forked from OSchip/llvm-project
[analyzer] Escape pointers stored into top-level parameters with destructors.
Writing stuff into an argument variable is usually equivalent to writing stuff to a local variable: it will have no effect outside of the function. There's an important exception from this rule: if the argument variable has a non-trivial destructor, the destructor would be invoked on the parent stack frame, exposing contents of the otherwise dead argument variable to the caller. If such argument is the last place where a pointer is stored before the function exits and the function is the one we've started our analysis from (i.e., we have no caller context for it), we currently diagnose a leak. This is incorrect because the destructor of the argument still has access to the pointer. The destructor may deallocate the pointer or even pass it further. Treat writes into such argument regions as "escapes" instead, suppressing spurious memory leak reports but not messing with dead symbol removal. Differential Revision: https://reviews.llvm.org/D60112 llvm-svn: 358321
This commit is contained in:
parent
5e67abd91f
commit
7d4694547a
|
@ -2621,43 +2621,39 @@ void ExprEngine::VisitAtomicExpr(const AtomicExpr *AE, ExplodedNode *Pred,
|
||||||
getCheckerManager().runCheckersForPostStmt(Dst, AfterInvalidateSet, AE, *this);
|
getCheckerManager().runCheckersForPostStmt(Dst, AfterInvalidateSet, AE, *this);
|
||||||
}
|
}
|
||||||
|
|
||||||
// A value escapes in three possible cases:
|
// A value escapes in four possible cases:
|
||||||
// (1) We are binding to something that is not a memory region.
|
// (1) We are binding to something that is not a memory region.
|
||||||
// (2) We are binding to a MemrRegion that does not have stack storage.
|
// (2) We are binding to a MemRegion that does not have stack storage.
|
||||||
// (3) We are binding to a MemRegion with stack storage that the store
|
// (3) We are binding to a top-level parameter region with a non-trivial
|
||||||
|
// destructor. We won't see the destructor during analysis, but it's there.
|
||||||
|
// (4) We are binding to a MemRegion with stack storage that the store
|
||||||
// does not understand.
|
// does not understand.
|
||||||
ProgramStateRef ExprEngine::processPointerEscapedOnBind(ProgramStateRef State,
|
ProgramStateRef
|
||||||
SVal Loc,
|
ExprEngine::processPointerEscapedOnBind(ProgramStateRef State, SVal Loc,
|
||||||
SVal Val,
|
SVal Val, const LocationContext *LCtx) {
|
||||||
const LocationContext *LCtx) {
|
|
||||||
// Are we storing to something that causes the value to "escape"?
|
|
||||||
bool escapes = true;
|
|
||||||
|
|
||||||
// TODO: Move to StoreManager.
|
// Cases (1) and (2).
|
||||||
if (Optional<loc::MemRegionVal> regionLoc = Loc.getAs<loc::MemRegionVal>()) {
|
const MemRegion *MR = Loc.getAsRegion();
|
||||||
escapes = !regionLoc->getRegion()->hasStackStorage();
|
if (!MR || !MR->hasStackStorage())
|
||||||
|
return escapeValue(State, Val, PSK_EscapeOnBind);
|
||||||
|
|
||||||
if (!escapes) {
|
// Case (3).
|
||||||
// To test (3), generate a new state with the binding added. If it is
|
if (const auto *VR = dyn_cast<VarRegion>(MR->getBaseRegion()))
|
||||||
// the same state, then it escapes (since the store cannot represent
|
if (VR->hasStackParametersStorage() && VR->getStackFrame()->inTopFrame())
|
||||||
// the binding).
|
if (const auto *RD = VR->getValueType()->getAsCXXRecordDecl())
|
||||||
// Do this only if we know that the store is not supposed to generate the
|
if (!RD->hasTrivialDestructor())
|
||||||
// same state.
|
return escapeValue(State, Val, PSK_EscapeOnBind);
|
||||||
SVal StoredVal = State->getSVal(regionLoc->getRegion());
|
|
||||||
if (StoredVal != Val)
|
|
||||||
escapes = (State == (State->bindLoc(*regionLoc, Val, LCtx)));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// If our store can represent the binding and we aren't storing to something
|
// Case (4): in order to test that, generate a new state with the binding
|
||||||
// that doesn't have local storage then just return and have the simulation
|
// added. If it is the same state, then it escapes (since the store cannot
|
||||||
// state continue as is.
|
// represent the binding).
|
||||||
if (!escapes)
|
// Do this only if we know that the store is not supposed to generate the
|
||||||
return State;
|
// same state.
|
||||||
|
SVal StoredVal = State->getSVal(MR);
|
||||||
|
if (StoredVal != Val)
|
||||||
|
if (State == (State->bindLoc(loc::MemRegionVal(MR), Val, LCtx)))
|
||||||
|
return escapeValue(State, Val, PSK_EscapeOnBind);
|
||||||
|
|
||||||
// Otherwise, find all symbols referenced by 'val' that we are tracking
|
|
||||||
// and stop tracking them.
|
|
||||||
State = escapeValue(State, Val, PSK_EscapeOnBind);
|
|
||||||
return State;
|
return State;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -141,3 +141,26 @@ char* test_cxa_demangle(const char* sym) {
|
||||||
}
|
}
|
||||||
return funcname; // no-warning
|
return funcname; // no-warning
|
||||||
}
|
}
|
||||||
|
|
||||||
|
namespace argument_leak {
|
||||||
|
class A {
|
||||||
|
char *name;
|
||||||
|
|
||||||
|
public:
|
||||||
|
char *getName() {
|
||||||
|
if (!name) {
|
||||||
|
name = static_cast<char *>(malloc(10));
|
||||||
|
}
|
||||||
|
return name;
|
||||||
|
}
|
||||||
|
~A() {
|
||||||
|
if (name) {
|
||||||
|
delete[] name;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
void test(A a) {
|
||||||
|
(void)a.getName();
|
||||||
|
}
|
||||||
|
} // namespace argument_leak
|
||||||
|
|
Loading…
Reference in New Issue