[analyzer] Teach the analyzer that pointers can escape into __cxa_demangle

AnnaZaks · AnnaZaks · commit 328d2d9361af · 2016-12-15T22:55:18.000Z
This fixes a reported false positive in the malloc checker. Differential Revision: https://reviews.llvm.org/D27599 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@289886 91177308-0d34-0410-b5e6-96231b3b80d8
diff --git a/lib/StaticAnalyzer/Core/CallEvent.cpp b/lib/StaticAnalyzer/Core/CallEvent.cpp
@@ -382,6 +382,11 @@ bool AnyFunctionCall::argumentsMayEscape() const {
   if (II->isStr("funopen"))
     return true;
 
+  // - __cxa_demangle - can reallocate memory and can return the pointer to
+  // the input buffer.
+  if (II->isStr("__cxa_demangle"))
+    return true;
+
   StringRef FName = II->getName();
 
   // - CoreFoundation functions that end with "NoCopy" can free a passed-in
diff --git a/test/Analysis/Inputs/system-header-simulator-cxx.h b/test/Analysis/Inputs/system-header-simulator-cxx.h
@@ -240,3 +240,12 @@ void* operator new (std::size_t size, void* ptr) throw() { return ptr; };
 void* operator new[] (std::size_t size, void* ptr) throw() { return ptr; };
 void operator delete (void* ptr, void*) throw() {};
 void operator delete[] (void* ptr, void*) throw() {};
+
+namespace __cxxabiv1 {
+extern "C" {
+extern char *__cxa_demangle(const char *mangled_name,
+                            char *output_buffer,
+                            size_t *length,
+                            int *status);
+}}
+namespace abi = __cxxabiv1;
diff --git a/test/Analysis/malloc.cpp b/test/Analysis/malloc.cpp
@@ -1,6 +1,8 @@
 // RUN: %clang_cc1 -w -analyze -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,cplusplus.NewDelete -analyzer-store=region -verify %s
 // RUN: %clang_cc1 -triple i386-unknown-linux-gnu -w -analyze -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,cplusplus.NewDelete -analyzer-store=region -verify %s
 
+#include "Inputs/system-header-simulator-cxx.h"
+
 typedef __typeof(sizeof(int)) size_t;
 void *malloc(size_t);
 void free(void *);
@@ -125,3 +127,15 @@ namespace PR31226 {
     p->m(); // no-crash // no-warning
   }
 }
+
+// Allow __cxa_demangle to escape.
+char* test_cxa_demangle(const char* sym) {
+  size_t funcnamesize = 256;
+  char* funcname = (char*)malloc(funcnamesize);
+  int status;
+  char* ret = abi::__cxa_demangle(sym, funcname, &funcnamesize, &status);
+  if (status == 0) {
+    funcname = ret;
+  }
+  return funcname; // no-warning
+}
