<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
<a href="https://github.com/llvm/llvm-project/issues/152446">152446</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            Clang Static Analyzer (MallocChecker) misses use-after-free via field address (e.g. &ptr->field)
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            clang
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          LoboQ1ng
      </td>
    </tr>
</table>

<pre>
Clang Static Analyzer's `MallocChecker` currently **fails to detect use-after-free** when the memory is accessed via the address of a field inside a freed structure.

For example, the following use-after-free goes undetected:

```c
#include <stdlib.h>

struct Obj {
  int field;
};

void use(void *);

void test() {
  struct Obj *o = malloc(sizeof(struct Obj));
  free(o);
  use(&o->field); // ⚠️ No warning reported by CSA (MallocChecker)
}
```
In this example, the heap memory pointed to by `o` has been freed, yet `&o->field` is passed to a function. This is a classic use-after-free bug, but `MallocChecker` does not currently report it.

## Root Cause
In MallocChecker.cpp, argument checking currently relies on:
```cpp
SymbolRef Sym = ArgSVal.getAsSymbol();
```
This fails for field address expressions like `&ptr->field`, because such expressions produce a `MemRegionVal`, and `getAsSymbol()` does not extract the base symbol in those cases.
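To make the root cause concrete, here is a small self-contained model of the lookup described above. This is an added illustration, not Clang's code: `Symbol`, `MemRegion`, `SymbolicRegion`, `FieldRegion`, `SVal` and `getAsSymbolIncludingBase` are simplified stand-ins for the analyzer's concepts, and the freed-symbol vector stands in for the checker's program state. It shows why a lookup that only accepts a region that is itself symbolic misses `&o->field`, while walking up to the base region recovers the malloc'd block's symbol.

```cpp
#include <algorithm>
#include <cstdio>
#include <string>
#include <vector>

// A symbol stands for an unknown runtime value, e.g. the pointer malloc() returned.
struct Symbol {
  std::string Name;
};

// Minimal region hierarchy (toy model). In the analyzer, `&o->field` is a
// field region whose super-region is the symbolic region of the heap block.
struct MemRegion {
  virtual ~MemRegion() = default;
  virtual const MemRegion *getSuperRegion() const { return nullptr; }
  // Walk super-regions up to the outermost one.
  const MemRegion *getBaseRegion() const {
    const MemRegion *R = this;
    while (const MemRegion *S = R->getSuperRegion())
      R = S;
    return R;
  }
};

struct SymbolicRegion : MemRegion {
  const Symbol *Sym;
  explicit SymbolicRegion(const Symbol *S) : Sym(S) {}
};

struct FieldRegion : MemRegion {
  const MemRegion *Super;
  std::string FieldName;
  FieldRegion(const MemRegion *S, std::string F) : Super(S), FieldName(std::move(F)) {}
  const MemRegion *getSuperRegion() const override { return Super; }
};

// An SVal here is just the address of a region (the value of `o` or of `&o->field`).
struct SVal {
  const MemRegion *Region = nullptr;

  // Models the lookup the report describes: only a region that is itself
  // symbolic yields a symbol. A FieldRegion yields nullptr.
  const Symbol *getAsSymbol() const {
    if (auto *SR = dynamic_cast<const SymbolicRegion *>(Region))
      return SR->Sym;
    return nullptr;
  }

  // Hardened lookup (assumed fix shape): fall back to the base region, so an
  // address derived from a freed block still maps to that block's symbol.
  const Symbol *getAsSymbolIncludingBase() const {
    if (const Symbol *S = getAsSymbol())
      return S;
    if (!Region)
      return nullptr;
    if (auto *SR = dynamic_cast<const SymbolicRegion *>(Region->getBaseRegion()))
      return SR->Sym;
    return nullptr;
  }
};

// The checker's decision: is the argument backed by a block already freed?
bool reportsUseAfterFree(const SVal &Arg, const std::vector<const Symbol *> &Freed,
                         bool IncludeBase) {
  const Symbol *S = IncludeBase ? Arg.getAsSymbolIncludingBase() : Arg.getAsSymbol();
  return S && std::find(Freed.begin(), Freed.end(), S) != Freed.end();
}

// Scenario from the report: o = malloc(...); free(o); use(&o->field);
// Returns whether the checker would flag the use of `&o->field`.
bool fieldAddressFlagged(bool IncludeBase) {
  Symbol Heap{"conj_malloc_o"};               // constructed symbol name
  SymbolicRegion Block(&Heap);                // region of the heap block
  FieldRegion Field(&Block, "field");         // region of o->field
  std::vector<const Symbol *> Freed{&Heap};   // state after free(o)
  SVal Arg;
  Arg.Region = &Field;                        // value of &o->field
  return reportsUseAfterFree(Arg, Freed, IncludeBase);
}

// Control case: use(o) after free(o) is flagged by either lookup.
bool directUseFlagged(bool IncludeBase) {
  Symbol Heap{"conj_malloc_o"};
  SymbolicRegion Block(&Heap);
  std::vector<const Symbol *> Freed{&Heap};
  SVal Arg;
  Arg.Region = &Block;                        // value of o
  return reportsUseAfterFree(Arg, Freed, IncludeBase);
}

int main() {
  std::printf("use(o)        direct=%d base=%d\n", directUseFlagged(false), directUseFlagged(true));
  std::printf("use(&o->field) direct=%d base=%d\n", fieldAddressFlagged(false), fieldAddressFlagged(true));
  return 0;
}
```

The model reproduces the gap: the direct use is flagged either way, while the field address is only flagged once the lookup consults the base region. Any real fix in `MallocChecker.cpp` would need to be expressed with the analyzer's own `SVal`/`MemRegion` API rather than these stand-ins.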
</pre>