SLIDE 1
A checker for dangling string pointers in C++ in the Clang Static Analyzer
Réka Kovács, Eötvös Loránd University, Budapest, Hungary
rekanikolett@gmail.com
Mentors: Artem Dergachev, Gábor Horváth
SLIDE 2
Real-world example
return std::to_string(size).c_str();
SLIDE 3
Real-world example
return std::to_string(size).c_str();
std::to_string() creates a temporary object; the caller will receive a pointer to an already deallocated character buffer.
SLIDE 4
Real-world example
return std::to_string(size).c_str();
std::to_string() creates a temporary object; the caller will receive a pointer to an already deallocated character buffer.
We found code like this in popular open-source projects.
SLIDE 5
cplusplus.InnerPointer
- Raw pointer to buffer obtained from string: c_str(), data()
- Operation that re/deallocates the buffer: dtor, =, +=, assign(), clear(), erase(), insert(), ...
- Use of the raw pointer: warning 'Inner pointer of container used after re/deallocation'
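The three-step pattern above (obtain inner pointer, re/deallocate, use) and the std::to_string() return from the earlier slides, shown side by side with the forms that keep the pointer valid. This is an added example, not code from the slides or from the checker; the function names and the suffix string are constructed for illustration.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Constructed sample input: appending this is enough to force a reallocation
// on any short-string-optimized std::string.
static const char* const kSuffix = " (reallocation possible)";

// The pattern cplusplus.InnerPointer reports. Deliberately buggy: the pointer
// from c_str() is kept across an operation that may reallocate the buffer.
// Not called below, because reading through p is undefined behaviour.
std::size_t dangling_length(std::string s) {
    const char* p = s.c_str();   // 1. raw inner pointer obtained
    s += kSuffix;                // 2. operation that may re/deallocate the buffer
    return std::strlen(p);       // 3. use of the stale pointer -> warning
}

// Safe variant 1: obtain the pointer again after the last mutating operation.
std::size_t refetched_length(std::string s) {
    s += kSuffix;
    const char* p = s.c_str();   // obtained after the mutation, so still valid
    return std::strlen(p);
}

// Safe variant 2: copy the bytes into an owning object before mutating.
std::string copy_before_mutation(std::string s) {
    std::string snapshot(s.c_str());   // snapshot owns its own buffer
    s.clear();                         // s may release its buffer; snapshot is unaffected
    return snapshot;
}

// Safe variant 3: the dangling-return case from the slides, fixed by returning
// the owning std::string instead of a pointer into a temporary.
std::string size_as_string(std::size_t size) {
    return std::to_string(size);       // caller owns the buffer
}
```

The checker keys on exactly the sequence in dangling_length: a pointer taken via c_str() or data(), a call from the re/deallocating set (here operator+=), and a later use of that pointer. The safe variants break the chain either by re-fetching the pointer after the mutation or by never holding a raw pointer across it.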
SLIDE 6
cplusplus.InnerPointer
Evaluated on a couple of open-source projects (+ dependencies): Bitcoin, Ceph, Harfbuzz, ICU, LibreOffice, LLVM, qBittorrent
Found 3 true positives in Ceph, GPGME and Facebook's RocksDB; reported & fixed within a day
Found 0 false positives in these projects!
Please try it out and give feedback!
SLIDE 7
Future plans
- std::string_view
- other STL / non-STL containers
SLIDE 8
How to use
Enabled by default
Analyze one file: $ clang --analyze a.cpp
Analyze a project: $ scan-build
SLIDE 9