This is an archive of the discontinued LLVM Phabricator instance.

Differential D36023

[analyzer] Add array support for MagentaHandleChecker
AbandonedPublic

Authored by haowei on Jul 28 2017, 3:13 PM.

Details

Reviewers
NoQ
dcoughlin
Summary

This commit adds support for syscalls that acquire/release handles in an array for MagentaHandleChecker introduced in D35968 and D36022.

Most magenta handle related syscalls will take a pointer to a local mx_handle_t variable for handle acquisition and take a value of a local mx_handle variable for handle release. A good example would be:

mx_status_t mx_channel_create(uint32_t options,
                              mx_handle_t* out0, mx_handle_t* out1);

and

mx_status_t mx_handle_close(mx_handle_t handle);

However, there are two exceptions, syscall

mx_status_t mx_channel_read(mx_handle_t handle, uint32_t options,
                            void* bytes, mx_handle_t* handles,
                            uint32_t num_bytes, uint32_t num_handles,
                            uint32_t* actual_bytes, uint32_t* actual_handles);

Will read(acquire) "num_handles" of handles and save them to the array pointed to by "handles". The actual number of acquired handles will be saved to the variable pointed to by "actual_handles".

And syscall

mx_status_t mx_channel_write(mx_handle_t handle, uint32_t options,
                             void* bytes, uint32_t num_bytes,
                             mx_handle_t* handles, uint32_t num_handles)

Will release "num_handles" of handles in array "handles".

This patch adds support to handle acquire/release through arrays so these two syscalls can be processed by this checker.

Diff Detail

Revision Contents

Diff 108719

lib/StaticAnalyzer/Checkers/MagentaHandleChecker.cpp

Show First 20 LinesShow All 228 Lines▼ Show 20 Lines void Profile(llvm::FoldingSetNodeID &ID) const {
ID.AddInteger(K); ID.AddInteger(K);
ID.AddPointer(Region); ID.AddPointer(Region);
} }
}; };
static const char *ANNOTATION_PREFIX = "mx_"; static const char *ANNOTATION_PREFIX = "mx_";
static const char *HANDLE_TYPE_NAME = "mx_handle_t"; static const char *HANDLE_TYPE_NAME = "mx_handle_t";
static const char *SYSCALL_RETURN_TYPE_NAME = "mx_status_t"; static const char *SYSCALL_RETURN_TYPE_NAME = "mx_status_t";
static const int MAX_HANDLE_IN_ARRAY = 64;
class MagentaHandleChecker class MagentaHandleChecker
: public Checker<check::DeadSymbols, check::PointerEscape, eval::Call, : public Checker<check::DeadSymbols, check::PointerEscape, eval::Call,
check::PostCall> { check::PostCall> {
std::unique_ptr<BugType> LeakBugType; std::unique_ptr<BugType> LeakBugType;
std::unique_ptr<BugType> DoubleReleaseBugType; std::unique_ptr<BugType> DoubleReleaseBugType;
std::unique_ptr<BugType> UseAfterFreeBugType; std::unique_ptr<BugType> UseAfterFreeBugType;
Show All 35 Lines void reportBug(SymbolRef Sym, ExplodedNode *ErrorNode, CheckerContext &C,
const SourceRange *Range, const std::unique_ptr<BugType> &Type, const SourceRange *Range, const std::unique_ptr<BugType> &Type,
StringRef Msg) const; StringRef Msg) const;
// Utility functions // Utility functions
// Generate function spec info based on inline annotations in declaration // Generate function spec info based on inline annotations in declaration
bool generateSpecForFuncionDecl(const FunctionDecl *FuncDecl) const; bool generateSpecForFuncionDecl(const FunctionDecl *FuncDecl) const;
// Extract magenta related annotation string from declarations // Extract magenta related annotation string from declarations
StringRef extractAnnotationWithoutPrefix(const Decl *D) const; StringRef extractAnnotationWithoutPrefix(const Decl *D) const;
bool CheckExprIsZero(const Expr *ArgExpr, CheckerContext &Ctx) const;
int64_t getArgValueFromExpr(const Expr *ArgExpr, ProgramStateRef State,
const LocationContext *LCtx,
int64_t DefaultVal) const;
ProgramStateRef processHandleArrayArgWithFuncSpec(const CallExpr *CE, ProgramStateRef processHandleArrayArgWithFuncSpec(const CallExpr *CE,
ProgramStateRef State, ProgramStateRef State,
CheckerContext &Ctx, CheckerContext &Ctx,
ArgSpec &CurArgSpec) const; ArgSpec &CurArgSpec) const;
ProgramStateRef conjureFailedState(const CallExpr *CE, ProgramStateRef State, ProgramStateRef conjureFailedState(const CallExpr *CE, ProgramStateRef State,
CheckerContext &Ctx) const; CheckerContext &Ctx) const;
ProgramStateRef allocateSingleHandle(const CallExpr *CE, const Expr *ArgExpr, ProgramStateRef allocateSingleHandle(const CallExpr *CE, const Expr *ArgExpr,
ProgramStateRef State, ProgramStateRef State,
CheckerContext &Ctx) const; CheckerContext &Ctx) const;
ProgramStateRef allocateHandlesForArray(const ElementRegion *EleRegion,
const CallExpr *CE, int HandleCount,
ProgramStateRef State,
CheckerContext &Ctx,
bool EscapeOnAllocation) const;
ProgramStateRef releaseHandlesForArray(const ElementRegion *EleRegion,
const CallExpr *CE, int HandleCount,
ProgramStateRef State,
CheckerContext &Ctx) const;
// Return true only if it is certain that Sym will be Zero // Return true only if it is certain that Sym will be Zero
static bool CheckSymbolConstraintToZero(SymbolRef Sym, ProgramStateRef State); static bool CheckSymbolConstraintToZero(SymbolRef Sym, ProgramStateRef State);
bool isLeaked(SymbolRef SymHandle, const HandleState &CurHandleState, bool isLeaked(SymbolRef SymHandle, const HandleState &CurHandleState,
bool isSymDead, ProgramStateRef State) const; bool isSymDead, ProgramStateRef State) const;
// This is how CSA determines if a pointer is escaped in assignment // This is how CSA determines if a pointer is escaped in assignment
// statement. Copied from ExprEngine::processPointerEscapedOnBind // statement. Copied from ExprEngine::processPointerEscapedOnBind
