[PATCH] D120489: [analyzer][NFCi] Done some changes to detect Uninitialized read by the char array manipulation functions
Balázs Benics via Phabricator via cfe-commits
cfe-commits at lists.llvm.org
Thu Feb 24 08:10:38 PST 2022
steakhal added a comment.
I'm looking forward to this check.
================
Comment at: clang/test/Analysis/bstring.c:300-311
void mempcpy14() {
int src[] = {1, 2, 3, 4};
int dst[5] = {0};
int *p;
- p = mempcpy(dst, src, 4 * sizeof(int));
+ p = mempcpy(dst, src, 4 * sizeof(int)); // expected-warning{{Bytes string function accesses uninitialized/garbage values}}
+ // FIXME: This behaviour is actually Unexpected and needs to be fix,
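Review bot: the FIXME on the last `+` line ends mid-sentence with a trailing comma and reads "needs to be fix"; complete it so it says what the correct outcome is, e.g. `// FIXME: This warning is a false positive; src is fully initialized, so no report is expected here.` Since the new `expected-warning` line makes the test pass on the false positive, a precise FIXME right beside it is what tells the next reader that this expectation is provisional rather than the intended behaviour.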
----------------
Basically, the store has 4 direct bindings for the `src` cluster.
At bit offset 0, 32, 64, 96, the values `1`, `2`, `3`, `4` (ints) respectively.
However, in the `memcopy` modeling, we calculate the byte offset of the very last touched **byte**, which is `byte 15`.
Consequently, we will do a lookup in the store for acquiring a binding starting at bit offset `15*8, aka. 120`.
However, there is no binding for that offset. What we have instead, is a binding starting at offset 96, associating an integer, which is 4 bytes long, thus this entry actually refers to the bits [96-128], so it overlaps with the byte at [120-128].
From this, we should be able to prove that the given bits must have been initialized to //some value//.
What I cannot remember off the top of my head is what the type of the `ER` was. I hope it was `char`, but I cannot recall.
If that was `char`, then we have a bug in the `store`.
Repository:
rG LLVM Github Monorepo
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D120489/new/
https://reviews.llvm.org/D120489
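As an added illustration (not code from the patch or from the Clang source) of the lookup mismatch steakhal describes: a toy model of a store cluster holding the four `int` bindings at bit offsets 0, 32, 64 and 96, and two ways of asking for the bit of the last byte touched by a 16-byte copy. An exact-offset lookup at bit 120 finds nothing; an overlap-aware lookup finds the binding at 96. The names `Cluster`, `lookupExact` and `lookupCovering` are assumptions for this illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <optional>

// One direct binding: how many bits it covers and the value bound there.
struct Binding { unsigned widthBits; int value; };
// A cluster: direct bindings keyed by their starting bit offset.
using Cluster = std::map<uint64_t, Binding>;

// Constructed sample matching `int src[] = {1, 2, 3, 4};`:
// 32-bit ints bound at bit offsets 0, 32, 64, 96.
Cluster makeSrcCluster() {
  return {{0, {32, 1}}, {32, {32, 2}}, {64, {32, 3}}, {96, {32, 4}}};
}

// Bit offset of the last byte touched by a copy of `nbytes` bytes
// (16 bytes -> byte 15 -> bit 120).
constexpr uint64_t lastByteBit(size_t nbytes) { return (nbytes - 1) * 8; }

// Exact lookup: only succeeds if a binding starts precisely at `bitOffset`.
// This is the query that comes back empty for bit 120.
std::optional<int> lookupExact(const Cluster &c, uint64_t bitOffset) {
  auto it = c.find(bitOffset);
  if (it == c.end()) return std::nullopt;
  return it->second.value;
}

// Overlap-aware lookup: finds the binding whose [start, start + width)
// range covers `bitOffset`. The map is sorted by start offset, so the
// candidate is the last binding starting at or before the queried bit.
std::optional<int> lookupCovering(const Cluster &c, uint64_t bitOffset) {
  auto it = c.upper_bound(bitOffset);
  if (it == c.begin()) return std::nullopt;
  --it;
  uint64_t start = it->first;
  uint64_t end = start + it->second.widthBits;
  if (bitOffset >= start && bitOffset < end) return it->second.value;
  return std::nullopt;  // queried bit lies past the binding, e.g. bit 128
}

int main() {
  Cluster src = makeSrcCluster();
  uint64_t bit = lastByteBit(16);
  std::printf("exact lookup at bit %llu: %s\n", (unsigned long long)bit,
              lookupExact(src, bit) ? "found" : "no binding");
  std::printf("covering lookup at bit %llu: value %d\n",
              (unsigned long long)bit, lookupCovering(src, bit).value_or(-1));
  return 0;
}
```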