Index: clang/include/clang/StaticAnalyzer/Checkers/Checkers.td =================================================================== --- clang/include/clang/StaticAnalyzer/Checkers/Checkers.td +++ clang/include/clang/StaticAnalyzer/Checkers/Checkers.td @@ -305,6 +305,11 @@ Dependencies<[PthreadLockBase]>, Documentation; +def UndefinedNewArraySizeChecker : Checker<"NewArraySize">, + HelpText<"Check if the size of the array in a new[] expression is undefined">, + Documentation; + + } // end "alpha.core" //===----------------------------------------------------------------------===// Index: clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h =================================================================== --- clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h +++ clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h @@ -1033,6 +1033,12 @@ return getOriginExpr()->getNumPlacementArgs() + getNumImplicitArgs(); } + bool isArray() const { return getOriginExpr()->isArray(); } + + Optional getArraySizeExpr() const { + return getOriginExpr()->getArraySize(); + } + const Expr *getArgExpr(unsigned Index) const override { // The first argument of an allocator call is the size of the allocation. if (Index < getNumImplicitArgs()) Index: clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt =================================================================== --- clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt +++ clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt @@ -120,6 +120,7 @@ UndefResultChecker.cpp UndefinedArraySubscriptChecker.cpp UndefinedAssignmentChecker.cpp + UndefinedNewArraySizeChecker.cpp UninitializedObject/UninitializedObjectChecker.cpp UninitializedObject/UninitializedPointee.cpp UnixAPIChecker.cpp Index: clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp =================================================================== --- clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp +++ clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp @@ -1749,6 +1749,10 @@ // Fill the region with the initialization value. State = State->bindDefaultInitial(RetVal, Init, LCtx); + // If Size is somehow undefined at this point, this line prevents a crash. + if (Size.isUndef()) + Size = UnknownVal(); + // Set the region's extent. State = setDynamicExtent(State, RetVal.getAsRegion(), Size.castAs(), svalBuilder); Index: clang/lib/StaticAnalyzer/Checkers/UndefinedNewArraySizeChecker.cpp =================================================================== --- /dev/null +++ clang/lib/StaticAnalyzer/Checkers/UndefinedNewArraySizeChecker.cpp @@ -0,0 +1,105 @@ +//===--- UndefinedNewArraySizeChecker.cpp -----------------------*- C++ -*--==// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// +// +// This defines UndefinedNewArraySizeChecker, a builtin check in ExprEngine +// that checks if the size of the array in a new[] expression is undefined. +// +//===----------------------------------------------------------------------===// + +#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" +#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" +#include "clang/StaticAnalyzer/Core/Checker.h" +#include "clang/StaticAnalyzer/Core/CheckerManager.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" + +using namespace clang; +using namespace ento; + +namespace { +class UndefinedNewArraySizeChecker : public Checker { + +private: + mutable std::unique_ptr BT; + +public: + void checkPostCall(const CallEvent &Call, CheckerContext &C) const; + void HandleUndefinedArrayElementCount(CheckerContext &C, SVal ArgVal, + const Expr *Init, + SourceRange Range) const; +}; +} // namespace + +void UndefinedNewArraySizeChecker::checkPostCall(const CallEvent &Call, + CheckerContext &C) const { + if (const auto *AC = dyn_cast(&Call)) { + if (!AC->isArray()) + return; + + auto *SizeEx = *AC->getArraySizeExpr(); + + const auto State = Call.getState(); + const auto *LCtx = Call.getLocationContext(); + + auto SizeVal = State->getSVal(SizeEx, LCtx); + + if (SizeVal.isUndef()) + HandleUndefinedArrayElementCount(C, SizeVal, SizeEx, + SizeEx->getSourceRange()); + } +} + +void UndefinedNewArraySizeChecker::HandleUndefinedArrayElementCount( + CheckerContext &C, SVal ArgVal, const Expr *Init, SourceRange Range) const { + + if (ExplodedNode *N = C.generateErrorNode()) { + if (!BT) + BT.reset(new BuiltinBug(this, "Undefined array element count")); + + SmallString<100> buf; + llvm::raw_svector_ostream os(buf); + + os << "Undefined element count! "; + + // Try to be more informative... + os << "The value "; + Init = Init->IgnoreCasts(); + + if (const auto *DRE = dyn_cast(Init)) + os << "stored in '" << *DRE->getDecl() << "' "; + else if (const auto *CE = dyn_cast(Init)) { + os << "returned "; + + if (auto CalleeDecl = dyn_cast_or_null(CE->getCalleeDecl())) + os << "from '" << *CalleeDecl << "' "; + else + os << "'[*here*]' "; + } else + os << "'[*here*]' "; + + os << "is "; + ArgVal.dumpToStream(os); + os << "!"; + + auto R = std::make_unique(*BT, os.str(), N); + R->markInteresting(ArgVal); + R->addRange(Range); + bugreporter::trackExpressionValue(N, Init, *R); + + C.emitReport(std::move(R)); + } +} + +void ento::registerUndefinedNewArraySizeChecker(CheckerManager &mgr) { + mgr.registerChecker(); +} + +bool ento::shouldRegisterUndefinedNewArraySizeChecker( + const CheckerManager &mgr) { + return true; +} Index: clang/test/Analysis/undefined-new-element.cpp =================================================================== --- /dev/null +++ clang/test/Analysis/undefined-new-element.cpp @@ -0,0 +1,52 @@ +// RUN: %clang_analyze_cc1 %s \ +RUN: -analyzer-checker=alpha.core \ +// RUN: -verify + +void checkUndefinedElmenetCountValue() +{ + int n; + + int *arr = new int[n]; // expected-warning{{Undefined element count!}} +} + +void checkUndefinedElmenetCountMultiDimensionalValue() +{ + int n; + + auto *arr = new int[n][5]; // expected-warning{{Undefined element count!}} +} + +void checkUndefinedElmenetCountReference() +{ + int n; + + int& ref = n; + + int *arr = new int[ref]; // expected-warning{{Undefined element count!}} +} + +void checkUndefinedElmenetCountMultiDimensionalReference() +{ + int n; + + int& ref = n; + + auto *arr = new int[ref][5]; // expected-warning{{Undefined element count!}} +} + +int foo() +{ + int n; + + return n; +} + +void checkUndefinedElmenetCountFunction() +{ + int *arr = new int[foo()]; // expected-warning{{Undefined element count!}} +} + +void checkUndefinedElmenetCountMultiDimensionalFunction() +{ + auto *arr = new int[foo()][5]; // expected-warning{{Undefined element count!}} +}