This is an archive of the discontinued LLVM Phabricator instance.

Differential D14203

[analyzer] Improve pointer arithmetic checker.
ClosedPublic

Authored by xazax.hun on Oct 30 2015, 8:38 AM.

Details

Reviewers
dcoughlin
zaks.anna
Commits
rGd1abcf799ef5: [analyzer] Improve pointer arithmetic checker.
rC261632: [analyzer] Improve pointer arithmetic checker.
rL261632: [analyzer] Improve pointer arithmetic checker.
Summary

This patch is intended to improve pointer arithmetic checker.

From now on it tries to only warn, when the pointer arithmetic is likely to cause an error. For example when the pointer points to a single object, or an array of derived types.

Note that this check does not free the stored information right now, because it caused some trouble when I was checking the following code.

struct trie {
  struct trie* next;
};

struct kwset {
  struct trie *trie;
  unsigned char y[10];
  struct trie* next[10];
  int d;
};

typedef struct trie trie_t;
typedef struct kwset kwset_t;

void f(kwset_t *kws, char const *p, char const *q) {
  struct trie const *trie;
  struct trie * const *next = kws->next;
  register unsigned char c;
  register char const *end = p;
  register char const *lim = q;
  register int d = 1;
  register unsigned char const *y = kws->y;

  d = y[c = (end+=d)[-1]];
  trie = next[c]; // Here the analyzer tought that kws->next is a dead region, so the stored information was unavailable for the array. adding a kws = 0 or similar line to the end of the function fixed the problem. Is this a bug in liveness analysis fo regions?
}

Diff Detail

Repository
rL LLVM

Event Timeline

xazax.hun updated this revision to Diff 38813.Oct 30 2015, 8:38 AM
xazax.hun retitled this revision from to [analyzer] Improve pointer arithmetic checker..
xazax.hun updated this object.
xazax.hun added reviewers: zaks.anna, dcoughlin.
xazax.hun updated this object.
xazax.hun added subscribers: cfe-commits, dkrupp.
dcoughlin edited edge metadata.Nov 11 2015, 10:45 AM

Gabor,

This is an alpha checker. Do you anticipate turning it on by default?

Comments inline.

lib/StaticAnalyzer/Checkers/PointerArithChecker.cpp
28 ↗(On Diff #38813)

Is it necessary to distinguish so many cases here? For example, why do we need to distinguish between PlacementNew and OverloadedNew?

Another thought: given the expense of tracking stuff in the GDM could we instead track whether pointer arithmetic is explicitly disallowed for a given region? Then we wouldn't have to track any data for the "good" pointers.

Also, how does AllocKind relate to the AllocationFamily from MallocChecker? Could that checker's state be used so we don't have to track any additional information here?

If you do keep AllocKind, I think it would be good to add a comment describing how this enum is used and the intended meaning of each element.

29 ↗(On Diff #38813)

I'm not sure "singleton" is the right term here. I associate "singleton" with the design pattern of only having a single instance of a class allocated at a given time (a form of global shared state). Also, SingletonMalloc doesn't appear to be used anywhere.

88 ↗(On Diff #38813)

I think it would be better to use llvm::SmallSet here.

137 ↗(On Diff #38813)

I think it would be good to add a doc comment for this function describing what the function does and its parameters as well as whether they are input or output parameters.

I also wonder if this logic is better expressed as a loop rather than recursion. What do you think?

150 ↗(On Diff #38813)

In general, I think it is better to avoid default in cases like these so that when an enum case is added the compiler issues a warning and thus forces the person adding the change to think about what the behavior of the new case should be.

198 ↗(On Diff #38813)

I think "polymorphic" is a bit jargony. Can this diagnostic be explained in terms of base and derived classes?

test/Analysis/ptr-arith.cpp
47 ↗(On Diff #38813)

I think it would be good to add tests showing p = i*0 + p' and p = p + i*0' don't alarm. Also `p += i*0'.

xazax.hun added a comment.Nov 12 2015, 1:20 AM
In D14203#287303, @dcoughlin wrote:

Gabor,

This is an alpha checker. Do you anticipate turning it on by default?

Comments inline.

