This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
8/9
StackAddrEscapeChecker.cpp
-
test/Analysis/
-
Analysis/
6/7
copy-elision.cpp
-
cxx-uninitialized-object-ptr-ref.cpp
-
loop-block-counts.c
-
stack-addr-ps.cpp

Differential D107078

[analyzer] Catch leaking stack addresses via stack variables
ClosedPublic

Authored by steakhal on Jul 29 2021, 7:36 AM.

Download Raw Diff

Details

Reviewers

NoQ
vsavchenko
martong
Szelethus

Commits

rG6ad47e1c4fbf: [analyzer] Catch leaking stack addresses via stack variables

Summary

Not only global variables can hold references to dead stack variables.
Consider this example:

void write_stack_address_to(char **q) {
  char local;
  *q = &local;
}

void test_stack() {
  char *p;
  write_stack_address_to(&p);
}

The address of local is assigned to p, which becomes a dangling
pointer after write_stack_address_to() returns.

The StackAddrEscapeChecker was looking for bindings in the store which
referred to variables of the popped stack frame, but it only considered
global variables in this regard. This patch relaxes this, catching
stack variable bindings as well.

This patch also works for temporary objects like:

struct Bar {
  const int &ref;
  explicit Bar(int y) : ref(y) {
    // Okay.
  } // End of the constructor call, `ref` is dangling now. Warning!
};

void test() {
  Bar{33}; // Temporary object, so the corresponding memregion is
           // *not* a VarRegion.
}

The return value optimization aka. copy-elision might kick in but that
is modeled by passing an imaginary CXXThisRegion which refers to the
parent stack frame which is supposed to be the return slot.
Objects residing in the return slot outlive the scope of the inner
call, thus we should expect no warning about them - except if we
explicitly disable copy-elision.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

steakhal created this revision.Jul 29 2021, 7:36 AM

Herald added subscribers: manas, ASDenysPetrov, dkrupp and 8 others. · View Herald TranscriptJul 29 2021, 7:36 AM

steakhal requested review of this revision.Jul 29 2021, 7:36 AM

Herald added a project: Restricted Project. · View Herald TranscriptJul 29 2021, 7:36 AM

Herald added a subscriber: cfe-commits. · View Herald Transcript

Remove the CXXThisRegion edge case handling.

This is awesome!

clang/test/Analysis/copy-elision.cpp
9–10	Should we use `-verify=no-elide` here as well? Since we set the `DNO_ELIDE_FLAG`?
195	It would be useful to have a test with `// RUN: -analyzer-output=text \` to make sure that we have a note placed for `v` at `consume(make3(v))`. Do we have such a note? This could be done perhaps in another test file.

Thanks for the quick response.

clang/test/Analysis/copy-elision.cpp
9–10	According to the comment a few lines below: Copy elision always occurs in C++17, otherwise it's under an on-by-default flag. So I think even though one passes the `elide-constructors=false` analyzer config, we follow the language semantics, which requires us to elide those copies, thus no copy should happen.

Harbormaster completed remote builds in B116986: Diff 362791.Jul 29 2021, 9:33 AM

I'm going to check how the notes look like on real code.

clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp
397–399	I'm actually not sure about this. We the `genName()` returns the appropriate `SourceRange` for `CXXTempObject`s, which will be added to the bug report regardless. That might be enough. I'm going to check that.
clang/test/Analysis/copy-elision.cpp
195	I could do that, but we should consider the size of the test file. The notes will duplicate each `expected-warning` and add even more besides those. Should I add them to this file or to another test file covering the same? If we decide to have that I think it would be valuable to do that in a follow-up patch IMO. The size of this is already hitting the limit.
400–419	I'm going to move this somewhere else. Probably outside of the namespace `address_vector_tests` to the end of this file.

steakhal requested review of this revision.Jul 29 2021, 10:10 AM

steakhal added inline comments.

clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp
397–399	`getName()` operates on the `Referred` memregion, although I'm highlighting the `Referrer` memregion. So, the note is not redundant.

martong added inline comments.Jul 30 2021, 6:31 AM

clang/test/Analysis/copy-elision.cpp
9–10	If copy elision always occur then `DNO_ELIDE_FLAG` has no effect, and as such it is misleading to have it in this RUN line.

Removed the deceiving -DNO_ELIDE_FLAG define from the c++17 run line.

steakhal marked an inline comment as done.Jul 30 2021, 8:12 AM

steakhal added inline comments.

clang/test/Analysis/copy-elision.cpp
9–10	You are right. Fixed.

Harbormaster completed remote builds in B117191: Diff 363101.Jul 30 2021, 9:02 AM

Y'all writing really good patches lately.

The updates on the C++ tests look spot on to me. I'm not sure if these tests contain any actual UB but the checker was anyway designed to be a bit more aggressive than that and that's exactly the kind of stuff we wanted it to warn us about. And even if it turns out to have been a bad idea from the start, that's a separate story.

I'll have some bikeshedding about warning and note text but overall I really like it.

clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp
397–398	This is part of the path, right? We're reporting these bugs at `checkEndFunction` rather than at the store site so the destruction has already happened by the time we report it. In this case it should be a path note, not an extra blue-bubble note. As for wording, I suggest `full-expression` with a dash (that's what other clang diagnostics use) and probably drop the initial "The"(?)

In D107078#2917892, @NoQ wrote:

Y'all writing really good patches lately.

