Author: xazax Date: Mon Sep 19 15:39:52 2016 New Revision: 281934 URL: http://llvm.org/viewvc/llvm-project?rev=281934&view=rev Log: [analyzer] Calculate extent size for memory regions allocated by new expression.
ArrayBoundChecker did not detect out of bounds memory access errors in case an array was allocated by the new expression. This patch resolves this issue. Patch by Daniel Krupp! Differential Revision: https://reviews.llvm.org/D24307 Added: cfe/trunk/test/Analysis/out-of-bounds-new.cpp Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp?rev=281934&r1=281933&r2=281934&view=diff ============================================================================== --- cfe/trunk/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp (original) +++ cfe/trunk/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp Mon Sep 19 15:39:52 2016 @@ -68,18 +68,11 @@ public: static SVal computeExtentBegin(SValBuilder &svalBuilder, const MemRegion *region) { - while (true) - switch (region->getKind()) { - default: - return svalBuilder.makeZeroArrayIndex(); - case MemRegion::SymbolicRegionKind: - // FIXME: improve this later by tracking symbolic lower bounds - // for symbolic regions. - return UnknownVal(); - case MemRegion::ElementRegionKind: - region = cast<SubRegion>(region)->getSuperRegion(); - continue; - } + const MemSpaceRegion *SR = region->getMemorySpace(); + if (SR->getKind() == MemRegion::UnknownSpaceRegionKind) + return UnknownVal(); + else + return svalBuilder.makeZeroArrayIndex(); } // TODO: once the constraint manager is smart enough to handle non simplified Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp?rev=281934&r1=281933&r2=281934&view=diff ============================================================================== --- cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp (original) +++ cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp Mon Sep 19 15:39:52 2016 @@ -287,6 +287,9 @@ private: ProgramStateRef State, AllocationFamily Family = AF_Malloc); + static ProgramStateRef addExtentSize(CheckerContext &C, const CXXNewExpr *NE, + ProgramStateRef State); + // Check if this malloc() for special flags. At present that means M_ZERO or // __GFP_ZERO (in which case, treat it like calloc). llvm::Optional<ProgramStateRef> @@ -981,10 +984,59 @@ void MallocChecker::checkPostStmt(const // existing binding. State = MallocUpdateRefState(C, NE, State, NE->isArray() ? AF_CXXNewArray : AF_CXXNew); + State = addExtentSize(C, NE, State); State = ProcessZeroAllocation(C, NE, 0, State); C.addTransition(State); } +// Sets the extent value of the MemRegion allocated by +// new expression NE to its size in Bytes. +// +ProgramStateRef MallocChecker::addExtentSize(CheckerContext &C, + const CXXNewExpr *NE, + ProgramStateRef State) { + if (!State) + return nullptr; + SValBuilder &svalBuilder = C.getSValBuilder(); + SVal ElementCount; + const LocationContext *LCtx = C.getLocationContext(); + const SubRegion *Region; + if (NE->isArray()) { + const Expr *SizeExpr = NE->getArraySize(); + ElementCount = State->getSVal(SizeExpr, C.getLocationContext()); + // Store the extent size for the (symbolic)region + // containing the elements. + Region = (State->getSVal(NE, LCtx)) + .getAsRegion() + ->getAs<SubRegion>() + ->getSuperRegion() + ->getAs<SubRegion>(); + } else { + ElementCount = svalBuilder.makeIntVal(1, true); + Region = (State->getSVal(NE, LCtx)).getAsRegion()->getAs<SubRegion>(); + } + assert(Region); + + // Set the region's extent equal to the Size in Bytes. + QualType ElementType = NE->getAllocatedType(); + ASTContext &AstContext = C.getASTContext(); + CharUnits TypeSize = AstContext.getTypeSizeInChars(ElementType); + + if (Optional<DefinedOrUnknownSVal> DefinedSize = + ElementCount.getAs<DefinedOrUnknownSVal>()) { + DefinedOrUnknownSVal Extent = Region->getExtent(svalBuilder); + // size in Bytes = ElementCount*TypeSize + SVal SizeInBytes = svalBuilder.evalBinOpNN( + State, BO_Mul, ElementCount.castAs<NonLoc>(), + svalBuilder.makeArrayIndex(TypeSize.getQuantity()), + svalBuilder.getArrayIndexType()); + DefinedOrUnknownSVal extentMatchesSize = svalBuilder.evalEQ( + State, Extent, SizeInBytes.castAs<DefinedOrUnknownSVal>()); + State = State->assume(extentMatchesSize, true); + } + return State; +} + void MallocChecker::checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const { Added: cfe/trunk/test/Analysis/out-of-bounds-new.cpp URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/out-of-bounds-new.cpp?rev=281934&view=auto ============================================================================== --- cfe/trunk/test/Analysis/out-of-bounds-new.cpp (added) +++ cfe/trunk/test/Analysis/out-of-bounds-new.cpp Mon Sep 19 15:39:52 2016 @@ -0,0 +1,150 @@ +// RUN: %clang_cc1 -std=c++11 -Wno-array-bounds -analyze -analyzer-checker=unix,core,alpha.security.ArrayBoundV2 -verify %s + +// Tests doing an out-of-bounds access after the end of an array using: +// - constant integer index +// - constant integer size for buffer +void test1(int x) { + int *buf = new int[100]; + buf[100] = 1; // expected-warning{{Out of bound memory access}} +} + +void test1_ok(int x) { + int *buf = new int[100]; + buf[99] = 1; // no-warning +} + +// Tests doing an out-of-bounds access after the end of an array using: +// - indirect pointer to buffer +// - constant integer index +// - constant integer size for buffer +void test1_ptr(int x) { + int *buf = new int[100]; + int *p = buf; + p[101] = 1; // expected-warning{{Out of bound memory access}} +} + +void test1_ptr_ok(int x) { + int *buf = new int[100]; + int *p = buf; + p[99] = 1; // no-warning +} + +// Tests doing an out-of-bounds access before the start of an array using: +// - indirect pointer to buffer, manipulated using simple pointer arithmetic +// - constant integer index +// - constant integer size for buffer +void test1_ptr_arith(int x) { + int *buf = new int[100]; + int *p = buf; + p = p + 100; + p[0] = 1; // expected-warning{{Out of bound memory access}} +} + +void test1_ptr_arith_ok(int x) { + int *buf = new int[100]; + int *p = buf; + p = p + 99; + p[0] = 1; // no-warning +} + +void test1_ptr_arith_bad(int x) { + int *buf = new int[100]; + int *p = buf; + p = p + 99; + p[1] = 1; // expected-warning{{Out of bound memory access}} +} + +void test1_ptr_arith_ok2(int x) { + int *buf = new int[100]; + int *p = buf; + p = p + 99; + p[-1] = 1; // no-warning +} + +// Tests doing an out-of-bounds access before the start of an array using: +// - constant integer index +// - constant integer size for buffer +void test2(int x) { + int *buf = new int[100]; + buf[-1] = 1; // expected-warning{{Out of bound memory access}} +} + +// Tests doing an out-of-bounds access before the start of an array using: +// - indirect pointer to buffer +// - constant integer index +// - constant integer size for buffer +void test2_ptr(int x) { + int *buf = new int[100]; + int *p = buf; + p[-1] = 1; // expected-warning{{Out of bound memory access}} +} + +// Tests doing an out-of-bounds access before the start of an array using: +// - indirect pointer to buffer, manipulated using simple pointer arithmetic +// - constant integer index +// - constant integer size for buffer +void test2_ptr_arith(int x) { + int *buf = new int[100]; + int *p = buf; + --p; + p[0] = 1; // expected-warning {{Out of bound memory access (accessed memory precedes memory block)}} +} + +// Tests under-indexing +// of a multi-dimensional array +void test2_multi(int x) { + auto buf = new int[100][100]; + buf[0][-1] = 1; // expected-warning{{Out of bound memory access}} +} + +// Tests under-indexing +// of a multi-dimensional array +void test2_multi_b(int x) { + auto buf = new int[100][100]; + buf[-1][0] = 1; // expected-warning{{Out of bound memory access}} +} + +// Tests over-indexing +// of a multi-dimensional array +void test2_multi_c(int x) { + auto buf = new int[100][100]; + buf[100][0] = 1; // expected-warning{{Out of bound memory access}} +} + +// Tests over-indexing +// of a multi-dimensional array +void test2_multi_2(int x) { + auto buf = new int[100][100]; + buf[99][100] = 1; // expected-warning{{Out of bound memory access}} +} + +// Tests normal access of +// a multi-dimensional array +void test2_multi_ok(int x) { + auto buf = new int[100][100]; + buf[0][0] = 1; // no-warning +} + +// Tests over-indexing using different types +// array +void test_diff_types(int x) { + int *buf = new int[10]; //10*sizeof(int) Bytes allocated + char *cptr = (char *)buf; + cptr[sizeof(int) * 9] = 1; // no-warning + cptr[sizeof(int) * 10] = 1; // expected-warning{{Out of bound memory access}} +} + +// Tests over-indexing +//if the allocated area is non-array +void test_non_array(int x) { + int *ip = new int; + ip[0] = 1; // no-warning + ip[1] = 2; // expected-warning{{Out of bound memory access}} +} + +//Tests over-indexing +//if the allocated area size is a runtime parameter +void test_dynamic_size(int s) { + int *buf = new int[s]; + buf[0] = 1; // no-warning +} _______________________________________________ cfe-commits mailing list cfe-commits@lists.llvm.org http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
