[all-commits] [llvm/llvm-project] 190449: [analyzer] Detect leaks of stack addresses via out...

Arseniy Zaostrovnykh via All-commits all-commits at lists.llvm.org
Tue Aug 27 23:37:21 PDT 2024 

  Branch: refs/heads/main
  Home:   https://github.com/llvm/llvm-project
  Commit: 190449a5d2a9ddfc2180dce11714a4443f0f29f0
      https://github.com/llvm/llvm-project/commit/190449a5d2a9ddfc2180dce11714a4443f0f29f0
  Author: Arseniy Zaostrovnykh <necto.ne at gmail.com>
  Date:   2024-08-28 (Wed, 28 Aug 2024)

  Changed paths:
    M clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
    M clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp
    M clang/lib/StaticAnalyzer/Core/BugReporter.cpp
    M clang/lib/StaticAnalyzer/Core/ExplodedGraph.cpp
    M clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
    M clang/test/Analysis/copy-elision.cpp
    M clang/test/Analysis/incorrect-checker-names.cpp
    M clang/test/Analysis/loop-block-counts.c
    M clang/test/Analysis/stack-addr-ps.c
    M clang/test/Analysis/stack-addr-ps.cpp
    M clang/test/Analysis/stack-capture-leak-no-arc.mm
    M clang/test/Analysis/stackaddrleak.c

  Log Message:
  -----------
  [analyzer] Detect leaks of stack addresses via output params, indirect globals 3/3 (#105648)

Fix some false negatives of StackAddrEscapeChecker:
- Output parameters
  ```
  void top(int **out) {
    int local = 42;
    *out = &local; // Noncompliant
  }
  ```
- Indirect global pointers
  ```
  int **global;

  void top() {
    int local = 42;
    *global = &local; // Noncompliant
  }
  ```

Note that now StackAddrEscapeChecker produces a diagnostic if a function
with an output parameter is analyzed as top-level or as a callee. I took
special care to make sure the reports point to the same primary location
and, in many cases, feature the same primary message. That is the
motivation to modify Core/BugReporter.cpp and Core/ExplodedGraph.cpp

To avoid false positive reports when a global indirect pointer is
assigned a local address, invalidated, and then reset, I rely on the
fact that the invalidation symbol will be a DerivedSymbol of a
ConjuredSymbol that refers to the same memory region.

The checker still has a false negative for non-trivial escaping via a
returned value. It requires a more sophisticated traversal akin to
scanReachableSymbols, which out of the scope of this change.

CPP-4734

---------

This is the last of the 3 stacked PRs, it must not be merged before
https://github.com/llvm/llvm-project/pull/105652 and
https://github.com/llvm/llvm-project/pull/105653



To unsubscribe from these emails, change your notification settings at https://github.com/llvm/llvm-project/settings/notifications

More information about the All-commits mailing list