clang 22.0.0git
StackAddrEscapeChecker.cpp
Go to the documentation of this file.
1//=== StackAddrEscapeChecker.cpp ----------------------------------*- C++ -*--//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file defines stack address leak checker, which checks if an invalid
10// stack address is stored into a global or heap location. See CERT DCL30-C.
11//
12//===----------------------------------------------------------------------===//
13
14#include "clang/AST/ExprCXX.h"
15#include "clang/Basic/SourceManager.h"
16#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
17#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
18#include "clang/StaticAnalyzer/Core/Checker.h"
19#include "clang/StaticAnalyzer/Core/CheckerManager.h"
20#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
21#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
22#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
23#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
24#include "llvm/ADT/STLExtras.h"
25#include "llvm/ADT/SmallPtrSet.h"
26#include "llvm/Support/raw_ostream.h"
27using namespace clang;
28using namespace ento;
29
30namespace {
31class StackAddrEscapeChecker
32 : public CheckerFamily<check::PreCall, check::PreStmt<ReturnStmt>,
33 check::EndFunction> {
34 mutable IdentifierInfo *dispatch_semaphore_tII = nullptr;
35
36public:
37 StringRef getDebugTag() const override { return "StackAddrEscapeChecker"; }
38
39 CheckerFrontend StackAddrEscape;
40 CheckerFrontend StackAddrAsyncEscape;
41
42 const BugType StackLeak{&StackAddrEscape,
43 "Stack address leaks outside of stack frame"};
44 const BugType ReturnStack{&StackAddrEscape,
45 "Return of address to stack-allocated memory"};
46 const BugType CapturedStackAsync{
47 &StackAddrAsyncEscape, "Address of stack-allocated memory is captured"};
48
49 void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
50 void checkPreStmt(const ReturnStmt *RS, CheckerContext &C) const;
51 void checkEndFunction(const ReturnStmt *RS, CheckerContext &Ctx) const;
52
53private:
54 void checkAsyncExecutedBlockCaptures(const BlockDataRegion &B,
55 CheckerContext &C) const;
56 void EmitReturnLeakError(CheckerContext &C, const MemRegion *LeakedRegion,
57 const Expr *RetE) const;
58 bool isSemaphoreCaptured(const BlockDecl &B) const;
59 static SourceRange genName(raw_ostream &os, const MemRegion *R,
60 ASTContext &Ctx);
61 static SmallVector<std::pair<const MemRegion *, const StackSpaceRegion *>, 4>
62 getCapturedStackRegions(const BlockDataRegion &B, CheckerContext &C);
63 static bool isNotInCurrentFrame(const StackSpaceRegion *MS,
64 CheckerContext &C);
65};
66} // namespace
67
68SourceRange StackAddrEscapeChecker::genName(raw_ostream &os, const MemRegion *R,
69 ASTContext &Ctx) {
70 // Get the base region, stripping away fields and elements.
71 R = R->getBaseRegion();
72 SourceManager &SM = Ctx.getSourceManager();
73 SourceRange range;
74 os << "Address of ";
75
76 // Check if the region is a compound literal.
77 if (const auto *CR = dyn_cast<CompoundLiteralRegion>(R)) {
78 const CompoundLiteralExpr *CL = CR->getLiteralExpr();
79 os << "stack memory associated with a compound literal "
80 "declared on line "
81 << SM.getExpansionLineNumber(CL->getBeginLoc());
82 range = CL->getSourceRange();
83 } else if (const auto *AR = dyn_cast<AllocaRegion>(R)) {
84 const Expr *ARE = AR->getExpr();
85 SourceLocation L = ARE->getBeginLoc();
86 range = ARE->getSourceRange();
87 os << "stack memory allocated by call to alloca() on line "
88 << SM.getExpansionLineNumber(L);
89 } else if (const auto *BR = dyn_cast<BlockDataRegion>(R)) {
90 const BlockDecl *BD = BR->getCodeRegion()->getDecl();
91 SourceLocation L = BD->getBeginLoc();
92 range = BD->getSourceRange();
93 os << "stack-allocated block declared on line "
94 << SM.getExpansionLineNumber(L);
95 } else if (const auto *VR = dyn_cast<VarRegion>(R)) {
96 os << "stack memory associated with local variable '" << VR->getString()
97 << '\'';
98 range = VR->getDecl()->getSourceRange();
99 } else if (const auto *LER = dyn_cast<CXXLifetimeExtendedObjectRegion>(R)) {
100 QualType Ty = LER->getValueType().getLocalUnqualifiedType();
