This is an archive of the discontinued LLVM Phabricator instance.

Differential D118880

[analyzer] Improve NoOwnershipChangeVisitor's understanding of deallocators
ClosedPublic

Authored by Szelethus on Feb 3 2022, 1:34 AM.

Details

Reviewers
NoQ
steakhal
martong
balazske
ASDenysPetrov
Commits
rGd832078904c6: [analyzer] Improve NoOwnershipChangeVisitor's understanding of deallocators
Summary

The problem with leak bug reports is that the most interesting event in the code is likely the one that did not happen -- lack of ownership change and lack of deallocation, which is often present within the same function that the analyzer inlined anyway, but not on the path of execution on which the bug occured. We struggle to understand that a function was responsible for freeing the memory, but failed.

D105819 added a new visitor to improve memory leak bug reports. In addition to inspecting the ExplodedNodes of the bug pat, the visitor tries to guess whether the function was supposed to free memory, but failed to. Initially (in D108753), this was done by checking whether a CXXDeleteExpr is present in the function. If so, we assume that the function was at least party responsible, and prevent the analyzer from pruning bug report notes in it. This patch improves this heuristic by recognizing all deallocator functions that MallocChecker itself recognizes, by reusing MallocChecker::isFreeingCall.

Diff Detail

Event Timeline

Szelethus created this revision.Feb 3 2022, 1:34 AM
Herald added subscribers: manas, gamesh411, dkrupp and 8 others. · View Herald TranscriptFeb 3 2022, 1:34 AM
Szelethus requested review of this revision.Feb 3 2022, 1:34 AM
Herald added a subscriber: cfe-commits. · View Herald TranscriptFeb 3 2022, 1:34 AM
Harbormaster completed remote builds in B147326: Diff 405541.Feb 3 2022, 2:03 AM
Szelethus updated this revision to Diff 405979.Feb 4 2022, 9:08 AM
Szelethus edited the summary of this revision. (Show Details)

Move CallDescription specific changes to D119004.

Szelethus added a parent revision: D119004: [NFC][analyzer] Allow CallDescriptions to be matched with CallExprs.Feb 4 2022, 9:08 AM
Harbormaster completed remote builds in B147649: Diff 405979.Feb 4 2022, 9:57 AM
steakhal added a comment.Feb 7 2022, 6:52 AM

I like it.
nits here and there;

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h
102 ↗(On Diff #405541)

CallExpr

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
750

What about having a const reference, or a const pointer to const?

802

You should probably add an example of when is it imprecise and an explanation of why we have this function.

807
837–838

I guess, this gets fixed by this patch.

837–838

Without braces, it would be slightly more compact & readable IMO.

837–838

Could you clarify what this wants to denote? I'm just curious.

1123
clang/test/Analysis/NewDeleteLeaks.cpp
169

I guess we would not have the warning if bar would accept the pointer P, since that way it would escape.
Am I correct?

Szelethus updated this revision to Diff 407121.Feb 9 2022, 4:30 AM
Szelethus marked 8 inline comments as done.

Fixes according to reviewer comments.

clang/test/Analysis/NewDeleteLeaks.cpp
169

That is correct, but as an earlier todo states, we don't currently employ any heuristics to guess whether bar was responsible for storing P (as opposed to deallocating it, which is what this patch is about), but failed to.

steakhal accepted this revision.Feb 9 2022, 5:09 AM

I'm content. Thanks for the patch.

This revision is now accepted and ready to land.Feb 9 2022, 5:09 AM
Harbormaster completed remote builds in B148455: Diff 407121.Feb 9 2022, 5:16 AM
Closed by commit rGd832078904c6: [analyzer] Improve NoOwnershipChangeVisitor's understanding of deallocators (authored by Szelethus). · Explain WhyMar 3 2022, 2:28 AM
This revision was automatically updated to reflect the committed changes.
Szelethus added a commit: rGd832078904c6: [analyzer] Improve NoOwnershipChangeVisitor's understanding of deallocators.
Herald added a project: Restricted Project. · View Herald TranscriptMar 3 2022, 2:28 AM

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
76 lines
test/
Analysis/
58 lines

