[clang] [analyzer] Add alpha.cplusplus.BoundsInformation checker (PR #112784)
Artem Dergachev via cfe-commits
cfe-commits at lists.llvm.org
Fri Oct 18 10:17:16 PDT 2024
haoNoQ wrote:
> but not to replace it
And it doesn't necessarily need it in the first place! I think it's most likely going to be useful as a standalone checker even when you never needed `-Wunsafe-buffer-usage`.
It's a bit coding-convention-y: roughly on the same level of "speculative" as the use-after-move checker for local variables. We don't plan to make sure that every warning is a real OOB bug. We will sometimes warn when the code is "scary-looking but ultimately benign". But depending on what we see, I think there's a solid chance it could be an on-by-default checker.
The biggest thing we're going after is the situations where the attacker controls the buffer size, or the span size, or _both-independently_, but we're trying to see if this can be detected even without taint analysis. This may work because the buffer and the size typically go "together". For example, as a struct with pointer and size fields, or as a pair of parameters. So if you're using a parameter for the size while using your member variable for the pointer, this means that something really weird is going on. Even if it's ultimately benign, we gotta say something about this. We could still use taint analysis as an extra source of information, but the idea is, maybe we don't even have to!
https://github.com/llvm/llvm-project/pull/112784
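The "buffer and size travel together" heuristic described in the comment above, as an added C++ illustration that is not code from the PR or the checker: a hypothetical length-prefixed `Frame` type, the scary-looking form where the pointer comes from a member while the size comes from a parameter, and the two shapes a reviewer would accept instead (validate the independent size against the buffer's own size, or derive both from the same object). The wire layout and sample frames are constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added illustration (not from the checker or the PR): a hypothetical
// length-prefixed message. Wire layout, constructed for this example:
//   [len: 1 byte][payload: len bytes]
// The attacker controls `len` on the wire and how many bytes actually arrive,
// independently of each other.
struct Frame {
    std::vector<std::uint8_t> bytes;   // buffer and its size travel together
};

// Scary-looking form: the pointer comes from the member, the size from a
// parameter. Nothing ties `len` to bytes.size(), so a caller that forwards
// the wire-declared length over a truncated frame reads past the vector.
// Kept only as the 'before'; callers below never reach it with a bad length.
std::uint32_t checksum_unchecked(const Frame& f, std::size_t len) {
    const std::uint8_t* p = f.bytes.data() + 1;           // buffer: member
    std::uint32_t sum = 0;
    for (std::size_t i = 0; i < len; ++i) sum += p[i];    // size: parameter
    return sum;
}

// Checked form: the independent size is validated against the size that
// actually belongs to the buffer before it is used as a loop bound.
// Returns false (and leaves `out` untouched) when the lengths disagree.
bool checksum_checked(const Frame& f, std::size_t len, std::uint32_t& out) {
    if (f.bytes.empty()) return false;                    // no header byte at all
    const std::size_t avail = f.bytes.size() - 1;         // payload bytes present
    if (len > avail) return false;                        // declared > actual
    out = checksum_unchecked(f, len);
    return true;
}

// Benign form: pointer and size are both taken from the same object, so the
// question of who controls `len` never arises; the header's claim is checked
// against the bytes that are actually there.
bool checksum_from_frame(const Frame& f, std::uint32_t& out) {
    if (f.bytes.empty()) return false;
    const std::size_t declared = f.bytes[0];
    const std::size_t avail = f.bytes.size() - 1;
    if (declared > avail) return false;                   // inflated header, short frame
    std::uint32_t sum = 0;
    for (std::size_t i = 0; i < declared; ++i) sum += f.bytes[1 + i];
    out = sum;
    return true;
}
```

The diagnostic the comment describes would fire on `checksum_unchecked` alone: the pointer is derived from `f.bytes` but the bound is an unrelated parameter. In `checksum_from_frame` both come from `f.bytes`, which is the shape that needs no taint information to judge.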