This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
1/1
ArrayBoundCheckerV2.cpp
-
test/Analysis/
-
Analysis/
-
out-of-bounds.c

Differential D150446

[analyzer] Check ArraySubscriptExprs in ArrayBoundCheckerV2
AbandonedPublic

Authored by donat.nagy on May 12 2023, 6:44 AM.

Download Raw Diff

Details

Reviewers

dkrupp
gamesh411
steakhal
NoQ

Summary

The checker alpha.security.ArrayBoundV2 was implemented with a check::Location callback, so it triggered on memory read or write operations (and checked memory operations that handled ElementRegions).

The generality of this solution was elegant, but I'm replacing it with an implementation based on check::PreStmt<ArraySubscriptExpr>, because that'll be a better base for implementing intuitive and detailed error reports.

The logic for simplifying symbolically handled inequalities is unchanged and the existing unit tests pass under then new implementation without changes. Moreover, I'm highlighting the imprevements with four unit tests that all fail before this commit and pass with this commit:

(1) The case test_indirect_use() shows that the new code places the bug report at the location where an array is indexed incorrectly, while the old implementation placed the bug report in use_ptr() where the bad ElementRegion was accessed. I think this new behavior is more intuitive and basically a prerequisite for producing high quality error reports.

(2) The case test_multidim_generic() shows that the old logic badly mishandled multidimensional arrays.

(3) The case test_field() reveals that the old logic didn't notice memory access that touched only a FieldRegion inside an erroneous ElementRegion.

(4) The case test_in_unknown_space() shows that the checker had ignored all underflows occuring in UnknownSpaceRegion (i.e. memory accessed via unknown pointers) even if they happened in a well-structured area.

Among these issues (1) needed the switch to check::PreStmt, (2) and (3) are more elegant with check::PreStmt, but could've been solved with check::Location, and (4) is an independent improvement.

Finally, this commit also adds the testcases test_multidim_zero() and test_undersized_region() which are currently disabled, but should be fixed and enabled by followup commits.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

donat.nagy created this revision.May 12 2023, 6:44 AM

Herald added a reviewer: NoQ. · View Herald TranscriptMay 12 2023, 6:44 AM

Herald added a project: Restricted Project. · View Herald Transcript

Herald added subscribers: manas, ASDenysPetrov, martong and 7 others. · View Herald Transcript

donat.nagy requested review of this revision.May 12 2023, 6:44 AM

Herald added a project: Restricted Project. · View Herald TranscriptMay 12 2023, 6:44 AM

Herald added a subscriber: cfe-commits. · View Herald Transcript

After some thinking and discussion with @gamesh411 I decided that it'd be better to replace the callback used by this checker. This is a clean but rough draft of this concept; for a final version I'd consider:

adding a secondary callback that handles *ptr equivalently to ptr[0];
including a special case that it's valid to form an after-the-end pointer as &arr[N] where N is the length of the array;
including a check::Location callback that creates bug reports when these after-the-end pointers are dereferenced.

@steakhal What do you think about this design direction?

(Re-uploaded patch to apply clang-format changes and remove a stray temporary comment.)

Harbormaster completed remote builds in B231594: Diff 521640.May 12 2023, 9:00 AM

I still struggle to see the motivation.
Please consider adding a test demonstraing a case when the diagnostic is not relevant or easily misunderstood by the users. Alternatively, give an evaluation of this change so that I can see it myself. In the end it would still make sense to have something to talk about some specifi case(s).

I started to create tests to demonstrate the differences from the baseline, and it turns out that my patch is handling multidimensional arrays incorrectly. I'll debug this issue and upload a fixed version of this patch.

I managed to debug the issue that plagued my commit (see test_multidim_zero() for details, I think I'll fix it in a followup change); and I have uploaded a new version of this patch with testcases that highlight the improvements introduced by it.

@steakhal If you need any additional clarification, feel free to ask me.

By the way, I'm fed up with the hack that ElementRegion is used for three separate things ("real" array indexing, casts and pointer arithmetic). To fix this I'm thinking about introducing a subclass hierarchy where a base class ElementLikeRegion has three subclasses:

ElementRegion represents the smaller memory area of one element in an array,
CastRegion represents the same memory area, but with a different type, and
OffsetRegion represents the same memory area, but with a different starting point.

Most old references to ElementRegion could be replaced by references to ElementLikeRegion, but functions like stripCasts() would be able to distinguish between the subclasses and do the intuitive thing.

What do you think about this idea? Do you see any problem with it?

(By the way I'm not satisfied with these quickly picked class names -- feel free to suggest better ones!)

Harbormaster completed remote builds in B232271: Diff 522544.May 16 2023, 5:31 AM

In D150446#4345723, @donat.nagy wrote:

By the way, I'm fed up with the hack that ElementRegion is used for three separate things ("real" array indexing, casts and pointer arithmetic). To fix this I'm thinking about introducing a subclass hierarchy where a base class ElementLikeRegion has three subclasses:

ElementRegion represents the smaller memory area of one element in an array,

CastRegion represents the same memory area, but with a different type, and

OffsetRegion represents the same memory area, but with a different starting point.

Most old references to ElementRegion could be replaced by references to ElementLikeRegion, but functions like stripCasts() would be able to distinguish between the subclasses and do the intuitive thing.

What do you think about this idea? Do you see any problem with it?

