[llvm-bugs] [Bug 27820] New: ArrayBoundCheckerV2 false positive due to dead symbol remove.

via llvm-bugs llvm-bugs at lists.llvm.org
Thu May 19 20:24:30 PDT 2016


https://llvm.org/bugs/show_bug.cgi?id=27820

            Bug ID: 27820
           Summary: ArrayBoundCheckerV2 false positive due to dead symbol
                    remove.
           Product: clang
           Version: 3.6
          Hardware: PC
                OS: Windows NT
            Status: NEW
          Severity: normal
          Priority: P
         Component: Static Analyzer
          Assignee: kremenek at apple.com
          Reporter: ioripolo at foxmail.com
                CC: llvm-bugs at lists.llvm.org
    Classification: Unclassified

I got a simple test case as below:

  /* Minimal declarations instead of headers, so the test case compiles
     stand-alone; fgets() is the taint source, atoi() propagates it. */
  typedef struct _FILE FILE;
  extern FILE *stdin;
  char *fgets(char *s, int n, FILE *stream);
  int atoi(const char *nptr);

  void foo() {
    int pos = 1;
    int table[] = {1, 2};
    char inputBuffer[2] = "";
    fgets(inputBuffer, 2, stdin);     /* pos becomes tainted here */
    pos = atoi(inputBuffer);
    if (pos > 0 && pos <=2) {         /* the validation the analyzer forgets */
      table[pos] = 10;
    }
  }

And with the command line "clang -cc1 -analyze -w
-analyzer-checker=alpha.security.ArrayBoundV2
-analyzer-checker=alpha.security.taint test.c"

Then I got a warning like this:

  test.c:15:16: warning: Out of bound memory access (index is tainted)
    table[pos] = 10;
    ~~~~~~~~~~~^~~~
  1 warning generated.

But we have a validation "if (pos > 0 && pos <=2)", so the extent of pos should
be OK.

After taking a look inside this false positive, I think I found the reason:

In the 'PreStmtPurgeDeadSymbols' process of the assignment BinaryOperator
'table[pos] = 10', 'pos' is not live any more, so the conjured symbol and
its constraint were removed.

Later, when we check the location for ArrayBoundV2, because of the removal of
the conjured symbol, both 'state_exceedsUpperBound' and 'state_withinUpperBound'
are non-null. Finally we get the warning according to the logic below.

    // If we are under constrained and the index variables are tainted, report.
    if (state_exceedsUpperBound && state_withinUpperBound) {
      if (state->isTainted(rawOffset.getByteOffset()))
        reportOOB(checkerContext, state_exceedsUpperBound, OOB_Tainted);
        return;
    }
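
For comparison, the same input-to-index pattern written with the bound derived from the array length; this is an added example, not the reporter's test case or LLVM code. Note that with `int table[2]` the valid indices are 0 and 1, so a check of the form `pos <= 2` still admits `table[2]`; the version below uses an exclusive upper bound and `strtol` so that non-numeric or overflowing input is rejected rather than silently becoming 0.

```c
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>

/* Same shape as the report's table: two elements, valid indices 0 and 1. */
#define TABLE_LEN 2

/*
 * Parse an untrusted string into an index and store `value` into `table`
 * only if the index is in range.  Returns 1 if the write happened, 0 if
 * the input was rejected.  The bound comes from the array length, not a
 * hand-written literal.
 */
int store_at_index(int table[TABLE_LEN], const char *input, int value) {
    char *end = NULL;
    errno = 0;
    long pos = strtol(input, &end, 10);
    if (end == input || (*end != '\0' && *end != '\n'))  /* no digits, or trailing junk */
        return 0;
    if (errno == ERANGE)                                  /* value did not fit in a long */
        return 0;
    if (pos < 0 || pos >= TABLE_LEN)                      /* exclusive upper bound */
        return 0;
    table[pos] = value;
    return 1;
}

/* The report's check, reproduced only to show which indices it accepts. */
int report_check_accepts(long pos) {
    return pos > 0 && pos <= 2;   /* accepts pos == 2, which is table[TABLE_LEN] */
}

int main(void) {
    int table[TABLE_LEN] = {1, 2};
    /* Constructed sample inputs, including what fgets() would leave behind. */
    const char *samples[] = {"0", "1\n", "2", "-1", "abc", "1x", "99999999999999999999"};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> %s\n", samples[i],
               store_at_index(table, samples[i], 10) ? "written" : "rejected");
    return 0;
}
```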