Diff 412644

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 LinesShow All 392 Lines▼ Show 20 Lines#define CHECK_FN(NAME) \
const CallDescriptionMap<CheckFn> FreeingMemFnMap{ const CallDescriptionMap<CheckFn> FreeingMemFnMap{
{{"free", 1}, &MallocChecker::checkFree}, {{"free", 1}, &MallocChecker::checkFree},
{{"if_freenameindex", 1}, &MallocChecker::checkIfFreeNameIndex}, {{"if_freenameindex", 1}, &MallocChecker::checkIfFreeNameIndex},
{{"kfree", 1}, &MallocChecker::checkFree}, {{"kfree", 1}, &MallocChecker::checkFree},
{{"g_free", 1}, &MallocChecker::checkFree}, {{"g_free", 1}, &MallocChecker::checkFree},
}; };
bool isFreeingCall(const CallEvent &Call) const; bool isFreeingCall(const CallEvent &Call) const;
static bool isFreeingOwnershipAttrCall(const FunctionDecl *Func);
friend class NoOwnershipChangeVisitor;
CallDescriptionMap<CheckFn> AllocatingMemFnMap{ CallDescriptionMap<CheckFn> AllocatingMemFnMap{
{{"alloca", 1}, &MallocChecker::checkAlloca}, {{"alloca", 1}, &MallocChecker::checkAlloca},
{{"_alloca", 1}, &MallocChecker::checkAlloca}, {{"_alloca", 1}, &MallocChecker::checkAlloca},
{{"malloc", 1}, &MallocChecker::checkBasicAlloc}, {{"malloc", 1}, &MallocChecker::checkBasicAlloc},
{{"malloc", 3}, &MallocChecker::checkKernelMalloc}, {{"malloc", 3}, &MallocChecker::checkKernelMalloc},
{{"calloc", 2}, &MallocChecker::checkCalloc}, {{"calloc", 2}, &MallocChecker::checkCalloc},
{{"valloc", 1}, &MallocChecker::checkBasicAlloc}, {{"valloc", 1}, &MallocChecker::checkBasicAlloc},
▲ Show 20 LinesShow All 328 Lines▼ Show 20 Lines
} // end anonymous namespace } // end anonymous namespace
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Definition of NoOwnershipChangeVisitor. // Definition of NoOwnershipChangeVisitor.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
namespace { namespace {
class NoOwnershipChangeVisitor final : public NoStateChangeFuncVisitor { class NoOwnershipChangeVisitor final : public NoStateChangeFuncVisitor {
// The symbol whose (lack of) ownership change we are interested in.
SymbolRef Sym; SymbolRef Sym;
const MallocChecker &Checker;
steakhalUnsubmitted
Done
ReplyInline Actions

What about having a const reference, or a const pointer to const?

steakhal: What about having a const reference, or a const pointer to const?
using OwnerSet = llvm::SmallPtrSet<const MemRegion *, 8>; using OwnerSet = llvm::SmallPtrSet<const MemRegion *, 8>;
// Collect which entities point to the allocated memory, and could be // Collect which entities point to the allocated memory, and could be
// responsible for deallocating it. // responsible for deallocating it.
class OwnershipBindingsHandler : public StoreManager::BindingsHandler { class OwnershipBindingsHandler : public StoreManager::BindingsHandler {
SymbolRef Sym; SymbolRef Sym;
OwnerSet &Owners; OwnerSet &Owners;
Show All 35 Linesprotected:
getFunctionName(const ExplodedNode *CallEnterN) { getFunctionName(const ExplodedNode *CallEnterN) {
if (const CallExpr *CE = llvm::dyn_cast_or_null<CallExpr>( if (const CallExpr *CE = llvm::dyn_cast_or_null<CallExpr>(
CallEnterN->getLocationAs<CallEnter>()->getCallExpr())) CallEnterN->getLocationAs<CallEnter>()->getCallExpr()))
if (const FunctionDecl *FD = CE->getDirectCallee()) if (const FunctionDecl *FD = CE->getDirectCallee())
return FD->getQualifiedNameAsString(); return FD->getQualifiedNameAsString();
return ""; return "";
} }
/// Syntactically checks whether the callee is a deallocating function. Since
steakhalUnsubmitted
Done
ReplyInline Actions

You should probably add an example of when is it imprecise and an explanation of why we have this function.

steakhal: You should probably add an example of when is it imprecise and an explanation of why we have…
/// we have no path-sensitive information on this call (we would need a
/// CallEvent instead of a CallExpr for that), its possible that a
/// deallocation function was called indirectly through a function pointer,
/// but we are not able to tell, so this is a best effort analysis.
/// See namespace `memory_passed_to_fn_call_free_through_fn_ptr` in
steakhalUnsubmitted
Done
ReplyInline Actions
return true;
- if (const auto *Func = dyn_cast<FunctionDecl>(Call.getCalleeDecl()))
+ if (const auto *Func = dyn_cast_or_null<FunctionDecl>(Call.getCalleeDecl()))
return MallocChecker::isFreeingOwnershipAttrCall(Func);
steakhal:
/// clang/test/Analysis/NewDeleteLeaks.cpp.
bool isFreeingCallAsWritten(const CallExpr &Call) const {
if (Checker.FreeingMemFnMap.lookupAsWritten(Call) ||
Checker.ReallocatingMemFnMap.lookupAsWritten(Call))
return true;
if (const auto *Func =
llvm::dyn_cast_or_null<FunctionDecl>(Call.getCalleeDecl()))
return MallocChecker::isFreeingOwnershipAttrCall(Func);
return false;
}
/// Heuristically guess whether the callee intended to free memory. This is
/// done syntactically, because we are trying to argue about alternative
/// paths of execution, and as a consequence we don't have path-sensitive
/// information.
bool doesFnIntendToHandleOwnership(const Decl *Callee, ASTContext &ACtx) { bool doesFnIntendToHandleOwnership(const Decl *Callee, ASTContext &ACtx) {
using namespace clang::ast_matchers; using namespace clang::ast_matchers;
const FunctionDecl *FD = dyn_cast<FunctionDecl>(Callee); const FunctionDecl *FD = dyn_cast<FunctionDecl>(Callee);
// Given that the stack frame was entered, the body should always be // Given that the stack frame was entered, the body should always be
// theoretically obtainable. In case of body farms, the synthesized body // theoretically obtainable. In case of body farms, the synthesized body
// is not attached to declaration, thus triggering the '!FD->hasBody()' // is not attached to declaration, thus triggering the '!FD->hasBody()'
// branch. That said, would a synthesized body ever intend to handle // branch. That said, would a synthesized body ever intend to handle
// ownership? As of today they don't. And if they did, how would we // ownership? As of today they don't. And if they did, how would we
// put notes inside it, given that it doesn't match any source locations? // put notes inside it, given that it doesn't match any source locations?
if (!FD || !FD->hasBody()) if (!FD || !FD->hasBody())
return false; return false;
// TODO: Operator delete is hardly the only deallocator -- Can we reuse auto Matches = match(findAll(stmt(anyOf(cxxDeleteExpr().bind("delete"),
steakhalUnsubmitted
Done
ReplyInline Actions

I guess, this gets fixed by this patch.

steakhal: I guess, this gets fixed by this patch.
steakhalUnsubmitted
Done
ReplyInline Actions

Without braces, it would be slightly more compact & readable IMO.

steakhal: Without braces, it would be slightly more compact & readable IMO.
steakhalUnsubmitted
Done
ReplyInline Actions

Could you clarify what this wants to denote? I'm just curious.