101 os << "stack memory associated with temporary object of type '";
102 Ty.print(os, Ctx.getPrintingPolicy());
103 os << "' lifetime extended by local variable";
104 if (const IdentifierInfo *ID = LER->getExtendingDecl()->getIdentifier())
105 os << " '" << ID->getName() << '\'';
106 range = LER->getExpr()->getSourceRange();
107 } else if (const auto *TOR = dyn_cast<CXXTempObjectRegion>(R)) {
108 QualType Ty = TOR->getValueType().getLocalUnqualifiedType();
109 os << "stack memory associated with temporary object of type '";
110 Ty.print(os, Ctx.getPrintingPolicy());
111 os << "'";
112 range = TOR->getExpr()->getSourceRange();
113 } else {
114 llvm_unreachable("Invalid region in ReturnStackAddressChecker.");
115 }
116
117 return range;
118}
119
120bool StackAddrEscapeChecker::isNotInCurrentFrame(const StackSpaceRegion *MS,
121 CheckerContext &C) {
122 return MS->getStackFrame() != C.getStackFrame();
123}
124
125bool StackAddrEscapeChecker::isSemaphoreCaptured(const BlockDecl &B) const {
126 if (!dispatch_semaphore_tII)
127 dispatch_semaphore_tII = &B.getASTContext().Idents.get("dispatch_semaphore_t");
128 for (const auto &C : B.captures()) {
129 const auto *T = C.getVariable()->getType()->getAs<TypedefType>();
130 if (T && T->getDecl()->getIdentifier() == dispatch_semaphore_tII)
131 return true;
132 }
133 return false;
134}
135
136SmallVector<std::pair<const MemRegion *, const StackSpaceRegion *>, 4>
137StackAddrEscapeChecker::getCapturedStackRegions(const BlockDataRegion &B,
138 CheckerContext &C) {
139 SmallVector<std::pair<const MemRegion *, const StackSpaceRegion *>, 4>
140 Regions;
141 ProgramStateRef State = C.getState();
142 for (auto Var : B.referenced_vars()) {
143 SVal Val = State->getSVal(Var.getCapturedRegion());
144 if (const MemRegion *Region = Val.getAsRegion()) {
145 if (const auto *Space =
146 Region->getMemorySpaceAs<StackSpaceRegion>(State)) {
147 Regions.emplace_back(Region, Space);
148 }
149 }
150 }
151 return Regions;
152}
153
154static void EmitReturnedAsPartOfError(llvm::raw_ostream &OS, SVal ReturnedVal,
155 const MemRegion *LeakedRegion) {
156 if (const MemRegion *ReturnedRegion = ReturnedVal.getAsRegion()) {
157 if (isa<BlockDataRegion>(ReturnedRegion)) {
158 OS << " is captured by a returned block";
159 return;
160 }
161 }
162
163 // Generic message
164 OS << " returned to caller";
165}
166
167void StackAddrEscapeChecker::EmitReturnLeakError(CheckerContext &C,
168 const MemRegion *R,
169 const Expr *RetE) const {
170 ExplodedNode *N = C.generateNonFatalErrorNode();
171 if (!N)
172 return;
173
174 // Generate a report for this bug.
175 SmallString<128> buf;
176 llvm::raw_svector_ostream os(buf);
177
178 // Error message formatting
179 SourceRange range = genName(os, R, C.getASTContext());
180 EmitReturnedAsPartOfError(os, C.getSVal(RetE), R);
181
182 auto report =
183 std::make_unique<PathSensitiveBugReport>(ReturnStack, os.str(), N);
184 report->addRange(RetE->getSourceRange());
185 if (range.isValid())
186 report->addRange(range);
187 C.emitReport(std::move(report));
188}
189
190void StackAddrEscapeChecker::checkAsyncExecutedBlockCaptures(
191 const BlockDataRegion &B, CheckerContext &C) const {
192 // There is a not-too-uncommon idiom
193 // where a block passed to dispatch_async captures a semaphore
194 // and then the thread (which called dispatch_async) is blocked on waiting
195 // for the completion of the execution of the block
196 // via dispatch_semaphore_wait. To avoid false-positives (for now)
197 // we ignore all the blocks which have captured
198 // a variable of the type "dispatch_semaphore_t".
199 if (isSemaphoreCaptured(*B.getDecl()))
200 return;
201 auto Regions = getCapturedStackRegions(B, C);
202 for (const MemRegion *Region : llvm::make_first_range(Regions)) {
203 // The block passed to dispatch_async may capture another block
204 // created on the stack. However, there is no leak in this situaton,
205 // no matter if ARC or no ARC is enabled:
206 // dispatch_async copies the passed "outer" block (via Block_copy)
207 // and if the block has captured another "inner" block,
208 // the "inner" block will be copied as well.
