Teach SimpleSValBuilder that (in the absence of more information) stack memory doesn't alias symbolic memory.  This is a heuristic/hack, but works well in practice.  Fixes <rdar://problem/10978247>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152065 91177308-0d34-0410-b5e6-96231b3b80d8
diff --git a/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp b/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
index 5cf9f47..d0558f1 100644
--- a/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
+++ b/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
@@ -714,6 +714,24 @@
 
     // The two regions are from the same base region. See if they're both a
     // type of region we know how to compare.
+    const MemSpaceRegion *LeftMS = LeftBase->getMemorySpace();
+    const MemSpaceRegion *RightMS = RightBase->getMemorySpace();
+
+    // Heuristic: assume that no symbolic region (whose memory space is
+    // unknown) is on the stack.
+    // FIXME: we should be able to be more precise once we can do better
+    // aliasing constraints for symbolic regions, but this is a reasonable,
+    // albeit unsound, assumption that holds most of the time.
+    if (isa<StackSpaceRegion>(LeftMS) ^ isa<StackSpaceRegion>(RightMS)) {
+      switch (op) {
+        default:
+          break;
+        case BO_EQ:
+          return makeTruthVal(false, resultTy);
+        case BO_NE:
+          return makeTruthVal(true, resultTy);
+      }
+    }
 
     // FIXME: If/when there is a getAsRawOffset() for FieldRegions, this
     // ElementRegion path and the FieldRegion path below should be unified.
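Review bot: The condition `isa<StackSpaceRegion>(LeftMS) ^ isa<StackSpaceRegion>(RightMS)` fires for any stack/non-stack pair, while the comment above it limits the heuristic to symbolic regions whose memory space is unknown. If the narrow reading is intended, test it directly, e.g. `(isa<StackSpaceRegion>(LeftMS) && isa<UnknownSpaceRegion>(RightMS)) || (isa<UnknownSpaceRegion>(LeftMS) && isa<StackSpaceRegion>(RightMS))`; otherwise reword the comment to say "any region outside stack space". Because the assumption is unsound, the FIXME should also state the consequence for checkers: the `BO_EQ` path is dropped as infeasible, so nothing is reported on it even where a symbolic pointer could in fact refer to a stack variable (possibly one in a caller's frame). The block also sits under the existing comment "The two regions are from the same base region", which does not describe it. The enclosing function starts and ends outside the hunk.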
diff --git a/test/Analysis/malloc.c b/test/Analysis/malloc.c
index bfe1bef..0bc09ea 100644
--- a/test/Analysis/malloc.c
+++ b/test/Analysis/malloc.c
@@ -728,6 +728,38 @@
     return 0;// expected-warning {{leak}}
 }
 
+// <rdar://problem/10978247>.
+// some people use stack allocated memory as an optimization to avoid
+// a heap allocation for small work sizes.  This tests the analyzer's
+// understanding that the malloc'ed memory is not the same as stackBuffer.
+void radar10978247(int myValueSize) {
+  char stackBuffer[128];
+  char *buffer;
+
+  if (myValueSize <= sizeof(stackBuffer))
+    buffer = stackBuffer;
+  else 
+    buffer = malloc(myValueSize);
+
+  // do stuff with the buffer
+  if (buffer != stackBuffer)
+    free(buffer);
+}
+
+void radar10978247_positive(int myValueSize) {
+  char stackBuffer[128];
+  char *buffer;
+
+  if (myValueSize <= sizeof(stackBuffer))
+    buffer = stackBuffer;
+  else 
+    buffer = malloc(myValueSize);
+
+  // do stuff with the buffer
+  if (buffer == stackBuffer) // expected-warning {{leak}}
+    return;
+}
+
 // ----------------------------------------------------------------------------
 // Below are the known false positives.
 
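Review bot: `radar10978247_positive` has no comment saying why a leak is expected, unlike the function above it. A line such as `// Counterpart of radar10978247: the malloc'ed buffer is never freed, so the leak must be reported once buffer == stackBuffer is evaluated as false on the malloc path.` would make the expectation readable without the radar. Separately, `myValueSize <= sizeof(stackBuffer)` compares an `int` with a `size_t` in both functions, so a negative `myValueSize` converts to a large unsigned value and takes the `malloc` branch. If that is not meant to be part of what is tested, declaring the parameter as `size_t myValueSize` avoids it.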
diff --git a/test/Analysis/ptr-arith.c b/test/Analysis/ptr-arith.c
index 995470a..fb37f1c 100644
--- a/test/Analysis/ptr-arith.c
+++ b/test/Analysis/ptr-arith.c
@@ -269,7 +269,7 @@
   int a;
 
   if (&a == p)
-    WARN; // expected-warning{{}}
+    WARN; // no-warning
   if (&a != p)
     WARN; // expected-warning{{}}
   if (&a > p)
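Review bot: The bare `// no-warning` on the `&a == p` branch does not record that the branch is now pruned by an assumption rather than proved unreachable. I would write `WARN; // no-warning (heuristic: stack memory is assumed not to alias symbolic memory; unsound)` so the expectation is revisited if aliasing constraints for symbolic regions improve. The declaration of `p` and the rest of the function are outside the hunk, so this assumes `p` is a symbolic pointer.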