[clang] 73dcbd4 - [analyzer] Fix StackAddrEscapeChecker crash on temporary object fields (#66493)

via cfe-commits cfe-commits at lists.llvm.org
Wed Sep 20 04:54:25 PDT 2023


Author: Balazs Benics
Date: 2023-09-20T13:54:21+02:00
New Revision: 73dcbd411b4573a4283d30307e48fde0f84423e5

URL: https://github.com/llvm/llvm-project/commit/73dcbd411b4573a4283d30307e48fde0f84423e5
DIFF: https://github.com/llvm/llvm-project/commit/73dcbd411b4573a4283d30307e48fde0f84423e5.diff

LOG: [analyzer] Fix StackAddrEscapeChecker crash on temporary object fields (#66493)

Basically, the issue was that the referrer region should have been unwrapped to
its base region before the special handling of temporary object regions.

Fixes https://github.com/llvm/llvm-project/issues/66221

I also decided to add some extra range information to the diagnostics
to make it consistent with the other reporting path.

Added: 
    clang/test/Analysis/stackaddrleak.cpp

Modified: 
    clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp

Removed: 
    


################################################################################
diff  --git a/clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp
index 19ff8c8e2a171ae..ea09c43cc5ce90d 100644
--- a/clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp
@@ -369,7 +369,7 @@ void StackAddrEscapeChecker::checkEndFunction(const ReturnStmt *RS,
                                   "Stack address stored into global variable");
 
   for (const auto &P : Cb.V) {
-    const MemRegion *Referrer = P.first;
+    const MemRegion *Referrer = P.first->getBaseRegion();
     const MemRegion *Referred = P.second;
 
     // Generate a report for this bug.
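Review bot: The switch to `P.first->getBaseRegion()` on the `Referrer` line carries no comment saying why the unwrap has to happen before the temporary-object handling further down, which per the log is the entire fix; a reader of the loop alone cannot tell that a field or element sub-region of a temporary was previously reaching that check still wrapped. Suggest `// Unwrap field/element sub-regions first: the temporary-object check below must see the base region (#66221).` Leaving `Referred` unwrapped looks intentional, since only the referrer is reported by name, but that asymmetry is worth a word too. checkEndFunction starts before and continues past this hunk.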
@@ -384,6 +384,8 @@ void StackAddrEscapeChecker::checkEndFunction(const ReturnStmt *RS,
           << CommonSuffix;
       auto Report =
           std::make_unique<PathSensitiveBugReport>(*BT_stackleak, Out.str(), N);
+      if (Range.isValid())
+        Report->addRange(Range);
       Ctx.emitReport(std::move(Report));
       return;
     }
@@ -397,8 +399,14 @@ void StackAddrEscapeChecker::checkEndFunction(const ReturnStmt *RS,
       return "stack";
     }(Referrer->getMemorySpace());
 
-    // This cast supposed to succeed.
-    const VarRegion *ReferrerVar = cast<VarRegion>(Referrer->getBaseRegion());
+    // We should really only have VarRegions here.
+    // Anything else is really surprising, and we should get notified if such
+    // ever happens.
+    const auto *ReferrerVar = dyn_cast<VarRegion>(Referrer);
+    if (!ReferrerVar) {
+      assert(false && "We should have a VarRegion here");
+      continue; // Defensively skip this one.
+    }
     const std::string ReferrerVarName =
         ReferrerVar->getDecl()->getDeclName().getAsString();
 
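Review bot: The `continue` after `assert(false && ...)` is only reachable in builds without assertions, and the comment `// Defensively skip this one.` does not say so, so a maintainer may take it for an exercised path; suggest `// Unreachable with asserts on; in release builds drop the entry rather than crash on a bad cast.` An equivalent that avoids an always-false assert is `assert(isa<VarRegion>(Referrer) && "We should have a VarRegion here");` before the `dyn_cast`, keeping `if (!ReferrerVar) continue;` (assuming the usual llvm casting helpers are in scope here). The `Referrer->getMemorySpace()` call just above already dereferences the region, so the order of the checks is fine. checkEndFunction continues past this hunk.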

diff  --git a/clang/test/Analysis/stackaddrleak.cpp b/clang/test/Analysis/stackaddrleak.cpp
new file mode 100644
index 000000000000000..3daffb35a6cd9a6
--- /dev/null
+++ b/clang/test/Analysis/stackaddrleak.cpp
@@ -0,0 +1,25 @@
+// RUN: %clang_analyze_cc1 -analyzer-checker=core -verify %s
+
+using size_t = decltype(sizeof(int));
+void *operator new(size_t, void *p) { return p; }
+
+struct myfunction {
+  union storage_t {
+    char buffer[100];
+    size_t max_align;
+  } storage;
+
+  template <typename Func> myfunction(Func fn) {
+    new (&storage.buffer) Func(fn);
+  }
+  void operator()();
+};
+
+myfunction create_func() {
+  int n;
+  auto c = [&n] {};
+  return c; // expected-warning {{Address of stack memory associated with local variable 'n' is still referred to by a temporary object on the stack upon returning to the caller.  This will be a dangling reference}}
+}
+void gh_66221() {
+  create_func()();
+}
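Review bot: The test pins the crash fix through the expected-warning text on the `return c;` line, but nothing exercises the new `Report->addRange(Range)` path, because `-verify` matches only the message; if range parity with the other reporting path is a goal, a plist or `-analyzer-output=text` check would cover it. The connection between `myfunction` and the "temporary object" in the diagnostic is implicit, so a comment on the constructor such as `// Placement-new copies the closure (and its reference to 'n') into the temporary's storage.` would make the repro self-explanatory. The warning presumably fires because the returned `myfunction` is materialized as a temporary that still holds the reference to `n` — confirm that is the intended report path rather than a side effect of the union buffer.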


        

