steakhal created this revision. steakhal added reviewers: martong, NoQ, vsavchenko, balazske, Szelethus. Herald added subscribers: cfe-commits, ASDenysPetrov, Charusso, dkrupp, donat.nagy, mikhail.ramalho, a.sidorin, rnkovacs, szepet, baloghadamsoftware, xazax.hun, whisperity. Herald added a project: clang. steakhal requested review of this revision.
The `fd` parameter of void *mmap(void *addr, size_t length, int prot, int flags, int fd, off_t offset) should be constrained to the range `[0, IntMax]` as that is of type `int`. Constraining to the range `[0, Off_tMax]` would result in a crash as that is of an unsigned type with the value of `0xff..f`. The crash would happen when we try to apply the arg constraints. At line 583: `assert(Min <= Max)`, as `0 <= -1` is not satisfied The `mmap64` is fixed for the same reason.
Repository: rG LLVM Github Monorepo
https://reviews.llvm.org/D92307
Files:
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
clang/test/Analysis/std-c-library-posix-crash.c
Index: clang/test/Analysis/std-c-library-posix-crash.c
===================================================================
--- /dev/null
+++ clang/test/Analysis/std-c-library-posix-crash.c
@@ -0,0 +1,18 @@
+// RUN: %clang_analyze_cc1 \
+// RUN: -analyzer-checker=core,apiModeling.StdCLibraryFunctions \
+// RUN: -analyzer-config apiModeling.StdCLibraryFunctions:ModelPOSIX=true \
+// RUN: -verify %s
+//
+// expected-no-diagnostics
+
+typedef long off_t;
+typedef long long off64_t;
+typedef unsigned long size_t;
+
+void *mmap(void *addr, size_t length, int prot, int flags, int fd, off_t offset);
+void *mmap64(void *addr, size_t length, int prot, int flags, int fd, off64_t offset);
+
+void test(long len) {
+ mmap(0, len, 2, 1, 0, 0); // no-crash
+ mmap64(0, len, 2, 1, 0, 0); // no-crash
+}
Index: clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
===================================================================
--- clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
+++ clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
@@ -1722,7 +1722,6 @@
"ftello", Signature(ArgTypes{FilePtrTy}, RetType{Off_tTy}), Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
- Optional<RangeInt> Off_tMax = getMaxValue(Off_tTy);
// void *mmap(void *addr, size_t length, int prot, int flags, int fd, // off_t offset); addToFunctionSummaryMap(
@@ -1732,10 +1731,9 @@
Summary(NoEvalCall) .ArgConstraint(ArgumentCondition(1, WithinRange, Range(1, SizeMax))) .ArgConstraint(
- ArgumentCondition(4, WithinRange, Range(0, Off_tMax))));
+ ArgumentCondition(4, WithinRange, Range(0, IntMax))));
Optional<QualType> Off64_tTy = lookupTy("off64_t");
- Optional<RangeInt> Off64_tMax = getMaxValue(Off_tTy);
// void *mmap64(void *addr, size_t length, int prot, int flags, int fd, // off64_t offset); addToFunctionSummaryMap(
@@ -1745,7 +1743,7 @@
Summary(NoEvalCall) .ArgConstraint(ArgumentCondition(1, WithinRange, Range(1, SizeMax))) .ArgConstraint(
- ArgumentCondition(4, WithinRange, Range(0, Off64_tMax))));
+ ArgumentCondition(4, WithinRange, Range(0, IntMax))));
// int pipe(int fildes[2]); addToFunctionSummaryMap(
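Review bot: The new `Range(0, IntMax)` bound on argument 4 in the @@ -1732 hunk (and the identical change in the @@ -1745 hunk for mmap64) matches the declared `int fd`, but nothing at the constraint records why `Off_tMax` was wrong, so a later `off_t`-typed summary can walk into the same `Min <= Max` assertion; a comment such as `// fd is an int: bound it by IntMax, not by the off_t maximum (see D92307).` above the `.ArgConstraint(` would keep that knowledge next to the code. The commit removes only the two callers of `getMaxValue` that triggered the crash; if `getMaxValue` can still produce a value that does not fit `RangeInt` for a wide or unsigned type, `Range(Min, Max)` will presumably assert again for any future summary that uses it, so a check at the `Range` construction site, or an `Optional` result the caller must test, would close the class of bug rather than this instance — those helpers are outside the hunks. The enclosing summary-initialization function starts and ends outside the hunks.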
Index: clang/test/Analysis/std-c-library-posix-crash.c
===================================================================
--- /dev/null
+++ clang/test/Analysis/std-c-library-posix-crash.c
@@ -0,0 +1,18 @@
+// RUN: %clang_analyze_cc1 \
+// RUN: -analyzer-checker=core,apiModeling.StdCLibraryFunctions \
+// RUN: -analyzer-config apiModeling.StdCLibraryFunctions:ModelPOSIX=true \
+// RUN: -verify %s
+//
+// expected-no-diagnostics
+
+typedef long off_t;
+typedef long long off64_t;
+typedef unsigned long size_t;
+
+void *mmap(void *addr, size_t length, int prot, int flags, int fd, off_t offset);
+void *mmap64(void *addr, size_t length, int prot, int flags, int fd, off64_t offset);
+
+void test(long len) {
+ mmap(0, len, 2, 1, 0, 0); // no-crash
+ mmap64(0, len, 2, 1, 0, 0); // no-crash
+}
Index: clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
===================================================================
--- clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
+++ clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
@@ -1722,7 +1722,6 @@
"ftello", Signature(ArgTypes{FilePtrTy}, RetType{Off_tTy}), Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
- Optional<RangeInt> Off_tMax = getMaxValue(Off_tTy);
// void *mmap(void *addr, size_t length, int prot, int flags, int fd, // off_t offset); addToFunctionSummaryMap(
@@ -1732,10 +1731,9 @@
Summary(NoEvalCall) .ArgConstraint(ArgumentCondition(1, WithinRange, Range(1, SizeMax))) .ArgConstraint(
- ArgumentCondition(4, WithinRange, Range(0, Off_tMax))));
+ ArgumentCondition(4, WithinRange, Range(0, IntMax))));
Optional<QualType> Off64_tTy = lookupTy("off64_t");
- Optional<RangeInt> Off64_tMax = getMaxValue(Off_tTy);
// void *mmap64(void *addr, size_t length, int prot, int flags, int fd, // off64_t offset); addToFunctionSummaryMap(
@@ -1745,7 +1743,7 @@
Summary(NoEvalCall) .ArgConstraint(ArgumentCondition(1, WithinRange, Range(1, SizeMax))) .ArgConstraint(
- ArgumentCondition(4, WithinRange, Range(0, Off64_tMax))));
+ ArgumentCondition(4, WithinRange, Range(0, IntMax))));
// int pipe(int fildes[2]); addToFunctionSummaryMap(