[PATCH] D100829: [analyzer][docs] Highlight some differences between ArrayBound and V2
Kristóf Umann via Phabricator via cfe-commits
cfe-commits at lists.llvm.org
Fri Jun 11 03:03:13 PDT 2021
Szelethus requested changes to this revision.
Szelethus added inline comments.
This revision now requires changes to proceed.
Herald added a subscriber: manas.
================
Comment at: clang/docs/analyzer/checkers.rst:2107
- // note: requires unix.Malloc or
- // alpha.unix.MallocWithAnnotations checks enabled.
+ // note: also requires the unix.Malloc checker.
void test() {
----------------
This doesn't seem to be true, MallocChecker's modeling and reporting parts are rather neatly separated, it should depend on unix.DynamicMemoryModeling. The warnings show even with the following command:
`build/bin/clang -cc1 -analyze -analyzer-checker=core,alpha.security.ArrayBound,unix.Malloc test2.c`
And should be patched, ideally:
```lang=git
diff --git a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
index 444b00d73f0b..c36cfba2cdcf 100644
--- a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
+++ b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
@@ -941,6 +941,7 @@ let ParentPackage = SecurityAlpha in {
def ArrayBoundChecker : Checker<"ArrayBound">,
HelpText<"Warn about buffer overflows (older checker)">,
+ Dependencies<[DynamicMemoryModeling]>,
Documentation<HasAlphaDocumentation>;
def ArrayBoundCheckerV2 : Checker<"ArrayBoundV2">,
```
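Review bot: Once Dependencies<[DynamicMemoryModeling]> is declared on ArrayBoundChecker, the `// note: also requires the unix.Malloc checker.` line proposed for checkers.rst:2107 becomes stale, because the modeling checker is then enabled implicitly whenever alpha.security.ArrayBound is; drop that note from the docs, or reword it to say that the heap-buffer examples rely on unix.DynamicMemoryModeling rather than on unix.Malloc. The trailing context line shows `def ArrayBoundCheckerV2 : Checker<"ArrayBoundV2">,` without a matching dependency; if the V2 documentation uses the same malloc-backed examples, the same `Dependencies<[DynamicMemoryModeling]>,` line belongs there too, otherwise the asymmetry between the two checkers should be explained in the hunk.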
================
Comment at: clang/docs/analyzer/checkers.rst:2126
+For tainted indices, you have to prove/assert that the index must be inbound
+if the taint checker also enabled.
+
----------------
if the taint checker **is** also enabled
================
Comment at: clang/docs/analyzer/checkers.rst:2128-2130
+This checker transforms buffer accesses more aggressively. While it can infer
+more accurate constraints for the possible values ranges of the variables
+constituting to the index expression compared to the simple ArrayBound checker.
----------------
>transforms buffer accesses more aggressively
What does that mean? I'm not sure, and I am supposed to be a developer >.<'
>While <this checker is better>
...and where is the 'but'? Maybe 'while' isn't the word to start this sentence on.
================
Comment at: clang/docs/analyzer/checkers.rst:2133-2134
+Limitations and bugs:
+ * Sometimes it is difficult to understand the what are the value ranges that
+ are out of bounds. (not all arithmetic assumptions are displayed)
+ * There can be false-positive findings if an index is of
----------------
And this results in what? What is an arithmetic assumption? What do you mean by value ranges? Can you give an example?
Repository:
rG LLVM Github Monorepo
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D100829/new/
https://reviews.llvm.org/D100829
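To make the two documentation points under review concrete (the bounds checkers only see the extent of a heap buffer when malloc() is modeled, and with the taint checker enabled a tainted index must be constrained before it is used), here is a small test file in the spirit of the `test2.c` the reviewer ran. This is an added example written for this page, not code from the patch, the review, or the Clang repository; the buffer length, function names and the 'a'..'p' fill pattern are my own choices. To see the V2 report on the unchecked lookup, one would run the reviewer's command with `alpha.security.ArrayBoundV2` and the taint checker added to `-analyzer-checker` (the exact checker name and output are not shown on this page, so treat that command as an assumption).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_LEN 16   /* hypothetical buffer size chosen for this example */

/* Allocate the heap buffer both lookups index into. The bounds checkers only
 * know its extent when unix.DynamicMemoryModeling models the malloc() call,
 * which is the dependency discussed in the review. The buffer is filled with
 * 'a'..'p' so the result of a lookup is observable. */
static char *make_buf(void) {
    char *buf = malloc(BUF_LEN);
    if (!buf)
        return NULL;
    for (int i = 0; i < BUF_LEN; i++)
        buf[i] = (char)('a' + i);
    return buf;
}

/* The index comes straight from stdin (a taint source) and is used without
 * any range check. This is the pattern the reviewed text warns about: with
 * the taint checker enabled, ArrayBoundV2 reports the access because nothing
 * on the path constrains idx. Not called from the tests, since it is
 * deliberately unsafe. */
int lookup_unchecked(void) {
    char line[32];
    char *buf = make_buf();
    if (!buf)
        return -1;
    if (!fgets(line, sizeof line, stdin)) {
        free(buf);
        return -1;
    }
    int idx = atoi(line);   /* tainted and unconstrained */
    int v = buf[idx];       /* out of bounds for idx < 0 or idx >= BUF_LEN */
    free(buf);
    return v;
}

/* The same lookup with the index range asserted before the access, which is
 * what the documentation asks for: on the path that dereferences, the
 * analyzer can see 0 <= idx < BUF_LEN. Returns -1 for a rejected or
 * non-numeric index and for allocation failure. */
int lookup_checked(const char *line) {
    char *buf = make_buf();
    if (!buf)
        return -1;
    char *end;
    long idx = strtol(line, &end, 10);
    if (end == line || idx < 0 || idx >= BUF_LEN) {
        free(buf);
        return -1;
    }
    int v = buf[idx];
    free(buf);
    return v;
}

int main(void) {
    printf("%d\n", lookup_checked("3"));    /* 100, i.e. 'd' */
    printf("%d\n", lookup_checked("16"));   /* -1, rejected as out of range */
    return 0;
}
```

The only difference between the two lookups is the `if` guarding the index; that guard is the "prove/assert that the index must be inbound" step the reviewed paragraph describes, and it is the part a maintainer would want the documentation to show explicitly.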