This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
1/2
ArrayBoundCheckerV2.cpp
-
test/Analysis/
-
Analysis/
-
out-of-bounds-new.cpp

Differential D159106

[analyzer] ArrayBoundCheckerV2 should listen to check::Bind as well
AbandonedPublic

Authored by steakhal on Aug 29 2023, 8:20 AM.

Download Raw Diff

Details

Reviewers

NoQ
xazax.hun
donat.nagy
Szelethus

Summary

Turns out check::Location is not always called when storing a value to a
location. See the details here:
https://discourse.llvm.org/t/checklocation-vs-checkbind-when-isload-false/72728

To catch the remaining cases when binding to a location, subscribe to the
check::Bind callback.

(CWE-122 Heap Based Buffer Overflow: CWE-805-class-loop)

Depends on D159105

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

steakhal created this revision.Aug 29 2023, 8:20 AM

Herald added a project: Restricted Project. · View Herald TranscriptAug 29 2023, 8:20 AM

Herald added subscribers: manas, ASDenysPetrov, martong and 5 others. · View Herald Transcript

steakhal requested review of this revision.Aug 29 2023, 8:20 AM

Herald added a project: Restricted Project. · View Herald TranscriptAug 29 2023, 8:20 AM

Herald added a subscriber: cfe-commits. · View Herald Transcript

steakhal edited the summary of this revision. (Show Details)Aug 29 2023, 8:21 AM

steakhal added a parent revision: D159105: [analyzer] ArrayBoundCheckerV2 should check the region for taint as well.

steakhal added a child revision: D159107: [analyzer] ArrayBoundCheckerV2 should disallow forming lvalues to out-of-bounds locations.

Harbormaster completed remote builds in B255540: Diff 554352.Aug 29 2023, 11:05 AM

This seems to be a straightforward improvement over the current situation; LGTM if you test(ed) it on some real-life code (to ensure that it doesn't introduce a corner case that crashes).

clang/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp
46	I'd call this function `performCheck` or something similar, but "`impl`" is also fine especially if it's a traditional name (that I haven't encountered yet in clang SA code).

This revision is now accepted and ready to land.Aug 30 2023, 2:11 AM

steakhal added inline comments.Aug 30 2023, 2:34 AM

clang/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp
46	Yes, I'll rename it. I was already thinking about it.

This patch would cause FPs on this code:

struct S {};
void zero_size_array() {
  S arr[0];
  (void)arr;
}

Being short on time, I'll just drop this commit from the stack and come back in a late future.
This might be related to D131501.

steakhal mentioned this in D159107: [analyzer] ArrayBoundCheckerV2 should disallow forming lvalues to out-of-bounds locations.Aug 31 2023, 1:09 AM

steakhal abandoned this revision.Aug 31 2023, 2:49 AM

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Checkers/

ArrayBoundCheckerV2.cpp

17 lines

test/

Analysis/

out-of-bounds-new.cpp

22 lines

Diff 554352

clang/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp

Show All 24 Lines
#include "llvm/Support/raw_ostream.h"		#include "llvm/Support/raw_ostream.h"
#include <optional>		#include <optional>

using namespace clang;		using namespace clang;
using namespace ento;		using namespace ento;
using namespace taint;		using namespace taint;

namespace {		namespace {
class ArrayBoundCheckerV2 :		class ArrayBoundCheckerV2 : public Checker<check::Location, check::Bind> {
public Checker<check::Location> {
mutable std::unique_ptr<BugType> BT;		mutable std::unique_ptr<BugType> BT;
mutable std::unique_ptr<BugType> TaintBT;		mutable std::unique_ptr<BugType> TaintBT;

enum OOB_Kind { OOB_Precedes, OOB_Excedes };		enum OOB_Kind { OOB_Precedes, OOB_Excedes };

void reportOOB(CheckerContext &C, ProgramStateRef errorState,		void reportOOB(CheckerContext &C, ProgramStateRef errorState,
OOB_Kind kind) const;		OOB_Kind kind) const;
void reportTaintOOB(CheckerContext &C, ProgramStateRef errorState,		void reportTaintOOB(CheckerContext &C, ProgramStateRef errorState,
SVal TaintedSVal) const;		SVal TaintedSVal) const;

static bool isFromCtypeMacro(const Stmt *S, ASTContext &AC);		static bool isFromCtypeMacro(const Stmt *S, ASTContext &AC);

		void impl(SVal Loc, bool isLoad, const Stmt *S, CheckerContext &C) const;
		donat.nagyUnsubmitted Not Done Reply Inline Actions I'd call this function `performCheck` or something similar, but "`impl`" is also fine especially if it's a traditional name (that I haven't encountered yet in clang SA code). donat.nagy: I'd call this function `performCheck` or something similar, but "`impl`" is also fine…
		steakhalAuthorUnsubmitted Done Reply Inline Actions Yes, I'll rename it. I was already thinking about it. steakhal: Yes, I'll rename it. I was already thinking about it.

