
[Compiler-RT] CodeQL Violations #159273

@ampandey-1995

Description


CodeQL analysis has flagged violations in the codebase of compiler-rt. These issues may impact code quality, security, or maintainability and should be reviewed and addressed.

Some violations are addressed in PR 154937 & PR 159097.

Pending severe violations

  • cpp/pointer-overflow-check
    In compiler-rt/lib/safestack/safestack.cpp at lines 126, 127
  • cpp/command-line-injection
    In fuzzer/FuzzerUtilLinux.cpp at line 27
  • cpp/incorrect-string-type-conversion
    In sanitizer_common/sanitizer_common_interceptors_format.inc at line 355
  • cpp/uncontrolled-allocation-size
    In profile/InstrProfilingFile.c at line 383

Violation Summary Report
Detailed Violation Summary Report

Steps to Reproduce

  1. Download CodeQL and configuration
  2. Create/build the CodeQL database for compiler-rt:
     codeql database create /path/to/dir/CODEQL_DB --language=cpp --source-root="llvm-project" --command="ninja -C /path/to/build/dir/compiler-rt"

     Note: clean the build directory of compiler-rt using ninja clean before running the above command.
  3. Analyze the CodeQL database:
     codeql database analyze /path/to/dir/CODEQL_DB --format=sarif-latest --output="results.sarif" cpp-security-extended.qls
  4. Generate an HTML report using the sarif tool:
     sarif html -o results.html results.sarif
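The results.sarif produced in step 3 can also be triaged directly, without the HTML report. The following is an added example (not code from the issue or from compiler-rt) that reads CodeQL's SARIF, looks up each rule's security-severity from tool.driver.rules, and lists the file and line of every result at or above a threshold; the embedded SARIF fragment is constructed, and its severity scores and third rule are placeholders rather than CodeQL's real metadata.

```python
"""Triage helper for the CodeQL SARIF produced by the steps above: groups results
by rule id and keeps rules whose security-severity meets a threshold. Added
example, not code from the issue or from compiler-rt."""
import json
from collections import defaultdict


def _hit(rule_id, uri, line):
    """Build one SARIF result record in the shape CodeQL emits (constructed)."""
    return {"ruleId": rule_id, "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}


# Constructed SARIF 2.1.0 fragment. Paths and lines of the two real rules come
# from the issue text; the severity scores and the third rule are placeholders.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL", "rules": [
            {"id": "cpp/pointer-overflow-check", "properties": {"security-severity": "7.5"}},
            {"id": "cpp/command-line-injection", "properties": {"security-severity": "9.8"}},
            {"id": "cpp/placeholder-style-rule", "properties": {}},
        ]}},
        "results": [
            _hit("cpp/pointer-overflow-check", "compiler-rt/lib/safestack/safestack.cpp", 126),
            _hit("cpp/pointer-overflow-check", "compiler-rt/lib/safestack/safestack.cpp", 127),
            _hit("cpp/command-line-injection", "fuzzer/FuzzerUtilLinux.cpp", 27),
            _hit("cpp/placeholder-style-rule", "placeholder/file.c", 1),
        ],
    }],
})


def severe_findings(sarif_text, min_severity=7.0):
    """Return {rule_id: [(path, line), ...]} for rules scoring >= min_severity.
    Rule metadata is read from tool.driver.rules only (CodeQL may also put rules
    under tool.extensions; not handled). No security-severity counts as 0.0."""
    doc = json.loads(sarif_text)
    findings = defaultdict(list)
    for run in doc.get("runs", []):
        severity = {}
        for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
            score = rule.get("properties", {}).get("security-severity")
            severity[rule["id"]] = float(score) if score is not None else 0.0
        for result in run.get("results", []):
            rid = result.get("ruleId")
            if severity.get(rid, 0.0) < min_severity:
                continue
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                path = phys.get("artifactLocation", {}).get("uri", "<no path>")
                findings[rid].append((path, phys.get("region", {}).get("startLine")))
    return dict(findings)
```

Run it against a real results.sarif by passing the file contents to severe_findings; raising min_severity narrows the list to the highest-scored rules.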
    

Environment

LLVM version: 22.0.0
OS: Ubuntu 22.04
Architecture: x86_64
LLVM Branch: main
Commit HEAD: 2155f17
