This is an archive of the discontinued LLVM Phabricator instance.

[analyzer][docs] Highlight some differences between ArrayBound and V2
Needs Revision · Public

Authored by steakhal on Apr 20 2021, 1:55 AM.

Details

Summary

It adds some comments about ArrayBound and ArrayBoundV2. It would help users decide which to enable.

Further thoughts on this:
If V2 warns for all cases where V1 does, why do we let them enable both at the same time?

Event Timeline

steakhal created this revision. Apr 20 2021, 1:55 AM
steakhal requested review of this revision. Apr 20 2021, 1:55 AM
Herald added a project: Restricted Project. Apr 20 2021, 1:55 AM
Herald added a subscriber: cfe-commits.
steakhal added inline comments. Apr 20 2021, 1:58 AM
clang/docs/analyzer/checkers.rst
2107

There is no such checker, thus I removed this comment. Also, unix.Malloc seems to be enough.

steakhal updated this revision to Diff 338786. Apr 20 2021, 2:45 AM

Add 'Limitations and bugs' section with a false-positive example.
It would also help users classify certain types of false-positive reports.

Szelethus requested changes to this revision. Jun 11 2021, 3:03 AM
Szelethus added inline comments.
clang/docs/analyzer/checkers.rst
2107

This doesn't seem to be true: MallocChecker's modeling and reporting parts are rather neatly separated; it should depend on unix.DynamicMemoryModeling. The warnings show even with the following command:

build/bin/clang -cc1 -analyze -analyzer-checker=core,alpha.security.ArrayBound,unix.Malloc test2.c

And should be patched, ideally:

diff --git a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
index 444b00d73f0b..c36cfba2cdcf 100644
--- a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
+++ b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
@@ -941,6 +941,7 @@ let ParentPackage = SecurityAlpha in {
 
 def ArrayBoundChecker : Checker<"ArrayBound">,
   HelpText<"Warn about buffer overflows (older checker)">,
+  Dependencies<[DynamicMemoryModeling]>,
   Documentation<HasAlphaDocumentation>;
 
 def ArrayBoundCheckerV2 : Checker<"ArrayBoundV2">,
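Review bot: The new Dependencies<[DynamicMemoryModeling]> line is added to ArrayBoundChecker only, while the ArrayBoundCheckerV2 definition that starts in the trailing context is left untouched. If V2 relies on the same dynamic-memory modeling, it should get the same Dependencies entry in this patch; if it does not, a sentence in the commit message saying why would save the next reader the question. A regression test that enables alpha.security.ArrayBound without unix.Malloc and still expects the warning would pin down the behaviour this line is meant to guarantee.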
2126

if the taint checker is also enabled

2128–2130

transforms buffer accesses more aggressively

What does that mean? I'm not sure, and I am supposed to be a developer >.<'

While <this checker is better>

...and where is the 'but'? Maybe 'while' isn't the word to start this sentence on.

2133–2134

And this results in what? What is an arithmetic assumption? What do you mean under value ranges? Can you give an example?

This revision now requires changes to proceed. Jun 11 2021, 3:03 AM