I have some questions about CSA invalidation behaviour for the case where some arguments can escape after a call.
1. There is a condition in CallEvent::invalidateRegions():
The contents of PreserveArgs, as changed by findPtrToConstParams(), are used later for setting a special invalidation trait for its items: TK_PreserveContents. But, as I understand it, if some pointer passed to the function can escape, all the pointers passed to the function get invalidated regardless of whether they can escape or not. Why don't we just filter the escaping regions and invalidate them, instead of invalidating all the pointers?
2. For AnyFunctionCall, we think that void* arguments can escape:
    if (CallEvent::argumentsMayEscape() || hasVoidPointerToNonConstArg())
But because of (1), this means that all other pointers passed to such a function (including pointers to const) are invalidated. Checkers that use the argumentsMayEscape() method explicitly check that the call is located in a system header. So, should we move the check for a system header into argumentsMayEscape()? It looks like the commit that introduced this behaviour was targeting system header functions only. And should we avoid the invalidation of pointers to constant memory if some pointer argument can escape?