209 if (isa<BlockDataRegion>(Region))
210 continue;
211 ExplodedNode *N = C.generateNonFatalErrorNode();
212 if (!N)
213 continue;
214 SmallString<128> Buf;
215 llvm::raw_svector_ostream Out(Buf);
216 SourceRange Range = genName(Out, Region, C.getASTContext());
217 Out << " is captured by an asynchronously-executed block";
218 auto Report = std::make_unique<PathSensitiveBugReport>(CapturedStackAsync,
219 Out.str(), N);
220 if (Range.isValid())
221 Report->addRange(Range);
222 C.emitReport(std::move(Report));
223 }
224}
225
226void StackAddrEscapeChecker::checkPreCall(const CallEvent &Call,
227 CheckerContext &C) const {
228 if (!StackAddrAsyncEscape.isEnabled())
229 return;
230 if (!Call.isGlobalCFunction("dispatch_after") &&
231 !Call.isGlobalCFunction("dispatch_async"))
232 return;
233 for (unsigned Idx = 0, NumArgs = Call.getNumArgs(); Idx < NumArgs; ++Idx) {
234 if (const BlockDataRegion *B = dyn_cast_or_null<BlockDataRegion>(
235 Call.getArgSVal(Idx).getAsRegion()))
236 checkAsyncExecutedBlockCaptures(*B, C);
237 }
238}
239
240/// A visitor made for use with a ScanReachableSymbols scanner, used
241/// for finding stack regions within an SVal that live on the current
242/// stack frame of the given checker context. This visitor excludes
243/// NonParamVarRegion that data is bound to in a BlockDataRegion's
244/// bindings, since these are likely uninteresting, e.g., in case a
245/// temporary is constructed on the stack, but it captures values
246/// that would leak.
247class FindStackRegionsSymbolVisitor final : public SymbolVisitor {
248 CheckerContext &Ctxt;
249 const StackFrameContext *PoppedStackFrame;
250 SmallVectorImpl<const MemRegion *> &EscapingStackRegions;
251 llvm::SmallPtrSet<const MemRegion *, 16> VisitedRegions;
252
253public:
254 explicit FindStackRegionsSymbolVisitor(
255 CheckerContext &Ctxt,
256 SmallVectorImpl<const MemRegion *> &StorageForStackRegions)
257 : Ctxt(Ctxt), PoppedStackFrame(Ctxt.getStackFrame()),
258 EscapingStackRegions(StorageForStackRegions) {}
259
260 bool VisitSymbol(SymbolRef sym) override { return true; }
261
262 bool VisitMemRegion(const MemRegion *MR) override {
263 if (!VisitedRegions.insert(MR).second)
264 return true;
265
266 SaveIfEscapes(MR);
267
268 if (const BlockDataRegion *BDR = MR->getAs<BlockDataRegion>())
269 return VisitBlockDataRegionCaptures(BDR);
270
271 return true;
272 }
273
274private:
275 void SaveIfEscapes(const MemRegion *MR) {
276 const auto *SSR = MR->getMemorySpaceAs<StackSpaceRegion>(Ctxt.getState());
277
278 if (!SSR)
279 return;
280
281 const StackFrameContext *CapturedSFC = SSR->getStackFrame();
282 if (CapturedSFC == PoppedStackFrame ||
283 PoppedStackFrame->isParentOf(CapturedSFC))
284 EscapingStackRegions.push_back(MR);
285 }
286
287 bool VisitBlockDataRegionCaptures(const BlockDataRegion *BDR) {
288 for (auto Var : BDR->referenced_vars()) {
289 SVal Val = Ctxt.getState()->getSVal(Var.getCapturedRegion());
290 const MemRegion *Region = Val.getAsRegion();
291 if (Region) {
292 SaveIfEscapes(Region);
293 VisitMemRegion(Region);
294 }
295 }
296
297 return false;
298 }
299};
300
301/// Given some memory regions that are flagged by FindStackRegionsSymbolVisitor,
302/// this function filters out memory regions that are being returned that are
303/// likely not true leaks:
304/// 1. If returning a block data region that has stack memory space
305/// 2. If returning a constructed object that has stack memory space
306static SmallVector<const MemRegion *> FilterReturnExpressionLeaks(
307 const SmallVectorImpl<const MemRegion *> &MaybeEscaped, CheckerContext &C,
308 const Expr *RetE, SVal &RetVal) {
309
310 SmallVector<const MemRegion *> WillEscape;
311
312 const MemRegion *RetRegion = RetVal.getAsRegion();
313
314 // Returning a record by value is fine. (In this case, the returned
315 // expression will be a copy-constructor, possibly wrapped in an
316 // ExprWithCleanups node.)
317 if (const ExprWithCleanups *Cleanup = dyn_cast<ExprWithCleanups>(RetE))
318 RetE = Cleanup->getSubExpr();
319 bool IsConstructExpr =
320 isa<CXXConstructExpr>(RetE) && RetE->getType()->isRecordType();
321
322 // The CK_CopyAndAutoreleaseBlockObject cast causes the block to be copied
323 // so the stack address is not escaping here.