▲ Show 20 LinesShow All 249 Lines▼ Show 20 Linesbool MagentaHandleChecker::evalCallWithFuncSpec(const CallExpr *CE,
Ctx.addTransition(State); Ctx.addTransition(State);
FuncKindMap[FD] = ANNOATATED_FUNC; FuncKindMap[FD] = ANNOATATED_FUNC;
return true; return true;
} }
ProgramStateRef MagentaHandleChecker::processHandleArrayArgWithFuncSpec( ProgramStateRef MagentaHandleChecker::processHandleArrayArgWithFuncSpec(
const CallExpr *CE, ProgramStateRef State, CheckerContext &Ctx, const CallExpr *CE, ProgramStateRef State, CheckerContext &Ctx,
ArgSpec &CurArgSpec) const { ArgSpec &CurArgSpec) const {
// A place holder. This function is used to process handle acquire/release if (CurArgSpec.getInputCArgIdx() == -1)
// via an array. Its code will be included in follow up commits return nullptr;
const LocationContext *LCtx = Ctx.getLocationContext();
SValBuilder &Bldr = Ctx.getSValBuilder();
const Expr *HandleBufExpr = CE->getArg(CurArgSpec.getIndex());
const Expr *InputSizeExpr = CE->getArg(CurArgSpec.getInputCArgIdx());
if (CheckExprIsZero(HandleBufExpr, Ctx) ||
CheckExprIsZero(InputSizeExpr, Ctx))
return nullptr;
bool ArgEscaped = isArgumentEscaped(State->getSVal(HandleBufExpr, LCtx));
const MemRegion *MemHandleBuf =
State->getSVal(HandleBufExpr, LCtx).getAsRegion();
// Determine how many handles should be allocated/released, it may have
// following cases:
// 1. handlebuf is a pointer to a local mx_handle_t variable, in this case
// only 1 handle should be allocated/released and InputSizeExpr is ignored
// 2. handlebuf is an array and InputSizeExpr can be resolved to a concrete
// int, let's denote it as inputsize. If 0 < inputsize <= 4,
// allocate/release exact number of handles as indicated by inputsize.
// If inputsize <= 0, consider it as an error and fallback to
// conservativeEvalCall. If inputsize > 4, in allocation, allocate only 4
// handles. In release, release all handles that may bound to this array.
// 3. handlebuf is an array and InputSizeExpr cannot be resolved to a concrete
// integer. In allocation, assume inputsize is 4 and do the same thing as
// condition 2. In release, release all handles that may bound to this
// array.
// This is a workaround due to the fact that CSA will execute a loop for only
// 4 times even though the loop bound is known by default.
if (!MemHandleBuf)
return nullptr;
if (CurArgSpec.isAllocation()) {
// Acquire an array of handles, the output count should not be null.
if (CurArgSpec.getOutputCArgIdx() == -1)
return nullptr;
const Expr *OutputSizeExpr = CE->getArg(CurArgSpec.getOutputCArgIdx());
if (CheckExprIsZero(OutputSizeExpr, Ctx))
return nullptr;
int64_t ExtVal = getArgValueFromExpr(InputSizeExpr, State, LCtx, 4);
if (ExtVal < 0)
return nullptr;
if (!isa<ElementRegion>(MemHandleBuf)) {
if (isa<VarRegion>(MemHandleBuf)) {
// Condition 1
State = allocateSingleHandle(CE, HandleBufExpr, State, Ctx);
if (!State)
return nullptr;
} else {
// The pointer to array may came from top-level function argument
// In this case, the handles are escaped at allocation. So do nothing.
return nullptr; return nullptr;
} }
} else {
if (ExtVal > 4)
ExtVal = 4;
// It is condition 2 or 3
const ElementRegion *EleRegion = dyn_cast<ElementRegion>(MemHandleBuf);
State = allocateHandlesForArray(EleRegion, CE, ExtVal, State, Ctx,
ArgEscaped);
if (!State)
return nullptr;
}
// Process the actual_handle returned
SVal ActHandleSVal = State->getSVal(OutputSizeExpr, LCtx);
SVal ConcreteInvSVal = Bldr.makeIntVal(llvm::APSInt::get(ExtVal));
State = State->bindLoc(ActHandleSVal, ConcreteInvSVal, LCtx);
} else if (CurArgSpec.isRelease()) {
int64_t ExtVal = getArgValueFromExpr(InputSizeExpr, State, LCtx, -1);
if (!isa<ElementRegion>(MemHandleBuf)) {
if (isa<VarRegion>(MemHandleBuf)) {
// It is condition 1
ExtVal = 1;
SVal HandleBufSVal = State->getSVal(MemHandleBuf);
SymbolRef SymHandleBuf = HandleBufSVal.getAsSymbol();
if (!SymHandleBuf)
return nullptr;
const HandleState *HS = State->get<HStateMap>(SymHandleBuf);
if (HS) {
if (HS->isReleased()) {
reportDoubleRelease(SymHandleBuf, CE->getSourceRange(), Ctx);
