Page History

...

Code Block

bgColor	#FFcccc
lang	cpp

class S { 
  int v; 
 
public: 
  S() : v(12) {} // Non-trivial constructor 
 
  void f(); 
};   
 
void f() { 
 
  // ...   
 
  goto bad_idea;   
 
  // ... 
 
  S s; // Control passes over the declaration, so initialization does not take place.   
 
  bad_idea: 
    s.f(); 
}

Compliant Solution

This compliant solution ensures that s is properly initialized prior to performing the local jump.

Code Block

bgColor	#ccccff
lang	cpp

class S { 
  int v; 
 
public: 
  S() : v(12) {} // Non-trivial constructor 
  
  void f(); 
};   
 
void f() { 
  S s; 
 
  // ... 
 
  goto bad_idea; 
 
  // ... 
 
  bad_idea: 
    s.f(); 
}

Noncompliant Code Example

In this noncompliant code example, f() is called with an iterable range of objects of type S. These objects are copied into a temporary buffer using std::copy(), and when processing of those objects is complete, the temporary buffer is deallocated. However, the buffer returned by std::get_temporary_buffer() does not contain initialized objects of type S, so when std::copy() dereferences the destination iterator, it results in undefined behavior because the object referenced by the destination iterator has yet to start its lifetime. This is because , while space for the object has been allocated, no constructors or initializers have been invoked.

...

Referencing an object outside of its lifetime can result in an attacker being able to run arbitrary code.

Rule	Severity	Likelihood	Remediation Cost	Priority	Level
EXP54-CPP	High	Probable	High	P6	L2

Automated Detection

Tool

Version

Checker

Description

Astrée

Include Page

	Astrée_V
	Astrée_V

return-reference-local
dangling_pointer_use

Partially checked

Clang

Include Page

	Clang_V
	Clang_V

-Wdangling-initializer-list

Catches some lifetime issues related to incorrect use of std::initializer_list<>

CodeSonar

Include Page

	CodeSonar_V
	CodeSonar_V

IO.UAC
ALLOC.UAF

Use after close
Use after free

LDRA tool suite Include PageLDRA_VLDRA_V

42 D, 53 D, 77 D, 1 J, 71 S, 565 S

Partially implemented

Parasoft C/C++test9.5BD-RES-FREE

Helix QAC

Include Page

	Helix QAC_V
	Helix QAC_V

C++4003, C++4026

DF2812, DF2813, DF2814, DF2930, DF2931, DF2932, DF2933, DF2934,

Klocwork

Include Page

	Klocwork_V
	Klocwork_V

CL.FFM.ASSIGN
CL.FFM.COPY
LOCRET.ARG
LOCRET.GLOB
LOCRET.RET
UFM.DEREF.MIGHT
UFM.DEREF.MUST
UFM.FFM.MIGHT
UFM.FFM.MUST
UFM.RETURN.MIGHT
UFM.RETURN.MUST
UFM.USE.MIGHT
UFM.USE.MUST
UNINIT.HEAP.MIGHT
UNINIT.HEAP.MUST
UNINIT.STACK.ARRAY.MIGHT
UNINIT.STACK.ARRAY.MUST
UNINIT.STACK.ARRAY.PARTIAL.MUST
UNINIT.STACK.MIGHT
UNINIT.STACK.MUST

LDRA tool suite

Include Page

	LDRA_V
	LDRA_V

42 D, 53 D, 77 D, 1 J, 71 S, 565 S

Partially implemented

Parasoft C/C++test

Include Page

	Parasoft_V
	Parasoft_V

CERT_CPP-EXP54-a
CERT_CPP-EXP54-b
CERT_CPP-EXP54-c

Do not use resources that have been freed
The address of an object with automatic storage shall not be returned from a function
The address of an object with automatic storage shall not be assigned to another object that may persist after the first object has ceased to exist

Parasoft Insure++

Runtime detection

Polyspace Bug Finder

Include Page