This is an archive of the discontinued LLVM Phabricator instance.

Differential D107051

[clang][analyzer] Improve bug report in alpha.security.ReturnPtrRange
ClosedPublic

Authored by balazske on Jul 29 2021, 2:47 AM.

Details

Reviewers
Szelethus
steakhal
NoQ
martong
vsavchenko
Commits
rG9f517fd11ee9: [clang][analyzer] Improve bug report in alpha.security.ReturnPtrRange
Summary

Add some notes and track of bad return value.

Diff Detail

Event Timeline

balazske created this revision.Jul 29 2021, 2:47 AM
Herald added a reviewer: Szelethus. · View Herald TranscriptJul 29 2021, 2:47 AM
Herald added subscribers: manas, steakhal, ASDenysPetrov and 11 others. · View Herald Transcript
balazske requested review of this revision.Jul 29 2021, 2:47 AM
Herald added a project: Restricted Project. · View Herald TranscriptJul 29 2021, 2:47 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
steakhal added a comment.Jul 29 2021, 3:31 AM

Aside from that Returned pointer value points outside the original object with size of 10 'int' objects reads somewhat unnatural I have no objections.
A couple of nits here and there but overall I'm pleased to see more verbose bug reports.

clang/lib/StaticAnalyzer/Checkers/ReturnPointerRangeChecker.cpp
82–83
85–86
clang/test/Analysis/return-ptr-range.cpp
0–1

Is RUN1 intentional? If so, what does it do?

1

You can specify multiple match prefixes.
If you were passing -verify=expected,notes, you would not have to duplicate each warning.

1

This is not used in every test case. I would recommend moving this to the function parameter where it's actually being used.

4–6

Only a single array should be enough.
You can specify the match count for the diagnostic verifier.

// notes-note 3 {{Memory object...}} Will succeed only if exactly 3 times matched.

17–18

This is probably more of a taste.
I would prefer fewer indentations.
The same applies everywhere.

17–20

I think it's fine to leave the common suffix (potential ... out of the matched string. They give only a little value.
The same applies everywhere, except keeping a single one maybe.

Harbormaster completed remote builds in B116915: Diff 362693.Jul 29 2021, 3:56 AM
Szelethus added reviewers: steakhal, NoQ, martong, vsavchenko.Jul 29 2021, 6:15 AM

One of the test files needs fixing: https://reviews.llvm.org/harbormaster/unit/view/931615/

Love the patch, though I agree that the note message needs some improvement. How about we change from this:

warning: Returned pointer value with index 11 points outside the original object with size of 10 'Data' objects (potential buffer overflow)

To this:

warning: Returned pointer points outside the original object (potential buffer overflow)
note: The original object 'Data' is an int array of size 10, the returned pointer points at the 11th element

or this:

warning: Returned pointer points to the 11th element of 'Data', but that is an int array of size 10 (potential buffer overflow)
clang/test/Analysis/return-ptr-range.cpp
0–1

We could just delete it. I guess that was the intent, to make this RUN line non-functional.

1

Don't forget core!

1

If this is a cpp file, just use namespaces, and redeclare everything inside them, like this: https://github.com/llvm/llvm-project/blob/main/clang/test/Analysis/track-control-dependency-conditions.cpp

17–18

I disagree, and prefer it as it is written now.

Herald added a subscriber: rnkovacs. · View Herald TranscriptJul 29 2021, 6:15 AM
balazske added inline comments.Jul 30 2021, 12:50 AM
clang/test/Analysis/return-ptr-range.cpp
0–1

I wanted to make two runs, one for warnings only and one for notes only. But could not find out how to disable the warning messages and show only notes. Because the same warnings appear anyway it should be enough to use only one run with text output and remove the custom prefix.

