Fix FN deallocuse with function call (refs #11409) (#5822)

chrchr-github 2024-01-04 22:10:24 +01:00 committed by GitHub
parent efa8a08407
commit 1eee68f039
2 changed files with 45 additions and 2 deletions


@ -1045,7 +1045,11 @@ void CheckLeakAutoVar::functionCall(const Token *tokName, const Token *tokOpenin
const VarInfo::AllocInfo sp_allocation(sp_af ? sp_af->groupId : (arrayDelete ? NEW_ARRAY : NEW), VarInfo::OWNED, allocTok); const VarInfo::AllocInfo sp_allocation(sp_af ? sp_af->groupId : (arrayDelete ? NEW_ARRAY : NEW), VarInfo::OWNED, allocTok);
changeAllocStatus(varInfo, sp_allocation, vtok, vtok); changeAllocStatus(varInfo, sp_allocation, vtok, vtok);
} else { } else {
const Token* const nextArg = funcArg->nextArgument();
do {
checkTokenInsideExpression(arg, varInfo, /*inFuncCall*/ isLeakIgnore); checkTokenInsideExpression(arg, varInfo, /*inFuncCall*/ isLeakIgnore);
arg = arg->next();
} while ((nextArg && arg != nextArg) || (!nextArg && arg != tokOpeningPar->link()));
} }
// TODO: check each token in argument expression (could contain multiple variables) // TODO: check each token in argument expression (could contain multiple variables)
argNr++; argNr++;
@ -1111,7 +1115,7 @@ void CheckLeakAutoVar::ret(const Token *tok, VarInfo &varInfo, const bool isEndO
for (const Token *tok2 = tok; tok2; tok2 = tok2->next()) { for (const Token *tok2 = tok; tok2; tok2 = tok2->next()) {
if (tok2->str() == ";") if (tok2->str() == ";")
break; break;
if (!Token::Match(tok2, "return|(|{|,")) if (!Token::Match(tok2, "return|(|{|,|*"))
continue; continue;
const Token* tok3 = tok2->next(); const Token* tok3 = tok2->next();
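Review bot: The `// TODO: check each token in argument expression (could contain multiple variables)` comment right after the new `else` block is now stale, because the added do/while visits every token of the argument and hands each to `checkTokenInsideExpression`; drop it or reword it to name what is still not covered. The walk advances with `arg = arg->next()` and stops only on `nextArg` or `tokOpeningPar->link()`, so it relies on the token list between the parentheses being well-formed — if `next()` ever returned null before either stop, the following iteration would dereference null; making that explicit costs one condition, `} while (arg && ((nextArg && arg != nextArg) || (!nextArg && arg != tokOpeningPar->link())));`. In the second hunk, adding `*` to the `Token::Match` pattern makes every `*` in a return expression trigger a check of the token after it, which presumably also fires for a `*p` inside an unevaluated operand such as `sizeof`; a test pinning the expected behaviour there would settle whether that is a new false positive. Both functionCall and ret start and end outside the hunks.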


@ -942,6 +942,45 @@ private:
"}\n"); "}\n");
ASSERT_EQUALS("[test.c:4]: (error) Dereferencing 'p' after it is deallocated / released\n", ASSERT_EQUALS("[test.c:4]: (error) Dereferencing 'p' after it is deallocated / released\n",
errout.str()); errout.str());
check("int g(int);\n"
"void f(int* p) {\n"
" free(p);\n"
" g(*p);\n"
"}\n"
"int h(int* p) {\n"
" free(p);\n"
" return g(*p);\n"
"}\n");
ASSERT_EQUALS("[test.c:4]: (error) Dereferencing 'p' after it is deallocated / released\n"
"[test.c:7] -> [test.c:8]: (error) Returning/dereferencing 'p' after it is deallocated / released\n",
errout.str());
check("int g(int);\n"
"void f(int* p) {\n"
" free(p);\n"
" g(1 + *p);\n"
"}\n"
"int h(int* p) {\n"
" free(p);\n"
" return g(1 + *p);\n"
"}\n");
ASSERT_EQUALS("[test.c:4]: (error) Dereferencing 'p' after it is deallocated / released\n"
"[test.c:7] -> [test.c:8]: (error) Returning/dereferencing 'p' after it is deallocated / released\n",
errout.str());
check("int g(int, int);\n"
"void f(int* p) {\n"
" free(p);\n"
" g(0, 1 + *p);\n"
"}\n"
"int h(int* p) {\n"
" free(p);\n"
" return g(0, 1 + *p);\n"
"}\n");
ASSERT_EQUALS("[test.c:4]: (error) Dereferencing 'p' after it is deallocated / released\n"
"[test.c:7] -> [test.c:8]: (error) Returning/dereferencing 'p' after it is deallocated / released\n",
errout.str());
} }
void doublefree1() { // #3895 void doublefree1() { // #3895
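Review bot: All three new cases put the dereference in the last argument (`g(*p)`, `g(1 + *p)`, `g(0, 1 + *p)`), so the `nextArg` stop of the new argument walk in functionCall is only ever reached with a single-token first argument; a case such as `g(1 + *p, 0)` would show the walk stops at the argument boundary rather than running to the closing parenthesis. There is also no nested-call case such as `g(h(*p))`, where the outer and inner argument walks could both visit `*p`; a test expecting exactly one message there would guard against duplicate reports. The enclosing test function starts outside the hunk.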