[clang] [analyzer] Detect use-after-free for field address (e.g., &ptr->field) (PR #152462)
Balazs Benics via cfe-commits
cfe-commits at lists.llvm.org
Fri Aug 8 10:22:33 PDT 2025
https://github.com/steakhal updated https://github.com/llvm/llvm-project/pull/152462
>From 909f0bce1aec9939eeecdaa8c3f0a028f89d96f4 Mon Sep 17 00:00:00 2001
From: LoboQ1ng <xpess at qq.com>
Date: Thu, 7 Aug 2025 16:52:39 +0800
Subject: [PATCH 1/4] [StaticAnalyzer] [MallocChecker] Detect use-after-free
for field address (e.g., &ptr->field)
---
clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
index 369d6194dbb65..ad1d20779f384 100644
--- a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
@@ -3156,8 +3156,14 @@ void MallocChecker::checkPreCall(const CallEvent &Call,
for (unsigned I = 0, E = Call.getNumArgs(); I != E; ++I) {
SVal ArgSVal = Call.getArgSVal(I);
if (isa<Loc>(ArgSVal)) {
- SymbolRef Sym = ArgSVal.getAsSymbol();
- if (!Sym)
+ const MemRegion *MR = ArgSVal.getAsRegion();
+ if (!MR)
+ continue;
+ const MemRegion *BaseRegion = MR->getBaseRegion();
+ SymbolRef Sym = nullptr;
+ if (const auto *SR = dyn_cast<SymbolicRegion>(BaseRegion))
+ Sym = SR->getSymbol();
+ if (!Sym)
continue;
if (checkUseAfterFree(Sym, C, Call.getArgExpr(I)))
return;
>From a19a454b4940b0bc12c765a358eb09088f9f9e46 Mon Sep 17 00:00:00 2001
From: LoboQ1ng <xpess at qq.com>
Date: Thu, 7 Aug 2025 19:19:15 +0800
Subject: [PATCH 2/4] add test case
---
clang/test/Analysis/malloc-checker-arg-uaf.c | 44 ++++++++++++++++++++
1 file changed, 44 insertions(+)
create mode 100644 clang/test/Analysis/malloc-checker-arg-uaf.c
diff --git a/clang/test/Analysis/malloc-checker-arg-uaf.c b/clang/test/Analysis/malloc-checker-arg-uaf.c
new file mode 100644
index 0000000000000..54cfe6633910c
--- /dev/null
+++ b/clang/test/Analysis/malloc-checker-arg-uaf.c
@@ -0,0 +1,44 @@
+// RUN: %clang_analyze_cc1 -analyzer-checker=unix.Malloc -verify %s
+
+#include "Inputs/system-header-simulator-for-malloc.h"
+
+struct Obj {
+ int field;
+};
+
+void use(void *ptr);
+
+void test_direct_param_uaf() {
+ int *p = (int *)malloc(sizeof(int));
+ free(p);
+ use(p); // expected-warning{{Use of memory after it is freed}}
+}
+
+void test_struct_field_uaf() {
+ struct Obj *o = (struct Obj *)malloc(sizeof(struct Obj));
+ free(o);
+ use(&o->field); // expected-warning{{Use of memory after it is freed}}
+}
+
+void test_no_warning_const_int() {
+ use((void *)0x1234); // no-warning
+}
+
+void test_no_warning_stack() {
+ int x = 42;
+ use(&x); // no-warning
+}
+
+void test_nested_alloc() {
+ struct Obj *o = (struct Obj *)malloc(sizeof(struct Obj));
+ use(o); // no-warning
+ free(o);
+ use(o); // expected-warning{{Use of memory after it is freed}}
+}
+
+void test_nested_field() {
+ struct Obj *o = malloc(sizeof(struct Obj));
+ int *f = &o->field;
+ free(o);
+ use(f); // expected-warning{{Use of memory after it is freed}}
+}
\ No newline at end of file
>From dbcf8b4d84a9fad6a2b865cf20751339ff96c2c7 Mon Sep 17 00:00:00 2001
From: LoboQ1ng <xpess at qq.com>
Date: Fri, 8 Aug 2025 10:14:58 +0800
Subject: [PATCH 3/4] Update
clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: DonĂ¡t Nagy <donat.nagy at ericsson.com>
---
clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
index ad1d20779f384..fb7e80f06385d 100644
--- a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
@@ -3156,13 +3156,7 @@ void MallocChecker::checkPreCall(const CallEvent &Call,
for (unsigned I = 0, E = Call.getNumArgs(); I != E; ++I) {
SVal ArgSVal = Call.getArgSVal(I);
if (isa<Loc>(ArgSVal)) {
- const MemRegion *MR = ArgSVal.getAsRegion();
- if (!MR)
- continue;
- const MemRegion *BaseRegion = MR->getBaseRegion();
- SymbolRef Sym = nullptr;
- if (const auto *SR = dyn_cast<SymbolicRegion>(BaseRegion))
- Sym = SR->getSymbol();
+ SymbolRef Sym = ArgSVal.getAsSymbol(/*IncludeBaseRegions=*/true);
if (!Sym)
continue;
if (checkUseAfterFree(Sym, C, Call.getArgExpr(I)))
>From 11715c0a6e8cb982320a9d102fda24ae0553e571 Mon Sep 17 00:00:00 2001
From: Balazs Benics <benicsbalazs at gmail.com>
Date: Fri, 8 Aug 2025 19:21:33 +0200
Subject: [PATCH 4/4] Apply suggestions from code review
---
clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp | 2 +-
clang/test/Analysis/malloc-checker-arg-uaf.c | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
index fb7e80f06385d..efb980962e811 100644
--- a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
@@ -3157,7 +3157,7 @@ void MallocChecker::checkPreCall(const CallEvent &Call,
SVal ArgSVal = Call.getArgSVal(I);
if (isa<Loc>(ArgSVal)) {
SymbolRef Sym = ArgSVal.getAsSymbol(/*IncludeBaseRegions=*/true);
- if (!Sym)
+ if (!Sym)
continue;
if (checkUseAfterFree(Sym, C, Call.getArgExpr(I)))
return;
diff --git a/clang/test/Analysis/malloc-checker-arg-uaf.c b/clang/test/Analysis/malloc-checker-arg-uaf.c
index 54cfe6633910c..d48178ebf09bd 100644
--- a/clang/test/Analysis/malloc-checker-arg-uaf.c
+++ b/clang/test/Analysis/malloc-checker-arg-uaf.c
@@ -1,4 +1,4 @@
-// RUN: %clang_analyze_cc1 -analyzer-checker=unix.Malloc -verify %s
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix.Malloc -verify %s
#include "Inputs/system-header-simulator-for-malloc.h"
@@ -37,8 +37,8 @@ void test_nested_alloc() {
}
void test_nested_field() {
- struct Obj *o = malloc(sizeof(struct Obj));
+ struct Obj *o = (struct Obj *)malloc(sizeof(struct Obj));
int *f = &o->field;
free(o);
use(f); // expected-warning{{Use of memory after it is freed}}
-}
\ No newline at end of file
+}
More information about the cfe-commits
mailing list