[clang] [analyzer] Detect leaks of stack addresses via output params, indirect globals 3/3 (PR #105648)

Mikael Holmén via cfe-commits cfe-commits at lists.llvm.org
Thu Aug 29 02:28:29 PDT 2024


mikaelholmen wrote:

Hello,

The following starts crashing with this patch:
```
clang -cc1 -analyze -analyzer-checker=core bbi-98571.c
```
Result:
```
bbi-98571.c:2:14: warning: expected ';' at end of declaration list
    2 |   struct a *b
      |              ^
      |              ;
bbi-98571.c:5:8: warning: expected ';' at end of declaration list
    5 |   int d
      |        ^
      |        ;
bbi-98571.c:11:4: warning: passing arguments to 'f' without a prototype is deprecated in all versions of C and is not supported in C23 [-Wdeprecated-non-prototype]
   11 |   f(h);
      |    ^
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0.	Program arguments: build-all/bin/clang -cc1 -analyze -analyzer-checker=core bbi-98571.c
1.	<eof> parser at end of file
2.	While analyzing stack: 
	#0 Calling g
 #0 0x0000555c2d234d97 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (build-all/bin/clang+0x7f7cd97)
 #1 0x0000555c2d2328fe llvm::sys::RunSignalHandlers() (build-all/bin/clang+0x7f7a8fe)
 #2 0x0000555c2d23545f SignalHandler(int) Signals.cpp:0:0
 #3 0x00007f49e8845cf0 __restore_rt (/lib64/libpthread.so.0+0x12cf0)
 #4 0x0000555c2f3124a8 clang::ento::MemRegion::getBaseRegion() const (build-all/bin/clang+0xa05a4a8)
 #5 0x0000555c2f0f5d82 (anonymous namespace)::StackAddrEscapeChecker::checkEndFunction(clang::ReturnStmt const*, clang::ento::CheckerContext&) const::CallBack::HandleBinding(clang::ento::StoreManager&, void const*, clang::ento::MemRegion const*, clang::ento::SVal) StackAddrEscapeChecker.cpp:0:0
 #6 0x0000555c2f351937 (anonymous namespace)::RegionStoreManager::iterBindings(void const*, clang::ento::StoreManager::BindingsHandler&) RegionStore.cpp:0:0
 #7 0x0000555c2f0f51c5 void clang::ento::check::EndFunction::_checkEndFunction<(anonymous namespace)::StackAddrEscapeChecker>(void*, clang::ReturnStmt const*, clang::ento::CheckerContext&) StackAddrEscapeChecker.cpp:0:0
 #8 0x0000555c2f29ee6a clang::ento::CheckerManager::runCheckersForEndFunction(clang::ento::NodeBuilderContext&, clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNode*, clang::ento::ExprEngine&, clang::ReturnStmt const*) (build-all/bin/clang+0x9fe6e6a)
 #9 0x0000555c2f2d3c96 clang::ento::ExprEngine::processEndOfFunction(clang::ento::NodeBuilderContext&, clang::ento::ExplodedNode*, clang::ReturnStmt const*) (build-all/bin/clang+0xa01bc96)
#10 0x0000555c2f2a8e63 clang::ento::CoreEngine::HandleBlockEdge(clang::BlockEdge const&, clang::ento::ExplodedNode*) (build-all/bin/clang+0x9ff0e63)
#11 0x0000555c2f2a870a clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) (build-all/bin/clang+0x9ff070a)
#12 0x0000555c2f2a801a clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) (build-all/bin/clang+0x9ff001a)
#13 0x0000555c2ee23955 (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*, void>>*) AnalysisConsumer.cpp:0:0
#14 0x0000555c2edfc78b (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) AnalysisConsumer.cpp:0:0
#15 0x0000555c2f3a7ea7 clang::ParseAST(clang::Sema&, bool, bool) (build-all/bin/clang+0xa0efea7)
#16 0x0000555c2def1e80 clang::FrontendAction::Execute() (build-all/bin/clang+0x8c39e80)
#17 0x0000555c2de5e5bf clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (build-all/bin/clang+0x8ba65bf)
#18 0x0000555c2dfdfa8e clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (build-all/bin/clang+0x8d27a8e)
#19 0x0000555c2aaa0576 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (build-all/bin/clang+0x57e8576)
#20 0x0000555c2aa9cd1d ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&, llvm::ToolContext const&) driver.cpp:0:0
#21 0x0000555c2aa9ba64 clang_main(int, char**, llvm::ToolContext const&) (build-all/bin/clang+0x57e3a64)
#22 0x0000555c2aaad347 main (build-all/bin/clang+0x57f5347)
#23 0x00007f49e63ead85 __libc_start_main (/lib64/libc.so.6+0x3ad85)
#24 0x0000555c2aa9a62e _start (build-all/bin/clang+0x57e262e)
Segmentation fault (core dumped)
```
[bbi-98571.c.gz](https://github.com/user-attachments/files/16796839/bbi-98571.c.gz)


https://github.com/llvm/llvm-project/pull/105648