[analyzer] Malloc Checker: Report a leak when we are returning freed
memory. (As per one test case, the existing checker thought that this could cause a lot of false positives - not sure if that's valid, to be verified.) llvm-svn: 150313
parent
d3571e5ad3
commit
3aa5225d5e
|
@ -760,10 +760,16 @@ void MallocChecker::checkPreStmt(const ReturnStmt *S, CheckerContext &C) const {
|
|||
const Expr *E = S->getRetValue();
|
||||
if (!E)
|
||||
return;
|
||||
|
||||
// Check if we are returning a symbol.
|
||||
SymbolRef Sym = C.getState()->getSVal(E, C.getLocationContext()).getAsSymbol();
|
||||
if (!Sym)
|
||||
return;
|
||||
|
||||
// Check if we are returning freed memory.
|
||||
checkUseAfterFree(Sym, C, S);
|
||||
|
||||
// Check if the symbol is escaping.
|
||||
checkEscape(Sym, S, C);
|
||||
}
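Review bot: The new return check only fires when the returned value is itself a symbol. When `getAsSymbol()` yields null the function returns at `if (!Sym)` before `checkUseAfterFree(Sym, C, S)` is reached, so returning a field or element address inside a freed block is presumably not reported. If that is intended, a comment above `if (!Sym)` would record it, for example `// Only a directly returned symbol is checked; pointers derived from a freed region are not handled here.` Separately, `checkEscape(Sym, S, C)` still runs after a use-after-free may have been reported on this path; if `checkUseAfterFree` signals that it reported (its declaration is not visible here), returning early would be cleaner. The start of checkPreStmt lies outside the hunk.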
|
||||
|
||||
|
|
|
@ -128,12 +128,10 @@ void af3() {
|
|||
free(p); // no-warning
|
||||
}
|
||||
|
||||
// This case would inflict a double-free elsewhere.
|
||||
// However, this case is considered an analyzer bug since it causes false-positives.
|
||||
int * af4() {
|
||||
int *p = my_malloc(12);
|
||||
my_free(p);
|
||||
return p; // no-warning
|
||||
return p; // expected-warning{{Use of dynamically allocated}}
|
||||
}
|
||||
|
||||
// This case is (possibly) ok, be conservative
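Review bot: The new expectation on `return p;` in af4 has no comment explaining it. The earlier remarks above af4 about false positives appear to be dropped, and the commit message itself leaves the false-positive question open. A short comment above af4 would keep that context for the next reader, for example `// Returning freed memory is now reported as a use-after-free; false-positive rate still to be verified.`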
|
||||
|
|
|
@ -251,6 +251,20 @@ void mallocFailedOrNot() {
|
|||
struct StructWithInt {
|
||||
int g;
|
||||
};
|
||||
|
||||
int *mallocReturnFreed() {
|
||||
int *p = malloc(12);
|
||||
free(p);
|
||||
return p; // expected-warning {{Use of dynamically allocated}}
|
||||
}
|
||||
|
||||
int useAfterFreeStruct() {
|
||||
struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
|
||||
px->g = 5;
|
||||
free(px);
|
||||
return px->g; // expected-warning {{Use of dynamically allocated}}
|
||||
}
|
||||
|
||||
void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p);
|
||||
|
||||
void mallocEscapeFooNonSymbolArg() {
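Review bot: Of the two added tests, only mallocReturnFreed clearly exercises the new return-statement check. The warning in useAfterFreeStruct most likely comes from the load of `px->g` after `free(px)`, not from the return itself, since the returned value is an int read out of the freed block. A third case returning a pointer derived from freed memory, such as `return &px->g;` from a function returning `int *`, would pin down what the checker does when the returned value is not a plain symbol. A comment on each test naming the path it targets, such as `// warning comes from the load, not the return`, would also help.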
|
||||
|
|