[PATCH] D35068: [analyzer] Detect usages of unsafe I/O functions
Daniel Kolozsvari via Phabricator via cfe-commits
cfe-commits at lists.llvm.org
Tue Aug 29 04:51:28 PDT 2017
koldaniel marked 4 inline comments as done.
koldaniel added inline comments.
Comment at: lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp:597-598
> Note that you cannot easily figure out if the code is intended to get compiled only under C11 and above - maybe it's accidentally compiled under C11 for this user, but is otherwise intended to keep working under older standards.
It is a possible scenario. How should I check if the checks should warn (safe functions are available), if not by using this method?
Comment at: lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp:670-675
+ auto FormatString =
+ if(FormatString &&
+ FormatString->getString().find("%s") == StringRef::npos &&
+ FormatString->getString().find("%[") == StringRef::npos)
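Review bot: the two `find()` calls on `FormatString->getString()` match only the exact substrings "%s" and "%[", so a conversion that carries a length modifier but no field width, such as "%ls" or "%l[", matches neither and is treated the same as a format with no string conversion at all. In the other direction, "%%s" (a literal percent followed by the letter s) contains "%s" although it reads no string. If this condition is the path that suppresses the warning, unbounded wide-string reads would go unreported. Consider walking the conversion specifications one at a time, skipping "%%", and deciding per `s` or `[` conversion whether a width is present, rather than relying on substring search.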
> You'd probably also want to quit early if the format string is not a literal.
If the format string is not a literal (i.e. a variable), currently we cannot determine if there were any restrictions regarding the size or not, so we want this check to warn.