17–18

The current style will be used, the comments are better grouped.

balazske updated this revision to Diff 362981.Jul 30 2021, 12:53 AM

Changed way of generating notes.
Re-structured the tests.
Other small changes.

balazske marked 9 inline comments as done.Jul 30 2021, 12:59 AM
Harbormaster completed remote builds in B117113: Diff 362981.Jul 30 2021, 1:57 AM
steakhal added a comment.Aug 5 2021, 4:30 AM

First and foremost, I think this is a great change. I think the diagnostic is on the point.
BTW it seems like you missed two notes in misc-ps-region-store.m causing a test fail:

error: 'note' diagnostics seen but not expected:
  File /home/steakhal/git/llvm-project/clang/test/Analysis/misc-ps-region-store.m Line 464: Original object declared here
  File /home/steakhal/git/llvm-project/clang/test/Analysis/misc-ps-region-store.m Line 467: Original object 'test_cwe466_return_outofbounds_pointer_a' is an array of 10 'int' objects, returned pointer points at index 11
2 errors generated.

The following comments are not about your actual change, I'm rather pointing out further possibilities for improving the checker.

The checker seems to cover cases when we see the array, fine.
What about pointers/references to arrays? IMO we should trust those declarations about the size of the pointee.

using size_t = decltype(sizeof 1);
using int10 = int[10];

template <class T> void clang_analyzer_dump(T);
size_t clang_analyzer_getExtent(void *);
int conjure_index();


int *test_ptr_to_array(int10 *arr) {
  int x = conjure_index();
  if (x != 20)
    return *arr; // no-warning

  clang_analyzer_dump(clang_analyzer_getExtent(*arr));
  // expected-warning-re@-1 {{extent_${{[0-9]+}}{SymRegion{reg_${{[0-9]+}}<int10 * arr>}}}}
  // FIXME: Above should be '40 S64b' on Linux x86_64.

  int *result = *arr + x;
  clang_analyzer_dump(result);
  // expected-warning-re@-1 {{&Element{SymRegion{reg_${{[0-9]+}}<int10 * arr>},20 S64b,int}}}
  return result; // We should expect a warning here.
}

Please add this test to your patch.

It seems like the checker would catch it if MemRegionManager::getStaticSize() would consider the type of the SymbolicRegion for ConstantArray pointee types. I'll have a patch about that.

clang/test/Analysis/return-ptr-range.cpp
11

I would rather use a simple block {...} for opening a scope, but I don't know why you don't declare ptr in the original scope in the first place.
People usually use do {} while(0) constructs if they want to use break somewhere ~~ like a goto OR they implement a macro. You are doing none of these.

steakhal added a comment.Aug 5 2021, 7:04 AM
In D107051#2928089, @steakhal wrote:

First and foremost, I think this is a great change. I think the diagnostic is on the point.
BTW it seems like you missed two notes in misc-ps-region-store.m causing a test fail:

error: 'note' diagnostics seen but not expected:
  File /home/steakhal/git/llvm-project/clang/test/Analysis/misc-ps-region-store.m Line 464: Original object declared here
  File /home/steakhal/git/llvm-project/clang/test/Analysis/misc-ps-region-store.m Line 467: Original object 'test_cwe466_return_outofbounds_pointer_a' is an array of 10 'int' objects, returned pointer points at index 11
2 errors generated.

The following comments are not about your actual change, I'm rather pointing out further possibilities for improving the checker.

The checker seems to cover cases when we see the array, fine.
What about pointers/references to arrays? IMO we should trust those declarations about the size of the pointee.

using size_t = decltype(sizeof 1);
using int10 = int[10];

template <class T> void clang_analyzer_dump(T);
size_t clang_analyzer_getExtent(void *);
int conjure_index();


int *test_ptr_to_array(int10 *arr) {
  int x = conjure_index();
  if (x != 20)
    return *arr; // no-warning

  clang_analyzer_dump(clang_analyzer_getExtent(*arr));
  // expected-warning-re@-1 {{extent_${{[0-9]+}}{SymRegion{reg_${{[0-9]+}}<int10 * arr>}}}}
  // FIXME: Above should be '40 S64b' on Linux x86_64.

  int *result = *arr + x;
  clang_analyzer_dump(result);
  // expected-warning-re@-1 {{&Element{SymRegion{reg_${{[0-9]+}}<int10 * arr>},20 S64b,int}}}
  return result; // We should expect a warning here.
}

Please add this test to your patch.

