[PATCH] D148355: [analyzer] Fix comparison logic in ArrayBoundCheckerV2

Donát Nagy via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Fri Apr 14 10:14:18 PDT 2023


donat.nagy created this revision.
donat.nagy added reviewers: steakhal, NoQ, gamesh411, Szelethus.
donat.nagy added a project: clang-tools-extra.
Herald added subscribers: manas, ASDenysPetrov, martong, dkrupp, mikhail.ramalho, a.sidorin, szepet, baloghadamsoftware, xazax.hun.
Herald added a project: All.
donat.nagy requested review of this revision.
Herald added a project: clang.
Herald added a subscriber: cfe-commits.

This simple commit introduces a separate code path for a certain situation that was handled incorrectly by the prototype checker alpha.security.ArrayBoundV2. This issue was already known and marked by a "FIXME" testcase which is now adapted to expect the correct behavior.

Note that although the visible symptom of this issue was an overflow error, the actual problem was in the underflow handler logic:
(0) The testcase introduces a five-element array "char a[5]" and an unknown argument "size_t len"; then evaluates "a[len+1]".
(1) The underflow check tries to determine whether "len+1 < 0" holds.
(2) This inequality is rearranged to "len < -1".
(3) evalBinOpNN() evaluates this with the semantics of C/C++ and converts -1 to the size_t value SIZE_MAX.
(4) The engine concludes that len == SIZE_MAX, because otherwise we'd have an underflow here.
(5) The overflow check tries to determine whether "len+1 >= 5".
(6) This inequality is rearranged to "len >= 4".
(7) The engine substitutes len == SIZE_MAX and reports that we have an overflow.


Repository:
  rG LLVM Github Monorepo

https://reviews.llvm.org/D148355

Files:
  clang/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp
  clang/test/Analysis/array-bound-v2-constraint-check.c
  clang/test/Analysis/out-of-bounds-false-positive.c

-------------- next part --------------
A non-text attachment was scrubbed...
Name: D148355.513660.patch
Type: text/x-patch
Size: 6308 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20230414/c7e0106f/attachment-0001.bin>
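The chain of steps (0)-(7) in the description, replayed as an added example; this is not code from the patch or from the analyzer. It models the constraint on the symbolic "size_t len" as a hypothetical inclusive interval (the range_t type, assume_lt/assume_ge, check_old_logic and check_unsigned_index are all names invented for the example, not analyzer APIs) and reproduces how rearranging "len+1 < 0" into "len < -1" under size_t semantics leaves only len == SIZE_MAX, which the overflow test then turns into a report. The second verdict function is a model of the intended behavior for an unsigned index (the "< 0" test cannot hold, so it is skipped); it does not claim to be the logic the patch itself adds.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { ARRAY_LEN = 5 };   /* char a[5] from the testcase; the index is len + 1 */

/* Hypothetical interval constraint on the symbolic size_t "len". */
typedef struct {
    size_t lo, hi;  /* inclusive bounds of the values len may take */
    bool feasible;  /* false when no value satisfies the constraints */
} range_t;

static const range_t INFEASIBLE = {0, 0, false};

/* Narrow r to the values x with x < bound (unsigned comparison). */
static range_t assume_lt(range_t r, size_t bound) {
    if (!r.feasible || bound == 0 || r.lo >= bound) return INFEASIBLE;
    if (r.hi >= bound) r.hi = bound - 1;
    return r;
}

/* Narrow r to the values x with x >= bound (unsigned comparison). */
static range_t assume_ge(range_t r, size_t bound) {
    if (!r.feasible || r.hi < bound) return INFEASIBLE;
    if (r.lo < bound) r.lo = bound;
    return r;
}

typedef enum { VERDICT_OK, VERDICT_UNDERFLOW, VERDICT_OVERFLOW } verdict_t;

/* Report only when the out-of-bounds state is feasible and the in-bounds
 * state is not; otherwise the analysis continues with the in-bounds state. */
static bool report(range_t out_of_bounds, range_t in_bounds) {
    return out_of_bounds.feasible && !in_bounds.feasible;
}

/* Steps (1)-(7): the underflow test "len + 1 < 0" rearranged to "len < -1",
 * with -1 converted to SIZE_MAX as in C, followed by the overflow test. */
verdict_t check_old_logic(range_t len) {
    /* (1)-(3): the underflow test becomes len < SIZE_MAX. */
    range_t precedes_lower = assume_lt(len, SIZE_MAX);
    range_t within_lower   = assume_ge(len, SIZE_MAX);
    if (report(precedes_lower, within_lower)) return VERDICT_UNDERFLOW;
    /* (4): both states are feasible, so nothing is reported, but the
     * analysis goes on with within_lower, which is exactly len == SIZE_MAX. */
    len = within_lower;

    /* (5)-(6): the overflow test "len + 1 >= 5" rearranged to len >= 4. */
    range_t exceeds_upper = assume_ge(len, ARRAY_LEN - 1);
    range_t within_upper  = assume_lt(len, ARRAY_LEN - 1);
    /* (7): with len == SIZE_MAX the in-bounds state is infeasible: false positive. */
    if (report(exceeds_upper, within_upper)) return VERDICT_OVERFLOW;
    return VERDICT_OK;
}

/* Model of the intended behavior for an unsigned index: it can never be
 * below zero, so the "< 0" test is skipped and len reaches the overflow
 * test unconstrained. (An illustration, not the patch's own code.) */
verdict_t check_unsigned_index(range_t len) {
    range_t exceeds_upper = assume_ge(len, ARRAY_LEN - 1);
    range_t within_upper  = assume_lt(len, ARRAY_LEN - 1);
    if (report(exceeds_upper, within_upper)) return VERDICT_OVERFLOW;
    return VERDICT_OK;
}

/* The unknown argument "size_t len": any value at all. */
range_t unknown_size_t(void) { return (range_t){0, SIZE_MAX, true}; }

int main(void) {
    static const char *names[] = {"ok", "underflow", "overflow"};
    printf("old logic, unknown len:      %s\n", names[check_old_logic(unknown_size_t())]);
    printf("unsigned index, unknown len: %s\n", names[check_unsigned_index(unknown_size_t())]);
    return 0;
}
```

The unsigned-index path still reports genuine overflows: a len already known to lie in [10, 20] leaves no feasible in-bounds state for a[len+1], so the verdict there is an overflow while an unknown len yields no report.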