This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/
-
Analysis/
1/1
PathDiagnostic.cpp
-
StaticAnalyzer/Core/
-
Core/
1/2
BugReporter.cpp
-
test/Analysis/
-
Analysis/
1
CGColorSpace.c
-
Inputs/expected-plists/
-
expected-plists/
-
malloc-plist.c.plist
-
NSString.m
1/3
malloc-plist.c

Differential D83961

[Analyzer] Fix bug report source locations in minimal output.
Needs ReviewPublic

Authored by balazske on Jul 16 2020, 9:12 AM.

Download Raw Diff

Details

Reviewers

Szelethus
baloghadamsoftware
NoQ

Summary

Fix of the following problem:
If the bug report equivalence class contains multiple
reports and no (minimal) analyzer output was requested
it can happen that the wrong location is used for the warning.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

balazske created this revision.Jul 16 2020, 9:12 AM

Herald added a reviewer: Szelethus. · View Herald TranscriptJul 16 2020, 9:12 AM

Herald added a project: Restricted Project. · View Herald Transcript

Herald added subscribers: cfe-commits, ASDenysPetrov, martong and 10 others. · View Herald Transcript

Harbormaster failed remote builds in B64543: Diff 278512!Jul 16 2020, 9:12 AM

Lot of tests are failing because changed warning locations.
These will be updated if the code change looks good.

balazske added reviewers: baloghadamsoftware, NoQ.Jul 16 2020, 9:32 AM

Herald added a subscriber: rnkovacs. · View Herald TranscriptJul 16 2020, 9:32 AM

These will be updated if the code change looks good.

Hard to tell; this entire code is too convoluted, i'd rather look at the changes. Can you update at least some tests?

Fixed some source location changes in tests.
Re-added check for empty path.

Harbormaster failed remote builds in B64668: Diff 278742!Jul 17 2020, 5:51 AM

Big part of the test failures is with the osx.cocoa.RetainCount checker. Only a small part of the errors is fixed now.

clang/lib/Analysis/PathDiagnostic.cpp
369	This change is needed to eliminate crash in tests at `assert(b.hasValue());`.

I find the summary here a bit lacking. We detected this issue in D83120, where a lot of discussion can be found, so its worth linking in. On its own, I'm not immediately sold on whether this is the correct solution, and even if it is, how does it solve the problem. I bet you had to struggle a bit to understand the related machinery to fix this, it'd be invaluable to share the knowledge you gained here as well.

I took a look myself, and the issue fixed here seems to be that PathDiagnostic's constructor doesn't set the associated PathDiagnosticLocation itself, and generateEmptyDiagnosticForReport pretty much resolves to that. The thing I'm still struggling with, is that I'm not terribly sure whether this the same issue raised in the previous patch.

Fix of the following problem:
If the bug report equivalence class contains multiple
reports and no (minimal) analyzer output was requested
it can happen that the wrong location is used for the warning.

I have two burning questions about this:

Are we sure that we used the correct (with the shortest bug path) bug report, but associated it with the wrong location? Mind that everything you touched here, as I understand it, affects sorting, not uniqueing.
If so, some (even if incorrect) location must've been used, where did that come from?

In D83961#2158128, @balazske wrote:

Big part of the test failures is with the osx.cocoa.RetainCount checker.

Every time :^)

clang/lib/StaticAnalyzer/Core/BugReporter.cpp
3007	Is this the only instance when that happens? How about the `text-minimal` output?

The problem in D83120 is fixed by this patch.
What I figured out from the code is that BugReporter::FlushReport calls findReportInEquivalenceClass that returns a report that has not necessary the shortest path. That report is get from the passed bug report class and a different instance is returned if the uniqueing is turned on or off. This report is used to fill the last location in the bug path, if the bug path is empty. So the location in the bug path changes dependent on the setting of uniqueing. The bug path here is empty if the analyzer-output is set to minimal (or not specified). Even in the minimal output case, function PathDiagnosticBuilder::generate is called if it is a path sensitive case. In that function the shortest path is used. So instead of returning an empty path from that function (what is filled later by FlushReport) the last part of the path can be filled here (and use the correct source location from the shortest path).
The problem can happen if not the report with shortest path is returned from findReportInEquivalenceClass, and analyzer-output is set to minimal or default. If the output is not minimal, the bug path is filled by the PathDiagnosticBuilder::generate with correct locations. So changing the output type can result in change of the warning location.
Other way to get the problem is change only the uniqueing setting in bug type and use minimal (or default) output. Then the example report can change and because this example report is used to get the bug location the location can change too (if the equivalence class contains paths with different end locations).

clang/lib/StaticAnalyzer/Core/BugReporter.cpp
3007	I am not totally sure on this but inserted an assert and all the tests passed without triggering it. Is the text-minimal different from the default (when to `--analyzer-output` is given at all)? I think it works like this: Function `PathSensitiveBugReporter::generateDiagnosticForConsumerMap` is called from here, then if it is not a `BasicBugReport` the function `PathDiagnosticBuilder::generate` will be called that is fixed now to return always with non-empty path.

