5bb7ba6222
This patch improves MallocChecker to detect use-after-free bugs when a freed structure's field is passed by address (e.g., `&ptr->field`). Previously, MallocChecker would miss such cases, as it only checked the top-level symbol of argument values. This patch analyzes the base region of arguments and extracts the symbolic region (if any), allowing UAF detection even for field address expressions. Fixes #152446
45 lines
1.0 KiB
C
45 lines
1.0 KiB
C
// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix.Malloc -verify %s
|
|
|
|
#include "Inputs/system-header-simulator-for-malloc.h"
|
|
|
|
struct Obj {
|
|
int field;
|
|
};
|
|
|
|
void use(void *ptr);
|
|
|
|
void test_direct_param_uaf() {
|
|
int *p = (int *)malloc(sizeof(int));
|
|
free(p);
|
|
use(p); // expected-warning{{Use of memory after it is released}}
|
|
}
|
|
|
|
void test_struct_field_uaf() {
|
|
struct Obj *o = (struct Obj *)malloc(sizeof(struct Obj));
|
|
free(o);
|
|
use(&o->field); // expected-warning{{Use of memory after it is released}}
|
|
}
|
|
|
|
void test_no_warning_const_int() {
|
|
use((void *)0x1234); // no-warning
|
|
}
|
|
|
|
void test_no_warning_stack() {
|
|
int x = 42;
|
|
use(&x); // no-warning
|
|
}
|
|
|
|
void test_nested_alloc() {
|
|
struct Obj *o = (struct Obj *)malloc(sizeof(struct Obj));
|
|
use(o); // no-warning
|
|
free(o);
|
|
use(o); // expected-warning{{Use of memory after it is released}}
|
|
}
|
|
|
|
void test_nested_field() {
|
|
struct Obj *o = (struct Obj *)malloc(sizeof(struct Obj));
|
|
int *f = &o->field;
|
|
free(o);
|
|
use(f); // expected-warning{{Use of memory after it is released}}
|
|
}
|