[llvm-bugs] [Bug 27675] New: Misleading message for malloc underflow
via llvm-bugs
llvm-bugs at lists.llvm.org
Sat May 7 05:25:50 PDT 2016
https://llvm.org/bugs/show_bug.cgi?id=27675
Bug ID: 27675
Summary: Misleading message for malloc underflow
Product: clang
Version: unspecified
Hardware: Macintosh
OS: All
Status: NEW
Severity: normal
Priority: P
Component: Static Analyzer
Assignee: kremenek at apple.com
Reporter: mark.rogers at powermapper.com
CC: llvm-bugs at lists.llvm.org
Classification: Unclassified
In the following code MallocUnderflow warns that "malloc has an allocation size
of 0 bytes", but the call to malloc is preceded by a check for zero size (so it
looks like a false positive). It took me a few hours to isolate since the
traceback in Xcode doesn't pinpoint the root cause, but a method is returning
(size_t)(-2) which is eventually passed to malloc.
Finding the root cause would be much easier if the message showed the actual
allocation size, e.g. "malloc has an allocation size of -2 bytes". If that's
not easy to do then "malloc has an allocation size of 0 bytes, or size has
underflowed" would work (but printing the actual value is unambiguous).
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <vector>

typedef uint16_t uint16; // added so the snippet compiles; the report's uint16 is assumed to be a 16-bit unsigned type

class PdfStringTest
{
public:
    std::vector<char>* m_pBuffer;
    bool m_bUnicode;
    typedef uint16 pdf_utf16be;

    size_t GetCharacterLength() const
    {
        return IsUnicode() ? GetUnicodeLengthChecked() : GetLengthChecked();
    }
    size_t GetCharacterLengthUnderflow() const
    {
        return IsUnicode() ? GetUnicodeLengthUnchecked() : GetLengthUnchecked();
    }
    size_t GetCharacterLengthZero() const
    {
        return 0;
    }
    bool IsUnicode() const
    {
        return m_bUnicode;
    }
    size_t GetUnicodeLengthChecked() const
    {
        if ( GetSize() == 0 )
            return 0;
        return (GetSize() / sizeof(pdf_utf16be)) - 1;
    }
    size_t GetUnicodeLengthUnchecked() const
    {
        return (GetSize() / sizeof(pdf_utf16be)) - 1;
    }
    size_t GetLengthChecked() const
    {
        if ( GetSize() == 0 )
            return 0;
        return GetSize() - 2;
    }
    size_t GetLengthUnchecked() const
    {
        return GetSize() - 2;
    }
    size_t GetSize() const
    {
        return m_pBuffer ? m_pBuffer->size() : 0;
    }
};

char* MallocOk( const PdfStringTest & rString )
{
    size_t lLen = rString.GetCharacterLength();
    if( !lLen )
        return NULL;
    // no analyzer warning - correct
    char* pDest = static_cast<char*>(malloc( sizeof(char) * (lLen + 1) ));
    return pDest;
}

char* MallocUnderflow( const PdfStringTest & rString )
{
    size_t lLen = rString.GetCharacterLengthUnderflow();
    if( !lLen )
        return NULL;
    // analyzer warns that: Call to 'malloc' has an allocation size of 0 bytes
    // it can't be zero due to !lLen check above, so it's misleading and looks like
    // a false positive but it underflows when buffer size is zero and GetCharacterLengthUnchecked
    // returns SIZE_T_MAX-2
    char* pDest = static_cast<char*>(malloc( sizeof(char) * (lLen + 1) ));
    return pDest;
}

char* MallocZero( const PdfStringTest & rString )
{
    size_t lLen = rString.GetCharacterLengthZero();
    if( !lLen )
        return NULL;
    // no analyzer warning - correct
    char* pDest = static_cast<char*>(malloc( sizeof(char) * (lLen + 1) ));
    return pDest;
}
Best Regards
Mark
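As an added example (not part of Mark's report), the size arithmetic the analyzer is tracing, reproduced stand-alone with constructed buffer sizes: the unchecked length wraps for any buffer smaller than its terminator, the `!lLen` guard never fires on a wrapped value, and `lLen + 1` wraps a second time, so the UTF-16 path really does request 0 bytes. Beside it is a length computation that rejects too-small buffers (including size 1, which an `== 0` test alone does not catch) instead of wrapping; the names `raw_len`, `checked_len` and `alloc_checked` are mine.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>

// Constructed example, not code from the bug report. It reproduces the size
// arithmetic of the report's GetLengthUnchecked / GetUnicodeLengthUnchecked
// and MallocUnderflow, then shows a length computation that refuses to wrap.

// Unchecked length exactly as the report computes it. For size < 2 both
// branches wrap: size 0 gives SIZE_MAX (UTF-16) or SIZE_MAX - 1 (bytes).
static size_t raw_len(size_t size, bool unicode) {
    return unicode ? (size / sizeof(uint16_t)) - 1 : size - 2;
}

// Byte count MallocUnderflow would hand to malloc, including the report's
// `if (!lLen) return NULL;` guard. The guard never fires on a wrapped length,
// and len + 1 wraps a second time: SIZE_MAX + 1 == 0, so the UTF-16 path
// requests 0 bytes, which is what the analyzer's message reports.
static size_t alloc_size_unchecked(size_t size, bool unicode) {
    size_t len = raw_len(size, unicode);
    if (!len) return 0;
    return sizeof(char) * (len + 1);
}

// Checked length: SIZE_MAX signals "buffer too small for its terminator".
// A valid result is always < size, so the sentinel cannot collide with it.
static const size_t kBadLen = SIZE_MAX;
static size_t checked_len(size_t size, bool unicode) {
    size_t unit = unicode ? sizeof(uint16_t) : 1;   // bytes per character
    size_t terminator = unicode ? 1 : 2;            // terminator, in units
    size_t units = size / unit;
    if (units < terminator) return kBadLen;         // subtraction would wrap
    return units - terminator;
}

// Allocation guarded by checked_len; nullptr instead of a wrapped size.
static char* alloc_checked(size_t size, bool unicode) {
    size_t len = checked_len(size, unicode);
    if (len == kBadLen || len == 0) return nullptr;
    return static_cast<char*>(malloc(len + 1));     // len + 1 <= size, no wrap
}

int main() {
    printf("UTF-16, size 0: unchecked request = %zu bytes, checked = %s\n",
           alloc_size_unchecked(0, true),
           alloc_checked(0, true) ? "allocated" : "rejected");
    return 0;
}
```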