Home Explore Help
Register Sign In
FangSoftSoft
/
clang
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

[analyzer] Escape pointers stored into top-level parameters with destructors.

Writing stuff into an argument variable is usually equivalent to writing stuff
to a local variable: it will have no effect outside of the function.
There's an important exception from this rule: if the argument variable has
a non-trivial destructor, the destructor would be invoked on
the parent stack frame, exposing contents of the otherwise dead
argument variable to the caller.

If such argument is the last place where a pointer is stored before the function
exits and the function is the one we've started our analysis from (i.e., we have
no caller context for it), we currently diagnose a leak. This is incorrect
because the destructor of the argument still has access to the pointer.
The destructor may deallocate the pointer or even pass it further.

Treat writes into such argument regions as "escapes" instead, suppressing
spurious memory leak reports but not messing with dead symbol removal.

Differential Revision: https://reviews.llvm.org/D60112


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@358321 91177308-0d34-0410-b5e6-96231b3b80d8
Artem Dergachev 6 years ago
parent
31c307cf96
commit
ae2b0cf4c8
2 changed files with 53 additions and 34 deletions
Unified View Show Diff Stats
  1. 30 34
      lib/StaticAnalyzer/Core/ExprEngine.cpp
  2. 23 0
      test/Analysis/malloc.cpp

+ 30 - 34
lib/StaticAnalyzer/Core/ExprEngine.cpp
View File 

@@ -2621,43 +2621,39 @@ void ExprEngine::VisitAtomicExpr(const AtomicExpr *AE, ExplodedNode *Pred,
 
   getCheckerManager().runCheckersForPostStmt(Dst, AfterInvalidateSet, AE, *this);
 
   getCheckerManager().runCheckersForPostStmt(Dst, AfterInvalidateSet, AE, *this);
 
 }
 
 }
 
 
 
-// A value escapes in three possible cases:
 
+// A value escapes in four possible cases:
 
 // (1) We are binding to something that is not a memory region.
 
 // (1) We are binding to something that is not a memory region.
 
-// (2) We are binding to a MemrRegion that does not have stack storage.
 
-// (3) We are binding to a MemRegion with stack storage that the store
 
+// (2) We are binding to a MemRegion that does not have stack storage.
 
+// (3) We are binding to a top-level parameter region with a non-trivial
 
+//     destructor. We won't see the destructor during analysis, but it's there.
 
+// (4) We are binding to a MemRegion with stack storage that the store
 
 //     does not understand.
 
 //     does not understand.
 
-ProgramStateRef ExprEngine::processPointerEscapedOnBind(ProgramStateRef State,
 
-                                                        SVal Loc,
 
-                                                        SVal Val,
 
-                                                        const LocationContext *LCtx) {
 
-  // Are we storing to something that causes the value to "escape"?
 
-  bool escapes = true;
 
-
 
-  // TODO: Move to StoreManager.
 
-  if (Optional<loc::MemRegionVal> regionLoc = Loc.getAs<loc::MemRegionVal>()) {
 
-    escapes = !regionLoc->getRegion()->hasStackStorage();
 
-
 
-    if (!escapes) {
 
-      // To test (3), generate a new state with the binding added.  If it is
 
-      // the same state, then it escapes (since the store cannot represent
 
-      // the binding).
 
-      // Do this only if we know that the store is not supposed to generate the
 
-      // same state.
 
-      SVal StoredVal = State->getSVal(regionLoc->getRegion());
 
-      if (StoredVal != Val)
 
-        escapes = (State == (State->bindLoc(*regionLoc, Val, LCtx)));
 
-    }
 
-  }
 
-
 
-  // If our store can represent the binding and we aren't storing to something
 
-  // that doesn't have local storage then just return and have the simulation
 
-  // state continue as is.
 
-  if (!escapes)
 
-    return State;
 
+ProgramStateRef
 
+ExprEngine::processPointerEscapedOnBind(ProgramStateRef State, SVal Loc,
 
+                                        SVal Val, const LocationContext *LCtx) {
 
+
 
+  // Cases (1) and (2).
 
+  const MemRegion *MR = Loc.getAsRegion();
 
+  if (!MR || !MR->hasStackStorage())
 
+    return escapeValue(State, Val, PSK_EscapeOnBind);
 
+
 
+  // Case (3).
 
+  if (const auto *VR = dyn_cast<VarRegion>(MR->getBaseRegion()))
 
+    if (VR->hasStackParametersStorage() && VR->getStackFrame()->inTopFrame())
 
+      if (const auto *RD = VR->getValueType()->getAsCXXRecordDecl())
 
+        if (!RD->hasTrivialDestructor())
 
+          return escapeValue(State, Val, PSK_EscapeOnBind);
 
+
 
+  // Case (4): in order to test that, generate a new state with the binding
 
+  // added. If it is the same state, then it escapes (since the store cannot
 
+  // represent the binding).
 
+  // Do this only if we know that the store is not supposed to generate the
 
+  // same state.
 
+  SVal StoredVal = State->getSVal(MR);
 
+  if (StoredVal != Val)
 
+    if (State == (State->bindLoc(loc::MemRegionVal(MR), Val, LCtx)))
 
+      return escapeValue(State, Val, PSK_EscapeOnBind);
 
 
 
-  // Otherwise, find all symbols referenced by 'val' that we are tracking
 
-  // and stop tracking them.
 
-  State = escapeValue(State, Val, PSK_EscapeOnBind);
 
   return State;
 
   return State;
 
 }
 
 }

+ 23 - 0
test/Analysis/malloc.cpp
View File 

@@ -141,3 +141,26 @@ char* test_cxa_demangle(const char* sym) {
 
   }
 
   }
 
   return funcname; // no-warning
 
   return funcname; // no-warning
 
 }
 
 }
 
+
 
+namespace argument_leak {
 
+class A {
 
+  char *name;
 
+
 
+public:
 
+  char *getName() {
 
+    if (!name) {
 
+      name = static_cast<char *>(malloc(10));
 
+    }
 
+    return name;
 
+  }
 
+  ~A() {
 
+    if (name) {
 
+      delete[] name;
 
+    }
 
+  }
 
+};
 
+
 
+void test(A a) {
 
+  (void)a.getName();
 
+}
 
+} // namespace argument_leak