324 bool IsCopyAndAutoreleaseBlockObj = false;
325 if (const auto *ICE = dyn_cast<ImplicitCastExpr>(RetE)) {
326 IsCopyAndAutoreleaseBlockObj =
327 isa_and_nonnull<BlockDataRegion>(RetRegion) &&
328 ICE->getCastKind() == CK_CopyAndAutoreleaseBlockObject;
329 }
330
331 for (const MemRegion *MR : MaybeEscaped) {
332 if (RetRegion == MR && (IsCopyAndAutoreleaseBlockObj || IsConstructExpr))
333 continue;
334
335 WillEscape.push_back(MR);
336 }
337
338 return WillEscape;
339}
340
341/// For use in finding regions that live on the checker context's current
342/// stack frame, deep in the SVal representing the return value.
343static SmallVector<const MemRegion *>
344FindEscapingStackRegions(CheckerContext &C, const Expr *RetE, SVal RetVal) {
345 SmallVector<const MemRegion *> FoundStackRegions;
346
347 FindStackRegionsSymbolVisitor Finder(C, FoundStackRegions);
348 ScanReachableSymbols Scanner(C.getState(), Finder);
349 Scanner.scan(RetVal);
350
351 return FilterReturnExpressionLeaks(FoundStackRegions, C, RetE, RetVal);
352}
353
354void StackAddrEscapeChecker::checkPreStmt(const ReturnStmt *RS,
355 CheckerContext &C) const {
356 if (!StackAddrEscape.isEnabled())
357 return;
358
359 const Expr *RetE = RS->getRetValue();
360 if (!RetE)
361 return;
362 RetE = RetE->IgnoreParens();
363
364 SVal V = C.getSVal(RetE);
365
366 SmallVector<const MemRegion *> EscapedStackRegions =
367 FindEscapingStackRegions(C, RetE, V);
368
369 for (const MemRegion *ER : EscapedStackRegions)
370 EmitReturnLeakError(C, ER, RetE);
371}
372
373static const MemSpaceRegion *getStackOrGlobalSpaceRegion(ProgramStateRef State,
374 const MemRegion *R) {
375 assert(R);
376 if (const auto *MemSpace = R->getMemorySpace(State);
377 isa<StackSpaceRegion, GlobalsSpaceRegion>(MemSpace))
378 return MemSpace;
379
380 // If R describes a lambda capture, it will be a symbolic region
381 // referring to a field region of another symbolic region.
382 if (const auto *SymReg = R->getBaseRegion()->getAs<SymbolicRegion>()) {
383 if (const auto *OriginReg = SymReg->getSymbol()->getOriginRegion())
384 return getStackOrGlobalSpaceRegion(State, OriginReg);
385 }
386 return nullptr;
387}
388
389static const MemRegion *getOriginBaseRegion(const MemRegion *Reg) {
390 Reg = Reg->getBaseRegion();
391 while (const auto *SymReg = dyn_cast<SymbolicRegion>(Reg)) {
392 const auto *OriginReg = SymReg->getSymbol()->getOriginRegion();
393 if (!OriginReg)
394 break;
395 Reg = OriginReg->getBaseRegion();
396 }
397 return Reg;
398}
399
400static std::optional<std::string> printReferrer(ProgramStateRef State,
401 const MemRegion *Referrer) {
402 assert(Referrer);
403 const StringRef ReferrerMemorySpace = [](const MemSpaceRegion *Space) {
404 if (isa<StaticGlobalSpaceRegion>(Space))
405 return "static";
406 if (isa<GlobalsSpaceRegion>(Space))
407 return "global";
408 assert(isa<StackSpaceRegion>(Space));
409 // This case covers top-level and inlined analyses.
410 return "caller";
411 }(getStackOrGlobalSpaceRegion(State, Referrer));
412
413 while (!Referrer->canPrintPretty()) {
414 if (const auto *SymReg = dyn_cast<SymbolicRegion>(Referrer);
415 SymReg && SymReg->getSymbol()->getOriginRegion()) {
416 Referrer = SymReg->getSymbol()->getOriginRegion()->getBaseRegion();
417 } else if (isa<CXXThisRegion>(Referrer)) {
418 // Skip members of a class, it is handled in CheckExprLifetime.cpp as
419 // warn_bind_ref_member_to_parameter or
420 // warn_init_ptr_member_to_parameter_addr
421 return std::nullopt;
422 } else if (isa<AllocaRegion>(Referrer)) {
423 // Skip alloca() regions, they indicate advanced memory management
424 // and higher likelihood of CSA false positives.
