How to prevent returning a pointer to a temporary variable?

Question

On a recent bug hunt, I found an issue with returning a pointer to a member of a temporary variable. The offending (simplified) code was:

struct S {
    S(int i) : i(i) {}
    int i;
    int* ptr() { return &i; }
};

int* fun(int i) { return S(i).ptr(); }  // temporary S dies but pointer lives on

int main() {
    int* p = fun(1);
    return *p;  // undefined
}

How to prevent this? GCC & Clang have -Waddress-of-temporary and -Wreturn-stack-address but they seem to loose trail because of ptr() acting as a middle man for the dirty deeds. They are only triggered when the pointer is taken directly:

int* fun(int i) { return &S(i).i; }  // rightly fails to compile

My project also incorporates cppcheck in continuous integration but it also can't pick it up (raised here).

Which static analysis tool can prevent this class of bugs?

EDIT: GCC does pick it up since version 6.1.0 with -Wreturn-local-addr and (surprisingly) -O2 switched on.

Answer 1

I am a Cppcheck developer.

My project also incorporates cppcheck in continuous integration but it also can't pick it up.

interesting bug. This is the kind of bug that cppcheck wants to warn about. We have some related checks but this slipped through unfortunately.

Not really surprising given the regex nature of cppcheck.

I don't personally understand why some people say cppcheck is a regex tool.

It uses AST, context sensitive valueflow analysis, etc to detect bugs. So does GCC and Clang. Cppcheck is sometimes claimed to be a regex tool but GCC and Clang are not.