Awesome, thank you!

clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp
397–398	This is part of the path, right? We're reporting these bugs at `checkEndFunction` rather than at the store site so the destruction has already happened by the time we report it. In this case it should be a path note, not an extra blue-bubble note. I'm not exactly sure how to address this. AFAIK there is no way currently detecting the completion of a full-expression. I was thinking of `Check::RegionChanges`, `Check::PostStmt<Expr>`, `Check::Live`, but none of these fits my needs. Do you have anything specific in mind that could help me? Aside from that, the report looks reasonable even with a 'blue' bubble: (scan-build): (CodeChecker): As for wording, I suggest full-expression with a dash (that's what other clang diagnostics use) and probably drop the initial "The"(?) I see, thanks.

The temporary -> Temporary
full expression -> full-expression

I did not fix the extra blue 'bubble' note issue, and I think that is out of the scope of this patch.

Harbormaster completed remote builds in B118108: Diff 364393.Aug 5 2021, 3:15 AM

In D107078#2927899, @steakhal wrote:

I did not fix the extra blue 'bubble' note issue, and I think that is out of the scope of this patch.

This is an on-by-default checker. We should not knowingly regress it, even if temporarily.

clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp
397–398	Wait, no, in your example the end of the full-expression is not part of the path; it happens after the warning is emitted. If it was, the right thing to do would have been to catch the destruction of the object of interest rather than the end of the full-expression as such. But in this case the note seems to be redundant. Lifetime of the temporary object is fairly irrelevant to the report. It only matters that such lifetime is longer than that of the stack address. But the note doesn't tell the user how long that lifetime is; it only says how short it is. So i think this note is redundant.

Removed the extra note about the temporary expression.

In D107078#2933682, @NoQ wrote:

In D107078#2927899, @steakhal wrote:

I did not fix the extra blue 'bubble' note issue, and I think that is out of the scope of this patch.

This is an on-by-default checker. We should not knowingly regress it, even if temporarily.

I'm not exactly sure what would I regress, but to be on the safe side I won't emit any extra notes this time.

WDYT about the current form?

Harbormaster completed remote builds in B118638: Diff 365133.Aug 9 2021, 3:22 AM

It looks good to me, my concerns are addressed. But please wait for @NoQ 's approval.

This revision is now accepted and ready to land.Aug 17 2021, 10:07 AM

In D107078#2933682, @NoQ wrote:

In D107078#2927899, @steakhal wrote:

I did not fix the extra blue 'bubble' note issue, and I think that is out of the scope of this patch.

This is an on-by-default checker. We should not knowingly regress it, even if temporarily.

I'm not exactly sure what would I regress, but to be on the safe side I won't emit any extra notes this time.

Yup that's what i meant, you can't introduce a note and address problems with it in a follow-up patch; it should be either fully addressed immediately or go under a flag until fixed. I think we're good now that the note is not there.

I think i see one bug in the code but other than that i think we're good to go.

clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp
325–326	You probably meant `\|\|`?

steakhal marked an inline comment as done.Aug 17 2021, 11:26 PM

steakhal added inline comments.

clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp
325–326	No, I think `&&` is justified here. We have to make sure that the popped frame is the one that was referred to by some other frame, below that frame.
397–398	Okay, I won't emit the extra note.

I plan to commit to this tomorrow. @NoQ @martong

Oh wait, it's not yet accepted by @NoQ. Then, consider this as a polite ping.

Thanks, all clear now!

clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp
325–326	Uh-oh, I misunderstood the whole thing. Looks correct indeed!

Closed by commit rG6ad47e1c4fbf: [analyzer] Catch leaking stack addresses via stack variables (authored by steakhal). · Explain WhyAug 27 2021, 2:31 AM

This revision was automatically updated to reflect the committed changes.

steakhal added a commit: rG6ad47e1c4fbf: [analyzer] Catch leaking stack addresses via stack variables.

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Checkers/

StackAddrEscapeChecker.cpp

86 lines

test/

Analysis/

copy-elision.cpp

61 lines

cxx-uninitialized-object-ptr-ref.cpp

18 lines

loop-block-counts.c

3 lines

stack-addr-ps.cpp

25 lines

Diff 369050

clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp

//=== StackAddrEscapeChecker.cpp ----------------------------------- C++ ---//		//=== StackAddrEscapeChecker.cpp ----------------------------------- C++ ---//
//		//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.		// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.		// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception		// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//		//
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
//		//
// This file defines stack address leak checker, which checks if an invalid		// This file defines stack address leak checker, which checks if an invalid
// stack address is stored into a global or heap location. See CERT DCL30-C.		// stack address is stored into a global or heap location. See CERT DCL30-C.
//		//
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/AST/ExprCXX.h"		#include "clang/AST/ExprCXX.h"
#include "clang/Basic/SourceManager.h"		#include "clang/Basic/SourceManager.h"
		#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"		#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h"		#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"		#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "llvm/ADT/SmallString.h"		#include "llvm/ADT/SmallString.h"
#include "llvm/Support/raw_ostream.h"		#include "llvm/Support/raw_ostream.h"
▲ Show 20 Lines • Show All 273 Lines • ▼ Show 20 Lines	void StackAddrEscapeChecker::checkEndFunction(const ReturnStmt *RS,

ProgramStateRef State = Ctx.getState();		ProgramStateRef State = Ctx.getState();

// Iterate over all bindings to global variables and see if it contains		// Iterate over all bindings to global variables and see if it contains
// a memory region in the stack space.		// a memory region in the stack space.
class CallBack : public StoreManager::BindingsHandler {		class CallBack : public StoreManager::BindingsHandler {
private:		private:
CheckerContext &Ctx;		CheckerContext &Ctx;
const StackFrameContext *CurSFC;		const StackFrameContext *PoppedFrame;

