[cfe-dev] Ownership attribute for malloc etc. checking

Andrew McGregor andrewmcgr at gmail.com
Thu Jul 1 17:56:30 PDT 2010


On Tue, Jun 29, 2010 at 1:03 PM, Jordy Rose <jediknil at belkadan.com> wrote:

>
> >> Why does that matter? Because an ownership_takes() or ownership_holds()
> >> function might have a return value! If it's also ownership_returns(), then
> >> you're fine, but otherwise you need to set a symbolic return value. (You
> >> can see how this is done in MallocMemAux(), or in StreamChecker.cpp with
> >> fopen.) There should probably be a test for this as well.
> >
> >
> > It isn't necessarily the case that an ownership_takes() function that
> > returns a pointer generated that pointer from an ownership_takes argument,
> > or allocated anything, so what would you set the region to, in the absence
> > of other information?  They default to Unknown, yes?
>
> I believe so, but for return values from function calls we prefer to use a
> "conjured symbol value". This is a kind of value that can be reasoned about
> symbolically in later statements -- for example, we can bound its value if
> it's an integer, or mark that it's null or non-null if it's a pointer.


So I'm still not sure I understand what you mean me to do here... could you
elaborate?

Since you seem to be the symbolic value expert, I'll ask about the case I'm
trying to solve now.  I added some symbolic checks to the free handling,
similar to realloc, to prevent warnings in the common case of error handling
for allocation handlers.

So now this works:

#include <stdlib.h>

char * __attribute((ownership_returns(malloc))) foo(void) {
  char *textString = malloc(128*sizeof(char));
  if(textString == NULL)
    return NULL; // No warning here
  return textString;
}

But now I have this:

#include <stdlib.h>

struct it {
  char * s;
};

struct it * __attribute((ownership_returns(malloc))) foo(void) {
  struct it *rv = malloc(sizeof(struct it));
  if (!rv)
    return NULL; // Does not warn here.
  char *textString = malloc(128*sizeof(char));
  if(textString == NULL)
    free(rv);
    return NULL; // Warns about a memory leak here
  rv->s = textString;
  return rv; // Does NOT warn here
}
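As an added example (not code from the message above, nor from the Clang sources), here is how the three attributes this thread is about, ownership_returns, ownership_takes and ownership_holds, are used together on a small allocator wrapper. The names it_alloc, it_free, make_it, free_it, register_it and the counters are invented for this example; the failure hook is constructed so the error path can be exercised at run time. Two caveats a reader of the thread will want: the release on the error path has to sit inside the braces of the if (in the second snippet above the if has no braces, so its return NULL runs unconditionally), and an ownership_holds or ownership_takes annotation is unconditional, so the annotated function must own the pointer on every path, including its own failure path. The attributes only carry meaning for the clang static analyzer and are compiled out on other compilers, which would otherwise warn about unknown attributes.

```c
#include <stdlib.h>
#include <string.h>

/* The ownership_* attributes are only consumed by the clang static
 * analyzer; other compilers see unknown attributes, so compile them out. */
#if defined(__clang__)
#define OWNS_RETURN(pool)     __attribute__((ownership_returns(pool)))
#define OWNS_TAKES(pool, idx) __attribute__((ownership_takes(pool, idx)))
#define OWNS_HOLDS(pool, idx) __attribute__((ownership_holds(pool, idx)))
#else
#define OWNS_RETURN(pool)
#define OWNS_TAKES(pool, idx)
#define OWNS_HOLDS(pool, idx)
#endif

struct it {
    char *s;
};

/* Constructed test hooks (invented for this example): a live-allocation
 * count so a test can verify the error path frees everything, and a way
 * to force the n-th allocation to fail. */
static int it_live_allocs = 0;
static int it_alloc_calls = 0;
static int it_fail_on_call = 0;   /* 0 = never fail, n = fail the n-th call */

/* The wrapper hands out a fresh allocation (ownership_returns); the
 * matching release takes its first argument back (ownership_takes). */
static void *it_alloc(size_t n) OWNS_RETURN(malloc);
static void it_free(void *p) OWNS_TAKES(malloc, 1);

static void *it_alloc(size_t n)
{
    it_alloc_calls++;
    if (it_fail_on_call != 0 && it_alloc_calls == it_fail_on_call)
        return NULL;              /* simulated allocation failure */
    void *p = malloc(n);
    if (p != NULL)
        it_live_allocs++;
    return p;
}

static void it_free(void *p)
{
    if (p != NULL)
        it_live_allocs--;
    free(p);
}

/* Build an item holding a copy of text. Each early return releases what
 * was already allocated, and the release is inside the braces of the if,
 * so the final return is only reached on the success path. */
static struct it *make_it(const char *text) OWNS_RETURN(malloc);
static struct it *make_it(const char *text)
{
    struct it *rv = it_alloc(sizeof *rv);
    if (rv == NULL)
        return NULL;
    size_t len = strlen(text) + 1;
    rv->s = it_alloc(len);
    if (rv->s == NULL) {
        it_free(rv);
        return NULL;
    }
    memcpy(rv->s, text, len);
    return rv;
}

static void free_it(struct it *item) OWNS_TAKES(malloc, 1);
static void free_it(struct it *item)
{
    if (item == NULL)
        return;
    it_free(item->s);
    it_free(item);
}

/* A registry that keeps items alive without freeing them yet
 * (ownership_holds). The attribute is unconditional, so the function must
 * own the item on every path: when full, it frees the item itself. */
#define IT_REGISTRY_MAX 4
static struct it *it_registry[IT_REGISTRY_MAX];
static int it_registry_count = 0;

static int register_it(struct it *item) OWNS_HOLDS(malloc, 1);
static int register_it(struct it *item)
{
    if (item == NULL)
        return -1;
    if (it_registry_count >= IT_REGISTRY_MAX) {
        free_it(item);
        return -1;
    }
    it_registry[it_registry_count++] = item;
    return 0;
}

static void clear_registry(void)
{
    for (int i = 0; i < it_registry_count; i++)
        free_it(it_registry[i]);
    it_registry_count = 0;
}

/* Run make_it with the n-th allocation forced to fail (0 = no failure);
 * returns 1 if an item came back, 0 if make_it returned NULL. */
static int make_it_with_failure(int fail_call, const char *text, struct it **out)
{
    it_alloc_calls = 0;
    it_fail_on_call = fail_call;
    *out = make_it(text);
    it_fail_on_call = 0;
    return *out != NULL;
}
```

Running this under clang --analyze with the attributes enabled is the static side of the check; the counters give the dynamic side, which is what catches a misannotated function such as a register_it that returned -1 without taking the item.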