Quuxplusone / LLVMBugzillaTest


scan-build does not catch returning pointers to local storage #26825

Open Quuxplusone opened 8 years ago

Quuxplusone commented 8 years ago
Bugzilla Link PR26826
Status NEW
Importance P normal
Reported by Steve Williams (swilliams@taranawireless.com)
Reported on 2016-03-02 18:52:55 -0800
Last modified on 2016-03-02 19:34:01 -0800
Version unspecified
Hardware PC Linux
CC dcoughlin@apple.com, llvm-bugs@lists.llvm.org
Fixed by commit(s)
Attachments returns_pointer_to_local.c (1022 bytes, text/x-csrc)
Blocks
Blocked by
See also
The attached file shows a function that returns a pointer to an array in its local
stack frame to its caller. This is dangerous, because an interrupt or other
intervening function call made by the caller before referencing this returned
pointer can clobber this region of memory, resulting in garbage values.

I would have expected the static analyzer to flag this as questionable, but

  scan-build clang -O3 -Wall -c returns_pointer_to_local.c

yields only:

  scan-build: Using '/home/swilliams-local/src/llvm-build/bin/clang-3.9' for static analysis
  scan-build: Removing directory '/tmp/scan-build-2016-03-02-165148-28031-1' because it contains no reports.
  scan-build: No bugs found.

Quuxplusone commented 8 years ago

Attached returns_pointer_to_local.c (1022 bytes, text/x-csrc): test case
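
The attachment itself is not reproduced on this page. As an added illustration (not the reporter's file), here is the simplest form of the pattern the report describes next to a rewrite that lets the caller own the storage; `format_id_unsafe` and `format_id` are names chosen for this example. Clang's frontend diagnoses this direct form with -Wreturn-stack-address, whereas the attached case evidently reached the analyzer without any warning, so it is presumably a less direct escape.

```c
#include <stdio.h>
#include <string.h>

/* Simplest form of the pattern the report describes: the array lives in
 * this function's stack frame, so the pointer handed back dangles the moment
 * the function returns, and any later call made by the caller can overwrite
 * that memory. Shown for illustration only; it is never called here. */
char *format_id_unsafe(int id)
{
    char buf[32];
    snprintf(buf, sizeof buf, "id-%d", id);
    return buf;   /* address of local storage escapes to the caller */
}

/* Hardened form: the caller supplies the buffer, so its lifetime is the
 * caller's to manage; truncation is reported instead of silently returned. */
char *format_id(char *out, size_t out_len, int id)
{
    if (out == NULL || out_len == 0)
        return NULL;
    int n = snprintf(out, out_len, "id-%d", id);
    if (n < 0 || (size_t)n >= out_len)
        return NULL;   /* would not fit: refuse rather than hand back a partial string */
    return out;
}

int main(void)
{
    char buf[32];
    const char *s = format_id(buf, sizeof buf, 42);
    printf("%s\n", s ? s : "(error)");
    return 0;
}
```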

Quuxplusone commented 8 years ago

Reproduced. I'm surprised that the StackAddrEscapeChecker doesn't catch this!

Tracked internally by rdar://problem/24944831.