balazske mentioned this in D83190: [analyzer] Model iterator random incrementation symmetrically.Jul 21 2020, 9:20 AM

NoQ added inline comments.Jul 21 2020, 12:44 PM

clang/test/Analysis/CGColorSpace.c
8–11	This change doesn't look expected to me. It's not "we've found a report on a different path" (there's only one path here), it's "we're reporting the same report in a different location" (previously it was the uniqueing location, now it's the end-of-path location). That said, RetainCountChecker is special because it has its own `PathSensitiveBugReport` sub-class with custom behavior. I think we should get regular checkers like MallocChecker right first. Are there more changes on tests on regular checkers? Or is the one in `malloc-plist.c` the only one?
clang/test/Analysis/malloc-plist.c
137–140	This sounds like an expected change: we're now displaying the same report on a different path. Except it's the longer path rather than the shorter path, so it still looks suspicious.

balazske marked an inline comment as done.Jul 22 2020, 6:53 AM

balazske added inline comments.

clang/test/Analysis/malloc-plist.c
137–140	This location may be wrong but it is then another problem. The important thing is that after this patch the same location is used for a warning in `text-minimal` mode as it is in `text` mode. Without the patch in `text-minimal` mode a different location is used for this warning, the one at the end of the function. But still in `text` mode (without the patch) the location at `y++` is shown. (The warning in function `function_with_leak4` in the same test is already at a similar location, not at the end of function.)

Every other test failure comes from RetainCount checker except malloc-plist.c.

Change column in malloc-plist test because code was reformatted.

Harbormaster failed remote builds in B65391: Diff 280149!Jul 23 2020, 8:51 AM

In D83961#2166903, @balazske wrote:

Every other test failure comes from RetainCount checker except malloc-plist.c.

Aha, ok. So, anyway, for retain count checker we ultimately only care about plist and html reports, not about text reports. It's also probably easier to write more precise tests after your patch: test functions are unlikely to have multiple possible uniqueing locations, and even if there are they can be discriminated between by warning message text.

But i'd still rather have it explained why does your patch affect the location of RefLeakReports in order to make sure we understand what we're doing. This consequence of the patch wasn't intended - what other unintended consequences does it have? Are we even sure that plist/html reports don't change? Is RefLeakReport even implemented correctly from our current point of view? Or, regardless of correctness, do we want its current implementation to have the old behavior or the new behavior?

I should probably investigate this myself from the fairness/justice point of view but you'll probably land your patch faster if you don't wait on me to get un-busy with other stuff :/ As a bonus, you might be able to get away without updating all the tests if you find out that this change is accidental and not really intended :) Note that you don't need to know Objective-C or know much about the checker to investigate these things; say, CGColorSpace.c is a pure C test with a straightforward resource leak bug. The customizations in RefLeakReport aren't really checker-specific either - we simply didn't ever make up our mind on whether they should apply to all leak reports or to none; they have visual consequences on plist reports though.

clang/test/Analysis/malloc-plist.c
137–140	Oh, wait, the other path isn't in fact shorter. In both cases it leaks immediately after the if-statement, and the path with `y++` is in fact a bit shorter (it immediately hits `PreStmtPurgeDeadSymbols` for the `DeclRefExpr` whereas the other path hits `CallExitBegin` first, because the call is inlined). So it's a good and expected change!

From the beginning on in this patch I assumed that the location of the bug report should be the end of the bug path. But this is probably a wrong approach, specially if the bug report has uniqueing location. In that case the uniqueing location may be a better place for the bug report. Specially for resource leak it is not bad if the report is located at the allocation site (still there is a bug path that shows the full path and place of leak). So another approach can be to allow only bug equivalence classes where the reports have same locations. If this is not true the checker should be fixed that generates the reports.

The behavior with RefLeakReport is correct if the indicated location in minimal output mode should be the end of the bug path. Otherwise it is not correct, the report has a different location (allocation site) than the end of the path (return point) and we want to see the allocation site in minimal mode (or not?). Still there is problem, in text output mode the summary line indicates not the correct place but the end of the bug path:
before the patch:

$ clang -cc1 -internal-isystem ~/clang/llvm1/build/Debug/lib/clang/11.0.0/include -nostdsysteminc -analyze -analyzer-constraints=range -setup-static-analyzer -analyzer-checker=core,osx.cocoa.RetainCount -analyzer-store=region ~/clang/llvm1/llvm-project/clang/test/Analysis/CGColorSpace.c
~/clang/llvm1/llvm-project/clang/test/Analysis/CGColorSpace.c:9:23: warning: Potential leak of an object stored into 'X' [osx.cocoa.RetainCount]
  CGColorSpaceRef X = CGColorSpaceCreateDeviceRGB(); // expected-warning{{leak}}
                      ^
1 warning generated.

