This is an archive of the discontinued LLVM Phabricator instance.

Differential D107960

[clang][analyzer] Make ReturnPtrRange checker warn at negative index.
AbandonedPublic

Authored by balazske on Aug 12 2021, 6:29 AM.

Details

Reviewers
Szelethus
steakhal
Summary

The checker did not work with negative array index at return.
Specially for -1 it did not produce a bug.
assumeInBound may not work correct with negative values so a pre-
check is added to the checker for negative array index.

Diff Detail

Event Timeline

balazske created this revision.Aug 12 2021, 6:29 AM
Herald added a reviewer: Szelethus. · View Herald TranscriptAug 12 2021, 6:29 AM
Herald added subscribers: manas, steakhal, ASDenysPetrov and 12 others. · View Herald Transcript
balazske requested review of this revision.Aug 12 2021, 6:29 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 12 2021, 6:29 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
Harbormaster completed remote builds in B119254: Diff 365990.Aug 12 2021, 6:57 AM
steakhal requested changes to this revision.Aug 12 2021, 7:00 AM

If assumeInBound() behaves unexpectedly, we should probably fix that instead.
This change would workaround the issue, instead of fixing it. By fixing the root cause all users of assumeInBound() would benefit.
I recommend you to have a deeper look at the insides of assumeInBound() investigating why it behaves that way.

This revision now requires changes to proceed.Aug 12 2021, 7:00 AM
balazske added a comment.Aug 13 2021, 7:13 AM

assumeInBound should check if 0<=Idx<UpperBound. In this case it makes no sense of UpperBound is negative.
The problem appears in cases like this:

int *conjure();
int *m1() {
  int *p = conjure();
  return p - 1;
}

The extent of the region is symbolic and the index is a constant, so a constraint for the extent appears after assumeInBound.
For positive index (at p - 1 in the code) it looks correct, if p + 1 is used:

StOutBound:"program_state": {
  "store": { "pointer": "0x6acdd8", "items": [
    { "cluster": "GlobalInternalSpaceRegion", "pointer": "0x6acb98", "items": [
      { "kind": "Default", "offset": 0, "value": "conj_$0{int, LC1, S666, #1}" }
    ]},
    { "cluster": "GlobalSystemSpaceRegion", "pointer": "0x6accb8", "items": [
      { "kind": "Default", "offset": 0, "value": "conj_$1{int, LC1, S666, #1}" }
    ]}
  ]},
  "environment": { "pointer": "0x6ac010", "items": [
    { "lctx_id": 1, "location_context": "#0 Call", "calling": "conjured::b3", "location": null, "items": [
      { "stmt_id": 684, "pretty": "p + 1", "value": "&Element{SymRegion{conj_$2{int *, LC1, S666, #1}},1 S64b,int}" }
    ]}
  ]},
  "constraints": [
    { "symbol": "(extent_$3{SymRegion{conj_$2{int *, LC1, S666, #1}}}) / 4", "range": "{ [0, 1] }" }
  ],
  "equivalence_classes": null,
  "disequality_info": null,
  "dynamic_types": null,
  "dynamic_casts": null,
  "constructing_objects": null,
  "checker_messages": null
}
StInBound:"program_state": {
  "store": { "pointer": "0x6acdd8", "items": [
    { "cluster": "GlobalInternalSpaceRegion", "pointer": "0x6acb98", "items": [
      { "kind": "Default", "offset": 0, "value": "conj_$0{int, LC1, S666, #1}" }
    ]},
    { "cluster": "GlobalSystemSpaceRegion", "pointer": "0x6accb8", "items": [
      { "kind": "Default", "offset": 0, "value": "conj_$1{int, LC1, S666, #1}" }
    ]}
  ]},
  "environment": { "pointer": "0x6ac010", "items": [
    { "lctx_id": 1, "location_context": "#0 Call", "calling": "conjured::b3", "location": null, "items": [
      { "stmt_id": 684, "pretty": "p + 1", "value": "&Element{SymRegion{conj_$2{int *, LC1, S666, #1}},1 S64b,int}" }
    ]}
  ]},
  "constraints": [
    { "symbol": "(extent_$3{SymRegion{conj_$2{int *, LC1, S666, #1}}}) / 4", "range": "{ [-9223372036854775808, -1], [2, 9223372036854775807] }" }
  ],
  "equivalence_classes": null,
  "disequality_info": null,
  "dynamic_types": null,
  "dynamic_casts": null,
  "constructing_objects": null,
  "checker_messages": null
}

For p - 1 only the StOutBound exists:

OutBound:"program_state": {
  "store": { "pointer": "0x161bdd8", "items": [
    { "cluster": "GlobalInternalSpaceRegion", "pointer": "0x161bb98", "items": [
      { "kind": "Default", "offset": 0, "value": "conj_$0{int, LC1, S666, #1}" }
    ]},
    { "cluster": "GlobalSystemSpaceRegion", "pointer": "0x161bcb8", "items": [
      { "kind": "Default", "offset": 0, "value": "conj_$1{int, LC1, S666, #1}" }
    ]}
  ]},
  "environment": { "pointer": "0x161b010", "items": [
    { "lctx_id": 1, "location_context": "#0 Call", "calling": "conjured::b3", "location": null, "items": [
      { "stmt_id": 684, "pretty": "p - 1", "value": "&Element{SymRegion{conj_$2{int *, LC1, S666, #1}},-1 S64b,int}" }
    ]}
  ]},
  "constraints": [
    { "symbol": "(extent_$3{SymRegion{conj_$2{int *, LC1, S666, #1}}}) / 4", "range": "{ [-9223372036854775808, 9223372036854775807] }" }
  ],
  "equivalence_classes": null,
  "disequality_info": null,
  "dynamic_types": null,
  "dynamic_casts": null,
  "constructing_objects": null,
  "checker_messages": null
}

For p - 2 the StOutBound has constraint { [-9223372036854775808, -2], [0, 9223372036854775807] } and StInBound has { [-1, -1] }. Probably this is how the overflow situation is handled or it is not correct.

This checker can do anyway nothing with a negative index. It may be out of bound in a non-symbolic region but can be valid.

martong added a comment.Aug 30 2021, 6:26 AM

Would it make sense to tweak assumeInBound in a way to handle symbolic regions differently than concrete regions?
I mean

static int arr[10];
return arr - 1; // we want a warning here
...

int *p = conjure();
return p - 1;  // no warning here
balazske abandoned this revision.Jun 1 2022, 2:21 AM

With the current main branch the new test passes.

Herald added a project: Restricted Project. · View Herald TranscriptJun 1 2022, 2:21 AM

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
118 lines
test/
Analysis/
21 lines

Diff 365990

clang/lib/StaticAnalyzer/Checkers/ReturnPointerRangeChecker.cpp

Show First 20 LinesShow All 58 Lines▼ Show 20 Linesvoid ReturnPointerRangeChecker::checkPreStmt(const ReturnStmt *RS,
DefinedOrUnknownSVal ElementCount = getDynamicElementCount( DefinedOrUnknownSVal ElementCount = getDynamicElementCount(
state, ER->getSuperRegion(), C.getSValBuilder(), ER->getValueType()); state, ER->getSuperRegion(), C.getSValBuilder(), ER->getValueType());
// We assume that the location after the last element in the array is used as // We assume that the location after the last element in the array is used as
// end() iterator. Reporting on these would return too many false positives. // end() iterator. Reporting on these would return too many false positives.
if (Idx == ElementCount) if (Idx == ElementCount)
return; return;
auto ElementCountNL = ElementCount.getAs<NonLoc>();
assert(ElementCountNL && "Array size should not be a pointer");
auto IdxNegativeVal =
C.getSValBuilder()
.evalBinOpNN(state, BO_LT, *ElementCountNL,
C.getSValBuilder().makeZeroArrayIndex(),
C.getSValBuilder().getConditionType())
.castAs<DefinedOrUnknownSVal>();
ProgramStateRef IdxNegative, IdxNonNegative;
std::tie(IdxNegative, IdxNonNegative) = state->assume(IdxNegativeVal);
ProgramStateRef StError;
if (IdxNegative && !IdxNonNegative) {
StError = IdxNegative;
} else {
ProgramStateRef StInBound = state->assumeInBound(Idx, ElementCount, true); ProgramStateRef StInBound = state->assumeInBound(Idx, ElementCount, true);
ProgramStateRef StOutBound = state->assumeInBound(Idx, ElementCount, false); ProgramStateRef StOutBound = state->assumeInBound(Idx, ElementCount, false);
if (StOutBound && !StInBound) { if (StOutBound && !StInBound)
ExplodedNode *N = C.generateErrorNode(StOutBound); StError = StOutBound;
else
return;
}
ExplodedNode *N = C.generateErrorNode(StError);
if (!N) if (!N)
return; return;
// FIXME: This bug correspond to CWE-466. Eventually we should have bug // FIXME: This bug correspond to CWE-466. Eventually we should have bug
// types explicitly reference such exploit categories (when applicable). // types explicitly reference such exploit categories (when applicable).
if (!BT) if (!BT)
BT.reset(new BuiltinBug( BT.reset(new BuiltinBug(
this, "Buffer overflow", this, "Buffer overflow",
"Returned pointer value points outside the original object " "Returned pointer value points outside the original object "
"(potential buffer overflow)")); "(potential buffer overflow)"));
// Generate a report for this bug. // Generate a report for this bug.
auto Report = auto Report =
std::make_unique<PathSensitiveBugReport>(*BT, BT->getDescription(), N); std::make_unique<PathSensitiveBugReport>(*BT, BT->getDescription(), N);
Report->addRange(RetE->getSourceRange()); Report->addRange(RetE->getSourceRange());
const auto ConcreteElementCount = ElementCount.getAs<nonloc::ConcreteInt>(); const auto ConcreteElementCount = ElementCount.getAs<nonloc::ConcreteInt>();
const auto ConcreteIdx = Idx.getAs<nonloc::ConcreteInt>(); const auto ConcreteIdx = Idx.getAs<nonloc::ConcreteInt>();
const auto *DeclR = ER->getSuperRegion()->getAs<DeclRegion>(); const auto *DeclR = ER->getSuperRegion()->getAs<DeclRegion>();
if (DeclR) if (DeclR)
Report->addNote("Original object declared here", Report->addNote("Original object declared here",
{DeclR->getDecl(), C.getSourceManager()}); {DeclR->getDecl(), C.getSourceManager()});
if (ConcreteElementCount) { if (ConcreteElementCount) {
SmallString<128> SBuf; SmallString<128> SBuf;
llvm::raw_svector_ostream OS(SBuf); llvm::raw_svector_ostream OS(SBuf);
OS << "Original object "; OS << "Original object ";
if (DeclR) { if (DeclR) {
OS << "'"; OS << "'";
DeclR->getDecl()->printName(OS); DeclR->getDecl()->printName(OS);
OS << "' "; OS << "' ";
} }
OS << "is an array of " << ConcreteElementCount->getValue() << " '"; OS << "is an array of " << ConcreteElementCount->getValue() << " '";
ER->getValueType().print(OS, ER->getValueType().print(OS,
PrintingPolicy(C.getASTContext().getLangOpts())); PrintingPolicy(C.getASTContext().getLangOpts()));
OS << "' objects"; OS << "' objects";
if (ConcreteIdx) { if (ConcreteIdx) {
OS << ", returned pointer points at index " << ConcreteIdx->getValue(); OS << ", returned pointer points at index " << ConcreteIdx->getValue();
} }
Report->addNote(SBuf, Report->addNote(SBuf, {RetE, C.getSourceManager(), C.getLocationContext()});
{RetE, C.getSourceManager(), C.getLocationContext()});
} }
bugreporter::trackExpressionValue(N, RetE, *Report); bugreporter::trackExpressionValue(N, RetE, *Report);
C.emitReport(std::move(Report)); C.emitReport(std::move(Report));
} }
}
void ento::registerReturnPointerRangeChecker(CheckerManager &mgr) { void ento::registerReturnPointerRangeChecker(CheckerManager &mgr) {
mgr.registerChecker<ReturnPointerRangeChecker>(); mgr.registerChecker<ReturnPointerRangeChecker>();
} }
bool ento::shouldRegisterReturnPointerRangeChecker(const CheckerManager &mgr) { bool ento::shouldRegisterReturnPointerRangeChecker(const CheckerManager &mgr) {
return true; return true;
} }

clang/test/Analysis/return-ptr-range.cpp

Show First 20 LinesShow All 109 Lines▼ Show 20 Lines if (I != 11) // expected-note{{Assuming 'I' is equal to 11}}
return DataArr; return DataArr;
return DataArr + I; // expected-warning{{Returned pointer value points outside the original object}} return DataArr + I; // expected-warning{{Returned pointer value points outside the original object}}
// expected-note@-1{{Returned pointer value points outside the original object}} // expected-note@-1{{Returned pointer value points outside the original object}}
// expected-note@-2{{Original object 'DataArr' is an array of 10 'test_array_of_struct::Data' objects, returned pointer points at index 11}} // expected-note@-2{{Original object 'DataArr' is an array of 10 'test_array_of_struct::Data' objects, returned pointer points at index 11}}
} }
} }
int *test_negative_index(int I) {
static int arr[10]; // expected-note{{Original object declared here}}
// expected-note@-1{{'arr' initialized here}}
// expected-note@-2{{Original object declared here}}
// expected-note@-3{{'arr' initialized here}}
if (I == -1) // expected-note{{Assuming the condition is true}}
// expected-note@-1{{Taking true branch}}
// expected-note@-2{{Assuming the condition is false}}
// expected-note@-3{{Taking false branch}}
return arr + I; // expected-warning{{Returned pointer value points outside the original object}}
// expected-note@-1{{Returned pointer value points outside the original object}}
// expected-note@-2{{Original object 'arr' is an array of 10 'int' objects, returned pointer points at index -1}}
if (I == -2) // expected-note{{Assuming the condition is true}}
// expected-note@-1{{Taking true branch}}
return arr + I; // expected-warning{{Returned pointer value points outside the original object}}
// expected-note@-1{{Returned pointer value points outside the original object}}
// expected-note@-2{{Original object 'arr' is an array of 10 'int' objects, returned pointer points at index -2}}
if (I == 0)
return arr + I;
return arr + I;
}