mirror of
https://github.com/github/codeql.git
synced 2026-05-08 15:11:36 +02:00
4ef5c9af62
Some files that will change in #1736 have been spared. ./build -j4 target/jars/qlformat find ql/cpp/ql -name "*.ql" -print0 | xargs -0 target/jars/qlformat --input find ql/cpp/ql -name "*.qll" -print0 | xargs -0 target/jars/qlformat --input (cd ql && git checkout 'cpp/ql/src/semmle/code/cpp/ir/implementation/**/*SSA*.qll') buildutils-internal/scripts/pr-checks/sync-identical-files.py --latest
38 lines
1.2 KiB
Plaintext
38 lines
1.2 KiB
Plaintext
/**
|
|
* @name Local variable address stored in non-local memory
|
|
* @description Storing the address of a local variable in non-local
|
|
* memory can cause a dangling pointer bug if the address
|
|
* is used after the function returns.
|
|
* @kind problem
|
|
* @problem.severity warning
|
|
* @precision medium
|
|
* @id cpp/stack-address-escape
|
|
* @tags reliability
|
|
*/
|
|
|
|
import cpp
|
|
import semmle.code.cpp.dataflow.StackAddress
|
|
|
|
/**
|
|
* Find assignments where the rhs might be a stack pointer and the lhs is
|
|
* not a stack variable. Such assignments might allow a stack address to
|
|
* escape.
|
|
*/
|
|
predicate stackAddressEscapes(AssignExpr assignExpr, Expr source, boolean isLocal) {
|
|
stackPointerFlowsToUse(assignExpr.getRValue(), _, source, isLocal) and
|
|
not stackReferenceFlowsToUse(assignExpr.getLValue(), _, _, _)
|
|
}
|
|
|
|
from Expr use, Expr source, boolean isLocal, string msg, string srcStr
|
|
where
|
|
stackAddressEscapes(use, source, isLocal) and
|
|
if isLocal = true
|
|
then (
|
|
msg = "A stack address ($@) may be assigned to a non-local variable." and
|
|
srcStr = "source"
|
|
) else (
|
|
msg = "A stack address which arrived via a $@ may be assigned to a non-local variable." and
|
|
srcStr = "parameter"
|
|
)
|
|
select use, msg, source, srcStr
|