		/// Look for stack variables referring to popped stack variables.
		/// Returns true only if it found some dangling stack variables
		/// referred by an other stack variable from different stack frame.
		bool checkForDanglingStackVariable(const MemRegion *Referrer,
		const MemRegion *Referred) {
		const auto *ReferrerMemSpace =
		Referrer->getMemorySpace()->getAs<StackSpaceRegion>();
		const auto *ReferredMemSpace =
		Referred->getMemorySpace()->getAs<StackSpaceRegion>();

		if (!ReferrerMemSpace \|\| !ReferredMemSpace)
		return false;

		const auto *ReferrerFrame = ReferrerMemSpace->getStackFrame();
		const auto *ReferredFrame = ReferredMemSpace->getStackFrame();

		if (ReferrerMemSpace && ReferredMemSpace) {
		if (ReferredFrame == PoppedFrame &&
		ReferrerFrame->isParentOf(PoppedFrame)) {
		NoQUnsubmitted Done Reply Inline Actions You probably meant `\|\|`? NoQ: You probably meant `\|\|`?
		steakhalAuthorUnsubmitted Done Reply Inline Actions No, I think `&&` is justified here. We have to make sure that the popped frame is the one that was referred to by some other frame, below that frame. steakhal: No, I think `&&` is justified here. We have to make sure that the popped frame is the one that…
		NoQUnsubmitted Not Done Reply Inline Actions Uh-oh, I misunderstood the whole thing. Looks correct indeed! NoQ: Uh-oh, I misunderstood the whole thing. Looks correct indeed!
		V.emplace_back(Referrer, Referred);
		return true;
		}
		}
		return false;
		}

public:		public:
SmallVector<std::pair<const MemRegion , const MemRegion >, 10> V;		SmallVector<std::pair<const MemRegion , const MemRegion >, 10> V;

CallBack(CheckerContext &CC) : Ctx(CC), CurSFC(CC.getStackFrame()) {}		CallBack(CheckerContext &CC) : Ctx(CC), PoppedFrame(CC.getStackFrame()) {}

bool HandleBinding(StoreManager &SMgr, Store S, const MemRegion *Region,		bool HandleBinding(StoreManager &SMgr, Store S, const MemRegion *Region,
SVal Val) override {		SVal Val) override {
		const MemRegion *VR = Val.getAsRegion();
		if (!VR)
		return true;

		if (checkForDanglingStackVariable(Region, VR))
		return true;

		// Check the globals for the same.
if (!isa<GlobalsSpaceRegion>(Region->getMemorySpace()))		if (!isa<GlobalsSpaceRegion>(Region->getMemorySpace()))
return true;		return true;
const MemRegion *VR = Val.getAsRegion();		if (VR && VR->hasStackStorage() && !isArcManagedBlock(VR, Ctx) &&
if (VR && isa<StackSpaceRegion>(VR->getMemorySpace()) &&		!isNotInCurrentFrame(VR, Ctx))
!isArcManagedBlock(VR, Ctx) && !isNotInCurrentFrame(VR, Ctx))
V.emplace_back(Region, VR);		V.emplace_back(Region, VR);
return true;		return true;
}		}
};		};

CallBack Cb(Ctx);		CallBack Cb(Ctx);
State->getStateManager().getStoreManager().iterBindings(State->getStore(),		State->getStateManager().getStoreManager().iterBindings(State->getStore(),
Cb);		Cb);
Show All 10 Lines	if (!BT_stackleak)
BT_stackleak = std::make_unique<BuiltinBug>(		BT_stackleak = std::make_unique<BuiltinBug>(
CheckNames[CK_StackAddrEscapeChecker],		CheckNames[CK_StackAddrEscapeChecker],
"Stack address stored into global variable",		"Stack address stored into global variable",
"Stack address was saved into a global variable. "		"Stack address was saved into a global variable. "
"This is dangerous because the address will become "		"This is dangerous because the address will become "
"invalid after returning from the function");		"invalid after returning from the function");

for (const auto &P : Cb.V) {		for (const auto &P : Cb.V) {
		const MemRegion *Referrer = P.first;
		const MemRegion *Referred = P.second;

// Generate a report for this bug.		// Generate a report for this bug.
		const StringRef CommonSuffix =
		"upon returning to the caller. This will be a dangling reference";
SmallString<128> Buf;		SmallString<128> Buf;
llvm::raw_svector_ostream Out(Buf);		llvm::raw_svector_ostream Out(Buf);
SourceRange Range = genName(Out, P.second, Ctx.getASTContext());		const SourceRange Range = genName(Out, Referred, Ctx.getASTContext());
Out << " is still referred to by the ";
if (isa<StaticGlobalSpaceRegion>(P.first->getMemorySpace()))		if (isa<CXXTempObjectRegion>(Referrer)) {
Out << "static";		Out << " is still referred to by a temporary object on the stack "
else		<< CommonSuffix;
Out << "global";		auto Report =
Out << " variable '";		std::make_unique<PathSensitiveBugReport>(*BT_stackleak, Out.str(), N);
const VarRegion *VR = cast<VarRegion>(P.first->getBaseRegion());		Ctx.emitReport(std::move(Report));
Out << *VR->getDecl()		return;
<< "' upon returning to the caller. This will be a dangling reference";		}

