This revision was automatically updated to reflect the committed changes. Closed by commit rG2e5e42d4aeab: [analyzer][MallocChecker] When modeling realloc-like functions, don't early… (authored by Szelethus).
Repository: rG LLVM Github Monorepo CHANGES SINCE LAST ACTION https://reviews.llvm.org/D79415/new/ https://reviews.llvm.org/D79415 Files: clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp clang/test/Analysis/malloc.c
Index: clang/test/Analysis/malloc.c
===================================================================
--- clang/test/Analysis/malloc.c
+++ clang/test/Analysis/malloc.c
@@ -1828,6 +1828,21 @@
 list_add(list, &x->li); // will free 'x'.
 }
+// MEM34-C. Only free memory allocated dynamically
+// Second non-compliant example.
+// https://wiki.sei.cmu.edu/confluence/display/c/MEM34-C.+Only+free+memory+allocated+dynamically
+enum { BUFSIZE = 256 };
+
+void MEM34_C(void) {
+ char buf[BUFSIZE];
+ char *p = (char *)realloc(buf, 2 * BUFSIZE);
+ // expected-warning@-1{{Argument to realloc() is the address of the local \
+variable 'buf', which is not memory allocated by malloc() [unix.Malloc]}}
+ if (p == NULL) {
+ /* Handle error */
+ }
+}
+
 // ----------------------------------------------------------------------------
 // False negatives.
Index: clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
===================================================================
--- clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
+++ clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
@@ -2371,13 +2371,7 @@
 if (PrtIsNull && SizeIsZero)
 return State;
- // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size).
 assert(!PrtIsNull);
- SymbolRef FromPtr = arg0Val.getAsSymbol();
- SVal RetVal = C.getSVal(CE);
- SymbolRef ToPtr = RetVal.getAsSymbol();
- if (!FromPtr || !ToPtr)
- return nullptr;
 bool IsKnownToBeAllocated = false; 
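Review bot: The new `MEM34_C` test pins only the non-symbolic-argument side of the invariant that the checker change turns into an assertion (a stack buffer handed to `realloc()`); nothing in this hunk exercises a non-symbolic return value, which the same assertion also claims cannot reach that point. If such a case can be written, it belongs next to this one so the assertion is actually exercised in debug builds rather than trusted. A one-line comment tying the test to the checker change would also help a later reader, e.g. `// Also covers the path where realloc modeling relies on FreeMemAux rejecting the argument instead of an early return.`. This diff is printed twice on the page; the remark applies to the second copy as well.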
@@ -2406,6 +2400,14 @@
 else if (!IsKnownToBeAllocated)
 Kind = OAR_DoNotTrackAfterFailure;
+ // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size).
+ SymbolRef FromPtr = arg0Val.getAsSymbol();
+ SVal RetVal = C.getSVal(CE);
+ SymbolRef ToPtr = RetVal.getAsSymbol();
+ assert(FromPtr && ToPtr &&
+ "By this point, FreeMemAux and MallocMemAux should have checked "
+ "whether the argument or the return value is symbolic!");
+
 // Record the info about the reallocated symbol so that we could properly
 // process failed reallocation.
 stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr,
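Review bot: The added `assert(FromPtr && ToPtr && ...)` is now the only guard before `ToPtr` is used as the key in `stateRealloc->set<ReallocPairs>(ToPtr,`, so in an NDEBUG build a non-symbolic argument or return value that was not rejected earlier would be recorded under a null symbol instead of stopping the modeling as the removed `return nullptr` did. The assertion message defers to FreeMemAux and MallocMemAux, both outside this hunk, so a reader of this function cannot verify the claim locally; a comment naming the exact checks being relied on would make the invariant auditable, e.g. `// FreeMemAux is expected to bail out on a non-symbolic argument and MallocMemAux on a non-symbolic return value, which is what makes the assert below sound; confirm against those helpers if either changes.`. The enclosing realloc-modeling function starts and ends outside the hunk. The same hunk appears a second time further down the page; the remark applies there too.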
Index: clang/test/Analysis/malloc.c
===================================================================
--- clang/test/Analysis/malloc.c
+++ clang/test/Analysis/malloc.c
@@ -1828,6 +1828,21 @@
 list_add(list, &x->li); // will free 'x'.
 }
+// MEM34-C. Only free memory allocated dynamically
+// Second non-compliant example.
+// https://wiki.sei.cmu.edu/confluence/display/c/MEM34-C.+Only+free+memory+allocated+dynamically
+enum { BUFSIZE = 256 };
+
+void MEM34_C(void) {
+ char buf[BUFSIZE];
+ char *p = (char *)realloc(buf, 2 * BUFSIZE);
+ // expected-warning@-1{{Argument to realloc() is the address of the local \
+variable 'buf', which is not memory allocated by malloc() [unix.Malloc]}}
+ if (p == NULL) {
+ /* Handle error */
+ }
+}
+
 // ----------------------------------------------------------------------------
 // False negatives.
Index: clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
===================================================================
--- clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
+++ clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
@@ -2371,13 +2371,7 @@
 if (PrtIsNull && SizeIsZero)
 return State;
- // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size).
 assert(!PrtIsNull);
- SymbolRef FromPtr = arg0Val.getAsSymbol();
- SVal RetVal = C.getSVal(CE);
- SymbolRef ToPtr = RetVal.getAsSymbol();
- if (!FromPtr || !ToPtr)
- return nullptr;
 bool IsKnownToBeAllocated = false; 
@@ -2406,6 +2400,14 @@
 else if (!IsKnownToBeAllocated)
 Kind = OAR_DoNotTrackAfterFailure;
+ // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size).
+ SymbolRef FromPtr = arg0Val.getAsSymbol();
+ SVal RetVal = C.getSVal(CE);
+ SymbolRef ToPtr = RetVal.getAsSymbol();
+ assert(FromPtr && ToPtr &&
+ "By this point, FreeMemAux and MallocMemAux should have checked "
+ "whether the argument or the return value is symbolic!");
+
 // Record the info about the reallocated symbol so that we could properly
 // process failed reallocation.
 stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr,