...

```cpp
class S {
  int v;

public:
  S() : v(12) {} // Non-trivial constructor

  void f();
};

void f() {

  // ...

  goto bad_idea; // Ill-formed ([stmt.dcl]): the jump bypasses the initialization of s

  // ...

  S s; // Control passes over the declaration, so initialization does not take place.

bad_idea:
  s.f();
}
```

Compliant Solution

This compliant solution ensures that s is properly initialized prior to performing the local jump.

```cpp
class S {
  int v;

public:
  S() : v(12) {} // Non-trivial constructor

  void f();
};

void f() {
  S s;

  // ...

  goto bad_idea;

  // ...

bad_idea:
  s.f();
}
```
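As an added example (not code from the CERT page), the compliant pattern generalized: the page's class S is instrumented with a lifetime log so a test can confirm that every call to s.f() happens between construction and destruction, both for a forward goto that never bypasses the declaration and for an RAII-only version without a jump. The event log, the two functions and the checker are assumptions introduced here.

```cpp
#include <string>
#include <vector>

// Constructed lifetime log (not part of the CERT rule): every object records
// when its lifetime begins and ends and when it is used, so the ordering can
// be checked afterwards.
static std::vector<std::string> g_events;

class S {
  int v;

public:
  S() : v(12) { g_events.push_back("ctor"); } // Non-trivial constructor
  ~S() { g_events.push_back("dtor"); }
  int f() { g_events.push_back("use"); return v; }
};

// Compliant: s is declared before the jump and the label lies inside its
// scope, so the goto skips only the optional work, never the initialization.
int with_goto(bool skip_work) {
  S s;
  if (skip_work) goto done;
  g_events.push_back("work");
done:
  return s.f();
}

// Same behaviour without a jump: RAII plus a plain conditional.
int with_raii(bool skip_work) {
  S s;
  if (!skip_work) g_events.push_back("work");
  return s.f();
}

// Returns true if every "use" occurs while at least one object is alive and
// every lifetime that began has also ended.
bool uses_within_lifetime(const std::vector<std::string>& events) {
  int live = 0;
  for (const std::string& e : events) {
    if (e == "ctor") {
      ++live;
    } else if (e == "dtor") {
      if (live == 0) return false;
      --live;
    } else if (e == "use" && live == 0) {
      return false;
    }
  }
  return live == 0;
}
```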

Noncompliant Code Example

...

Referencing an object outside of its lifetime can result in an attacker being able to run arbitrary code.

Rule       Severity  Likelihood  Remediation Cost  Priority  Level
EXP54-CPP  High      Probable    High              P6        L2

Automated Detection

Tool: Astrée
  Checker: return-reference-local, dangling_pointer_use
  Description: Partially checked

Tool: Clang
  Checker: -Wdangling-initializer-list
  Description: Catches some lifetime issues related to incorrect use of std::initializer_list<>

Tool: CodeSonar
  Checker: IO.UAC, ALLOC.UAF
  Description: Use after close, Use after free

Tool: Helix QAC
  Checker: C++4003, C++4026, DF2812, DF2813, DF2814, DF2930, DF2931, DF2932, DF2933, DF2934

Tool: Klocwork
  Checker:
    CL.FFM.ASSIGN
    CL.FFM.COPY
    LOCRET.ARG
    LOCRET.GLOB
    LOCRET.RET
    UFM.DEREF.MIGHT
    UFM.DEREF.MUST
    UFM.FFM.MIGHT
    UFM.FFM.MUST
    UFM.RETURN.MIGHT
    UFM.RETURN.MUST
    UFM.USE.MIGHT
    UFM.USE.MUST
    UNINIT.HEAP.MIGHT
    UNINIT.HEAP.MUST
    UNINIT.STACK.ARRAY.MIGHT
    UNINIT.STACK.ARRAY.MUST
    UNINIT.STACK.ARRAY.PARTIAL.MUST
    UNINIT.STACK.MIGHT
    UNINIT.STACK.MUST

Tool: LDRA tool suite
  Checker: 42 D, 53 D, 77 D, 1 J, 71 S, 565 S
  Description: Partially implemented

Tool: Parasoft C/C++test
  Checker: CERT_CPP-EXP54-a, CERT_CPP-EXP54-b, CERT_CPP-EXP54-c
  Description:
    • Do not use resources that have been freed
    • The address of an object with automatic storage shall not be returned from a function
    • The address of an object with automatic storage shall not be assigned to another object that may persist after the first object has ceased to exist

Tool: Parasoft Insure++
  Description: Runtime detection

Tool: Polyspace Bug Finder
  Checker: CERT C++: EXP54-CPP
  Description: Checks for:
    • Non-initialized variable or pointer
    • Use of previously freed pointer
    • Pointer or reference to stack variable leaving scope
    • Accessing object with temporary lifetime
  Rule partially covered.

Tool: PVS-Studio
  Checker: V758, V1041, V1099

Tool: RuleChecker
  Checker: return-reference-local
  Description: Partially checked

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Bibliography

[Coverity 2007]
[ISO/IEC 14882-2014] Subclause 3.8, "Object Lifetime"
                     Subclause 8.5.4, "List-Initialization"


...