$ clang -cc1 -internal-isystem ~/clang/llvm1/build/Debug/lib/clang/11.0.0/include -nostdsysteminc -analyze -analyzer-constraints=range -setup-static-analyzer -analyzer-checker=core,osx.cocoa.RetainCount -analyzer-store=region ~/clang/llvm1/llvm-project/clang/test/Analysis/CGColorSpace.c -analyzer-output text
~/clang/llvm1/llvm-project/clang/test/Analysis/CGColorSpace.c:11:1: warning: Potential leak of an object stored into 'X' [osx.cocoa.RetainCount]
}
^
~/clang/llvm1/llvm-project/clang/test/Analysis/CGColorSpace.c:9:23: note: Call to function 'CGColorSpaceCreateDeviceRGB' returns a Core Foundation object of type 'CGColorSpaceRef' with a +1 retain count
  CGColorSpaceRef X = CGColorSpaceCreateDeviceRGB(); // expected-warning{{leak}}
                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~/clang/llvm1/llvm-project/clang/test/Analysis/CGColorSpace.c:10:3: note: Reference count incremented. The object now has a +2 retain count
  CGColorSpaceRetain(X);
  ^~~~~~~~~~~~~~~~~~~~~
~/clang/llvm1/llvm-project/clang/test/Analysis/CGColorSpace.c:11:1: note: Object leaked: object allocated and stored into 'X' is not referenced later in this execution path and has a retain count of +2
}
^
1 warning generated.

after the patch:

$ clang -cc1 -internal-isystem ~/clang/llvm1/build/Debug/lib/clang/11.0.0/include -nostdsysteminc -analyze -analyzer-constraints=range -setup-static-analyzer -analyzer-checker=core,osx.cocoa.RetainCount -analyzer-store=region ~/clang/llvm1/llvm-project/clang/test/Analysis/CGColorSpace.c
~/clang/llvm1/llvm-project/clang/test/Analysis/CGColorSpace.c:11:1: warning: Potential leak of an object stored into 'X' [osx.cocoa.RetainCount]
}
^
1 warning generated.

$ clang -cc1 -internal-isystem ~/clang/llvm1/build/Debug/lib/clang/11.0.0/include -nostdsysteminc -analyze -analyzer-constraints=range -setup-static-analyzer -analyzer-checker=core,osx.cocoa.RetainCount -analyzer-store=region ~/clang/llvm1/llvm-project/clang/test/Analysis/CGColorSpace.c -analyzer-output text
~/clang/llvm1/llvm-project/clang/test/Analysis/CGColorSpace.c:11:1: warning: Potential leak of an object stored into 'X' [osx.cocoa.RetainCount]
}
^
~/clang/llvm1/llvm-project/clang/test/Analysis/CGColorSpace.c:9:23: note: Call to function 'CGColorSpaceCreateDeviceRGB' returns a Core Foundation object of type 'CGColorSpaceRef' with a +1 retain count
  CGColorSpaceRef X = CGColorSpaceCreateDeviceRGB(); // expected-warning{{leak}}
                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~/clang/llvm1/llvm-project/clang/test/Analysis/CGColorSpace.c:10:3: note: Reference count incremented. The object now has a +2 retain count
  CGColorSpaceRetain(X);
  ^~~~~~~~~~~~~~~~~~~~~
~/clang/llvm1/llvm-project/clang/test/Analysis/CGColorSpace.c:11:1: note: Object leaked: object allocated and stored into 'X' is not referenced later in this execution path and has a retain count of +2
}
^
1 warning generated.

So it should be clarified how this should work, have the end of the bug path or the "location" of the bug report as display location of the bug report.

I believe i clarified above how this checker should work. For testing purposes (which is the only reason to ever use the minimal output) i prefer to have it at the end of path, because that tells more about the bug path and therefore more important to test.

The question i'm asking is more about API contracts of the PathSensitiveBugReport class over its virtual methods. Right now i don't care whether the entire system behaves correctly or not. I want you to explain how the change in one component caused a change in another component, so that to avoid introducing pairs of mutually cancelling bugs. In other words, this is a unit-test question, not an integration-test question.

Then the current solution is good, print always end of the bug path.
A change to the bug reporting component was made that caused reported position of bugs to change. New is the end of the path, old is the location set by the checker (BugReport::getLocation value). The location is often same as end of the path. The RefLeakReport has a special getLocation function and there is a difference between this location (that is the allocation site) and the end of the path.

Revision Contents

Path

Size

clang/

lib/

Analysis/

PathDiagnostic.cpp

18 lines

StaticAnalyzer/

Core/

BugReporter.cpp

9 lines

test/

Analysis/

CGColorSpace.c

4 lines

Inputs/

expected-plists/

malloc-plist.c.plist

8 lines

NSString.m

42 lines

malloc-plist.c

4 lines

Diff 280149

clang/lib/Analysis/PathDiagnostic.cpp

//===- PathDiagnostic.cpp - Path-Specific Diagnostic Handling -------------===//		//===- PathDiagnostic.cpp - Path-Specific Diagnostic Handling -------------===//
		Lint: Lint Inline Actions clang-format not found in user's PATH; not linting file. Lint: Lint: clang-format not found in user's PATH; not linting file.
//		//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.		// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.		// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception		// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//		//
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
//		//
▲ Show 20 Lines • Show All 335 Lines • ▼ Show 20 Lines	static bool compareCrossTUSourceLocs(FullSourceLoc XL, FullSourceLoc YL) {
return XL.getFileID() < YL.getFileID();		return XL.getFileID() < YL.getFileID();
}		}