425 return std::nullopt;
426 } else {
427 assert(false && "Unexpected referrer region type.");
428 return std::nullopt;
429 }
430 }
431 assert(Referrer);
432 assert(Referrer->canPrintPretty());
433
434 std::string buf;
435 llvm::raw_string_ostream os(buf);
436 os << ReferrerMemorySpace << " variable ";
437 Referrer->printPretty(os);
438 return buf;
439}
440
441/// Check whether \p Region refers to a freshly minted symbol after an opaque
442/// function call.
443static bool isInvalidatedSymbolRegion(const MemRegion *Region) {
444 const auto *SymReg = Region->getAs<SymbolicRegion>();
445 if (!SymReg)
446 return false;
447 SymbolRef Symbol = SymReg->getSymbol();
448
449 const auto *DerS = dyn_cast<SymbolDerived>(Symbol);
450 return DerS && isa_and_nonnull<SymbolConjured>(DerS->getParentSymbol());
451}
452
453void StackAddrEscapeChecker::checkEndFunction(const ReturnStmt *RS,
454 CheckerContext &Ctx) const {
455 if (!StackAddrEscape.isEnabled())
456 return;
457
458 ExplodedNode *Node = Ctx.getPredecessor();
459
460 bool ExitingTopFrame =
461 Ctx.getPredecessor()->getLocationContext()->inTopFrame();
462
463 if (ExitingTopFrame &&
464 Node->getLocation().getTag() == ExprEngine::cleanupNodeTag() &&
465 Node->getFirstPred()) {
466 // When finishing analysis of a top-level function, engine proactively
467 // removes dead symbols thus preventing this checker from looking through
468 // the output parameters. Take 1 step back, to the node where these symbols
469 // and their bindings are still present
470 Node = Node->getFirstPred();
471 }
472
473 // Iterate over all bindings to global variables and see if it contains
474 // a memory region in the stack space.
475 class CallBack : public StoreManager::BindingsHandler {
476 private:
477 CheckerContext &Ctx;
478 ProgramStateRef State;
479 const StackFrameContext *PoppedFrame;
480 const bool TopFrame;
481
482 /// Look for stack variables referring to popped stack variables.
483 /// Returns true only if it found some dangling stack variables
484 /// referred by an other stack variable from different stack frame.
485 bool checkForDanglingStackVariable(const MemRegion *Referrer,
486 const MemRegion *Referred) {
487 const auto *ReferrerMemSpace =
488 getStackOrGlobalSpaceRegion(State, Referrer);
489 const auto *ReferredMemSpace =
490 Referred->getMemorySpaceAs<StackSpaceRegion>(State);
491
492 if (!ReferrerMemSpace || !ReferredMemSpace)
493 return false;
494
495 const auto *ReferrerStackSpace =
496 ReferrerMemSpace->getAs<StackSpaceRegion>();
497
498 if (!ReferrerStackSpace)
499 return false;
500
501 if (const auto *ReferredFrame = ReferredMemSpace->getStackFrame();
502 ReferredFrame != PoppedFrame) {
503 return false;
504 }
505
506 if (ReferrerStackSpace->getStackFrame()->isParentOf(PoppedFrame)) {
507 V.emplace_back(Referrer, Referred);
508 return true;
509 }
510 if (isa<StackArgumentsSpaceRegion>(ReferrerMemSpace) &&
511 // Not a simple ptr (int*) but something deeper, e.g. int**
512 isa<SymbolicRegion>(Referrer->getBaseRegion()) &&
513 ReferrerStackSpace->getStackFrame() == PoppedFrame && TopFrame) {
514 // Output parameter of a top-level function
515 V.emplace_back(Referrer, Referred);
516 return true;
517 }
518 return false;
519 }
520
521 // Keep track of the variables that were invalidated through an opaque
522 // function call. Even if the initial values of such variables were bound to
523 // an address of a local variable, we cannot claim anything now, at the
524 // function exit, so skip them to avoid false positives.
525 void recordInInvalidatedRegions(const MemRegion *Region) {
526 if (isInvalidatedSymbolRegion(Region))
527 ExcludedRegions.insert(getOriginBaseRegion(Region));
528 }
529
530 public:
531 SmallVector<std::pair<const MemRegion *, const MemRegion *>, 10> V;
532 // ExcludedRegions are skipped from reporting.
533 // I.e., if a referrer in this set, skip the related bug report.
534 // It is useful to avoid false positive for the variables that were
535 // reset to a conjured value after an opaque function call.
536 llvm::SmallPtrSet<const MemRegion *, 4> ExcludedRegions;
537
538 CallBack(CheckerContext &CC, bool TopFrame)
539 : Ctx(CC), State(CC.getState()), PoppedFrame(CC.getStackFrame()),
540 TopFrame(TopFrame) {}
541
542 bool HandleBinding(StoreManager &SMgr, Store S, const MemRegion *Region,
543 SVal Val) override {
544 recordInInvalidatedRegions(Region);
545 const MemRegion *VR = Val.getAsRegion();
546 if (!VR)
547 return true;
548
549 if (checkForDanglingStackVariable(Region, VR))
550 return true;
551
552 // Check the globals for the same.
