Index: lib/StaticAnalyzer/Checkers/AllocationState.h
===================================================================
--- lib/StaticAnalyzer/Checkers/AllocationState.h
+++ lib/StaticAnalyzer/Checkers/AllocationState.h
@@ -24,7 +24,8 @@
 /// This function provides an additional visitor that augments the bug report
 /// with information relevant to memory errors caused by the misuse of
 /// AF_InternalBuffer symbols.
-std::unique_ptr getDanglingBufferBRVisitor(SymbolRef Sym);
+std::unique_ptr
+getDanglingBufferBRVisitor(SymbolRef Sym, ProgramStateRef State);
 
 } // end namespace allocation_state
Index: lib/StaticAnalyzer/Checkers/DanglingInternalBufferChecker.cpp
===================================================================
--- lib/StaticAnalyzer/Checkers/DanglingInternalBufferChecker.cpp
+++ lib/StaticAnalyzer/Checkers/DanglingInternalBufferChecker.cpp
@@ -54,9 +54,17 @@ public:
 class DanglingBufferBRVisitor : public BugReporterVisitor {
   SymbolRef PtrToBuf;
+  const MemRegion *ObjRegion;
 
 public:
-  DanglingBufferBRVisitor(SymbolRef Sym) : PtrToBuf(Sym) {}
+  DanglingBufferBRVisitor(SymbolRef Sym, ProgramStateRef State)
+      : PtrToBuf(Sym), ObjRegion(nullptr) {
+    RawPtrMapTy Map = State->get();
+    for (auto const Entry : Map) {
+      if (Entry.second.contains(Sym))
+        ObjRegion = Entry.first;
+    }
+  }
 
   static void *getTag() {
     static int Tag = 0;
@@ -72,15 +80,11 @@
                                  BugReporterContext &BRC,
                                  BugReport &BR) override;
 
-  // FIXME: Scan the map once in the visitor's constructor and do a direct
-  // lookup by region.
-  bool isSymbolTracked(ProgramStateRef State, SymbolRef Sym) {
-    RawPtrMapTy Map = State->get();
-    for (const auto Entry : Map) {
-      if (Entry.second.contains(Sym))
-        return true;
-    }
-    return false;
+  bool isSymbolTracked(ProgramStateRef State) {
+    const PtrSet *SymbolSet = State->get(ObjRegion);
+    if (!SymbolSet)
+      return false;
+    return SymbolSet->contains(PtrToBuf);
   }
 };
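Review bot: The doc comment above the declaration still describes only the visitor and says nothing about the new `State` parameter, so a caller cannot tell which state it is expected to pass. The DanglingInternalBufferChecker.cpp hunk below shows the constructor scanning the raw-pointer map of `State` to find the region that tracks `Sym`, so the comment should say as much: `/// \p State must be a state in which \p Sym is still tracked as an internal buffer pointer; the visitor resolves the owning object region from it.` Without that, a caller passing a state taken after the entry has been pruned gets a visitor that silently never fires.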
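Review bot: The constructor's scan has no `break`, so when `Sym` is found in more than one region's set the last region wins silently, and when it is found in none `ObjRegion` stays `nullptr` and `isSymbolTracked` (hunk @@ -72) then looks the map up by a null key, which I would expect to return no set and a permanently false answer rather than crash. If one region per symbol is an invariant, a `break;` after `ObjRegion = Entry.first;` plus an `assert(ObjRegion && "symbol not tracked by any region")` would make it explicit; otherwise `isSymbolTracked` should start with `if (!ObjRegion) return false;`. Since the visitor now only ever consults the region captured at report time, a node where `PtrToBuf` was tracked under a different region is no longer seen by `isSymbolTracked`; if that cannot happen, a one-line comment on the `ObjRegion` member saying so would help the next reader. The loop also writes `auto const Entry` where the rest of the file uses `const auto Entry`.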
@@ -180,7 +184,6 @@
       // `RefState` in MallocChecker's `RegionState` program state map.
       State = allocation_state::markReleased(State, Symbol, Origin);
     }
-    State = State->remove(ObjRegion);
     C.addTransition(State);
     return;
   }
@@ -193,11 +196,6 @@
   PtrSet::Factory &F = State->getStateManager().get_context();
   RawPtrMapTy RPM = State->get();
   for (const auto Entry : RPM) {
-    if (!SymReaper.isLiveRegion(Entry.first)) {
-      // Due to incomplete destructor support, some dead regions might
-      // remain in the program state map. Clean them up.
-      State = State->remove(Entry.first);
-    }
     if (const PtrSet *OldSet = State->get(Entry.first)) {
       PtrSet CleanedUpSet = *OldSet;
       for (const auto Symbol : Entry.second) {
@@ -217,8 +215,7 @@
     const ExplodedNode *N, const ExplodedNode *PrevN, BugReporterContext &BRC, BugReport &BR) {
-  if (!isSymbolTracked(N->getState(), PtrToBuf) ||
-      isSymbolTracked(PrevN->getState(), PtrToBuf))
+  if (!isSymbolTracked(N->getState()) || isSymbolTracked(PrevN->getState()))
     return nullptr;
 
   const Stmt *S = PathDiagnosticLocation::getStmt(N);
@@ -238,9 +235,10 @@
 namespace ento {
 namespace allocation_state {
 
-std::unique_ptr getDanglingBufferBRVisitor(SymbolRef Sym) {
+std::unique_ptr
+getDanglingBufferBRVisitor(SymbolRef Sym, ProgramStateRef State) {
   return llvm::make_unique<
-      DanglingInternalBufferChecker::DanglingBufferBRVisitor>(Sym);
+      DanglingInternalBufferChecker::DanglingBufferBRVisitor>(Sym, State);
 }
 
 } // end namespace allocation_state
Index: lib/StaticAnalyzer/Checkers/MallocChecker.cpp
===================================================================
--- lib/StaticAnalyzer/Checkers/MallocChecker.cpp
+++ lib/StaticAnalyzer/Checkers/MallocChecker.cpp
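Review bot: With `State->remove(ObjRegion)` gone, the region's pointer set now stays in the raw-pointer map after its symbols are marked released, and with the dead-region pruning also dropped from the checkDeadSymbols loop (hunk @@ -193) entries are only ever trimmed symbol by symbol, so the reason a released object's entry must persist is no longer stated anywhere in the checker. As far as I can tell from the new visitor constructor, the entry is kept precisely so that a report created after the release can still resolve the region; a short comment at the `markReleased` call, e.g. `// Keep the region's entry: the bug visitor looks the buffer symbol up by region after release.`, would record that intent, so please adjust it if the motivation is different. The enclosing functions of both hunks begin outside the hunks.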
@@ -1994,9 +1994,10 @@
     R->addRange(Range);
     R->addVisitor(llvm::make_unique(Sym));
 
-    const RefState *RS = C.getState()->get(Sym);
+    ProgramStateRef State = C.getState();
+    const RefState *RS = State->get(Sym);
     if (RS->getAllocationFamily() == AF_InternalBuffer)
-      R->addVisitor(allocation_state::getDanglingBufferBRVisitor(Sym));
+      R->addVisitor(allocation_state::getDanglingBufferBRVisitor(Sym, State));
 
     C.emitReport(std::move(R));
   }
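Review bot: `RS->getAllocationFamily()` on the new side dereferences the `RegionState` lookup without a null check; this report is presumably only built for a symbol already judged released, so an entry should exist, but nothing at this point says so. An `assert(RS && "use-after-free report for a symbol without RegionState")` after the lookup, or `if (RS && RS->getAllocationFamily() == AF_InternalBuffer)` in the condition, would pin that assumption instead of leaving a null dereference as the failure mode. The state handed to `getDanglingBufferBRVisitor` is the one at the report node, after release, so this relies on DanglingInternalBufferChecker keeping the object's pointer set in its map past release, which is what the hunks above do; a comment here naming that dependency would keep the two files from drifting apart. The enclosing function starts before the hunk.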