		const StringRef ReferrerMemorySpace = [](const MemSpaceRegion *Space) {
		NoQUnsubmitted Done Reply Inline Actions This is part of the path, right? We're reporting these bugs at `checkEndFunction` rather than at the store site so the destruction has already happened by the time we report it. In this case it should be a path note, not an extra blue-bubble note. As for wording, I suggest `full-expression` with a dash (that's what other clang diagnostics use) and probably drop the initial "The"(?) NoQ: This is part of the path, right? We're reporting these bugs at `checkEndFunction` rather than…
		steakhalAuthorUnsubmitted Done Reply Inline Actions This is part of the path, right? We're reporting these bugs at `checkEndFunction` rather than at the store site so the destruction has already happened by the time we report it. In this case it should be a path note, not an extra blue-bubble note. I'm not exactly sure how to address this. AFAIK there is no way currently detecting the completion of a full-expression. I was thinking of `Check::RegionChanges`, `Check::PostStmt<Expr>`, `Check::Live`, but none of these fits my needs. Do you have anything specific in mind that could help me? Aside from that, the report looks reasonable even with a 'blue' bubble: (scan-build): (CodeChecker): As for wording, I suggest full-expression with a dash (that's what other clang diagnostics use) and probably drop the initial "The"(?) I see, thanks. steakhal: > This is part of the path, right? We're reporting these bugs at `checkEndFunction` rather than…
		NoQUnsubmitted Done Reply Inline Actions Wait, no, in your example the end of the full-expression is not part of the path; it happens after the warning is emitted. If it was, the right thing to do would have been to catch the destruction of the object of interest rather than the end of the full-expression as such. But in this case the note seems to be redundant. Lifetime of the temporary object is fairly irrelevant to the report. It only matters that such lifetime is longer than that of the stack address. But the note doesn't tell the user how long that lifetime is; it only says how short it is. So i think this note is redundant. NoQ: Wait, no, in your example the end of the full-expression is not part of the path; it happens…
		steakhalAuthorUnsubmitted Done Reply Inline Actions Okay, I won't emit the extra note. steakhal: Okay, I won't emit the extra note.
		if (isa<StaticGlobalSpaceRegion>(Space))
		steakhalAuthorUnsubmitted Done Reply Inline Actions I'm actually not sure about this. We the `genName()` returns the appropriate `SourceRange` for `CXXTempObject`s, which will be added to the bug report regardless. That might be enough. I'm going to check that. steakhal: I'm actually not sure about this. We the `genName()` returns the appropriate `SourceRange` for…
		steakhalAuthorUnsubmitted Done Reply Inline Actions `getName()` operates on the `Referred` memregion, although I'm highlighting the `Referrer` memregion. So, the note is not redundant. steakhal: `getName()` operates on the `Referred` memregion, although I'm highlighting the `Referrer`…
		return "static";
		if (isa<GlobalsSpaceRegion>(Space))
		return "global";
		assert(isa<StackSpaceRegion>(Space));
		return "stack";
		}(Referrer->getMemorySpace());

		// This cast supposed to succeed.
		const VarRegion *ReferrerVar = cast<VarRegion>(Referrer->getBaseRegion());
		const std::string ReferrerVarName =
		ReferrerVar->getDecl()->getDeclName().getAsString();

		Out << " is still referred to by the " << ReferrerMemorySpace
		<< " variable '" << ReferrerVarName << "' " << CommonSuffix;
auto Report =		auto Report =
std::make_unique<PathSensitiveBugReport>(*BT_stackleak, Out.str(), N);		std::make_unique<PathSensitiveBugReport>(*BT_stackleak, Out.str(), N);
if (Range.isValid())		if (Range.isValid())
Report->addRange(Range);		Report->addRange(Range);

Ctx.emitReport(std::move(Report));		Ctx.emitReport(std::move(Report));
}		}
}		}
Show All 21 Lines

clang/test/Analysis/copy-elision.cpp

// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -std=c++11 -verify -analyzer-config eagerly-assume=false %s		// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -std=c++11 \
// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -std=c++17 -verify -analyzer-config eagerly-assume=false %s		// RUN: -analyzer-config eagerly-assume=false -verify %s
// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -std=c++11 -analyzer-config elide-constructors=false -DNO_ELIDE_FLAG -verify -analyzer-config eagerly-assume=false %s		// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -std=c++17 \
// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -std=c++17 -analyzer-config elide-constructors=false -DNO_ELIDE_FLAG -verify -analyzer-config eagerly-assume=false %s		// RUN: -analyzer-config eagerly-assume=false -verify %s
		// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -std=c++11 \
		// RUN: -analyzer-config elide-constructors=false -DNO_ELIDE_FLAG \
		// RUN: -analyzer-config eagerly-assume=false -verify=expected,no-elide %s
		// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -std=c++17 \
		// RUN: -analyzer-config elide-constructors=false \
		// RUN: -analyzer-config eagerly-assume=false -verify %s
		martongUnsubmitted Done Reply Inline Actions Should we use `-verify=no-elide` here as well? Since we set the `DNO_ELIDE_FLAG`? martong: Should we use `-verify=no-elide` here as well? Since we set the `DNO_ELIDE_FLAG`?
		steakhalAuthorUnsubmitted Done Reply Inline Actions According to the comment a few lines below: Copy elision always occurs in C++17, otherwise it's under an on-by-default flag. So I think even though one passes the `elide-constructors=false` analyzer config, we follow the language semantics, which requires us to elide those copies, thus no copy should happen. steakhal: According to the comment a few lines below: > Copy elision always occurs in C++17, otherwise…
		martongUnsubmitted Done Reply Inline Actions If copy elision always occur then `DNO_ELIDE_FLAG` has no effect, and as such it is misleading to have it in this RUN line. martong: If copy elision always occur then `DNO_ELIDE_FLAG` has no effect, and as such it is misleading…
		steakhalAuthorUnsubmitted Done Reply Inline Actions You are right. Fixed. steakhal: You are right. Fixed.