static bool compare(const PathDiagnostic &X, const PathDiagnostic &Y) {		static bool compare(const PathDiagnostic &X, const PathDiagnostic &Y) {
FullSourceLoc XL = X.getLocation().asLocation();		FullSourceLoc XL = X.getLocation().asLocation();
FullSourceLoc YL = Y.getLocation().asLocation();		FullSourceLoc YL = Y.getLocation().asLocation();
if (XL != YL)		if (XL != YL)
return compareCrossTUSourceLocs(XL, YL);		return compareCrossTUSourceLocs(XL, YL);
		PathDiagnosticRange XR = X.getLocation().asRange();
		PathDiagnosticRange YR = Y.getLocation().asRange();
		if (XR.isValid() && !YR.isValid())
		return true;
		if (!XR.isValid() && YR.isValid())
		return false;
		if (XR.isValid() && YR.isValid()) {
		if (XR.isPoint && !YR.isPoint)
		return true;
		if (!XR.isPoint && YR.isPoint)
		return false;
		if (!XR.isPoint && !YR.isPoint) {
		FullSourceLoc XRE{XR.getEnd(), XL.getManager()};
		FullSourceLoc YRE{YR.getEnd(), YL.getManager()};
		if (XRE != YRE)
		return compareCrossTUSourceLocs(XRE, YRE);
		}
		}
		balazskeAuthorUnsubmitted Done Reply Inline Actions This change is needed to eliminate crash in tests at `assert(b.hasValue());`. balazske: This change is needed to eliminate crash in tests at `assert(b.hasValue());`.
if (X.getBugType() != Y.getBugType())		if (X.getBugType() != Y.getBugType())
return X.getBugType() < Y.getBugType();		return X.getBugType() < Y.getBugType();
if (X.getCategory() != Y.getCategory())		if (X.getCategory() != Y.getCategory())
return X.getCategory() < Y.getCategory();		return X.getCategory() < Y.getCategory();
if (X.getVerboseDescription() != Y.getVerboseDescription())		if (X.getVerboseDescription() != Y.getVerboseDescription())
return X.getVerboseDescription() < Y.getVerboseDescription();		return X.getVerboseDescription() < Y.getVerboseDescription();
if (X.getShortDescription() != Y.getShortDescription())		if (X.getShortDescription() != Y.getShortDescription())
return X.getShortDescription() < Y.getShortDescription();		return X.getShortDescription() < Y.getShortDescription();
▲ Show 20 Lines • Show All 861 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Core/BugReporter.cpp

//===- BugReporter.cpp - Generate PathDiagnostics for bugs ----------------===//		//===- BugReporter.cpp - Generate PathDiagnostics for bugs ----------------===//
		Lint: Lint Inline Actions clang-format not found in user's PATH; not linting file. Lint: Lint: clang-format not found in user's PATH; not linting file.
//		//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.		// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.		// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception		// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//		//
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
//		//
▲ Show 20 Lines • Show All 1,983 Lines • ▼ Show 20 Lines	PathDiagnosticBuilder::generate(const PathDiagnosticConsumer *PDC) const {

// See whether we need to silence the checker/package.		// See whether we need to silence the checker/package.
// FIXME: This will not work if the report was emitted with an incorrect tag.		// FIXME: This will not work if the report was emitted with an incorrect tag.
for (const std::string &CheckerOrPackage : Opts.SilencedCheckersAndPackages) {		for (const std::string &CheckerOrPackage : Opts.SilencedCheckersAndPackages) {
if (ErrorTag.startswith(CheckerOrPackage))		if (ErrorTag.startswith(CheckerOrPackage))
return nullptr;		return nullptr;
}		}

if (!PDC->shouldGenerateDiagnostics())
return generateEmptyDiagnosticForReport(R, getSourceManager());

// Construct the final (warning) event for the bug report.		// Construct the final (warning) event for the bug report.
auto EndNotes = VisitorsDiagnostics->find(ErrorNode);		auto EndNotes = VisitorsDiagnostics->find(ErrorNode);
PathDiagnosticPieceRef LastPiece;		PathDiagnosticPieceRef LastPiece;
if (EndNotes != VisitorsDiagnostics->end()) {		if (EndNotes != VisitorsDiagnostics->end()) {
assert(!EndNotes->second.empty());		assert(!EndNotes->second.empty());
LastPiece = EndNotes->second[0];		LastPiece = EndNotes->second[0];
} else {		} else {
LastPiece = BugReporterVisitor::getDefaultEndPath(*this, ErrorNode,		LastPiece = BugReporterVisitor::getDefaultEndPath(*this, ErrorNode,
*getBugReport());		*getBugReport());
}		}
Construct.PD->setEndOfPath(LastPiece);		Construct.PD->setEndOfPath(LastPiece);

		if (!PDC->shouldGenerateDiagnostics())
		return std::move(Construct.PD);