It seems like the checker would catch it if MemRegionManager::getStaticSize() would consider the type of the SymbolicRegion for ConstantArray pointee types. I'll have a patch about that.

It seems like we cannot implement this in a way fitting into the current memory model. To be able to do that we should be able to differentiate these two cases:

void test(int10 *arr) {
  clang_analyzer_dump((int*)(arr + 2)); // allow: `arr` might be a pointer to an array of `int10[100]`, in which case the resulting pointer is safe to use
  clang_analyzer_dump(*arr + 20);       // disallow: `*arr` :: `int[10]`, creating a pointer to the 20th element
  // Both dumps are the same:  &Element{SymRegion{reg_$0<int10 * arr>},20 S64b,int}
}

So, I'm actually puzzled about this. I think you can leave out the extra test case I proposed.

balazske added a comment.Aug 5 2021, 7:25 AM

If the original memory object is not known the static size is not known too. Every pointer with unknown source can point into a bigger data structure.

clang/test/Analysis/return-ptr-range.cpp
11

I do not know why these loops are here but did not change the original code. Should we change it to simple block?

steakhal added a comment.Aug 5 2021, 7:58 AM
In D107051#2928536, @balazske wrote:

If the original memory object is not known the static size is not known too. Every pointer with unknown source can point into a bigger data structure.

You are right, but IMO pointers to arrays are so rare that we could probably trust them. At least, that was my idea.

clang/test/Analysis/return-ptr-range.cpp
11

Yes, please. The note for the loop is only noise in its current form.

balazske updated this revision to Diff 364495.Aug 5 2021, 8:36 AM

Fixes in tests.

steakhal accepted this revision.Aug 5 2021, 9:18 AM

Aside from the inline nit, I think it's good to go.
Let some time for the others to catch up, they might have objections.

clang/test/Analysis/return-ptr-range.cpp
17–20

I don't think we need this extra scope. Same for the others.

This revision is now accepted and ready to land.Aug 5 2021, 9:18 AM
Harbormaster completed remote builds in B118175: Diff 364495.Aug 5 2021, 9:32 AM
balazske added inline comments.Aug 11 2021, 12:10 AM
clang/test/Analysis/return-ptr-range.cpp
17–20

The original test was used to make the x "dead" at return after the loop (at least without the fix), see D12726. In the case of loop the x is garbage-collected at end of the loop, if a block is used only at the end of the function (?) but not at end of the block. So I want to put back the loop to preserve the original code.

balazske updated this revision to Diff 365693.Aug 11 2021, 12:44 AM

Re-add empty while loops in tests, to have the original code.
These loops were intentionally created and probably still needed.

Harbormaster completed remote builds in B119033: Diff 365693.Aug 11 2021, 1:21 AM
steakhal accepted this revision.Aug 11 2021, 1:59 AM
steakhal added inline comments.
clang/test/Analysis/return-ptr-range.cpp
17–20

Thank you for letting me know.

This revision was landed with ongoing or failed builds.Aug 11 2021, 3:52 AM
Closed by commit rG9f517fd11ee9: [clang][analyzer] Improve bug report in alpha.security.ReturnPtrRange (authored by balazske). · Explain Why
This revision was automatically updated to reflect the committed changes.
balazske added a commit: rG9f517fd11ee9: [clang][analyzer] Improve bug report in alpha.security.ReturnPtrRange.

