[PATCH] D139534: [analyzer] Don't escape local static memregions on bind
Balázs Benics via Phabricator via cfe-commits
cfe-commits at lists.llvm.org
Wed Dec 21 09:15:48 PST 2022
steakhal updated this revision to Diff 484600.
steakhal added a comment.
- Add two test cases demonstrating the false-positives this patch will introduce. These are semantically equivalent to the one mentioned in the comments by @NoQ.
Repository:
rG LLVM Github Monorepo
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D139534/new/
https://reviews.llvm.org/D139534
Files:
clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
clang/test/Analysis/malloc-static-storage.cpp
Index: clang/test/Analysis/malloc-static-storage.cpp
===================================================================
--- /dev/null
+++ clang/test/Analysis/malloc-static-storage.cpp
@@ -0,0 +1,77 @@
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix.Malloc -verify %s
+
+typedef __typeof(sizeof(int)) size_t;
+void* malloc(size_t size);
+void *calloc(size_t num, size_t size);
+void free(void * ptr);
+
+void escape(void *);
+void next_statement();
+
+void conditional_malloc(bool coin) {
+ static int *p;
+
+ if (coin) {
+ p = (int *)malloc(sizeof(int));
+ }
+ p = 0; // Pointee of 'p' dies, which is recognized at the next statement.
+ next_statement(); // expected-warning {{Potential memory leak}}
+}
+
+void malloc_twice() {
+ static int *p;
+ p = (int *)malloc(sizeof(int));
+ next_statement();
+ p = (int *)malloc(sizeof(int));
+ next_statement(); // expected-warning {{Potential memory leak}}
+ p = 0;
+ next_statement(); // expected-warning {{Potential memory leak}}
+}
+
+void malloc_escape() {
+ static int *p;
+ p = (int *)malloc(sizeof(int));
+ escape(p); // no-leak
+ p = 0; // no-leak
+}
+
+void free_whatever_escaped();
+void malloc_escape_reversed() {
+ static int *p;
+ escape(&p);
+ p = (int *)malloc(sizeof(int));
+ free_whatever_escaped();
+ p = 0; // FIXME: We should not report a leak here.
+ next_statement(); // expected-warning {{Potential memory leak}}
+}
+
+int *malloc_return_static() {
+ static int *p = (int *)malloc(sizeof(int));
+ return p; // no-leak
+}
+
+int malloc_unreachable(int rng) {
+ // 'p' does not escape and never freed :(
+ static int *p;
+
+ // For the second invocation of this function, we leak the previous pointer.
+ // FIXME: We should catch this at some point.
+ p = (int *)malloc(sizeof(int));
+ *p = 0;
+
+ if (rng > 0)
+ *p = rng;
+
+ return *p; // FIXME: We just leaked 'p'. We should warn about this.
+}
+
+void malloc_cond(bool cond) {
+ static int *p;
+ if (cond) {
+ p = (int*)malloc(sizeof(int));
+ free_whatever_escaped();
+ p = 0; // FIXME: We should not report a leak here.
+ next_statement(); // expected-warning {{Potential memory leak}}
+ }
+ escape(&p);
+}
Index: clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
===================================================================
--- clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
+++ clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
@@ -3462,7 +3462,8 @@
for (const std::pair<SVal, SVal> &LocAndVal : LocAndVals) {
// Cases (1) and (2).
const MemRegion *MR = LocAndVal.first.getAsRegion();
- if (!MR || !MR->hasStackStorage()) {
+ if (!MR ||
+ !isa<StackSpaceRegion, StaticGlobalSpaceRegion>(MR->getMemorySpace())) {
Escaped.push_back(LocAndVal.second);
continue;
}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D139534.484600.patch
Type: text/x-patch
Size: 2785 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20221221/5a5b4b64/attachment.bin>
More information about the cfe-commits
mailing list