553 if (!isa_and_nonnull<GlobalsSpaceRegion>(
554 getStackOrGlobalSpaceRegion(State, Region)))
555 return true;
556
557 if (VR) {
558 if (const auto *S = VR->getMemorySpaceAs<StackSpaceRegion>(State);
559 S && !isNotInCurrentFrame(S, Ctx)) {
560 V.emplace_back(Region, VR);
561 }
562 }
563 return true;
564 }
565 };
566
567 CallBack Cb(Ctx, ExitingTopFrame);
568 ProgramStateRef State = Node->getState();
569 State->getStateManager().getStoreManager().iterBindings(State->getStore(),
570 Cb);
571
572 if (Cb.V.empty())
573 return;
574
575 // Generate an error node.
576 ExplodedNode *N = Ctx.generateNonFatalErrorNode(State, Node);
577 if (!N)
578 return;
579
580 for (const auto &P : Cb.V) {
581 const MemRegion *Referrer = P.first->getBaseRegion();
582 const MemRegion *Referred = P.second;
583 if (Cb.ExcludedRegions.contains(getOriginBaseRegion(Referrer))) {
584 continue;
585 }
586
587 // Generate a report for this bug.
588 const StringRef CommonSuffix =
589 " upon returning to the caller. This will be a dangling reference";
590 SmallString<128> Buf;
591 llvm::raw_svector_ostream Out(Buf);
592 const SourceRange Range = genName(Out, Referred, Ctx.getASTContext());
593
594 if (isa<CXXTempObjectRegion, CXXLifetimeExtendedObjectRegion>(Referrer)) {
595 Out << " is still referred to by a temporary object on the stack"
596 << CommonSuffix;
597 auto Report =
598 std::make_unique<PathSensitiveBugReport>(StackLeak, Out.str(), N);
599 if (Range.isValid())
600 Report->addRange(Range);
601 Ctx.emitReport(std::move(Report));
602 return;
603 }
604
605 auto ReferrerVariable = printReferrer(State, Referrer);
606 if (!ReferrerVariable) {
607 continue;
608 }
609
610 Out << " is still referred to by the " << *ReferrerVariable << CommonSuffix;
611 auto Report =
612 std::make_unique<PathSensitiveBugReport>(StackLeak, Out.str(), N);
613 if (Range.isValid())
614 Report->addRange(Range);
615
616 Ctx.emitReport(std::move(Report));
617 }
618}
619
620#define REGISTER_CHECKER(NAME) \
621 void ento::register##NAME##Checker(CheckerManager &Mgr) { \
622 Mgr.getChecker<StackAddrEscapeChecker>()->NAME.enable(Mgr); \
623 } \
624 \
625 bool ento::shouldRegister##NAME##Checker(const CheckerManager &) { \
626 return true; \
627 }
628
629REGISTER_CHECKER(StackAddrEscape)
630REGISTER_CHECKER(StackAddrAsyncEscape)
V
#define V(N, I)
Definition ASTContext.h:3665
REGISTER_CHECKER
#define REGISTER_CHECKER(name)
Definition CheckSecuritySyntaxOnly.cpp:1095
ExprCXX.h
Defines the clang::Expr interface and subclasses for C++ expressions.
SM
#define SM(sm)
Definition OffloadArch.cpp:16
SourceManager.h
Defines the SourceManager interface.
FilterReturnExpressionLeaks
static SmallVector< const MemRegion * > FilterReturnExpressionLeaks(const SmallVectorImpl< const MemRegion * > &MaybeEscaped, CheckerContext &C, const Expr *RetE, SVal &RetVal)
Given some memory regions that are flagged by FindStackRegionsSymbolVisitor, this function filters ou...
Definition StackAddrEscapeChecker.cpp:306
isInvalidatedSymbolRegion
static bool isInvalidatedSymbolRegion(const MemRegion *Region)
Check whether Region refers to a freshly minted symbol after an opaque function call.
Definition StackAddrEscapeChecker.cpp:443
EmitReturnedAsPartOfError
static void EmitReturnedAsPartOfError(llvm::raw_ostream &OS, SVal ReturnedVal, const MemRegion *LeakedRegion)
Definition StackAddrEscapeChecker.cpp:154
printReferrer
static std::optional< std::string > printReferrer(ProgramStateRef State, const MemRegion *Referrer)
Definition StackAddrEscapeChecker.cpp:400
getStackOrGlobalSpaceRegion
static const MemSpaceRegion * getStackOrGlobalSpaceRegion(ProgramStateRef State, const MemRegion *R)
Definition StackAddrEscapeChecker.cpp:373
getOriginBaseRegion
static const MemRegion * getOriginBaseRegion(const MemRegion *Reg)
Definition StackAddrEscapeChecker.cpp:389
FindEscapingStackRegions
static SmallVector< const MemRegion * > FindEscapingStackRegions(CheckerContext &C, const Expr *RetE, SVal RetVal)
For use in finding regions that live on the checker context's current stack frame,...
