[clang] [analyzer] Improve diagnostics from ArrayBoundCheckerV2 (PR #70056)

Balazs Benics via cfe-commits cfe-commits at lists.llvm.org
Thu Nov 2 07:22:02 PDT 2023 

=?utf-8?q?Donát?= Nagy <donat.nagy at ericsson.com>,
=?utf-8?q?Donát?= Nagy <donat.nagy at ericsson.com>
Message-ID:
In-Reply-To: <llvm.org/llvm/llvm-project/pull/70056 at github.com>


================
@@ -0,0 +1,149 @@
+// RUN: %clang_analyze_cc1 -Wno-array-bounds -analyzer-output=text        \
+// RUN:     -analyzer-checker=core,alpha.security.ArrayBoundV2,unix.Malloc,alpha.security.taint -verify %s
+
+int array[10];
+
+void arrayUnderflow(void) {
+  array[-3] = 5;
+  // expected-warning at -1 {{Out of bound access to memory preceding 'array'}}
+  // expected-note at -2 {{Access of 'array' at negative byte offset -12}}
+}
+
+int scanf(const char *restrict fmt, ...);
+
+void taintedIndex(void) {
+  int index;
+  scanf("%d", &index);
+  // expected-note at -1 {{Taint originated here}}
+  // expected-note at -2 {{Taint propagated to the 2nd argument}}
+  array[index] = 5;
+  // expected-warning at -1 {{Potential out of bound access to 'array' with tainted offset}}
+  // expected-note at -2 {{Access of 'array' with a tainted offset that may be too large}}
+}
+
+void arrayOverflow(void) {
+  array[12] = 5;
+  // expected-warning at -1 {{Out of bound access to memory after the end of 'array'}}
+  // expected-note at -2 {{Access of 'array' at index 12, while it holds only 10 'int' elements}}
+}
+
+int scalar;
+int scalarOverflow(void) {
+  return (&scalar)[1];
+  // expected-warning at -1 {{Out of bound access to memory after the end of 'scalar'}}
+  // expected-note at -2 {{Access of 'scalar' at index 1, while it holds only a single 'int' element}}
+}
+
+int oneElementArray[1];
+int oneElementArrayOverflow(void) {
+  return oneElementArray[1];
+  // expected-warning at -1 {{Out of bound access to memory after the end of 'oneElementArray'}}
+  // expected-note at -2 {{Access of 'oneElementArray' at index 1, while it holds only a single 'int' element}}
+}
+
+short convertedArray(void) {
+  return ((short*)array)[47];
+  // expected-warning at -1 {{Out of bound access to memory after the end of 'array'}}
+  // expected-note at -2 {{Access of 'array' at index 47, while it holds only 20 'short' elements}}
+}
+
+struct vec {
+  int len;
+  double elems[64];
+} v;
+
+double arrayInStruct(void) {
+  return v.elems[64];
+  // expected-warning at -1 {{Out of bound access to memory after the end of 'v.elems'}}
+  // expected-note at -2 {{Access of 'v.elems' at index 64, while it holds only 64 'double' elements}}
+}
+
+double arrayInStructPtr(struct vec *pv) {
+  return pv->elems[64];
+  // expected-warning at -1 {{Out of bound access to memory after the end of the field 'elems'}}
+  // expected-note at -2 {{Access of the field 'elems' at index 64, while it holds only 64 'double' elements}}
+}
+
+struct two_bytes {
+  char lo, hi;
+};
+
+struct two_bytes convertedArray2(void) {
+  // We report this with byte offsets because the offset is not divisible by the element size.
+  struct two_bytes a = {0, 0};
+  char *p = (char*)&a;
+  return *((struct two_bytes*)(p + 7));
+  // expected-warning at -1 {{Out of bound access to memory after the end of 'a'}}
+  // expected-note at -2 {{Access of 'a' at byte offset 7, while it holds only 2 bytes}}
+}
+
+int intFromString(void) {
+  // We report this with byte offsets because the extent is not divisible by the element size.
+  return ((const int*)"this is a string of 33 characters")[20];
+  // expected-warning at -1 {{Out of bound access to memory after the end of the string literal}}
+  // expected-note at -2 {{Access of the string literal at byte offset 80, while it holds only 34 bytes}}
+}
+
+int intFromStringDivisible(void) {
+  // However, this is reported with indices/elements, because the extent happens to be a multiple of 4.
+  return ((const int*)"abc")[20];
+  // expected-warning at -1 {{Out of bound access to memory after the end of the string literal}}
+  // expected-note at -2 {{Access of the string literal at index 20, while it holds only a single 'int' element}}
+}
----------------
steakhal wrote:

I have no strong opinion.
Thanks for the explanation.

https://github.com/llvm/llvm-project/pull/70056

More information about the cfe-commits mailing list