diff options
| author | Kristóf Umann <dkszelethus@gmail.com> | 2024-07-04 13:46:22 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-07-04 13:46:22 +0200 |
| commit | 483557224b8d36761f39d5847e17ef7361757f1b (patch) | |
| tree | cb4ce70453fc892ad86ea3bd9b06cab4faf4ae62 /clang/include | |
| parent | d6af73e9fbc84315100499a096f17ec5eeeeea23 (diff) | |
| download | llvm-483557224b8d36761f39d5847e17ef7361757f1b.zip llvm-483557224b8d36761f39d5847e17ef7361757f1b.tar.gz llvm-483557224b8d36761f39d5847e17ef7361757f1b.tar.bz2 | |
[analyzer] Check the correct first and last elements in cstring.UninitializedRead (#95408)
I intend to fix this checker up so that we can move it out of alpha. I
made a bunch of analyses, and found many similar false positives:
```c++
int t[] = {1,2,3};
memcpy(dst, t, sizeof(t) / sizeof(t[0])); // warn
```
The problem here is the way CStringChecker checks whether the
destination and source buffers are initialized: heuristically, it only
checks the first and last element. This is fine, however, it retrieves
these elements as characters, even if the underlaying object is not a
character array. Reading the last byte of an integer is undefined, so
the checker emits a bug here.
A quick search tells you the rationale: "Both objects are reinterpreted
as arrays of unsigned char.". But the static analyzer right now can't
check byte-by-byte if a memory region is _initialized_, it can only
check if its a well-defined character or not.
In this patch, I pry the original array out of the arguments to memcpy
(and similar functions), and retrieve the actual first and last elements
according to the array's actual element type.
Currently, my improvements reduced the number of reports to 29 on these
projects: memcached,tmux,curl,twin,vim,openssl,sqlite,ffmpeg,postgres
https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?detection-status=New&detection-status=Reopened&detection-status=Unresolved&is-unique=on&run=%2acstring_uninit_upper_bound_patched&newcheck=%2acstring_uninit_upper_bounds_patched&diff-type=New&checker-name=alpha.unix.cstring.UninitializedRead&items-per-page=100
Before my patch, there were 87.
https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?detection-status=New&detection-status=Reopened&detection-status=Unresolved&is-unique=on&run=%2acstring_uninit_baseline&newcheck=%2acstring_uninit_upper_bounds_patched&diff-type=New&checker-name=alpha.unix.cstring.UninitializedRead&items-per-page=100
Diffstat (limited to 'clang/include')
| -rw-r--r-- | clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h index c0d3fbd..0d95662 100644 --- a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h +++ b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h @@ -34,6 +34,7 @@ #include "llvm/ADT/iterator_range.h" #include "llvm/Support/Allocator.h" #include "llvm/Support/Casting.h" +#include "llvm/Support/ErrorHandling.h" #include <cassert> #include <cstdint> #include <limits> @@ -99,6 +100,8 @@ public: #define REGION(Id, Parent) Id ## Kind, #define REGION_RANGE(Id, First, Last) BEGIN_##Id = First, END_##Id = Last, #include "clang/StaticAnalyzer/Core/PathSensitive/Regions.def" +#undef REGION +#undef REGION_RANGE }; private: @@ -171,6 +174,8 @@ public: Kind getKind() const { return kind; } + StringRef getKindStr() const; + template<typename RegionTy> const RegionTy* getAs() const; template <typename RegionTy> LLVM_ATTRIBUTE_RETURNS_NONNULL const RegionTy *castAs() const; |