// Copy elision always occurs in C++17, otherwise it's under		// Copy elision always occurs in C++17, otherwise it's under
// an on-by-default flag.		// an on-by-default flag.
#if __cplusplus >= 201703L		#if __cplusplus >= 201703L
#define ELIDE 1		#define ELIDE 1
#else		#else
#ifndef NO_ELIDE_FLAG		#ifndef NO_ELIDE_FLAG
#define ELIDE 1		#define ELIDE 1
▲ Show 20 Lines • Show All 131 Lines • ▼ Show 20 Lines	public:
ClassWithoutDestructor(ClassWithoutDestructor &&c) : v(c.v) { push(); }		ClassWithoutDestructor(ClassWithoutDestructor &&c) : v(c.v) { push(); }
ClassWithoutDestructor(const ClassWithoutDestructor &c) : v(c.v) { push(); }		ClassWithoutDestructor(const ClassWithoutDestructor &c) : v(c.v) { push(); }

void push() { v.push(this); }		void push() { v.push(this); }
};		};

ClassWithoutDestructor make1(AddressVector<ClassWithoutDestructor> &v) {		ClassWithoutDestructor make1(AddressVector<ClassWithoutDestructor> &v) {
return ClassWithoutDestructor(v);		return ClassWithoutDestructor(v);
		// no-elide-warning@-1 {{Address of stack memory associated with temporary \
		object of type 'address_vector_tests::ClassWithoutDestructor' is still \
		referred to by the stack variable 'v' upon returning to the caller}}
}		}
ClassWithoutDestructor make2(AddressVector<ClassWithoutDestructor> &v) {		ClassWithoutDestructor make2(AddressVector<ClassWithoutDestructor> &v) {
return make1(v);		return make1(v);
		// no-elide-warning@-1 {{Address of stack memory associated with temporary \
		object of type 'address_vector_tests::ClassWithoutDestructor' is still \
		referred to by the stack variable 'v' upon returning to the caller}}
}		}
ClassWithoutDestructor make3(AddressVector<ClassWithoutDestructor> &v) {		ClassWithoutDestructor make3(AddressVector<ClassWithoutDestructor> &v) {
return make2(v);		return make2(v);
		// no-elide-warning@-1 {{Address of stack memory associated with temporary \
		object of type 'address_vector_tests::ClassWithoutDestructor' is still \
		referred to by the stack variable 'v' upon returning to the caller}}
}		}

void testMultipleReturns() {		void testMultipleReturns() {
AddressVector<ClassWithoutDestructor> v;		AddressVector<ClassWithoutDestructor> v;
ClassWithoutDestructor c = make3(v);		ClassWithoutDestructor c = make3(v);

#if ELIDE		#if ELIDE
clang_analyzer_eval(v.len == 1); // expected-warning{{TRUE}}		clang_analyzer_eval(v.len == 1); // expected-warning{{TRUE}}
clang_analyzer_eval(v.buf[0] == &c); // expected-warning{{TRUE}}		clang_analyzer_eval(v.buf[0] == &c); // expected-warning{{TRUE}}
#else		#else
clang_analyzer_eval(v.len == 5); // expected-warning{{TRUE}}		clang_analyzer_eval(v.len == 5); // expected-warning{{TRUE}}
clang_analyzer_eval(v.buf[0] != v.buf[1]); // expected-warning{{TRUE}}		clang_analyzer_eval(v.buf[0] != v.buf[1]); // expected-warning{{TRUE}}
clang_analyzer_eval(v.buf[1] != v.buf[2]); // expected-warning{{TRUE}}		clang_analyzer_eval(v.buf[1] != v.buf[2]); // expected-warning{{TRUE}}
clang_analyzer_eval(v.buf[2] != v.buf[3]); // expected-warning{{TRUE}}		clang_analyzer_eval(v.buf[2] != v.buf[3]); // expected-warning{{TRUE}}
clang_analyzer_eval(v.buf[3] != v.buf[4]); // expected-warning{{TRUE}}		clang_analyzer_eval(v.buf[3] != v.buf[4]); // expected-warning{{TRUE}}
clang_analyzer_eval(v.buf[4] == &c); // expected-warning{{TRUE}}		clang_analyzer_eval(v.buf[4] == &c); // expected-warning{{TRUE}}
#endif		#endif
}		}

void consume(ClassWithoutDestructor c) {		void consume(ClassWithoutDestructor c) {
c.push();		c.push();
		// expected-warning@-1 {{Address of stack memory associated with local \
		variable 'c' is still referred to by the stack variable 'v' upon returning \
		martongUnsubmitted Not Done Reply Inline Actions It would be useful to have a test with `// RUN: -analyzer-output=text \` to make sure that we have a note placed for `v` at `consume(make3(v))`. Do we have such a note? This could be done perhaps in another test file. martong: It would be useful to have a test with `// RUN: -analyzer-output=text \` to make sure that we…
		steakhalAuthorUnsubmitted Done Reply Inline Actions I could do that, but we should consider the size of the test file. The notes will duplicate each `expected-warning` and add even more besides those. Should I add them to this file or to another test file covering the same? If we decide to have that I think it would be valuable to do that in a follow-up patch IMO. The size of this is already hitting the limit. steakhal: I could do that, but we should consider the size of the test file. The notes will duplicate…
		to the caller}}
}		}

void testArgumentConstructorWithoutDestructor() {		void testArgumentConstructorWithoutDestructor() {
AddressVector<ClassWithoutDestructor> v;		AddressVector<ClassWithoutDestructor> v;

consume(make3(v));		consume(make3(v));

