[cfe-dev] Clang on Windows fails to detect trivial double free in static analysis

<Alexander G. Riccio> via cfe-dev cfe-dev at lists.llvm.org
Sat Jan 2 12:57:09 PST 2016


When I build the attached C program in Windows, using Clang built from a
very recent tree version (trunk 256686), Clang fails to detect the trivial
double free, as evidenced in the resulting plist file (attached).

What's going on here? I have a gut feeling that it has something to do with
Clang's ignorance of SAL, which allows MSVC to detect the condition
generically:

void __cdecl free(
    _Pre_maybenull_ _Post_invalid_ void* _Block
    );

(from C:/Program Files (x86)/Windows
Kits/10/Include/10.0.10240.0/ucrt/corecrt_malloc.h)

I'm also attaching the verbose compilation output.

Sincerely,
Alexander Riccio
--
"Change the world or go home."
about.me/ariccio

If left to my own devices, I will build more.
⁂
-------------- next part --------------
C:\LLVM\build\Debug\bin>clang.exe -H -v --analyze "C:\Users\Alexander Riccio\Documents\basically_flawed_c_program\basically_flawed_c_program.c"
clang version 3.8.0 (trunk 256686)
Target: i686-pc-windows-msvc
Thread model: posix
InstalledDir: C:\LLVM\build\Debug\bin
 "C:\\LLVM\\build\\Debug\\bin\\clang.exe" -cc1 -triple i686-pc-windows-msvc18.0.0 -analyze -disable-free -main-file-name basically_flawed_c_program.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-eagerly-assume -analyzer-checker=core -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -mrelocation-model static -mthread-model posix -mdisable-fp-elim -fmath-errno -masm-verbose -mconstructor-aliases -target-cpu pentium4 -v -H -dwarf-column-info -debugger-tuning=gdb -resource-dir "C:\\LLVM\\build\\Debug\\bin\\..\\lib\\clang\\3.8.0" -internal-isystem "C:\\LLVM\\build\\Debug\\bin\\..\\lib\\clang\\3.8.0\\include" -internal-isystem "C:\\Program Files (x86)\\Microsoft Visual Studio 14.0\\VC\\include" -internal-isystem "C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.10240.0\\ucrt" -internal-isystem "C:\\Program Files (x86)\\Windows Kits\\10\\include\\10.0.10240.0\\shared" -internal-isystem "C:\\Program Files (x86)\\Windows Kits\\10\\include\\10.0.10240.0\\um" -internal-isystem "C:\\Program Files (x86)\\Windows Kits\\10\\include\\10.0.10240.0\\winrt" -fdebug-compilation-dir "C:\\LLVM\\build\\Debug\\bin" -ferror-limit 19 -fmessage-length 230 -fms-extensions -fms-compatibility -fms-compatibility-version=18 -fno-threadsafe-statics -fdelayed-template-parsing -fobjc-runtime=gcc -fdiagnostics-show-option -fcolor-diagnostics -o basically_flawed_c_program.plist -x c "C:\\Users\\Alexander Riccio\\Documents\\basically_flawed_c_program\\basically_flawed_c_program.c"
clang -cc1 version 3.8.0 based upon LLVM 3.8.0svn default target i686-pc-windows-msvc
#include "..." search starts here:
#include <...> search starts here:
 C:\LLVM\build\Debug\bin\..\lib\clang\3.8.0\include
 C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\include
 C:\Program Files (x86)\Windows Kits\10\Include\10.0.10240.0\ucrt
 C:\Program Files (x86)\Windows Kits\10\include\10.0.10240.0\shared
 C:\Program Files (x86)\Windows Kits\10\include\10.0.10240.0\um
 C:\Program Files (x86)\Windows Kits\10\include\10.0.10240.0\winrt
End of search list.
. C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.10240.0\\ucrt\\stdlib.h
.. C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.10240.0\\ucrt\\corecrt.h
... C:\\Program Files (x86)\\Microsoft Visual Studio 14.0\\VC\\include\\vcruntime.h
.... C:\\Program Files (x86)\\Microsoft Visual Studio 14.0\\VC\\include\\sal.h
..... C:\\Program Files (x86)\\Microsoft Visual Studio 14.0\\VC\\include\\ConcurrencySal.h
.... C:\\LLVM\\build\\Debug\\bin\\..\\lib\\clang\\3.8.0\\include\\vadefs.h
..... C:\\Program Files (x86)\\Microsoft Visual Studio 14.0\\VC\\include\\vadefs.h
.. C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.10240.0\\ucrt\\corecrt_malloc.h
.. C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.10240.0\\ucrt\\corecrt_search.h
... C:\\LLVM\\build\\Debug\\bin\\..\\lib\\clang\\3.8.0\\include\\stddef.h
.... C:\\LLVM\\build\\Debug\\bin\\..\\lib\\clang\\3.8.0\\include/__stddef_max_align_t.h
.. C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.10240.0\\ucrt\\corecrt_wstdlib.h
.. C:\\LLVM\\build\\Debug\\bin\\..\\lib\\clang\\3.8.0\\include\\limits.h
... C:\\Program Files (x86)\\Microsoft Visual Studio 14.0\\VC\\include\\limits.h
.... C:\\Program Files (x86)\\Microsoft Visual Studio 14.0\\VC\\include\\vcruntime.h
-------------- next part --------------
A non-text attachment was scrubbed...
Name: basically_flawed_c_program.c
Type: text/x-csrc
Size: 208 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20160102/e1a18731/attachment.c>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: basically_flawed_c_program.plist
Type: application/octet-stream
Size: 367 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20160102/e1a18731/attachment.obj>
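
Added example, not part of the original message: in the Clang static analyzer, double-free reports come from the unix.Malloc checker, so a useful first check on a `-v --analyze` log is which checkers the driver actually passed to -cc1. The script parses an abridged copy of the -cc1 line from the verbose output above; the function names are made up for this example.

```python
import shlex

# Abridged copy of the -cc1 line from the verbose output above: the checker
# flags are verbatim, most unrelated flags are dropped.
CC1_LINE = (
    r'"C:\\LLVM\\build\\Debug\\bin\\clang.exe" -cc1 -triple i686-pc-windows-msvc18.0.0 '
    r'-analyze -analyzer-store=region -analyzer-checker=core -analyzer-checker=deadcode '
    r'-analyzer-checker=security.insecureAPI.UncheckedReturn '
    r'-analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets '
    r'-analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp '
    r'-analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull '
    r'-analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -x c'
)

FLAGS = (("-analyzer-checker", True), ("-analyzer-disable-checker", False))


def checker_options(cc1_line):
    """Return ordered (name, enabled) pairs from a -cc1 command line.

    Handles both the joined (-flag=a,b) and separate (-flag a,b) spellings.
    """
    args = shlex.split(cc1_line)
    opts = []
    for i, arg in enumerate(args):
        for flag, on in FLAGS:
            if arg.startswith(flag + "="):
                names = arg[len(flag) + 1:]
            elif arg == flag and i + 1 < len(args):
                names = args[i + 1]
            else:
                continue
            opts += [(n, on) for n in names.split(",") if n]
    return opts


def is_enabled(checker, opts):
    """The last option naming the checker or an enclosing package wins."""
    state = False
    for name, on in opts:
        if checker == name or checker.startswith(name + "."):
            state = on
    return state


if __name__ == "__main__":
    opts = checker_options(CC1_LINE)
    for wanted in ("core.NullDereference", "security.insecureAPI.gets", "unix.Malloc"):
        print(f"{wanted:28} {'enabled' if is_enabled(wanted, opts) else 'NOT enabled'}")
```

On the line from this log, unix.Malloc comes out as not enabled: no `unix` package or `unix.Malloc` checker appears among the `-analyzer-checker` flags.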