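//=== StackAddrEscapeChecker.cpp ----------------------------------*- C++ -*--//
//
//                     The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// This file defines stack address leak checker, which checks if an invalid
// stack address is stored into a global or heap location. See CERT DCL30-C.
//
// The two checks implemented below are:
//   * checkPreStmt(ReturnStmt): the returned value is a region that lives in
//     the stack frame that is about to be popped.
//   * checkEndPath: at the end of a path, a global variable is still bound to
//     a region that lives in the stack frame that is about to be popped.
// In both cases the pointer dangles once the function returns, so any later
// dereference by the caller reads or writes memory the frame no longer owns.
//
// NOTE(review): no check for stores into heap locations is visible in this
// file; only returns and bindings to global variables are examined.
//
//===----------------------------------------------------------------------===//

#include "ClangSACheckers.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/Basic/SourceManager.h"
#include "llvm/ADT/SmallString.h"
using namespace clang;
using namespace ento;

namespace {
/// Path-sensitive checker that reports stack addresses escaping the frame
/// that owns them, either through a return value or through a global.
class StackAddrEscapeChecker : public Checker< check::PreStmt<ReturnStmt>,
                                               check::EndPath > {
  // Bug types are created lazily on first report; 'mutable' because the
  // checker callbacks are const.
  mutable OwningPtr<BuiltinBug> BT_stackleak;
  mutable OwningPtr<BuiltinBug> BT_returnstack;

public:
  /// Reports a return statement whose value is a region in the current
  /// stack frame.
  void checkPreStmt(const ReturnStmt *RS, CheckerContext &C) const;

  /// Reports global variables that are still bound to a region in the
  /// current stack frame when the path ends.
  void checkEndPath(CheckerContext &Ctx) const;
private:
  /// Builds and emits the "returned to caller" report for region \p R.
  void EmitStackError(CheckerContext &C, const MemRegion *R,
                      const Expr *RetE) const;

  /// Writes "Address of <description of R>" to \p os and returns the source
  /// range of the construct that introduced the region.
  static SourceRange GenName(raw_ostream &os, const MemRegion *R,
                             SourceManager &SM);
};
}

/// Describe the stack region \p R for a diagnostic.
///
/// Writes the common prefix "Address of <description>" to \p os. The callers
/// append their own suffix (" returned to caller" or " is still referred to
/// by the global variable ..."), so no branch here may add one.
///
/// \param os  Stream receiving the description.
/// \param R   Region to describe; reduced to its base region first.
/// \param SM  Used to turn source locations into expansion line numbers.
/// \returns   Source range of the literal, alloca call, block, variable
///            declaration or temporary expression behind the region.
SourceRange StackAddrEscapeChecker::GenName(raw_ostream &os,
                                            const MemRegion *R,
                                            SourceManager &SM) {
    // Get the base region, stripping away fields and elements.
  R = R->getBaseRegion();
  SourceRange range;
  os << "Address of ";

  // Check if the region is a compound literal.
  if (const CompoundLiteralRegion* CR = dyn_cast<CompoundLiteralRegion>(R)) {
    const CompoundLiteralExpr *CL = CR->getLiteralExpr();
    // Fix: this branch used to append " returned to caller" itself. Both
    // callers already append a suffix, so the return diagnostic read
    // "... returned to caller returned to caller" and the global-variable
    // diagnostic read "... returned to caller is still referred to by ...".
    os << "stack memory associated with a compound literal "
          "declared on line "
        << SM.getExpansionLineNumber(CL->getLocStart());
    range = CL->getSourceRange();
  }
  else if (const AllocaRegion* AR = dyn_cast<AllocaRegion>(R)) {
    const Expr *ARE = AR->getExpr();
    SourceLocation L = ARE->getLocStart();
    range = ARE->getSourceRange();
    os << "stack memory allocated by call to alloca() on line "
       << SM.getExpansionLineNumber(L);
  }
  else if (const BlockDataRegion *BR = dyn_cast<BlockDataRegion>(R)) {
    const BlockDecl *BD = BR->getCodeRegion()->getDecl();
    SourceLocation L = BD->getLocStart();
    range = BD->getSourceRange();
    os << "stack-allocated block declared on line "
       << SM.getExpansionLineNumber(L);
  }
  else if (const VarRegion *VR = dyn_cast<VarRegion>(R)) {
    os << "stack memory associated with local variable '"
       << VR->getString() << '\'';
    range = VR->getDecl()->getSourceRange();
  }
  else if (const CXXTempObjectRegion *TOR = dyn_cast<CXXTempObjectRegion>(R)) {
    os << "stack memory associated with temporary object of type '"
       << TOR->getValueType().getAsString() << '\'';
    range = TOR->getExpr()->getSourceRange();
  }
  else {
    // Callers only pass regions whose memory space is a StackSpaceRegion;
    // any base region kind not listed above is treated as a checker bug.
    llvm_unreachable("Invalid region in ReturnStackAddressChecker.");
  }

  return range;
}

/// Emit a "Return of address to stack-allocated memory" report.
///
/// \param C     Checker context of the return statement.
/// \param R     Stack region whose address is being returned.
/// \param RetE  Returned expression; its range is highlighted in the report.
void StackAddrEscapeChecker::EmitStackError(CheckerContext &C, const MemRegion *R,
                                            const Expr *RetE) const {
  // The report is attached to a sink node, so this path is not explored
  // further after the bad return.
  ExplodedNode *N = C.generateSink();

  if (!N)
    return;

  if (!BT_returnstack)
   BT_returnstack.reset(
                 new BuiltinBug("Return of address to stack-allocated memory"));

  // Generate a report for this bug.
  SmallString<512> buf;
  llvm::raw_svector_ostream os(buf);
  SourceRange range = GenName(os, R, C.getSourceManager());
  os << " returned to caller";
  // NOTE(review): the raw BugReport is handed to EmitReport below and never
  // deleted here; presumably EmitReport takes ownership — confirm.
  BugReport *report = new BugReport(*BT_returnstack, os.str(), N);
  report->addRange(RetE->getSourceRange());
  if (range.isValid())
    report->addRange(range);

  C.EmitReport(report);
}

/// Check a return statement for a value that points into the current frame.
///
/// Nothing is reported when there is no return value, the value is not a
/// region, the region is not in stack space, the region belongs to a
/// different stack frame, the region is a block under ARC, or the returned
/// expression constructs a record by value.
void StackAddrEscapeChecker::checkPreStmt(const ReturnStmt *RS,
                                          CheckerContext &C) const {

  const Expr *RetE = RS->getRetValue();
  if (!RetE)
    return;
  RetE = RetE->IgnoreParens();

  const LocationContext *LCtx = C.getLocationContext();
  SVal V = C.getState()->getSVal(RetE, LCtx);
  const MemRegion *R = V.getAsRegion();

  if (!R)
    return;

  // dyn_cast_or_null: a missing memory space is treated like a non-stack one.
  const StackSpaceRegion *SS =
    dyn_cast_or_null<StackSpaceRegion>(R->getMemorySpace());

  if (!SS)
    return;

  // Return stack memory in an ancestor stack frame is fine: only memory
  // owned by the frame that is returning becomes invalid.
  const StackFrameContext *CurFrame = LCtx->getCurrentStackFrame();
  const StackFrameContext *MemFrame = SS->getStackFrame();
  if (MemFrame != CurFrame)
    return;

  // Automatic reference counting automatically copies blocks.
  if (C.getASTContext().getLangOpts().ObjCAutoRefCount &&
      isa<BlockDataRegion>(R))
    return;

  // Returning a record by value is fine. (In this case, the returned
  // expression will be a copy-constructor, possibly wrapped in an
  // ExprWithCleanups node.)
  if (const ExprWithCleanups *Cleanup = dyn_cast<ExprWithCleanups>(RetE))
    RetE = Cleanup->getSubExpr();
  if (isa<CXXConstructExpr>(RetE) && RetE->getType()->isRecordType())
    return;

  EmitStackError(C, R, RetE);
}

/// At the end of a path, report every global variable that is still bound to
/// a region in the current stack frame.
void StackAddrEscapeChecker::checkEndPath(CheckerContext &Ctx) const {
  ProgramStateRef state = Ctx.getState();

  // Iterate over all bindings to global variables and see if it contains
  // a memory region in the stack space.
  class CallBack : public StoreManager::BindingsHandler {
  private:
    CheckerContext &Ctx;
    const StackFrameContext *CurSFC;
  public:
    // (global region, stack region) pairs collected for reporting.
    SmallVector<std::pair<const MemRegion*, const MemRegion*>, 10> V;

    CallBack(CheckerContext &CC) :
      Ctx(CC),
      CurSFC(CC.getLocationContext()->getCurrentStackFrame())
    {}

    // Always returns true; presumably that asks iterBindings to keep
    // going — confirm against StoreManager::BindingsHandler.
    bool HandleBinding(StoreManager &SMgr, Store store,
                       const MemRegion *region, SVal val) {

      // Only bindings whose destination is in globals space are of interest.
      if (!isa<GlobalsSpaceRegion>(region->getMemorySpace()))
        return true;

      const MemRegion *vR = val.getAsRegion();
      if (!vR)
        return true;

      // Under automated retain release, it is okay to assign a block
      // directly to a global variable.
      if (Ctx.getASTContext().getLangOpts().ObjCAutoRefCount &&
          isa<BlockDataRegion>(vR))
        return true;

      // NOTE(review): checkPreStmt guards getMemorySpace() with
      // dyn_cast_or_null, while isa<>/dyn_cast<> here assume a non-null
      // result — confirm that assumption holds for store bindings.
      if (const StackSpaceRegion *SSR =
          dyn_cast<StackSpaceRegion>(vR->getMemorySpace())) {
        // If the global variable holds a location in the current stack frame,
        // record the binding to emit a warning.
        if (SSR->getStackFrame() == CurSFC)
          V.push_back(std::make_pair(region, vR));
      }

      return true;
    }
  };

  CallBack cb(Ctx);
  state->getStateManager().getStoreManager().iterBindings(state->getStore(),cb);

  if (cb.V.empty())
    return;

  // Generate an error node. Unlike EmitStackError this is a normal
  // transition, not a sink; all reports below share this node.
  ExplodedNode *N = Ctx.addTransition(state);
  if (!N)
    return;

  if (!BT_stackleak)
    BT_stackleak.reset(
      new BuiltinBug("Stack address stored into global variable",
                     "Stack address was saved into a global variable. "
                     "This is dangerous because the address will become "
                     "invalid after returning from the function"));

  for (unsigned i = 0, e = cb.V.size(); i != e; ++i) {
    // Generate a report for this bug.
    SmallString<512> buf;
    llvm::raw_svector_ostream os(buf);
    SourceRange range = GenName(os, cb.V[i].second,
                                Ctx.getSourceManager());
    os << " is still referred to by the global variable '";
    // cast<> asserts that the base of the global region is a VarRegion.
    // NOTE(review): confirm every region in globals space that can hold a
    // binding has a VarRegion base, otherwise this cast fails.
    const VarRegion *VR = cast<VarRegion>(cb.V[i].first->getBaseRegion());
    os << *VR->getDecl()
       << "' upon returning to the caller.  This will be a dangling reference";
    BugReport *report = new BugReport(*BT_stackleak, os.str(), N);
    if (range.isValid())
      report->addRange(range);

    Ctx.EmitReport(report);
  }
}

/// Registration hook: adds StackAddrEscapeChecker to the checker manager.
void ento::registerStackAddrEscapeChecker(CheckerManager &mgr) {
  mgr.registerChecker<StackAddrEscapeChecker>();
}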