diff options
| author | Artem Dergachev <artem.dergachev@gmail.com> | 2019-02-22 00:09:56 +0000 |
|---|---|---|
| committer | Artem Dergachev <artem.dergachev@gmail.com> | 2019-02-22 00:09:56 +0000 |
| commit | 10dd12360934cb8ecfb803a4b72841e9ca8bf622 (patch) | |
| tree | 5a13f0f2221572393c356493b3f93ba9393121a9 /clang/test | |
| parent | 7479b3dd2024a4a0beff24dd3bbaefdde6ad1e3b (diff) | |
| download | bcm5719-llvm-10dd12360934cb8ecfb803a4b72841e9ca8bf622.tar.gz bcm5719-llvm-10dd12360934cb8ecfb803a4b72841e9ca8bf622.zip | |
[analyzer] MIGChecker: Fix an FN when the object is released in a destructor.
When a MIG server routine argument is released in an automatic destructor,
the Static Analyzer thinks that this happens after the return statement, and so
the violation of the MIG convention doesn't happen.
Of course, it doesn't quite work that way, so this is a false negative.
Add a hack that makes the checker double-check at the end of function
that no argument was released when the routine fails with an error.
rdar://problem/35380337
Differential Revision: https://reviews.llvm.org/D58392
llvm-svn: 354642
Diffstat (limited to 'clang/test')
| -rw-r--r-- | clang/test/Analysis/mig.mm | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/clang/test/Analysis/mig.mm b/clang/test/Analysis/mig.mm index 6bcd45b36a1..77b477ed2d9 100644 --- a/clang/test/Analysis/mig.mm +++ b/clang/test/Analysis/mig.mm @@ -56,6 +56,31 @@ kern_return_t release_twice(mach_port_name_t port, vm_address_t addr1, vm_addres // expected-note@-1{{MIG callback fails with error after deallocating argument value. This is a use-after-free vulnerability because the caller will try to deallocate it again}} } +// Make sure we find the bug when the object is destroyed within an +// automatic destructor. +MIG_SERVER_ROUTINE +kern_return_t test_vm_deallocate_in_automatic_dtor(mach_port_name_t port, vm_address_t address, vm_size_t size) { + struct WillDeallocate { + mach_port_name_t port; + vm_address_t address; + vm_size_t size; + ~WillDeallocate() { + vm_deallocate(port, address, size); // expected-note{{Value passed through parameter 'address' is deallocated}} + } + } will_deallocate{port, address, size}; + + if (size > 10) { + // expected-note@-1{{Assuming 'size' is > 10}} + // expected-note@-2{{Taking true branch}} + return KERN_ERROR; + // expected-note@-1{{Calling '~WillDeallocate'}} + // expected-note@-2{{Returning from '~WillDeallocate'}} + // expected-warning@-3{{MIG callback fails with error after deallocating argument value. This is a use-after-free vulnerability because the caller will try to deallocate it again}} + // expected-note@-4 {{MIG callback fails with error after deallocating argument value. This is a use-after-free vulnerability because the caller will try to deallocate it again}} + } + return KERN_SUCCESS; +} + // Check that we work on Objective-C messages and blocks. @interface I - (kern_return_t)fooAtPort:(mach_port_name_t)port withAddress:(vm_address_t)address ofSize:(vm_size_t)size; |
