Query Regarding RetainCountChecker | Clang Static Analyzer


Xin Wang via cfe-dev
Dear all,

Consider the following hypothetical test cases (using the Integer Set Library objects and annotations) which are passed through the RetainCountChecker.


// Case 1
#define __isl_give __attribute__((cf_returns_retained))
#define __isl_take __attribute__((cf_consumed))

// Declaration of isl_basic_map_cow(). Definition is in another .c file and hence is not visible to the static analyzer.
__isl_give isl_basic_map *isl_basic_map_cow(__isl_take isl_basic_map *bmap);


__isl_give isl_basic_map *foo(__isl_take isl_basic_map *bmap) {
    isl_basic_map *temp = bmap;
    bmap = isl_basic_map_cow(bmap);
    free(bmap);
    return temp; // Leak warning is raised for 'bmap' here.
}

// Case 2
#define __isl_give __attribute__((cf_returns_retained))
#define __isl_take __attribute__((cf_consumed))

// Declaration of isl_basic_map_cow(). Definition is in another .c file and hence is not visible to the static analyzer.
__isl_give isl_basic_map *isl_basic_map_cow(__isl_take isl_basic_map *bmap);


__isl_give isl_basic_map *foo(__isl_take isl_basic_map *bmap) {
    isl_basic_map *temp = bmap;
    bmap = isl_basic_map_cow(bmap);
    free(bmap);
    return bmap; // Use-after-free warning is raised for 'bmap' here.
}

My question:
  • Looking at the warnings raised in both cases, could someone please explain to me why a leak warning is being raised in Case 1? isl_basic_map_cow() returns an object with a +1 retain count which is then freed.

Thank you.


Regards,
Malhar Thakkar


_______________________________________________
cfe-dev mailing list
[hidden email]
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev

Re: Query Regarding RetainCountChecker | Clang Static Analyzer

Xin Wang via cfe-dev
These warnings seem reasonable to me, because we can be certain that
free() doesn't decrement reference counts - instead it frees the memory
(release doesn't imply freeing the memory - something else may still
retain). So `bmap' is freed but not released, therefore we have a
warning from RetainCountChecker regarding a memory leak *and*, in case
2, a warning from MallocChecker regarding use-after-free.

Re: Query Regarding RetainCountChecker | Clang Static Analyzer

Xin Wang via cfe-dev


On Tue, Jun 20, 2017 at 9:30 PM, Artem Dergachev <[hidden email]> wrote:
> These warnings seem reasonable to me, because we can be certain that free() doesn't decrement reference counts - instead it frees the memory (release doesn't imply freeing the memory - something else may still retain). So `bmap' is freed but not released, therefore we have a warning from RetainCountChecker regarding a memory leak *and*, in case 2, a warning from MallocChecker regarding use-after-free.

Oh, I see. Thank you so much. :) 

Regards,
Malhar


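Added example, not part of the thread and not ISL code: a constructed reference-counted type that makes the reply's distinction observable. free() returns the memory but leaves the reference owed, while a release pays the reference and frees the memory only when the count reaches zero. The names obj, obj_alloc, obj_copy, obj_release, obj_cow, refs_left and shared_value_after_release are hypothetical, and the GIVE/TAKE macros stand in for the thread's __isl_give/__isl_take.

```c
#include <stdlib.h>

#ifdef __clang__            /* the thread's annotations; no-ops elsewhere */
#define GIVE __attribute__((cf_returns_retained))
#define TAKE __attribute__((cf_consumed))
#else
#define GIVE
#define TAKE
#endif

/* Constructed stand-in for a reference-counted library object. */
typedef struct obj { int ref; int value; } obj;
static int outstanding;     /* references handed out and not yet released */

GIVE obj *obj_alloc(int value) {
    obj *o = malloc(sizeof *o);
    if (o) { o->ref = 1; o->value = value; outstanding++; }
    return o;
}
GIVE obj *obj_copy(obj *o) { if (o) { o->ref++; outstanding++; } return o; }

/* Giving up a reference: memory is freed only when the count hits zero. */
void obj_release(TAKE obj *o) {
    if (!o) return;
    outstanding--;
    if (--o->ref == 0) free(o);
}

/* Copy-on-write: consumes the caller's reference, returns an unshared +1. */
GIVE obj *obj_cow(TAKE obj *o) {
    if (!o || o->ref == 1) return o;     /* already unshared */
    obj *priv = obj_alloc(o->value);
    obj_release(o);
    return priv;
}

/* Shape of the thread's foo(): dispose of cow's +1 result either way. */
int refs_left(int use_release) {
    outstanding = 0;
    obj *b = obj_cow(obj_alloc(7));
    if (use_release) obj_release(b);
    else free(b);           /* memory gone, count never decremented */
    return outstanding;
}

/* Two owners: one releasing leaves the object alive for the other. */
int shared_value_after_release(void) {
    obj *a = obj_alloc(7), *b = obj_copy(a);   /* ref == 2 */
    obj_release(b);         /* ref == 1; free(b) here would dangle a */
    int v = a->value;
    obj_release(a);
    return v;
}
```

refs_left(0) reports one reference still owed after free(), which is the imbalance a retain-count checker reports as a leak; refs_left(1) reports none.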