[llvm-bugs] [Bug 47130] Detect buffer underflow

Tue Oct 12 02:31:37 PDT 2021

https://bugs.llvm.org/show_bug.cgi?id=47130

Balazs Benics <balazs.benics at sigmatechnology.se> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |balazs.benics at sigmatechnolo
                   |                            |gy.se
         Resolution|---                         |WONTFIX
             Status|NEW                         |RESOLVED

--- Comment #1 from Balazs Benics <balazs.benics at sigmatechnology.se> ---
By checking the code I'm pretty sure it's technically correct.
So, in that sense, there is no bug that we should warn about.

We explicitly check if the `memset()` deals with the whole object or not.
If it doesn't cover the whole object we invalidate the buffer.

This is done so because we can't model partially initialized memory regions
efficiently at scale. The memory model of the analyzer could be extended to
support at least if some concrete prefix/suffix/chunk has a certain property
(e.g. uninitialized, or initialized to a certain value). But we need to
consider the performance impact of these.

On the other hand, I agree that the check for this specific case, when a
concrete upperbound is used, could be detected without much effort.

The related code is located here:
https://github.com/llvm/llvm-project/blob/e5c7c171e5db6af1e3dca1059df4287b0d147eaf/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp#L1088-L1091

If you feel the courage to tinker with it, I could guide you through it, but I
don't have time to fix this.

Aside from that, I think there is a related SEI-CERT rule, but I cannot recall
ATM which.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20211012/bfb46cc4/attachment.html>