[cfe-dev] Static check on memcpy()

Chris Hamilton via cfe-dev cfe-dev at lists.llvm.org
Thu Dec 3 14:34:46 PST 2020

Hi folks,


It’s easy to see how memcpy (and other mem* functions) can cause
out-of-bounds reads/writes, such as in this simplified reproducer for a real
case we’ve seen:


   #include <string.h>

   struct S {

      int x;

      int xx;

      int y[];


   char dst[100];


   int main(void) {

      struct S src = {0};

      src.x = 9999;

      src.xx = 8888;

      memcpy(dst, &src, sizeof(struct S) + 1);



Here, the size argument to memcpy is clearly just wrong.  But consider that
when FAMs are in play (as is hinted at here), designers can get confused and
use the wrong size value – probably there are plenty of other circumstances
where such coding errors are easy to make, and not easy to spot during
review.  At present, CFE can’t catch this during compilation (unless I’ve
missed something).  It can be caught by the static analysis check
“alpha.unix.cstring.OutOfBounds” – but that’s rather late, rather costly,
and rather noisy (which I’m sure is why it’s an alpha check and not a core
check).  This seems like something that could be caught and flagged by
either a diagnostic or a tidy-check
   Is that reasonable?  If not, why not?






Chris Hamilton 

Compiler Developer


Mobile: +1-512-955-0143

 <mailto:chris.hamilton at ericsson.com> chris.hamilton at ericsson.com


“Without inclusion, diversity is only a statistic.”  -- Börje Ekholm, CEO of



1703 W. 5th Street Suite 600

78703,Austin, Texas

United States

 <https://www.ericsson.com/> ericsson.com




Our commitment to
Technology for Good and
<https://www.ericsson.com/thecompany/diversity-inclusion> Diversity and
Inclusion contributes to positive change.
Follow us on:  <https://www.facebook.com/ericsson> Facebook
<https://www.linkedin.com/company/ericsson> LinkedIn
<https://twitter.com/Ericsson> Twitter

Legal entity:ERICSSON AB registration number 556056-6258, registered office
in Stockholm.
This communication is confidential. Our email terms:


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20201203/c12001b5/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6394 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20201203/c12001b5/attachment.bin>

More information about the cfe-dev mailing list