Index: include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h =================================================================== --- include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h +++ include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h @@ -253,9 +253,16 @@ /// which the return value has already been bound to the origin expression. SVal getReturnValue() const; + /// \brief Returns true if the type of any of the non-null arguments satisfies + /// the condition. + bool hasNonNullArgumentsWithType(bool (*Condition)(QualType)) const; + /// \brief Returns true if any of the arguments appear to represent callbacks. bool hasNonZeroCallbackArg() const; + /// \brief Returns true if any of the arguments is void*. + bool hasVoidPointerToNonConstArg() const; + /// \brief Returns true if any of the arguments are known to escape to long- /// term storage, even if this method will not modify them. // NOTE: The exact semantics of this are still being defined! Index: lib/StaticAnalyzer/Checkers/MallocChecker.cpp =================================================================== --- lib/StaticAnalyzer/Checkers/MallocChecker.cpp +++ lib/StaticAnalyzer/Checkers/MallocChecker.cpp @@ -2390,7 +2390,7 @@ if (const ObjCMethodCall *Msg = dyn_cast(Call)) { // If it's not a framework call, or if it takes a callback, assume it // can free memory. - if (!Call->isInSystemHeader() || Call->hasNonZeroCallbackArg()) + if (!Call->isInSystemHeader() || Call->argumentsMayEscape()) return true; // If it's a method we know about, handle it explicitly post-call. Index: lib/StaticAnalyzer/Core/CallEvent.cpp =================================================================== --- lib/StaticAnalyzer/Core/CallEvent.cpp +++ lib/StaticAnalyzer/Core/CallEvent.cpp @@ -50,11 +50,7 @@ return ResultTy; } -static bool isCallbackArg(SVal V, QualType T) { - // If the parameter is 0, it's harmless. - if (V.isZeroConstant()) - return false; - +static bool isCallback(QualType T) { // If a parameter is a block or a callback, assume it can modify pointer. if (T->isBlockPointerType() || T->isFunctionPointerType() || @@ -75,32 +71,53 @@ return true; } } - return false; } -bool CallEvent::hasNonZeroCallbackArg() const { +static bool isVoidPointerToNonConst(QualType T) { + if (const PointerType *PT = T->getAs()) { + QualType PointeeTy = PT->getPointeeType(); + if (PointeeTy.isConstQualified()) + return false; + return PointeeTy->isVoidType(); + } else + return false; +} + +bool CallEvent::hasNonNullArgumentsWithType(bool (*Condition)(QualType)) const { unsigned NumOfArgs = getNumArgs(); // If calling using a function pointer, assume the function does not - // have a callback. TODO: We could check the types of the arguments here. + // satisfy the callback. + // TODO: We could check the types of the arguments here. if (!getDecl()) return false; unsigned Idx = 0; for (CallEvent::param_type_iterator I = param_type_begin(), - E = param_type_end(); + E = param_type_end(); I != E && Idx < NumOfArgs; ++I, ++Idx) { if (NumOfArgs <= Idx) break; - if (isCallbackArg(getArgSVal(Idx), *I)) + // If the parameter is 0, it's harmless. + if (getArgSVal(Idx).isZeroConstant()) + continue; + + if (Condition(*I)) return true; } - return false; } +bool CallEvent::hasNonZeroCallbackArg() const { + return hasNonNullArgumentsWithType(isCallback); +} + +bool CallEvent::hasVoidPointerToNonConstArg() const { + return hasNonNullArgumentsWithType(isVoidPointerToNonConst); +} + bool CallEvent::isGlobalCFunction(StringRef FunctionName) const { const FunctionDecl *FD = dyn_cast_or_null(getDecl()); if (!FD) @@ -326,7 +343,7 @@ } bool AnyFunctionCall::argumentsMayEscape() const { - if (hasNonZeroCallbackArg()) + if (CallEvent::argumentsMayEscape() || hasVoidPointerToNonConstArg()) return true; const FunctionDecl *D = getDecl(); Index: test/Analysis/Inputs/system-header-simulator.h =================================================================== --- test/Analysis/Inputs/system-header-simulator.h +++ test/Analysis/Inputs/system-header-simulator.h @@ -82,6 +82,12 @@ void fakeSystemHeaderCallInt(int *); void fakeSystemHeaderCallIntPtr(int **); +// Some data strauctures may hold onto the pointer and free it later. +void fake_insque(void *, void *); +typedef struct fake_rb_tree { void *opaque[8]; } fake_rb_tree_t; +void fake_rb_tree_init(fake_rb_tree_t *, const void *); +void *fake_rb_tree_insert_node(fake_rb_tree_t *, void *); + typedef struct __SomeStruct { char * p; } SomeStruct; Index: test/Analysis/malloc.c =================================================================== --- test/Analysis/malloc.c +++ test/Analysis/malloc.c @@ -1657,6 +1657,23 @@ return p; } +// Some data structures may hold onto the pointer and free it later. +void testEscapeThroughSystemCallTakingVoidPointer1(void *queue) { + int *data = (int *)malloc(32); + fake_insque(queue, data); // no warning +} + +void testEscapeThroughSystemCallTakingVoidPointer2(fake_rb_tree_t *rbt) { + int *data = (int *)malloc(32); + fake_rb_tree_init(rbt, data); +} //expected-warning{{Potential leak}} + +void testEscapeThroughSystemCallTakingVoidPointer3(fake_rb_tree_t *rbt) { + int *data = (int *)malloc(32); + fake_rb_tree_init(rbt, data); + fake_rb_tree_insert_node(rbt, data); // no warning +} + // ---------------------------------------------------------------------------- // False negatives.