caio/clang-p2996
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
41a94de75caacb979070ec7a010dfe3c4e9f116f
clang-p2996/clang/test/Analysis/loop-block-counts.c
Arseniy Zaostrovnykh 190449a5d2 [analyzer] Detect leaks of stack addresses via output params, indirect globals 3/3 (#105648) 
Fix some false negatives of StackAddrEscapeChecker:
- Output parameters
  ```
  void top(int **out) {
    int local = 42;
    *out = &local; // Noncompliant
  }
  ```
- Indirect global pointers
  ```
  int **global;

  void top() {
    int local = 42;
    *global = &local; // Noncompliant
  }
  ```

Note that now StackAddrEscapeChecker produces a diagnostic if a function
with an output parameter is analyzed as top-level or as a callee. I took
special care to make sure the reports point to the same primary location
and, in many cases, feature the same primary message. That is the
motivation to modify Core/BugReporter.cpp and Core/ExplodedGraph.cpp

To avoid false positive reports when a global indirect pointer is
assigned a local address, invalidated, and then reset, I rely on the
fact that the invalidation symbol will be a DerivedSymbol of a
ConjuredSymbol that refers to the same memory region.

The checker still has a false negative for non-trivial escaping via a
returned value. It requires a more sophisticated traversal akin to
scanReachableSymbols, which out of the scope of this change.

CPP-4734

---------

This is the last of the 3 stacked PRs, it must not be merged before
https://github.com/llvm/llvm-project/pull/105652 and
https://github.com/llvm/llvm-project/pull/105653
2024-08-28 08:36:59 +02:00

30 lines
730 B
C
Raw Blame History

// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -verify %s
void clang_analyzer_eval(int);
void callee(void **p) {
int x;
*p = &x;
// expected-warning@-1 {{Address of stack memory associated with local \
variable 'x' is still referred to by the caller variable 'arr' upon \
returning to the caller}}
}
void loop(void) {
void *arr[2];
for (int i = 0; i < 2; ++i)
callee(&arr[i]);
// FIXME: Should be UNKNOWN.
clang_analyzer_eval(arr[0] == arr[1]); // expected-warning{{FALSE}}
}
void loopWithCall(void) {
void *arr[2];
for (int i = 0; i < 2; ++i) {
int x;
arr[i] = &x;
}
// FIXME: Should be UNKNOWN.
clang_analyzer_eval(arr[0] == arr[1]); // expected-warning{{TRUE}}
}
Reference in New Issue View Git Blame Copy Permalink