Author: dcoughlin Date: Tue Sep 8 18:50:22 2015 New Revision: 247103 URL: http://llvm.org/viewvc/llvm-project?rev=247103&view=rev Log: Revert "[Static Analyzer] BugReporter.cpp:2869: Assertion failed: !RemainingNodes.empty() && "No error node found in the trimmed graph""
This is making our internal build bot fail because it results in extra warnings being emitted past what should be sink nodes. (There is actually an example of this in the updated malloc.c test in the reverted commit.) I'm working on a patch to fix the original issue by adding a new checker API to explicitly create error nodes. This API will ensure that error nodes are always tagged in order to prevent them from being reclaimed. This reverts commit r246188. Removed: cfe/trunk/test/Analysis/PR24184.cpp Modified: cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h cfe/trunk/test/Analysis/malloc.c Modified: cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h?rev=247103&r1=247102&r2=247103&view=diff ============================================================================== --- cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h (original) +++ cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h Tue Sep 8 18:50:22 2015 @@ -287,10 +287,7 @@ private: bool MarkAsSink, ExplodedNode *P = nullptr, const ProgramPointTag *Tag = nullptr) { - // It may not be safe to use the "Pred" node with no tag because the "Pred" - // node may be recycled in the reclamation function. - if (!State || (State == Pred->getState() && !Tag && !MarkAsSink && - Pred->getLocation().getTag())) + if (!State || (State == Pred->getState() && !Tag && !MarkAsSink)) return Pred; Changed = true; Removed: cfe/trunk/test/Analysis/PR24184.cpp URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/PR24184.cpp?rev=247102&view=auto ============================================================================== --- cfe/trunk/test/Analysis/PR24184.cpp (original) +++ cfe/trunk/test/Analysis/PR24184.cpp (removed) @@ -1,97 +0,0 @@ -// RUN: %clang_cc1 -w -analyze -analyzer-eagerly-assume -fcxx-exceptions -analyzer-checker=core -analyzer-checker=alpha.core.PointerArithm,alpha.core.CastToStruct -analyzer-max-loop 64 -verify %s -// RUN: %clang_cc1 -w -analyze -analyzer-checker=core -analyzer-checker=cplusplus -fcxx-exceptions -analyzer-checker alpha.core.PointerArithm,alpha.core.CastToStruct -analyzer-max-loop 63 -verify %s - -// These tests used to hit an assertion in the bug report. Test case from http://llvm.org/PR24184. -typedef struct { - int cbData; - unsigned pbData; -} CRYPT_DATA_BLOB; - -typedef enum { DT_NONCE_FIXED } DATA_TYPE; -int a; -typedef int *vcreate_t(int *, DATA_TYPE, int, int); -void fn1(unsigned, unsigned) { - char b = 0; - for (; 1; a++, &b + a * 0) // expected-warning{{Pointer arithmetic done on non-array variables means reliance on memory layout, which is dangerous}} - ; -} - -vcreate_t fn2; -struct A { - CRYPT_DATA_BLOB value; - int m_fn1() { - int c; - value.pbData == 0; - fn1(0, 0); - } -}; -struct B { - A IkeHashAlg; - A IkeGType; - A NoncePhase1_r; -}; -class C { - int m_fn2(B *); - void m_fn3(B *, int, int, int); -}; -int C::m_fn2(B *p1) { - int *d; - int e = p1->IkeHashAlg.m_fn1(); - unsigned f = p1->IkeGType.m_fn1(), h; - int g; - d = fn2(0, DT_NONCE_FIXED, (char)0, p1->NoncePhase1_r.value.cbData); - h = 0 | 0; - m_fn3(p1, 0, 0, 0); -} - -// case 2: -typedef struct { - int cbData; - unsigned char *pbData; -} CRYPT_DATA_BLOB_1; -typedef unsigned uint32_t; -void fn1_1(void *p1, const void *p2) { p1 != p2; } - -void fn2_1(uint32_t *p1, unsigned char *p2, uint32_t p3) { - unsigned i = 0; - for (0; i < p3; i++) - fn1_1(p1 + i, p2 + i * 0); // expected-warning{{Pointer arithmetic done on non-array variables means reliance on memory layout, which is dangerous}} -} - -struct A_1 { - CRYPT_DATA_BLOB_1 value; - uint32_t m_fn1() { - uint32_t a; - if (value.pbData) - fn2_1(&a, value.pbData, value.cbData); - return 0; - } -}; -struct { - A_1 HashAlgId; -} *b; -void fn3() { - uint32_t c, d; - d = b->HashAlgId.m_fn1(); - d << 0 | 0 | 0; - c = 0; - 0 | 1 << 0 | 0 && b; -} - -// case 3: -struct ST { - char c; -}; -char *p; -int foo1(ST); -int foo2() { - ST *p1 = (ST *)(p); // expected-warning{{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption}} - while (p1->c & 0x0F || p1->c & 0x07) - p1 = p1 + foo1(*p1); -} - -int foo3(int *node) { - int i = foo2(); - if (i) - return foo2(); -} \ No newline at end of file Modified: cfe/trunk/test/Analysis/malloc.c URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/malloc.c?rev=247103&r1=247102&r2=247103&view=diff ============================================================================== --- cfe/trunk/test/Analysis/malloc.c (original) +++ cfe/trunk/test/Analysis/malloc.c Tue Sep 8 18:50:22 2015 @@ -1386,8 +1386,7 @@ char* reallocButNoMalloc(struct HasPtr * int *s; char *b = realloc(a->p, size); char *m = realloc(a->p, size); // expected-warning {{Attempt to free released memory}} - //PR24184: Object "a->p" is returned after being freed by calling "realloc". - return a->p; // expected-warning {{Use of memory after it is freed}} + return a->p; } // We should not warn in this case since the caller will presumably free a->p in all cases. _______________________________________________ cfe-commits mailing list cfe-commits@lists.llvm.org http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits