Download Raw Diff

Details

Reviewers

NoQ
vsavchenko
Szelethus
martong
balazske

Commits

rG68088563fbad: [analyzer] MallocOverflow should consider comparisons only preceding malloc

Summary

MallocOverflow works in two phases:

Collects suspicious malloc calls, whose argument is a multiplication
Filters the aggregated list of suspicious malloc calls by iterating over the BasicBlocks of the CFG looking for comparison binary operators over the variable constituting in any suspicious malloc.

Consequently, it suppressed true-positive cases when the comparison check was after the malloc call.
In this patch, the checker will consider the relative position of the relation check to the malloc call.

E.g.:

void *check_after_malloc(int n, int x) {
  int *p = NULL;
  if (x == 42)
    p = malloc(n * sizeof(int)); // Previously **no** warning, now it
                                 // warns about this.

  // The check is after the allocation!
  if (n > 10) {
    // Do something conditionally.
  }
  return p;
}

Diff Detail

Event Timeline

steakhal created this revision.Aug 10 2021, 2:03 AM

Herald added subscribers: manas, ASDenysPetrov, dkrupp and 8 others. · View Herald TranscriptAug 10 2021, 2:03 AM

steakhal requested review of this revision.Aug 10 2021, 2:03 AM

steakhal mentioned this in D107756: [analyzer] Extend the documentation of MallocOverflow.

Harbormaster completed remote builds in B118823: Diff 365386.Aug 10 2021, 3:13 AM

balazske added inline comments.Aug 11 2021, 8:00 AM

clang/lib/StaticAnalyzer/Checkers/MallocOverflowSecurityChecker.cpp
163	Is it safe to check for position in source code, instead of the execution path?
165	This is not a `PredTrue` any more.

steakhal added inline comments.Aug 11 2021, 8:16 AM

clang/lib/StaticAnalyzer/Checkers/MallocOverflowSecurityChecker.cpp
163	I don't think so. But it's already better than outright suppressing any finding.
165	Oh sure, I'm gonna fix it!

PredTrue -> PrecedesMalloc

Harbormaster completed remote builds in B119200: Diff 365921.Aug 12 2021, 1:41 AM

Okay, I think this change is aligned with the checker's original logic. I.e. we have a heuristic, so we do not warn if we see a check of the involved variable...
I was digging a bit and found a related SEI CERT rule. MEM35-C Perhaps this checker could warn on the second code example?

On the other hand, on the long term I'd like to see this checker completely removed without any trace. I mean, generally, we should be able to warn if the result of any binary operation may not be represented in the underlying type. I think, this should be handled with an orchestration of a clever constraint solver and the engine.

In D107804#2950274, @martong wrote:

Okay, I think this change is aligned with the checker's original logic. I.e. we have a heuristic, so we do not warn if we see a check of the involved variable...
I was digging a bit and found a related SEI CERT rule. MEM35-C Perhaps this checker could warn on the second code example?

The checker in it's current form, would warn for the very first example, and only for that example:

void *alloc_blocks(size_t num_blocks) {
  if (num_blocks == 0)
    return NULL;
  unsigned long long alloc = num_blocks * BLOCKSIZE ;
  return (alloc < UINT_MAX) ? malloc(num_blocks * BLOCKSIZE ) : NULL;
  // expected-warning@-1 {{the computation of the size of the memory allocation may overflow}}
}

It wouldn't warn for the rest of the examples because those have some sort of comparison checks on the variable.

On the other hand, on the long term I'd like to see this checker completely removed without any trace. I mean, generally, we should be able to warn if the result of any binary operation may not be represented in the underlying type. I think this should be handled with an orchestration of a clever constraint solver and the engine.

We cannot have a witness for overflow if we calculate on unknown symbolic values, like top-level function parameters, etc. In that sense, the checker relaxes the bug condition to look for potential overflowing multiplications in a specific context, in malloc parameters. That being said, a smarter constraint solver wouldn't help much.

martong added inline comments.Aug 18 2021, 9:39 AM

clang/lib/StaticAnalyzer/Checkers/MallocOverflowSecurityChecker.cpp
163	Do we somehow assure that the two locations are inside the same stack frame? I mean @balazske has a point and I think this solution is okay if we compare two locations inside the same function.
clang/test/Analysis/malloc-overflow.c
115–124	What happens if the check happens in an inlined function? The location is above the malloc in the TU, isn't it? int check(int n) return (n > 10); } void check_before_malloc(int n, int x) { int p = NULL; if (x == 42) p = malloc(n * sizeof(int)); // no-warning? if (check(n)) return NULL; // Do some other stuff, e.g. initialize the memory. return p; }

Add a test using macros. It demonstrates that the source locations are properly resolved.
@martong Let me know if you have anything.

clang/lib/StaticAnalyzer/Checkers/MallocOverflowSecurityChecker.cpp
163	I would assert this fact, but I'm not exactly sure how to acquire the enclosing function of a SourceLocation.
clang/test/Analysis/malloc-overflow.c
115–124	The checker conducts a simple AST-matching, thus it wouldn't resolve the `check(n)` call. So, the checker will fire regardless of where you put the `check(n)` call, before or after the `malloc()`. Even in case of macros, it still works. Check the updated test file.

Harbormaster completed remote builds in B121142: Diff 368603.Aug 25 2021, 4:44 AM

Pin the -triple to x86_64

Harbormaster completed remote builds in B121192: Diff 368679.Aug 25 2021, 11:48 AM

Upsz-upsz, something went terribly off here! Flexible array members related changes come in with the last diff. For example, the file flexible-array-members.c came in. It might be perhaps a rebase issue if the FAM related change had been commited already, could you please rebase this patch?

This revision now requires changes to proceed.Aug 26 2021, 6:37 AM

The right diff this time :D

Harbormaster completed remote builds in B121335: Diff 368864.Aug 26 2021, 7:38 AM

Thanks, LGTM!

This revision is now accepted and ready to land.Aug 26 2021, 8:26 AM

Rebased. Removed the given limitation from the user-facing documentation, that this patch fixes.

Harbormaster completed remote builds in B121446: Diff 369031.Aug 27 2021, 12:14 AM

Closed by commit rG68088563fbad: [analyzer] MallocOverflow should consider comparisons only preceding malloc (authored by steakhal). · Explain WhyAug 27 2021, 5:41 AM

This revision was automatically updated to reflect the committed changes.

steakhal added a commit: rG68088563fbad: [analyzer] MallocOverflow should consider comparisons only preceding malloc.

Herald added a project: Restricted Project. · View Herald TranscriptAug 27 2021, 5:41 AM

Herald added a subscriber: cfe-commits. · View Herald Transcript

Probably it is too late, but the title of this change is misleading. I think is should be either MallocOverflow should consider comparisons AFTER malloc or MallocOverflow should NOT consider comparisons only preceding malloc.

Diff 365921

clang/lib/StaticAnalyzer/Checkers/MallocOverflowSecurityChecker.cpp

Show All 26 Lines
#include <utility>		#include <utility>

using namespace clang;		using namespace clang;
using namespace ento;		using namespace ento;
using llvm::APSInt;		using llvm::APSInt;

namespace {		namespace {
struct MallocOverflowCheck {		struct MallocOverflowCheck {
		const CallExpr *call;
const BinaryOperator *mulop;		const BinaryOperator *mulop;
const Expr *variable;		const Expr *variable;
APSInt maxVal;		APSInt maxVal;

MallocOverflowCheck(const BinaryOperator m, const Expr v, APSInt val)		MallocOverflowCheck(const CallExpr call, const BinaryOperator m,
: mulop(m), variable(v), maxVal(std::move(val)) {}		const Expr *v, APSInt val)
		: call(call), mulop(m), variable(v), maxVal(std::move(val)) {}
};		};

class MallocOverflowSecurityChecker : public Checker<check::ASTCodeBody> {		class MallocOverflowSecurityChecker : public Checker<check::ASTCodeBody> {
public:		public:
void checkASTCodeBody(const Decl *D, AnalysisManager &mgr,		void checkASTCodeBody(const Decl *D, AnalysisManager &mgr,
BugReporter &BR) const;		BugReporter &BR) const;

void CheckMallocArgument(		void CheckMallocArgument(
SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows,		SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows,
const Expr *TheArgument, ASTContext &Context) const;		const CallExpr *TheCall, ASTContext &Context) const;

void OutputPossibleOverflows(		void OutputPossibleOverflows(
SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows,		SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows,
const Decl *D, BugReporter &BR, AnalysisManager &mgr) const;		const Decl *D, BugReporter &BR, AnalysisManager &mgr) const;

};		};
} // end anonymous namespace		} // end anonymous namespace

// Return true for computations which evaluate to zero: e.g., mult by 0.		// Return true for computations which evaluate to zero: e.g., mult by 0.
static inline bool EvaluatesToZero(APSInt &Val, BinaryOperatorKind op) {		static inline bool EvaluatesToZero(APSInt &Val, BinaryOperatorKind op) {
return (op == BO_Mul) && (Val == 0);		return (op == BO_Mul) && (Val == 0);
}		}

void MallocOverflowSecurityChecker::CheckMallocArgument(		void MallocOverflowSecurityChecker::CheckMallocArgument(
SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows,		SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows,
const Expr *TheArgument,		const CallExpr *TheCall, ASTContext &Context) const {
ASTContext &Context) const {

/* Look for a linear combination with a single variable, and at least		/* Look for a linear combination with a single variable, and at least
one multiplication.		one multiplication.
Reject anything that applies to the variable: an explicit cast,		Reject anything that applies to the variable: an explicit cast,
conditional expression, an operation that could reduce the range		conditional expression, an operation that could reduce the range
of the result, or anything too complicated :-). */		of the result, or anything too complicated :-). */
const Expr *e = TheArgument;		const Expr *e = TheCall->getArg(0);
const BinaryOperator * mulop = nullptr;		const BinaryOperator * mulop = nullptr;
APSInt maxVal;		APSInt maxVal;

for (;;) {		for (;;) {
maxVal = 0;		maxVal = 0;
e = e->IgnoreParenImpCasts();		e = e->IgnoreParenImpCasts();
if (const BinaryOperator *binop = dyn_cast<BinaryOperator>(e)) {		if (const BinaryOperator *binop = dyn_cast<BinaryOperator>(e)) {
BinaryOperatorKind opc = binop->getOpcode();		BinaryOperatorKind opc = binop->getOpcode();
Show All 27 Lines	void MallocOverflowSecurityChecker::CheckMallocArgument(

if (mulop == nullptr)		if (mulop == nullptr)
return;		return;

// We've found the right structure of malloc argument, now save		// We've found the right structure of malloc argument, now save
// the data so when the body of the function is completely available		// the data so when the body of the function is completely available
// we can check for comparisons.		// we can check for comparisons.

// TODO: Could push this into the innermost scope where 'e' is		PossibleMallocOverflows.push_back(
// defined, rather than the whole function.		MallocOverflowCheck(TheCall, mulop, e, maxVal));
PossibleMallocOverflows.push_back(MallocOverflowCheck(mulop, e, maxVal));
}		}

namespace {		namespace {
// A worker class for OutputPossibleOverflows.		// A worker class for OutputPossibleOverflows.
class CheckOverflowOps :		class CheckOverflowOps :
public EvaluatedExprVisitor<CheckOverflowOps> {		public EvaluatedExprVisitor<CheckOverflowOps> {
public:		public:
typedef SmallVectorImpl<MallocOverflowCheck> theVecType;		typedef SmallVectorImpl<MallocOverflowCheck> theVecType;
Show All 24 Lines	void Erase(const T1 *DR,
return getDecl(CheckDR) == getDecl(DR) && Pred(Check);		return getDecl(CheckDR) == getDecl(DR) && Pred(Check);
return false;		return false;
};		};
toScanFor.erase(std::remove_if(toScanFor.begin(), toScanFor.end(), P),		toScanFor.erase(std::remove_if(toScanFor.begin(), toScanFor.end(), P),
toScanFor.end());		toScanFor.end());
}		}

void CheckExpr(const Expr *E_p) {		void CheckExpr(const Expr *E_p) {
auto PredTrue = [](const MallocOverflowCheck &) { return true; };
const Expr *E = E_p->IgnoreParenImpCasts();		const Expr *E = E_p->IgnoreParenImpCasts();
		const auto PrecedesMalloc = [E, this](const MallocOverflowCheck &c) {
		return Context.getSourceManager().isBeforeInTranslationUnit(
		balazskeUnsubmitted Done Reply Inline Actions Is it safe to check for position in source code, instead of the execution path? balazske: Is it safe to check for position in source code, instead of the execution path?
		steakhalAuthorUnsubmitted Done Reply Inline Actions I don't think so. But it's already better than outright suppressing any finding. steakhal: I don't think so. But it's already better than outright suppressing any finding.
		martongUnsubmitted Done Reply Inline Actions Do we somehow assure that the two locations are inside the same stack frame? I mean @balazske has a point and I think this solution is okay if we compare two locations inside the same function. martong: Do we somehow assure that the two locations are inside the same stack frame? I mean @balazske…
		steakhalAuthorUnsubmitted Done Reply Inline Actions I would assert this fact, but I'm not exactly sure how to acquire the enclosing function of a SourceLocation. steakhal: I would assert this fact, but I'm not exactly sure how to acquire the enclosing function of a…
		E->getExprLoc(), c.call->getExprLoc());
		};
		balazskeUnsubmitted Done Reply Inline Actions This is not a `PredTrue` any more. balazske: This is not a `PredTrue` any more.
		steakhalAuthorUnsubmitted Done Reply Inline Actions Oh sure, I'm gonna fix it! steakhal: Oh sure, I'm gonna fix it!
if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(E))		if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(E))
Erase<DeclRefExpr>(DR, PredTrue);		Erase<DeclRefExpr>(DR, PrecedesMalloc);
else if (const auto *ME = dyn_cast<MemberExpr>(E)) {		else if (const auto *ME = dyn_cast<MemberExpr>(E)) {
Erase<MemberExpr>(ME, PredTrue);		Erase<MemberExpr>(ME, PrecedesMalloc);
}		}
}		}