Definition StackAddrEscapeChecker.cpp:344
FindStackRegionsSymbolVisitor
A visitor made for use with a ScanReachableSymbols scanner, used for finding stack regions within an ...
Definition StackAddrEscapeChecker.cpp:247
FindStackRegionsSymbolVisitor::VisitMemRegion
bool VisitMemRegion(const MemRegion *MR) override
Definition StackAddrEscapeChecker.cpp:262
FindStackRegionsSymbolVisitor::FindStackRegionsSymbolVisitor
FindStackRegionsSymbolVisitor(CheckerContext &Ctxt, SmallVectorImpl< const MemRegion * > &StorageForStackRegions)
Definition StackAddrEscapeChecker.cpp:254
FindStackRegionsSymbolVisitor::VisitSymbol
bool VisitSymbol(SymbolRef sym) override
A visitor method invoked by ProgramStateManager::scanReachableSymbols.
Definition StackAddrEscapeChecker.cpp:260
clang::ASTContext
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition ASTContext.h:220
clang::ASTContext::getSourceManager
SourceManager & getSourceManager()
Definition ASTContext.h:851
clang::ASTContext::Idents
IdentifierTable & Idents
Definition ASTContext.h:790
clang::ASTContext::getPrintingPolicy
const clang::PrintingPolicy & getPrintingPolicy() const
Definition ASTContext.h:843
clang::BlockDecl::captures
ArrayRef< Capture > captures() const
Definition Decl.h:4795
clang::BlockDecl::getSourceRange
SourceRange getSourceRange() const override LLVM_READONLY
Source range that this declaration covers.
Definition Decl.cpp:5413
clang::CompoundLiteralExpr::getBeginLoc
SourceLocation getBeginLoc() const LLVM_READONLY
Definition Expr.h:3588
clang::Decl::getASTContext
ASTContext & getASTContext() const LLVM_READONLY
Definition DeclBase.cpp:546
clang::Decl::getBeginLoc
SourceLocation getBeginLoc() const LLVM_READONLY
Definition DeclBase.h:431
clang::ExprWithCleanups
Represents an expression – generally a full-expression – that introduces cleanups to be run at the en...
Definition ExprCXX.h:3661
clang::Expr
This represents one expression.
Definition Expr.h:112
clang::Expr::IgnoreParens
Expr * IgnoreParens() LLVM_READONLY
Skip past any parentheses which might surround this expression until reaching a fixed point.
Definition Expr.cpp:3085
clang::Expr::getType
QualType getType() const
Definition Expr.h:144
clang::IdentifierTable::get
IdentifierInfo & get(StringRef Name)
Return the identifier token info for the specified named identifier.
Definition IdentifierTable.h:748
clang::LocationContext::isParentOf
bool isParentOf(const LocationContext *LC) const
Definition AnalysisDeclContext.cpp:479
clang::LocationContext::getStackFrame
const StackFrameContext * getStackFrame() const
Definition AnalysisDeclContext.cpp:465
clang::LocationContext::inTopFrame
virtual bool inTopFrame() const
Definition AnalysisDeclContext.cpp:475
clang::ProgramPoint::getTag
const ProgramPointTag * getTag() const
Definition ProgramPoint.h:179
clang::QualType::print
void print(raw_ostream &OS, const PrintingPolicy &Policy, const Twine &PlaceHolder=Twine(), unsigned Indentation=0) const
Definition TypePrinter.cpp:2792
clang::ReturnStmt::getRetValue
Expr * getRetValue()
Definition Stmt.h:3177
clang::SourceRange
A trivial tuple used to represent a source range.
Definition SourceLocation.h:215
clang::StackFrameContext
It represents a stack frame of the call stack (based on CallEvent).
Definition AnalysisDeclContext.h:299
clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition Stmt.cpp:338
clang::Stmt::getBeginLoc
SourceLocation getBeginLoc() const LLVM_READONLY
Definition Stmt.cpp:350
clang::Type::getAs
const T * getAs() const
Member-template getAs<specific type>'.
Definition TypeBase.h:9112
clang::Type::isRecordType
bool isRecordType() const
Definition TypeBase.h:8657
clang::ento::BlockDataRegion
BlockDataRegion - A region that represents a block instance.
