This revision was automatically updated to reflect the committed changes.
Closed by commit rL289886: [analyzer] Teach the analyzer that pointers can 
escape into __cxa_demangle (authored by zaks).

Changed prior to commit:
  https://reviews.llvm.org/D27599?vs=80842&id=81672#toc

Repository:
  rL LLVM

https://reviews.llvm.org/D27599

Files:
  cfe/trunk/lib/StaticAnalyzer/Core/CallEvent.cpp
  cfe/trunk/test/Analysis/Inputs/system-header-simulator-cxx.h
  cfe/trunk/test/Analysis/malloc.cpp


Index: cfe/trunk/test/Analysis/malloc.cpp
===================================================================
--- cfe/trunk/test/Analysis/malloc.cpp
+++ cfe/trunk/test/Analysis/malloc.cpp
@@ -1,6 +1,8 @@
 // RUN: %clang_cc1 -w -analyze -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,cplusplus.NewDelete -analyzer-store=region -verify %s
 // RUN: %clang_cc1 -triple i386-unknown-linux-gnu -w -analyze -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,cplusplus.NewDelete -analyzer-store=region -verify %s
 
+#include "Inputs/system-header-simulator-cxx.h"
+
 typedef __typeof(sizeof(int)) size_t;
 void *malloc(size_t);
 void free(void *);
@@ -125,3 +127,15 @@
     p->m(); // no-crash // no-warning
   }
 }
+
+// Allow __cxa_demangle to escape.
+char* test_cxa_demangle(const char* sym) {
+  size_t funcnamesize = 256;
+  char* funcname = (char*)malloc(funcnamesize);
+  int status;
+  char* ret = abi::__cxa_demangle(sym, funcname, &funcnamesize, &status);
+  if (status == 0) {
+    funcname = ret;
+  }
+  return funcname; // no-warning
+}
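Review bot: The new test pins only the path where the demangled pointer is returned, and its comment `// Allow __cxa_demangle to escape.` reads as if the function escapes rather than the pointers passed to it. I would reword it to `// Pointers passed to __cxa_demangle escape: it may realloc() output_buffer and return it.` so the reason for the `// no-warning` is on the page. Treating the buffer as escaped also means a caller that drops both `funcname` and `ret` is presumably no longer reported as a leak. A companion case that records this accepted false negative would keep the trade-off visible to anyone who later tightens the model. The same hunk is repeated in the attached copy of the patch further down.

```cpp
// Accepted false negative: once funcname has been passed to __cxa_demangle it
// is treated as escaped, so dropping both pointers is not reported as a leak.
void test_cxa_demangle_dropped(const char* sym) {
  size_t funcnamesize = 256;
  char* funcname = (char*)malloc(funcnamesize);
  int status;
  abi::__cxa_demangle(sym, funcname, &funcnamesize, &status);
} // no-warning (expected after escape; confirm against the analyzer output)
```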
Index: cfe/trunk/test/Analysis/Inputs/system-header-simulator-cxx.h
===================================================================
--- cfe/trunk/test/Analysis/Inputs/system-header-simulator-cxx.h
+++ cfe/trunk/test/Analysis/Inputs/system-header-simulator-cxx.h
@@ -240,3 +240,12 @@
 void* operator new[] (std::size_t size, void* ptr) throw() { return ptr; };
 void operator delete (void* ptr, void*) throw() {};
 void operator delete[] (void* ptr, void*) throw() {};
+
+namespace __cxxabiv1 {
+extern "C" {
+extern char *__cxa_demangle(const char *mangled_name,
+                            char *output_buffer,
+                            size_t *length,
+                            int *status);
+}}
+namespace abi = __cxxabiv1;
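Review bot: The added declaration uses unqualified `size_t *length` while the context lines just above it use `std::size_t`, so it depends on a global `size_t` typedef from earlier in this header, which is not visible in the hunk; malloc.cpp declares its own only after the include. Writing `std::size_t *length` would match the surrounding declarations and remove that dependency. The closing `}}` would also read better as `} // extern "C"` and `} // namespace __cxxabiv1` on separate lines, and the inner `extern` is redundant inside the `extern "C"` block.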
Index: cfe/trunk/lib/StaticAnalyzer/Core/CallEvent.cpp
===================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/CallEvent.cpp
+++ cfe/trunk/lib/StaticAnalyzer/Core/CallEvent.cpp
@@ -382,6 +382,11 @@
   if (II->isStr("funopen"))
     return true;
 
+  // - __cxa_demangle - can reallocate memory and can return the pointer to
+  // the input buffer.
+  if (II->isStr("__cxa_demangle"))
+    return true;
+
   StringRef FName = II->getName();
 
   // - CoreFoundation functions that end with "NoCopy" can free a passed-in
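Review bot: The added `II->isStr("__cxa_demangle")` check matches on the identifier alone, and its comment does not say which argument is affected or what the analyzer gives up by returning true here. Once the arguments are treated as escaped, the malloc checker presumably stops tracking `output_buffer`, so a real leak or double free of that buffer after the call will no longer be reported. That is a reasonable trade against the false positive, but it should be written down. I would reword the comment along the lines of `// - __cxa_demangle - may realloc() output_buffer and return it or a new block;` followed by `// treat its arguments as escaped (accepts missed leak reports after the call).` The enclosing function starts and ends outside the hunk, so whether an earlier check already limits this to system-header declarations cannot be confirmed from here.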


Index: cfe/trunk/test/Analysis/malloc.cpp
===================================================================
--- cfe/trunk/test/Analysis/malloc.cpp
+++ cfe/trunk/test/Analysis/malloc.cpp
@@ -1,6 +1,8 @@
 // RUN: %clang_cc1 -w -analyze -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,cplusplus.NewDelete -analyzer-store=region -verify %s
 // RUN: %clang_cc1 -triple i386-unknown-linux-gnu -w -analyze -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,cplusplus.NewDelete -analyzer-store=region -verify %s
 
+#include "Inputs/system-header-simulator-cxx.h"
+
 typedef __typeof(sizeof(int)) size_t;
 void *malloc(size_t);
 void free(void *);
@@ -125,3 +127,15 @@
     p->m(); // no-crash // no-warning
   }
 }
+
+// Allow __cxa_demangle to escape.
+char* test_cxa_demangle(const char* sym) {
+  size_t funcnamesize = 256;
+  char* funcname = (char*)malloc(funcnamesize);
+  int status;
+  char* ret = abi::__cxa_demangle(sym, funcname, &funcnamesize, &status);
+  if (status == 0) {
+    funcname = ret;
+  }
+  return funcname; // no-warning
+}
Index: cfe/trunk/test/Analysis/Inputs/system-header-simulator-cxx.h
===================================================================
--- cfe/trunk/test/Analysis/Inputs/system-header-simulator-cxx.h
+++ cfe/trunk/test/Analysis/Inputs/system-header-simulator-cxx.h
@@ -240,3 +240,12 @@
 void* operator new[] (std::size_t size, void* ptr) throw() { return ptr; };
 void operator delete (void* ptr, void*) throw() {};
 void operator delete[] (void* ptr, void*) throw() {};
+
+namespace __cxxabiv1 {
+extern "C" {
+extern char *__cxa_demangle(const char *mangled_name,
+                            char *output_buffer,
+                            size_t *length,
+                            int *status);
+}}
+namespace abi = __cxxabiv1;
Index: cfe/trunk/lib/StaticAnalyzer/Core/CallEvent.cpp
===================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/CallEvent.cpp
+++ cfe/trunk/lib/StaticAnalyzer/Core/CallEvent.cpp
@@ -382,6 +382,11 @@
   if (II->isStr("funopen"))
     return true;
 
+  // - __cxa_demangle - can reallocate memory and can return the pointer to
+  // the input buffer.
+  if (II->isStr("__cxa_demangle"))
+    return true;
+
   StringRef FName = II->getName();
 
   // - CoreFoundation functions that end with "NoCopy" can free a passed-in