[LLVMbugs] [Bug 14536] New: False positive: NSData initWithBytesNoCopy: only consumes a reference if successfully initialized

bugzilla-daemon at llvm.org bugzilla-daemon at llvm.org
Fri Dec 7 05:56:59 PST 2012


http://llvm.org/bugs/show_bug.cgi?id=14536

             Bug #: 14536
           Summary: False positive: NSData initWithBytesNoCopy: only
                    consumes a reference if successfully initialized
           Product: clang
           Version: 3.2
          Platform: Macintosh
        OS/Version: MacOS X
            Status: NEW
          Severity: normal
          Priority: P
         Component: Static Analyzer
        AssignedTo: kremenek at apple.com
        ReportedBy: hanauska at equinux.com
                CC: llvmbugs at cs.uiuc.edu
    Classification: Unclassified


The following code results in a false positive:

unsigned dataLen = 64;
void * data = calloc(1, dataLen);
NSData * result = [[NSData alloc] initWithBytesNoCopy:data length:dataLen];
if (!result) {
    free(data);
}

The analyzer assumes that initWithBytesNoCopy: takes over ownership and thus the
free() call will ultimately lead to a double free at some later time. This is
in theory correct, initWithBytesNoCopy: takes over ownership, yet the
documentation does not say that it will also free the pointer in case the init
method fails for whatever internal reason. Apart from that, the alloc call can
already fail, resulting in a nil ref and thus an init call on nil, in which
case data will leak for sure. The if statement makes sure that the free call
is only performed if the alloc or init call has failed and thus ownership was
not transferred.
