Georgi Guninski wrote:
catching sign promotions
writing about 64 bit systems.
lengths of buffers > 2^31 are negative int32.
cast from negative int32 to size_t leads to *large* size_t, effectively
increasing the length:
(size_t) (int32) (2^32-1) == 2^64-1
gcc's -Wconversion warns about different width, but does not warn about
sign promotion.
is it easy to catch such cases *focusing on copying functions*?
What exactly do you want to check for? E.g.:
(a) detect if a signed type of width less than 64 bits is passed as a
size_t argument
(b) detect if a negative value is passed as a size_t argument
(a) is pretty easy with Dehydra, I think. (b) might be difficult
statically but you might be able to catch some bugs of the sort with
Dehydra or Treehydra. Otherwise, an assertion (like your proposed macro)
for dynamic checks seems like the way to go.
It also seems to depend on what kind of code you want to write when
there is a signed variable being passed as the size_t. Presumably a
simple cast to size_t would be no improvement, and you would want a
check or a special conversion operator.
In C++, for (a) you might be able to define memcpy as taking a
class-typed argument for size that has implicit conversions only from
unsigned values, and maybe safe (however you want to define it)
constructors for signed values.
Dave
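The wrapper-class idea from the reply above, worked through as an added example (not code from either poster): a hypothetical `SafeSize` type that converts implicitly only from unsigned integers, requires an explicit, range-checked conversion from signed ones, and a `safe_memcpy` that takes it, so passing a bare `int` length fails to compile while a negative runtime value is rejected instead of becoming a huge `size_t`.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <limits>
#include <stdexcept>
#include <type_traits>

// Hypothetical length type: implicit from unsigned, explicit + checked from signed.
class SafeSize {
public:
    template <typename U,
              typename std::enable_if<std::is_unsigned<U>::value, int>::type = 0>
    SafeSize(U v) : value_(static_cast<size_t>(v)) {}

    template <typename S,
              typename std::enable_if<std::is_integral<S>::value &&
                                      std::is_signed<S>::value, int>::type = 0>
    explicit SafeSize(S v) : value_(0) {
        if (v < 0) throw std::out_of_range("negative length passed as size_t");
        value_ = static_cast<size_t>(v);
    }
    size_t get() const { return value_; }
private:
    size_t value_;
};

// Copy wrapper: safe_memcpy(dst, src, some_int) does not compile (case (a));
// a negative int wrapped as SafeSize(some_int) throws (case (b)).
void* safe_memcpy(void* dst, const void* src, SafeSize n) {
    return std::memcpy(dst, src, n.get());
}

// The promotion the thread describes: int32 -1 widens to SIZE_MAX.
size_t promoted_length(int32_t len) { return static_cast<size_t>(len); }

// Copies `len` bytes of a constructed message into a local buffer.
// Returns true only if the signed length was accepted and the bytes match.
bool try_copy(int32_t len) {
    const char src[16] = "hello, world!!!";   // constructed sample input
    char dst[16] = {0};
    try {
        safe_memcpy(dst, src, SafeSize(len)); // explicit checked conversion
    } catch (const std::out_of_range&) {
        return false;                         // negative length rejected
    }
    safe_memcpy(dst, dst, sizeof(dst));       // size_t: implicit path compiles
    return std::memcmp(dst, src, static_cast<size_t>(len)) == 0;
}
```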
_______________________________________________
dev-static-analysis mailing list
https://lists.mozilla.org/listinfo/dev-static-analysis