hello sir
in my quest of finding a bug ( which ended up being a feature ) along with it’s
source in the analyzer, I tested the code on these 2 code snippets and here’s
how I went towards it
(1)
int main()
{
int *ptr = (int *)malloc(sizeof(int));
return 0;
}
link to running example (https://godbolt.org/z/1jGW1qYez
<https://godbolt.org/z/1jGW1qYez>)
(2)
int definaltly_main()
{
int *ptr = (int *)malloc(sizeof(int));
return 0;
}
link to running example (https://godbolt.org/z/bzjMYex4M
<https://godbolt.org/z/bzjMYex4M>)
where on second snipper analyzer is warning us about the leak as it should be,
but in the first one it isn’t.
and as the gimple representation of both looks exactly the same apart from
function name, which made me think that either intentionally or
unintentionally, analyzer handles case of main() differently than any other
function.
so while looking at it’s exploded graphs I found out that the only 2
differences in them
1. There is one less exploded node(after node E-8) created in first one ( I
earlier thought state merging or state pruning is taking place here but it
isn’t because the results are not affected even after disabling those using
`-fno-analyzer-state-purge` and `-fno-analyzer-state-merge` options )
2. no diagnosis for malloc leak happening at the end of first one even though
there exist a pointer in unchecked state at the end ( according to the malloc
state machine )
In quest to find the cause I started navigating through the source code of the
analyser starting off with the run_checkers() function in engine.cc which looks
like the entry point of the analyser ( found via the commit history of the
analyzer ). But finally it ended at
`impl_region_model_context::on_state_leak()` function where I found out that
analyzer is intentionally skipping the leak report when it is in main.
This gave rise to some questions
1. why does the analyzer make exceptions with the main() function ?
2. even if it is not complaining about the leak then this still doesn’t explain
the reason for one less exploded node in this case of main() function.
thanks
- Ankur
