[cfe-dev] How does Clang Static Analyzer deal with malloc()?

[Anna Zaks]

> On Jun 23, 2014, at 9:37 AM, Arthur Yoo <phjy007 at gmail.com> wrote:
> 
> Hi all,
> 
> I have some problem on the result of Clang Static Analyzer dealing with malloc().  Here is the simple test code, which I tried:
> 
> int *pi;
> 
> pi = (int *)malloc(sizeof(int));
> 
> *pi = 8;
> 
> free(pi);
> 
>  
> The pi is a pointer variable. After malloc() being called, pi points to an object which is located on the heap. However, in the Clang Static Analyzer, I found that after malloc() being called, pi pointed to element{SymRegion{conj_$2{void *}},0 S32b,int}. Then I tried to get the super region of SymRegion{conj_$2{void *}}. What confused me is that, the super region of SymRegion{conj_$2{void *}} was UnkonwnSpaceRegion. I thought its super region should be HeapSapceRegion, because I use malloc() for dynamic memory allocation in the code. But now I get the different result. So I wonder how does Static Analyzer deal with malloc()? Does Static Analyzer regard malloc() as an ordinary function which returns an pointer?
> 
You can find out more about how heap region is used and constructed from commit r158136. The SymRegion should have heapRegion() as it's parent. Maybe the printing is off?

>  
> What’s more, I have a question on the method isInSystemHeader() of CallEvent. I use it to test whether the CallEvent is an system function call, such as scanf(), printf() and etc. But it seems it does work. It seems that Static Analyzer cannot tell whether a function call is in system header rightly. And my Clang version is 3.5.
> 
>  

It should work. How are you testing this? 

> Thanks a lot.
> 
> 
> -- 
> Best regards,
> Arthur Yoo
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at cs.uiuc.edu
> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20140623/23115177/attachment.html>