llvm / llvm-project

The LLVM Project is a collection of modular and reusable compiler and toolchain technologies.
http://llvm.org

Analyzer: tuple.h raises "Use of memory after it is freed" error for unique_ptr::reset() #31580

Open llvmbot opened 7 years ago

llvmbot commented 7 years ago
Bugzilla Link 32232
Version unspecified
OS Linux
Reporter LLVM Bugzilla Contributor
CC @AnnaZaks

Extended Description

The static analyzer is raising a use-after-free error in the context of a call to unique_ptr::reset().

LLVM version: clang version 5.0.0 (trunk 296321)

Platform: Linux; target: Linux

Code: https://cs.chromium.org/chromium/src/ipc/ipc_mojo_bootstrap.cc?rcl=8c9318ff000fb082c3e33eab2cb7758fcd868a27&l=127

Log:

In file included from ../../ipc/ipc_mojo_bootstrap.cc:5:
In file included from ../../ipc/ipc_mojo_bootstrap.h:10:
In file included from ../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/memory:80:
In file included from ../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/functional:56:
../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/tuple:103:38: warning: Use of memory after it is freed
      _Head& _M_head() { return _M_head_impl; }
                                ^
../../ipc/ipc_mojo_bootstrap.cc:880:5: note: Calling 'ChannelAssociatedGroupController::ShutDown'
    controller->ShutDown();
    ^~~~~~~
../../ipc/ipc_mojo_bootstrap.cc:126:5: note: Calling 'ChannelAssociatedGroupController::OnPipeError'
    OnPipeError();
    ^~~~~
../../ipc/ipc_mojo_bootstrap.cc:610:5: note: Loop condition is false.  Execution continues on line 620
    for (auto iter = endpoints_.begin(); iter != endpoints_.end();) {
    ^
../../ipc/ipc_mojo_bootstrap.cc:626:3: note: Calling '~scoped_refptr'
  }
  ^
../../base/memory/ref_counted.h:310:5: note: Taking true branch
    if (ptr)
    ^
../../base/memory/ref_counted.h:311:7: note: Calling 'scoped_refptr::Release'
      Release(ptr);
      ^~~~~
../../base/memory/ref_counted.h:409:3: note: Calling 'RefCountedThreadSafe::Release'
  ptr->Release();
  ^~~~~~
../../base/memory/ref_counted.h:184:9: note: Assuming the condition is true
    if (subtle::RefCountedThreadSafeBase::Release()) {
        ^~~~~~~~~~~
../../base/memory/ref_counted.h:184:5: note: Taking true branch
    if (subtle::RefCountedThreadSafeBase::Release()) {
    ^
../../base/memory/ref_counted.h:185:7: note: Calling 'DefaultRefCountedThreadSafeTraits::Destruct'
      Traits::Destruct(static_cast<const T*>(this));
      ^~~~~~~~~~~~~
../../base/memory/ref_counted.h:157:5: note: Calling 'RefCountedThreadSafe::DeleteInternal'
    RefCountedThreadSafe<T,
    ^~~~~~~
../../base/memory/ref_counted.h:194:44: note: Memory is released
  static void DeleteInternal(const T* x) { delete x; }
                                           ^~~~
../../base/memory/ref_counted.h:157:5: note: Returning; memory was released via 1st parameter
    RefCountedThreadSafe<T,
    ^~~~~~~
../../base/memory/ref_counted.h:185:7: note: Returning; memory was released via 1st parameter
      Traits::Destruct(static_cast<const T*>(this));
      ^~~~~~~~~~~~~
../../base/memory/ref_counted.h:409:3: note: Returning; memory was released
  ptr->Release();
  ^~~~~~
../../base/memory/ref_counted.h:311:7: note: Returning; memory was released via 1st parameter
      Release(ptr);
      ^~~~~
../../ipc/ipc_mojo_bootstrap.cc:626:3: note: Returning from '~scoped_refptr'
  }
  ^
../../ipc/ipc_mojo_bootstrap.cc:126:5: note: Returning; memory was released
    OnPipeError();
    ^~~~~
../../ipc/ipc_mojo_bootstrap.cc:127:5: note: Calling 'unique_ptr::reset'
    connector_.reset();
    ^~~~~~
../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:243:7: note: Calling 'get'
      swap(std::get<0>(_M_t), p);
      ^~~~~
../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/tuple:532:14: note: Calling '__get_helper'
    { return __get_helper<__i>(__t); }
             ^~~~~~
../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/tuple:518:14: note: Calling '_Tuple_impl::_M_head'
    { return __t._M_head(); }
             ^~~~~
../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/tuple:151:50: note: Calling '_Head_base::_M_head'
      _Head& _M_head() { return _Base::_M_head(); }
                                ^~~~
../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/tuple:103:38: note: Use of memory after it is freed
      _Head& _M_head() { return _M_head_impl; }
                                ^ ~~~~
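The path the analyzer walks above, reduced to a stand-alone program. This is an added illustration, not code from Chromium, libstdc++ or LLVM; the classes RefCounted, RefPtr, Controller and Connector, and the "endpoint that holds a reference back to its controller", are assumptions chosen to mirror the report's frames (RefCountedThreadSafe::Release deleting this, a scoped_refptr destroyed inside OnPipeError, then unique_ptr::reset on a member). The decisive step in the report is "Assuming the condition is true" at ref_counted.h:184: Release() dropping the last reference is only possible if the caller of ShutDown() at line 880 holds no reference of its own, which is outside what the analyzer sees at that point. The example makes that dependency observable without committing the use-after-free (it records destruction through a stack flag and stops before the member access), and shows the usual keep-alive fix.

```cpp
#include <cstdio>
#include <memory>

// Minimal intrusive refcount, modelled on the RefCountedThreadSafeBase /
// RefCountedThreadSafe pair in the report; single-threaded and hypothetical.
class RefCounted {
 public:
  void AddRef() { ++ref_count_; }
  // True when this call dropped the last reference; the owner then deletes.
  bool Release() { return --ref_count_ == 0; }
 protected:
  virtual ~RefCounted() = default;
 private:
  int ref_count_ = 0;
};

// Minimal scoped_refptr-like owner (hypothetical).
template <typename T>
class RefPtr {
 public:
  RefPtr() = default;
  explicit RefPtr(T* p) : ptr_(p) { if (ptr_) ptr_->AddRef(); }
  RefPtr(const RefPtr& o) : RefPtr(o.ptr_) {}
  RefPtr& operator=(const RefPtr&) = delete;
  ~RefPtr() { reset(); }
  // Null the member before releasing: once Release() returns true the pointee
  // (which may own this very RefPtr) is deleted and no member may be touched.
  void reset(T* p = nullptr) {
    if (p) p->AddRef();
    T* old = ptr_;
    ptr_ = p;
    if (old && old->Release()) delete old;
  }
  T* operator->() const { return ptr_; }
 private:
  T* ptr_ = nullptr;
};

struct Connector { int id = 0; };

class Controller : public RefCounted {
 public:
  Controller() : connector_(new Connector) {}
  ~Controller() override { if (destroyed_flag_) *destroyed_flag_ = true; }

  // An endpoint registered with the controller that refers back to it
  // (assumption standing in for the endpoints_ map in the report).
  void RegisterSelfReferencingEndpoint() { endpoint_.reset(this); }

  // Mirrors the report: OnPipeError() destroys a RefPtr that may hold the last
  // reference to |this|; connector_.reset() then touches a member. Returns true
  // if |this| was already destroyed at that point (the example stops there
  // instead of performing the use-after-free the analyzer warns about).
  bool ShutDownUnsafe() {
    bool destroyed = false;           // stack flag, still readable after delete
    destroyed_flag_ = &destroyed;
    OnPipeError();
    if (destroyed) return true;       // member access here would be the UAF
    connector_.reset();
    destroyed_flag_ = nullptr;
    return false;
  }

  // Same sequence with the usual fix: pin |this| for the duration of the call,
  // so no Release() inside OnPipeError() can be the last one.
  bool ShutDownSafe() {
    RefPtr<Controller> keep_alive(this);
    bool destroyed = false;
    destroyed_flag_ = &destroyed;
    OnPipeError();
    if (destroyed) return true;       // unreachable with the pin in place
    connector_.reset();               // |this| is alive
    destroyed_flag_ = nullptr;
    return false;                     // keep_alive may delete |this| on exit
  }

 private:
  void OnPipeError() { endpoint_.reset(); }  // may run ~Controller via Release()

  std::unique_ptr<Connector> connector_;
  RefPtr<Controller> endpoint_;
  bool* destroyed_flag_ = nullptr;
};

// Case 1: caller has only a raw pointer and the endpoint holds the sole
// reference, so the analyzer's "Release() returned true" branch is real.
bool UnsafeShutDownWithoutCallerReference() {
  Controller* raw = new Controller;
  raw->RegisterSelfReferencingEndpoint();   // refcount 1, held by the object itself
  return raw->ShutDownUnsafe();             // true: deleted inside OnPipeError()
}

// Case 2: same ownership, ShutDown pins |this| first.
bool SafeShutDownWithoutCallerReference() {
  Controller* raw = new Controller;
  raw->RegisterSelfReferencingEndpoint();
  return raw->ShutDownSafe();               // false; keep_alive frees it on return
}

// Case 3: the caller owns a reference (like a scoped_refptr<Controller> at the
// ShutDown() call site); the released endpoint cannot be the last reference.
bool UnsafeShutDownWithCallerReference() {
  RefPtr<Controller> controller(new Controller);
  controller->RegisterSelfReferencingEndpoint();
  return controller->ShutDownUnsafe();      // false; freed when |controller| dies
}

int main() {
  std::printf("no caller ref, unsafe: destroyed before member access = %d\n",
              UnsafeShutDownWithoutCallerReference());
  std::printf("no caller ref, pinned: destroyed before member access = %d\n",
              SafeShutDownWithoutCallerReference());
  std::printf("caller ref, unsafe:    destroyed before member access = %d\n",
              UnsafeShutDownWithCallerReference());
  return 0;
}
```

Running the unsafe case under a sanitizer or the analyzer with the stop removed would report the same shape of path as the log: the release chain ends in delete, and the next member access reads freed memory through a standard-library accessor (here unique_ptr::reset, in the log the tuple head it is implemented with), which is why the warning lands in tuple.h rather than in the caller.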

0f73b9cf-134f-41af-a8b1-14d9f305ee95 commented 7 years ago

Included this internally in rdar://problem/30958661 Re-enable reporting bugs that end in C++ stdlib

llvmbot commented 7 years ago

assigned to @tkremenek