Ah, yes. I agree that this is a real issue. However, it's going to be non-trivial to lift all uses. ATM I cannot see immediate blockers.
I can only encourage you to explore this direction and report back in an RFC on discourse.
That change should be an NFC change, and only afterward apply semantic improvements - that are likely uncovered by this proposal.

(By the way I'm not satisfied with these quickly picked class names -- feel free to suggest better ones!)

Yes, there are probably better alternatives. Let's push this aside for now.

I'll move this class hierarchy modification question into a discourse thread after collecting the relevant facts. (By the way, thanks for suggesting discourse, I was not aware of it!)

@steakhal What is your first impression about this commit? Is this the (or at least a) good direction? May I continue with creating additional improvements (e.g. better error messages) that depend on this commit?

I'll come back one or two weeks later.

By the way, I'm fed up with the hack that ElementRegion is used for three separate things ("real" array indexing, casts and pointer arithmetic). To fix this I'm thinking about introducing a subclass hierarchy where a base class ElementLikeRegion has three subclasses:

ElementRegion represents the smaller memory area of one element in an array,

CastRegion represents the same memory area, but with a different type, and

OffsetRegion represents the same memory area, but with a different starting point.

Most old references to ElementRegion could be replaced by references to ElementLikeRegion, but functions like stripCasts() would be able to distinguish between the subclasses and do the intuitive thing.

What do you think about this idea? Do you see any problem with it?

(By the way I'm not satisfied with these quickly picked class names -- feel free to suggest better ones!)

My usual response to this is, "region types were a mistake". Every single time when the program relies on region type, it is actually supposed to rely on either AST type behind the program point, or on the dynamic type map if runtime types are of interest. I believe the ideal solution is to remove all non-base regions (ElementRegion, FieldRegion, CXXBaseObjectRegion, CXXDerivedObjectRegion) entirely, and instead represent all single-location values as (base region, offset) pairs (where offset can be an arbitrary SVal of appropriate numeric type), and represent regions as (base region, begin offset, end offset) triples.

So for example the SymbolRegionValue{FieldRegion{VarRegion}} object reg_$0<int var->field> would be turned into a SymbolRegionValue{VarRegion, Offset} object reg_$0<int var @+32> where 32 is the bit offset of field field in the struct. We could preserve the end offset here as well, but the int part already tells us that it's 64 or something like that. Funny type punning should probably be handled by the surrounding expression instead; here we just need to capture what the memory read looked like when it produced that symbol.

Basically do whatever RegionStore already does right, everywhere else.

I have more thoughts/examples at https://github.com/llvm/llvm-project/issues/42709

I don't know whether my solution is easier to implement than your solution. My solution yields a much simpler system at the end (whereas your solution increases complexity), but in my case the changes can be pretty dramatic. Both solutions will be pretty hard because you'll have to untangle a lot of code built specifically to deal with the existing artificial ambiguities. One good thing about my solution is, you'd at least be able to consult runtime behavior as the ultimate source of truth; region types aren't part of the runtime behavior so there's no right or wrong way to handle them so they'll always be a source of confusion. But if I was to guess, I'd say your solution is probably more realistic to implement on a short time frame, and you might be able to make your work somewhat incremental as well, by introducing the new regions in more and more cases.

I'm replacing it with an implementation based on check::PreStmt<ArraySubscriptExpr>

I think this is a great call; there's no fundamental reason why this would be more precise, but this tightly ties the problem to source code (as opposed to low-level memory layout), which allows us to shape the entire analysis differently and communicate with the user more efficiently.

One straightforward implication is that this way we avoid dealing with multiplication/division when calculating offsets. This is particularly valuable when the offset is symbolic, so existing decomposition into RegionOffset basically gives up. Of course we could fix RegionOffset to correctly compute a symbolic offset value instead, with all the multiplications and divisions over symbolic expressions. Then the constraint solver will need to solve these multiplications/divisions. Of course we could improve the constraint solver to handle them better, but if we can avoid this entirely, why not? Then, after the solver gives us the answer, we have to explain the answer to the user. And then, again, this isn't unsolvable, but that explanation would be much more convoluted in terms of symbolic byte offsets, than in terms of the actual source-level array index.

Now, symbolic offsets are actually extremely important because I believe this is pretty much the only case where we can reach good false positive rate. A typical loop over an array will be modeled by assigning the loop counter to concrete values 0, 1, 2, 3 and simulating the loop. This is the root cause of many false positives because the assumption that the loop can definitely be executed exactly 0 (or exactly 1 or exactly 2 or exactly 3) times is deeply incorrect. However when the index is symbolic, it indicates that the index is not a loop counter, so these false positives aren't going to hurt us.

Finally, when it comes to reclaiming our chance of finding bugs in loops, I think you should try to take your patch to the next level: don't even warn at check::PreStmt<ArraySubscriptExpr>, warn at checkPreStmt<ForStmt>!! Where check::PreStmt<ForStmt> is not actually a thing we support yet, but you get the point, simulate it with check::BranchCondition or something. The point is to analyze the loop ahead of time, syntactically or in a flow-sensitive manner (just like the loop unrolling facility figures out if a loop is worth unrolling, or how clang-tidy's bugprone-infinite-loop finds infinite loops), identify access patterns to the array in the loop, reach a conclusion that the array will be accessed by the loop up to a certain bound, compute symbolic value of that bound, and verify that it's within array bounds immediately, before entering the loop! In this case it doesn't matter how imprecise our loop modeling is, you'll still be able to reduce the concrete loop unrolling problem into a symbolic constraint problem, which we have a much better chance of solving correctly beyond toy examples.

@NoQ Re: ElementRegion hacks: Your suggestion is very convincing, and I agree that while my idea would bring some clarity to some particular issues, overall it would just worsen the "chaotic heap of classes" situation. The only advantage of my solution is that it would be an incremental change; but it's only incrementing the amount of problems, so I think I won't continue working on it.

On the other hand, I'd be interested in participating in the implementation of your suggestion. Unfortunately I don't have enough capacity to just sit down and start coding it; but I could suggest this reorganization as a potential thesis topic for a student/intern. (Our team regularly gets interns from Eötvös Loránd University; if one of them is interested, then perhaps we could tackle this issue with me in a mentor / advisor role, and the student creating the bulk of the code reorganization commits. These are very far-fetched plans, but I'd be glad to see the cleanup that you suggested and I'll try to contribute what I can. Of course if you have a more concrete plan for doing this rewrite, then instead of intruding I'm happy to help with e.g. reviews.)

Re: this review:

One straightforward implication is that this way [checking PreStmt<ArraySubscriptExpr>] we avoid dealing with multiplication/division when calculating offsets.

Unfortunately this is not the case, because the size of the arrays (calculated by clang::ento::getDynamicExtent() in DynamicExtent.cpp) is still expressed in bytes ("CharUnits") and we need to multiply the index with sizeof(elemType) before we can compare it to this value. The distinguishing feature of ArrayBoundCheckerV2 is that it has some (ad-hoc but useful) logic for reasoning about some multiplications; that part is not changed by this commit.

Now that you mention it, I see that it would be nice to avoid bothering with byte offsets and multiplications in the simple case when we want to take a single int from an array of ints. To achieve this we'd need to introduce extent handling functions that measure the size of arrays in number of elements (of what kind?) instead of bytes; right now I don't know how difficult would it be to achieve that. (As far as I see the extent is usually either a constant [that can be readily divided], or it's a freshly conjured symbol... Are those symbols used for anything meaningful? Can we ever put an upper bound on them?) However this all should probably belong to a separate commit/review/discourse thread.

Re: PreStmt<ForStmt>: That's a very good idea, but I feel that it belongs to the "engine level" and it's mostly orthogonal to the behavior this checker. My short-term (or at most medium-term) goal is to move this checker out of alpha (fix bugs, squash common false positives, improve messages etc.) and here I accept the limitation that (like all the currently "stable" checkers) it's mostly limited to loop-less code. On a longer term it'd be interesting to work on improving the loop handling engine (or just adding a gimmicky "loop prediction" ability to this checker); but I don't have concrete plans that far ahead.

In D150446#4337657, @donat.nagy wrote:

After some thinking and discussion with @gamesh411 I decided that it'd be better to replace the callback used by this checker. This is a clean but rough draft of this concept; for a final version I'd consider:

adding a secondary callback that handles *ptr equivalently to ptr[0];

including a special case that it's valid to form an after-the-end pointer as &arr[N] where N is the length of the array;

including a check::Location callback that creates bug reports when these after-the-end pointers are dereferenced.

@steakhal What do you think about this design direction?

Could you elaborate on this part?
To clarify my position, I think we can go with either approach. We can stay with the check::Location, or with the PreStmt route.
To me, the only important aspect is to not regress, or prove that the places where we regress are for a good reason, and in the end we provide more valuable reports to the user.
For example, we can sacrifice some TPs for dropping a large number of FPs. That seems to be a good deal, even if we "regress" on some aspect.

Anyway, I just checked the impact of this patch and it was so big that I rerun the measurement to be sure (thus the delay :D), but it didn't get any better.
There are a lot more reports if I apply this patch, which suggests to me that there is something wrong.

For instance, in this example, we currently don't report any warnings, but with the patch, we would have some. https://godbolt.org/z/sjcrfP8df
We also lose some reports like this: https://godbolt.org/z/8113nrYhe

Please investigate it and also do comparative checks on real codebases to make sure the change is aligned with the expectations.
Given that some of our users depend on the current behavior, we should ensure that no reports disappear or appear unless they are justified.

This revision now requires changes to proceed.Jun 7 2023, 6:40 AM

Thanks for the review and the testing!

[...] What do you think about this design direction?

Could you elaborate on this part?

In short, this review should've been a discourse thread about my "switch to the PreStmt route" plan: I wanted to ask for architectural / high-level opinions before working on the details. If you or other reviewers don't reject this plan outright, I'll flesh out the secondary features (e.g. recognizing that *(arr+5) is equivalent to arr[5]).

To me, the only important aspect is to not regress, or prove that the places where we regress are for a good reason, and in the end we provide more valuable reports to the user.

My goal is to turn this checker into a useful and stable (i.e. non-alpha) checker as soon as possible.

On this path eliminating FPs (and improving the messages) is a high priority goal, but I would freely accept losing TPs as long as the remaining ones are still enough to be useful. (Theoretical example: if the current code reports a certain unusual TP (with a spartan message), but it'd be difficult to give a good error message in that situation, then I'd prefer sacrificing that TP on the altar of quick progress. Once the checker is out of alpha, we can re-add support for non-essential cases like that.)

