[llvm-bugs] [Bug 50771] New: Static analyzer ignores calls through function pointers
via llvm-bugs
llvm-bugs at lists.llvm.org
Fri Jun 18 13:04:10 PDT 2021
https://bugs.llvm.org/show_bug.cgi?id=50771
Bug ID: 50771
Summary: Static analyzer ignores calls through function pointers
Product: clang
Version: trunk
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P
Component: Static Analyzer
Assignee: dcoughlin at apple.com
Reporter: aaronpuchert at alice-dsl.net
CC: dcoughlin at apple.com, llvm-bugs at lists.llvm.org
We observed this with Google Test, which stores a pointer to a function
destroying an object in a data structure, and then releases data by calling
through that pointer. A reduced test case is this:
    void MatcherBase() {
      void* shared = new int();
      void (*shared_destroy)(void*) = [](void* p) { delete static_cast<int*>(p); };
      shared_destroy(shared);
    } // warning: Potential leak of memory pointed to by 'shared' [cplusplus.NewDeleteLeaks]
The warning disappears when changing the type of shared_destroy to auto, so
we're not converting to a function pointer type but rather keeping an object of
lambda type. Then the call at the end is a direct call and inlined. Similarly
for a global function shared_destroy.
Now I guess that tracing calls through function pointers would be pretty hard,
because then control flow would depend on data flow in a way that's not
amenable to a constraint solver. But we could at least treat the function
pointer call like an opaque call, which also makes the warning disappear:
    void shared_destroy(void* p);
    void MatcherBase() {
      void* shared = new int();
      shared_destroy(shared);
    } // no warning.
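An added example, not part of the bug report above, that puts the call shapes the report compares side by side and instruments them with a destruction counter, so a reader can confirm at runtime that the function-pointer variant does release the memory (the analyzer report is a false positive) while also having a single file to feed to the analyzer (`clang++ --analyze example.cpp`). The `SharedHolder` struct is a constructed stand-in for the Google Test data structure the report mentions, not Google Test's code; `g_destroyed` and all function names are assumptions for this example. The global `shared_destroy` is defined in this file so the program links; in the report it is only declared, which is what makes that call opaque to the analyzer.

```cpp
// Added example (not from the bug report): the call shapes from the report,
// instrumented with a destruction counter so a test can check that the memory
// is actually released in every variant.
#include <cstddef>

// Number of objects released since the last reset (constructed bookkeeping).
static int g_destroyed = 0;

// Variant 1: call through a function pointer. This is the shape that triggers
// the cplusplus.NewDeleteLeaks report even though the object is deleted.
int destroy_via_function_pointer() {
    g_destroyed = 0;
    void* shared = new int();
    void (*shared_destroy)(void*) = [](void* p) {
        delete static_cast<int*>(p);
        ++g_destroyed;
    };
    shared_destroy(shared);
    return g_destroyed;
}

// Variant 2: keep the lambda's own type. The call is direct, so the analyzer
// inlines the body and sees the delete; the report says this variant is clean.
int destroy_via_auto_lambda() {
    g_destroyed = 0;
    void* shared = new int();
    auto shared_destroy = [](void* p) {
        delete static_cast<int*>(p);
        ++g_destroyed;
    };
    shared_destroy(shared);
    return g_destroyed;
}

// Variant 3: a named global function. Defined here so this file links; in the
// report it is declared only, which makes the call opaque and suppresses the
// warning. Defined in the same translation unit it is simply inlined instead.
void shared_destroy_global(void* p) {
    delete static_cast<int*>(p);
    ++g_destroyed;
}

int destroy_via_global_function() {
    g_destroyed = 0;
    void* shared = new int();
    shared_destroy_global(shared);
    return g_destroyed;
}

// Constructed stand-in for the Google Test pattern described in the report: a
// type-erased holder that stores the object as void* together with a function
// pointer that knows the concrete type, and releases through that pointer.
struct SharedHolder {
    void* shared;
    void (*shared_destroy)(void*);

    template <typename T>
    explicit SharedHolder(T* p)
        : shared(p),
          shared_destroy([](void* q) {
              delete static_cast<T*>(q);
              ++g_destroyed;
          }) {}

    SharedHolder(const SharedHolder&) = delete;
    SharedHolder& operator=(const SharedHolder&) = delete;

    ~SharedHolder() { shared_destroy(shared); }
};

// Two holders of different element types; both must be released when the
// scope ends, so the counter reads 2.
int destroy_via_holder() {
    g_destroyed = 0;
    {
        SharedHolder a(new int(1));
        SharedHolder b(new double(2.0));
    }
    return g_destroyed;
}

int main() {
    // Each variant releases exactly what it allocated.
    return (destroy_via_function_pointer() == 1 &&
            destroy_via_auto_lambda() == 1 &&
            destroy_via_global_function() == 1 &&
            destroy_via_holder() == 2) ? 0 : 1;
}
```

Running the analyzer over the file and comparing the variants it flags against the runtime counts separates the analyzer's modelling gap (calls through a function pointer are neither inlined nor treated as an escape) from a real leak; only the first variant and the holder's destructor involve an indirect call.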