[analyzer] [fuchsia.HandleChecker] Leak node is generated at wrong place #110580

Open
pskrgag opened this issue Sep 30, 2024 · 2 comments


pskrgag commented Sep 30, 2024

Consider the following code:

```c
#include <stdint.h>
#include <stdio.h>

typedef int zx_status_t;
typedef __typeof__(sizeof(int)) zx_handle_t;

#define ZX_HANDLE_ACQUIRE __attribute__((acquire_handle("Fuchsia")))
#define ZX_HANDLE_RELEASE __attribute__((release_handle("Fuchsia")))

zx_status_t create_handle(zx_handle_t *out0 ZX_HANDLE_ACQUIRE);
zx_status_t handle_close(zx_handle_t handle ZX_HANDLE_RELEASE);

void foo(void)
{
	zx_handle_t handle;
	zx_status_t res = create_handle(&handle);

	if (res == 0) {
		printf("error\n");  // leak reported here
		printf("error1\n");
		printf("error1\n");
	}
}
```

The error node is reported on a very unrelated node. I'd expect the error to be reported at the end of the function, since that is where the actual leak happens.

This happens because the handle symbol indeed becomes dead. Note that the leak node is generated at the right place if the condition is changed to res == 1 (which indicates allocation failure in terms of this checker).

Godbolt https://godbolt.org/z/33xPszdd6
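
A runtime counterpart of the reproducer above, added here as an illustration and not part of the original issue or of LLVM. The stub bodies of create_handle and handle_close, the live_handles counter, next_status, foo_as_reported and foo_fixed are constructed for this example, and 0 is assumed to mean success, in line with the issue's remark that res == 1 indicates allocation failure. It shows that on the res == 0 path the handle is still open when the function returns, and that releasing it on that path removes the leak.

```c
typedef int zx_status_t;
typedef __typeof__(sizeof(int)) zx_handle_t;
/* Attribute macros from the issue; empty where the compiler lacks them. */
#ifndef __has_attribute
#define __has_attribute(x) 0
#endif
#if __has_attribute(acquire_handle)
#define ZX_HANDLE_ACQUIRE __attribute__((acquire_handle("Fuchsia")))
#define ZX_HANDLE_RELEASE __attribute__((release_handle("Fuchsia")))
#else
#define ZX_HANDLE_ACQUIRE
#define ZX_HANDLE_RELEASE
#endif

static int live_handles;        /* constructed counter, not a Fuchsia API */
static zx_status_t next_status; /* status the stub returns on the next call */

zx_status_t create_handle(zx_handle_t *out0 ZX_HANDLE_ACQUIRE) { /* stub */
    if (next_status != 0) return next_status; /* failure: no handle given */
    *out0 = (zx_handle_t)++live_handles;      /* success: one more open */
    return 0;
}

zx_status_t handle_close(zx_handle_t handle ZX_HANDLE_RELEASE) { /* stub */
    if (handle) live_handles--;
    return 0;
}

/* Shape of foo() from the issue; returns the handles open at its end. */
int foo_as_reported(zx_status_t status) {
    zx_handle_t handle;
    next_status = status; live_handles = 0;
    zx_status_t res = create_handle(&handle);
    if (res == 0) { /* handle is open here and nothing closes it */ }
    return live_handles;
}

/* Same function with the release added on the success path. */
int foo_fixed(zx_status_t status) {
    zx_handle_t handle = 0;
    next_status = status; live_handles = 0;
    zx_status_t res = create_handle(&handle);
    if (res == 0) handle_close(handle);
    return live_handles;
}

int main(void) {
    return !(foo_as_reported(0) == 1 && foo_as_reported(1) == 0 && foo_fixed(0) == 0);
}
```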


llvmbot commented Sep 30, 2024

@llvm/issue-subscribers-clang-static-analyzer

Author: Pavel Skripkin (pskrgag)



pskrgag commented Sep 30, 2024

I am not sure where to look =(. The handle symbol indeed becomes dead, so it seems like the problem is not at the checker level.

Any tips would be appreciated.