For instance, in this example, we currently don't report any warnings, but with the patch, we would have some. https://godbolt.org/z/sjcrfP8df

I have a suspicion that these issues might be caused by the heuristics that I'm using to guess the "meaning" of the ElementRegion layers (I marked them with an inline comment). I'll examine and troubleshoot them, but probably only during the next week, because right now I'm in the middle of another task (upstreaming the ericsson-internal BitwiseShift checker) and I'd like to reach a milestone on it (e.g. starting the open source review).

We also lose some reports like this: https://godbolt.org/z/8113nrYhe

I know that this commit does not handle "array indexing" that's expressed with the pointer dereferencing operator. Re-adding this feature is a very straightforward task, and nothing depends on it, so I'll only invest work into it if I see that the other, less clear steps of my plans are successful.

clang/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp
318–319	This is the heuristic that I'm talking about in the main comment block. Note that the new code only strips ElementRegion layers where the type is the same, while the old code stripped all ElementRegion layers (and thus produced crazy FNs on multidimensional arrays).

Okay. I think we are aligned. I'm still uncomfortable sacrificing reports for fast pace development. IMO if that is the goal, then a brand new alpha checker is the way forward.
You can be sure that no external users depend on it as its brand new. Unlike with this V2 checker.
If everything goes well, after a careful evaluation we could drop V1 and V2 in favor of V3.
However, if let's say in a year that goal is not reached, we should probably do some cleanup regardless, so we not make the situation worse by having 3 unfinished alpha oob checkers. That would be a shame.

WDYT about a new checker?

Hmm, I agree that a new checker might be better for the situation when we'd sacrifice a significant amount of TPs, but after reconsidering the situation I think that my concerns are mostly theoretical: if the current code reports an issue, then it's probably not too difficult to provide a concise and useful bug report for it. (And if the issue is an eldritch mess that cannot be described in a concise manner, then it's better to ignore it...)

I might still temporarily "sacrifice" TPs or other advantages during the initial steps of the code reorganization (to keep the commit size more manageable), but I'll pay attention to compensating these in later commits (which may be merged at the same moment as the earlier ones).

donat.nagy mentioned this in D157104: [analyzer] Improve underflow handling in ArrayBoundV2.Aug 4 2023, 8:07 AM

I'm abandoning this commit because it amalgamates several unrelated changes and I think it'd be better to handle them separately:

First, there is a very simple, independent improvement related to underflows and UnknownSpaces. I already created the separate commit D157104 for this (reviews are welcome ;) ).
As the title of this commit says, I wanted to turn this checker into a Checker<check::PreStmt<ArraySubscriptExpr>> instead of a Checker<check::Location>. I'm still planning to do this transition in a separate commit because I feel that this will be needed to compose good warning messages and there are a few situations like the testcase test_field where the check::Location model produces counter-intuitive results. (When I implement this, I'll also ensure that *p and p->field are handled analogously to p[0], but perhaps these will be in a separate commit.)
Finally there is the "simplify RegionRawOffsetV2::computeOffset and fix multidimensional array handling" change. This is the modification that was responsible for the multitude of false positives caused by this commit; and I don't have a quick fix for it (the engine abuses ElementRegion to record pointer arithmetic and I didn't find a clear way to distinguish it from real element access). On the short-term I think I'll need to accept that this checker will produce false negatives in situations when one element of a multi-dimensional array is over-indexed without overflowing the whole array (e.g. if arr is declared as int arr[5][5], then arr[1][10] over-indexes arr[1], but points inside the full area of the matrix); but fortunately this is not a fatal limitation (it only produces false negatives, multi-dimensional arrays are not too common).

Herald added a subscriber: wangpc. · View Herald TranscriptAug 4 2023, 8:41 AM

In D150446#4560892, @donat.nagy wrote:

I'm abandoning this commit because it amalgamates several unrelated changes and I think it'd be better to handle them separately:

First, there is a very simple, independent improvement related to underflows and UnknownSpaces. I already created the separate commit D157104 for this (reviews are welcome ;) ).

As the title of this commit says, I wanted to turn this checker into a Checker<check::PreStmt<ArraySubscriptExpr>> instead of a Checker<check::Location>. I'm still planning to do this transition in a separate commit because I feel that this will be needed to compose good warning messages and there are a few situations like the testcase test_field where the check::Location model produces counter-intuitive results. (When I implement this, I'll also ensure that *p and p->field are handled analogously to p[0], but perhaps these will be in a separate commit.)

Finally there is the "simplify RegionRawOffsetV2::computeOffset and fix multidimensional array handling" change. This is the modification that was responsible for the multitude of false positives caused by this commit; and I don't have a quick fix for it (the engine abuses ElementRegion to record pointer arithmetic and I didn't find a clear way to distinguish it from real element access). On the short-term I think I'll need to accept that this checker will produce false negatives in situations when one element of a multi-dimensional array is over-indexed without overflowing the whole array (e.g. if arr is declared as int arr[5][5], then arr[1][10] over-indexes arr[1], but points inside the full area of the matrix); but fortunately this is not a fatal limitation (it only produces false negatives, multi-dimensional arrays are not too common).

