Qt-ReturningDataFromTemporary

Referencing data from a temporary QByteArray leads to use-after-free

Required inputs: IR

Qt containers such as QByteArray, QList, etc., have member functions that return the address of the storage they manage as a raw pointer. Leaking this address beyond the object's lifetime can lead to use-after-free errors. This rule finds places where either the address of a temporary Qt container's storage is leaked out of the temporary's lifetime, or the address of the storage of a Qt container with automatic storage duration is leaked out of the container's scope. Note that this rule also considers the corresponding functions of STL containers like std::vector<T,Allocator>::data, std::string::c_str, etc.

Examples

    QByteArray b = ...;
    return b.data();
    return funcReturningByteArray().data();
    return funcReturningByteArray().constData();

    const char * getFoo()
    {
        QByteArray b = ...;
        return b; // QByteArray can implicitly cast to char*
    }

    const char *c1 = getByteArray();
    const char *c2 = str.toUtf8().data();

Note that in some cases this might be fine, since the method can return the data of a global static QByteArray. However, such code is brittle: it could start crashing if the QByteArray ceased to be static.

This rule is based on the clazy rule returning-data-from-temporary.
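The two leak patterns described above, written with the STL functions the rule also considers, next to three ways of keeping the owner alive. This is an added example, not part of the rule documentation; make_label and the other function names are hypothetical, and the two flagged functions are excluded from compilation by default because calling them is undefined behaviour.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Hypothetical helper: returns an owning string by value (a temporary at the call site).
std::string make_label(int id) { return "node-" + std::to_string(id); }

#ifdef SHOW_FLAGGED_PATTERNS  // undefined behaviour, so not compiled by default
// Address of a local container's storage leaves the container's scope.
const char *label_local(int id) {
    std::string s = make_label(id);
    return s.c_str();                        // s is destroyed on return
}
// Address of a temporary's storage outlives the temporary.
std::size_t label_length_temporary(int id) {
    const char *p = make_label(id).c_str();  // temporary dies at the ';'
    return std::strlen(p);                   // reads freed storage
}
#endif

// Fix 1: return the owner by value; the caller controls its lifetime.
std::string label_owned(int id) { return make_label(id); }

// Fix 2: name the owner so it outlives every use of the raw pointer.
std::size_t label_length(int id) {
    const std::string owner = make_label(id);
    const char *p = owner.c_str();           // valid while owner is in scope
    return std::strlen(p);
}

// Fix 3: copy into caller-owned storage, truncating and NUL-terminating.
std::size_t copy_label(int id, char *out, std::size_t cap) {
    if (out == nullptr || cap == 0) return 0;
    const std::string owner = make_label(id);
    const std::size_t n = owner.size() < cap - 1 ? owner.size() : cap - 1;
    std::memcpy(out, owner.data(), n);
    out[n] = '\0';
    return n;                                // bytes written, excluding NUL
}

int main() {
    char buf[6];
    const std::size_t n = copy_label(123, buf, sizeof buf);
    // The temporary from label_owned(7) lives until the end of this full expression.
    std::printf("%s %zu %s (%zu)\n", label_owned(7).c_str(),
                label_length(42), buf, n);
    return 0;
}
```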

Possible Messages

| Key | Text | Severity | Disabled |
| --- | --- | --- | --- |
| possibly_leaking_reference_to_local_variable | Potentially leaking reference/pointer to local variable. | None | False |
| possibly_leaking_reference_to_temporary_variable | Reference/pointer to temporary object is assigned to longer-lived variable. | None | False |

Options

additional_leaking_functions

additional_leaking_functions

Type: set[str]

Default: {'QByteArray::constData', 'QByteArray::data', 'QByteArray::operator const char *', 'QList::constData', 'QList::data', 'QList::operator const char *', 'QString::constData', 'QString::data', 'QString::operator const char *', 'QVarLengthArray::constData', 'QVarLengthArray::data', 'QVarLengthArray::operator const char *', 'QVector::constData', 'QVector::data', 'QVector::operator const char *'}

Set of qualified names of functions. Each of these functions will be assumed to return an address that is owned by its first (including this pointer) parameter and must therefore not be dereferenced after the owner is destroyed.

Alternatively, a function's definition in source code can be annotated as returning a pointer/reference to one of its arguments using the attribute [[axivion::return_based_on(parameter_name)]], e.g.:

    int* f(int &i1, int &i2) [[axivion::return_based_on(i2)]] { return &i2; }

or

    struct MyStruct {
        int m_i;
        int* f() [[axivion::return_based_on(this)]] { return &m_i; }
    };
 

additional_pointer_returns

additional_pointer_returns

Type: set[str]

Default: {'QByteArray::constData', 'QByteArray::data', 'QByteArray::operator const char *', 'QList::constData', 'QList::data', 'QList::operator const char *', 'QString::constData', 'QString::data', 'QString::operator const char *', 'QVarLengthArray::constData', 'QVarLengthArray::data', 'QVarLengthArray::operator const char *', 'QVector::constData', 'QVector::data', 'QVector::operator const char *'}

Set of qualified names of member functions that are considered to return a reference or pointer to this or a subobject thereof. For this option to have effect, consider_pointer_returns has to be enabled, too.
 

allow_longer_living_local

allow_longer_living_local : bool = False

Whether assignment to a longer-living local variable should be accepted.
 

consider_constructors_as_capturing

consider_constructors_as_capturing : bool = False

Whether passing a reference or pointer to a local variable into a constructor should be considered as capturing. If the constructed object is assigned to some nonlocal object, a message is issued. If set to False, passing references or pointers into a constructor call has no effect on the analysis.
 

consider_pointer_returns

consider_pointer_returns : bool = True

Whether the return value of a function that returns a reference or pointer to its argument, or to an object owned by its argument, should be considered when the function is called on a local variable, e.g., std::string::data.
 

consider_std_addressof

consider_std_addressof : bool = True

Consider a call to std::addressof as an address-taking operation.
 

level

level : int = 1

Importance level of the rule as given for clazy. 0 is most desirable, higher values fall off in quality.
 

restrict_to_functions

restrict_to_functions : set[str] = set()

If not empty, check only for leaks that initially occur through the functions given by qualified name here.