It is safe to copy a string literal to an array which is compile time known to be large enough.
This reduces the number of false positives, while (hopefully) not introducing any false negatives.
Details
- Reviewers
dcoughlin xazax.hun NoQ george.karpenkov - Commits
- rG1ebd1c4f9d99: [analyzer] Don't flag strcpy of string literals into sufficiently large buffers.
rC322410: [analyzer] Don't flag strcpy of string literals into sufficiently large buffers.
rL322410: [analyzer] Don't flag strcpy of string literals into sufficiently large buffers.
Diff Detail
- Repository
- rL LLVM
Event Timeline
In the tests there are multiple variants of the strcpy function guarded by macros. Maybe we should run the tests multiple times to test all variants with different defines?
Move negative test next to the positive ones, because the necessary macros and run-lines are already defined there.
This patch makes a totally valid point :)
lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp | ||
---|---|---|
513 ↗ | (On Diff #127739) | You might want to use a wider integer type because 64-bit arrays may have 2³¹ or more elements (not sure about string literals). |
lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp | ||
---|---|---|
522 ↗ | (On Diff #129465) | Nesting this if- inside the previous one would simplify the outer scope and let you assign to ArraySize at declaration size. |
526 ↗ | (On Diff #129465) | Why not put this if-expression into the one above where StrLen is found? |
test/Analysis/security-syntax-checks.m | ||
151 ↗ | (On Diff #129465) | I think it would make sense to add another test case where the warning is expected, even though string length and array size are known at compile time. |
lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp | ||
---|---|---|
526 ↗ | (On Diff #129465) | Good point. This makes StrLen itself redundant as well. |
lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp | ||
---|---|---|
517 ↗ | (On Diff #129508) | This can be simplified to const auto *Array = DeclRef->getType()->getAs<ConstantArrayType>(). |
518 ↗ | (On Diff #129508) | Hmm, actually, ArraySize is the number of elements in the array, not its byte size, so you may want (if you like) to also suppress the warning when the array is not a char array (even if it's a weird code anyway) by instead taking ASTContext.getTypeSize() here instead. Also i guess it's nice to use uint64_t because that's the return type of .getLimitedValue() and that's what we usually use all over the place when we have to deal with those values. |
I don't have, please commit it.
lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp | ||
---|---|---|
517 ↗ | (On Diff #129508) | Using getAs yielded:
|
lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp | ||
---|---|---|
517 ↗ | (On Diff #129508) | Whoops, yeah, right, array types are the rare exception. It should be ASTContext.getAsConstantArrayType(), see the docs for getAsArrayType() for some explanation of why it was made this way. I guess we don't really care about these aspects, so your code is fine :) |
cfe/trunk/lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp | ||
---|---|---|
517 | Rather than dividing by '8', I suggest using ASTContext's getTypeSizeInChars(). This will make sure we handle those annoying platforms that don't have 8-bit chars. |
Rather than dividing by '8', I suggest using ASTContext's getTypeSizeInChars(). This will make sure we handle those annoying platforms that don't have 8-bit chars.