[cfe-dev] How does Clang Static Analyzer deal with malloc()?

Arthur Yoo phjy007 at gmail.com
Mon Jun 23 09:37:25 PDT 2014


Hi all,

I have a problem with the result of the Clang Static Analyzer when it deals
with malloc(). Here is the simple test code that I tried:

#include <stdlib.h>   /* malloc(), free() */

int main(void) {
    int *pi;

    /* allocate one int on the heap */
    pi = (int *)malloc(sizeof(int));
    if (pi == NULL)
        return 1;     /* allocation failed, nothing to write to */

    *pi = 8;

    free(pi);
    return 0;
}

*pi* is a pointer variable. After malloc() is called, *pi* points to an
object located on the heap. However, in the Clang Static Analyzer I found
that after malloc() was called, *pi* pointed to
*element{SymRegion{conj_$2{void *}},0 S32b,int}*. Then I tried to get the
super region of *SymRegion{conj_$2{void *}}*. What confused me is that the
super region of *SymRegion{conj_$2{void *}}* was *UnknownSpaceRegion*. I
thought its super region should be HeapSpaceRegion, because I use malloc()
for dynamic memory allocation in the code. But now I get a different
result. So I wonder how the Static Analyzer deals with malloc(). Does the
Static Analyzer regard malloc() as an ordinary function that returns a
pointer?

What's more, I have a question about the method *isInSystemHeader()* of
CallEvent. I use it to test whether the CallEvent is a system function
call, such as *scanf()*, *printf()*, etc. But it seems it does work. It
seems that the Static Analyzer cannot tell correctly whether a function
call is in a system header. My Clang version is 3.5.

Thanks a lot.

-- 
Best regards,
Arthur Yoo