I could see two kinds of false positives with this checker when running this on the LLVM codebase.

When objects are allocated in a way that one object is allocated together with an array (the array is after the original object in), and the object contains getter code like:

reinterpret_cast<Elements*>(this + 1);

When a function is written like this:

Obj* f() {
if (opaqueCond)
    return singleObject;
return array;
}

And used like this:

f()[5];

Other then these two cases I think the results are good.

xazax.hun added inline comments.Nov 12 2015, 1:37 AM
lib/StaticAnalyzer/Checkers/PointerArithChecker.cpp
28 ↗(On Diff #38813)

I think this way it is more explicit that we are not going to reason about PlacementNew and OverLoadedNew. Turning this information into comments and reduce the number of elements of the enum is fine. I am going to do that.

Storing information only for singletons or only for arrays seems like a good idea for me. However it is possible that there are more pointers for single objects than arrays? In this case it would be better to store data only for "good" pointers.

AllocationFamily does not distinguish placement and overloaded new for instance. The current approach to this checker is to be conservative and do not try to reason about them. Other than that in the future I planned to add heuristics when a malloc call is likely to allocate and array and when it is likely to allocate a single object (heuristics on the AST). The AllocationFamily do not distinguish these cases.

29 ↗(On Diff #38813)

What about SingleObjectNew? Currently this checker does not reason about malloced pointers, because it does not distinguish the case where the malloc is used to allocate an array and where it is used to allocate a single object. I was planning to do this classification based on some heuristics on AST matching.

88 ↗(On Diff #38813)

I will change that, thanks.

137 ↗(On Diff #38813)

I will rewrite it without recursion and check the results but I suspect that you are right.

150 ↗(On Diff #38813)

I will enumerate the rest of the kinds here.

198 ↗(On Diff #38813)

Sure, I will try to come up with something.

xazax.hun updated this revision to Diff 41022.Nov 24 2015, 4:20 AM
xazax.hun edited edge metadata.
xazax.hun marked 11 inline comments as done.
  • Fixed some of the review comments.
  • Updated to latest trunk.
xazax.hun added inline comments.Nov 24 2015, 4:23 AM
lib/StaticAnalyzer/Checkers/PointerArithChecker.cpp
28 ↗(On Diff #41022)

In case, there is a pointer to the stack allocated variable, nothing will be stored in the GDM.
The result of a new is a symbolic region, but there are other ways to get a symbolic region, e.g. a pointer as an argument to a top level function. In order to distinguish these cases I think I need to store something to the GDM. But I will think a bit more, whether there is a way to reduce the GDM usage.

150 ↗(On Diff #38813)

I checked and there are more kinds than what I think is worth enumerating.

xazax.hun added a comment.Feb 11 2016, 3:49 AM

Ping.

dcoughlin accepted this revision.Feb 22 2016, 9:30 AM
dcoughlin edited edge metadata.

Other than a suggested diagnostic rewording to consider, looks good to me. Thanks Gábor!

lib/StaticAnalyzer/Checkers/PointerArithChecker.cpp
198 ↗(On Diff #41022)

Here is a suggestion to reword: "Pointer arithmetic on non-array variables relies on memory layout, which is dangerous."

This revision is now accepted and ready to land.Feb 22 2016, 9:30 AM
Closed by commit rL261632: [analyzer] Improve pointer arithmetic checker. (authored by xazax). · Explain WhyFeb 23 2016, 4:39 AM
This revision was automatically updated to reflect the committed changes.
zukatsinadze mentioned this in D97699: [analyzer] Add InvalidPtrChecker.Mar 1 2021, 9:08 AM

Revision Contents

PathSize
cfe/
trunk/
lib/
StaticAnalyzer/
Checkers/
324 lines
test/
Analysis/
4 lines
2 lines
4 lines
82 lines
2 lines

Diff 48806

cfe/trunk/lib/StaticAnalyzer/Checkers/PointerArithChecker.cpp

//=== PointerArithChecker.cpp - Pointer arithmetic checker -----*- C++ -*--===// //=== PointerArithChecker.cpp - Pointer arithmetic checker -----*- C++ -*--===//
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is distributed under the University of Illinois Open Source // This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details. // License. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This files defines PointerArithChecker, a builtin checker that checks for // This files defines PointerArithChecker, a builtin checker that checks for
// pointer arithmetic on locations other than array elements. // pointer arithmetic on locations other than array elements.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "ClangSACheckers.h" #include "ClangSACheckers.h"
#include "clang/AST/DeclCXX.h"
#include "clang/AST/ExprCXX.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "llvm/ADT/SmallVector.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
enum class AllocKind {
SingleObject,
Array,
Unknown,
Reinterpreted // Single object interpreted as an array.
};
} // end namespace
namespace llvm {
template <> struct FoldingSetTrait<AllocKind> {
static inline void Profile(AllocKind X, FoldingSetNodeID &ID) {
ID.AddInteger(static_cast<int>(X));
}
};
} // end namespace llvm
namespace {
class PointerArithChecker class PointerArithChecker
: public Checker< check::PreStmt<BinaryOperator> > { : public Checker<
mutable std::unique_ptr<BuiltinBug> BT; check::PreStmt<BinaryOperator>, check::PreStmt<UnaryOperator>,
check::PreStmt<ArraySubscriptExpr>, check::PreStmt<CastExpr>,
check::PostStmt<CastExpr>, check::PostStmt<CXXNewExpr>,
check::PostStmt<CallExpr>, check::DeadSymbols> {
AllocKind getKindOfNewOp(const CXXNewExpr *NE, const FunctionDecl *FD) const;
const MemRegion *getArrayRegion(const MemRegion *Region, bool &Polymorphic,
AllocKind &AKind, CheckerContext &C) const;
const MemRegion *getPointedRegion(const MemRegion *Region,
CheckerContext &C) const;
void reportPointerArithMisuse(const Expr *E, CheckerContext &C,
bool PointedNeeded = false) const;
void initAllocIdentifiers(ASTContext &C) const;
mutable std::unique_ptr<BuiltinBug> BT_pointerArith;
mutable std::unique_ptr<BuiltinBug> BT_polyArray;
mutable llvm::SmallSet<IdentifierInfo *, 8> AllocFunctions;
public: public:
void checkPreStmt(const BinaryOperator *B, CheckerContext &C) const; void checkPreStmt(const UnaryOperator *UOp, CheckerContext &C) const;
void checkPreStmt(const BinaryOperator *BOp, CheckerContext &C) const;
void checkPreStmt(const ArraySubscriptExpr *SubExpr, CheckerContext &C) const;
void checkPreStmt(const CastExpr *CE, CheckerContext &C) const;
void checkPostStmt(const CastExpr *CE, CheckerContext &C) const;
void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const;
void checkPostStmt(const CallExpr *CE, CheckerContext &C) const;
void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
}; };
} // end namespace
REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, const MemRegion *, AllocKind)
void PointerArithChecker::checkDeadSymbols(SymbolReaper &SR,
CheckerContext &C) const {
// TODO: intentional leak. Some information is garbage collected too early,
// see http://reviews.llvm.org/D14203 for further information.
/*ProgramStateRef State = C.getState();
RegionStateTy RegionStates = State->get<RegionState>();
for (RegionStateTy::iterator I = RegionStates.begin(), E = RegionStates.end();
I != E; ++I) {
if (!SR.isLiveRegion(I->first))
State = State->remove<RegionState>(I->first);
} }
C.addTransition(State);*/
}
AllocKind PointerArithChecker::getKindOfNewOp(const CXXNewExpr *NE,
const FunctionDecl *FD) const {
// This checker try not to assume anything about placement and overloaded
// new to avoid false positives.
if (isa<CXXMethodDecl>(FD))
return AllocKind::Unknown;
if (FD->getNumParams() != 1 || FD->isVariadic())
return AllocKind::Unknown;
if (NE->isArray())
return AllocKind::Array;
void PointerArithChecker::checkPreStmt(const BinaryOperator *B, return AllocKind::SingleObject;
}
