This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/docs/analyzer/
-
docs/
-
analyzer/
3/5
checkers.rst

Differential D100829

[analyzer][docs] Highlight some differences between ArrayBound and V2
Needs RevisionPublic

Authored by steakhal on Apr 20 2021, 1:55 AM.

Download Raw Diff

Details

Reviewers

NoQ
vsavchenko
Szelethus
martong

Summary

It adds some comments about the ArrayBound and ArrayBoundV2. It would help the users deciding which to enable.

Further thoughts on this:
If V2 warns for all cases where V1 does, why do we let them enable both at the same time?

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

steakhal created this revision.Apr 20 2021, 1:55 AM

Herald added subscribers: ASDenysPetrov, Charusso, dkrupp and 8 others. · View Herald TranscriptApr 20 2021, 1:55 AM

steakhal requested review of this revision.Apr 20 2021, 1:55 AM

Herald added a project: Restricted Project. · View Herald TranscriptApr 20 2021, 1:55 AM

Herald added a subscriber: cfe-commits. · View Herald Transcript

steakhal added inline comments.Apr 20 2021, 1:58 AM

clang/docs/analyzer/checkers.rst
2107	There is no such checker, thus I removed this comment. Also, `unix.Malloc` seems to be enough.

Add 'Limitations and bugs' section with a false-positive example.
It would also help users classifying certain types of false-positive reports.

Harbormaster completed remote builds in B99654: Diff 338771.Apr 20 2021, 3:14 AM

Harbormaster completed remote builds in B99663: Diff 338786.Apr 20 2021, 4:17 AM

Szelethus requested changes to this revision.Jun 11 2021, 3:03 AM

Szelethus added inline comments.

clang/docs/analyzer/checkers.rst
2107	This doesn't seem to be true, MallocChecker's modeling and reporting parts are rather neatly separated, it should depend on unix.DinamicMemoryModeling. The warnings show even with the following command: `build/bin/clang -cc1 -analyze -analyzer-checker=core,alpha.security.ArrayBound,unix.Malloc test2.c` And should be patched, ideally: diff --git a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td index 444b00d73f0b..c36cfba2cdcf 100644 --- a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td +++ b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td @@ -941,6 +941,7 @@ let ParentPackage = SecurityAlpha in { def ArrayBoundChecker : Checker<"ArrayBound">, HelpText<"Warn about buffer overflows (older checker)">, + Dependencies<[DynamicMemoryModeling]>, Documentation<HasAlphaDocumentation>; def ArrayBoundCheckerV2 : Checker<"ArrayBoundV2">,
2126	if the taint checker is also enabled
2128–2130	transforms buffer accesses more aggressively What does that mean? I'm not sure, and I am supposed to be a developer >.<' While <this chceker is better> ...and where is the 'but'? Maybe 'while' isn't the word to start this sentence on.
2133–2134	And this results in what? What is an arithmetic assumption? What do you mean under value ranges? Can you give an example?

This revision now requires changes to proceed.Jun 11 2021, 3:03 AM

Herald added a subscriber: manas. · View Herald TranscriptJun 11 2021, 3:03 AM

Revision Contents

Path

Size

clang/

docs/

analyzer/

checkers.rst

32 lines

Diff 338786

clang/docs/analyzer/checkers.rst

Show First 20 Lines • Show All 2,077 Lines • ▼ Show 20 Lines	int func(const char *var) {
return putenv(env); // putenv function should not be called with auto variables		return putenv(env); // putenv function should not be called with auto variables
}		}

.. _alpha-security-ArrayBound:		.. _alpha-security-ArrayBound:

alpha.security.ArrayBound (C)		alpha.security.ArrayBound (C)
"""""""""""""""""""""""""""""		"""""""""""""""""""""""""""""
Warn about buffer overflows (older checker).		Warn about buffer overflows (older checker).
		It does not consider tainted indices.

.. code-block:: c		.. code-block:: c

void test() {		void test() {
char *s = "";		char *s = "";
char c = s[1]; // warn		char c = s[1]; // warn
}		}

struct seven_words {		struct seven_words {
int c[7];		int c[7];
};		};

void test() {		void test() {
struct seven_words a, *p;		struct seven_words a, *p;
p = &a;		p = &a;
p[0] = a;		p[0] = a;
p[1] = a;		p[1] = a;
p[2] = a; // warn		p[2] = a; // warn
}		}