steakhal: Could you clarify what this wants to denote? I'm just curious.
// isFreeingCall() or something thats already here? callExpr().bind("call")))),
auto Deallocations = match( *FD->getBody(), ACtx);
stmt(hasDescendant(cxxDeleteExpr().bind("delete")) for (BoundNodes Match : Matches) {
), *FD->getBody(), ACtx); if (Match.getNodeAs<CXXDeleteExpr>("delete"))
// TODO: Ownership my change with an attempt to store the allocated memory. return true;
return !Deallocations.empty();
if (const auto *Call = Match.getNodeAs<CallExpr>("call"))
if (isFreeingCallAsWritten(*Call))
return true;
}
// TODO: Ownership might change with an attempt to store the allocated
// memory, not only through deallocation. Check for attempted stores as
// well.
return false;
} }
virtual bool virtual bool
wasModifiedInFunction(const ExplodedNode *CallEnterN, wasModifiedInFunction(const ExplodedNode *CallEnterN,
const ExplodedNode *CallExitEndN) override { const ExplodedNode *CallExitEndN) override {
if (!doesFnIntendToHandleOwnership( if (!doesFnIntendToHandleOwnership(
CallExitEndN->getFirstPred()->getLocationContext()->getDecl(), CallExitEndN->getFirstPred()->getLocationContext()->getDecl(),
CallExitEndN->getState()->getAnalysisManager().getASTContext())) CallExitEndN->getState()->getAnalysisManager().getASTContext()))
▲ Show 20 LinesShow All 52 Lines▼ Show 20 Lines for (unsigned I = 0; I < Call.getNumArgs() && I < Parameters.size(); ++I) {
SVal V = Call.getArgSVal(I); SVal V = Call.getArgSVal(I);
if (V.getAsSymbol() == Sym) if (V.getAsSymbol() == Sym)
return emitNote(N); return emitNote(N);
} }
return nullptr; return nullptr;
} }
public: public:
NoOwnershipChangeVisitor(SymbolRef Sym) NoOwnershipChangeVisitor(SymbolRef Sym, const MallocChecker *Checker)
: NoStateChangeFuncVisitor(bugreporter::TrackingKind::Thorough), : NoStateChangeFuncVisitor(bugreporter::TrackingKind::Thorough), Sym(Sym),
Sym(Sym) {} Checker(*Checker) {}
void Profile(llvm::FoldingSetNodeID &ID) const override { void Profile(llvm::FoldingSetNodeID &ID) const override {
static int Tag = 0; static int Tag = 0;
ID.AddPointer(&Tag); ID.AddPointer(&Tag);
ID.AddPointer(Sym); ID.AddPointer(Sym);
} }
void *getTag() const { void *getTag() const {
▲ Show 20 LinesShow All 168 Lines▼ Show 20 Linesstatic bool isStandardNewDelete(const FunctionDecl *FD) {
return !L.isValid() || return !L.isValid() ||
FD->getASTContext().getSourceManager().isInSystemHeader(L); FD->getASTContext().getSourceManager().isInSystemHeader(L);
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Methods of MallocChecker and MallocBugVisitor. // Methods of MallocChecker and MallocBugVisitor.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
bool MallocChecker::isFreeingCall(const CallEvent &Call) const { bool MallocChecker::isFreeingOwnershipAttrCall(const FunctionDecl *Func) {
if (FreeingMemFnMap.lookup(Call) || ReallocatingMemFnMap.lookup(Call)) if (Func->hasAttrs()) {
return true;
const auto *Func = dyn_cast<FunctionDecl>(Call.getDecl());
if (Func && Func->hasAttrs()) {
for (const auto *I : Func->specific_attrs<OwnershipAttr>()) { for (const auto *I : Func->specific_attrs<OwnershipAttr>()) {
OwnershipAttr::OwnershipKind OwnKind = I->getOwnKind(); OwnershipAttr::OwnershipKind OwnKind = I->getOwnKind();
if (OwnKind == OwnershipAttr::Takes || OwnKind == OwnershipAttr::Holds) if (OwnKind == OwnershipAttr::Takes || OwnKind == OwnershipAttr::Holds)
return true; return true;
} }
} }
return false; return false;
} }
bool MallocChecker::isFreeingCall(const CallEvent &Call) const {
if (FreeingMemFnMap.lookup(Call) || ReallocatingMemFnMap.lookup(Call))
return true;
if (const auto *Func = dyn_cast_or_null<FunctionDecl>(Call.getDecl()))
steakhalUnsubmitted
Done
ReplyInline Actions
return true;
- if (const auto *Func = dyn_cast<FunctionDecl>(Call.getDecl()))
+ if (const auto *Func = dyn_cast_or_null<FunctionDecl>(Call.getDecl()))
return isFreeingOwnershipAttrCall(Func);
steakhal:
return isFreeingOwnershipAttrCall(Func);
return false;
}
bool MallocChecker::isMemCall(const CallEvent &Call) const { bool MallocChecker::isMemCall(const CallEvent &Call) const {
if (FreeingMemFnMap.lookup(Call) || AllocatingMemFnMap.lookup(Call) || if (FreeingMemFnMap.lookup(Call) || AllocatingMemFnMap.lookup(Call) ||
ReallocatingMemFnMap.lookup(Call)) ReallocatingMemFnMap.lookup(Call))
return true; return true;
if (!ShouldIncludeOwnershipAnnotatedFunctions) if (!ShouldIncludeOwnershipAnnotatedFunctions)
return false; return false;
▲ Show 20 LinesShow All 1,656 Lines▼ Show 20 Linesvoid MallocChecker::HandleLeak(SymbolRef Sym, ExplodedNode *N,
} }
auto R = std::make_unique<PathSensitiveBugReport>( auto R = std::make_unique<PathSensitiveBugReport>(
*BT_Leak[*CheckKind], os.str(), N, LocUsedForUniqueing, *BT_Leak[*CheckKind], os.str(), N, LocUsedForUniqueing,
AllocNode->getLocationContext()->getDecl()); AllocNode->getLocationContext()->getDecl());
R->markInteresting(Sym); R->markInteresting(Sym);
R->addVisitor<MallocBugVisitor>(Sym, true); R->addVisitor<MallocBugVisitor>(Sym, true);
if (ShouldRegisterNoOwnershipChangeVisitor) if (ShouldRegisterNoOwnershipChangeVisitor)
R->addVisitor<NoOwnershipChangeVisitor>(Sym); R->addVisitor<NoOwnershipChangeVisitor>(Sym, this);
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper, void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper,
CheckerContext &C) const CheckerContext &C) const
{ {
ProgramStateRef state = C.getState(); ProgramStateRef state = C.getState();
RegionStateTy OldRS = state->get<RegionState>(); RegionStateTy OldRS = state->get<RegionState>();
▲ Show 20 LinesShow All 831 LinesShow Last 20 Lines