const MemRegion *
PointerArithChecker::getPointedRegion(const MemRegion *Region,
CheckerContext &C) const {
assert(Region);
ProgramStateRef State = C.getState();
SVal S = State->getSVal(Region);
return S.getAsRegion();
}
/// Checks whether a region is the part of an array.
/// In case there is a dericed to base cast above the array element, the
/// Polymorphic output value is set to true. AKind output value is set to the
/// allocation kind of the inspected region.
const MemRegion *PointerArithChecker::getArrayRegion(const MemRegion *Region,
bool &Polymorphic,
AllocKind &AKind,
CheckerContext &C) const { CheckerContext &C) const {
if (B->getOpcode() != BO_Sub && B->getOpcode() != BO_Add) assert(Region);
while (Region->getKind() == MemRegion::Kind::CXXBaseObjectRegionKind) {
Region = Region->getAs<CXXBaseObjectRegion>()->getSuperRegion();
Polymorphic = true;
}
if (Region->getKind() == MemRegion::Kind::ElementRegionKind) {
Region = Region->getAs<ElementRegion>()->getSuperRegion();
}
ProgramStateRef State = C.getState();
if (const AllocKind *Kind = State->get<RegionState>(Region)) {
AKind = *Kind;
if (*Kind == AllocKind::Array)
return Region;
else
return nullptr;
}
// When the region is symbolic and we do not have any information about it,
// assume that this is an array to avoid false positives.
if (Region->getKind() == MemRegion::Kind::SymbolicRegionKind)
return Region;
// No AllocKind stored and not symbolic, assume that it points to a single
// object.
return nullptr;
}
void PointerArithChecker::reportPointerArithMisuse(const Expr *E,
CheckerContext &C,
bool PointedNeeded) const {
SourceRange SR = E->getSourceRange();
if (SR.isInvalid())
return; return;
ProgramStateRef state = C.getState(); ProgramStateRef State = C.getState();
const LocationContext *LCtx = C.getLocationContext(); const MemRegion *Region =
SVal LV = state->getSVal(B->getLHS(), LCtx); State->getSVal(E, C.getLocationContext()).getAsRegion();
SVal RV = state->getSVal(B->getRHS(), LCtx); if (!Region)
return;
if (PointedNeeded)
Region = getPointedRegion(Region, C);
if (!Region)
return;
const MemRegion *LR = LV.getAsRegion(); bool IsPolymorphic = false;
AllocKind Kind = AllocKind::Unknown;
if (const MemRegion *ArrayRegion =
getArrayRegion(Region, IsPolymorphic, Kind, C)) {
if (!IsPolymorphic)
return;
if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
if (!BT_polyArray)
BT_polyArray.reset(new BuiltinBug(
this, "Dangerous pointer arithmetic",
"Pointer arithmetic on a pointer to base class is dangerous "
"because derived and base class may have different size."));
auto R = llvm::make_unique<BugReport>(*BT_polyArray,
BT_polyArray->getDescription(), N);
R->addRange(E->getSourceRange());
R->markInteresting(ArrayRegion);
C.emitReport(std::move(R));
}
return;
}
if (!LR || !RV.isConstant()) if (Kind == AllocKind::Reinterpreted)
return; return;
// If pointer arithmetic is done on variables of non-array type, this often // We might not have enough information about symbolic regions.
// means behavior rely on memory organization, which is dangerous. if (Kind != AllocKind::SingleObject &&
if (isa<VarRegion>(LR) || isa<CodeTextRegion>(LR) || Region->getKind() == MemRegion::Kind::SymbolicRegionKind)
isa<CompoundLiteralRegion>(LR)) { return;
if (ExplodedNode *N = C.generateNonFatalErrorNode()) { if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
if (!BT) if (!BT_pointerArith)
BT.reset( BT_pointerArith.reset(new BuiltinBug(this, "Dangerous pointer arithmetic",
new BuiltinBug(this, "Dangerous pointer arithmetic", "Pointer arithmetic on non-array "
"Pointer arithmetic done on non-array variables " "variables relies on memory layout, "
"means reliance on memory layout, which is " "which is dangerous."));
"dangerous.")); auto R = llvm::make_unique<BugReport>(*BT_pointerArith,
auto R = llvm::make_unique<BugReport>(*BT, BT->getDescription(), N); BT_pointerArith->getDescription(), N);
R->addRange(B->getSourceRange()); R->addRange(SR);
R->markInteresting(Region);
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
} }
void PointerArithChecker::initAllocIdentifiers(ASTContext &C) const {
