mirrors/llvm-project
0
0
Fork 0
mirror of https://github.com/llvm/llvm-project.git synced 2025-04-17 01:36:38 +00:00
Code Issues Projects Releases Wiki Activity
llvm-project/clang/test/Analysis/stack-capture-leak-no-arc.mm
Arseniy Zaostrovnykh 190449a5d2
[analyzer] Detect leaks of stack addresses via output params, indirect globals 3/3 (#105648) 
Fix some false negatives of StackAddrEscapeChecker:
- Output parameters
  ```
  void top(int **out) {
    int local = 42;
    *out = &local; // Noncompliant
  }
  ```
- Indirect global pointers
  ```
  int **global;

  void top() {
    int local = 42;
    *global = &local; // Noncompliant
  }
  ```

Note that now StackAddrEscapeChecker produces a diagnostic if a function
with an output parameter is analyzed as top-level or as a callee. I took
special care to make sure the reports point to the same primary location
and, in many cases, feature the same primary message. That is the
motivation to modify Core/BugReporter.cpp and Core/ExplodedGraph.cpp

To avoid false positive reports when a global indirect pointer is
assigned a local address, invalidated, and then reset, I rely on the
fact that the invalidation symbol will be a DerivedSymbol of a
ConjuredSymbol that refers to the same memory region.

The checker still has a false negative for non-trivial escaping via a
returned value. It requires a more sophisticated traversal akin to
scanReachableSymbols, which out of the scope of this change.

CPP-4734

---------

This is the last of the 3 stacked PRs, it must not be merged before
https://github.com/llvm/llvm-project/pull/105652 and
https://github.com/llvm/llvm-project/pull/105653
2024-08-28 08:36:59 +02:00

82 lines
2.3 KiB
Plaintext
Raw Permalink Blame History

// RUN: %clang_analyze_cc1 -triple x86_64-apple-darwin10 -analyzer-checker=core,alpha.core.StackAddressAsyncEscape -fblocks -verify %s
typedef struct dispatch_queue_s *dispatch_queue_t;
typedef void (^dispatch_block_t)(void);
void dispatch_async(dispatch_queue_t queue, dispatch_block_t block);
extern dispatch_queue_t queue;
void f(int);
void test_block_inside_block_async_no_leak() {
int x = 123;
int *p = &x;
void (^inner)(void) = ^void(void) {
int y = x;
++y;
};
// Block_copy(...) copies the captured block ("inner") too,
// there is no leak in this case.
dispatch_async(queue, ^void(void) {
int z = x;
++z;
inner();
}); // no-warning
}
dispatch_block_t test_block_inside_block_async_leak() {
int x = 123;
void (^inner)(void) = ^void(void) {
int y = x;
++y;
};
void (^outer)(void) = ^void(void) {
int z = x;
++z;
inner();
};
return outer; // expected-warning-re{{Address of stack-allocated block declared on line {{.+}} is captured by a returned block}}
}
// The block literal defined in this function could leak once being
// called.
void output_block(dispatch_block_t * blk) {
int x = 0;
*blk = ^{ f(x); }; // expected-warning {{Address of stack-allocated block declared on line 43 is still referred to by the caller variable 'blk' upon returning to the caller. This will be a dangling reference [core.StackAddressEscape]}}
}
// The block literal captures nothing thus is treated as a constant.
void output_constant_block(dispatch_block_t * blk) {
*blk = ^{ };
}
// A block can leak if it captures at least one variable and is not
// under ARC when its' stack frame expires.
void test_block_leak() {
__block dispatch_block_t blk;
int x = 0;
dispatch_block_t p = ^{
blk = ^{ // expected-warning {{Address of stack-allocated block declared on line 57 is still referred to by the caller variable 'blk' upon returning to the caller. This will be a dangling reference [core.StackAddressEscape]}}
f(x);
};
};
p();
blk();
output_block(&blk);
blk();
}
// A block captures nothing is a constant thus never leaks.
void test_constant_block_no_leak() {
__block dispatch_block_t blk;
dispatch_block_t p = ^{
blk = ^{
f(0);
};
};
p();
blk();
output_constant_block(&blk);
blk();
}
Reference in New Issue View Git Blame Copy Permalink