Clang Static Analyzer (MallocChecker) misses use-after-free via field address (e.g. &ptr->field)

[LoboQ1ng]

Clang Static Analyzer's MallocChecker currently fails to detect use-after-free when the memory is accessed via the address of a field inside a freed structure.

For example, the following use-after-free goes undetected:

#include <stdlib.h>

struct Obj {
  int field;
};

void use(void *);

void test() {
  struct Obj *o = malloc(sizeof(struct Obj));
  free(o);
  use(&o->field); // ⚠️ No warning reported by CSA (MallocChecker)
}

In this example, the heap memory pointed to by o has been freed, yet &o->field is passed to a function. This is a classic use-after-free bug, but MallocChecker does not currently report it.
Root Cause
In MallocChecker.cpp, argument checking currently relies on:

SymbolRef Sym = ArgSVal.getAsSymbol();

This fails for field address expressions like &ptr->field, because such expressions produce a MemRegionVal, and getAsSymbol() does not extract the base symbol in those cases.

[LoboQ1ng]

I've submitted a pull request that addresses this issue:
MallocChecker#152446
This patch enhances MallocChecker so that it correctly detects Use-After-Free (UAF) issues even when fields of a freed object are used, such as &o->field after free(o).

Here is a minimal test program to illustrate the scenarios now detected:

#include <stdlib.h>

struct Obj {
  int field;
};

void use(void *ptr);

void test_nested_field() {
    struct Obj *o = malloc(sizeof(struct Obj));
    int *f = &o->field;
    free(o);
    use(f);  // UAF: field from freed object
}

void test_direct_param_uaf() {
  int *p = (int *)malloc(sizeof(int));
  free(p);
  use(p);  // UAF: direct pointer
}

void test_struct_field_uaf() {
  struct Obj *o = (struct Obj *)malloc(sizeof(struct Obj));
  free(o);
  use(&o->field);  // UAF: field from freed object
}

void test_safe_stack() {
  int x = 42;
  use(&x);  // SAFE
}

I also attached a CodeChecker-generated HTML report in the issue attachment, showing that the checker correctly flags UAF cases after the patch, while not introducing any false positives on valid uses like stack variables.

unix_malloc_test_html.zip

[llvmbot]

@llvm/issue-subscribers-clang-static-analyzer

Author: None (LoboQ1ng)

Clang Static Analyzer's `MallocChecker` currently **fails to detect use-after-free** when the memory is accessed via the address of a field inside a freed structure.

For example, the following use-after-free goes undetected:

#include <stdlib.h>

struct Obj {
  int field;
};

void use(void *);

void test() {
  struct Obj *o = malloc(sizeof(struct Obj));
  free(o);
  use(&o->field); // ⚠️ No warning reported by CSA (MallocChecker)
}

In this example, the heap memory pointed to by o has been freed, yet &o->field is passed to a function. This is a classic use-after-free bug, but MallocChecker does not currently report it.
Root Cause
In MallocChecker.cpp, argument checking currently relies on:

SymbolRef Sym = ArgSVal.getAsSymbol();

This fails for field address expressions like &ptr->field, because such expressions produce a MemRegionVal, and getAsSymbol() does not extract the base symbol in those cases.