[clang] 5a2e595 - [analyzer] Fix Static Analyzer g_memdup false-positive

Balazs Benics via cfe-commits cfe-commits at lists.llvm.org
Mon May 2 01:36:16 PDT 2022


Author: Balazs Benics
Date: 2022-05-02T10:35:51+02:00
New Revision: 5a2e595eb8337e6e36da8ec2289b5c4097522f5b

URL: https://github.com/llvm/llvm-project/commit/5a2e595eb8337e6e36da8ec2289b5c4097522f5b
DIFF: https://github.com/llvm/llvm-project/commit/5a2e595eb8337e6e36da8ec2289b5c4097522f5b.diff

LOG: [analyzer] Fix Static Analyzer g_memdup false-positive

`g_memdup()` allocates and copies memory, thus we should not assume that
the returned memory region is uninitialized because it might not be the
case.

PS: It would be even better to copy the bindings to mimic the actual
content of the buffer, but this works too.

Fixes #53617

Reviewed By: martong

Differential Revision: https://reviews.llvm.org/D124436

Added: 
    

Modified: 
    clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
    clang/test/Analysis/gmalloc.c

Removed: 
    


################################################################################
diff  --git a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
index 0bbef394f43e5..ae9a7bc6a3914 100644
--- a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
@@ -1408,8 +1408,8 @@ void MallocChecker::checkGMalloc0(const CallEvent &Call,
 void MallocChecker::checkGMemdup(const CallEvent &Call,
                                  CheckerContext &C) const {
   ProgramStateRef State = C.getState();
-  State = MallocMemAux(C, Call, Call.getArgExpr(1), UndefinedVal(), State,
-                       AF_Malloc);
+  State =
+      MallocMemAux(C, Call, Call.getArgExpr(1), UnknownVal(), State, AF_Malloc);
   State = ProcessZeroAllocCheck(Call, 1, State);
   C.addTransition(State);
 }
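Review bot: Replacing `UndefinedVal()` with `UnknownVal()` in checkGMemdup removes the false positive at the cost of precision: the duplicated region now holds unknown contents, so a read through it is never reported, even when the source buffer was itself never written (for example a plain `g_malloc` result duplicated before any store). Since the log already states that copying the source region's bindings would be the faithful model, a short FIXME beside the `UnknownVal()` argument explaining why the conservative value is used would keep that intent visible to the next maintainer. The rest of the hunk is consistent: argument index 1 is still `byte_size` in `g_memdup(mem, byte_size)`, and `ProcessZeroAllocCheck(Call, 1, State)` continues to check the same argument.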

diff  --git a/clang/test/Analysis/gmalloc.c b/clang/test/Analysis/gmalloc.c
index 51f972856b1bb..240138e8a7a05 100644
--- a/clang/test/Analysis/gmalloc.c
+++ b/clang/test/Analysis/gmalloc.c
@@ -21,6 +21,7 @@ gpointer g_try_malloc0_n(gsize n_blocks, gsize n_block_bytes);
 gpointer g_try_realloc_n(gpointer mem, gsize n_blocks, gsize n_block_bytes);
 void g_free(gpointer mem);
 gpointer g_memdup(gconstpointer mem, guint byte_size);
+gpointer g_strconcat(gconstpointer string1, ...);
 
 static const gsize n_bytes = 1024;
 
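Review bot: The added stub `gpointer g_strconcat(gconstpointer string1, ...);` does not match GLib's real prototype, `gchar *g_strconcat(const gchar *string1, ...)`. For an analyzer test that only needs a variadic call site through which `s1->str` and `s2->str` are read, the mismatch is harmless, but the neighbouring declarations in this mock header (`g_try_realloc_n`, `g_free`, `g_memdup`) mirror GLib's actual signatures, so declaring it as `gchar *g_strconcat(const gchar *string1, ...);` (if `gchar` is available in this file) would keep the header consistent.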
@@ -167,3 +168,16 @@ void f7(void) {
   g_free(g6);
   g_free(g7);
 }
+
+void f8(void) {
+  typedef struct {
+    gpointer str;
+  } test_struct;
+
+  test_struct *s1 = (test_struct *)g_malloc0(sizeof(test_struct));
+  test_struct *s2 = (test_struct *)g_memdup(s1, sizeof(test_struct));
+  gpointer str = g_strconcat("text", s1->str, s2->str, NULL); // no-warning
+  g_free(str);
+  g_free(s2);
+  g_free(s1);
+}
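Review bot: `f8` exercises only the case where the source of `g_memdup` is zero-initialized by `g_malloc0`, which is exactly the false positive being fixed. A companion case in which the source comes from plain `g_malloc` and a field of the duplicate is then read would document the precision trade-off of the `UnknownVal()` model (silent today) and would become an expected warning once the bindings are copied as the log suggests. The `// no-warning` annotation is only checked if the file's RUN line uses `-verify`; the hunk does not show the RUN line, so that is worth confirming. The cleanup order (`str`, `s2`, `s1`, each freed once) is correct and should not trigger leak or double-free reports.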
