[analyzer] ExprEngine: Escape pointers in bitwise operations
Summary: After evaluation it would be an Unknown value and tracking would be lost. Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus Reviewed By: NoQ Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp, cfe-commits Tags: #clang Differential Revision: https://reviews.llvm.org/D63720 llvm-svn: 364259
parent
2cc3b3856e
commit
49885b1245
|
@ -100,6 +100,10 @@ void ExprEngine::VisitBinaryOperator(const BinaryOperator* B,
|
|||
SVal Result = evalBinOp(state, Op, LeftV, RightV, B->getType());
|
||||
if (!Result.isUnknown()) {
|
||||
state = state->BindExpr(B, LCtx, Result);
|
||||
} else {
|
||||
// If we cannot evaluate the operation escape the operands.
|
||||
state = escapeValue(state, LeftV, PSK_EscapeOther);
|
||||
state = escapeValue(state, RightV, PSK_EscapeOther);
|
||||
}
|
||||
|
||||
Bldr.generateNode(B, *it, state);
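Review bot: The new else branch carries no opcode or operand-type check, so as far as this hunk shows it escapes both operands of any operator whose `evalBinOp` result is Unknown, not only the bitwise operations named in the title. Escaping stops checkers from tracking those symbols, which removes the false leak report but also drops any later true report on the same allocation. The comment should state that trade-off, for example `// Result is Unknown, so checkers cannot follow the operands through it; escape them. This trades leak false positives for possible false negatives.` If only pointer-derived operands are meant to be covered, a type guard before the two `escapeValue` calls would narrow the precision loss. That last point is inferred, because VisitBinaryOperator begins and continues outside the hunk and its surrounding conditions are not visible.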
|
||||
|
|
|
@ -0,0 +1,33 @@
|
|||
// RUN: %clang_analyze_cc1 \
|
||||
// RUN: -analyzer-checker=core,cplusplus.NewDeleteLeaks \
|
||||
// RUN: -verify %s
|
||||
|
||||
// expected-no-diagnostics: Whenever we cannot evaluate an operation we escape
|
||||
// the operands. After the evaluation it would be an
|
||||
// Unknown value and the tracking would be lost.
|
||||
|
||||
typedef unsigned __INTPTR_TYPE__ uintptr_t;
|
||||
|
||||
class C {};
|
||||
|
||||
C *simple_escape_in_bitwise_op(C *Foo) {
|
||||
C *Bar = new C();
|
||||
Bar = reinterpret_cast<C *>(reinterpret_cast<uintptr_t>(Bar) & 0x1);
|
||||
(void)Bar;
|
||||
// no-warning: "Potential leak of memory pointed to by 'Bar'" was here.
|
||||
|
||||
return Bar;
|
||||
}
|
||||
|
||||
C **indirect_escape_in_bitwise_op() {
|
||||
C *Qux = new C();
|
||||
C **Baz = &Qux;
|
||||
Baz = reinterpret_cast<C **>(reinterpret_cast<uintptr_t>(Baz) | 0x1);
|
||||
Baz = reinterpret_cast<C **>(reinterpret_cast<uintptr_t>(Baz) &
|
||||
~static_cast<uintptr_t>(0x1));
|
||||
// no-warning: "Potential leak of memory pointed to by 'Qux'" was here.
|
||||
|
||||
delete *Baz;
|
||||
return Baz;
|
||||
}
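Review bot: In simple_escape_in_bitwise_op the mask `& 0x1` discards every address bit, so the object from `new C()` is unreachable after that line. The "Potential leak" report this test pins as absent would therefore have been a true positive. Either use a tag-preserving mask as the second function does, `Bar = reinterpret_cast<C *>(reinterpret_cast<uintptr_t>(Bar) & ~static_cast<uintptr_t>(0x1));`, or add a comment saying this case is an accepted false negative of the escape. The parameter `Foo` is unused and can be dropped. Because the file is `expected-no-diagnostics`, nothing here shows that an allocation which does not pass through an unevaluable operation is still reported; a control case with `expected-warning` would guard against the escape becoming too broad.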
|
||||
|