This is an archive of the discontinued LLVM Phabricator instance.

[analyzer] RetainCount: Allow offsets in return values.
ClosedPublic

Authored by NoQ on Apr 22 2019, 7:36 PM.

Download Raw Diff

Details

Reviewers

Commits

rGe264ac6ae19a: [analyzer] RetainCount: Allow offsets in return values.
rL359263: [analyzer] RetainCount: Allow offsets in return values.
rC359263: [analyzer] RetainCount: Allow offsets in return values.

Summary

Because RetainCountChecker has custom "local" reasoning about escapes, it has a separate facility to deal with tracked symbols at end of analysis and check them for leaks regardless of whether they're dead or not. This facility iterates over the list of tracked symbols and reports them as leaks, but it needs to treat the return value specially.

Some custom allocators tend to return the value with an offset, storing extra metadata at the beginning of the buffer. In this case the return value would be a non-base region. In order to avoid false positives, we still need to find the original symbol within the return value, otherwise it'll be unable to match it to the item in the list of tracked symbols.

I don't really understand how this whole facility works in general. In particular, i don't understand why doesn't it take the function's contract into account (i.e., should this function generally return at +0 or at +1?), but the fix still seems to make sense to me.

Diff Detail

Repository: rC Clang

Event Timeline

NoQ created this revision.Apr 22 2019, 7:36 PM

Herald added a project: Restricted Project. · View Herald TranscriptApr 22 2019, 7:36 PM

Herald added subscribers: cfe-commits, Charusso, dkrupp and 7 others. · View Herald Transcript

dcoughlin accepted this revision.Apr 23 2019, 9:31 PM

This revision is now accepted and ready to land.Apr 23 2019, 9:31 PM

Closed by commit rC359263: [analyzer] RetainCount: Allow offsets in return values. (authored by NoQ). · Explain WhyApr 25 2019, 7:05 PM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

lib/

StaticAnalyzer/

Checkers/

RetainCountChecker/

RetainCountChecker.cpp

6 lines

test/

Analysis/

retain-release.mm

32 lines

Diff 196781

lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountChecker.cpp

Show First 20 Lines • Show All 964 Lines • ▼ Show 20 Lines	ExplodedNode * RetainCountChecker::processReturn(const ReturnStmt *S,
if (!S)		if (!S)
return Pred;		return Pred;

const Expr *RetE = S->getRetValue();		const Expr *RetE = S->getRetValue();
if (!RetE)		if (!RetE)
return Pred;		return Pred;

ProgramStateRef state = C.getState();		ProgramStateRef state = C.getState();
SymbolRef Sym =		// We need to dig down to the symbolic base here because various
state->getSValAsScalarOrLoc(RetE, C.getLocationContext()).getAsLocSymbol();		// custom allocators do sometimes return the symbol with an offset.
		SymbolRef Sym = state->getSValAsScalarOrLoc(RetE, C.getLocationContext())
		.getAsLocSymbol(/IncludeBaseRegions=/true);
if (!Sym)		if (!Sym)
return Pred;		return Pred;

// Get the reference count binding (if any).		// Get the reference count binding (if any).
const RefVal *T = getRefBinding(state, Sym);		const RefVal *T = getRefBinding(state, Sym);
if (!T)		if (!T)
return Pred;		return Pred;

▲ Show 20 Lines • Show All 526 Lines • Show Last 20 Lines

test/Analysis/retain-release.mm

	Show First 20 Lines • Show All 509 Lines • ▼ Show 20 Lines
	CFTypeRef CFSomethingSomethingAutorelease();			CFTypeRef CFSomethingSomethingAutorelease();

	void foo() {			void foo() {
	CFSomethingSomethingRetain(); // no-crash			CFSomethingSomethingRetain(); // no-crash
	CFSomethingSomethingAutorelease(); // no-crash			CFSomethingSomethingAutorelease(); // no-crash
	}			}

	}			}

				namespace reinterpret_casts {

				void *foo() {
				void p = const_cast<void >(
				reinterpret_cast<const void *>(CFArrayCreate(0, 0, 0, 0)));
				void q = reinterpret_cast<void >(
				reinterpret_cast<char *>(p) + 1);
				// FIXME: Should warn about a leak here. The function should return at +0,
				// but it returns at +1 instead.
				return q;
				}

				void *fooCreate() {
				void p = const_cast<void >(
				reinterpret_cast<const void *>(CFArrayCreate(0, 0, 0, 0)));
				void q = reinterpret_cast<void >(
				reinterpret_cast<char *>(p) + 1);
				// The function follows the Create Rule.
				return q; // no-warning
				}

				void *fooBar() CF_RETURNS_RETAINED {
				void p = const_cast<void >(
				reinterpret_cast<const void *>(CFArrayCreate(0, 0, 0, 0)));
				void q = reinterpret_cast<void >(
				reinterpret_cast<char *>(p) + 1);
				// The function follows the Create Rule.
				return q; // no-warning
				}

				}