Author: charusso Date: Mon Jun 24 17:44:33 2019 New Revision: 364259 URL: http://llvm.org/viewvc/llvm-project?rev=364259&view=rev Log: [analyzer] ExprEngine: Escape pointers in bitwise operations
Summary: After evaluation it would be an Unknown value and tracking would be lost. Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus Reviewed By: NoQ Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp, cfe-commits Tags: #clang Differential Revision: https://reviews.llvm.org/D63720 Added: cfe/trunk/test/Analysis/symbol-escape.cpp Modified: cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineC.cpp Modified: cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineC.cpp URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineC.cpp?rev=364259&r1=364258&r2=364259&view=diff ==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineC.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineC.cpp Mon Jun 24 17:44:33 2019
@@ -100,6 +100,10 @@ void ExprEngine::VisitBinaryOperator(con
 SVal Result = evalBinOp(state, Op, LeftV, RightV, B->getType());
 if (!Result.isUnknown()) {
 state = state->BindExpr(B, LCtx, Result);
+ } else {
+ // If we cannot evaluate the operation escape the operands.
+ state = escapeValue(state, LeftV, PSK_EscapeOther);
+ state = escapeValue(state, RightV, PSK_EscapeOther);
 }
 Bldr.generateNode(B, *it, state);
Added: cfe/trunk/test/Analysis/symbol-escape.cpp URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/symbol-escape.cpp?rev=364259&view=auto ==============================================================================
--- cfe/trunk/test/Analysis/symbol-escape.cpp (added)
+++ cfe/trunk/test/Analysis/symbol-escape.cpp Mon Jun 24 17:44:33 2019
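Review bot: In the ExprEngineC.cpp hunk, the new `else` branch runs for every binary operator whose result evaluates to Unknown, while the comment and the commit title only speak of pointers in bitwise operations, so the comment understates how far the escape reaches. Once an operand is escaped with `PSK_EscapeOther`, checkers that track it (the added test uses cplusplus.NewDeleteLeaks) presumably stop reporting on it, which trades the false positive for possibly missed leaks. I would spell that out in the comment, e.g. `// Result is Unknown, so symbols in the operands can no longer be followed; escape both operands so checkers drop them instead of reporting a bogus leak (this can also hide a real one).` The body of VisitBinaryOperator starts and ends outside the hunk, so whether an earlier branch already narrows which operators reach this point cannot be seen here.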
@@ -0,0 +1,33 @@
+// RUN: %clang_analyze_cc1 \
+// RUN: -analyzer-checker=core,cplusplus.NewDeleteLeaks \
+// RUN: -verify %s
+
+// expected-no-diagnostics: Whenever we cannot evaluate an operation we escape
+// the operands. After the evaluation it would be an
+// Unknown value and the tracking would be lost.
+
+typedef unsigned __INTPTR_TYPE__ uintptr_t;
+
+class C {};
+
+C *simple_escape_in_bitwise_op(C *Foo) {
+ C *Bar = new C();
+ Bar = reinterpret_cast<C *>(reinterpret_cast<uintptr_t>(Bar) & 0x1);
+ (void)Bar;
+ // no-warning: "Potential leak of memory pointed to by 'Bar'" was here.
+
+ return Bar;
+}
+
+C **indirect_escape_in_bitwise_op() {
+ C *Qux = new C();
+ C **Baz = &Qux;
+ Baz = reinterpret_cast<C **>(reinterpret_cast<uintptr_t>(Baz) | 0x1);
+ Baz = reinterpret_cast<C **>(reinterpret_cast<uintptr_t>(Baz) &
+ ~static_cast<uintptr_t>(0x1));
+ // no-warning: "Potential leak of memory pointed to by 'Qux'" was here.
+
+ delete *Baz;
+ return Baz;
+}
+
_______________________________________________ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
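Review bot: The new symbol-escape.cpp test runs under `expected-no-diagnostics`, so it also passes when cplusplus.NewDeleteLeaks reports nothing at all. A control function that allocates with `new C()` and returns without touching the pointer, marked with an `expected-warning` for the same "Potential leak of memory pointed to by" message (and with the `expected-no-diagnostics` directive dropped), would show the checker is still active and that only the unevaluable operations escape. In `simple_escape_in_bitwise_op` the mask `& 0x1` keeps only the lowest bit, so the allocation really is unreachable after that line and the test pins a missed leak rather than a removed false positive; a mask that preserves the address bits, like the `| 0x1` then `& ~static_cast<uintptr_t>(0x1)` pair in the second function, would state the intent more clearly. The parameter `Foo` and the `(void)Bar;` statement are unused and could be dropped.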