PathDiagnosticLocation PrevLoc = Construct.PD->getLocation();		PathDiagnosticLocation PrevLoc = Construct.PD->getLocation();
// From the error node to the root, ascend the bug path and construct the bug		// From the error node to the root, ascend the bug path and construct the bug
// report.		// report.
while (Construct.ascendToPrevNode()) {		while (Construct.ascendToPrevNode()) {
generatePathDiagnosticsForNode(Construct, PrevLoc);		generatePathDiagnosticsForNode(Construct, PrevLoc);

auto VisitorNotes = VisitorsDiagnostics->find(Construct.getCurrentNode());		auto VisitorNotes = VisitorsDiagnostics->find(Construct.getCurrentNode());
if (VisitorNotes == VisitorsDiagnostics->end())		if (VisitorNotes == VisitorsDiagnostics->end())
▲ Show 20 Lines • Show All 976 Lines • ▼ Show 20 Lines	std::unique_ptr<DiagnosticForConsumerMapTy> Diagnostics =
generateDiagnosticForConsumerMap(report, Consumers, bugReports);		generateDiagnosticForConsumerMap(report, Consumers, bugReports);

for (auto &P : *Diagnostics) {		for (auto &P : *Diagnostics) {
PathDiagnosticConsumer *Consumer = P.first;		PathDiagnosticConsumer *Consumer = P.first;
std::unique_ptr<PathDiagnostic> &PD = P.second;		std::unique_ptr<PathDiagnostic> &PD = P.second;

// If the path is empty, generate a single step path with the location		// If the path is empty, generate a single step path with the location
// of the issue.		// of the issue.
		// This can happen if report is BasicBugReport.
		SzelethusUnsubmitted Not Done Reply Inline Actions Is this the only instance when that happens? How about the `text-minimal` output? Szelethus: Is this the only instance when that happens? How about the `text-minimal` output?
		balazskeAuthorUnsubmitted Done Reply Inline Actions I am not totally sure on this but inserted an assert and all the tests passed without triggering it. Is the text-minimal different from the default (when to `--analyzer-output` is given at all)? I think it works like this: Function `PathSensitiveBugReporter::generateDiagnosticForConsumerMap` is called from here, then if it is not a `BasicBugReport` the function `PathDiagnosticBuilder::generate` will be called that is fixed now to return always with non-empty path. balazske: I am not totally sure on this but inserted an assert and all the tests passed without…
if (PD->path.empty()) {		if (PD->path.empty()) {
PathDiagnosticLocation L = report->getLocation();		PathDiagnosticLocation L = report->getLocation();
auto piece = std::make_unique<PathDiagnosticEventPiece>(		auto piece = std::make_unique<PathDiagnosticEventPiece>(
L, report->getDescription());		L, report->getDescription());
for (SourceRange Range : report->getRanges())		for (SourceRange Range : report->getRanges())
piece->addRange(Range);		piece->addRange(Range);
PD->setEndOfPath(std::move(piece));		PD->setEndOfPath(std::move(piece));
}		}

PathPieces &Pieces = PD->getMutablePieces();		PathPieces &Pieces = PD->getMutablePieces();
if (getAnalyzerOptions().ShouldDisplayNotesAsEvents) {		if (getAnalyzerOptions().ShouldDisplayNotesAsEvents) {
// For path diagnostic consumers that don't support extra notes,		// For path diagnostic consumers that don't support extra notes,
▲ Show 20 Lines • Show All 254 Lines • Show Last 20 Lines

clang/test/Analysis/CGColorSpace.c

	// RUN: %clang_analyze_cc1 -analyzer-checker=core,osx.cocoa.RetainCount -analyzer-store=region -verify %s			// RUN: %clang_analyze_cc1 -analyzer-checker=core,osx.cocoa.RetainCount -analyzer-store=region -verify %s

	typedef struct CGColorSpace *CGColorSpaceRef;			typedef struct CGColorSpace *CGColorSpaceRef;
	extern CGColorSpaceRef CGColorSpaceCreateDeviceRGB(void);			extern CGColorSpaceRef CGColorSpaceCreateDeviceRGB(void);
	extern CGColorSpaceRef CGColorSpaceRetain(CGColorSpaceRef space);			extern CGColorSpaceRef CGColorSpaceRetain(CGColorSpaceRef space);
	extern void CGColorSpaceRelease(CGColorSpaceRef space);			extern void CGColorSpaceRelease(CGColorSpaceRef space);

	void f() {			void f() {
	CGColorSpaceRef X = CGColorSpaceCreateDeviceRGB(); // expected-warning{{leak}}			CGColorSpaceRef X = CGColorSpaceCreateDeviceRGB();
	CGColorSpaceRetain(X);			CGColorSpaceRetain(X);
	}			} // expected-warning{{leak}}
				NoQUnsubmitted Not Done Reply Inline Actions This change doesn't look expected to me. It's not "we've found a report on a different path" (there's only one path here), it's "we're reporting the same report in a different location" (previously it was the uniqueing location, now it's the end-of-path location). That said, RetainCountChecker is special because it has its own `PathSensitiveBugReport` sub-class with custom behavior. I think we should get regular checkers like MallocChecker right first. Are there more changes on tests on regular checkers? Or is the one in `malloc-plist.c` the only one? NoQ: This change doesn't look expected to me. It's not "we've found a report on a different path"…