I'd like to thank you your effort on this subject.

donat.nagy mentioned this in D158707: [analyzer] Fix a few size-type signedness inconsistency related to DynamicExtent.Aug 28 2023, 7:21 AM

GitHub <noreply@github.com> mentioned this in rGdfdedaf6dae0: [analyzer] Switch to PostStmt callbacks in ArrayBoundV2 (#72107).Tue, Dec 5, 7:17 AM

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Checkers/

ArrayBoundCheckerV2.cpp

138 lines

test/

Analysis/

out-of-bounds.c

46 lines

Diff 522544

clang/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp

Show All 24 Lines
#include "llvm/Support/raw_ostream.h"		#include "llvm/Support/raw_ostream.h"
#include <optional>		#include <optional>

using namespace clang;		using namespace clang;
using namespace ento;		using namespace ento;
using namespace taint;		using namespace taint;

namespace {		namespace {
class ArrayBoundCheckerV2 :		class ArrayBoundCheckerV2 : public Checker<check::PreStmt<ArraySubscriptExpr>> {
public Checker<check::Location> {
mutable std::unique_ptr<BuiltinBug> BT;		mutable std::unique_ptr<BuiltinBug> BT;
mutable std::unique_ptr<BugType> TaintBT;		mutable std::unique_ptr<BugType> TaintBT;

enum OOB_Kind { OOB_Precedes, OOB_Excedes };		enum OOB_Kind { OOB_Precedes, OOB_Excedes };

void reportOOB(CheckerContext &C, ProgramStateRef errorState,		void reportOOB(CheckerContext &C, ProgramStateRef errorState,
OOB_Kind kind) const;		OOB_Kind kind) const;
void reportTaintOOB(CheckerContext &C, ProgramStateRef errorState,		void reportTaintOOB(CheckerContext &C, ProgramStateRef errorState,
SVal TaintedSVal) const;		SVal TaintedSVal) const;

static bool isFromCtypeMacro(const Stmt *S, ASTContext &AC);		static bool isFromCtypeMacro(const Stmt *S, ASTContext &AC);

public:		public:
void checkLocation(SVal l, bool isLoad, const Stmt *S,		void checkPreStmt(const ArraySubscriptExpr *ASE, CheckerContext &C) const;
CheckerContext &C) const;
};		};

// FIXME: Eventually replace RegionRawOffset with this class.		// FIXME: Eventually replace RegionRawOffset with this class.
class RegionRawOffsetV2 {		class RegionRawOffsetV2 {
private:		private:
const SubRegion *baseRegion;		const SubRegion *baseRegion;
NonLoc byteOffset;		NonLoc byteOffset;

public:		public:
RegionRawOffsetV2(const SubRegion *base, NonLoc offset)		RegionRawOffsetV2(const SubRegion *base, NonLoc offset)
: baseRegion(base), byteOffset(offset) { assert(base); }		: baseRegion(base), byteOffset(offset) { assert(base); }

NonLoc getByteOffset() const { return byteOffset; }		NonLoc getByteOffset() const { return byteOffset; }
const SubRegion *getRegion() const { return baseRegion; }		const SubRegion *getRegion() const { return baseRegion; }

static std::optional<RegionRawOffsetV2>		static std::optional<RegionRawOffsetV2>
computeOffset(ProgramStateRef State, SValBuilder &SVB, SVal Location);		computeOffset(ProgramStateRef State, SValBuilder &SVB,
		const LocationContext LCtx, const ArraySubscriptExpr ASE);

void dump() const;		void dump() const;
void dumpToStream(raw_ostream &os) const;		void dumpToStream(raw_ostream &os) const;
};		};
}		}

// TODO: once the constraint manager is smart enough to handle non simplified		// TODO: once the constraint manager is smart enough to handle non simplified
// symbolic expressions remove this function. Note that this can not be used in		// symbolic expressions remove this function. Note that this can not be used in
// the constraint manager as is, since this does not handle overflows. It is		// the constraint manager as is, since this does not handle overflows. It is
// safe to assume, however, that memory offsets will not overflow.		// safe to assume, however, that memory offsets will not overflow.
// NOTE: callers of this function need to be aware of the effects of overflows		// NOTE: callers of this function need to be aware of the effects of overflows
// and signed<->unsigned conversions!		// and signed<->unsigned conversions!
static std::pair<NonLoc, nonloc::ConcreteInt>		static std::pair<NonLoc, nonloc::ConcreteInt>
getSimplifiedOffsets(NonLoc offset, nonloc::ConcreteInt extent,		getSimplifiedOffsets(NonLoc offset, nonloc::ConcreteInt extent,
SValBuilder &svalBuilder) {		SValBuilder &svalBuilder) {
std::optional<nonloc::SymbolVal> SymVal = offset.getAs<nonloc::SymbolVal>();		std::optional<nonloc::SymbolVal> SymVal = offset.getAs<nonloc::SymbolVal>();
if (SymVal && SymVal->isExpression()) {		if (SymVal && SymVal->isExpression()) {
if (const SymIntExpr *SIE = dyn_cast<SymIntExpr>(SymVal->getSymbol())) {		if (const SymIntExpr *SIE = dyn_cast<SymIntExpr>(SymVal->getSymbol())) {
llvm::APSInt constant =		llvm::APSInt constant =
APSIntType(extent.getValue()).convert(SIE->getRHS());		APSIntType(extent.getValue()).convert(SIE->getRHS());
switch (SIE->getOpcode()) {		switch (SIE->getOpcode()) {
case BO_Mul:		case BO_Mul:
// The constant should never be 0 here, since it the result of scaling		// In a SymIntExpr multiplication the constant cannot be 0, because
// based on the size of a type which is never 0.		// then the enginge would've replaced it with a constant 0 value.
if ((extent.getValue() % constant) != 0)		if ((extent.getValue() % constant) != 0)
return std::pair<NonLoc, nonloc::ConcreteInt>(offset, extent);		return std::pair<NonLoc, nonloc::ConcreteInt>(offset, extent);
else		else
return getSimplifiedOffsets(		return getSimplifiedOffsets(
nonloc::SymbolVal(SIE->getLHS()),		nonloc::SymbolVal(SIE->getLHS()),
svalBuilder.makeIntVal(extent.getValue() / constant),		svalBuilder.makeIntVal(extent.getValue() / constant),
svalBuilder);		svalBuilder);
case BO_Add:		case BO_Add:
Show All 36 Lines	auto BelowThreshold =
SVB.evalBinOpNN(State, BO_LT, Value, Threshold, SVB.getConditionType()).getAs<NonLoc>();		SVB.evalBinOpNN(State, BO_LT, Value, Threshold, SVB.getConditionType()).getAs<NonLoc>();

