LLVM-based static analysis tool that detects stack overflows, unsafe stack operations, and recursion-related vulnerabilities in C and C++ code
CoreTrace/coretrace-stack-analyzer
coretrace-stack-analyzer

BUILD

./build.sh

CORETRACE-STACK-USAGE CLI

./stack_usage_analyzer --mode=[abi/ir] test.[ll/c/cpp]
--quiet suppresses all diagnostics
--warnings-only keeps only the important diagnostics

Example

Given this code:

#define SIZE_LARGE 8192000000
#define SIZE_SMALL (SIZE_LARGE / 2)

int main(void)
{
    char test[SIZE_LARGE];

    return 0;
}

You can pass either the .c file or the corresponding .ll file to the analyzer. The output looks like this:

Language: C
Compiling source file to LLVM IR...
Mode: ABI

Function: main
  local stack: 4096000016 bytes
  max stack (including callees): 4096000016 bytes
  [!] potential stack overflow: exceeds limit of 8388608 bytes

Given this code:

int foo(void)
{
    char test[8192000000];
    return 0;
}

int bar(void)
{
    return 0;
}

int main(void)
{
    foo();
    bar();

    return 0;
}

Depending on the selected --mode, you may obtain the following results:

Language: C
Compiling source file to LLVM IR...
Mode: ABI

Function: foo
  local stack: 8192000000 bytes
  max stack (including callees): 8192000000 bytes
  [!] potential stack overflow: exceeds limit of 8388608 bytes

Function: bar
  local stack: 16 bytes
  max stack (including callees): 16 bytes

Function: main
  local stack: 32 bytes
  max stack (including callees): 8192000032 bytes
  [!] potential stack overflow: exceeds limit of 8388608 bytes

Language: C
Compiling source file to LLVM IR...
Mode: IR

Function: foo
  local stack: 8192000000 bytes
  max stack (including callees): 8192000000 bytes
  [!] potential stack overflow: exceeds limit of 8388608 bytes

Function: bar
  local stack: 0 bytes
  max stack (including callees): 0 bytes

Function: main
  local stack: 16 bytes
  max stack (including callees): 8192000016 bytes
  [!] potential stack overflow: exceeds limit of 8388608 bytes
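As an added example (not the project's own code), the following Python model shows how the "max stack (including callees)" figure and the overflow verdict above follow from per-function local stack sizes and the call graph, and it goes one step further than the README output by reporting recursion (a cycle in the call graph) as an unbounded stack bound. The function names, local sizes and the 8388608-byte limit are taken from the ABI-mode output above; the call graph (main calls foo and bar) is read off the second example; the recursive function in the second input is constructed.

```python
from typing import Dict, List, Optional

STACK_LIMIT = 8388608  # 8 MiB, the limit reported in the analyzer output above

def max_stack(fn: str, local: Dict[str, int], calls: Dict[str, List[str]],
              memo: Dict[str, Optional[int]], path: List[str]) -> Optional[int]:
    """Worst-case stack depth of fn including its callees.
    Returns None when fn can reach itself (recursion), i.e. the bound is unknown."""
    if fn in memo:
        return memo[fn]
    if fn in path:                      # back edge in the call graph
        return None
    path.append(fn)
    deepest = 0
    for callee in calls.get(fn, []):
        sub = max_stack(callee, local, calls, memo, path)
        if sub is None:                 # a callee is unbounded, so are we
            path.pop()
            memo[fn] = None
            return None
        deepest = max(deepest, sub)     # callees are sequential, not nested
    path.pop()
    memo[fn] = local[fn] + deepest
    return memo[fn]

def analyze(local: Dict[str, int], calls: Dict[str, List[str]],
            limit: int = STACK_LIMIT) -> Dict[str, dict]:
    """One report entry per function: local size, max size, overflow/recursion flags."""
    memo: Dict[str, Optional[int]] = {}
    report = {}
    for fn in local:
        total = max_stack(fn, local, calls, memo, [])
        report[fn] = {
            "local": local[fn],
            "max": total,
            "overflow": total is not None and total > limit,
            "recursive": total is None,
        }
    return report

if __name__ == "__main__":
    # Constructed input matching the ABI-mode figures in the README output.
    abi_locals = {"foo": 8192000000, "bar": 16, "main": 32}
    call_graph = {"main": ["foo", "bar"]}
    for fn, r in analyze(abi_locals, call_graph).items():
        flag = " [!] potential stack overflow" if r["overflow"] else ""
        print(f"Function: {fn}\n  local stack: {r['local']} bytes\n"
              f"  max stack (including callees): {r['max']} bytes{flag}")
    # Constructed recursive program: the bound cannot be computed statically.
    print(analyze({"rec": 64, "main": 32}, {"main": ["rec"], "rec": ["rec"]}))
```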

TODO:
  • Library mode
  • Define json API
  • Unmangling symbols

9. Stack pointer leak detection

Examples:

char *leak(void) {
    char buf[10];
    return buf;    // returns a pointer to the stack → use-after-return
}

Or storing it:

global = buf; // leaking address of stack variable

Currently implemented:

    1. VLA support: detection of potentially dangerous dynamic alloca
    2. Detection of memcpy/memset on stack buffers
    3. Warning when a function performs multiple stores into the same buffer
    4. Deeper traversal analysis: constraint propagation
    5. Detection of deep indirection in aliasing
    6. Detection of overflow in a struct containing an internal array
    7. Detection of stack pointer leaks:
    • store_unknown -> storing the pointer in a non-local location (typically an out-parameter, the heap, etc.)
    • call_callback -> passing it to a callback (indirect call)
    • call_arg -> passing it as an argument to a direct function, where it could be captured
