[PATCH] D63720: [analyzer] ExprEngine: Escape pointers in bitwise operations

Mon, 24 Jun 2019 17:45:34 -0700 

This revision was automatically updated to reflect the committed changes.
Closed by commit rL364259: [analyzer] ExprEngine: Escape pointers in bitwise 
operations (authored by Charusso, committed by ).
Herald added a project: LLVM.
Herald added a subscriber: llvm-commits.

Changed prior to commit:
  https://reviews.llvm.org/D63720?vs=206344&id=206345#toc

Repository:
  rL LLVM

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D63720/new/

https://reviews.llvm.org/D63720

Files:
  cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineC.cpp
  cfe/trunk/test/Analysis/symbol-escape.cpp


Index: cfe/trunk/test/Analysis/symbol-escape.cpp
===================================================================
--- cfe/trunk/test/Analysis/symbol-escape.cpp
+++ cfe/trunk/test/Analysis/symbol-escape.cpp
@@ -0,0 +1,33 @@
+// RUN: %clang_analyze_cc1 \
+// RUN:  -analyzer-checker=core,cplusplus.NewDeleteLeaks \
+// RUN:  -verify %s
+
+// expected-no-diagnostics: Whenever we cannot evaluate an operation we escape
+//                          the operands. After the evaluation it would be an
+//                          Unknown value and the tracking would be lost.
+
+typedef unsigned __INTPTR_TYPE__ uintptr_t;
+
+class C {};
+
+C *simple_escape_in_bitwise_op(C *Foo) {
+  C *Bar = new C();
+  Bar = reinterpret_cast<C *>(reinterpret_cast<uintptr_t>(Bar) & 0x1);
+  (void)Bar;
+  // no-warning: "Potential leak of memory pointed to by 'Bar'" was here.
+
+  return Bar;
+}
+
+C **indirect_escape_in_bitwise_op() {
+  C *Qux = new C();
+  C **Baz = &Qux;
+  Baz = reinterpret_cast<C **>(reinterpret_cast<uintptr_t>(Baz) | 0x1);
+  Baz = reinterpret_cast<C **>(reinterpret_cast<uintptr_t>(Baz) &
+                              ~static_cast<uintptr_t>(0x1));
+  // no-warning: "Potential leak of memory pointed to by 'Qux'" was here.
+
+  delete *Baz;
+  return Baz;
+}
+
Index: cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineC.cpp
===================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineC.cpp
+++ cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineC.cpp
@@ -100,6 +100,10 @@
       SVal Result = evalBinOp(state, Op, LeftV, RightV, B->getType());
       if (!Result.isUnknown()) {
         state = state->BindExpr(B, LCtx, Result);
+      } else {
+        // If we cannot evaluate the operation escape the operands.
+        state = escapeValue(state, LeftV, PSK_EscapeOther);
+        state = escapeValue(state, RightV, PSK_EscapeOther);
       }
 
       Bldr.generateNode(B, *it, state);



Index: cfe/trunk/test/Analysis/symbol-escape.cpp
===================================================================
--- cfe/trunk/test/Analysis/symbol-escape.cpp
+++ cfe/trunk/test/Analysis/symbol-escape.cpp
@@ -0,0 +1,33 @@
+// RUN: %clang_analyze_cc1 \
+// RUN:  -analyzer-checker=core,cplusplus.NewDeleteLeaks \
+// RUN:  -verify %s
+
+// expected-no-diagnostics: Whenever we cannot evaluate an operation we escape
+//                          the operands. After the evaluation it would be an
+//                          Unknown value and the tracking would be lost.
+
+typedef unsigned __INTPTR_TYPE__ uintptr_t;
+
+class C {};
+
+C *simple_escape_in_bitwise_op(C *Foo) {
+  C *Bar = new C();
+  Bar = reinterpret_cast<C *>(reinterpret_cast<uintptr_t>(Bar) & 0x1);
+  (void)Bar;
+  // no-warning: "Potential leak of memory pointed to by 'Bar'" was here.
+
+  return Bar;
+}
+
+C **indirect_escape_in_bitwise_op() {
+  C *Qux = new C();
+  C **Baz = &Qux;
+  Baz = reinterpret_cast<C **>(reinterpret_cast<uintptr_t>(Baz) | 0x1);
+  Baz = reinterpret_cast<C **>(reinterpret_cast<uintptr_t>(Baz) &
+		               ~static_cast<uintptr_t>(0x1));
+  // no-warning: "Potential leak of memory pointed to by 'Qux'" was here.
+
+  delete *Baz;
+  return Baz;
+}
+
Index: cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineC.cpp
===================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineC.cpp
+++ cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineC.cpp
@@ -100,6 +100,10 @@
       SVal Result = evalBinOp(state, Op, LeftV, RightV, B->getType());
       if (!Result.isUnknown()) {
         state = state->BindExpr(B, LCtx, Result);
+      } else {
+        // If we cannot evaluate the operation escape the operands.
+        state = escapeValue(state, LeftV, PSK_EscapeOther);
+        state = escapeValue(state, RightV, PSK_EscapeOther);
       }
 
       Bldr.generateNode(B, *it, state);

_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

Reply via email to