[PATCH] D23112: [analyzer] Correctly add assumptions based on array bounds.
Gábor Horváth via cfe-commits
cfe-commits at lists.llvm.org
Mon Aug 8 02:23:35 PDT 2016
xazax.hun updated this revision to Diff 67135.
xazax.hun added a comment.
- Address review comments.
https://reviews.llvm.org/D23112
Files:
lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp
test/Analysis/out-of-bounds.c
Index: test/Analysis/out-of-bounds.c
===================================================================
--- test/Analysis/out-of-bounds.c
+++ test/Analysis/out-of-bounds.c
@@ -1,4 +1,6 @@
-// RUN: %clang_cc1 -Wno-array-bounds -analyze -analyzer-checker=core,alpha.security.ArrayBoundV2 -verify %s
+// RUN: %clang_cc1 -Wno-array-bounds -analyze -analyzer-checker=core,alpha.security.ArrayBoundV2,debug.ExprInspection -verify %s
+
+void clang_analyzer_eval(int);
// Tests doing an out-of-bounds access after the end of an array using:
// - constant integer index
@@ -146,6 +148,14 @@
buf[x] = 1;
}
+// *** FIXME ***
+// The result is unknown for the same reason as above.
+void test_asume_after_access(unsigned long x) {
+ int buf[100];
+ buf[x] = 1;
+ clang_analyzer_eval(x <= 99); // expected-warning{{UNKNOWN}}
+}
+
// Don't warn when indexing below the start of a symbolic region's whose
// base extent we don't know.
int *get_symbolic();
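Review bot: The new test's name misspells "assume": `test_asume_after_access` should be `test_assume_after_access`, and likewise `test_assume_after_access2` in the last hunk of this file. The FIXME also says only "for the same reason as above", which depends on a comment outside this hunk and will go stale if the tests are reordered. I would state the reason inline, for example `// FIXME: the bound on x is not recovered when the element size is larger than one byte, so the result is UNKNOWN.`, if that is indeed the cause; the hunk itself does not show it.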
@@ -166,3 +176,9 @@
p[1] = 42; // no-warning
}
+void test_asume_after_access2(unsigned long x) {
+ char buf[100];
+ buf[x] = 1;
+ clang_analyzer_eval(x <= 99); // expected-warning{{TRUE}}
+}
+
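Review bot: `test_asume_after_access2` has no comment saying why it expects TRUE while the otherwise identical `int buf[100]` variant earlier in the file expects UNKNOWN. The only visible difference is the element type, so presumably the `char` case works because the byte offset equals the index. A one-line comment such as `// With one-byte elements the in-bounds assumption on the byte offset constrains x directly.` would record that, once the reason is confirmed against the checker.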
Index: lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp
===================================================================
--- lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp
+++ lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp
@@ -157,13 +157,13 @@
// If we are under constrained and the index variables are tainted, report.
if (state_exceedsUpperBound && state_withinUpperBound) {
- if (state->isTainted(rawOffset.getByteOffset()))
+ if (state->isTainted(rawOffset.getByteOffset())) {
reportOOB(checkerContext, state_exceedsUpperBound, OOB_Tainted);
return;
- }
-
- // If we are constrained enough to definitely exceed the upper bound, report.
- if (state_exceedsUpperBound) {
+ }
+ } else if (state_exceedsUpperBound) {
+ // If we are constrained enough to definitely exceed the upper bound,
+ // report.
assert(!state_withinUpperBound);
reportOOB(checkerContext, state_exceedsUpperBound, OOB_Excedes);
return;
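Review bot: The comment above the outer `if` now describes only the inner tainted branch, and the new fall-through for the under-constrained, untainted case is not explained. That case no longer returns early, so the code after this hunk runs with both states still feasible. Presumably that is where the in-bounds assumption is recorded, but it lies outside the hunk. I would reword the leading comment to `// If we are under-constrained, report only when the offset is tainted.` and add `// Not tainted: fall through and continue under the in-bounds assumption.` after the inner block. The `assert(!state_withinUpperBound)` in the `else if` arm now follows directly from the branch conditions, so it serves only as documentation.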
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D23112.67135.patch
Type: text/x-patch
Size: 2176 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20160808/05d045dd/attachment.bin>