Skip to content

Analysis Categories

Jump to bottom
Hugo edited this page Feb 26, 2026 · 1 revision

Analysis Categories

The analyzer performs stack-safety, resource-lifetime, uninitialized-use, and code-quality checks. Each diagnostic includes severity, source location, and machine-readable identifiers (errCode and/or ruleId).

Stack Overflow Detection

StackFrameTooLarge

Severity: Error CWE: CWE-121 (Stack-based Buffer Overflow)

Triggers when a function's total stack usage (local frame + callees) exceeds the configured limit (default: 8 MiB).

int main(void) {
    char buf[8192000000];  // way too large for stack
    return 0;
}
// [!!Error] potential stack overflow: exceeds limit of 8388608 bytes

Includes callee propagation: if main calls foo, and foo uses a huge stack, main inherits the overflow.

Buffer Overflow Detection

StackBufferOverflow

Severity: Warning CWE: CWE-121

Detects out-of-bounds access on stack-allocated buffers. Tracks alias chains, pointer dereferences, and both constant and dynamic indices.

char buf[10];
buf[15] = 'x';
// [!!Warn] potential stack buffer overflow on variable 'buf' (size 10)
//   constant index 15 is out of bounds (0..9)
//   (this is a write access)

Features:

  • Constant index bounds checking
  • Alias path tracking (e.g., ptr -> buf)
  • Struct internal array overflow detection
  • Read vs write access distinction

NegativeStackIndex

Severity: Warning

Detects negative index access on stack buffers.

char buf[10];
buf[-1] = 'c';
// [!!Warn] constant index 18446744073709551615 is out of bounds (0..9)

Dynamic Allocation Analysis

VLAUsage

Severity: Warning CWE: CWE-770 (Allocation of Resources Without Limits)

Detects variable-length arrays on the stack.

void process(int n) {
    char data[n];  // VLA - size not known at compile time
}
// [!!Warn] variable-length array detected

AllocaUserControlled

Severity: Warning (can be escalated to Error in recursive contexts)

Detects alloca or VLA whose size comes from user-controlled input (e.g., scanf).

int n;
scanf("%d", &n);
char buf[n];  // user-controlled stack allocation
// [ !!Warn ] user-controlled alloca size for variable 'buf'

AllocaTooLarge

Severity: Error

Detects constant allocations that are unreasonably large, or dynamic allocations in recursive functions.

char data[1024 * 1024 * 100];  // 100 MiB on stack
// [!!Error] oversized constant dynamic allocation

AllocaUsageWarning

Severity: Warning

General dynamic alloca usage that does not fall into the above categories. Flags the use of runtime-sized stack allocations.

Memory Operation Overflows

MemcpyWithStackDest

Severity: Warning CWE: CWE-120 (Buffer Copy without Checking Size)

Detects memcpy/memset overflows when the destination is a stack buffer.

char buf[10];
memcpy(buf, src, 20);  // copies 20 bytes into 10-byte buffer
// [!!Warn] memcpy overflow: destination buffer 'buf' is 10 bytes, but 20 bytes copied

MultipleStoresToStackBuffer

Severity: Info

Reports when multiple store instructions write to the same stack buffer at different index expressions. Not necessarily a bug, but a signal to verify index correctness.

char buf[10];
buf[0] = 'a';
buf[5] = 'b';
buf[9] = 'c';
// [!Info] multiple stores to stack buffer 'buf' (3 store instructions, 3 distinct indices)

Stack Pointer Escape Detection

StackPointerEscape

Severity: Warning CWE: CWE-562 (Return of Stack Variable Address)

Detects when a pointer to a stack variable is leaked outside its scope. Escape kinds include:

store_unknown -- storing the pointer in a non-local location (global, heap, out-parameter):

char buf[10];
global_ptr = buf;  // leaking stack address
// [!!Warn] stack pointer escape: store_unknown

call_callback -- passing a stack pointer to an indirect call (callback):

char buf[10];
callback(buf);  // indirect call, may capture pointer
// [!!Warn] stack pointer escape: call_callback

call_arg -- passing to a direct function that may capture it:

char buf[10];
consume(buf);  // direct call, callee may capture pointer
// [ !!Warn ] stack pointer escape

return -- returning a pointer to stack memory:

char buf[10];
return buf;  // pointer escapes function lifetime
// [ !!Warn ] stack pointer escape

Resolution order for escape analysis:

  1. LLVM call-site attributes (nocapture, byval, byref)
  2. Inter-procedural summary (for analyzed definitions)
  3. External escape model (--escape-model)
  4. Opaque external call: no strong diagnostic emitted

Resource Lifetime Analysis

ResourceLifetimeIssue

Severity: Warning CWE: CWE-772 (Missing Release) / CWE-415 (Double Free)

Model-driven analysis using external API definitions. Requires --resource-model=<path>.

Missing release (ResourceLifetime.MissingRelease):

handle_t h;
acquire_handle(&h);
return 0;  // forgot to release
// [!!Warn] potential resource leak: 'GenericHandle' acquired in handle 'h' is not released

Double release (ResourceLifetime.DoubleRelease):

release_handle(h);
release_handle(h);  // double free
// [!!!Error] potential double release of 'GenericHandle'

Constructor/destructor mismatch (ResourceLifetime.MissingDestructorRelease):

Reports when a class field acquired in the constructor is not released in the destructor.

Incomplete inter-procedural (ResourceLifetime.IncompleteInterproc):

Warning when a local release depends on an unmodeled callee and no cross-TU summary is available.

Features:

  • Cross-TU summary propagation with fixed-point iteration
  • Per-module caching (filesystem or memory-only)
  • Supports C malloc/free, C++ new/delete, Vulkan, and custom APIs

Uninitialized Variable Detection

UninitializedLocalRead

Severity: Warning CWE: CWE-457 (Use of Uninitialized Variable)

Detects reads from local variables before they are written to.

int x;
printf("%d\n", x);  // read before initialization
// [!!Warn] use of uninitialized local variable 'x'

Features:

  • Cross-TU tracking via inter-procedural summaries
  • Branch-aware analysis (detects conditional initialization)
  • Struct partial initialization detection
  • Array initialization tracking
  • Two emitted rule IDs: UninitializedLocalRead and UninitializedLocalVariable

Code Quality Checks

DuplicateIfCondition

Severity: Warning

Detects duplicate conditions in if-else chains that create dead code.

if (x > 0) { ... }
else if (x > 0) { ... }  // duplicate condition, dead branch
// [!!Warn] duplicate condition in if-else chain

Handles:

  • Simple comparisons
  • Boolean expressions
  • Enum comparisons
  • Pointer comparisons
  • Commutative reordering
  • Nested loop contexts

ConstParameterNotModified

Severity: Info

Reports function parameters that are never modified and could be declared const.

void process(int* data, int count) {
    // 'count' is never modified
    for (int i = 0; i < count; i++) { ... }
}
// [!Info] parameter 'count' is never modified; consider declaring it const

SizeMinusOneWrite

Severity: Warning

Detects potential off-by-one errors in buffer writes using size - 1 patterns (e.g., strncpy(dst, src, sizeof(dst) - 1)).

InvalidBaseReconstruction

Severity: Warning or Error

Detects unsafe pointer arithmetic patterns where inttoptr/ptrtoint casts produce incorrect base addresses (common with container_of macro misuse).

Diagnostic Fields

Every diagnostic includes:

Field Description
filePath Source file where the issue was found
funcName Function containing the issue
line, column Source location
startLine, startColumn, endLine, endColumn SARIF range
severity Info, Warning, or Error
errCode Internal enum (e.g., StackBufferOverflow)
ruleId Dotted rule identifier (e.g., ResourceLifetime.MissingRelease)
confidence [0, 1] float when applicable
cweId CWE identifier (e.g., CWE-772)
message Human-readable diagnostic message

Home

User Guide

Developer Guide

Clone this wiki locally