	void fb() {			void fb() {
	CGColorSpaceRef X = CGColorSpaceCreateDeviceRGB();			CGColorSpaceRef X = CGColorSpaceCreateDeviceRGB();
	CGColorSpaceRetain(X);			CGColorSpaceRetain(X);
	CGColorSpaceRelease(X);			CGColorSpaceRelease(X);
	CGColorSpaceRelease(X); // no-warning			CGColorSpaceRelease(X); // no-warning
	}			}

clang/test/Analysis/Inputs/expected-plists/malloc-plist.c.plist

Show First 20 Lines • Show All 3,758 Lines • ▼ Show 20 Lines	<key>edges</key>
<key>col</key><integer>9</integer>		<key>col</key><integer>9</integer>
<key>file</key><integer>0</integer>		<key>file</key><integer>0</integer>
</dict>		</dict>
</array>		</array>
<key>end</key>		<key>end</key>
<array>		<array>
<dict>		<dict>
<key>line</key><integer>138</integer>		<key>line</key><integer>138</integer>
<key>col</key><integer>9</integer>		<key>col</key><integer>7</integer>
<key>file</key><integer>0</integer>		<key>file</key><integer>0</integer>
</dict>		</dict>
<dict>		<dict>
<key>line</key><integer>138</integer>		<key>line</key><integer>138</integer>
<key>col</key><integer>9</integer>		<key>col</key><integer>7</integer>
<key>file</key><integer>0</integer>		<key>file</key><integer>0</integer>
</dict>		</dict>
</array>		</array>
</dict>		</dict>
</array>		</array>
</dict>		</dict>
<dict>		<dict>
<key>kind</key><string>event</string>		<key>kind</key><string>event</string>
<key>location</key>		<key>location</key>
<dict>		<dict>
<key>line</key><integer>138</integer>		<key>line</key><integer>138</integer>
<key>col</key><integer>9</integer>		<key>col</key><integer>7</integer>
<key>file</key><integer>0</integer>		<key>file</key><integer>0</integer>
</dict>		</dict>
<key>depth</key><integer>1</integer>		<key>depth</key><integer>1</integer>
<key>extended_message</key>		<key>extended_message</key>
<string>Potential leak of memory pointed to by 'x'</string>		<string>Potential leak of memory pointed to by 'x'</string>
<key>message</key>		<key>message</key>
<string>Potential leak of memory pointed to by 'x'</string>		<string>Potential leak of memory pointed to by 'x'</string>
</dict>		</dict>
</array>		</array>
<key>description</key><string>Potential leak of memory pointed to by 'x'</string>		<key>description</key><string>Potential leak of memory pointed to by 'x'</string>
<key>category</key><string>Memory error</string>		<key>category</key><string>Memory error</string>
<key>type</key><string>Memory leak</string>		<key>type</key><string>Memory leak</string>
<key>check_name</key><string>unix.Malloc</string>		<key>check_name</key><string>unix.Malloc</string>
<!-- This hash is experimental and going to change! -->		<!-- This hash is experimental and going to change! -->
<key>issue_hash_content_of_line_in_context</key><string>0ddc87e8a7e7104428af3905f3057611</string>		<key>issue_hash_content_of_line_in_context</key><string>0ddc87e8a7e7104428af3905f3057611</string>
<key>issue_context_kind</key><string>function</string>		<key>issue_context_kind</key><string>function</string>
<key>issue_context</key><string>function_with_leak3</string>		<key>issue_context</key><string>function_with_leak3</string>
<key>issue_hash_function_offset</key><string>1</string>		<key>issue_hash_function_offset</key><string>1</string>
<key>location</key>		<key>location</key>
<dict>		<dict>
<key>line</key><integer>138</integer>		<key>line</key><integer>138</integer>
<key>col</key><integer>9</integer>		<key>col</key><integer>7</integer>
<key>file</key><integer>0</integer>		<key>file</key><integer>0</integer>
</dict>		</dict>
<key>ExecutedLines</key>		<key>ExecutedLines</key>
<dict>		<dict>
<key>0</key>		<key>0</key>
<array>		<array>
<integer>135</integer>		<integer>135</integer>
<integer>136</integer>		<integer>136</integer>
▲ Show 20 Lines • Show All 1,447 Lines • Show Last 20 Lines

clang/test/Analysis/NSString.m

Show First 20 Lines • Show All 119 Lines • ▼ Show 20 Lines
}		}

NSArray f6(NSString s) {		NSArray f6(NSString s) {
return [s componentsSeparatedByCharactersInSet:0]; // expected-warning {{Argument to 'NSString' method 'componentsSeparatedByCharactersInSet:' cannot be nil}}		return [s componentsSeparatedByCharactersInSet:0]; // expected-warning {{Argument to 'NSString' method 'componentsSeparatedByCharactersInSet:' cannot be nil}}
}		}

