We are more aggressive in our assumptions here - we assume that the functions will free the memory (indirectly, eventually ~ the memory gets relinquished) and report use-after-free if someone tries to free it after it. Elsewhere, we just stop tracking. I am not sure if it's OK to assume that every ObjC method ending with NoCopy will definitely free. Do you disagree?
Thanks, Anna. On Jun 22, 2012, at 7:50 PM, Jordan Rose wrote: > Can we just go with the same NoCopy convention we have for functions, e.g. > anything that ends in "NoCopy" might free memory? > > > On Jun 22, 2012, at 3:42 PM, Anna Zaks wrote: > >> Author: zaks >> Date: Fri Jun 22 17:42:30 2012 >> New Revision: 159043 >> >> URL: http://llvm.org/viewvc/llvm-project?rev=159043&view=rev >> Log: >> [analyzer] Teach malloc checker that initWith[Bytes|Characters}NoCopy >> relinquish memory. >> >> Modified: >> cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp >> cfe/trunk/test/Analysis/malloc.mm >> >> Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp >> URL: >> http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp?rev=159043&r1=159042&r2=159043&view=diff >> ============================================================================== >> --- cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp (original) >> +++ cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp Fri Jun 22 >> 17:42:30 2012 >> @@ -504,7 +504,9 @@ >> // Ex: [NSData dataWithBytesNoCopy:bytes length:10]; >> // Unless 'freeWhenDone' param set to 0. >> // TODO: Check that the memory was allocated with malloc. >> - if (S.getNameForSlot(0) == "dataWithBytesNoCopy" && >> + if ((S.getNameForSlot(0) == "dataWithBytesNoCopy" || >> + S.getNameForSlot(0) == "initWithBytesNoCopy" || >> + S.getNameForSlot(0) == "initWithCharactersNoCopy") && >> !isFreeWhenDoneSetToZero(Call, S)){ >> unsigned int argIdx = 0; >> C.addTransition(FreeMemAux(C, Call.getArg(argIdx), >> >> Modified: cfe/trunk/test/Analysis/malloc.mm >> URL: >> http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/malloc.mm?rev=159043&r1=159042&r2=159043&view=diff >> ============================================================================== >> --- cfe/trunk/test/Analysis/malloc.mm (original) >> +++ cfe/trunk/test/Analysis/malloc.mm Fri Jun 22 17:42:30 2012 
>> @@ -21,6 +21,16 @@ >> NSData *nsdata = [[NSData alloc] initWithBytesNoCopy:data length:dataLength >> freeWhenDone:1]; // no-warning >> } >> >> +void testNSStringFreeWhenDoneYES3(NSUInteger dataLength) { >> + unsigned char *data = (unsigned char *)malloc(42); >> + NSString *nsstr = [[NSString alloc] initWithBytesNoCopy:data >> length:dataLength encoding:NSUTF8StringEncoding freeWhenDone:1]; >> +} >> + >> +void testNSStringFreeWhenDoneYES4(NSUInteger dataLength) { >> + unichar *data = (unichar*)malloc(42); >> + NSString *nsstr = [[NSString alloc] initWithCharactersNoCopy:data >> length:dataLength freeWhenDone:1]; >> + free(data); //expected-warning {{Attempt to free non-owned memory}} >> +} >> >> void testNSStringFreeWhenDoneYES(NSUInteger dataLength) { >> unsigned char *data = (unsigned char *)malloc(42); >> >> >> _______________________________________________ >> cfe-commits mailing list >> [email protected] >> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits > _______________________________________________ cfe-commits mailing list [email protected] http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits
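Review bot: In the MallocChecker.cpp hunk at -504, the comment above the condition still gives only "Ex: [NSData dataWithBytesNoCopy:bytes length:10];" although the check now covers three selectors, so the comment should name initWithBytesNoCopy and initWithCharactersNoCopy as well. The condition also calls S.getNameForSlot(0) three times; reading it once into a local before the if would make the growing list easier to extend. Because argIdx stays 0 and only the first selector slot is compared, every selector added to this list has to pass the buffer as its first argument, which is worth stating next to the existing TODO.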
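Review bot: In the malloc.mm hunk at -21, testNSStringFreeWhenDoneYES3 carries no expectation marker, while the NSData test just above it ends its initWithBytesNoCopy line with "// no-warning"; adding the same marker would make the intended result explicit. Both new tests pass freeWhenDone:1, so nothing in this hunk exercises the !isFreeWhenDoneSetToZero(Call, S) exclusion for the two new selectors; a freeWhenDone:0 case for initWithBytesNoCopy and initWithCharactersNoCopy followed by free(data) with no warning would cover it. Minor style point: "//expected-warning" in testNSStringFreeWhenDoneYES4 lacks the space after "//".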