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
45 lines
test/
Analysis/
3 lines
88 lines

Diff 365708

clang/lib/StaticAnalyzer/Checkers/ReturnPointerRangeChecker.cpp

//== ReturnPointerRangeChecker.cpp ------------------------------*- C++ -*--==// //== ReturnPointerRangeChecker.cpp ------------------------------*- C++ -*--==//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This file defines ReturnPointerRangeChecker, which is a path-sensitive check // This file defines ReturnPointerRangeChecker, which is a path-sensitive check
// which looks for an out-of-bound pointer being returned to callers. // which looks for an out-of-bound pointer being returned to callers.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
using namespace clang; using namespace clang;
▲ Show 20 LinesShow All 50 Lines▼ Show 20 Lines if (StOutBound && !StInBound) {
// FIXME: This bug correspond to CWE-466. Eventually we should have bug // FIXME: This bug correspond to CWE-466. Eventually we should have bug
// types explicitly reference such exploit categories (when applicable). // types explicitly reference such exploit categories (when applicable).
if (!BT) if (!BT)
BT.reset(new BuiltinBug( BT.reset(new BuiltinBug(
this, "Buffer overflow", this, "Buffer overflow",
"Returned pointer value points outside the original object " "Returned pointer value points outside the original object "
"(potential buffer overflow)")); "(potential buffer overflow)"));
// FIXME: It would be nice to eventually make this diagnostic more clear,
// e.g., by referencing the original declaration or by saying *why* this
// reference is outside the range.
// Generate a report for this bug. // Generate a report for this bug.
steakhalUnsubmitted
Done
ReplyInline Actions
"(potential buffer overflow)"));
- auto ConcreteElementCount = ElementCount.getAs<nonloc::ConcreteInt>();
- auto ConcreteIdx = Idx.getAs<nonloc::ConcreteInt>();
+ const auto ConcreteElementCount = ElementCount.getAs<nonloc::ConcreteInt>();
+ const auto ConcreteIdx = Idx.getAs<nonloc::ConcreteInt>();
SmallString<128> SBuf;
steakhal:
auto report = auto Report =
std::make_unique<PathSensitiveBugReport>(*BT, BT->getDescription(), N); std::make_unique<PathSensitiveBugReport>(*BT, BT->getDescription(), N);
Report->addRange(RetE->getSourceRange());
steakhalUnsubmitted
Done
ReplyInline Actions
// Generate a report for this bug.
- auto report = std::make_unique<PathSensitiveBugReport>(*BT, SBuf, N);
+ auto Report = std::make_unique<PathSensitiveBugReport>(*BT, SBuf, N);
report->addRange(RetE->getSourceRange());
steakhal:
const auto ConcreteElementCount = ElementCount.getAs<nonloc::ConcreteInt>();
const auto ConcreteIdx = Idx.getAs<nonloc::ConcreteInt>();
const auto *DeclR = ER->getSuperRegion()->getAs<DeclRegion>();
if (DeclR)
Report->addNote("Original object declared here",
{DeclR->getDecl(), C.getSourceManager()});
if (ConcreteElementCount) {
SmallString<128> SBuf;
llvm::raw_svector_ostream OS(SBuf);
OS << "Original object ";
if (DeclR) {
OS << "'";
DeclR->getDecl()->printName(OS);
OS << "' ";
}
OS << "is an array of " << ConcreteElementCount->getValue() << " '";
ER->getValueType().print(OS,
PrintingPolicy(C.getASTContext().getLangOpts()));
OS << "' objects";
if (ConcreteIdx) {
OS << ", returned pointer points at index " << ConcreteIdx->getValue();
}
Report->addNote(SBuf,
{RetE, C.getSourceManager(), C.getLocationContext()});
}
bugreporter::trackExpressionValue(N, RetE, *Report);
report->addRange(RetE->getSourceRange()); C.emitReport(std::move(Report));
C.emitReport(std::move(report));
} }
} }
void ento::registerReturnPointerRangeChecker(CheckerManager &mgr) { void ento::registerReturnPointerRangeChecker(CheckerManager &mgr) {
mgr.registerChecker<ReturnPointerRangeChecker>(); mgr.registerChecker<ReturnPointerRangeChecker>();
} }
bool ento::shouldRegisterReturnPointerRangeChecker(const CheckerManager &mgr) { bool ento::shouldRegisterReturnPointerRangeChecker(const CheckerManager &mgr) {
return true; return true;
} }