#if ELIDE		#if ELIDE
▲ Show 20 Lines • Show All 54 Lines • ▼ Show 20 Lines	#else
clang_analyzer_eval(v.buf[1] == v.buf[3]); // expected-warning{{TRUE}}		clang_analyzer_eval(v.buf[1] == v.buf[3]); // expected-warning{{TRUE}}
#endif		#endif
}		}

struct TestCtorInitializer {		struct TestCtorInitializer {
ClassWithDestructor c;		ClassWithDestructor c;
TestCtorInitializer(AddressVector<ClassWithDestructor> &v)		TestCtorInitializer(AddressVector<ClassWithDestructor> &v)
: c(ClassWithDestructor(v)) {}		: c(ClassWithDestructor(v)) {}
		// no-elide-warning@-1 {{Address of stack memory associated with temporary \
		object of type 'address_vector_tests::ClassWithDestructor' is still referred \
		to by the stack variable 'v' upon returning to the caller}}
};		};

void testCtorInitializer() {		void testCtorInitializer() {
AddressVector<ClassWithDestructor> v;		AddressVector<ClassWithDestructor> v;
{		{
TestCtorInitializer t(v);		TestCtorInitializer t(v);
// Check if the last destructor is an automatic destructor.		// Check if the last destructor is an automatic destructor.
// A temporary destructor would have fired by now.		// A temporary destructor would have fired by now.
Show All 17 Lines	#else
clang_analyzer_eval(v.buf[0] == v.buf[2]); // expected-warning{{TRUE}}		clang_analyzer_eval(v.buf[0] == v.buf[2]); // expected-warning{{TRUE}}
clang_analyzer_eval(v.buf[1] == v.buf[3]); // expected-warning{{TRUE}}		clang_analyzer_eval(v.buf[1] == v.buf[3]); // expected-warning{{TRUE}}
#endif		#endif
}		}


ClassWithDestructor make1(AddressVector<ClassWithDestructor> &v) {		ClassWithDestructor make1(AddressVector<ClassWithDestructor> &v) {
return ClassWithDestructor(v);		return ClassWithDestructor(v);
		// no-elide-warning@-1 {{Address of stack memory associated with temporary \
		object of type 'address_vector_tests::ClassWithDestructor' is still referred \
		to by the stack variable 'v' upon returning to the caller}}
}		}
ClassWithDestructor make2(AddressVector<ClassWithDestructor> &v) {		ClassWithDestructor make2(AddressVector<ClassWithDestructor> &v) {
return make1(v);		return make1(v);
		// no-elide-warning@-1 {{Address of stack memory associated with temporary \
		object of type 'address_vector_tests::ClassWithDestructor' is still referred \
		to by the stack variable 'v' upon returning to the caller}}
}		}
ClassWithDestructor make3(AddressVector<ClassWithDestructor> &v) {		ClassWithDestructor make3(AddressVector<ClassWithDestructor> &v) {
return make2(v);		return make2(v);
		// no-elide-warning@-1 {{Address of stack memory associated with temporary \
		object of type 'address_vector_tests::ClassWithDestructor' is still referred \
		to by the stack variable 'v' upon returning to the caller}}
}		}

void testMultipleReturnsWithDestructors() {		void testMultipleReturnsWithDestructors() {
AddressVector<ClassWithDestructor> v;		AddressVector<ClassWithDestructor> v;
{		{
ClassWithDestructor c = make3(v);		ClassWithDestructor c = make3(v);
// Check if the last destructor is an automatic destructor.		// Check if the last destructor is an automatic destructor.
// A temporary destructor would have fired by now.		// A temporary destructor would have fired by now.
Show All 27 Lines	#else
clang_analyzer_eval(v.buf[3] == v.buf[6]); // expected-warning{{TRUE}}		clang_analyzer_eval(v.buf[3] == v.buf[6]); // expected-warning{{TRUE}}
clang_analyzer_eval(v.buf[5] == v.buf[8]); // expected-warning{{TRUE}}		clang_analyzer_eval(v.buf[5] == v.buf[8]); // expected-warning{{TRUE}}
clang_analyzer_eval(v.buf[7] == v.buf[9]); // expected-warning{{TRUE}}		clang_analyzer_eval(v.buf[7] == v.buf[9]); // expected-warning{{TRUE}}
#endif		#endif
}		}

void consume(ClassWithDestructor c) {		void consume(ClassWithDestructor c) {
c.push();		c.push();
		// expected-warning@-1 {{Address of stack memory associated with local \
		variable 'c' is still referred to by the stack variable 'v' upon returning \
		to the caller}}
}		}

void testArgumentConstructorWithDestructor() {		void testArgumentConstructorWithDestructor() {
AddressVector<ClassWithDestructor> v;		AddressVector<ClassWithDestructor> v;

consume(make3(v));		consume(make3(v));

