[analyzer] Teach the analyzer that pointers can escape into __cxa_demangle

This fixes a reported false positive in the malloc checker. Differential Revision: https://reviews.llvm.org/D27599 llvm-svn: 289886
2016-12-15 22:55:18 +00:00 · 2016-12-15 22:55:18 +00:00 · 44cdeb1da2
parent 6d4e76b988
commit 44cdeb1da2
3 changed files with 28 additions and 0 deletions
--- a/clang/lib/StaticAnalyzer/Core/CallEvent.cpp
+++ b/clang/lib/StaticAnalyzer/Core/CallEvent.cpp
@ -382,6 +382,11 @@ bool AnyFunctionCall::argumentsMayEscape() const {
  if (II->isStr("funopen"))
    return true;

+  // - __cxa_demangle - can reallocate memory and can return the pointer to
+  // the input buffer.
+  if (II->isStr("__cxa_demangle"))
+    return true;
+
  StringRef FName = II->getName();

  // - CoreFoundation functions that end with "NoCopy" can free a passed-in
--- a/clang/test/Analysis/Inputs/system-header-simulator-cxx.h
+++ b/clang/test/Analysis/Inputs/system-header-simulator-cxx.h
@ -240,3 +240,12 @@ void* operator new (std::size_t size, void* ptr) throw() { return ptr; };
 void* operator new[] (std::size_t size, void* ptr) throw() { return ptr; };
 void operator delete (void* ptr, void*) throw() {};
 void operator delete[] (void* ptr, void*) throw() {};
+
+namespace __cxxabiv1 {
+extern "C" {
+extern char *__cxa_demangle(const char *mangled_name,
+                            char *output_buffer,
+                            size_t *length,
+                            int *status);
+}}
+namespace abi = __cxxabiv1;
--- a/clang/test/Analysis/malloc.cpp
+++ b/clang/test/Analysis/malloc.cpp
@ -1,6 +1,8 @@
 // RUN: %clang_cc1 -w -analyze -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,cplusplus.NewDelete -analyzer-store=region -verify %s
 // RUN: %clang_cc1 -triple i386-unknown-linux-gnu -w -analyze -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,cplusplus.NewDelete -analyzer-store=region -verify %s

+#include "Inputs/system-header-simulator-cxx.h"
+
 typedef __typeof(sizeof(int)) size_t;
 void *malloc(size_t);
 void free(void *);
@ -125,3 +127,15 @@ namespace PR31226 {
    p->m(); // no-crash // no-warning
  }
 }
+
+// Allow __cxa_demangle to escape.
+char* test_cxa_demangle(const char* sym) {
+  size_t funcnamesize = 256;
+  char* funcname = (char*)malloc(funcnamesize);
+  int status;
+  char* ret = abi::__cxa_demangle(sym, funcname, &funcnamesize, &status);
+  if (status == 0) {
+    funcname = ret;
+  }
+  return funcname; // no-warning
+}