[PATCH] D100829: [analyzer][docs] Highlight some differences between ArrayBound and V2

Balázs Benics via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Tue Apr 20 02:45:53 PDT 2021


steakhal updated this revision to Diff 338786.
steakhal added a comment.

Add 'Limitations and bugs' section with a false-positive example.
It would also help users classify certain types of false-positive reports.


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D100829/new/

https://reviews.llvm.org/D100829

Files:
  clang/docs/analyzer/checkers.rst


Index: clang/docs/analyzer/checkers.rst
===================================================================
--- clang/docs/analyzer/checkers.rst
+++ clang/docs/analyzer/checkers.rst
@@ -2083,6 +2083,7 @@
 alpha.security.ArrayBound (C)
 """""""""""""""""""""""""""""
 Warn about buffer overflows (older checker).
+It does not consider tainted indices.
 
 .. code-block:: c
 
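Review bot: the added sentence `+It does not consider tainted indices.` has an ambiguous subject right after the one-line summary; `This checker does not take tainted indices into account.` reads more clearly, and since the ArrayBoundV2 section below is where taint handling is documented, pointing readers there from this sentence would help them choose between the two checkers.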
@@ -2103,8 +2104,7 @@
    p[2] = a; // warn
  }
 
- // note: requires unix.Malloc or
- // alpha.unix.MallocWithAnnotations checks enabled.
+ // note: also requires the unix.Malloc checker.
  void test() {
    int *p = malloc(12);
    p[3] = 4; // warn
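Review bot: the replaced note drops `alpha.unix.MallocWithAnnotations` as an alternative to `unix.Malloc` without the commit message saying why; if that checker still satisfies this example, keep both names, and if it no longer does, say so in the comment so the removal does not look accidental. Also `also requires` reads oddly because nothing earlier in the example lists a first requirement; `// note: this example also needs the unix.Malloc checker to be enabled.` would be clearer.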
@@ -2121,6 +2121,26 @@
 alpha.security.ArrayBoundV2 (C)
 """""""""""""""""""""""""""""""
 Warn about buffer overflows (newer checker).
+It should warn for all the cases where the ArrayBound would and for more.
+For tainted indices, you have to prove/assert that the index must be inbound
+if the taint checker also enabled.
+
+This checker transforms buffer accesses more aggressively. While it can infer
+more accurate constraints for the possible values ranges of the variables
+constituting to the index expression compared to the simple ArrayBound checker.
+
+Limitations and bugs:
+ * Sometimes it is difficult to understand the what are the value ranges that
+   are out of bounds. (not all arithmetic assumptions are displayed)
+ * There can be false-positive findings if an index is of
+   `unsigned long (aka. size_t)` or a wider unsigned type.
+    .. code-block:: c
+
+      const char a[] = "aabbcc";
+      char foo(unsigned long long len) {
+        return a[len+1]; // false-positive
+        // Out of bound memory access (access exceeds upper limit of memory block)
+      }
 
 .. code-block:: c
 
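Review bot: the nested `.. code-block:: c` inside the second bullet is indented four spaces and has no blank line before it, so reStructuredText will treat it as a continuation of the bullet paragraph (or report an unexpected-indentation error) rather than render a code block; put a blank line before the directive and indent it three spaces to match the item's text. Also use double backticks around `unsigned long (aka. size_t)`, since single backticks are interpreted text in reStructuredText, not an inline literal. The prose needs a pass too: `the index must be inbound if the taint checker also enabled` should read `in bounds if the taint checker is also enabled`, `the what are the value ranges` has a stray `the`, and the sentence starting `While it can infer` is a fragment; joining it to the previous sentence (`... more aggressively, and it can infer more accurate constraints for the possible value ranges of the variables that constitute the index expression ...`) reads better.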
@@ -2150,6 +2170,14 @@
    char c = s[x]; // warn: index is tainted
  }
 
+ void test() {
+   char s[] = "abc";
+   int x = getchar();
+   x = (x < 0) ? 0 : (x > 3) ? 3 : x;
+   // 'x' is still tainted, but constrained to be within [0,3].
+   char c = s[x];  // no warning
+ }
+
 .. _alpha-security-MallocOverflow:
 
 alpha.security.MallocOverflow (C)
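Review bot: the new `test()` example clamps `x` to `[0,3]` and then reads `s[3]`, which is the terminating NUL of `"abc"`; that is in bounds, but a reader skimming for an off-by-one may assume the clamp is wrong, so clamping to `2` (or a comment saying index 3 is the terminator) makes the point that a bounds proof silences the taint warning without that distraction. It would also help to tie the comment back to the `prove/assert` wording in the section text, e.g. `// the clamp is the 'proof' that the tainted index is in bounds`.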