clang/test/Analysis/misc-ps-region-store.m

Show First 20 LinesShow All 455 Lines▼ Show 20 Linesvoid element_region_with_symbolic_superregion(int* p) {
if (p[0] == 1) if (p[0] == 1)
(void)*x; // no-warning (void)*x; // no-warning
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Test returning an out-of-bounds pointer (CWE-466) // Test returning an out-of-bounds pointer (CWE-466)
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
static int test_cwe466_return_outofbounds_pointer_a[10]; static int test_cwe466_return_outofbounds_pointer_a[10]; // expected-note{{Original object declared here}}
int *test_cwe466_return_outofbounds_pointer() { int *test_cwe466_return_outofbounds_pointer() {
int *p = test_cwe466_return_outofbounds_pointer_a+11; int *p = test_cwe466_return_outofbounds_pointer_a+11;
return p; // expected-warning{{Returned pointer value points outside the original object}} return p; // expected-warning{{Returned pointer value points outside the original object}}
// expected-note@-1{{Original object 'test_cwe466_return_outofbounds_pointer_a' is an array of 10 'int' objects, returned pointer points at index 11}}
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// PR 3135 - Test case that shows that a variable may get invalidated when its // PR 3135 - Test case that shows that a variable may get invalidated when its
// address is included in a structure that is passed-by-value to an unknown function. // address is included in a structure that is passed-by-value to an unknown function.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
typedef struct { int *a; } pr3135_structure; typedef struct { int *a; } pr3135_structure;
▲ Show 20 LinesShow All 891 LinesShow Last 20 Lines

clang/test/Analysis/return-ptr-range.cpp

// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.security.ReturnPtrRange -verify %s // RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.security.ReturnPtrRange -analyzer-output text -verify %s
steakhalUnsubmitted
Done
ReplyInline Actions

Is RUN1 intentional? If so, what does it do?

steakhal: Is `RUN1` intentional? If so, what does it do?
SzelethusUnsubmitted
Done
ReplyInline Actions

We could just delete it. I guess that was the intent, to make this RUN line non-functional.

Szelethus: We could just delete it. I guess that was the intent, to make this RUN line non-functional.
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

I wanted to make two runs, one for warnings only and one for notes only. But could not find out how to disable the warning messages and show only notes. Because the same warnings appear anyway it should be enough to use only one run with text output and remove the custom prefix.

balazske: I wanted to make two runs, one for warnings only and one for notes only. But could not find out…
steakhalUnsubmitted
Done
ReplyInline Actions

You can specify multiple match prefixes.
If you were passing -verify=expected,notes, you would not have to duplicate each warning.

steakhal: You can specify multiple match prefixes. If you were passing `-verify=expected,notes`, you…
SzelethusUnsubmitted
Done
ReplyInline Actions

Don't forget core!

Szelethus: Don't forget `core`!
steakhalUnsubmitted
Done
ReplyInline Actions

This is not used in every test case. I would recommend moving this to the function parameter where it's actually being used.

steakhal: This is not used in every test case. I would recommend moving this to the function parameter…
SzelethusUnsubmitted
Done
ReplyInline Actions

If this is a cpp file, just use namespaces, and redeclare everything inside them, like this: https://github.com/llvm/llvm-project/blob/main/clang/test/Analysis/track-control-dependency-conditions.cpp

Szelethus: If this is a cpp file, just use namespaces, and redeclare everything inside them, like this…
int arr[10];
int *ptr;
int conjure_index(); int conjure_index();
int *test_element_index_lifetime() { namespace test_element_index_lifetime {
do {
steakhalUnsubmitted
Not Done
ReplyInline Actions

Only a single array should be enough.
You can specify the match count for the diagnostic verifier.

