[llvm-bugs] [Bug 50771] New: Static analyzer ignores calls through function pointers

[via llvm-bugs]

https://bugs.llvm.org/show_bug.cgi?id=50771

            Bug ID: 50771
           Summary: Static analyzer ignores calls through function
                    pointers
           Product: clang
           Version: trunk
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P
         Component: Static Analyzer
          Assignee: dcoughlin at apple.com
          Reporter: aaronpuchert at alice-dsl.net
                CC: dcoughlin at apple.com, llvm-bugs at lists.llvm.org

We observed this with Google Test, which stores a pointer to a function
destroying a object in a data structure, and then releases data by calling
through that pointer. A reduced test case is this:

void MatcherBase() {
  void* shared = new int();
  void (*shared_destroy)(void*) = [](void* p) { delete static_cast<int*>(p); };
  shared_destroy(shared);
} // warning: Potential leak of memory pointed to by 'shared'
[cplusplus.NewDeleteLeaks]

The warning disappears when changing the type of shared_destroy to auto, so
we're not converting to a function pointer type but rather keeping an object of
lambda type. Then the call at the end is a direct call and inlined. Similarly
for a global function shared_destroy.

Now I guess that tracing calls through function pointers would be pretty hard,
because then control flow would depend on data flow in a way that's not
amenable to a constrain solver. But we could at least treat the function
pointer call like an opaque call, which also makes the warning disappear:

void shared_destroy(void* p);

void MatcherBase() {
  void* shared = new int();
  shared_destroy(shared);
} // no warning.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20210618/a73f8bc7/attachment.html>