// note: requires unix.Malloc or		// note: also requires the unix.Malloc checker.
		SzelethusUnsubmitted Not Done Reply Inline Actions This doesn't seem to be true, MallocChecker's modeling and reporting parts are rather neatly separated, it should depend on unix.DinamicMemoryModeling. The warnings show even with the following command: `build/bin/clang -cc1 -analyze -analyzer-checker=core,alpha.security.ArrayBound,unix.Malloc test2.c` And should be patched, ideally: diff --git a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td index 444b00d73f0b..c36cfba2cdcf 100644 --- a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td +++ b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td @@ -941,6 +941,7 @@ let ParentPackage = SecurityAlpha in { def ArrayBoundChecker : Checker<"ArrayBound">, HelpText<"Warn about buffer overflows (older checker)">, + Dependencies<[DynamicMemoryModeling]>, Documentation<HasAlphaDocumentation>; def ArrayBoundCheckerV2 : Checker<"ArrayBoundV2">, Szelethus: This doesn't seem to be true, MallocChecker's modeling and reporting parts are rather neatly…
// alpha.unix.MallocWithAnnotations checks enabled.
steakhalAuthorUnsubmitted Done Reply Inline Actions There is no such checker, thus I removed this comment. Also, `unix.Malloc` seems to be enough. steakhal: There is no such checker, thus I removed this comment. Also, `unix.Malloc` seems to be enough.
void test() {		void test() {
int *p = malloc(12);		int *p = malloc(12);
p[3] = 4; // warn		p[3] = 4; // warn
}		}

void test() {		void test() {
char a[2];		char a[2];
int b = (int)a;		int b = (int)a;
b[1] = 3; // warn		b[1] = 3; // warn
}		}

.. _alpha-security-ArrayBoundV2:		.. _alpha-security-ArrayBoundV2:

alpha.security.ArrayBoundV2 (C)		alpha.security.ArrayBoundV2 (C)
"""""""""""""""""""""""""""""""		"""""""""""""""""""""""""""""""
Warn about buffer overflows (newer checker).		Warn about buffer overflows (newer checker).
		It should warn for all the cases where the ArrayBound would and for more.
		For tainted indices, you have to prove/assert that the index must be inbound
		if the taint checker also enabled.
		SzelethusUnsubmitted Not Done Reply Inline Actions if the taint checker is also enabled Szelethus: if the taint checker is also enabled

		This checker transforms buffer accesses more aggressively. While it can infer
		more accurate constraints for the possible values ranges of the variables
		constituting to the index expression compared to the simple ArrayBound checker.
		SzelethusUnsubmitted Not Done Reply Inline Actions transforms buffer accesses more aggressively What does that mean? I'm not sure, and I am supposed to be a developer >.<' While <this chceker is better> ...and where is the 'but'? Maybe 'while' isn't the word to start this sentence on. Szelethus: >transforms buffer accesses more aggressively What does that mean? I'm not sure, and I am…

		Limitations and bugs:
		* Sometimes it is difficult to understand the what are the value ranges that
		are out of bounds. (not all arithmetic assumptions are displayed)
		SzelethusUnsubmitted Not Done Reply Inline Actions And this results in what? What is an arithmetic assumption? What do you mean under value ranges? Can you give an example? Szelethus: And this results in what? What is an arithmetic assumption? What do you mean under value ranges?
		* There can be false-positive findings if an index is of
		`unsigned long (aka. size_t)` or a wider unsigned type.
		.. code-block:: c

		const char a[] = "aabbcc";
		char foo(unsigned long long len) {
		return a[len+1]; // false-positive
		// Out of bound memory access (access exceeds upper limit of memory block)
		}

.. code-block:: c		.. code-block:: c

void test() {		void test() {
char *s = "";		char *s = "";
char c = s[1]; // warn		char c = s[1]; // warn
}		}

Show All 13 Lines

// note: requires alpha.security.taint check turned on.		// note: requires alpha.security.taint check turned on.
void test() {		void test() {
char s[] = "abc";		char s[] = "abc";
int x = getchar();		int x = getchar();
char c = s[x]; // warn: index is tainted		char c = s[x]; // warn: index is tainted
}		}

		void test() {
		char s[] = "abc";
		int x = getchar();
		x = (x < 0) ? 0 : (x > 3) ? 3 : x;
		// 'x' is still tainted, but constrained to be within [0,3].
		char c = s[x]; // no warning
		}

.. _alpha-security-MallocOverflow:		.. _alpha-security-MallocOverflow:

alpha.security.MallocOverflow (C)		alpha.security.MallocOverflow (C)
"""""""""""""""""""""""""""""""""		"""""""""""""""""""""""""""""""""
Check for overflows in the arguments to malloc().		Check for overflows in the arguments to malloc().

.. code-block:: c		.. code-block:: c

▲ Show 20 Lines • Show All 525 Lines • Show Last 20 Lines