public:		public:
void checkLocation(SVal l, bool isLoad, const Stmt *S,		void checkLocation(SVal l, bool isLoad, const Stmt *S,
CheckerContext &C) const;		CheckerContext &C) const;
		void checkBind(SVal Loc, SVal, const Stmt *S, CheckerContext &) const;
};		};

// FIXME: Eventually replace RegionRawOffset with this class.		// FIXME: Eventually replace RegionRawOffset with this class.
class RegionRawOffsetV2 {		class RegionRawOffsetV2 {
private:		private:
const SubRegion *baseRegion;		const SubRegion *baseRegion;
NonLoc byteOffset;		NonLoc byteOffset;

▲ Show 20 Lines • Show All 80 Lines • ▼ Show 20 Lines	if (BelowThreshold)
return State->assume(*BelowThreshold);		return State->assume(*BelowThreshold);

return {nullptr, nullptr};		return {nullptr, nullptr};
}		}

void ArrayBoundCheckerV2::checkLocation(SVal location, bool isLoad,		void ArrayBoundCheckerV2::checkLocation(SVal location, bool isLoad,
const Stmt* LoadS,		const Stmt* LoadS,
CheckerContext &checkerContext) const {		CheckerContext &checkerContext) const {
		if (isLoad)
		impl(location, isLoad, LoadS, checkerContext);
		}

		void ArrayBoundCheckerV2::checkBind(SVal Loc, SVal, const Stmt *S,
		CheckerContext &C) const {
		impl(Loc, /isLoad=/false, S, C);
		}

		void ArrayBoundCheckerV2::impl(SVal location, bool isLoad, const Stmt *LoadS,
		CheckerContext &checkerContext) const {

// NOTE: Instead of using ProgramState::assumeInBound(), we are prototyping		// NOTE: Instead of using ProgramState::assumeInBound(), we are prototyping
// some new logic here that reasons directly about memory region extents.		// some new logic here that reasons directly about memory region extents.
// Once that logic is more mature, we can bring it back to assumeInBound()		// Once that logic is more mature, we can bring it back to assumeInBound()
// for all clients to use.		// for all clients to use.
//		//
// The algorithm we are using here for bounds checking is to see if the		// The algorithm we are using here for bounds checking is to see if the
// memory access is within the extent of the base region. Since we		// memory access is within the extent of the base region. Since we
▲ Show 20 Lines • Show All 218 Lines • Show Last 20 Lines

clang/test/Analysis/out-of-bounds-new.cpp

Show First 20 Lines • Show All 148 Lines • ▼ Show 20 Lines	void test_dynamic_size(int s) {
buf[0] = 1; // no-warning		buf[0] = 1; // no-warning
}		}
//Tests complex arithmetic		//Tests complex arithmetic
//in new expression		//in new expression
void test_dynamic_size2(unsigned m,unsigned n){		void test_dynamic_size2(unsigned m,unsigned n){
unsigned *U = nullptr;		unsigned *U = nullptr;
U = new unsigned[m + n + 1];		U = new unsigned[m + n + 1];
}		}


		int rng();
		struct ManyInts {
		int a, b, c, d, e, f, g;
		};
		void test_trivial_copy_move_is_checked_by_the_checker() {
		ManyInts v;
		ManyInts *p = &v;

		switch (rng()) {
		case 0:
		*p = ManyInts{3,2,1}; // ok
		break;
		case -1:
		*--p = ManyInts{3,2,1}; // expected-warning {{Out of bound memory access (accessed memory precedes memory block)}}
		break;
		case 1:
		*++p = ManyInts{3,2,1}; // expected-warning {{Out of bound memory access (access exceeds upper limit of memory block)}}
		break;
		}
		}