#if ELIDE		#if ELIDE
Show All 20 Lines	#else
clang_analyzer_eval(v.buf[1] == v.buf[4]); // expected-warning{{TRUE}}		clang_analyzer_eval(v.buf[1] == v.buf[4]); // expected-warning{{TRUE}}
clang_analyzer_eval(v.buf[3] == v.buf[6]); // expected-warning{{TRUE}}		clang_analyzer_eval(v.buf[3] == v.buf[6]); // expected-warning{{TRUE}}
clang_analyzer_eval(v.buf[5] == v.buf[10]); // expected-warning{{TRUE}}		clang_analyzer_eval(v.buf[5] == v.buf[10]); // expected-warning{{TRUE}}
clang_analyzer_eval(v.buf[7] == v.buf[8]); // expected-warning{{TRUE}}		clang_analyzer_eval(v.buf[7] == v.buf[8]); // expected-warning{{TRUE}}
clang_analyzer_eval(v.buf[8] == v.buf[9]); // expected-warning{{TRUE}}		clang_analyzer_eval(v.buf[8] == v.buf[9]); // expected-warning{{TRUE}}
#endif		#endif
}		}

		struct Foo {
		Foo(Foo **q) {
		*q = this;
		}
		};

		Foo make1(Foo **r) {
		return Foo(r);
		// no-elide-warning@-1 {{Address of stack memory associated with temporary \
		object of type 'address_vector_tests::Foo' is still referred to by the stack \
		variable 'z' upon returning to the caller}}
		}

		void test_copy_elision() {
		Foo *z;
		// If the copy elided, 'z' points to 'tmp', otherwise it's a dangling pointer.
		Foo tmp = make1(&z);
		(void)tmp;
		}

		steakhalAuthorUnsubmitted Done Reply Inline Actions I'm going to move this somewhere else. Probably outside of the namespace `address_vector_tests` to the end of this file. steakhal: I'm going to move this somewhere else. Probably outside of the namespace `address_vector_tests`…
} // namespace address_vector_tests		} // namespace address_vector_tests

clang/test/Analysis/cxx-uninitialized-object-ptr-ref.cpp

Show First 20 Lines • Show All 65 Lines • ▼ Show 20 Lines
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
// Alloca tests.		// Alloca tests.
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

struct UntypedAllocaTest {		struct UntypedAllocaTest {
void *allocaPtr;		void *allocaPtr;
int dontGetFilteredByNonPedanticMode = 0;		int dontGetFilteredByNonPedanticMode = 0;

		// expected-warning-re@+3 {{Address of stack memory allocated by call to \
		alloca() on line {{[0-9]+}} is still referred to by a temporary object on the \
		stack upon returning to the caller. This will be a dangling reference}}
UntypedAllocaTest() : allocaPtr(__builtin_alloca(sizeof(int))) {		UntypedAllocaTest() : allocaPtr(__builtin_alloca(sizeof(int))) {
// All good!		// All good!
}		}
};		};

void fUntypedAllocaTest() {		void fUntypedAllocaTest() {
UntypedAllocaTest();		UntypedAllocaTest();
}		}

struct TypedAllocaTest1 {		struct TypedAllocaTest1 {
int *allocaPtr; // expected-note{{uninitialized pointee 'this->allocaPtr'}}		int *allocaPtr; // expected-note{{uninitialized pointee 'this->allocaPtr'}}
int dontGetFilteredByNonPedanticMode = 0;		int dontGetFilteredByNonPedanticMode = 0;

TypedAllocaTest1() // expected-warning{{1 uninitialized field}}		TypedAllocaTest1() // expected-warning{{1 uninitialized field}}
: allocaPtr(static_cast<int *>(__builtin_alloca(sizeof(int)))) {}		: allocaPtr(static_cast<int *>(__builtin_alloca(sizeof(int)))) {}
		// expected-warning-re@-2 {{Address of stack memory allocated by call to \
		alloca() on line {{[0-9]+}} is still referred to by a temporary object on the \
		stack upon returning to the caller. This will be a dangling reference}}
};		};

void fTypedAllocaTest1() {		void fTypedAllocaTest1() {
TypedAllocaTest1();		TypedAllocaTest1();
}		}

struct TypedAllocaTest2 {		struct TypedAllocaTest2 {
int *allocaPtr;		int *allocaPtr;
int dontGetFilteredByNonPedanticMode = 0;		int dontGetFilteredByNonPedanticMode = 0;

		// expected-warning-re@+5 {{Address of stack memory allocated by call to \
		alloca() on line {{[0-9]+}} is still referred to by a temporary object on the \
		stack upon returning to the caller. This will be a dangling reference}}
TypedAllocaTest2()		TypedAllocaTest2()
: allocaPtr(static_cast<int *>(__builtin_alloca(sizeof(int)))) {		: allocaPtr(static_cast<int *>(__builtin_alloca(sizeof(int)))) {
*allocaPtr = 55555;		*allocaPtr = 55555;
// All good!		// All good!
}		}
};		};

void fTypedAllocaTest2() {		void fTypedAllocaTest2() {
▲ Show 20 Lines • Show All 229 Lines • ▼ Show 20 Lines	void fVoidPointerTest2() {
void *vptr = malloc(sizeof(int));		void *vptr = malloc(sizeof(int));
VoidPointerTest2(&vptr, char());		VoidPointerTest2(&vptr, char());
}		}

class VoidPointerRRefTest1 {		class VoidPointerRRefTest1 {
void *&&vptrrref; // expected-note {{here}}		void *&&vptrrref; // expected-note {{here}}