NSString* f7(NSString* s1, NSString* s2, NSString* s3) {		NSString* f7(NSString* s1, NSString* s2, NSString* s3) {

NSString* s4 = (NSString*)		NSString s4 = (NSString )
CFStringCreateWithFormat(kCFAllocatorDefault, 0, // expected-warning{{leak}}		CFStringCreateWithFormat(kCFAllocatorDefault, 0,
(CFStringRef) __builtin___CFStringMakeConstantString("%@ %@ (%@)"),		(CFStringRef)__builtin___CFStringMakeConstantString("%@ %@ (%@)"),
s1, s2, s3);		s1, s2, s3);

CFRetain(s4);		CFRetain(s4);
return s4;		return s4; // expected-warning{{leak}}
}		}

NSMutableArray* f8() {		NSMutableArray* f8() {

NSString* s = [[NSString alloc] init];		NSString* s = [[NSString alloc] init];
NSMutableArray* a = [[NSMutableArray alloc] initWithCapacity:2];		NSMutableArray* a = [[NSMutableArray alloc] initWithCapacity:2];
[a addObject:s];		[a addObject:s];
[s release]; // no-warning		[s release]; // no-warning
▲ Show 20 Lines • Show All 54 Lines • ▼ Show 20 Lines
@end		@end
@implementation TestAutorelease		@implementation TestAutorelease
-(NSString*) getString {		-(NSString*) getString {
NSString *str = [[NSString alloc] init];		NSString *str = [[NSString alloc] init];
return [str autorelease]; // no-warning		return [str autorelease]; // no-warning
}		}
- (void)m1		- (void)m1
{		{
NSString *s = [[NSString alloc] init]; // expected-warning{{leak}}		NSString *s = [[NSString alloc] init];
[s retain];		[s retain];
[s autorelease];		[s autorelease];
}		} // expected-warning{{leak}}
- (void)m2		- (void)m2
{		{
NSString *s = [[[NSString alloc] init] autorelease]; // expected-warning{{leak}}		NSString *s = [[[NSString alloc] init] autorelease];
[s retain];		[s retain];
}		} // expected-warning{{leak}}
- (void)m3		- (void)m3
{		{
NSString *s = [[[NSString alloc] init] autorelease];		NSString *s = [[[NSString alloc] init] autorelease];
[s retain];		[s retain];
[s autorelease];		[s autorelease];
}		}
- (void)m4		- (void)m4
{		{
NSString *s = [[NSString alloc] init]; // expected-warning{{leak}}		NSString *s = [[NSString alloc] init];
[s retain];		[s retain];
}		} // expected-warning{{leak}}
- (void)m5		- (void)m5
{		{
NSString *s = [[NSString alloc] init];		NSString *s = [[NSString alloc] init];
[s autorelease];		[s autorelease];
}		}
@end		@end

@interface C1 : NSObject {}		@interface C1 : NSObject {}
▲ Show 20 Lines • Show All 122 Lines • ▼ Show 20 Lines	void test_objc_atomicCompareAndSwap_parameter(NSString **old) {
NSString *s = [[NSString alloc] init]; // no-warning		NSString *s = [[NSString alloc] init]; // no-warning
if (!objc_atomicCompareAndSwapPtr(0, s, old))		if (!objc_atomicCompareAndSwapPtr(0, s, old))
[s release];		[s release];
else		else
[*old release];		[*old release];
}		}

void test_objc_atomicCompareAndSwap_parameter_no_direct_release(NSString **old) {		void test_objc_atomicCompareAndSwap_parameter_no_direct_release(NSString **old) {
NSString *s = [[NSString alloc] init]; // expected-warning{{leak}}		NSString *s = [[NSString alloc] init];
if (!objc_atomicCompareAndSwapPtr(0, s, old))		if (!objc_atomicCompareAndSwapPtr(0, s, old))
return;		return; // expected-warning{{leak}}
else		else
[*old release];		[*old release];
}		}


// Test stringWithFormat (<rdar://problem/6815234>)		// Test stringWithFormat (<rdar://problem/6815234>)
void test_stringWithFormat() {		void test_stringWithFormat() {
NSString *string = [[NSString stringWithFormat:@"%ld", (long) 100] retain];		NSString *string = [[NSString stringWithFormat:@"%ld", (long) 100] retain];
[string release];		[string release];
[string release]; // expected-warning{{Incorrect decrement of the reference count}}		[string release]; // expected-warning{{Incorrect decrement of the reference count}}
}		}

// Test isTrackedObjectType().		// Test isTrackedObjectType().
typedef NSString* WonkyTypedef;		typedef NSString* WonkyTypedef;
@interface TestIsTracked		@interface TestIsTracked
+ (WonkyTypedef)newString;		+ (WonkyTypedef)newString;
@end		@end

void test_isTrackedObjectType(void) {		void test_isTrackedObjectType(void) {
NSString *str = [TestIsTracked newString]; // expected-warning{{Potential leak}}		NSString *str = [TestIsTracked newString];
}		} // expected-warning{{Potential leak}}

