[PATCH] D107756: [analyzer] Extend the documentation of MallocOverflow

Balázs Benics via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Thu Aug 26 06:22:52 PDT 2021


This revision was automatically updated to reflect the committed changes.
Closed by commit rG6097a4192458: [analyzer] Extend the documentation of MallocOverflow (authored by steakhal).
Herald added a project: clang.
Herald added a subscriber: cfe-commits.

Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D107756/new/

https://reviews.llvm.org/D107756

Files:
  clang/docs/analyzer/checkers.rst


Index: clang/docs/analyzer/checkers.rst
===================================================================
--- clang/docs/analyzer/checkers.rst
+++ clang/docs/analyzer/checkers.rst
@@ -2154,7 +2154,14 @@
 
 alpha.security.MallocOverflow (C)
 """""""""""""""""""""""""""""""""
-Check for overflows in the arguments to malloc().
+Check for overflows in the arguments to ``malloc()``.
+It tries to catch ``malloc(n * c)`` patterns, where:
+ - ``n``: a variable or member access of an object
+ - ``c``: a constant foldable integral
+
+This checker was designed for code audits, so expect false-positive reports.
+One is supposed to silence this checker by ensuring proper bounds checking on
+the variable in question using e.g. an ``assert()`` or a branch.
 
 .. code-block:: c
 
@@ -2168,6 +2175,26 @@
    void *p = malloc(n * sizeof(int)); // no warning
  }
 
+ void test3(int n) {
+   assert(n <= 100 && "Contract violated.");
+   void *p = malloc(n * sizeof(int)); // no warning
+ }
+
+Limitations:
+ - The checker won't warn for variables involved in explicit casts,
+   since that might limit the variable's domain.
+   E.g.: ``(unsigned char)int x`` would limit the domain to ``[0,255]``.
+   The checker will miss the true-positive cases when the explicit cast would
+   not tighten the domain to prevent the overflow in the subsequent
+   multiplication operation.
+
+ - If the variable ``n`` participates in a comparison anywhere in the enclosing
+   function's scope, even after the ``malloc()``, the report will be still
+   suppressed.
+
+ - It is an AST-based checker, thus it does not make use of the
+   path-sensitive taint-analysis.
+
 .. _alpha-security-MmapWriteExec:
 
 alpha.security.MmapWriteExec (C)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D107756.368861.patch
Type: text/x-patch
Size: 1721 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20210826/b316b0a3/attachment.bin>


More information about the cfe-commits mailing list