[PATCH] D49633: [CStringSYntaxChecker] Improvements of strlcpy check
David CARLIER via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Mon Jul 23 11:26:50 PDT 2018
This revision was automatically updated to reflect the committed changes.
Closed by commit rL337721: [CStringSyntaxChecker] Improvements of strlcpy check (authored by devnexen, committed by ).
Changed prior to commit:
https://reviews.llvm.org/D49633?vs=156669&id=156839#toc
Repository:
rL LLVM
https://reviews.llvm.org/D49633
Files:
cfe/trunk/lib/StaticAnalyzer/Checkers/CStringSyntaxChecker.cpp
cfe/trunk/test/Analysis/cstring-syntax.c
Index: cfe/trunk/test/Analysis/cstring-syntax.c
===================================================================
--- cfe/trunk/test/Analysis/cstring-syntax.c
+++ cfe/trunk/test/Analysis/cstring-syntax.c
@@ -31,4 +31,5 @@
strlcpy(dest, src, badlen); // expected-warning {{The third argument is larger than the size of the input buffer. Replace with the value 'sizeof(dest)` or lower}}
strlcpy(dest, src, ulen);
strlcpy(dest + 5, src, 5);
+ strlcpy(dest + 5, src, 10); // expected-warning {{The third argument is larger than the size of the input buffer.}}
}
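Review bot: The added case only covers an offset that stays inside `dest`; nothing pins the checker's behaviour when the literal offset is past the end of the array, or when the destination is written as `5 + dest` or `dest - 1`. Those are the forms where the new checker code's unsigned `BufferLen - DstOff` and its LHS-only lookup diverge from the plain-add path. Adding a line such as `strlcpy(dest + 20, src, 5);` with the intended expectation would catch a silent miss, assuming `dest` is smaller than 20 bytes (its declaration is outside this hunk).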
Index: cfe/trunk/lib/StaticAnalyzer/Checkers/CStringSyntaxChecker.cpp
===================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/CStringSyntaxChecker.cpp
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/CStringSyntaxChecker.cpp
@@ -88,6 +88,7 @@
/// size_t cpy = 4;
/// strlcpy(dst, "abcd", sizeof("abcd") - 1);
/// strlcpy(dst, "abcd", 4);
+ /// strlcpy(dst + 3, "abcd", 2);
/// strlcpy(dst, "abcd", cpy);
bool containsBadStrlcpyPattern(const CallExpr *CE);
@@ -149,6 +150,7 @@
const auto *DstArgDecl = dyn_cast<DeclRefExpr>(DstArg->IgnoreParenImpCasts());
const auto *LenArgDecl = dyn_cast<DeclRefExpr>(LenArg->IgnoreParenLValueCasts());
+ uint64_t DstOff = 0;
// - size_t dstlen = sizeof(dst)
if (LenArgDecl) {
const auto *LenArgVal = dyn_cast<VarDecl>(LenArgDecl->getDecl());
@@ -158,14 +160,28 @@
// - integral value
// We try to figure out if the last argument is possibly longer
- // than the destination can possibly handle if its size can be defined
+ // than the destination can possibly handle if its size can be defined.
if (const auto *IL = dyn_cast<IntegerLiteral>(LenArg->IgnoreParenImpCasts())) {
uint64_t ILRawVal = IL->getValue().getZExtValue();
+
+ // Case when there is pointer arithmetic on the destination buffer
+ // especially when we offset from the base decreasing the
+ // buffer length accordingly.
+ if (!DstArgDecl) {
+ if (const auto *BE = dyn_cast<BinaryOperator>(DstArg->IgnoreParenImpCasts())) {
+ DstArgDecl = dyn_cast<DeclRefExpr>(BE->getLHS()->IgnoreParenImpCasts());
+ if (BE->getOpcode() == BO_Add) {
+ if ((IL = dyn_cast<IntegerLiteral>(BE->getRHS()->IgnoreParenImpCasts()))) {
+ DstOff = IL->getValue().getZExtValue();
+ }
+ }
+ }
+ }
if (DstArgDecl) {
if (const auto *Buffer = dyn_cast<ConstantArrayType>(DstArgDecl->getType())) {
ASTContext &C = BR.getContext();
uint64_t BufferLen = C.getTypeSize(Buffer) / 8;
- if (BufferLen < ILRawVal)
+ if ((BufferLen - DstOff) < ILRawVal)
return true;
}
}
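Review bot: `BufferLen - DstOff` in the final comparison is unsigned, so when the literal offset exceeds the array size the subtraction wraps to a very large value and the warning is suppressed for the most clearly out-of-bounds destination; guard it with `if (DstOff > BufferLen || (BufferLen - DstOff) < ILRawVal)`. Separately, `DstArgDecl` is assigned from `BE->getLHS()` before the opcode is tested, so for any operator other than `BO_Add` (for example `dst - 2`) the check runs with `DstOff == 0` against the whole array; moving that assignment inside the `BO_Add` branch keeps the checker silent on forms it does not model. `BufferLen` is in bytes while `DstOff` counts elements, which presumably agree only for char-sized element types, so a short comment stating that assumption would help. The enclosing function starts and ends outside this hunk.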
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D49633.156839.patch
Type: text/x-patch
Size: 2761 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20180723/70420d17/attachment.bin>