[analyzer] ExprEngine: Escape pointers in bitwise operations

Summary:
After evaluation, the result would be an Unknown value and tracking would be lost.

Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus

Reviewed By: NoQ

Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy,
             dkrupp, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D63720

llvm-svn: 364259
Csaba Dabis 2019-06-25 00:44:33 +00:00
parent 2cc3b3856e
commit 49885b1245
2 changed files with 37 additions and 0 deletions


@ -100,6 +100,10 @@ void ExprEngine::VisitBinaryOperator(const BinaryOperator* B,
SVal Result = evalBinOp(state, Op, LeftV, RightV, B->getType());
if (!Result.isUnknown()) {
state = state->BindExpr(B, LCtx, Result);
} else {
// If we cannot evaluate the operation escape the operands.
state = escapeValue(state, LeftV, PSK_EscapeOther);
state = escapeValue(state, RightV, PSK_EscapeOther);
}
Bldr.generateNode(B, *it, state);
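Review bot: The new `else` branch escapes both operands for every binary operator whose result is Unknown, not only the bitwise ones named in the commit title, and the one-line comment does not say what that costs. Once `LeftV` or `RightV` is escaped with `PSK_EscapeOther`, checkers that track those values will presumably stop reporting on them, so a real leak or misuse that passes through any unevaluable operation would go unreported. I would state the trade-off in the comment, e.g. `// The result is Unknown, so the operands cannot be followed through it; escape them to avoid false leak reports, at the cost of missing real ones.` It may also be worth checking whether the escape should be limited to the operators the new test covers. The body of `VisitBinaryOperator` starts and ends outside this hunk.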


@ -0,0 +1,33 @@
// RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=core,cplusplus.NewDeleteLeaks \
// RUN: -verify %s
// expected-no-diagnostics: Whenever we cannot evaluate an operation we escape
// the operands. After the evaluation it would be an
// Unknown value and the tracking would be lost.
typedef unsigned __INTPTR_TYPE__ uintptr_t;
class C {};
C *simple_escape_in_bitwise_op(C *Foo) {
C *Bar = new C();
Bar = reinterpret_cast<C *>(reinterpret_cast<uintptr_t>(Bar) & 0x1);
(void)Bar;
// no-warning: "Potential leak of memory pointed to by 'Bar'" was here.
return Bar;
}
C **indirect_escape_in_bitwise_op() {
C *Qux = new C();
C **Baz = &Qux;
Baz = reinterpret_cast<C **>(reinterpret_cast<uintptr_t>(Baz) | 0x1);
Baz = reinterpret_cast<C **>(reinterpret_cast<uintptr_t>(Baz) &
~static_cast<uintptr_t>(0x1));
// no-warning: "Potential leak of memory pointed to by 'Qux'" was here.
delete *Baz;
return Baz;
}
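Review bot: `simple_escape_in_bitwise_op` masks the pointer with `& 0x1`, which discards every address bit, so the object from `new C()` really is unreachable afterwards and the test pins the absence of a warning on a genuine leak. A mask that keeps the address, such as the `& ~static_cast<uintptr_t>(0x1)` already used in the second function, would cover the tagged-pointer case without encoding a false negative as expected behaviour. If the `& 0x1` case is kept on purpose, a comment such as `// FIXME: this is a real leak; silenced because the result is Unknown.` would stop it being read as correct code. The parameter `Foo` is unused, and `indirect_escape_in_bitwise_op` returns the address of the local `Qux`, which deserves a comment as well.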