-
Notifications
You must be signed in to change notification settings - Fork 12.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[analyzer] Improve suppress-on-sink behavior in incomplete analyses.
Warnings with suppress-on-sink are discarded during FlushReports when BugReporter notices that all paths in ExplodedGraph that pass through the warning eventually run into a sink node. However, suppress-on-sink fails to filter out false positives when the analysis terminates too early - by running into analyzer limits, such as block count limits or graph size limits - and the interruption hits the narrow window between throwing the leak report and reaching the no-return function call. In such case the report is there, however suppression-on-sink doesn't work, because the sink node was never constructed in the incomplete ExplodedGraph. This patch implements a very partial solution: also suppress reports thrown against a statement-node that corresponds to a statement that belongs to a no-return block of the CFG. rdar://problem/28832541 Differential Revision: https://reviews.llvm.org/D28023 llvm-svn: 290341
- Loading branch information
Showing
2 changed files
with
57 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
// RUN: %clang_cc1 -analyze -analyzer-checker=core,unix.Malloc,debug.ExprInspection -analyzer-config max-nodes=12 -verify %s | ||
|
||
// Here we test how "suppress on sink" feature of certain bugtypes interacts | ||
// with reaching analysis limits. | ||
|
||
// If we report a warning of a bug-type with "suppress on sink" attribute set | ||
// (such as MallocChecker's memory leak warning), then failing to reach the | ||
// reason for the sink (eg. no-return function such as "exit()") due to analysis | ||
// limits (eg. max-nodes option), we may produce a false positive. | ||
|
||
typedef __typeof(sizeof(int)) size_t; | ||
void *malloc(size_t); | ||
|
||
extern void exit(int) __attribute__ ((__noreturn__)); | ||
|
||
void clang_analyzer_warnIfReached(void); | ||
|
||
void test_single_cfg_block_sink() { | ||
void *p = malloc(1); // no-warning (wherever the leak warning may occur here) | ||
|
||
// Due to max-nodes option in the run line, we should reach the first call | ||
// but bail out before the second call. | ||
// If the test on these two lines starts failing, see if modifying | ||
// the max-nodes run-line helps. | ||
clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}} | ||
clang_analyzer_warnIfReached(); // no-warning | ||
|
||
// Even though we do not reach this line, we should still suppress | ||
// the leak report. | ||
exit(0); | ||
} |