Hi
When reading the SEI CERT C Coding Standard rules, looking at
"DCL30-C. Declare objects with appropriate storage durations",
it seems like GCC does not warn at compile time for some noncompliant examples.
I know e.g. AddressSanitizer and several runtime tools find these bugs,
but it would be convenient if GCC could do some basic static analysis already
at compile time to avoid bad code generation.
Some static analysers find these bugs, but not all, and GCC does not warn.
Example from DCL30-C, not warned by GCC:
/* NONCOMPLIANT EXAMPLE-1 */
#include <stdio.h>

const char *p;

void dont_do_this(void) {
    const char c_str[] = "This will change";
    p = c_str; /* Dangerous */
}

void innocuous(void) {
    printf("%s\n", p);
}

int main(void) {
    dont_do_this();
    innocuous();
    return 0;
}

/* NONCOMPLIANT EXAMPLE-2 */
void squirrel_away(char **ptr_param) {
    char local[10];
    /* Initialize array */
    *ptr_param = local;
}

void rodent(void) {
    char *ptr;
    squirrel_away(&ptr);
    /* ptr is live but invalid here */
}
Question: where in GCC is the most appropriate place to implement such a
checker?
I know there are some warnings for return-local-addr and
null-pointer-dereference in some different parts, but this seems different?
Can it be found by points-to analysis, or where is it best to put this warning
if it is being implemented?
Reference:
https://wiki.sei.cmu.edu/confluence/display/c/DCL30-C.+Declare+objects+with+appropriate+storage+durations
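For readers following the two DCL30-C examples above, here is an added example (not part of the original post, nor CERT's own code) showing the compliant rewrites that a checker would be expected to accept: the global pointer is aimed at an object with static storage duration, and the out-parameter pattern is replaced by copying into caller-owned storage or by an explicit heap allocation. The function names `do_this_instead`, `current_message`, `squirrel_away_safe`, `squirrel_away_heap` and the `"local data"` contents are assumptions chosen for this example.

```c
/* Added example: compliant counterparts to the DCL30-C noncompliant code.
 * Not from the original post; names and string contents are made up. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Compliant form of EXAMPLE-1: the target has static storage duration,
 * so the file-scope pointer can never outlive the object it points to. */
static const char *p;

void do_this_instead(void) {
    static const char c_str[] = "This will change";
    p = c_str;                 /* OK: c_str lives for the whole program */
}

const char *current_message(void) {
    return p;                  /* still valid after do_this_instead() returns */
}

/* Compliant form of EXAMPLE-2: the callee copies into a buffer the caller
 * owns, so no automatic-storage address escapes this function.
 * Returns 0 on success, -1 if dest is NULL or too small. */
int squirrel_away_safe(char *dest, size_t dest_len) {
    const char local[] = "local data";             /* automatic storage */
    if (dest == NULL || dest_len < sizeof local)   /* refuse to truncate */
        return -1;
    memcpy(dest, local, sizeof local);             /* copy, do not alias */
    return 0;
}

/* Alternative: heap allocation transfers ownership explicitly.
 * Returns NULL on allocation failure; caller must free() the result. */
char *squirrel_away_heap(void) {
    const char local[] = "local data";
    char *copy = malloc(sizeof local);
    if (copy != NULL)
        memcpy(copy, local, sizeof local);
    return copy;
}

/* Caller-side use of the safe variant; returns 0 when buf holds the data. */
int rodent(void) {
    char buf[16];
    if (squirrel_away_safe(buf, sizeof buf) != 0)
        return -1;
    return strcmp(buf, "local data");              /* 0: buf is valid here */
}

int main(void) {
    do_this_instead();
    printf("%s\n", current_message());
    char small[4];
    printf("undersized buffer rejected: %d\n",
           squirrel_away_safe(small, sizeof small));
    char *h = squirrel_away_heap();
    if (h != NULL) {
        printf("%s\n", h);
        free(h);
    }
    return rodent();
}
```

The difference a checker would key on is that in the compliant versions the address of an automatic object is never stored through a pointer that outlives the frame (global, out-parameter, or return value); only copies of its contents leave the function. Later GCC releases ship a symbolic-execution pass under `-fanalyzer` that tracks exactly this kind of stale-frame pointer use across calls, which is a different place in the compiler from the per-function `-Wreturn-local-addr` warning the post mentions.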