[cfe-dev] Ownership attribute for malloc etc. checking
Andrew McGregor
andrewmcgr at gmail.com
Mon Jul 12 16:33:18 PDT 2010
So, prior to deducing ownership annotations (which I think I see how to do
now, for non-pathological code), here's my latest version of the attributes.
The PreVisitBind implements the same algorithm as already used by the
Objective C ownership checker: if the pointer escaped from this scope by
assignment, let it go. However, assigning to fields of a stack-storage
structure does not transfer ownership.
The remaining issue is still that void foo(void ** it) {*it=malloc(42);}
warns. How would I check for assignment to a pointee of an argument in
PreVisitBind?
This is a git diff; if that won't apply, I have plenty of options for
regenerating it. (As an aside, why isn't the project using git?)
Andrew
On Fri, Jul 2, 2010 at 5:18 PM, Ted Kremenek <kremenek at apple.com> wrote:
> On Jul 1, 2010, at 8:08 PM, Andrew McGregor wrote:
>
> Ok, I get what you're saying, PreVisit seems the right answer.
>
> On Fri, Jul 2, 2010 at 2:41 PM, Jordy Rose <jediknil at belkadan.com> wrote:
>
>>
>>
>> > struct it * __attribute((ownership_returns(malloc))) foo(void) {
>> > struct it *rv = malloc(sizeof(struct it));
>> > if (!rv)
>> > return NULL; // Does not warn here.
>> > char *textString = malloc(128*sizeof(char));
>> > if(textString == NULL)
>> > free(rv);
>> > return NULL; // Warns about a memory leak here
>> > rv->s = textString;
>> > return rv; // Does NOT warn here
>> > }
>>
>> ...the code is just missing braces around the second if -- the second
>> "return NULL" is unconditional!
>>
>> Clang should catch this. Filing a bug. *grin*
>>
>
> D'oh!
>
> So looking at this version:
>
> struct it * __attribute((ownership_returns(malloc))) foo2(void) {
> struct it *rv = malloc(sizeof(struct it));
> if (!rv)
> return NULL;
> char *textString = malloc(128*sizeof(char));
> if(textString == NULL) {
> free(rv);
> return NULL;
> }
> rv->s = textString;
> return rv; // warns of a leak here
> }
>
> How could I make the assignment before the final return relinquish
> ownership of the pointer?
>
>
> CheckerVisitor also supports PreVisitBind (which is a callback that occurs
> before the RHS gets bound to the LHS). You can use that to monitor
> ownership transfer. We can also add PostVisitBind if that would be useful.
>
> That said, what are the semantics of the ownership algorithm? Does a leak
> get flagged here, or does the escape of the value to a field silence the
> warning?
>
> FWIW, ownership checking in the presence of data containers has been
> researched quite a bit. Here's some off-hand references that might be
> useful:
>
> Static Detection of Leaks in Polymorphic Containers, ICSE 2006
> http://suif.stanford.edu/~dlheine/icse06-preprint.pdf
>
> A practical flow-sensitive and context-sensitive C and C++ memory leak
> detector
> http://portal.acm.org/citation.cfm?doid=781131.781150
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: clang-ownership-pointers.patch
Type: text/x-patch
Size: 32436 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20100713/00170d8d/attachment.bin>
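The three ownership cases discussed in this thread, as an added example that is not taken from the attached patch or from any poster's message: the braced function whose buffer leaves through a field of the returned object, assignment to the pointee of an argument, and a field of a stack-storage struct. The names it_new, make_buf, local_only and the OWN_RETURNS macro are assumptions, and the comments state the intended ownership, not what any particular checker version reports.

```c
#include <stdlib.h>
#include <string.h>

/* Clang accepts the ownership attribute; other compilers get an empty macro. */
#if defined(__clang__)
#define OWN_RETURNS __attribute__((ownership_returns(malloc)))
#else
#define OWN_RETURNS
#endif

struct it { char *s; };

/* Case 1: braces in place. rv->s = textString moves the buffer into the
   returned object, so the caller owns both through the return value. */
OWN_RETURNS struct it *it_new(void) {
    struct it *rv = malloc(sizeof *rv);
    if (!rv)
        return NULL;
    char *textString = malloc(128 * sizeof(char));
    if (textString == NULL) {
        free(rv);
        return NULL;
    }
    textString[0] = '\0';
    rv->s = textString;
    return rv;
}

/* Case 2: storing through the pointee of an argument. The allocation
   outlives this scope and the caller is responsible for freeing *out. */
int make_buf(void **out) {
    *out = malloc(42);
    return *out ? 0 : -1;
}

/* Case 3: a field of a stack-storage struct does not carry the buffer out
   of the function, so it has to be freed before returning. */
size_t local_only(const char *src) {
    struct it tmp;
    size_t n = strlen(src);
    tmp.s = malloc(n + 1);
    if (!tmp.s)
        return 0;
    memcpy(tmp.s, src, n + 1);
    free(tmp.s);
    return n;
}
```

Running the file through `clang --analyze` shows what the installed analyzer reports for each case.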