} else {
State = State->set<HStateMap>(SymHandleBuf,
HandleState::getReleased(HS));
}
}
} else {
// The pointer to the array comes from top-level function argument
// Because caller is not in current TU, we don't know where the handles
// are allocated. Do noting here.
return nullptr;
}
} else {
const ElementRegion *EleRegion = dyn_cast<ElementRegion>(MemHandleBuf);
ProgramStateRef NewState = nullptr;
if (ExtVal < 0 || ExtVal > 5) {
// Condition 2
NewState = releaseHandlesForArray(EleRegion, CE, MAX_HANDLE_IN_ARRAY,
State, Ctx);
} else {
// Condition 3
NewState = releaseHandlesForArray(EleRegion, CE, ExtVal, State, Ctx);
}
if (!NewState)
return nullptr;
State = NewState;
}
}
return State;
}
// Process the handle escaped situation. // Process the handle escaped situation.
// When a function is not inlined for any reasons, if one of its // When a function is not inlined for any reasons, if one of its
// arguments is an acquired handle, treat it as an escaped handle. // arguments is an acquired handle, treat it as an escaped handle.
// It should be processed by checkPointerEscape in the future. // It should be processed by checkPointerEscape in the future.
void MagentaHandleChecker::processUninlinedCalls(ProgramStateRef State, void MagentaHandleChecker::processUninlinedCalls(ProgramStateRef State,
const CallEvent &Call, const CallEvent &Call,
CheckerContext &Ctx) const { CheckerContext &Ctx) const {
▲ Show 20 LinesShow All 76 Lines▼ Show 20 LinesProgramStateRef MagentaHandleChecker::allocateSingleHandle(
// handle_allocate(out); // handle_allocate(out);
// } // }
// It should be considered as handle escape. // It should be considered as handle escape.
if (isArgumentEscaped(ArgSVal)) if (isArgumentEscaped(ArgSVal))
return State->set<HStateMap>(SymHandle, HandleState::getEscaped(&HS)); return State->set<HStateMap>(SymHandle, HandleState::getEscaped(&HS));
return State->set<HStateMap>(SymHandle, HS); return State->set<HStateMap>(SymHandle, HS);
} }
int64_t MagentaHandleChecker::getArgValueFromExpr(const Expr *ArgExpr,
ProgramStateRef State,
const LocationContext *LCtx,
int64_t DefaultVal) const {
int64_t ExtVal = DefaultVal;
SVal InputSizeSVal = State->getSVal(ArgExpr, LCtx);
if (InputSizeSVal.getBaseKind() == SVal::NonLocKind &&
InputSizeSVal.getSubKind() == nonloc::ConcreteIntKind) {
ExtVal =
InputSizeSVal.castAs<nonloc::ConcreteInt>().getValue().getExtValue();
} else if (InputSizeSVal.getBaseKind() == SVal::LocKind &&
InputSizeSVal.getSubKind() == loc::ConcreteIntKind) {
ExtVal = InputSizeSVal.castAs<loc::ConcreteInt>().getValue().getExtValue();
}
return ExtVal;
}
ProgramStateRef MagentaHandleChecker::allocateHandlesForArray(
const ElementRegion *EleRegion, const CallExpr *CE, int HandleCount,
ProgramStateRef State, CheckerContext &Ctx, bool EscapeOnAllocation) const {
if (!EleRegion)
return nullptr;
const SubRegion *SuperRegion =
dyn_cast<SubRegion>(EleRegion->getSuperRegion());
if (!SuperRegion)
return nullptr;
QualType EleType = dyn_cast<TypedValueRegion>(EleRegion)->getValueType();
SValBuilder &Bldr = Ctx.getSValBuilder();
MemRegionManager &MemRegionMgr = Bldr.getRegionManager();
const LocationContext *LCtx = Ctx.getLocationContext();
ASTContext &ASTCtx = State->getStateManager().getContext();
NonLoc StartIndexNonLoc = EleRegion->getIndex();
int StartIndex = 0;
if (StartIndexNonLoc.getSubKind() == nonloc::ConcreteIntKind)
StartIndex =
StartIndexNonLoc.castAs<nonloc::ConcreteInt>().getValue().getExtValue();
for (int i = StartIndex; i < StartIndex + HandleCount; ++i) {
NonLoc AryIndex = Bldr.makeArrayIndex(i);
const ElementRegion *CurElementRegion =
MemRegionMgr.getElementRegion(EleType, AryIndex, SuperRegion, ASTCtx);
if (!CurElementRegion)
return nullptr;
Loc ElementLoc = Bldr.makeLoc(CurElementRegion);
DefinedOrUnknownSVal ConjuredHandleSVal = Bldr.conjureSymbolVal(
CurElementRegion, CE, LCtx, EleType, Ctx.blockCount());
State = State->bindLoc(ElementLoc, ConjuredHandleSVal, LCtx);
SymbolRef SymHandle = ConjuredHandleSVal.getAsSymbol();
if (!SymHandle)
return nullptr;
