Skip to content
This repository was archived by the owner on Jun 17, 2022. It is now read-only.
This repository was archived by the owner on Jun 17, 2022. It is now read-only.

Pointers to locals can escape, allowing UB #138

Open
Open
Pointers to locals can escape, allowing UB#138

Description

@mb64
mb64
opened on Oct 13, 2020

The following compiles:

using <stdio.h>::{printf};

fn addr_of_local() int* 
    model safe(return)
{
    int x = 12;
    return &x;
}

fn deref(int *x) int
    model *x == return
{
    return *x;
}

export fn main() -> int {
    int *ptr = addr_of_local();

    int a = *ptr;
    printf("a is %d\n", a);

    int b = deref(ptr);

    static_assert(a == b);
    printf("%d == %d guaranteed by ZZ's static analysis\n", a, b);

    return 0;
}

Here is an example output on my machine:

a is 12
12 == 2147450884 guaranteed by ZZ's static analysis

I love the concept behind ZZ, so I'm sad to have found such a gaping hole.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions