diff --git a/clang/docs/analyzer/checkers.rst b/clang/docs/analyzer/checkers.rst --- a/clang/docs/analyzer/checkers.rst +++ b/clang/docs/analyzer/checkers.rst @@ -2083,6 +2083,7 @@ alpha.security.ArrayBound (C) """"""""""""""""""""""""""""" Warn about buffer overflows (older checker). +It does not consider tainted indices. .. code-block:: c @@ -2103,8 +2104,7 @@ p[2] = a; // warn } - // note: requires unix.Malloc or - // alpha.unix.MallocWithAnnotations checks enabled. + // note: also requires the unix.Malloc checker. void test() { int *p = malloc(12); p[3] = 4; // warn @@ -2121,6 +2121,26 @@ alpha.security.ArrayBoundV2 (C) """"""""""""""""""""""""""""""" Warn about buffer overflows (newer checker). +It should warn for all the cases where the ArrayBound would and for more. +For tainted indices, you have to prove/assert that the index must be inbound +if the taint checker also enabled. + +This checker transforms buffer accesses more aggressively. While it can infer +more accurate constraints for the possible values ranges of the variables +constituting to the index expression compared to the simple ArrayBound checker. + +Limitations and bugs: + * Sometimes it is difficult to understand the what are the value ranges that + are out of bounds. (not all arithmetic assumptions are displayed) + * There can be false-positive findings if an index is of + `unsigned long (aka. size_t)` or a wider unsigned type. + .. code-block:: c + + const char a[] = "aabbcc"; + char foo(unsigned long long len) { + return a[len+1]; // false-positive + // Out of bound memory access (access exceeds upper limit of memory block) + } .. code-block:: c @@ -2150,6 +2170,14 @@ char c = s[x]; // warn: index is tainted } + void test() { + char s[] = "abc"; + int x = getchar(); + x = (x < 0) ? 0 : (x > 3) ? 3 : x; + // 'x' is still tainted, but constrained to be within [0,3]. + char c = s[x]; // no warning + } + .. _alpha-security-MallocOverflow: alpha.security.MallocOverflow (C)