if (!AllocFunctions.empty())
return;
AllocFunctions.insert(&C.Idents.get("alloca"));
AllocFunctions.insert(&C.Idents.get("malloc"));
AllocFunctions.insert(&C.Idents.get("realloc"));
AllocFunctions.insert(&C.Idents.get("calloc"));
AllocFunctions.insert(&C.Idents.get("valloc"));
}
void PointerArithChecker::checkPostStmt(const CallExpr *CE,
CheckerContext &C) const {
ProgramStateRef State = C.getState();
const FunctionDecl *FD = C.getCalleeDecl(CE);
if (!FD)
return;
IdentifierInfo *FunI = FD->getIdentifier();
initAllocIdentifiers(C.getASTContext());
if (AllocFunctions.count(FunI) == 0)
return;
SVal SV = State->getSVal(CE, C.getLocationContext());
const MemRegion *Region = SV.getAsRegion();
if (!Region)
return;
// Assume that C allocation functions allocate arrays to avoid false
// positives.
// TODO: Add heuristics to distinguish alloc calls that allocates single
// objecs.
State = State->set<RegionState>(Region, AllocKind::Array);
C.addTransition(State);
}
void PointerArithChecker::checkPostStmt(const CXXNewExpr *NE,
CheckerContext &C) const {
const FunctionDecl *FD = NE->getOperatorNew();
if (!FD)
return;
AllocKind Kind = getKindOfNewOp(NE, FD);
ProgramStateRef State = C.getState();
SVal AllocedVal = State->getSVal(NE, C.getLocationContext());
const MemRegion *Region = AllocedVal.getAsRegion();
if (!Region)
return;
State = State->set<RegionState>(Region, Kind);
C.addTransition(State);
}
void PointerArithChecker::checkPostStmt(const CastExpr *CE,
CheckerContext &C) const {
if (CE->getCastKind() != CastKind::CK_BitCast)
return;
const Expr *CastedExpr = CE->getSubExpr();
ProgramStateRef State = C.getState();
SVal CastedVal = State->getSVal(CastedExpr, C.getLocationContext());
const MemRegion *Region = CastedVal.getAsRegion();
if (!Region)
return;
// Suppress reinterpret casted hits.
State = State->set<RegionState>(Region, AllocKind::Reinterpreted);
C.addTransition(State);
}
void PointerArithChecker::checkPreStmt(const CastExpr *CE,
CheckerContext &C) const {
if (CE->getCastKind() != CastKind::CK_ArrayToPointerDecay)
return;
const Expr *CastedExpr = CE->getSubExpr();
ProgramStateRef State = C.getState();
SVal CastedVal = State->getSVal(CastedExpr, C.getLocationContext());
const MemRegion *Region = CastedVal.getAsRegion();
if (!Region)
return;
if (const AllocKind *Kind = State->get<RegionState>(Region)) {
if (*Kind == AllocKind::Array || *Kind == AllocKind::Reinterpreted)
return;
}
State = State->set<RegionState>(Region, AllocKind::Array);
C.addTransition(State);
}
void PointerArithChecker::checkPreStmt(const UnaryOperator *UOp,
CheckerContext &C) const {
if (!UOp->isIncrementDecrementOp() || !UOp->getType()->isPointerType())
return;
reportPointerArithMisuse(UOp->getSubExpr(), C, true);
}
void PointerArithChecker::checkPreStmt(const ArraySubscriptExpr *SubsExpr,
CheckerContext &C) const {
ProgramStateRef State = C.getState();
SVal Idx = State->getSVal(SubsExpr->getIdx(), C.getLocationContext());
// Indexing with 0 is OK.
if (Idx.isZeroConstant())
return;
reportPointerArithMisuse(SubsExpr->getBase(), C);
}
void PointerArithChecker::checkPreStmt(const BinaryOperator *BOp,
CheckerContext &C) const {
BinaryOperatorKind OpKind = BOp->getOpcode();
if (!BOp->isAdditiveOp() && OpKind != BO_AddAssign && OpKind != BO_SubAssign)
return;
const Expr *Lhs = BOp->getLHS();
const Expr *Rhs = BOp->getRHS();
ProgramStateRef State = C.getState();
if (Rhs->getType()->isIntegerType() && Lhs->getType()->isPointerType()) {
SVal RHSVal = State->getSVal(Rhs, C.getLocationContext());
if (State->isNull(RHSVal).isConstrainedTrue())
return;
reportPointerArithMisuse(Lhs, C, !BOp->isAdditiveOp());
}
// The int += ptr; case is not valid C++.
if (Lhs->getType()->isIntegerType() && Rhs->getType()->isPointerType()) {
SVal LHSVal = State->getSVal(Lhs, C.getLocationContext());
if (State->isNull(LHSVal).isConstrainedTrue())
return;
reportPointerArithMisuse(Rhs, C);
}
} }
void ento::registerPointerArithChecker(CheckerManager &mgr) { void ento::registerPointerArithChecker(CheckerManager &mgr) {
mgr.registerChecker<PointerArithChecker>(); mgr.registerChecker<PointerArithChecker>();
} }