// notes-note 3 {{Memory object...}} Will succeed only if exactly 3 times matched.

steakhal: Only a single array should be enough. You can specify the match count for the diagnostic…
int arr[10]; // expected-note{{Original object declared here}} expected-note{{Original object declared here}}
int *ptr;
int *test_global_ptr() {
do { // expected-note{{Loop condition is false. Exiting loop}}
steakhalUnsubmitted
Not Done
ReplyInline Actions

I would rather use a simple block {...} for opening a scope, but I don't know why you don't declare ptr in the original scope in the first place.
People usually use do {} while(0) constructs if they want to use break somewhere ~~ like a goto OR they implement a macro. You are doing none of these.

steakhal: I would rather use a simple block `{...}` for opening a scope, but I don't know why you don't…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

I do not know why these loops are here but did not change the original code. Should we change it to simple block?

balazske: I do not know why these loops are here but did not change the original code. Should we change…
steakhalUnsubmitted
Not Done
ReplyInline Actions

Yes, please. The note for the loop is only noise in its current form.

steakhal: Yes, please. The note for the loop is only noise in its current form.
int x = conjure_index(); int x = conjure_index();
ptr = arr + x; ptr = arr + x; // expected-note{{Value assigned to 'ptr'}}
if (x != 20) if (x != 20) // expected-note{{Assuming 'x' is equal to 20}}
// expected-note@-1{{Taking false branch}}
return arr; // no-warning return arr; // no-warning
} while (0); } while(0);
return ptr; // expected-warning{{Returned pointer value points outside the original object (potential buffer overflow)}} return ptr; // expected-warning{{Returned pointer value points outside the original object (potential buffer overflow) [alpha.security.ReturnPtrRange]}}
steakhalUnsubmitted
Not Done
ReplyInline Actions
ptr = arr1 + x; // notes-note{{Value assigned to 'ptr'}}
- if (x != 20) // notes-note{{Assuming 'x' is equal to 20}}
- // notes-note@-1{{Taking false branch}}
+ // notes-note@+2 {{Assuming 'x' is equal to 20}}
+ // notes-note@+1 {{Taking false branch}}
+ if (x != 20)
return arr1; // no-warning

This is probably more of a taste.
I would prefer fewer indentations.
The same applies everywhere.

steakhal: This is probably more of a taste. I would prefer fewer indentations. The same applies…
SzelethusUnsubmitted
Not Done
ReplyInline Actions

I disagree, and prefer it as it is written now.

Szelethus: I disagree, and prefer it as it is written now.
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

The current style will be used, the comments are better grouped.

balazske: The current style will be used, the comments are better grouped.
// expected-note@-1{{Returned pointer value points outside the original object (potential buffer overflow)}}
// expected-note@-2{{Original object 'arr' is an array of 10 'int' objects}}
steakhalUnsubmitted
Done
ReplyInline Actions
} while (0);
- return ptr; // expected-warning{{Returned pointer value points outside the original object with size of 10 'int' objects (potential buffer overflow) [alpha.security.ReturnPtrRange]}}
+ // expected-warning@+2 {{Returned pointer value points outside the original object with size of 10 'int' objects}}
+ // notes-note@+1 {{Returned pointer value points outside the original object with size of 10 'int' objects}}
+ return ptr;
// notes-warning@-1{{Returned pointer value points outside the original object with size of 10 'int' objects (potential buffer overflow) [alpha.security.ReturnPtrRange]}}

I think it's fine to leave the common suffix (potential ... out of the matched string. They give only a little value.
The same applies everywhere, except keeping a single one maybe.

steakhal: I think it's fine to leave the common suffix `(potential ...` out of the matched string. They…
steakhalUnsubmitted
Not Done
ReplyInline Actions

I don't think we need this extra scope. Same for the others.

steakhal: I don't think we need this extra scope. Same for the others.
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

The original test was used to make the x "dead" at return after the loop (at least without the fix), see D12726. In the case of loop the x is garbage-collected at end of the loop, if a block is used only at the end of the function (?) but not at end of the block. So I want to put back the loop to preserve the original code.

balazske: The original test was used to make the `x` "dead" at return after the loop (at least without…
steakhalUnsubmitted
Not Done
ReplyInline Actions

Thank you for letting me know.