if (ConjuredHandleSVal.getBaseKind() == SVal::NonLocKind)
State =
State->assumeInclusiveRange(ConjuredHandleSVal, llvm::APSInt::get(1),
llvm::APSInt::get(INT_MAX), true);
HandleState HS =
HandleState::getAllocated(dyn_cast<MemRegion>(CurElementRegion));
if (EscapeOnAllocation) {
State = State->set<HStateMap>(SymHandle, HandleState::getEscaped(&HS));
} else {
State = State->set<HStateMap>(SymHandle, HS);
}
}
return State;
}
ProgramStateRef MagentaHandleChecker::releaseHandlesForArray(
const ElementRegion *EleRegion, const CallExpr *CE, int HandleCount,
ProgramStateRef State, CheckerContext &Ctx) const {
if (!EleRegion)
return nullptr;
const SubRegion *SuperRegion =
dyn_cast<SubRegion>(EleRegion->getSuperRegion());
if (!SuperRegion)
return nullptr;
QualType EleType = dyn_cast<TypedValueRegion>(EleRegion)->getValueType();
SValBuilder &Bldr = Ctx.getSValBuilder();
MemRegionManager &MemRegionMgr = Bldr.getRegionManager();
ASTContext &ASTCtx = State->getStateManager().getContext();
NonLoc StartIndexNonLoc = EleRegion->getIndex();
int StartIndex = 0;
if (StartIndexNonLoc.getSubKind() == nonloc::ConcreteIntKind)
StartIndex =
StartIndexNonLoc.castAs<nonloc::ConcreteInt>().getValue().getExtValue();
for (int i = StartIndex; i < StartIndex + HandleCount; ++i) {
NonLoc AryIndex = Bldr.makeArrayIndex(i);
const ElementRegion *CurElementRegion =
MemRegionMgr.getElementRegion(EleType, AryIndex, SuperRegion, ASTCtx);
if (!CurElementRegion)
return nullptr;
SVal CurHandleSVal = State->getSVal(CurElementRegion);
SymbolRef SymHandle = CurHandleSVal.getAsSymbol();
if (!SymHandle)
continue;
// If SymHandle is SymbolDerived type. It means no more handles in
// the rest of the array. Break
if (isa<SymbolDerived>(SymHandle))
break;
const HandleState *SymState = State->get<HStateMap>(SymHandle);
if (!SymState)
continue;
if (SymState->isReleased()) {
reportDoubleRelease(SymHandle, CE->getSourceRange(), Ctx);
} else {
State =
State->set<HStateMap>(SymHandle, HandleState::getReleased(SymState));
}
}
return State;
}
bool MagentaHandleChecker::isLeaked(SymbolRef SymHandle, bool MagentaHandleChecker::isLeaked(SymbolRef SymHandle,
const HandleState &CurHandleState, const HandleState &CurHandleState,
bool isSymDead, bool isSymDead,
ProgramStateRef State) const { ProgramStateRef State) const {
if (isSymDead && CurHandleState.isAllocated()) { if (isSymDead && CurHandleState.isAllocated()) {
// Check if handle value is MX_HANDLE_INVALID. If so, not a leak. // Check if handle value is MX_HANDLE_INVALID. If so, not a leak.
if (CheckSymbolConstraintToZero(SymHandle, State)) if (CheckSymbolConstraintToZero(SymHandle, State))
return false; return false;
▲ Show 20 LinesShow All 105 Lines▼ Show 20 Lines for (const auto *AnnAttr : D->specific_attrs<AnnotateAttr>()) {
StringRef AnnAttrStr = AnnAttr->getAnnotation(); StringRef AnnAttrStr = AnnAttr->getAnnotation();
if (AnnAttrStr.startswith(ANNOTATION_PREFIX)) if (AnnAttrStr.startswith(ANNOTATION_PREFIX))
return AnnAttrStr.substr(std::strlen(ANNOTATION_PREFIX)); return AnnAttrStr.substr(std::strlen(ANNOTATION_PREFIX));
} }
} }
return StringRef(); return StringRef();
} }
bool MagentaHandleChecker::CheckExprIsZero(const Expr *ArgExpr,
CheckerContext &Ctx) const {
ProgramStateRef State = Ctx.getState();
const LocationContext *LCtx = Ctx.getLocationContext();
SVal ExprSVal = State->getSVal(ArgExpr, LCtx);
Optional<DefinedOrUnknownSVal> DSVal = ExprSVal.getAs<DefinedOrUnknownSVal>();
if (DSVal.hasValue())
return !State->assume(DSVal.getValue(), true);
return false;
}
void MagentaHandleChecker::reportBug(SymbolRef Sym, ExplodedNode *ErrorNode, void MagentaHandleChecker::reportBug(SymbolRef Sym, ExplodedNode *ErrorNode,
CheckerContext &C, CheckerContext &C,
const SourceRange *Range, const SourceRange *Range,
const std::unique_ptr<BugType> &Type, const std::unique_ptr<BugType> &Type,
StringRef Msg) const { StringRef Msg) const {
if (!ErrorNode || !Sym) if (!ErrorNode || !Sym)
return; return;
auto R = llvm::make_unique<BugReport>(*Type, Msg, ErrorNode); auto R = llvm::make_unique<BugReport>(*Type, Msg, ErrorNode);
Show All 38 Lines

