diff --git a/clang/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp --- a/clang/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp +++ b/clang/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp @@ -34,24 +34,24 @@ : public Checker, check::PreStmt> { mutable std::unique_ptr BT; - enum VLASize_Kind { VLA_Garbage, VLA_Zero, VLA_Tainted, VLA_Negative }; + enum VLASize_Kind { + VLA_Garbage, + VLA_Zero, + VLA_Tainted, + VLA_Negative, + VLA_Overflow + }; /// Check a VLA for validity. - /// Every dimension of the array is checked for validity, and - /// dimension sizes are collected into 'VLASizes'. 'VLALast' is set to the - /// innermost VLA that was encountered. - /// In "int vla[x][2][y][3]" this will be the array for index "y" (with type - /// int[3]). 'VLASizes' contains 'x', '2', and 'y'. Returns null or a new - /// state where the size is validated for every dimension. - ProgramStateRef checkVLA(CheckerContext &C, ProgramStateRef State, - const VariableArrayType *VLA, - const VariableArrayType *&VLALast, - llvm::SmallVector &VLASizes) const; - - /// Check one VLA dimension for validity. + /// Every dimension of the array and the total size is checked for validity. /// Returns null or a new state where the size is validated. - ProgramStateRef checkVLASize(CheckerContext &C, ProgramStateRef State, - const Expr *SizeE) const; + /// 'ArraySize' will contain SVal that refers to the total size (in char) + /// of the array. + ProgramStateRef checkVLA(CheckerContext &C, ProgramStateRef State, + const VariableArrayType *VLA, SVal &ArraySize) const; + /// Check a single VLA index size expression for validity. + ProgramStateRef checkVLAIndexSize(CheckerContext &C, ProgramStateRef State, + const Expr *SizeE) const; void reportBug(VLASize_Kind Kind, const Expr *SizeE, ProgramStateRef State, CheckerContext &C, @@ -64,20 +64,25 @@ }; } // end anonymous namespace -ProgramStateRef -VLASizeChecker::checkVLA(CheckerContext &C, ProgramStateRef State, - const VariableArrayType *VLA, - const VariableArrayType *&VLALast, - llvm::SmallVector &VLASizes) const { +ProgramStateRef VLASizeChecker::checkVLA(CheckerContext &C, + ProgramStateRef State, + const VariableArrayType *VLA, + SVal &ArraySize) const { assert(VLA && "Function should be called with non-null VLA argument."); - VLALast = nullptr; + const VariableArrayType *VLALast = nullptr; + llvm::SmallVector VLASizes; + // Walk over the VLAs for every dimension until a non-VLA is found. // There is a VariableArrayType for every dimension (fixed or variable) until // the most inner array that is variably modified. + // Dimension sizes are collected into 'VLASizes'. 'VLALast' is set to the + // innermost VLA that was encountered. + // In "int vla[x][2][y][3]" this will be the array for index "y" (with type + // int[3]). 'VLASizes' contains 'x', '2', and 'y'. while (VLA) { const Expr *SizeE = VLA->getSizeExpr(); - State = checkVLASize(C, State, SizeE); + State = checkVLAIndexSize(C, State, SizeE); if (!State) return nullptr; VLASizes.push_back(SizeE); @@ -87,12 +92,61 @@ assert(VLALast && "Array should have at least one variably-modified dimension."); + ASTContext &Ctx = C.getASTContext(); + SValBuilder &SVB = C.getSValBuilder(); + CanQualType SizeTy = Ctx.getSizeType(); + uint64_t SizeMax = + SVB.getBasicValueFactory().getMaxValue(SizeTy).getZExtValue(); + + // Get the element size. + CharUnits EleSize = Ctx.getTypeSizeInChars(VLALast->getElementType()); + NonLoc ArrSize = + SVB.makeIntVal(EleSize.getQuantity(), SizeTy).castAs(); + + // Try to calculate the known real size of the array in KnownSize. + uint64_t KnownSize = 0; + if (const llvm::APSInt *KV = SVB.getKnownValue(State, ArrSize)) + KnownSize = KV->getZExtValue(); + + for (const Expr *SizeE : VLASizes) { + auto SizeD = C.getSVal(SizeE).castAs(); + // Convert the array length to size_t. + NonLoc IndexLength = + SVB.evalCast(SizeD, SizeTy, SizeE->getType()).castAs(); + // Multiply the array length by the element size. + SVal Mul = SVB.evalBinOpNN(State, BO_Mul, ArrSize, IndexLength, SizeTy); + if (auto MulNonLoc = Mul.getAs()) + ArrSize = *MulNonLoc; + else + // Extent could not be determined. + return State; + + if (const llvm::APSInt *IndexLVal = SVB.getKnownValue(State, IndexLength)) { + // Check if the array size will overflow. + // Size overflow check does not work with symbolic expressions because a + // overflow situation can not be detected easily. + uint64_t IndexL = IndexLVal->getZExtValue(); + assert(IndexL > 0 && "Index length should have been checked for zero."); + if (KnownSize <= SizeMax / IndexL) { + KnownSize *= IndexL; + } else { + // Array size does not fit into size_t. + reportBug(VLA_Overflow, SizeE, State, C); + return nullptr; + } + } else { + KnownSize = 0; + } + } + + ArraySize = ArrSize; + return State; } -ProgramStateRef VLASizeChecker::checkVLASize(CheckerContext &C, - ProgramStateRef State, - const Expr *SizeE) const { +ProgramStateRef VLASizeChecker::checkVLAIndexSize(CheckerContext &C, + ProgramStateRef State, + const Expr *SizeE) const { SVal SizeV = C.getSVal(SizeE); if (SizeV.isUndef()) { @@ -140,7 +194,7 @@ std::tie(StateNeg, StatePos) = CM.assumeDual(State, *LessThanZeroDVal); if (StateNeg && !StatePos) { - reportBug(VLA_Negative, SizeE, State, C); // FIXME: StateNeg ? + reportBug(VLA_Negative, SizeE, State, C); return nullptr; } State = StatePos; @@ -177,6 +231,9 @@ case VLA_Negative: os << "has negative size"; break; + case VLA_Overflow: + os << "has too large size"; + break; } auto report = std::make_unique(*BT, os.str(), N); @@ -209,53 +266,36 @@ return; // Check the VLA sizes for validity. - llvm::SmallVector VLASizes; - const VariableArrayType *VLALast = nullptr; - State = checkVLA(C, State, VLA, VLALast, VLASizes); + SVal ArraySize; + + State = checkVLA(C, State, VLA, ArraySize); if (!State) return; - if (!VD) + auto ArraySizeNL = ArraySize.getAs(); + if (!ArraySizeNL) { + // Array size could not be determined but state may contain new assumptions. + C.addTransition(State); return; + } // VLASizeChecker is responsible for defining the extent of the array being // declared. We do this by multiplying the array length by the element size, // then matching that with the array region's extent symbol. - CanQualType SizeTy = Ctx.getSizeType(); - // Get the element size. - CharUnits EleSize = Ctx.getTypeSizeInChars(VLALast->getElementType()); - NonLoc ArraySize = - SVB.makeIntVal(EleSize.getQuantity(), SizeTy).castAs(); - - for (const Expr *SizeE : VLASizes) { - auto SizeD = C.getSVal(SizeE).castAs(); - // Convert the array length to size_t. - NonLoc IndexLength = - SVB.evalCast(SizeD, SizeTy, SizeE->getType()).castAs(); - // Multiply the array length by the element size. - SVal Mul = SVB.evalBinOpNN(State, BO_Mul, ArraySize, IndexLength, SizeTy); - if (auto MulNonLoc = Mul.getAs()) { - ArraySize = *MulNonLoc; - } else { - // Extent could not be determined. - // The state was probably still updated by the validation checks. - C.addTransition(State); - return; - } - } - - // Finally, assume that the array's size matches the given size. - const LocationContext *LC = C.getLocationContext(); - DefinedOrUnknownSVal DynSize = - getDynamicSize(State, State->getRegion(VD, LC), SVB); + if (VD) { + // Assume that the array's size matches the region size. + const LocationContext *LC = C.getLocationContext(); + DefinedOrUnknownSVal DynSize = + getDynamicSize(State, State->getRegion(VD, LC), SVB); - DefinedOrUnknownSVal SizeIsKnown = SVB.evalEQ(State, DynSize, ArraySize); - State = State->assume(SizeIsKnown, true); + DefinedOrUnknownSVal SizeIsKnown = SVB.evalEQ(State, DynSize, *ArraySizeNL); + State = State->assume(SizeIsKnown, true); - // Assume should not fail at this point. - assert(State); + // Assume should not fail at this point. + assert(State); + } // Remember our assumptions! C.addTransition(State); @@ -271,17 +311,15 @@ if (!UETTE->isArgumentType()) return; - const VariableArrayType *VLA = - C.getASTContext().getAsVariableArrayType(UETTE->getTypeOfArgument()); + const VariableArrayType *VLA = C.getASTContext().getAsVariableArrayType( + UETTE->getTypeOfArgument().getCanonicalType()); // Ensure that the type is a VLA. if (!VLA) return; ProgramStateRef State = C.getState(); - - llvm::SmallVector VLASizes; - const VariableArrayType *VLALast = nullptr; - State = checkVLA(C, State, VLA, VLALast, VLASizes); + SVal ArraySize; + State = checkVLA(C, State, VLA, ArraySize); if (!State) return; diff --git a/clang/test/Analysis/vla-overflow.c b/clang/test/Analysis/vla-overflow.c new file mode 100644 --- /dev/null +++ b/clang/test/Analysis/vla-overflow.c @@ -0,0 +1,25 @@ +// RUN: %clang_analyze_cc1 -triple x86_64-pc-linux-gnu -analyzer-checker=core -verify %s + +typedef unsigned long size_t; +#define BIGINDEX 65536U + +size_t check_VLA_overflow_sizeof(unsigned int x) { + if (x == BIGINDEX) { + // We expect here that size_t is a 64 bit value. + // Size of this array should be the first to overflow. + size_t s = sizeof(char[x][x][x][x]); // expected-warning{{Declared variable-length array (VLA) has too large size [core.VLASize]}} + return s; + } + return 0; +} + +void check_VLA_overflow_typedef() { + unsigned int x = BIGINDEX; + typedef char VLA[x][x][x][x]; // expected-warning{{Declared variable-length array (VLA) has too large size [core.VLASize]}} +} + +void check_VLA_no_overflow() { + unsigned int x = BIGINDEX; + typedef char VLA[x][x][x][x - 1]; + typedef char VLA1[0xffffffffu]; +}