[clang-tools-extra] [llvm] [clang] [analyzer] Support interestingness in ArrayBoundV2 (PR #78315)
via cfe-commits
cfe-commits at lists.llvm.org
Mon Jan 22 08:22:31 PST 2024
=?utf-8?q?Donát?= Nagy <donat.nagy at ericsson.com>,
=?utf-8?q?Donát?= Nagy <donat.nagy at ericsson.com>,
=?utf-8?q?Donát?= Nagy <donat.nagy at ericsson.com>
Message-ID:
In-Reply-To: <llvm.org/llvm/llvm-project/pull/78315 at github.com>
================
@@ -124,3 +124,25 @@ int assumingConverted2(struct foo f, int arg) {
// expected-note at -2 {{Access of 'array' at negative byte offset}}
return a + b + c;
}
+
+int assumingPlainOffset(struct foo f, int arg) {
+ // This TC is intended to check the corner case that the checker prints the
+ // shorter "offset" instead of "byte offset" when it's irrelevant that the
+ // offset is measured in bytes.
+
+ // expected-note at +2 {{Assuming 'arg' is < 2}}
+ // expected-note at +1 {{Taking false branch}}
+ if (arg >= 2)
+ return 0;
+
+ int b = ((int*)(f.b))[arg];
+ // expected-note at -1 {{Assuming byte offset is non-negative and less than 5, the extent of 'f.b'}}
+ // FIXME: this should be {{Assuming offset is non-negative}}
+ // but the current simplification algorithm doesn't realize that arg <= 1
+ // implies that the byte offset arg*4 will be less than 5.
----------------
NagyDonat wrote:
Also note that currently the checker only verifies that _(byte offset to first byte of accessed element) < (extent of memory region in bytes)_; so e.g. it would accept "`char b[5]; ((int*)b)[1] = 123;`" despite the fact that (assuming 4-bit `int`) this writes 3 bytes after the end of the array `b`.
This issue seems to be mostly theoretical (this sort of low-level memory abuse should be very rare), but I'll try to ensure that the checker handles it correctly.
https://github.com/llvm/llvm-project/pull/78315
More information about the cfe-commits
mailing list