From: Ted Kremenek Date: Mon, 5 Mar 2012 23:06:19 +0000 (+0000) Subject: Teach SimpleSValBuilder that (in the absence of more information) stack memory doesn... X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a99f874bf2ade1e32f0feda7d5b8211171440f02;p=clang Teach SimpleSValBuilder that (in the absence of more information) stack memory doesn't alias symbolic memory. This is a heuristic/hack, but works well in practice. Fixes . git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152065 91177308-0d34-0410-b5e6-96231b3b80d8
---
diff --git a/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp b/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
index 5cf9f475c7..d0558f1af4 100644
--- a/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
+++ b/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
@@ -714,6 +714,24 @@ SVal SimpleSValBuilder::evalBinOpLL(ProgramStateRef state,
 // The two regions are from the same base region. See if they're both a
 // type of region we know how to compare.
+ const MemSpaceRegion *LeftMS = LeftBase->getMemorySpace();
+ const MemSpaceRegion *RightMS = RightBase->getMemorySpace();
+
+ // Heuristic: assume that no symbolic region (whose memory space is
+ // unknown) is on the stack.
+ // FIXME: we should be able to be more precise once we can do better
+ // aliasing constraints for symbolic regions, but this is a reasonable,
+ // albeit unsound, assumption that holds most of the time.
+ if (isa(LeftMS) ^ isa(RightMS)) {
+ switch (op) {
+ default:
+ break;
+ case BO_EQ:
+ return makeTruthVal(false, resultTy);
+ case BO_NE:
+ return makeTruthVal(true, resultTy);
+ }
+ }
 // FIXME: If/when there is a getAsRawOffset() for FieldRegions, this
 // ElementRegion path and the FieldRegion path below should be unified.
diff --git a/test/Analysis/malloc.c b/test/Analysis/malloc.c
index bfe1befb53..0bc09ead6b 100644
--- a/test/Analysis/malloc.c
+++ b/test/Analysis/malloc.c
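Review bot: The new condition is broader than the comment above it describes: `isa(LeftMS) ^ isa(RightMS)` (the template argument looks stripped on this page, presumably `isa<StackSpaceRegion>`) folds `==`/`!=` whenever exactly one base lives in stack space, whatever the other side's space is, so it also decides stack-vs-heap and stack-vs-global comparisons, which are sound, while the symbolic case the comment names is the only unsound one. That unsound case is, as far as I can tell, a stack address that has escaped — stored to a global or handed to an opaque call — and later read back as a symbolic value; after this change such a `p == &local` is a constant false and every path behind it is dropped, which makes this a false-negative source for every checker rather than a false-positive one. I would say so in the comment, e.g. `// Unsound when a stack address has escaped (to a global or an opaque call) and comes back as a symbolic value: p == &local is then folded to false and that path is never explored.`, and add a test of that shape next to the ptr-arith.c one. evalBinOpLL starts and ends outside the hunk.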
@@ -728,6 +728,38 @@ int my_main_warn(FILE *f) {
 return 0;// expected-warning {{leak}}
 }
+// .
+// some people use stack allocated memory as an optimization to avoid
+// a heap allocation for small work sizes. This tests the analyzer's
+// understanding that the malloc'ed memory is not the same as stackBuffer.
+void radar10978247(int myValueSize) {
+ char stackBuffer[128];
+ char *buffer;
+
+ if (myValueSize <= sizeof(stackBuffer))
+ buffer = stackBuffer;
+ else
+ buffer = malloc(myValueSize);
+
+ // do stuff with the buffer
+ if (buffer != stackBuffer)
+ free(buffer);
+}
+
+void radar10978247_positive(int myValueSize) {
+ char stackBuffer[128];
+ char *buffer;
+
+ if (myValueSize <= sizeof(stackBuffer))
+ buffer = stackBuffer;
+ else
+ buffer = malloc(myValueSize);
+
+ // do stuff with the buffer
+ if (buffer == stackBuffer) // expected-warning {{leak}}
+ return;
+}
+
 // ----------------------------------------------------------------------------
 // Below are the known false positives.
diff --git a/test/Analysis/ptr-arith.c b/test/Analysis/ptr-arith.c
index 995470a369..fb37f1c791 100644
--- a/test/Analysis/ptr-arith.c
+++ b/test/Analysis/ptr-arith.c
@@ -269,7 +269,7 @@ void symbolic_region(int *p) {
 int a;
 if (&a == p)
- WARN; // expected-warning{{}}
+ WARN; // no-warning
 if (&a != p)
 WARN; // expected-warning{{}}
 if (&a > p)
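Review bot: `myValueSize <= sizeof(stackBuffer)` in both new functions compares a signed `int` with a `size_t`, so a negative `myValueSize` converts to a large unsigned value, takes the `malloc` branch and passes that size on; it does not affect the aliasing property under test, but since these functions are written as the model pattern for a stack-or-heap buffer, `size_t myValueSize` (or `unsigned`) on both signatures would avoid teaching the sign-compare bug. The new tests also only exercise the sound direction of the heuristic (a fresh local versus a malloc'd pointer); a case where `stackBuffer` escapes to an opaque function and a pointer obtained afterwards is compared with it would pin the known false negative so a later refinement has a regression point. The radar reference in `// .` appears to have been stripped by the rendering rather than omitted in the commit.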
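Review bot: The flipped expectation on `if (&a == p)` records the heuristic's behaviour but not why it is acceptable here, and the neighbouring `if (&a != p)` still carrying `expected-warning{{}}` will read as contradictory to the next maintainer. For this particular test the result is sound as far as I can see, because `p` was formed by the caller before `a` existed, so a short comment is warranted, e.g. `// no-warning: SimpleSValBuilder assumes a symbolic region is never on the stack; p predates the frame that owns a, so this is sound here`. The case the assumption is not sound for, an escaped stack address read back symbolically, is not covered by this file. symbolic_region starts before and continues past the hunk.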