[cfe-dev] On heap variables and Clang SA

Manuel Klimek klimek at google.com
Tue Mar 17 05:09:51 PDT 2015


On Mon, Mar 16, 2015 at 6:45 PM Bhargava Shastry <
bshastry at sec.t-labs.tu-berlin.de> wrote:

> Hello,
>
> Clang analyzer's checker dev page [1] talks of Clang SA being able to
> track state of symbolic expressions and symbolic memory regions. Do
> these concepts map to stack variables/expressions and heap
> variables/expressions respectively?
>

AFAIU symbolic regions are regions that the analyzer considers to be
constant and thus representable purely by the expression that generates
them, while memory regions basically model memory - both stack and heap.


> For a construed example shown below, SA did not warn about comparison
> against garbage value on Line 16. I concluded that it's because Clang
> SA doesn't reason about the program heap, but wanted to make sure I'm not
> looking at it superficially or drawing the wrong conclusion.
>
> 1. class bar {
> 2. public:
> 3.         bar() {}
> 4.         int m_x;
> 5. };
> 6.
> 7. class foo {
> 8. public:
> 9.         foo() { ptrToBarObj = new bar(); }
> 10.        void method();
> 11.        int m_y;
> 12.        bar *ptrToBarObj;
> 13. };
> 14.
> 15. void foo::method() {
> 16.         if((ptrToBarObj->m_x > 0))
> 17.          m_y = 0;
> 18. }
>

How can you prove a comparison against garbage value from that code? Seems
like somebody can set m_x to anything between the constructor and the call
to method.
If you want to catch this, you'll at least need:
void f() {
  foo f;
  f.method();
}
... and then the SA needs to "inline" both the call to the constructor and
the method call to see the problem.


>
> [1]: http://clang-analyzer.llvm.org/checker_dev_manual.html
>
> Regards,
> Bhargava
>
> --
> Learn more about COSADE 2015, the 6th Conference on
> Constructive Side Channel Analysis and Secure Design
> http://www.cosade.org
>
> Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
> Security in Telecommunications
> TU Berlin / Telekom Innovation Laboratories
> Ernst-Reuter-Platz 7, Sekr TEL 17 / D - 10587 Berlin, Germany
> phone: +49 30 8353 58235
>
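As an added illustration of Manuel's point (this is editor-written example code, not code from the thread or from Clang), the following translation unit spells out the three cases: the quoted classes with the caller he says the analyzer needs so it can inline both the constructor and `method()`, a caller that writes `m_x` between construction and the call (which is why `method()` on its own proves nothing), and a hardened variant that initializes the member. The names `garbage_read_driver`, `run_after_set`, `bar_fixed`, `foo_fixed` and `run_fixed` are this example's own.

```cpp
// Added example (not from the thread). Mirrors the quoted bar/foo classes and
// adds the caller needed for the analyzer to inline ctor and method.

class bar {
public:
    bar() {}       // m_x is left uninitialized: reading it is undefined behaviour
    int m_x;
};

class foo {
public:
    foo() : m_y(-1), ptrToBarObj(new bar()) {}
    ~foo() { delete ptrToBarObj; }
    void method() {
        if (ptrToBarObj->m_x > 0)   // reads the heap-allocated member
            m_y = 0;
    }
    int m_y;
    bar *ptrToBarObj;
};

// The caller the analyzer needs. With this in the same file, inlining
// foo::foo(), bar::bar() and foo::method() exposes the garbage read. This
// function exists to be analyzed, not executed (it would read uninitialized
// memory).
void garbage_read_driver() {
    foo f;
    f.method();
}

// A write to m_x between construction and the call: on this path there is no
// garbage read, so a warning issued for method() alone would be a false
// positive. Returns the resulting m_y.
int run_after_set(int value) {
    foo f;
    f.ptrToBarObj->m_x = value;
    f.method();
    return f.m_y;          // 0 when value > 0, otherwise the initial -1
}

// Hardened version: value-initialize the member in the constructor, so every
// path that reaches method() reads a defined value.
class bar_fixed {
public:
    bar_fixed() : m_x(0) {}
    int m_x;
};

class foo_fixed {
public:
    foo_fixed() : m_y(-1), ptrToBarObj(new bar_fixed()) {}
    ~foo_fixed() { delete ptrToBarObj; }
    void method() {
        if (ptrToBarObj->m_x > 0)
            m_y = 0;
    }
    int m_y;
    bar_fixed *ptrToBarObj;
};

int run_fixed() {
    foo_fixed f;
    f.method();
    return f.m_y;          // m_x == 0, branch not taken, m_y stays -1
}
```

Running `clang --analyze` over this file is the check to try: the analyzer only has a chance to report the branch on garbage in `garbage_read_driver` because the constructor calls and `method()` are visible and inlinable from one caller; whether it actually does so depends on its inlining decisions, which is exactly the caveat Manuel raises. The `run_after_set` path shows why the analyzer cannot honestly warn on `foo::method()` in isolation.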