xazax.hun marked an inline comment as done.
xazax.hun added inline comments.
================
Comment at: clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp:624
+ if (const MemRegion *MR = Call.getArgSVal(Arg).getAsRegion())
+ if (!MR->hasStackStorage())
+ Escaped.push_back(State->getSVal(MR, Pointee));
----------------
NoQ wrote:
> Ok, so this patch interacts with D71152 in a non-trivial manner. We should
> re-use the logic that decides whether an escape on bind occurs.
Yeah, I just started to look into it and some skeletons fell out.
Let's consider the following example:
```
void leak() {
zx_handle_t sa, sb;
if (zx_channel_create(0, &sa, &sb))
return;
zx_handle_close(sb);
}
```
After using the same logic we can no longer detect the leak. The reason is,
after `zx_channel_create` both `sa` and `sb` regions are escaped (and they
become escaped during the conservative call) and then after the PostCall
callback, when we attached the traits to our symbols, we will trigger pointer
escape immediately, and lose the traits we just added.
I am not immediately sure what to do here. I feel like the main source of the
problem is the fact that `zx_channel_create` should not escape anything and the
checker has now way to communicate that to the analyzer core. Any ideas?
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D71224/new/
https://reviews.llvm.org/D71224
_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