public:		public:
		// expected-warning@+3 {{Address of stack memory associated with local \
		variable 'vptr' is still referred to by a temporary object on the stack \
		upon returning to the caller. This will be a dangling reference}}
VoidPointerRRefTest1(void vptr, char) : vptrrref(static_cast<void &&>(vptr)) { // expected-warning {{binding reference member 'vptrrref' to stack allocated parameter 'vptr'}}		VoidPointerRRefTest1(void vptr, char) : vptrrref(static_cast<void &&>(vptr)) { // expected-warning {{binding reference member 'vptrrref' to stack allocated parameter 'vptr'}}
// All good!		// All good!
}		}
};		};

void fVoidPointerRRefTest1() {		void fVoidPointerRRefTest1() {
void *vptr = malloc(sizeof(int));		void *vptr = malloc(sizeof(int));
VoidPointerRRefTest1(vptr, char());		VoidPointerRRefTest1(vptr, char());
}		}

class VoidPointerRRefTest2 {		class VoidPointerRRefTest2 {
void **&&vpptrrref; // expected-note {{here}}		void **&&vpptrrref; // expected-note {{here}}

public:		public:
		// expected-warning@+3 {{Address of stack memory associated with local \
		variable 'vptr' is still referred to by a temporary object on the stack \
		upon returning to the caller. This will be a dangling reference}}
VoidPointerRRefTest2(void vptr, char) : vpptrrref(static_cast<void &&>(vptr)) { // expected-warning {{binding reference member 'vpptrrref' to stack allocated parameter 'vptr'}}		VoidPointerRRefTest2(void vptr, char) : vpptrrref(static_cast<void &&>(vptr)) { // expected-warning {{binding reference member 'vpptrrref' to stack allocated parameter 'vptr'}}
// All good!		// All good!
}		}
};		};

void fVoidPointerRRefTest2() {		void fVoidPointerRRefTest2() {
void *vptr = malloc(sizeof(int));		void *vptr = malloc(sizeof(int));
VoidPointerRRefTest2(&vptr, char());		VoidPointerRRefTest2(&vptr, char());
}		}

class VoidPointerLRefTest {		class VoidPointerLRefTest {
void *&vptrrref; // expected-note {{here}}		void *&vptrrref; // expected-note {{here}}

public:		public:
		// expected-warning@+3 {{Address of stack memory associated with local \
		variable 'vptr' is still referred to by a temporary object on the stack \
		upon returning to the caller. This will be a dangling reference}}
VoidPointerLRefTest(void vptr, char) : vptrrref(static_cast<void &>(vptr)) { // expected-warning {{binding reference member 'vptrrref' to stack allocated parameter 'vptr'}}		VoidPointerLRefTest(void vptr, char) : vptrrref(static_cast<void &>(vptr)) { // expected-warning {{binding reference member 'vptrrref' to stack allocated parameter 'vptr'}}
// All good!		// All good!
}		}
};		};

void fVoidPointerLRefTest() {		void fVoidPointerLRefTest() {
void *vptr = malloc(sizeof(int));		void *vptr = malloc(sizeof(int));
VoidPointerLRefTest(vptr, char());		VoidPointerLRefTest(vptr, char());
▲ Show 20 Lines • Show All 552 Lines • Show Last 20 Lines

clang/test/Analysis/loop-block-counts.c

	// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -verify %s			// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -verify %s

	void clang_analyzer_eval(int);			void clang_analyzer_eval(int);

	void callee(void **p) {			void callee(void **p) {
	int x;			int x;
	*p = &x;			*p = &x;
				// expected-warning@-1 {{Address of stack memory associated with local \
				variable 'x' is still referred to by the stack variable 'arr' upon \
				returning to the caller}}
	}			}

	void loop() {			void loop() {
	void *arr[2];			void *arr[2];
	for (int i = 0; i < 2; ++i)			for (int i = 0; i < 2; ++i)
	callee(&arr[i]);			callee(&arr[i]);
	// FIXME: Should be UNKNOWN.			// FIXME: Should be UNKNOWN.
	clang_analyzer_eval(arr[0] == arr[1]); // expected-warning{{FALSE}}			clang_analyzer_eval(arr[0] == arr[1]); // expected-warning{{FALSE}}
	Show All 11 Lines

clang/test/Analysis/stack-addr-ps.cpp

Show First 20 Lines • Show All 131 Lines • ▼ Show 20 Lines	namespace rdar13296133 {
}		}

bool returnAsBoolViaPointer() {		bool returnAsBoolViaPointer() {
ConvertsToPointer obj;		ConvertsToPointer obj;
return obj; // no-warning		return obj; // no-warning
}		}
}		}

		void write_stack_address_to(char **q) {
		char local;
		*q = &local;
		// expected-warning@-1 {{Address of stack memory associated with local \
		variable 'local' is still referred to by the stack variable 'p' upon \
		returning to the caller}}
		}

		void test_stack() {
		char *p;
		write_stack_address_to(&p);
		}

		struct C {
		~C() {} // non-trivial class
		};

		C make1() {
		C c;
		return c; // no-warning
		}

		void test_copy_elision() {
		C c1 = make1();
		}

This is an archive of the discontinued LLVM Phabricator instance.

[analyzer] Catch leaking stack addresses via stack variablesClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 369050

clang/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp

clang/test/Analysis/copy-elision.cpp

clang/test/Analysis/cxx-uninitialized-object-ptr-ref.cpp

clang/test/Analysis/loop-block-counts.c

clang/test/Analysis/stack-addr-ps.cpp

[analyzer] Catch leaking stack addresses via stack variables
ClosedPublic