[PATCH] D100829: [analyzer][docs] Highlight some differences between ArrayBound and V2

Balázs Benics via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Tue Apr 20 01:55:38 PDT 2021 

steakhal created this revision.
steakhal added reviewers: NoQ, vsavchenko, Szelethus, martong.
Herald added subscribers: ASDenysPetrov, Charusso, dkrupp, donat.nagy, mikhail.ramalho, a.sidorin, rnkovacs, szepet, baloghadamsoftware, xazax.hun, whisperity.
steakhal requested review of this revision.
Herald added a project: clang.
Herald added a subscriber: cfe-commits.

It adds some comments about the ArrayBound and ArrayBoundV2. It would help the users deciding which to enable.

Further thoughts on this:
If V2 warns for all cases where V1 does, why do we let them enable both at the same time?


Repository:
  rG LLVM Github Monorepo

https://reviews.llvm.org/D100829

Files:
  clang/docs/analyzer/checkers.rst


Index: clang/docs/analyzer/checkers.rst
===================================================================
--- clang/docs/analyzer/checkers.rst
+++ clang/docs/analyzer/checkers.rst
@@ -2083,6 +2083,7 @@
 alpha.security.ArrayBound (C)
 """""""""""""""""""""""""""""
 Warn about buffer overflows (older checker).
+It does not consider tainted indices.
 
 .. code-block:: c
 
@@ -2103,8 +2104,7 @@
    p[2] = a; // warn
  }
 
- // note: requires unix.Malloc or
- // alpha.unix.MallocWithAnnotations checks enabled.
+ // note: also requires the unix.Malloc checker.
  void test() {
    int *p = malloc(12);
    p[3] = 4; // warn
@@ -2121,6 +2121,15 @@
 alpha.security.ArrayBoundV2 (C)
 """""""""""""""""""""""""""""""
 Warn about buffer overflows (newer checker).
+It should warn for all the cases where the ArrayBound would and for more.
+For tainted indices, you have to prove/assert that the index must be inbound
+if the taint checker also enabled.
+
+This checker transforms buffer accesses more aggressively. While it can infer
+more accurate constraints for the possible values ranges of the variables
+constituting to the index expression compared to the simple ArrayBound checker,
+the complexity of the bug paths of not only this but any other checker can also
+increase if enabled.
 
 .. code-block:: c
 
@@ -2150,6 +2159,14 @@
    char c = s[x]; // warn: index is tainted
  }
 
+ void test() {
+   char s[] = "abc";
+   int x = getchar();
+   x = (x < 0) ? 0 : (x > 3) ? 3 : x;
+   // 'x' is still tainted, but constrained to be within [0,3].
+   char c = s[x];  // no warning
+ }
+
 .. _alpha-security-MallocOverflow:
 
 alpha.security.MallocOverflow (C)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D100829.338771.patch
Type: text/x-patch
Size: 1665 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20210420/c85c2d0d/attachment.bin>

More information about the cfe-commits mailing list