1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
|
/* { dg-additional-options "-fanalyzer-call-summaries" } */
#include <stdlib.h>
#include "analyzer-decls.h"
extern int foo (int);
static int __attribute__((noinline))
do_stuff (int *p, int n)
{
int sum = 0;
int i;
for (i = 0; i < n; i++)
p[i] = i;
for (i = 0; i < n; i++)
sum += foo (p[i]); /* { dg-bogus "uninitialized" } */
return sum;
}
static int __attribute__((noinline))
do_stuff_2 (int *p, int n)
{
return 0;
}
/* Various examples of functions that use either a malloc buffer
or a local buffer, do something, then conditionally free the
buffer, tracking whether "free" is necessary in various
ways.
In each case, there ought to be only two paths through the function,
not four. */
/* Repeated (n > 10) predicate. */
int test_repeated_predicate_1 (int n)
{
int buf[10];
int *ptr;
int result;
if (n > 10)
ptr = (int *)malloc (sizeof (int) * n);
else
ptr = buf;
__analyzer_dump_exploded_nodes (0); /* { dg-warning "2 processed enodes" } */
result = do_stuff (ptr, n);
__analyzer_dump_exploded_nodes (0); /* { dg-warning "2 processed enodes" } */
if (n > 10)
free (ptr); /* { dg-bogus "not on the heap" } */
return result; /* { dg-bogus "leak" } */
}
/* A simpler version of the above. */
int test_repeated_predicate_2 (int n)
{
int buf[10];
int *ptr;
int result;
if (n > 10)
ptr = (int *)malloc (sizeof (int) * n);
else
ptr = buf;
__analyzer_dump_exploded_nodes (0); /* { dg-warning "2 processed enodes" } */
result = do_stuff_2 (ptr, n);
__analyzer_dump_exploded_nodes (0); /* { dg-warning "2 processed enodes" } */
if (n > 10)
free (ptr); /* { dg-bogus "not on the heap" } */
return result; /* { dg-bogus "leak" } */
}
/* A predicate that sets a flag for the 2nd test. */
int test_explicit_flag (int n)
{
int buf[10];
int *ptr;
int result;
int need_to_free = 0;
if (n > 10)
{
ptr = (int *)malloc (sizeof (int) * n);
need_to_free = 1;
}
else
ptr = buf;
__analyzer_dump_exploded_nodes (0); /* { dg-warning "2 processed enodes" } */
result = do_stuff (ptr, n);
__analyzer_dump_exploded_nodes (0); /* { dg-warning "2 processed enodes" } */
if (need_to_free)
free (ptr); /* { dg-bogus "not on the heap" } */
return result; /* { dg-bogus "leak" } */
}
/* Pointer comparison. */
int test_pointer_comparison (int n)
{
int buf[10];
int *ptr;
int result;
if (n > 10)
ptr = (int *)malloc (sizeof (int) * n);
else
ptr = buf;
__analyzer_dump_exploded_nodes (0); /* { dg-warning "2 processed enodes" } */
result = do_stuff (ptr, n);
__analyzer_dump_exploded_nodes (0); /* { dg-warning "2 processed enodes" } */
if (ptr != buf)
free (ptr); /* { dg-bogus "not on the heap" } */
return result; /* { dg-bogus "leak" } */
}
/* Set a flag based on a conditional, then use it, then reuse the
conditional. */
int test_initial_flag (int n)
{
int buf[10];
int *ptr;
int result;
int on_heap = 0;
if (n > 10)
on_heap = 1;
else
on_heap = 0;
/* Due to state-merging, we lose the relationship between 'n > 10'
and 'on_heap' here; we have to rely on feasibility-checking
in the diagnostic_manager to reject the false warnings. */
__analyzer_dump_exploded_nodes (0); /* { dg-warning "1 processed enode" } */
if (on_heap)
ptr = (int *)malloc (sizeof (int) * n);
else
ptr = buf;
__analyzer_dump_exploded_nodes (0); /* { dg-warning "2 processed enodes" } */
result = do_stuff (ptr, n);
__analyzer_dump_exploded_nodes (0); /* { dg-warning "2 processed enodes" } */
if (n > 10)
free (ptr); /* { dg-bogus "not on the heap" } */
return result; /* { dg-bogus "leak" } */
}
|