if (BelowThreshold)		if (BelowThreshold)
return State->assume(*BelowThreshold);		return State->assume(*BelowThreshold);

return {nullptr, nullptr};		return {nullptr, nullptr};
}		}

void ArrayBoundCheckerV2::checkLocation(SVal location, bool isLoad,		void ArrayBoundCheckerV2::checkPreStmt(const ArraySubscriptExpr *ASE,
const Stmt* LoadS,		CheckerContext &C) const {
CheckerContext &checkerContext) const {

// NOTE: Instead of using ProgramState::assumeInBound(), we are prototyping		// NOTE: Instead of using ProgramState::assumeInBound(), we are prototyping
// some new logic here that reasons directly about memory region extents.		// some new logic here that reasons directly about memory region extents.
// Once that logic is more mature, we can bring it back to assumeInBound()		// Once that logic is more mature, we can bring it back to assumeInBound()
// for all clients to use.		// for all clients to use.
//
// The algorithm we are using here for bounds checking is to see if the
// memory access is within the extent of the base region. Since we
// have some flexibility in defining the base region, we can achieve
// various levels of conservatism in our buffer overflow checking.

// The header ctype.h (from e.g. glibc) implements the isXXXXX() macros as		// The header ctype.h (from e.g. glibc) implements the isXXXXX() macros as
// #define isXXXXX(arg) (LOOKUP_TABLE[arg] & BITMASK_FOR_XXXXX)		// #define isXXXXX(arg) (LOOKUP_TABLE[arg] & BITMASK_FOR_XXXXX)
// and incomplete analysis of these leads to false positives. As even		// and incomplete analysis of these leads to false positives. As even
// accurate reports would be confusing for the users, just disable reports		// accurate reports would be confusing for the users, just disable reports
// from these macros:		// from these macros:
if (isFromCtypeMacro(LoadS, checkerContext.getASTContext()))		if (isFromCtypeMacro(ASE, C.getASTContext()))
return;		return;

ProgramStateRef state = checkerContext.getState();		ProgramStateRef state = C.getState();

		SValBuilder &svalBuilder = C.getSValBuilder();

		const LocationContext *LCtx = C.getLocationContext();

SValBuilder &svalBuilder = checkerContext.getSValBuilder();
const std::optional<RegionRawOffsetV2> &RawOffset =		const std::optional<RegionRawOffsetV2> &RawOffset =
RegionRawOffsetV2::computeOffset(state, svalBuilder, location);		RegionRawOffsetV2::computeOffset(state, svalBuilder, LCtx, ASE);

if (!RawOffset)		if (!RawOffset)
return;		return;

NonLoc ByteOffset = RawOffset->getByteOffset();		NonLoc ByteOffset = RawOffset->getByteOffset();
		const SubRegion *Reg = RawOffset->getRegion();

// CHECK LOWER BOUND		// CHECK LOWER BOUND
const MemSpaceRegion *SR = RawOffset->getRegion()->getMemorySpace();		const MemSpaceRegion *Space = Reg->getMemorySpace();
if (!llvm::isa<UnknownSpaceRegion>(SR)) {		if (!(isa<SymbolicRegion>(Reg) && isa<UnknownSpaceRegion>(Space))) {
// A pointer to UnknownSpaceRegion may point to the middle of		// Symbolic regions in unknown spaces are used for modelling unknown
// an allocated region.		// pointers, so they may point to the middle of an array.

auto [state_precedesLowerBound, state_withinLowerBound] =		auto [state_precedesLowerBound, state_withinLowerBound] =
compareValueToThreshold(state, ByteOffset,		compareValueToThreshold(state, ByteOffset,
svalBuilder.makeZeroArrayIndex(), svalBuilder);		svalBuilder.makeZeroArrayIndex(), svalBuilder);

if (state_precedesLowerBound && !state_withinLowerBound) {		if (state_precedesLowerBound && !state_withinLowerBound) {
// We know that the index definitely precedes the lower bound.		// We know that the index definitely precedes the lower bound.
reportOOB(checkerContext, state_precedesLowerBound, OOB_Precedes);		reportOOB(C, state_precedesLowerBound, OOB_Precedes);
return;		return;
}		}

if (state_withinLowerBound)		if (state_withinLowerBound)
state = state_withinLowerBound;		state = state_withinLowerBound;
}		}