// Check if the argument to malloc is assigned a value		// Check if the argument to malloc is assigned a value
// which cannot cause an overflow.		// which cannot cause an overflow.
// e.g., malloc (mul * x) and,		// e.g., malloc (mul * x) and,
// case 1: mul = <constant value>		// case 1: mul = <constant value>
// case 2: mul = a/b, where b > x		// case 2: mul = a/b, where b > x
▲ Show 20 Lines • Show All 142 Lines • ▼ Show 20 Lines	for (CFGBlock::iterator bi = block->begin(), be = block->end();

// Get the name of the callee. If it's a builtin, strip off the prefix.		// Get the name of the callee. If it's a builtin, strip off the prefix.
IdentifierInfo *FnInfo = FD->getIdentifier();		IdentifierInfo *FnInfo = FD->getIdentifier();
if (!FnInfo)		if (!FnInfo)
continue;		continue;

if (FnInfo->isStr ("malloc") \|\| FnInfo->isStr ("_MALLOC")) {		if (FnInfo->isStr ("malloc") \|\| FnInfo->isStr ("_MALLOC")) {
if (TheCall->getNumArgs() == 1)		if (TheCall->getNumArgs() == 1)
CheckMallocArgument(PossibleMallocOverflows, TheCall->getArg(0),		CheckMallocArgument(PossibleMallocOverflows, TheCall,
mgr.getASTContext());		mgr.getASTContext());
}		}
}		}
}		}
}		}
}		}

OutputPossibleOverflows(PossibleMallocOverflows, D, BR, mgr);		OutputPossibleOverflows(PossibleMallocOverflows, D, BR, mgr);
Show All 9 Lines

clang/test/Analysis/malloc-overflow.c

	Show First 20 Lines • Show All 105 Lines • ▼ Show 20 Lines
	}			}

	void * f14(int n)			void * f14(int n)
	{			{
	if (n < 0)			if (n < 0)
	return NULL;			return NULL;
	return malloc(n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}			return malloc(n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
	}			}

				void *check_before_malloc(int n, int x) {
				int *p = NULL;
				if (n > 10)
				return NULL;
				if (x == 42)
				p = malloc(n * sizeof(int)); // no-warning, the check precedes the allocation

				// Do some other stuff, e.g. initialize the memory.
				return p;
				}
				martongUnsubmitted Done Reply Inline Actions What happens if the check happens in an inlined function? The location is above the malloc in the TU, isn't it? int check(int n) return (n > 10); } void check_before_malloc(int n, int x) { int p = NULL; if (x == 42) p = malloc(n * sizeof(int)); // no-warning? if (check(n)) return NULL; // Do some other stuff, e.g. initialize the memory. return p; } martong: What happens if the check happens in an inlined function? The location is above the malloc in…
				steakhalAuthorUnsubmitted Done Reply Inline Actions The checker conducts a simple AST-matching, thus it wouldn't resolve the `check(n)` call. So, the checker will fire regardless of where you put the `check(n)` call, before or after the `malloc()`. Even in case of macros, it still works. Check the updated test file. steakhal: The checker conducts a simple AST-matching, thus it wouldn't resolve the `check(n)` call. So…

				void *check_after_malloc(int n, int x) {
				int *p = NULL;
				if (x == 42)
				p = malloc(n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}

				// The check is after the allocation!
				if (n > 10) {
				// Do something conditionally.
				}
				return p;
				}

This is an archive of the discontinued LLVM Phabricator instance.

[analyzer] MallocOverflow should consider comparisons only preceding malloc
ClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 365921

clang/lib/StaticAnalyzer/Checkers/MallocOverflowSecurityChecker.cpp

clang/test/Analysis/malloc-overflow.c

This is an archive of the discontinued LLVM Phabricator instance.

[analyzer] MallocOverflow should consider comparisons only preceding mallocClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 365921

clang/lib/StaticAnalyzer/Checkers/MallocOverflowSecurityChecker.cpp

clang/test/Analysis/malloc-overflow.c

[analyzer] MallocOverflow should consider comparisons only preceding malloc
ClosedPublic