clang/test/Analysis/NewDeleteLeaks.cpp

Show All 29 Lines
void foo() { void foo() {
sink(new int(5)); // expected-note {{Memory is allocated}} sink(new int(5)); // expected-note {{Memory is allocated}}
} // expected-warning {{Potential memory leak [cplusplus.NewDeleteLeaks]}} } // expected-warning {{Potential memory leak [cplusplus.NewDeleteLeaks]}}
// expected-note@-1 {{Potential memory leak}} // expected-note@-1 {{Potential memory leak}}
} // namespace memory_allocated_in_fn_call } // namespace memory_allocated_in_fn_call
namespace memory_passed_to_fn_call { // Realize that sink() intends to deallocate memory, assume that it should've
// taken care of the leaked object as well.
namespace memory_passed_to_fn_call_delete {
void sink(int *P) { void sink(int *P) {
if (coin()) // ownership-note {{Assuming the condition is false}} if (coin()) // ownership-note {{Assuming the condition is false}}
// ownership-note@-1 {{Taking false branch}} // ownership-note@-1 {{Taking false branch}}
delete P; delete P;
} // ownership-note {{Returning without deallocating memory or storing the pointer for later deallocation}} } // ownership-note {{Returning without deallocating memory or storing the pointer for later deallocation}}
void foo() { void foo() {
int *ptr = new int(5); // expected-note {{Memory is allocated}} int *ptr = new int(5); // expected-note {{Memory is allocated}}
sink(ptr); // ownership-note {{Calling 'sink'}} sink(ptr); // ownership-note {{Calling 'sink'}}
// ownership-note@-1 {{Returning from 'sink'}} // ownership-note@-1 {{Returning from 'sink'}}
} // expected-warning {{Potential leak of memory pointed to by 'ptr' [cplusplus.NewDeleteLeaks]}} } // expected-warning {{Potential leak of memory pointed to by 'ptr' [cplusplus.NewDeleteLeaks]}}
// expected-note@-1 {{Potential leak}} // expected-note@-1 {{Potential leak}}
} // namespace memory_passed_to_fn_call } // namespace memory_passed_to_fn_call_delete
namespace memory_passed_to_fn_call_free {
void sink(int *P) {
if (coin()) // ownership-note {{Assuming the condition is false}}
// ownership-note@-1 {{Taking false branch}}
free(P);
} // ownership-note {{Returning without deallocating memory or storing the pointer for later deallocation}}
void foo() {
int *ptr = (int *)malloc(sizeof(int)); // expected-note {{Memory is allocated}}
sink(ptr); // ownership-note {{Calling 'sink'}}
// ownership-note@-1 {{Returning from 'sink'}}
} // expected-warning {{Potential leak of memory pointed to by 'ptr' [unix.Malloc]}}
// expected-note@-1 {{Potential leak}}
} // namespace memory_passed_to_fn_call_free
// Function pointers cannot be resolved syntactically.
namespace memory_passed_to_fn_call_free_through_fn_ptr {
void (*freeFn)(void *) = free;
void sink(int *P) {
if (coin())
freeFn(P);
}
void foo() {
int *ptr = (int *)malloc(sizeof(int)); // expected-note {{Memory is allocated}}
sink(ptr);
} // expected-warning {{Potential leak of memory pointed to by 'ptr' [unix.Malloc]}}
// expected-note@-1 {{Potential leak}}
} // namespace memory_passed_to_fn_call_free_through_fn_ptr
namespace memory_shared_with_ptr_of_shorter_lifetime { namespace memory_shared_with_ptr_of_shorter_lifetime {
void sink(int *P) { void sink(int *P) {
int *Q = P; int *Q = P;
if (coin()) // ownership-note {{Assuming the condition is false}} if (coin()) // ownership-note {{Assuming the condition is false}}
// ownership-note@-1 {{Taking false branch}} // ownership-note@-1 {{Taking false branch}}
delete P; delete P;
▲ Show 20 LinesShow All 56 Lines▼ Show 20 Lines
void foo() { void foo() {
int *ptr = new int(5); // expected-note {{Memory is allocated}} int *ptr = new int(5); // expected-note {{Memory is allocated}}
sink(ptr); sink(ptr);
} // expected-warning {{Potential leak of memory pointed to by 'ptr' [cplusplus.NewDeleteLeaks]}} } // expected-warning {{Potential leak of memory pointed to by 'ptr' [cplusplus.NewDeleteLeaks]}}
// expected-note@-1 {{Potential leak}} // expected-note@-1 {{Potential leak}}
} // namespace memory_passed_into_fn_that_doesnt_intend_to_free } // namespace memory_passed_into_fn_that_doesnt_intend_to_free
namespace memory_passed_into_fn_that_doesnt_intend_to_free2 {
void bar();
void sink(int *P) {
// Correctly realize that calling bar() doesn't mean that this function would
// like to deallocate anything.
bar();
steakhalUnsubmitted
Done
ReplyInline Actions