// CHECK UPPER BOUND		// CHECK UPPER BOUND
DefinedOrUnknownSVal Size =		DefinedOrUnknownSVal Size = getDynamicExtent(state, Reg, svalBuilder);
getDynamicExtent(state, RawOffset->getRegion(), svalBuilder);
if (auto KnownSize = Size.getAs<NonLoc>()) {		if (auto KnownSize = Size.getAs<NonLoc>()) {
auto [state_withinUpperBound, state_exceedsUpperBound] =		auto [state_withinUpperBound, state_exceedsUpperBound] =
compareValueToThreshold(state, ByteOffset, *KnownSize, svalBuilder);		compareValueToThreshold(state, ByteOffset, *KnownSize, svalBuilder);

if (state_exceedsUpperBound) {		if (state_exceedsUpperBound) {
if (!state_withinUpperBound) {		if (!state_withinUpperBound) {
// We know that the index definitely exceeds the upper bound.		// We know that the index definitely exceeds the upper bound.
reportOOB(checkerContext, state_exceedsUpperBound, OOB_Excedes);		reportOOB(C, state_exceedsUpperBound, OOB_Excedes);
return;		return;
}		}
if (isTainted(state, ByteOffset)) {		if (isTainted(state, ByteOffset)) {
// Both cases are possible, but the index is tainted, so report.		// Both cases are possible, but the index is tainted, so report.
reportTaintOOB(checkerContext, state_exceedsUpperBound, ByteOffset);		reportTaintOOB(C, state_exceedsUpperBound, ByteOffset);
return;		return;
}		}
}		}

if (state_withinUpperBound)		if (state_withinUpperBound)
state = state_withinUpperBound;		state = state_withinUpperBound;
}		}

checkerContext.addTransition(state);		C.addTransition(state);
}		}

void ArrayBoundCheckerV2::reportTaintOOB(CheckerContext &checkerContext,		void ArrayBoundCheckerV2::reportTaintOOB(CheckerContext &checkerContext,
ProgramStateRef errorState,		ProgramStateRef errorState,
SVal TaintedSVal) const {		SVal TaintedSVal) const {
ExplodedNode *errorNode = checkerContext.generateErrorNode(errorState);		ExplodedNode *errorNode = checkerContext.generateErrorNode(errorState);
if (!errorNode)		if (!errorNode)
return;		return;
▲ Show 20 Lines • Show All 69 Lines • ▼ Show 20 Lines	LLVM_DUMP_METHOD void RegionRawOffsetV2::dump() const {
dumpToStream(llvm::errs());		dumpToStream(llvm::errs());
}		}

void RegionRawOffsetV2::dumpToStream(raw_ostream &os) const {		void RegionRawOffsetV2::dumpToStream(raw_ostream &os) const {
os << "raw_offset_v2{" << getRegion() << ',' << getByteOffset() << '}';		os << "raw_offset_v2{" << getRegion() << ',' << getByteOffset() << '}';
}		}
#endif		#endif

/// For a given Location that can be represented as a symbolic expression		/// For a given ArraySubscriptExpr 'Ptr[Idx]', calculate a (Region, Offset)
/// Arr[Idx] (or perhaps Arr[Idx1][Idx2] etc.), return the parent memory block		/// pair where Region is the memory area that may be legitimately accessed via
/// Arr and the distance of Location from the beginning of Arr (expressed in a		/// Ptr and Offset is the distance of Ptr[Idx] from the beginning of Region
/// NonLoc that specifies the number of CharUnits). Returns nullopt when these		/// (expressed as a NonLoc that specifies the number of CharUnits). Returns
/// cannot be determined.		/// nullopt when these cannot be determined.
std::optional<RegionRawOffsetV2>		std::optional<RegionRawOffsetV2>
RegionRawOffsetV2::computeOffset(ProgramStateRef State, SValBuilder &SVB,		RegionRawOffsetV2::computeOffset(ProgramStateRef State, SValBuilder &SVB,
SVal Location) {		const LocationContext *LCtx,
QualType T = SVB.getArrayIndexType();		const ArraySubscriptExpr *ASE) {
auto Calc = [&SVB, State, T](BinaryOperatorKind Op, NonLoc LHS, NonLoc RHS) {		QualType ElemType = ASE->getType();
// We will use this utility to add and multiply values.		assert(!ElemType->isIncompleteType());
return SVB.evalBinOpNN(State, Op, LHS, RHS, T).getAs<NonLoc>();
};		QualType IdxType = SVB.getArrayIndexType();