test/Analysis/mxhandle.c

Show All 14 Lines
extern mx_status_t mx_channel_create( extern mx_status_t mx_channel_create(
uint32_t options, uint32_t options,
MX_SYSCALL_PARAM_ATTR(handle_acquire) mx_handle_t* out0, MX_SYSCALL_PARAM_ATTR(handle_acquire) mx_handle_t* out0,
MX_SYSCALL_PARAM_ATTR(handle_acquire) mx_handle_t* out1); MX_SYSCALL_PARAM_ATTR(handle_acquire) mx_handle_t* out1);
extern mx_status_t mx_handle_close( extern mx_status_t mx_handle_close(
MX_SYSCALL_PARAM_ATTR(handle_release_always) mx_handle_t handle); MX_SYSCALL_PARAM_ATTR(handle_release_always) mx_handle_t handle);
extern mx_status_t mx_channel_read(
MX_SYSCALL_PARAM_ATTR(handle_use) mx_handle_t handle,
uint32_t options,
void* bytes,
mx_handle_t* handles,
uint32_t num_bytes,
uint32_t num_handles,
uint32_t* actual_bytes,
uint32_t* actual_handles);
extern mx_status_t mx_channel_write(
MX_SYSCALL_PARAM_ATTR(handle_use) mx_handle_t handle,
uint32_t options,
const void* bytes,
uint32_t num_bytes,
const mx_handle_t* handles,
uint32_t num_handles);
// Escape is the default behavior for any function take a handle as parameter // Escape is the default behavior for any function take a handle as parameter
// It should work with/without explicit annotations // It should work with/without explicit annotations
void escapeMethod01(mx_handle_t *in); void escapeMethod01(mx_handle_t *in);
void escapeMethod02( void escapeMethod02(
MX_SYSCALL_PARAM_ATTR(handle_escape) mx_handle_t *in); MX_SYSCALL_PARAM_ATTR(handle_escape) mx_handle_t *in);
void escapeMethod03(mx_handle_t in); void escapeMethod03(mx_handle_t in);
▲ Show 20 LinesShow All 42 Lines▼ Show 20 Lines
mx_handle_t checkNoLeak05(mx_handle_t *out1) { mx_handle_t checkNoLeak05(mx_handle_t *out1) {
mx_handle_t sa, sb; mx_handle_t sa, sb;
mx_channel_create(0, &sa, &sb); mx_channel_create(0, &sa, &sb);
*out1 = sa; *out1 = sa;
return sb; // no warning return sb; // no warning
} }
void checkNoLeak06(mx_handle_t handle) {
mx_handle_t handlebuf[4];
uint32_t hcount;
mx_channel_read(handle, 0, NULL, handlebuf, 0, 4, 0, &hcount);
for (int i = 0; i < hcount; i++) {
mx_handle_close(handlebuf[i]);
}
}
void checkNoLeak07(mx_handle_t handle, uint32_t hcount) {
mx_handle_t handlebuf[6];
mx_channel_read(handle, 0, NULL, handlebuf, 0, hcount, 0, &hcount);
for (int i = 0; i < hcount; i++) {
mx_handle_close(handlebuf[i]);
}
}
void checkNoLeak08(mx_handle_t handle) {
mx_handle_t handlebuf[4];
uint32_t hcount;
mx_channel_read(handle, 0, NULL, handlebuf, 0, 4, 0, &hcount);
if (mx_channel_write(handle, 0, NULL, 0, handlebuf, hcount) < 0) {
for (int i = 0; i < hcount; i++) {
mx_handle_close(handlebuf[i]);
}
}
}
void checkNoLeak09(mx_handle_t handle, uint32_t hcount) {
mx_handle_t handlebuf[6];
mx_channel_read(handle, 0, NULL, handlebuf, 0, hcount, 0, &hcount);
if (mx_channel_write(handle, 0, NULL, 0, handlebuf, hcount) < 0) {
for (int i = 0; i < hcount; i++) {
mx_handle_close(handlebuf[i]);
}
}
}
