author | Arseniy Zaostrovnykh <necto.ne@gmail.com> | 2024-08-28 08:36:59 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-08-28 08:36:59 +0200 |
commit | 190449a5d2a9ddfc2180dce11714a4443f0f29f0 (patch) | |
tree | c3e9b347b8e9eb792f85d3e17d95dfd1a1033bb2 /llvm/lib/FileCheck/FileCheck.cpp | |
parent | e5a5ac0c2355df9911953260aaf519185efa369e (diff) | |
download | llvm-190449a5d2a9ddfc2180dce11714a4443f0f29f0.zip llvm-190449a5d2a9ddfc2180dce11714a4443f0f29f0.tar.gz llvm-190449a5d2a9ddfc2180dce11714a4443f0f29f0.tar.bz2 |
[analyzer] Detect leaks of stack addresses via output params, indirect globals 3/3 (#105648)
Fix some false negatives of StackAddrEscapeChecker:
- Output parameters
```
void top(int **out) {
  int local = 42;
  *out = &local; // Noncompliant
}
```
- Indirect global pointers
```
int **global;
void top() {
  int local = 42;
  *global = &local; // Noncompliant
}
```
Note that now StackAddrEscapeChecker produces a diagnostic if a function
with an output parameter is analyzed as top-level or as a callee. I took
special care to make sure the reports point to the same primary location
and, in many cases, feature the same primary message. That is the
motivation to modify Core/BugReporter.cpp and Core/ExplodedGraph.cpp
To avoid false positive reports when a global indirect pointer is
assigned a local address, invalidated, and then reset, I rely on the
fact that the invalidation symbol will be a DerivedSymbol of a
ConjuredSymbol that refers to the same memory region.
The checker still has a false negative for non-trivial escaping via a
returned value. It requires a more sophisticated traversal akin to
scanReachableSymbols, which is out of the scope of this change.
CPP-4734
---------
This is the last of the 3 stacked PRs, it must not be merged before
https://github.com/llvm/llvm-project/pull/105652 and
https://github.com/llvm/llvm-project/pull/105653
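The two escape patterns from the commit message placed beside compliant variants, as an added example that is not part of the LLVM commit or of the analyzer's own test suite. The function names (`top_out_param_bad`, `top_global_good`, and so on) and the driver functions are assumptions made for illustration; the noncompliant bodies are the ones the commit describes, and the compliant ones simply give the pointee storage that outlives the callee (heap for the output parameter, static duration for the indirect global).

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed example, not code from the LLVM commit. */

/* Pattern 1, noncompliant: the address of `local` is written through the
   output parameter and dangles as soon as the function returns. */
void top_out_param_bad(int **out) {
    int local = 42;
    *out = &local; /* Noncompliant: stack address escapes via *out */
}

/* Pattern 1, compliant: hand the caller storage that outlives the callee.
   The caller owns the allocation and must free() it. */
int top_out_param_good(int **out) {
    int *heap = malloc(sizeof *heap);
    if (heap == NULL)
        return -1;
    *heap = 42;
    *out = heap;
    return 0;
}

/* Pattern 2, noncompliant: an indirect global pointer is made to point at
   a local; the dangling pointer survives in global state. */
int **global;
void top_global_bad(void) {
    int local = 42;
    *global = &local; /* Noncompliant: stack address escapes via *global */
}

/* Pattern 2, compliant: the global ends up pointing at storage with static
   duration, so nothing dangles after the function returns. */
static int backing = 42;
int *slot;
void top_global_good(void) {
    global = &slot;
    *global = &backing;
}

/* Demonstration drivers. Only the compliant paths are exercised: reading
   through the pointers left behind by the *_bad variants is undefined
   behaviour, which is exactly why the checker exists. */
int read_via_out_param(void) {
    int *p = NULL;
    if (top_out_param_good(&p) != 0)
        return -1;
    int v = *p;
    free(p);
    return v;
}

int read_via_global(void) {
    top_global_good();
    return **global;
}

int main(void) {
    printf("out param: %d, global: %d\n", read_via_out_param(), read_via_global());
    return 0;
}
```

Both noncompliant functions compile cleanly, which is the point: the defect is only visible to path-sensitive analysis. Running `clang --analyze` on the file (the `core` checker group, which includes `core.StackAddressEscape`, is enabled by default) with a build that contains this change reports the two noncompliant stores; before it, both were silent false negatives.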
Diffstat (limited to 'llvm/lib/FileCheck/FileCheck.cpp')
0 files changed, 0 insertions, 0 deletions