[PATCH] D157104: [analyzer] Improve underflow handling in ArrayBoundV2
DonĂ¡t Nagy via Phabricator via cfe-commits
cfe-commits at lists.llvm.org
Fri Aug 4 08:05:34 PDT 2023
donat.nagy created this revision.
Herald added subscribers: steakhal, manas, ASDenysPetrov, martong, gamesh411, dkrupp, Szelethus, mikhail.ramalho, a.sidorin, szepet, baloghadamsoftware, xazax.hun.
Herald added a reviewer: NoQ.
Herald added a project: All.
donat.nagy requested review of this revision.
Herald added a project: clang.
Herald added a subscriber: cfe-commits.
This minor change ensures that underflow errors are reported on arrays that are in unknown space but have well-defined size.
As a concrete example, the following test case did not produce a warning previously, but will produce a warning after this patch:
typedef struct {
int id;
char name[256];
} user_t;
user_t *get_symbolic_user(void);
char test_underflow_symbolic_2() {
user_t *user = get_symbolic_user();
return user->name[-1];
}
Repository:
rG LLVM Github Monorepo
https://reviews.llvm.org/D157104
Files:
clang/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp
clang/test/Analysis/out-of-bounds.c
Index: clang/test/Analysis/out-of-bounds.c
===================================================================
--- clang/test/Analysis/out-of-bounds.c
+++ clang/test/Analysis/out-of-bounds.c
@@ -151,11 +151,23 @@
// Don't warn when indexing below the start of a symbolic region's whose
// base extent we don't know.
int *get_symbolic(void);
-void test_index_below_symboloc(void) {
+void test_underflow_symbolic(void) {
int *buf = get_symbolic();
buf[-1] = 0; // no-warning;
}
+// But warn if we understand the internal memory layout of a symbolic region.
+typedef struct {
+ int id;
+ char name[256];
+} user_t;
+
+user_t *get_symbolic_user(void);
+char test_underflow_symbolic_2() {
+ user_t *user = get_symbolic_user();
+ return user->name[-1]; // expected-warning{{Out of bound memory access}}
+}
+
void test_incomplete_struct(void) {
extern struct incomplete incomplete;
int *p = (int *)&incomplete;
@@ -173,4 +185,3 @@
buf[x] = 1;
clang_analyzer_eval(x <= 99); // expected-warning{{TRUE}}
}
-
Index: clang/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp
===================================================================
--- clang/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp
+++ clang/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp
@@ -172,13 +172,17 @@
return;
NonLoc ByteOffset = RawOffset->getByteOffset();
+ const SubRegion *Reg = RawOffset->getRegion();
// CHECK LOWER BOUND
- const MemSpaceRegion *SR = RawOffset->getRegion()->getMemorySpace();
- if (!llvm::isa<UnknownSpaceRegion>(SR)) {
- // A pointer to UnknownSpaceRegion may point to the middle of
- // an allocated region.
-
+ const MemSpaceRegion *Space = Reg->getMemorySpace();
+ if (!(isa<SymbolicRegion>(Reg) && isa<UnknownSpaceRegion>(Space))) {
+ // A symbolic region in unknown space represents an unknown pointer that
+ // may point into the middle of an array, so we don't look for underflows.
+ // Both conditions are significant because we want to check underflows in
+ // symbolic regions on the heap (which may be introduced by checkers that
+ // call SValBuilder::getConjuredHeapSymbolVal()) and non-symbolic regions
+ // (e.g. a field subregion of a symbolic region) in unknown space.
auto [state_precedesLowerBound, state_withinLowerBound] =
compareValueToThreshold(state, ByteOffset,
svalBuilder.makeZeroArrayIndex(), svalBuilder);
@@ -195,7 +199,7 @@
// CHECK UPPER BOUND
DefinedOrUnknownSVal Size =
- getDynamicExtent(state, RawOffset->getRegion(), svalBuilder);
+ getDynamicExtent(state, Reg, svalBuilder);
if (auto KnownSize = Size.getAs<NonLoc>()) {
auto [state_withinUpperBound, state_exceedsUpperBound] =
compareValueToThreshold(state, ByteOffset, *KnownSize, svalBuilder);
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D157104.547217.patch
Type: text/x-patch
Size: 2839 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20230804/6c0add5d/attachment.bin>
More information about the cfe-commits
mailing list