cfe/trunk/test/Analysis/PR24184.cpp

// RUN: %clang_cc1 -w -analyze -analyzer-eagerly-assume -fcxx-exceptions -analyzer-checker=core -analyzer-checker=alpha.core.PointerArithm,alpha.core.CastToStruct -analyzer-max-loop 64 -verify %s // RUN: %clang_cc1 -w -analyze -analyzer-eagerly-assume -fcxx-exceptions -analyzer-checker=core -analyzer-checker=alpha.core.PointerArithm,alpha.core.CastToStruct -analyzer-max-loop 64 -verify %s
// RUN: %clang_cc1 -w -analyze -analyzer-checker=core -analyzer-checker=cplusplus -fcxx-exceptions -analyzer-checker alpha.core.PointerArithm,alpha.core.CastToStruct -analyzer-max-loop 63 -verify %s // RUN: %clang_cc1 -w -analyze -analyzer-checker=core -analyzer-checker=cplusplus -fcxx-exceptions -analyzer-checker alpha.core.PointerArithm,alpha.core.CastToStruct -analyzer-max-loop 63 -verify %s
// These tests used to hit an assertion in the bug report. Test case from http://llvm.org/PR24184. // These tests used to hit an assertion in the bug report. Test case from http://llvm.org/PR24184.
typedef struct { typedef struct {
int cbData; int cbData;
unsigned pbData; unsigned pbData;
} CRYPT_DATA_BLOB; } CRYPT_DATA_BLOB;
typedef enum { DT_NONCE_FIXED } DATA_TYPE; typedef enum { DT_NONCE_FIXED } DATA_TYPE;
int a; int a;
typedef int *vcreate_t(int *, DATA_TYPE, int, int); typedef int *vcreate_t(int *, DATA_TYPE, int, int);
void fn1(unsigned, unsigned) { void fn1(unsigned, unsigned) {
char b = 0; char b = 0;
for (; 1; a++, &b + a * 0) // expected-warning{{Pointer arithmetic done on non-array variables means reliance on memory layout, which is dangerous}} for (; 1; a++, &b + a * 0)
; ;
} }
vcreate_t fn2; vcreate_t fn2;
struct A { struct A {
CRYPT_DATA_BLOB value; CRYPT_DATA_BLOB value;
int m_fn1() { int m_fn1() {
int c; int c;
Show All 26 Linestypedef struct {
unsigned char *pbData; unsigned char *pbData;
} CRYPT_DATA_BLOB_1; } CRYPT_DATA_BLOB_1;
typedef unsigned uint32_t; typedef unsigned uint32_t;
void fn1_1(void *p1, const void *p2) { p1 != p2; } void fn1_1(void *p1, const void *p2) { p1 != p2; }
void fn2_1(uint32_t *p1, unsigned char *p2, uint32_t p3) { void fn2_1(uint32_t *p1, unsigned char *p2, uint32_t p3) {
unsigned i = 0; unsigned i = 0;
for (0; i < p3; i++) for (0; i < p3; i++)
fn1_1(p1 + i, p2 + i * 0); // expected-warning{{Pointer arithmetic done on non-array variables means reliance on memory layout, which is dangerous}} fn1_1(p1 + i, p2 + i * 0);
} }
struct A_1 { struct A_1 {
CRYPT_DATA_BLOB_1 value; CRYPT_DATA_BLOB_1 value;
uint32_t m_fn1() { uint32_t m_fn1() {
uint32_t a; uint32_t a;
if (value.pbData) if (value.pbData)
fn2_1(&a, value.pbData, value.cbData); fn2_1(&a, value.pbData, value.cbData);
Show All 31 Lines

