[PATCH] Teach the analyzer about multi-dimensional VLAs

Jordan Rose jordan_rose at apple.com
Wed Oct 8 20:05:56 PDT 2014 

On Oct 2, 2014, at 2:15 , Daniel Fahlgren <daniel at fahlgren.se> wrote:

> On Thu, 2014-09-04 at 16:21 +0200, Daniel Fahlgren wrote:
>> Hi,
>> 
>> This patch handles the fixme about multi-dimensional VLAs in
>> VLASizeChecker. I tried to keep the changeset as small as possible by
>> cutting the checkPreStmt method into two parts. The checker first
>> iterates over all dimensions and reports if a bug is found. It later
>> iterates again, calculating the size. By scanning the dimensions twice
>> it can report bugs even if an unknown size is found.
>> 
>> Feedback and comments are, as always, welcome.
> 
> Ping?

Good ping. Sorry for the delay. Some comments:

+  // First only check for errors. That way we will find problems even if one of
+  // the dimensions is unknown.
+  const Expr *SE;
+  QualType QT;
+  do {
+    // Check size expression.
+    SE = VLA->getSizeExpr();
+    State = checkSizeExpr(SE, State, C);
+    if (!State)
+      return;

Seems like a worthy goal. If we're finding problems even if one dimension is unknown, though, is it worth finding problems in every size expression, rather than exiting early when we find a problem in the first one?

+
+    // Check next dimension.
+    QT = VLA->getElementType();
+    VLA = Ctx.getAsVariableArrayType(QT);
+  } while(VLA);

Nitpick: can you put a space after the "while"? (here and below)

+  // Record the state so far, in case one of the lengths is unknown.
+  C.addTransition(State);

Unfortunately we can't actually do this—you end up recording two transitions here, rather than replacing the first one. Maybe the size calculation should be factored out into a helper function as well?

+    // Multiply the current size by the element size.
+    ArraySizeVal = SvalBuilder.evalBinOpNN(State, BO_Mul, ArrayLength,
+      ArraySizeVal.castAs<NonLoc>(), SizeTy);

Can you add a FIXME in here to check for overflow? That's a security risk, really.

As for the tests, can you add some assertions that we really do multiply the size out correctly? For example, using a too-large index should warn, casting to char * and assigning outside the buffer should warn, and sizeof should give the right answer.

Thanks for fixing this up,
Jordan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20141008/24fd0ace/attachment.html>

More information about the cfe-commits mailing list