...
```cpp
class S {
  int v;
public:
  S() : v(12) {} // Non-trivial constructor
  void f();
};

void f() {
  // ...
  goto bad_idea;
  // ...
  S s; // Control passes over the declaration, so initialization does not take place.
bad_idea:
  s.f();
}
```
Compliant Solution
This compliant solution ensures that s is properly initialized prior to performing the local jump.
```cpp
class S {
  int v;
public:
  S() : v(12) {} // Non-trivial constructor
  void f();
};

void f() {
  S s;
  // ...
  goto bad_idea;
  // ...
bad_idea:
  s.f();
}
```
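The following is an added example, not code from the CERT page, showing two ways a forward goto can coexist with an object that has a non-trivial constructor: constructing the object before the jump (the page's compliant solution) or jumping past the whole block that owns the object, so the label is never inside the object's scope. The class S and the functions useAfterConstruct and skipWholeBlock are hypothetical names chosen for this example; f() is given a return value so its result can be checked.

```cpp
#include <cstdio>

// Hypothetical class for this example: the non-trivial constructor is what makes
// jumping over the declaration a lifetime problem.
class S {
    int v;
public:
    S() : v(12) {}            // Non-trivial constructor
    int f() const { return v; }
};

// Pattern 1 (the page's compliant solution): construct s before any jump, so the
// code at the label always sees an object within its lifetime.
int useAfterConstruct(bool skipWork) {
    S s;                      // constructed before the goto
    int result = 0;
    if (skipWork) goto done;
    result += 100;            // work that may be skipped
done:
    result += s.f();          // s is alive here on every path
    return result;
}

// Pattern 2: the jump bypasses the entire block in which s lives. It never enters
// s's scope, so no declaration with initialization is crossed.
int skipWholeBlock(bool skipWork) {
    int result = 0;
    if (skipWork) goto done;
    {
        S s;                  // constructed only on the non-skipping path
        result += s.f();
    }                         // s destroyed here, before the label
done:
    return result;
}

// The page's noncompliant form jumps from a point where s is not in scope to a
// point where it is, crossing its initialization. C++ [stmt.dcl] makes this
// ill-formed for a class with a non-trivial constructor; GCC and Clang reject it
// ("jump to label crosses initialization"). Kept under #if 0 so the file builds.
#if 0
int crossesInitialization() {
    goto bad_idea;
    S s;
bad_idea:
    return s.f();
}
#endif

int main() {
    std::printf("%d %d %d %d\n",
                useAfterConstruct(false), useAfterConstruct(true),
                skipWholeBlock(false), skipWholeBlock(true));
    return 0;
}
```

Pattern 2 is the one to reach for when the object is only needed on the path that is sometimes skipped: its lifetime ends at the closing brace before the label, so there is nothing for the label's code to use after its lifetime.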
Noncompliant Code Example
...
Referencing an object outside of its lifetime can result in an attacker being able to run arbitrary code.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
EXP54-CPP | High | Probable | High | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description
---|---|---|---
Astrée | | return-reference-local, dangling_pointer_use | Partially checked
Clang | | -Wdangling-initializer-list | Catches some lifetime issues related to incorrect use of std::initializer_list<>
CodeSonar | | IO.UAC | Use after close; Use after free
Helix QAC | | C++4003, C++4026, DF2812, DF2813, DF2814, DF2930, DF2931, DF2932, DF2933, DF2934 |
Klocwork | | CL.FFM.ASSIGN, CL.FFM.COPY, LOCRET.ARG, LOCRET.GLOB, LOCRET.RET, UFM.DEREF.MIGHT, UFM.DEREF.MUST, UFM.FFM.MIGHT, UFM.FFM.MUST, UFM.RETURN.MIGHT, UFM.RETURN.MUST, UFM.USE.MIGHT, UFM.USE.MUST, UNINIT.HEAP.MIGHT, UNINIT.HEAP.MUST, UNINIT.STACK.ARRAY.MIGHT, UNINIT.STACK.ARRAY.MUST, UNINIT.STACK.ARRAY.PARTIAL.MUST, UNINIT.STACK.MIGHT, UNINIT.STACK.MUST |
LDRA tool suite | | 42 D, 53 D, 77 D, 1 J, 71 S, 565 S | Partially implemented
Parasoft C/C++test | | CERT_CPP-EXP54-a | Do not use resources that have been freed
Parasoft Insure++ | | | Runtime detection
Polyspace Bug Finder | | CERT C++: EXP54-CPP | Checks for: … Rule partially covered.
PVS-Studio | | V758, V1041, V1099 |
RuleChecker | | return-reference-local | Partially checked
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
...