void checkNoLeak10() { void checkNoLeak10() {
mx_handle_t sa, sb; mx_handle_t sa, sb;
if (mx_channel_create(0, &sa, &sb) < 0) { if (mx_channel_create(0, &sa, &sb) < 0) {
return; return;
} }
mx_handle_close(sa); mx_handle_close(sa);
mx_handle_close(sb); mx_handle_close(sb);
} }
void checkNoLeak11(mx_handle_t handle, uint32_t hcount) {
mx_handle_t handlebuf[6];
mx_status_t r = mx_channel_read(handle, 0, NULL,
handlebuf, 0, hcount, 0, &hcount);
if (r < 0) {
return;
}
for (int i = 0; i < hcount; i++) {
mx_handle_close(handlebuf[i]);
}
}
void checkNoLeak12(int tag) { void checkNoLeak12(int tag) {
mx_handle_t sa, sb; mx_handle_t sa, sb;
if (mx_channel_create(0, &sa, &sb) < 0) { if (mx_channel_create(0, &sa, &sb) < 0) {
return; return;
} }
if (tag) { if (tag) {
escapeMethod01(&sa); escapeMethod01(&sa);
escapeMethod01(&sb); escapeMethod01(&sb);
▲ Show 20 LinesShow All 51 Lines▼ Show 20 Linesvoid checkLeak02(int tag) {
mx_handle_t sa, sb; mx_handle_t sa, sb;
mx_channel_create(0, &sa, &sb); mx_channel_create(0, &sa, &sb);
if (tag) { if (tag) {
mx_handle_close(sa); mx_handle_close(sa);
} }
mx_handle_close(sb); // expected-warning {{Potential leak of handle}} mx_handle_close(sb); // expected-warning {{Potential leak of handle}}
} }
void checkLeak03(mx_handle_t handle) {
mx_handle_t handlebuf[4];
uint32_t hcount;
mx_status_t r = mx_channel_read(handle, 0, NULL, handlebuf, 0, 4, 0, &hcount);
if (r < 0) {
return;
}
for (int i = 0; i < hcount -1; i++) {
mx_handle_close(handlebuf[i]);
}
} // expected-warning {{Potential leak of handle}}
void checkLeak04(mx_handle_t handle) {
mx_handle_t handlebuf[3];
uint32_t hcount;
mx_status_t r = mx_channel_read(handle, 0, NULL, handlebuf, 0, 3, 0, &hcount);
if (r < 0) {
return;
}
if (mx_channel_write(handle, 0, NULL, 0, handlebuf, hcount - 1) < 0) {
for (int i = 0; i < hcount; i++) {
mx_handle_close(handlebuf[i]);
}
}
} // expected-warning {{Potential leak of handle}}
void checkLeak05(mx_handle_t handle, uint32_t hcount) {
mx_handle_t handlebuf[6];
mx_status_t r = mx_channel_read(
handle, 0, NULL, handlebuf, 0, hcount, 0, &hcount);
if (r < 0) {
return;
}
if (mx_channel_write(handle, 0, NULL, 0, handlebuf, hcount - 1) < 0) {
for (int i = 0; i < hcount; i++) {
mx_handle_close(handlebuf[i]);
}
}
} // expected-warning {{Potential leak of handle}}
void checkLeak06(mx_handle_t handle, uint32_t hcount) {
mx_handle_t handlebuf[6];
mx_channel_read(handle, 0, NULL, handlebuf, 0, hcount, 0, &hcount);
mx_channel_write(handle, 0, NULL, 0, handlebuf, hcount); // It may fail and handles are not released.
} // expected-warning {{Potential leak of handle}}
void checkLeak07() { void checkLeak07() {
mx_handle_t sa, sb; mx_handle_t sa, sb;
mx_channel_create(0, &sa, &sb); mx_channel_create(0, &sa, &sb);
useHandle01(sa); useHandle01(sa);
mx_handle_close(sb); // expected-warning {{Potential leak of handle}} mx_handle_close(sb); // expected-warning {{Potential leak of handle}}
} }
Show All 28 Lines