[clang] [StaticAnalyzer][MallocChecker] Detect use-after-free for field address (e.g., &ptr->field) (PR #152462)
via cfe-commits
cfe-commits at lists.llvm.org
Thu Aug 7 02:07:09 PDT 2025
llvmbot wrote:
<!--LLVM PR SUMMARY COMMENT-->
@llvm/pr-subscribers-clang
Author: None (LoboQ1ng)
<details>
<summary>Changes</summary>
This patch improves MallocChecker to detect use-after-free bugs when
a freed structure's field is passed by address (e.g., `&ptr->field`).
Previously, MallocChecker would miss such cases, as it only checked the top-level symbol of argument values.
This patch analyzes the base region of arguments and extracts the symbolic region (if any), allowing UAF detection even for field address expressions.
---
Full diff: https://github.com/llvm/llvm-project/pull/152462.diff
1 Files Affected:
- (modified) clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp (+8-2)
``````````diff
diff --git a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
index 369d6194dbb65..ad1d20779f384 100644
--- a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
@@ -3156,8 +3156,14 @@ void MallocChecker::checkPreCall(const CallEvent &Call,
for (unsigned I = 0, E = Call.getNumArgs(); I != E; ++I) {
SVal ArgSVal = Call.getArgSVal(I);
if (isa<Loc>(ArgSVal)) {
- SymbolRef Sym = ArgSVal.getAsSymbol();
- if (!Sym)
+ const MemRegion *MR = ArgSVal.getAsRegion();
+ if (!MR)
+ continue;
+ const MemRegion *BaseRegion = MR->getBaseRegion();
+ SymbolRef Sym = nullptr;
+ if (const auto *SR = dyn_cast<SymbolicRegion>(BaseRegion))
+ Sym = SR->getSymbol();
+ if (!Sym)
continue;
if (checkUseAfterFree(Sym, C, Call.getArgExpr(I)))
return;
``````````
</details>
https://github.com/llvm/llvm-project/pull/152462
More information about the cfe-commits
mailing list