steakhal: Thank you for letting me know.
} }
int *test_element_index_lifetime_with_local_ptr() { int *test_local_ptr() {
int *local_ptr; int *local_ptr;
do { do { // expected-note{{Loop condition is false. Exiting loop}}
int x = conjure_index(); int x = conjure_index();
local_ptr = arr + x; local_ptr = arr + x; // expected-note{{Value assigned to 'local_ptr'}}
if (x != 20) if (x != 20) // expected-note{{Assuming 'x' is equal to 20}}
// expected-note@-1{{Taking false branch}}
return arr; // no-warning return arr; // no-warning
} while (0); } while(0);
return local_ptr; // expected-warning{{Returned pointer value points outside the original object (potential buffer overflow)}} return local_ptr; // expected-warning{{Returned pointer value points outside the original object (potential buffer overflow) [alpha.security.ReturnPtrRange]}}
// expected-note@-1{{Returned pointer value points outside the original object (potential buffer overflow)}}
// expected-note@-2{{Original object 'arr' is an array of 10 'int' objects}}
}
} }
template <typename T, int N> template <typename T, int N>
T* end(T (&arr)[N]) { T* end(T (&arr)[N]) {
return arr + N; // no-warning, because we want to avoid false positives on returning the end() iterator of a container. return arr + N; // no-warning, because we want to avoid false positives on returning the end() iterator of a container.
} }
void get_end_of_array() { void get_end_of_array() {
Show All 15 Lines
void use_iterable_object() { void use_iterable_object() {
Iterable<20> iter; Iterable<20> iter;
iter.end(); iter.end();
} }
template <int N> template <int N>
class BadIterable { class BadIterable {
int buffer[N]; int buffer[N]; // expected-note{{Original object declared here}}
int *start, *finish; int *start, *finish;
public: public:
BadIterable() : start(buffer), finish(buffer + N) {} BadIterable() : start(buffer), finish(buffer + N) {} // expected-note{{Value assigned to 'iter.finish'}}
int* begin() { return start; } int* begin() { return start; }
int* end() { return finish + 1; } // expected-warning{{Returned pointer value points outside the original object (potential buffer overflow)}} int* end() { return finish + 1; } // expected-warning{{Returned pointer value points outside the original object}}
// expected-note@-1{{Returned pointer value points outside the original object}}
// expected-note@-2{{Original object 'buffer' is an array of 20 'int' objects, returned pointer points at index 21}}
}; };
void use_bad_iterable_object() { void use_bad_iterable_object() {
BadIterable<20> iter; BadIterable<20> iter; // expected-note{{Calling default constructor for 'BadIterable<20>'}}
iter.end(); // expected-note@-1{{Returning from default constructor for 'BadIterable<20>'}}
iter.end(); // expected-note{{Calling 'BadIterable::end'}}
} }
int *test_idx_sym(int I) {
static int arr[10]; // expected-note{{Original object declared here}} expected-note{{'arr' initialized here}}
if (I != 11) // expected-note{{Assuming 'I' is equal to 11}}
// expected-note@-1{{Taking false branch}}
return arr;
return arr + I; // expected-warning{{Returned pointer value points outside the original object}}
// expected-note@-1{{Returned pointer value points outside the original object}}
// expected-note@-2{{Original object 'arr' is an array of 10 'int' objects, returned pointer points at index 11}}
}
namespace test_array_of_struct {
struct Data {
int A;
char *B;
};
Data DataArr[10]; // expected-note{{Original object declared here}}
Data *test_struct_array() {
int I = conjure_index();
if (I != 11) // expected-note{{Assuming 'I' is equal to 11}}
// expected-note@-1{{Taking false branch}}
return DataArr;
return DataArr + I; // expected-warning{{Returned pointer value points outside the original object}}
// expected-note@-1{{Returned pointer value points outside the original object}}
// expected-note@-2{{Original object 'DataArr' is an array of 10 'test_array_of_struct::Data' objects, returned pointer points at index 11}}
}
}