cfe/trunk/test/Analysis/fields.c

Show All 10 Lines
} }
struct s { struct s {
int n; int n;
}; };
void f() { void f() {
struct s a; struct s a;
int *p = &(a.n) + 1; int *p = &(a.n) + 1; // expected-warning{{Pointer arithmetic on}}
} }
typedef struct { typedef struct {
int x,y; int x,y;
} Point; } Point;
Point getit(void); Point getit(void);
void test() { void test() {
▲ Show 20 LinesShow All 98 LinesShow Last 20 Lines

cfe/trunk/test/Analysis/ptr-arith.c

Show First 20 LinesShow All 46 Lines▼ Show 20 Lines
void f4() { void f4() {
int *p; int *p;
p = (int*) 0x10000; // expected-warning{{Using a fixed address is not portable because that address will probably not be valid in all environments or platforms}} p = (int*) 0x10000; // expected-warning{{Using a fixed address is not portable because that address will probably not be valid in all environments or platforms}}
} }
void f5() { void f5() {
int x, y; int x, y;
int *p; int *p;
p = &x + 1; // expected-warning{{Pointer arithmetic done on non-array variables means reliance on memory layout, which is dangerous}} p = &x + 1; // expected-warning{{Pointer arithmetic on non-array variables relies on memory layout, which is dangerous}}
int a[10]; int a[10];
p = a + 1; // no-warning p = a + 1; // no-warning
} }
// Allow arithmetic on different symbolic regions. // Allow arithmetic on different symbolic regions.
void f6(int *p, int *q) { void f6(int *p, int *q) {
int d = q - p; // no-warning int d = q - p; // no-warning
} }
void null_operand(int *a) { void null_operand(int *a) {
start: start:
// LHS is a label, RHS is NULL // LHS is a label, RHS is NULL
clang_analyzer_eval(&&start != 0); // expected-warning{{TRUE}} clang_analyzer_eval(&&start != 0); // expected-warning{{TRUE}}
clang_analyzer_eval(&&start >= 0); // expected-warning{{TRUE}} clang_analyzer_eval(&&start >= 0); // expected-warning{{TRUE}}
clang_analyzer_eval(&&start > 0); // expected-warning{{TRUE}} clang_analyzer_eval(&&start > 0); // expected-warning{{TRUE}}
clang_analyzer_eval((&&start - 0) != 0); // expected-warning{{TRUE}} clang_analyzer_eval((&&start - 0) != 0); // expected-warning{{TRUE}}
// LHS is a non-symbolic value, RHS is NULL // LHS is a non-symbolic value, RHS is NULL
clang_analyzer_eval(&a != 0); // expected-warning{{TRUE}} clang_analyzer_eval(&a != 0); // expected-warning{{TRUE}}
clang_analyzer_eval(&a >= 0); // expected-warning{{TRUE}} clang_analyzer_eval(&a >= 0); // expected-warning{{TRUE}}
clang_analyzer_eval(&a > 0); // expected-warning{{TRUE}} clang_analyzer_eval(&a > 0); // expected-warning{{TRUE}}
clang_analyzer_eval((&a - 0) != 0); // expected-warning{{TRUE}} expected-warning{{Pointer arithmetic done on non-array variables}} clang_analyzer_eval((&a - 0) != 0); // expected-warning{{TRUE}}
// LHS is NULL, RHS is non-symbolic // LHS is NULL, RHS is non-symbolic
// The same code is used for labels and non-symbolic values. // The same code is used for labels and non-symbolic values.
clang_analyzer_eval(0 != &a); // expected-warning{{TRUE}} clang_analyzer_eval(0 != &a); // expected-warning{{TRUE}}
clang_analyzer_eval(0 <= &a); // expected-warning{{TRUE}} clang_analyzer_eval(0 <= &a); // expected-warning{{TRUE}}
clang_analyzer_eval(0 < &a); // expected-warning{{TRUE}} clang_analyzer_eval(0 < &a); // expected-warning{{TRUE}}
// LHS is a symbolic value, RHS is NULL // LHS is a symbolic value, RHS is NULL
▲ Show 20 LinesShow All 229 LinesShow Last 20 Lines

