diff --git a/clang/docs/analyzer/checkers.rst b/clang/docs/analyzer/checkers.rst --- a/clang/docs/analyzer/checkers.rst +++ b/clang/docs/analyzer/checkers.rst @@ -2083,6 +2083,7 @@ alpha.security.ArrayBound (C) """"""""""""""""""""""""""""" Warn about buffer overflows (older checker). +It does not consider tainted indices. .. code-block:: c @@ -2103,8 +2104,7 @@ p[2] = a; // warn } - // note: requires unix.Malloc or - // alpha.unix.MallocWithAnnotations checks enabled. + // note: also requires the unix.Malloc checker. void test() { int *p = malloc(12); p[3] = 4; // warn @@ -2121,6 +2121,15 @@ alpha.security.ArrayBoundV2 (C) """"""""""""""""""""""""""""""" Warn about buffer overflows (newer checker). +It should warn for all the cases where the ArrayBound would and for more. +For tainted indices, you have to prove/assert that the index must be inbound +if the taint checker also enabled. + +This checker transforms buffer accesses more aggressively. While it can infer +more accurate constraints for the possible values ranges of the variables +constituting to the index expression compared to the simple ArrayBound checker, +the complexity of the bug paths of not only this but any other checker can also +increase if enabled. .. code-block:: c @@ -2150,6 +2159,14 @@ char c = s[x]; // warn: index is tainted } + void test() { + char s[] = "abc"; + int x = getchar(); + x = (x < 0) ? 0 : (x > 3) ? 3 : x; + // 'x' is still tainted, but constrained to be within [0,3]. + char c = s[x]; // no warning + } + .. _alpha-security-MallocOverflow: alpha.security.MallocOverflow (C)