// Test isTrackedCFObjectType().		// Test isTrackedCFObjectType().
@interface TestIsCFTracked		@interface TestIsCFTracked
+ (CFStringRef) badNewCFString;		+ (CFStringRef) badNewCFString;
+ (CFStringRef) newCFString;		+ (CFStringRef) newCFString;
@end		@end

@implementation TestIsCFTracked		@implementation TestIsCFTracked
+ (CFStringRef) newCFString {		+ (CFStringRef) newCFString {
return CFStringCreateWithFormat(kCFAllocatorDefault, ((void*)0), ((CFStringRef) __builtin___CFStringMakeConstantString ("" "%d" "")), 100); // no-warning		return CFStringCreateWithFormat(kCFAllocatorDefault, ((void*)0), ((CFStringRef) __builtin___CFStringMakeConstantString ("" "%d" "")), 100); // no-warning
}		}
+ (CFStringRef) badNewCFString {		+ (CFStringRef) badNewCFString {
return CFStringCreateWithFormat(kCFAllocatorDefault, ((void*)0), ((CFStringRef) __builtin___CFStringMakeConstantString ("" "%d" "")), 100); // expected-warning{{leak}}		return CFStringCreateWithFormat(kCFAllocatorDefault, ((void*)0), ((CFStringRef) __builtin___CFStringMakeConstantString ("" "%d" "")), 100); // expected-warning{{leak}}
}		}

// Test @synchronized		// Test @synchronized
void test_synchronized(id x) {		void test_synchronized(id x) {
@synchronized(x) {		@synchronized(x) {
NSString *string = [[NSString stringWithFormat:@"%ld", (long) 100] retain]; // expected-warning {{leak}}		NSString *string = [[NSString stringWithFormat:@"%ld", (long)100] retain];
}
}		}
		} // expected-warning {{leak}}
@end		@end

void testOSCompareAndSwapXXBarrier_parameter(NSString **old) {		void testOSCompareAndSwapXXBarrier_parameter(NSString **old) {
NSString *s = [[NSString alloc] init]; // no-warning		NSString *s = [[NSString alloc] init]; // no-warning
if (!COMPARE_SWAP_BARRIER((intptr_t) 0, (intptr_t) s, (intptr_t*) old))		if (!COMPARE_SWAP_BARRIER((intptr_t) 0, (intptr_t) s, (intptr_t*) old))
[s release];		[s release];
else		else
[*old release];		[*old release];
Show All 33 Lines

clang/test/Analysis/malloc-plist.c

Show First 20 Lines • Show All 128 Lines • ▼ Show 20 Lines	static void function_with_leak2() {
int m = 0; //expected-warning{{Potential leak}}		int m = 0; //expected-warning{{Potential leak}}
}		}
void use_function_with_leak2() {		void use_function_with_leak2() {
function_with_leak2();		function_with_leak2();
}		}

static void function_with_leak3(int y) {		static void function_with_leak3(int y) {
char x = (char)malloc(12);		char x = (char)malloc(12);
if (y)		if (y)
y++;		y++; //expected-warning{{Potential leak}}
}//expected-warning{{Potential leak}}		}
void use_function_with_leak3(int y) {		void use_function_with_leak3(int y) {
		NoQUnsubmitted Not Done Reply Inline Actions This sounds like an expected change: we're now displaying the same report on a different path. Except it's the longer path rather than the shorter path, so it still looks suspicious. NoQ: This sounds like an expected change: we're now displaying the same report on a different path.
		balazskeAuthorUnsubmitted Done Reply Inline Actions This location may be wrong but it is then another problem. The important thing is that after this patch the same location is used for a warning in `text-minimal` mode as it is in `text` mode. Without the patch in `text-minimal` mode a different location is used for this warning, the one at the end of the function. But still in `text` mode (without the patch) the location at `y++` is shown. (The warning in function `function_with_leak4` in the same test is already at a similar location, not at the end of function.) balazske: This location may be wrong but it is then another problem. The important thing is that after…
		NoQUnsubmitted Not Done Reply Inline Actions Oh, wait, the other path isn't in fact shorter. In both cases it leaks immediately after the if-statement, and the path with `y++` is in fact a bit shorter (it immediately hits `PreStmtPurgeDeadSymbols` for the `DeclRefExpr` whereas the other path hits `CallExitBegin` first, because the call is inlined). So it's a good and expected change! NoQ: Oh, wait, the other path isn't in fact shorter. In both cases it leaks immediately after the if…
function_with_leak3(y);		function_with_leak3(y);
}		}

static void function_with_leak4(int y) {		static void function_with_leak4(int y) {
char x = (char)malloc(12);		char x = (char)malloc(12);
if (y)		if (y)
y++;		y++;
else		else
▲ Show 20 Lines • Show All 61 Lines • Show Last 20 Lines