cfe/trunk/test/Analysis/ptr-arith.cpp

// RUN: %clang_cc1 -analyze -analyzer-checker=core,debug.ExprInspection -verify %s // RUN: %clang_cc1 -Wno-unused-value -std=c++14 -analyze -analyzer-checker=core,debug.ExprInspection,alpha.core.PointerArithm -verify %s
// expected-no-diagnostics
struct X { struct X {
int *p; int *p;
int zero; int zero;
void foo () { void foo () {
reset(p - 1); reset(p - 1);
} }
void reset(int *in) { void reset(int *in) {
while (in != p) // Loop must be entered. while (in != p) // Loop must be entered.
zero = 1; zero = 1;
} }
}; };
int test (int *in) { int test (int *in) {
X littleX; X littleX;
littleX.zero = 0; littleX.zero = 0;
littleX.p = in; littleX.p = in;
littleX.foo(); littleX.foo();
return 5/littleX.zero; // no-warning return 5/littleX.zero; // no-warning
} }
class Base {};
class Derived : public Base {};
void checkPolymorphicUse() {
Derived d[10];
Base *p = d;
++p; // expected-warning{{Pointer arithmetic on a pointer to base class is dangerous}}
}
void checkBitCasts() {
long l;
char *p = (char*)&l;
p = p+2;
}
void checkBasicarithmetic(int i) {
int t[10];
int *p = t;
++p;
int a = 5;
p = &a;
++p; // expected-warning{{Pointer arithmetic on non-array variables relies on memory layout, which is dangerous}}
p = p + 2; // expected-warning{{}}
p = 2 + p; // expected-warning{{}}
p += 2; // expected-warning{{}}
a += p[2]; // expected-warning{{}}
p = i*0 + p;
p = p + i*0;
p += i*0;
}
void checkArithOnSymbolic(int*p) {
++p;
p = p + 2;
p = 2 + p;
p += 2;
(void)p[2];
}
struct S {
int t[10];
};
void arrayInStruct() {
S s;
int * p = s.t;
++p;
S *sp = new S;
p = sp->t;
++p;
delete sp;
}
void checkNew() {
int *p = new int;
p[1] = 1; // expected-warning{{}}
}
void InitState(int* state) {
state[1] = 1; // expected-warning{{}}
}
int* getArray(int size) {
if (size == 0)
return new int;
return new int[5];
}
void checkConditionalArray() {
int* maybeArray = getArray(0);
InitState(maybeArray);
}
void checkMultiDimansionalArray() {
int a[5][5];
*(*(a+1)+2) = 2;
}

cfe/trunk/test/Analysis/rdar-6442306-1.m

// RUN: %clang_cc1 -analyze -analyzer-checker=core,alpha.core %s -analyzer-store=region -verify // RUN: %clang_cc1 -analyze -analyzer-checker=core,alpha.core -analyzer-disable-checker=alpha.core.PointerArithm %s -analyzer-store=region -verify
// expected-no-diagnostics // expected-no-diagnostics
typedef int bar_return_t; typedef int bar_return_t;
typedef struct { typedef struct {
unsigned char int_rep; unsigned char int_rep;
} Foo_record_t; } Foo_record_t;
extern Foo_record_t Foo_record; extern Foo_record_t Foo_record;
struct QuxSize {}; struct QuxSize {};
Show All 25 Lines