| Field | Value |
|---|---|
| Issue | 115410 |
| Summary | [analyzer] False negative in ArrayBoundV2 and TaintPropagation |
| Labels | new issue |
| Assignees | |
| Reporter | z1nke |
Example code: https://godbolt.org/z/xhbsaYex6
```cpp
// clang-19 --analyze -Xanalyzer -analyzer-checker="alpha.security,optin.taint" test.c // clang-19 and above
// clang-18 --analyze -Xanalyzer -analyzer-checker="alpha.security" test.c // clang-18 and below
#include <stdio.h>
#include <stdlib.h>

// Same as foo2, but the fgets() return value is checked against NULL first.
void foo1() {
  char buf[20];
  if (fgets(buf, sizeof(buf), stdin) == NULL)
    return;
  int idx = atoi(buf);  // idx is tainted: it is derived from stdin
  buf[idx] = '\0';      // expect-warning
}

// No NULL check on fgets(); the tainted index reaches the array access directly.
void foo2() {
  char buf[20];
  fgets(buf, sizeof(buf), stdin);
  int idx = atoi(buf);  // idx is tainted: it is derived from stdin
  buf[idx] = '\0';      // expect-warning
}
```
Results:
```
// clang-19 and above
<source>:17:3: warning: Potential out of bound access to 'buf' with tainted index [alpha.security.ArrayBoundV2]
17 | buf[idx] = '\0'; // expect-warning
| ^~~~~~~~
1 warning generated.
```
```
// clang-18 and below
<source>:10:3: warning: Potential out of bound access to 'buf' with tainted index [alpha.security.ArrayBoundV2]
10 | buf[idx] = '\0'; // expect-warning
| ^~~~~~~~
<source>:17:3: warning: Potential out of bound access to 'buf' with tainted index [alpha.security.ArrayBoundV2]
17 | buf[idx] = '\0'; // expect-warning
| ^~~~~~~~
2 warnings generated.
```
I found that clang-19 version had a false negative in the `foo1` test case.
After some debugging, I found there might be a problem with the modeling of `fgets` in `StdLibraryFunctionsChecker`.
https://github.com/llvm/llvm-project/blob/ab51eccf88f5321e7c60591c5546b254b6afab99/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp#L2267-L2280
I am not very familiar with function summary modeling. Should we add the following case for the `fgets` function here?
```cpp
.Case({NotNull(Ret)}, ErrnoMustNotBeChecked, GenericSuccessMsg)
```
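As an added example (not part of the bug report and not LLVM code), the following shows the defensive pattern that makes `foo1` safe independently of whether the analyzer tracks taint through the `NULL` check: the index parsed from user input is range-checked against the buffer size before it is used. The names `parse_bounded_index` and `foo1_hardened` are hypothetical.

```c
// Added example, not from the report: a hardened variant of foo1 that validates
// the tainted index before indexing, so the write is in bounds regardless of
// what the analyzer reports.
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define BUF_SIZE 20

/* Parse a decimal index from user-controlled text and return it only if it is a
 * valid position inside a buffer of `size` bytes; return -1 otherwise. */
int parse_bounded_index(const char *text, size_t size) {
    char *end = NULL;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (end == text)                 /* no digits at all */
        return -1;
    if (errno == ERANGE)             /* value did not fit in a long */
        return -1;
    if (v < 0 || (size_t)v >= size)  /* outside [0, size) */
        return -1;
    return (int)v;
}

/* Same shape as foo1 from the report, but rejects an out-of-range index.
 * Returns the index that was written, or -1 on EOF / invalid input. */
int foo1_hardened(FILE *in) {
    char buf[BUF_SIZE];
    if (fgets(buf, sizeof(buf), in) == NULL)
        return -1;
    int idx = parse_bounded_index(buf, sizeof(buf));
    if (idx < 0)
        return -1;
    buf[idx] = '\0';  /* idx is now known to be in [0, BUF_SIZE) */
    return idx;
}

int main(void) {
    int r = foo1_hardened(stdin);
    printf("%d\n", r);
    return r < 0;
}
```

`strtol` is used instead of `atoi` because `atoi` gives no way to distinguish "0", garbage, or overflow; the explicit range check is what removes the tainted-index hazard that ArrayBoundV2 is meant to flag.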
_______________________________________________
llvm-bugs mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs