test_struct));
+ test_struct *s2 = (test_struct *)g_memdup(s1, sizeof(test_struct));
+ gpointer str = g_strconcat("text", s1->str, s2->str, NULL); // no-warning
+ g_free(str);
+ g_free(s2);
+ g_free(s1);
+}
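Review bot: `f8` only covers the case where the source of `g_memdup` is fully initialized (`g_malloc0`), so it cannot distinguish "the copied bytes are modeled as unknown" from "the copied bytes are modeled as a copy of the source". Consider adding a companion test where `s1` comes from `g_malloc` instead and `s2->str` is then passed to `g_strconcat`: with this change that path no longer warns either, which is the known false negative the description alludes to ("it would be even better to copy the bindings"). Documenting it in the test with an explicit comment makes the trade-off visible to whoever later implements binding copying. One small readability point: since `s1` is zero-filled, `s1->str` is `NULL` and is the argument that terminates `g_strconcat`'s list at runtime; that does not affect the analyzer, but passing `s2->str` before `s1->str` (or dropping `s1->str`) would make the intent of the `// no-warning` line clearer.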
Index: clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
===================================================================
--- clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
+++ clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
@@ -1408,8 +1408,8 @@
void MallocChecker::checkGMemdup(const CallEvent &Call,
CheckerContext &C) const {
ProgramStateRef State = C.getState();
- State = MallocMemAux(C, Call, Call.getArgExpr(1), UndefinedVal(), State,
- AF_Malloc);
+ State =
+ MallocMemAux(C, Call, Call.getArgExpr(1), UnknownVal(), State, AF_Malloc);
State = ProcessZeroAllocCheck(Call, 1, State);
C.addTransition(State);
}
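Review bot: The switch from `UndefinedVal()` to `UnknownVal()` deserves a comment at the call site in `checkGMemdup`, otherwise the next reader will wonder why this allocator alone differs from the other `MallocMemAux` callers. Something like `// g_memdup copies byte_size bytes from mem, so the new region is not uninitialized; conservatively model its contents as unknown.` plus a `FIXME` noting that the more precise modeling would copy the bindings of `Call.getArgExpr(0)` into the new region (the approach the description already mentions) would capture the reasoning. The `ProcessZeroAllocCheck(Call, 1, State)` line is unaffected and still keys on the `byte_size` argument, which is correct.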