[cfe-commits] r86282 - in /cfe/trunk: lib/Analysis/ReturnPointerRangeChecker.cpp test/Analysis/misc-ps-region-store.m test/Analysis/region-only-test.c
Ted Kremenek
kremenek at apple.com
Fri Nov 6 12:16:31 PST 2009
Author: kremenek
Date: Fri Nov 6 14:16:31 2009
New Revision: 86282
URL: http://llvm.org/viewvc/llvm-project?rev=86282&view=rev
Log:
Sentence-case bug type, and pull tests from region-only-test.c into misc-ps-region-store.m (removing an extra unneeded test file). Also add a bunch of FIXME comments for future enhancements.
Removed:
cfe/trunk/test/Analysis/region-only-test.c
Modified:
cfe/trunk/lib/Analysis/ReturnPointerRangeChecker.cpp
cfe/trunk/test/Analysis/misc-ps-region-store.m
Modified: cfe/trunk/lib/Analysis/ReturnPointerRangeChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/Analysis/ReturnPointerRangeChecker.cpp?rev=86282&r1=86281&r2=86282&view=diff
==============================================================================
--- cfe/trunk/lib/Analysis/ReturnPointerRangeChecker.cpp (original)
+++ cfe/trunk/lib/Analysis/ReturnPointerRangeChecker.cpp Fri Nov 6 14:16:31 2009
@@ -51,10 +51,13 @@
const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(R);
if (!ER)
- return;
+ return;
DefinedOrUnknownSVal &Idx = cast<DefinedOrUnknownSVal>(ER->getIndex());
+ // FIXME: All of this out-of-bounds checking should eventually be refactored into a
+ // common place.
+
// Zero index is always in bound, this also passes ElementRegions created for
// pointer casts.
if (Idx.isZeroConstant())
@@ -72,15 +75,21 @@
if (!N)
return;
+ // FIXME: This bug correspond to CWE-466. Eventually we should have bug types explicitly
+ // reference such exploit categories (when applicable).
if (!BT)
- BT = new BuiltinBug("Return of Pointer Value Outside of Expected Range");
-
+ BT = new BuiltinBug("Return of pointer value outside of expected range",
+ "Returned pointer value points outside the original object (potential buffer overflow)");
+
+ // FIXME: It would be nice to eventually make this diagnostic more clear, e.g., by referencing
+ // the original declaration or by saying *why* this reference is outside the range.
+
// Generate a report for this bug.
RangedBugReport *report =
new RangedBugReport(*BT, BT->getDescription().c_str(), N);
- report->addRange(RS->getSourceRange());
-
+ report->addRange(RetE->getSourceRange());
+
C.EmitReport(report);
}
}
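Review bot: The new bug description on the `BuiltinBug` constructor lines claims a "potential buffer overflow", yet the only case the accompanying test exercises (`a+10`) is a one-past-the-end pointer, which C permits to form and return and which only becomes a memory-safety defect when dereferenced; unless the index-vs-extent comparison (outside this hunk) excludes the exact end-of-object index, the message overstates what the checker has proven and will read as a false positive to users. Consider a description that states the observable fact and the consequence conditionally, e.g. `"Returned pointer value points outside the original object (out-of-bounds access if dereferenced)"`, or record in the FIXME which boundary the checker treats as out of range. The preceding FIXME has a grammar slip and, like the new constructor and comment lines, runs well past 80 columns, which LLVM style caps; `// FIXME: This bug corresponds to CWE-466. Eventually we should have bug types` re-wrapped at 80 fixes both. `BT` is allocated with `new` and nothing in this hunk releases it; presumably a checker destructor or owning pointer elsewhere does, but that is worth confirming. The enclosing function starts before this hunk.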
Modified: cfe/trunk/test/Analysis/misc-ps-region-store.m
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/misc-ps-region-store.m?rev=86282&r1=86281&r2=86282&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/misc-ps-region-store.m (original)
+++ cfe/trunk/test/Analysis/misc-ps-region-store.m Fri Nov 6 14:16:31 2009
@@ -431,3 +431,26 @@
static void pr5316(pr5316_REFRESH_ELEMENT *dst, const pr5316_REFRESH_ELEMENT *src) {
while ((*dst++ = *src++).chr != L'\0') ;
}
+
+//===----------------------------------------------------------------------===//
+// Exercise creating ElementRegion with symbolic super region.
+//===----------------------------------------------------------------------===//
+void element_region_with_symbolic_superregion(int* p) {
+ int *x;
+ int a;
+ if (p[0] == 1)
+ x = &a;
+ if (p[0] == 1)
+ (void)*x; // no-warning
+}
+
+//===----------------------------------------------------------------------===//
+// Test returning an out-of-bounds pointer (CWE-466)
+//===----------------------------------------------------------------------===//
+
+static int test_cwe466_return_outofbounds_pointer_a[10];
+int *test_cwe466_return_outofbounds_pointer() {
+ int *p = test_cwe466_return_outofbounds_pointer_a+10;
+ return p; // expected-warning{{Returned pointer value points outside the original object}}
+}
+
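Review bot: The new CWE-466 test pins only the exact one-past-the-end return (`test_cwe466_return_outofbounds_pointer_a+10`); nothing checks that an in-bounds return stays silent, so a regression that moves the checker's boundary off by one would go unnoticed. Add a companion case next to it such as `int *test_cwe466_return_inbounds_pointer() { return test_cwe466_return_outofbounds_pointer_a+9; } // no-warning`. The substring matched by `expected-warning` on the return line is the new `BuiltinBug` description from the checker change, so the two must be kept in sync if that message is reworded.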
Removed: cfe/trunk/test/Analysis/region-only-test.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/region-only-test.c?rev=86281&view=auto
==============================================================================
--- cfe/trunk/test/Analysis/region-only-test.c (original)
+++ cfe/trunk/test/Analysis/region-only-test.c (removed)
@@ -1,20 +0,0 @@
-// RUN: clang-cc -analyze -checker-cfref -analyzer-store=region -verify %s
-
-// Region store must be enabled for tests in this file.
-
-// Exercise creating ElementRegion with symbolic super region.
-void foo(int* p) {
- int *x;
- int a;
- if (p[0] == 1)
- x = &a;
- if (p[0] == 1)
- (void)*x; // no-warning
-}
-
-int a[10];
-
-int *f0() {
- int *p = a+10;
- return p; // expected-warning{{Return of Pointer Value Outside of Expected Range}}
-}