Definition MemRegion.h:706
clang::ento::BlockDataRegion::getDecl
LLVM_ATTRIBUTE_RETURNS_NONNULL const BlockDecl * getDecl() const
Definition MemRegion.h:736
clang::ento::BlockDataRegion::referenced_vars
llvm::iterator_range< referenced_vars_iterator > referenced_vars() const
Definition MemRegion.cpp:1838
clang::ento::CheckerContext::getPredecessor
ExplodedNode * getPredecessor()
Returns the previous node in the exploded graph, which includes the state of the program before the c...
Definition CheckerContext.h:80
clang::ento::CheckerContext::generateNonFatalErrorNode
ExplodedNode * generateNonFatalErrorNode(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generate a transition to a node that will be used to report an error.
Definition CheckerContext.h:273
clang::ento::CheckerContext::emitReport
void emitReport(std::unique_ptr< BugReport > R)
Emit the diagnostics report.
Definition CheckerContext.h:295
clang::ento::CheckerFamily
Checker families (where a single backend class implements multiple related frontends) should derive f...
Definition Checker.h:584
clang::ento::ExplodedNode::getState
const ProgramStateRef & getState() const
Definition ExplodedGraph.h:169
clang::ento::ExplodedNode::getLocation
ProgramPoint getLocation() const
getLocation - Returns the edge associated with the given node.
Definition ExplodedGraph.h:145
clang::ento::ExplodedNode::getLocationContext
const LocationContext * getLocationContext() const
Definition ExplodedGraph.h:147
clang::ento::ExplodedNode::getFirstPred
ExplodedNode * getFirstPred()
Definition ExplodedGraph.h:209
clang::ento::ExprEngine::cleanupNodeTag
static const ProgramPointTag * cleanupNodeTag()
A tag to track convenience transitions, which can be removed at cleanup.
Definition ExprEngine.cpp:1113
clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition MemRegion.h:98
clang::ento::MemRegion::getMemorySpaceAs
const MemSpace * getMemorySpaceAs(ProgramStateRef State) const
Definition MemRegion.h:143
clang::ento::MemRegion::getMemorySpace
LLVM_ATTRIBUTE_RETURNS_NONNULL const MemSpaceRegion * getMemorySpace(ProgramStateRef State) const
Returns the most specific memory space for this memory region in the given ProgramStateRef.
Definition MemRegion.cpp:1397
clang::ento::MemRegion::getBaseRegion
LLVM_ATTRIBUTE_RETURNS_NONNULL const MemRegion * getBaseRegion() const
Definition MemRegion.cpp:1422
clang::ento::MemRegion::printPretty
virtual void printPretty(raw_ostream &os) const
Print the region for use in diagnostics.
Definition MemRegion.cpp:653
clang::ento::MemRegion::getAs
const RegionTy * getAs() const
Definition MemRegion.h:1416
clang::ento::MemRegion::canPrintPretty
virtual bool canPrintPretty() const
Returns true if this region can be printed in a user-friendly way.
Definition MemRegion.cpp:634
clang::ento::MemSpaceRegion
MemSpaceRegion - A memory region that represents a "memory space"; for example, the set of global var...
Definition MemRegion.h:236
clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition SVals.h:56
clang::ento::SVal::getAsRegion
const MemRegion * getAsRegion() const
Definition SVals.cpp:119
clang::ento::ScanReachableSymbols
A utility class that visits the reachable symbols using a custom SymbolVisitor.
Definition ProgramState.h:890
clang::ento::StackSpaceRegion::getStackFrame
LLVM_ATTRIBUTE_RETURNS_NONNULL const StackFrameContext * getStackFrame() const
Definition MemRegion.h:433
clang::ento::SymbolicRegion
SymbolicRegion - A special, "non-concrete" region.
Definition MemRegion.h:808
clang::ento::ProgramStateRef
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Definition ProgramState_Fwd.h:37
clang::ento::SymbolRef
const SymExpr * SymbolRef
Definition SymExpr.h:133
clang::ento::ObjKind::OS
@ OS
Indicates that the tracking object is a descendant of a referenced-counted OSObject,...
Definition RetainSummaryManager.h:51
clang::ento::Store
const void * Store
Store - This opaque type encapsulates an immutable mapping from locations to values.
Definition StoreRef.h:27
clang::transformer::range
RangeSelector range(RangeSelector Begin, RangeSelector End)
DEPRECATED. Use enclose.
Definition RangeSelector.h:45
clang
The JSON file list parser is used to communicate input to InstallAPI.
Definition CalledOnceCheck.h:17
clang::isa
bool isa(CodeGen::Address addr)
Definition Address.h:330
clang::T
const FunctionProtoType * T
Definition RecursiveASTVisitor.h:1414
Generated on for clang by doxygen 1.14.0