[PATCH] D107078: [analyzer] Catch leaking stack addresses via stack variables

Balázs Benics via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Thu Jul 29 07:36:19 PDT 2021


steakhal created this revision.
steakhal added reviewers: NoQ, vsavchenko, martong, Szelethus.
Herald added subscribers: manas, ASDenysPetrov, dkrupp, donat.nagy, mikhail.ramalho, a.sidorin, rnkovacs, szepet, baloghadamsoftware, xazax.hun, whisperity.
steakhal requested review of this revision.
Herald added a project: clang.
Herald added a subscriber: cfe-commits.

Not only global variables can hold references to dead stack variables.
Consider this example:

  void write_stack_address_to(char **q) {
    char local;
    *q = &local; // address of `local` escapes to the caller's variable
  }
  
  void test_stack() {
    char *p;
    write_stack_address_to(&p); // `p` now points into the popped frame
  }

The address of `local` is assigned to `p`, which becomes a dangling
pointer after `write_stack_address_to()` returns.

The `StackAddrEscapeChecker` was looking for bindings in the store which
referred to variables of the popped stack frame, but it only considered
global variables in this regard. This patch relaxes this, catching
stack variable bindings as well.

---

This patch also works for temporary objects like:

  struct Bar {
    const int &ref;
    explicit Bar(int y) : ref(y) { // `ref` binds to the by-value parameter `y`
      // Okay.
    } // End of the constructor call, `ref` is dangling now. Warning!
  };
  
  void test() {
    Bar{33}; // Temporary object, so the corresponding memregion is
             // *not* a VarRegion.
  }



---

The **r**eturn **v**alue **o**ptimization, a.k.a. //copy-elision//, might kick in, but that
is modeled by passing an imaginary `CXXThisRegion` which refers to the
parent stack frame, which is supposed to be the //return slot//.
Objects residing in the //return slot// outlive the scope of the inner
call, thus we should expect no warning about them - except if we
explicitly disable //copy-elision//.


Repository:
  rG LLVM Github Monorepo

https://reviews.llvm.org/D107078

Files:
  clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp
  clang/test/Analysis/copy-elision.cpp
  clang/test/Analysis/cxx-uninitialized-object-ptr-ref.cpp
  clang/test/Analysis/loop-block-counts.c
  clang/test/Analysis/stack-addr-ps.cpp

-------------- next part --------------
A non-text attachment was scrubbed...
Name: D107078.362771.patch
Type: text/x-patch
Size: 16103 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20210729/5d5fc90c/attachment-0001.bin>