Issue: 152446
Summary: Clang Static Analyzer (MallocChecker) misses use-after-free via field address (e.g. `&ptr->field`)
Labels: clang
Assignees:
Reporter: LoboQ1ng
Clang Static Analyzer's `MallocChecker` currently **fails to detect use-after-free** when the memory is accessed via the address of a field inside a freed structure.
For example, the following use-after-free goes undetected:
```c
#include <stdlib.h>

struct Obj {
    int field;
};

void use(void *);

void test() {
    struct Obj *o = malloc(sizeof(struct Obj));
    free(o);                 // o now points to freed memory
    use(&o->field);          // ⚠️ No warning reported by CSA (MallocChecker)
}
```
In this example, the heap memory pointed to by `o` has been freed, yet `&o->field` is passed to a function. This is a classic use-after-free bug, but MallocChecker does not currently report it.

**Root Cause**

In `MallocChecker.cpp`, argument checking currently relies on:
```cpp
SymbolRef Sym = ArgSVal.getAsSymbol();
```
This fails for field address expressions like `&ptr->field`, because such expressions produce a `MemRegionVal` (a `FieldRegion` nested inside the `SymbolicRegion` that `malloc` returned), and `getAsSymbol()` does not extract the base symbol in those cases.
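To make the root cause concrete, here is an added, self-contained toy model (written for this report, not Clang's code) of the value/region classes involved. It mirrors the names `SVal`, `MemRegion`, `SymbolicRegion`, `FieldRegion` and `getAsSymbol()`, and the `IncludeBaseRegions` flag that the real `SVal::getAsSymbol` accepts, but the class bodies, the symbol name `conj_$0{malloc return}` and the `isUseAfterFree` helper are constructed for illustration. The scenario it builds is the one from the test case above: `o` holds a symbolic heap region, `&o->field` is a field region nested in it, and the symbol is in the freed set after `free(o)`. Looking the symbol up without walking to the base region misses the field argument; walking the super-region chain (any depth, so an intervening element region would be handled too) recovers it.

```cpp
#include <set>
#include <string>
#include <utility>

// Toy model of the analyzer's value/region classes (constructed for this
// example; it is not Clang's code and only mirrors the names).
struct SymExpr {
  std::string Name;
};
using SymbolRef = const SymExpr *;

struct MemRegion {
  virtual ~MemRegion() = default;
  // The region this one is nested in; nullptr for a base region.
  virtual const MemRegion *getSuperRegion() const { return nullptr; }
  // Walk super regions to the outermost one, whatever the nesting depth.
  const MemRegion *getBaseRegion() const {
    const MemRegion *R = this;
    while (const MemRegion *S = R->getSuperRegion())
      R = S;
    return R;
  }
};

// Memory whose location is known only by a symbol, e.g. malloc()'s return.
struct SymbolicRegion : MemRegion {
  SymbolRef Sym;
  explicit SymbolicRegion(SymbolRef S) : Sym(S) {}
};

// A struct field lying inside its super region.
struct FieldRegion : MemRegion {
  std::string Field;
  const MemRegion *Super;
  FieldRegion(std::string F, const MemRegion *S)
      : Field(std::move(F)), Super(S) {}
  const MemRegion *getSuperRegion() const override { return Super; }
};

// A value is either a plain symbol or a region (cf. loc::MemRegionVal).
struct SVal {
  SymbolRef Sym = nullptr;
  const MemRegion *Region = nullptr;

  // Without IncludeBaseRegions, only a symbol or a symbolic region itself
  // yields a symbol; a FieldRegion such as &o->field yields nullptr, which
  // is the gap the report describes.
  SymbolRef getAsSymbol(bool IncludeBaseRegions = false) const {
    if (Sym)
      return Sym;
    const MemRegion *R = Region;
    if (!R)
      return nullptr;
    if (IncludeBaseRegions)
      R = R->getBaseRegion();
    if (auto *SR = dynamic_cast<const SymbolicRegion *>(R))
      return SR->Sym;
    return nullptr;
  }
};

// Stand-in for the checker's argument check (hypothetical helper): an argument
// is a use-after-free if the symbol it resolves to is in the freed set.
bool isUseAfterFree(const SVal &Arg, const std::set<SymbolRef> &Freed,
                    bool IncludeBaseRegions) {
  SymbolRef Sym = Arg.getAsSymbol(IncludeBaseRegions);
  return Sym && Freed.count(Sym) != 0;
}

struct DemoResult {
  bool DirectUse;      // use(o)
  bool FieldUseNoWalk; // use(&o->field), symbol lookup as in the report
  bool FieldUseWalk;   // use(&o->field), lookup via the base region
};

// Constructed scenario: o = malloc(...); free(o); then the two calls above.
DemoResult runDemo() {
  SymExpr MallocRet{"conj_$0{malloc return}"}; // constructed symbol name
  SymbolicRegion Heap(&MallocRet);             // region o points to
  FieldRegion Field("field", &Heap);           // region &o->field points to

  std::set<SymbolRef> Freed;
  Freed.insert(&MallocRet); // analyzer state after free(o)

  SVal ArgO{nullptr, &Heap};
  SVal ArgField{nullptr, &Field};
  return {isUseAfterFree(ArgO, Freed, false),
          isUseAfterFree(ArgField, Freed, false),
          isUseAfterFree(ArgField, Freed, true)};
}

int main() {
  DemoResult R = runDemo();
  // Expected: direct use caught, field use missed without the walk, caught with it.
  return (R.DirectUse && !R.FieldUseNoWalk && R.FieldUseWalk) ? 0 : 1;
}
```

The point of the model is the third result: the freed symbol is still reachable from `&o->field`, it just sits on the base region rather than on the field region itself, so a lookup that stops at the outer region never sees it.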
_______________________________________________
llvm-bugs mailing list
llvm-bugs@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs