xazax.hun added a comment.
Looks good so far, some comments inline.
================
Comment at: lib/StaticAnalyzer/Checkers/DanglingInternalBufferChecker.cpp:58
+
+ auto *TypeDecl = TypedR->getValueType().getTypePtr()->getAsCXXRecordDecl();
+ if (TypeDecl->getName() != "basic_string")
----------------
QualType should have overloaded `->` operator, I think you can remove the
`getTypePtr`.
================
Comment at: lib/StaticAnalyzer/Checkers/DanglingInternalBufferChecker.cpp:65
+ if (Call.isCalled(CStrFn)) {
+ SymbolRef RawPtr = Call.getReturnValue().getAsSymbol();
+ State = State->set<RawPtrMap>(TypedR, RawPtr);
----------------
I wonder if we can always get a symbol.
I can think of two cases when the call above could fail:
* Non-standard implementation that does not return a pointer
* The analyzer able to inline stuff and the returned value is a constant (a
specific address that is shared between all empty strings in some
implementation?)
Even though I do find any of the above likely. @NoQ what do you think? Does
this worth a check?
================
Comment at: lib/StaticAnalyzer/Checkers/DanglingInternalBufferChecker.cpp:73
+ if (State->contains<RawPtrMap>(TypedR)) {
+ const SymbolRef *StrBufferPtr = State->get<RawPtrMap>(TypedR);
+ const Expr *Origin = Call.getOriginExpr();
----------------
What if no symbol is associated with the region? Won't this return null that we
dereference later on?
================
Comment at: test/Analysis/dangling-internal-buffer.cpp:24
+
+void deref_after_scope_char() {
+ const char *c;
----------------
I would like to see test cases that does not trigger warning.
https://reviews.llvm.org/D47135
_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
