[analyzer] Fix the 'ptr = ptr' false negative in the Malloc checker.
authorAnna Zaks <ganna@apple.com>
Wed, 2 May 2012 00:05:20 +0000 (00:05 +0000)
committerAnna Zaks <ganna@apple.com>
Wed, 2 May 2012 00:05:20 +0000 (00:05 +0000)
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@155963 91177308-0d34-0410-b5e6-96231b3b80d8

lib/StaticAnalyzer/Checkers/MallocChecker.cpp
test/Analysis/malloc.c

index 8bce88a769771c068922ea490e206844f4c6a681..55c32ec1ebbd3a532aa29b535f19e9c079e2d8a7 100644 (file)
@@ -137,6 +137,9 @@ public:
     return true;
   }
 
+  void printState(raw_ostream &Out, ProgramStateRef State,
+                  const char *NL, const char *Sep) const;
+
 private:
   void initIdentifierInfo(ASTContext &C) const;
 
@@ -1118,7 +1121,11 @@ void MallocChecker::checkBind(SVal loc, SVal val, const Stmt *S,
       // To test (3), generate a new state with the binding added.  If it is
       // the same state, then it escapes (since the store cannot represent
       // the binding).
-      escapes = (state == (state->bindLoc(*regionLoc, val)));
+      // Do this only if we know that the store is not supposed to generate the
+      // same state.
+      SVal StoredVal = state->getSVal(regionLoc->getRegion());
+      if (StoredVal != val)
+        escapes = (state == (state->bindLoc(*regionLoc, val)));
     }
     if (!escapes) {
       // Case 4: We do not currently model what happens when a symbol is
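Review bot: When `StoredVal == val`, the new branch leaves `escapes` at whatever value it held before this block. That earlier assignment is outside the hunk, so whether the skip path reports the leak depends on state a reader cannot see here. The added comment is also hard to follow. Wording such as `// A self-assignment like 'ptr = ptr' rebinds the value already stored, so an unchanged state does not mean the store could not represent the binding; skip the test.` would say why the comparison is bypassed. It would also help to state in that comment that `escapes` is expected to stay false in the skipped case. The body of `checkBind` starts and ends outside the hunk.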
@@ -1452,6 +1459,14 @@ MallocChecker::MallocBugVisitor::VisitNode(const ExplodedNode *N,
   return new PathDiagnosticEventPiece(Pos, Msg, true, StackHint);
 }
 
+void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State,
+                               const char *NL, const char *Sep) const {
+
+  RegionStateTy RS = State->get<RegionState>();
+
+  if (!RS.isEmpty())
+    Out << "Has Malloc data" << NL;
+}
 
 #define REGISTER_CHECKER(name) \
 void ento::register##name(CheckerManager &mgr) {\
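Review bot: `printState` never uses its `Sep` parameter and emits only the fixed line "Has Malloc data", so a state dump shows that `RegionState` is non-empty but not which entries are tracked. Neither this definition nor the declaration added in the first hunk carries a comment. A line such as `/// Debugging aid: prints a marker when the state holds any RegionState entries.` on the declaration would document the intent. If `Sep` is deliberately unused, say so in that comment, and drop the blank line after the opening brace.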
index c7ac56a3d07b2063de4b2280e9727088f3b5670c..9c09051c31b49b17e7f53bd90c1b97a8946dae0d 100644 (file)
@@ -792,6 +792,12 @@ void radar11270219(void) {
   strcmp(x, y); // no warning
 }
 
+void radar_11358224_test_double_assign_ints_positive_2()
+{
+  void *ptr = malloc(16);
+  ptr = ptr; // expected-warning {{leak}}
+}
+
 // ----------------------------------------------------------------------------
 // Below are the known false positives.