This commit ensures that the `CallDescription`s in `MallocChecker` are matched with the mode `CDM::CLibrary`, so: - they don't match methods or functions within user-defined namespaces; - they also match builtin variants of these functions (if any), so the checker can model `__builtin_alloca()` like `alloca()`. This change fixes https://github.com/llvm/llvm-project/issues/81597. New tests were added to verify that `std::malloc` and `std::free` (from `<cstdlib>`) are modeled, but a method that's named e.g. `free` isn't confused with the memory release function. The responsibility for modeling `__builtin_alloca` and `__builtin_alloca_with_align` was moved from `BuiltinFunctionChecker` to `MallocChecker`, to avoid buggy interactions between the checkers and ensure that the builtin and non-builtin variants are handled by exactly the same logic. This change might be a step backwards for the users who don't have `unix.Malloc` enabled; but I suspect that `__builtin_alloca()` is so rare that it would be a waste of time to implement backwards compatibility for them. There were several test files that relied on `__builtin_alloca()` calls to get an `AllocaRegion`, these were modified to enable `unix.Malloc`. One of these files (cxx-uninitialized-object-ptr-ref.cpp) had some tests that relied on the fact that `malloc()` was treated as a "black box" in them, these were updated to use `calloc()` (to get initialized memory) and `free()` (to avoid memory leak reports). While I was developing this change, I found a very suspicious assert in `MallocChecker`. As it isn't blocking the goals of this commit, I just marked it with a FIXME, but I'll try to investigate and fix it in a follow-up change.
// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix.Malloc -verify -std=c99 -Dbool=_Bool -Wno-bool-conversion %s
|
|
// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix.Malloc -verify -x c++ -Wno-bool-conversion %s
|
|
|
|
typedef __INTPTR_TYPE__ intptr_t;
|
|
char const *p;
|
|
|
|
void f0(void) {
|
|
char const str[] = "This will change";
|
|
p = str;
|
|
} // expected-warning{{Address of stack memory associated with local variable 'str' is still referred to by the global variable 'p' upon returning to the caller. This will be a dangling reference}}
|
|
|
|
void f1(void) {
|
|
char const str[] = "This will change";
|
|
p = str;
|
|
p = 0; // no-warning
|
|
}
|
|
|
|
void f2(void) {
|
|
p = (const char *) __builtin_alloca(12);
|
|
} // expected-warning{{Address of stack memory allocated by call to alloca() on line 19 is still referred to by the global variable 'p' upon returning to the caller. This will be a dangling reference}}
|
|
|
|
// PR 7383 - previously the stack address checker would crash on this example
|
|
// because it would attempt to do a direct load from 'pr7383_list'.
|
|
static int pr7383(__const char *__)
|
|
{
|
|
return 0;
|
|
}
|
|
extern __const char *__const pr7383_list[];
|
|
|
|
// Test that we catch multiple returns via globals when analyzing a function.
|
|
void test_multi_return(void) {
|
|
static int *a, *b;
|
|
int x;
|
|
a = &x;
|
|
b = &x;
|
|
} // expected-warning{{Address of stack memory associated with local variable 'x' is still referred to by the static variable 'a' upon returning}} expected-warning{{Address of stack memory associated with local variable 'x' is still referred to by the static variable 'b' upon returning}}
|
|
|
|
intptr_t returnAsNonLoc(void) {
|
|
int x;
|
|
return (intptr_t)&x; // expected-warning{{Address of stack memory associated with local variable 'x' returned to caller}} expected-warning{{address of stack memory associated with local variable 'x' returned}}
|
|
}
|
|
|
|
bool returnAsBool(void) {
|
|
int x;
|
|
return &x; // no-warning
|
|
}
|
|
|
|
void assignAsNonLoc(void) {
|
|
extern intptr_t ip;
|
|
int x;
|
|
ip = (intptr_t)&x;
|
|
} // expected-warning{{Address of stack memory associated with local variable 'x' is still referred to by the global variable 'ip' upon returning}}
|
|
|
|
void assignAsBool(void) {
|
|
extern bool b;
|
|
int x;
|
|
b = &x;
|
|
} // no-warning
|
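Review bot: The two RUN lines at the top now depend on unix.Malloc, but nothing in the file records why, so a later cleanup that trims the checker list back to `core` would silently lose f2's diagnostic instead of failing for a visible reason. The commit description says unix.Malloc is needed because `__builtin_alloca()` is now modeled by MallocChecker and f2 relies on the resulting AllocaRegion; that is worth stating next to the RUN lines, e.g. `// unix.Malloc is required: __builtin_alloca() is modeled by MallocChecker and f2 depends on the AllocaRegion it creates.` Note that f2's expected-warning hard-codes `on line 19`, so the comment must not add a line above f2 — put it in place of the blank line that follows the RUN lines, or update the line number in the expectation in the same change.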