[cfe-dev] Query Regarding RetainCountChecker | Clang Static Analyzer

Artem Dergachev via cfe-dev cfe-dev at lists.llvm.org
Tue Jun 20 09:00:37 PDT 2017 

These warnings seem reasonable to me, because we can be certain that 
free() doesn't decrement reference counts - instead it frees the memory 
(release doesn't imply freeing the memory - something else may still 
retain). So `bmap' is freed but not released, therefore we have a 
warning from RetainCountChecker regarding a memory leak *and*, in case 
2, a warning from MallocChecker regarding use-after-free.

On 6/20/17 6:55 AM, Malhar Thakkar via cfe-dev wrote:
> Dear all,
>
> Consider the following hypothetical test cases (using the Integer Set 
> Library objects and annotations) which is passed through the 
> RetainCountChecker.
>
>
> *// Case 1*
> *#define __isl_give **__attribute__((cf_returns_retained))*
> *#define __isl_take __attribute__((cf_consumed))*
> *
> *
> *// Declaration of isl_basic_map_cow(). Definition is in another .c 
> file and hence is not visible to the static analyzer.*
> __isl_give isl_basic_map *isl_basic_map_cow(__isl_take isl_basic_map 
> *bmap);
>
>
> __isl_give isl_basic_map **foo*(__isl_take isl_basic_map *bmap) {
> isl_basic_map *temp = bmap;
> bmap = isl_basic_map_cow(bmap);
> free(bmap);
> return temp; *// Leak warning is raised for 'bmap' here.*
> }
>
> *// Case 2*
> *#define __isl_give **__attribute__((cf_returns_retained))*
> *#define __isl_take __attribute__((cf_consumed))*
> *
> *
> *// Declaration of isl_basic_map_cow(). **Definition is in another .c 
> file and hence is not visible to the static analyzer.*
> __isl_give isl_basic_map *isl_basic_map_cow(__isl_take isl_basic_map 
> *bmap);
>
>
> __isl_give isl_basic_map **foo*(__isl_take isl_basic_map *bmap) {
> isl_basic_map *temp = bmap;
> bmap = isl_basic_map_cow(bmap);
> free(bmap);
> return bmap; *// Use-after-free warning is raised for 'bmap' here.*
> }
>
> My question:
>
>   * Looking at the warnings raised in both the cases. could someone
>     please explain me why is a leak warning being raised in Case 1?
>     isl_basic_map_cow() returns an object with a +1 retain count which
>     is then freed.
>
>
> Thank you.
>
>
> Regards,
> Malhar Thakkar
>
>>
>
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at lists.llvm.org
> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev

More information about the cfe-dev mailing list