This is an archive of the discontinued LLVM Phabricator instance.

[analyzer] Improve underflow handling in ArrayBoundV2
ClosedPublic

Authored by donat.nagy on Aug 4 2023, 8:05 AM.

Details

Summary

This minor change ensures that underflow errors are reported on arrays that are in unknown space but have well-defined size.

As a concrete example, the following test case did not produce a warning previously, but will produce a warning after this patch:

typedef struct {
  int id;
  char name[256];
} user_t;

user_t *get_symbolic_user(void);
char test_underflow_symbolic_2() {
  user_t *user = get_symbolic_user();
  return user->name[-1];
}

Diff Detail

Event Timeline

donat.nagy created this revision.Aug 4 2023, 8:05 AM
Herald added a project: Restricted Project. · View Herald Transcript
donat.nagy requested review of this revision.Aug 4 2023, 8:05 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 4 2023, 8:05 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript

Note: this commit is split off from the larger commit https://reviews.llvm.org/D150446, which combined this simple improvement with other, more complex changes that had problematic side-effects.

I'll try to upload results on open source projects, probably on Tuesday (I'm on vacation on Monday).

gamesh411 accepted this revision.Aug 10 2023, 6:43 AM

Seems like a straightforward extension, LGTM.

This revision is now accepted and ready to land.Aug 10 2023, 6:43 AM
steakhal accepted this revision.Aug 11 2023, 8:45 AM

Looks safe and good. I'm interested in the diff though.
Let me know once you have the results.
I wanna have a look before we land this.

clang/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp
184

Such as the MallocChecker.

clang/test/Analysis/out-of-bounds.c
176

Try not to introduce unrelated hunks, as it might introduce more conflicts for downstream users than absolutely necessary.

donat.nagy marked 2 inline comments as done.EditedAug 14 2023, 4:59 AM

I didn't upload the test results yet because right now there is some incompatibility between our local fork and the upstream. There is ongoing work to fix this (by rebasing our fork), but until it's done I can't use our automated tools to run the analysis with revisions that are close to the upstream main branch.

donat.nagy added a comment.EditedAug 18 2023, 6:34 AM

The results on open-source projects are depressing, but acceptable. This checker is looking for a serious defect, so it doesn't find any true positives on stable releases; however it produces a steady trickle of false positives because the Clang SA engine regularly misinterprets complicated code. As the only effect of this patch is that it allows this checker to analyze more situations, it introduces no true positives and a manageable amount of false positives (on average ~1/project).

Table of raw results:

memcachedNew reportsLost reportsno change
tmuxNew reportsLost reportsno change
twinNew reportsLost reportsno change
vimNew reportsLost reportsno change
opensslNew reportsLost reportsno change
sqliteNew reportsLost reportsno change
ffmpegNew reportsLost reportsfour new reports (probably FPs), two of them are from the same macro
postgresNew reportsLost reportstwo new false positives
tinyxml2New reportsLost reportsno change
libwebmNew reportsLost reportsno change
xercesNew reportsLost reportsno change
bitcoinNew reportsLost reportsno change
protobufNew reportsLost reportsseven new FPs, but six of them are caused by incorrect config of our CI
qtbaseNew reportsLost reportsone new FP and one new result of UndefinedBinaryOperatorResult
contourNew reportsLost reportsno change

(In protobuf, our CI misconfigures the build, so the preprocessor handles an assert-like macro incorrectly and six of the seven new false positives are on "assume that this assertion fails, but we continue to execute the code" branches. On qtbase I don't understand why did the UndefinedBinaryOperatorResult report appear [perhaps unpredictable changes of graph traversal?] but it's technically a true positive.)

donat.nagy added a comment.EditedAug 21 2023, 2:08 AM

A (somewhat delayed) ping to @steakhal because you asked me to tell you when I have the results. (I'm writing this only because I don't know whether you have seen the table that I uploaded on Friday.)

steakhal accepted this revision.Aug 21 2023, 3:15 AM

Thanks!

Hold on, make sure this is clang-format compliant before committing.
(Check buildkite)

Yup, there was a superfluous line break that was corrected by git clang-format; thanks for bringing it to my attention. As this is a very trivial change, I'll merge the fixed commit directly, without uploading it into Phabricator.

clang/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp
202–203

This will be a single line in the commit that I'll merge.

This revision was landed with ongoing or failed builds.Aug 21 2023, 8:19 AM
This revision was automatically updated to reflect the committed changes.