[cfe-dev] [Clang Static Analyzer] Lifetime checker

Bhargava Shastry via cfe-dev cfe-dev at lists.llvm.org
Mon Dec 21 01:56:49 PST 2015

Hi all,

I am starting work on a cppcoreguidelines [1] checker related to object
lifetime in C++ code. In the long term, the idea is to make the
`NewDeleteChecker` more robust by modeling STL functions. Afaik, the
`NewDeleteChecker` already catches local use-after-free and mem-leak
bugs. However, as [1] suggests, the long-term view is to conservatively
flag scenarios where dangling pointers can be created.

After experimenting with Clang SA checkers, I concluded that in the
short term, it would be nice to model lifetime of stack vars. Something
as simple as the following example:

1 #include <cstddef>
2 void f() {
3   int* p = NULL;
4   {
5     int i = 0;
6     p = &i;
7     *p = 42; // ok
8   } // i's lifetime ends here
9   *p = 1; // ERROR, p was invalidated when i went out of scope
10 }

The `StackAddressEscape` checker flags a warning when the address of a
stack-local variable is returned or assigned to a global. But there,
lifetime is `modeled` by simply checking if addresses can escape a stack
frame. More fine-grained checking (scopes) is missing.

1. Why doesn't Clang SA proper mark `i` as dead on Line 9?
2. What is the missing code that can link `i`'s lifetime to the validity of `p`?

I would be happy to contribute patches to catch this simple case.
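As an added illustration (not code from the message or from Clang), the scope-tracking state that question 2 asks about, sketched as a toy Python model: a program is a constructed list of (line, op, ...) events, each pointer is bound to the scope depth of its pointee, and every pointer into a scope is marked dangling when that scope exits, so the dereference on line 9 of f() is reported while line 7 is not. The event names and the State fields are assumptions of this sketch, not Clang's ProgramState API.

```python
from dataclasses import dataclass, field

@dataclass
class State:
    scopes: list = field(default_factory=lambda: [set()])  # live vars per scope, [0] = function
    points_to: dict = field(default_factory=dict)         # ptr -> (var, depth of var's scope)
    dangling: set = field(default_factory=set)            # ptrs whose pointee has died
    diagnostics: list = field(default_factory=list)       # (line, message)

def analyze(program):
    """program: list of (line, op, *args); ops are enter | exit | decl v |
    addr p v (p = &v) | assign p q (p = q) | deref p (*p). Returns diagnostics."""
    st = State()
    for line, op, *args in program:
        if op == "enter":                        # opening brace
            st.scopes.append(set())
        elif op == "decl":                       # variable lives in the current scope
            st.scopes[-1].add(args[0])
        elif op == "addr":                       # p = &v: bind p to v's scope depth
            p, v = args
            st.points_to[p] = (v, max((d for d, s in enumerate(st.scopes) if v in s), default=0))
            st.dangling.discard(p)
        elif op == "assign":                     # p = q: p inherits q's pointee and its status
            p, q = args
            if q in st.points_to:
                st.points_to[p] = st.points_to[q]
            else:
                st.points_to.pop(p, None)
            (st.dangling.add if q in st.dangling else st.dangling.discard)(p)
        elif op == "deref":                      # *p: report if the pointee's scope has ended
            p = args[0]
            if p in st.dangling:
                st.diagnostics.append((line, f"'{p}' used after '{st.points_to[p][0]}' went out of scope"))
        elif op == "exit":                       # closing brace: pointers into this scope dangle
            depth = len(st.scopes) - 1
            st.scopes.pop()
            for p, (_, d) in st.points_to.items():
                if d == depth:
                    st.dangling.add(p)
    return st.diagnostics

# Constructed encoding of f() from the message; line numbers match its listing.
F_EXAMPLE = [(3, "decl", "p"), (4, "enter"), (5, "decl", "i"), (6, "addr", "p", "i"),
             (7, "deref", "p"), (8, "exit"), (9, "deref", "p")]

if __name__ == "__main__":
    for line, msg in analyze(F_EXAMPLE):
        print(f"line {line}: {msg}")
```

The same state also catches a copy of the pointer that outlives the scope (q = p inside the block, *q after it), and stops reporting once the pointer is rebound to a still-live variable.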