const MemRegion *Region = Location.getAsRegion();		if (auto Idx = State->getSVal(ASE->getIdx(), LCtx).getAs<NonLoc>()) {
NonLoc Offset = SVB.makeZeroArrayIndex();		const MemRegion *R = State->getSVal(ASE->getBase(), LCtx).getAsRegion();
		const ElementRegion *ER;
while (Region) {		while ((ER = dyn_cast_or_null<ElementRegion>(R)) &&
if (const auto *ERegion = dyn_cast<ElementRegion>(Region)) {		ER->getElementType() == ElemType) {
		donat.nagyAuthorUnsubmitted Done Reply Inline Actions This is the heuristic that I'm talking about in the main comment block. Note that the new code only strips ElementRegion layers where the type is the same, while the old code stripped all ElementRegion layers (and thus produced crazy FNs on multidimensional arrays). donat.nagy: This is the heuristic that I'm talking about in the main comment block. Note that the new code…
if (const auto Index = ERegion->getIndex().getAs<NonLoc>()) {		// Special case to strip ElementRegion layers that represent pointer
QualType ElemType = ERegion->getElementType();		// arithmetics. For example in code like
// If the element is an incomplete type, go no further.		// char Text[] = "Hello world!", *Word = Text+6;
if (ElemType->isIncompleteType())		// the area *Word is represented as Element{<Text>, 6 S64B, char} which
		// is nominally a single byte area, but logically we want to handle
		// Word[X] equivalently to Text[X + 6]. On the other hand if we have
		// int Matrix[10][10];
		// we want to warn when we see Matrix[0][20] because this is logically
		// invalid and technically invokes undefined behavior when it takes the
		// 20th element of the int[10] value Matrix[0].
		R = ER->getSuperRegion();
		Idx = SVB.evalBinOpNN(State, BO_Add, *Idx, ER->getIndex(), IdxType)
		.getAs<NonLoc>();
		if (!Idx)
return std::nullopt;		return std::nullopt;
		}

// Perform Offset += Index * sizeof(ElemType); then continue the offset		if (const auto *SRegion = dyn_cast_or_null<SubRegion>(R)) {
// calculations with SuperRegion:		NonLoc ESize = SVB.makeArrayIndex(
NonLoc Size = SVB.makeArrayIndex(
SVB.getContext().getTypeSizeInChars(ElemType).getQuantity());		SVB.getContext().getTypeSizeInChars(ElemType).getQuantity());
if (auto Delta = Calc(BO_Mul, *Index, Size)) {		SVal Offset = SVB.evalBinOpNN(State, BO_Mul, ESize, *Idx, IdxType);
if (auto NewOffset = Calc(BO_Add, Offset, *Delta)) {		if (const auto OffsetNL = Offset.getAs<NonLoc>()) {
Offset = *NewOffset;		return RegionRawOffsetV2(SRegion, *OffsetNL);
Region = ERegion->getSuperRegion();
continue;
}
}		}
}		}
} else if (const auto *SRegion = dyn_cast<SubRegion>(Region)) {
// NOTE: The dyn_cast<>() is expected to succeed, it'd be very surprising
// to see a MemSpaceRegion at this point.
// FIXME: We may return with {<Region>, 0} even if we didn't handle any
// ElementRegion layers. I think that this behavior was introduced
// accidentally by 8a4c760c204546aba566e302f299f7ed2e00e287 in 2011, so
// it may be useful to review it in the future.
return RegionRawOffsetV2(SRegion, Offset);
}
return std::nullopt;
}		}
return std::nullopt;		return std::nullopt;
}		}

void ento::registerArrayBoundCheckerV2(CheckerManager &mgr) {		void ento::registerArrayBoundCheckerV2(CheckerManager &mgr) {
mgr.registerChecker<ArrayBoundCheckerV2>();		mgr.registerChecker<ArrayBoundCheckerV2>();
}		}

bool ento::shouldRegisterArrayBoundCheckerV2(const CheckerManager &mgr) {		bool ento::shouldRegisterArrayBoundCheckerV2(const CheckerManager &mgr) {
return true;		return true;
}		}

clang/test/Analysis/out-of-bounds.c

	Show First 20 Lines • Show All 168 Lines • ▼ Show 20 Lines
	}			}

	void test_assume_after_access2(unsigned long x) {			void test_assume_after_access2(unsigned long x) {
	char buf[100];			char buf[100];
	buf[x] = 1;			buf[x] = 1;
	clang_analyzer_eval(x <= 99); // expected-warning{{TRUE}}			clang_analyzer_eval(x <= 99); // expected-warning{{TRUE}}
	}			}

				void use_ptr(int *arg) {
				*arg = 42; //no-warning
				}

				void test_indirect_use(void) {
				int arr[10];
				use_ptr(&arr[100]); // expected-warning{{Out of bound memory access}}
				}

				extern int matrix[5][5];

				int test_multidim_zero(void) {
				// TODO: Currently this does not warn because MemRegion::stripCasts() uses an
				// overzealuos heuristic and thinks that matrix[0] just represents a cast
				// expression and not a real indexing operation.
				return matrix[0][10]; // expected - warning{{Out of bound memory access}}
				}

				int test_multidim_generic(void) {
				// This is the generic case that does not trigger the stripCasts() issue:
				return matrix[1][10]; // expected-warning{{Out of bound memory access}}
				}

				struct s {
				int field;
				} arr[10] = {0};

				int test_field(void) {
				return arr[20].field; // expected-warning{{Out of bound memory access}}
				}

				typedef struct {
				int id;
				char name[256];
				} user_t;

				char test_in_unknown_space(user_t *userptr) {
				return userptr->name[-1]; // expected-warning{{Out of bound memory access}}
				}

				void test_undersized_region(void) {
				// TODO: Currently the checker does not look for this kind of error.
				char arr[2];
				long p = (long )arr;
				p[0] = 3; // expected - warning{{Out of bound memory access}}
				}