I guess we would not have the warning if bar would accept the pointer P, since that way it would escape.
Am I correct?

steakhal: I guess we would not have the warning if `bar` would accept the pointer `P`, since that way it…
SzelethusAuthorUnsubmitted
Done
ReplyInline Actions

That is correct, but as an earlier todo states, we don't currently employ any heuristics to guess whether bar was responsible for storing P (as opposed to deallocating it, which is what this patch is about), but failed to.

Szelethus: That is correct, but as an earlier todo states, we don't currently employ any heuristics to…
}
void foo() {
int *ptr = new int(5); // expected-note {{Memory is allocated}}
sink(ptr);
} // expected-warning {{Potential leak of memory pointed to by 'ptr' [cplusplus.NewDeleteLeaks]}}
// expected-note@-1 {{Potential leak}}
} // namespace memory_passed_into_fn_that_doesnt_intend_to_free2
namespace refkind_from_unoallocated_to_allocated { namespace refkind_from_unoallocated_to_allocated {
// RefKind of the symbol changed from nothing to Allocated. We don't want to // RefKind of the symbol changed from nothing to Allocated. We don't want to
// emit notes when the RefKind changes in the stack frame. // emit notes when the RefKind changes in the stack frame.
static char *malloc_wrapper_ret() { static char *malloc_wrapper_ret() {
return (char *)malloc(12); // expected-note {{Memory is allocated}} return (char *)malloc(12); // expected-note {{Memory is allocated}}
} }
void use_ret() { void use_ret() {
char *v; char *v;
v = malloc_wrapper_ret(); // expected-note {{Calling 'malloc_wrapper_ret'}} v = malloc_wrapper_ret(); // expected-note {{Calling 'malloc_wrapper_ret'}}
// expected-note@-1 {{Returned allocated memory}} // expected-note@-1 {{Returned allocated memory}}
} // expected-warning {{Potential leak of memory pointed to by 'v' [unix.Malloc]}} } // expected-warning {{Potential leak of memory pointed to by 'v' [unix.Malloc]}}
// expected-note@-1 {{Potential leak of memory pointed to by 'v'}} // expected-note@-1 {{Potential leak of memory pointed to by 'v'}}
} // namespace refkind_from_unoallocated_to_allocated } // namespace refkind_from_unoallocated_to_allocated