steakhal created this revision.
steakhal added reviewers: NoQ, vsavchenko, Szelethus, martong.
Herald added subscribers: ASDenysPetrov, Charusso, dkrupp, donat.nagy,
mikhail.ramalho, a.sidorin, rnkovacs, szepet, baloghadamsoftware, xazax.hun,
whisperity.
steakhal requested review of this revision.
Herald added a project: clang.
Herald added a subscriber: cfe-commits.
It adds some comments about the ArrayBound and ArrayBoundV2. It would help the
users deciding which to enable.
Further thoughts on this:
If V2 warns for all cases where V1 does, why do we let them enable both at the
same time?
Repository:
rG LLVM Github Monorepo
https://reviews.llvm.org/D100829
Files:
clang/docs/analyzer/checkers.rst
Index: clang/docs/analyzer/checkers.rst
===================================================================
--- clang/docs/analyzer/checkers.rst
+++ clang/docs/analyzer/checkers.rst
@@ -2083,6 +2083,7 @@
alpha.security.ArrayBound (C)
"""""""""""""""""""""""""""""
Warn about buffer overflows (older checker).
+It does not consider tainted indices.
.. code-block:: c
@@ -2103,8 +2104,7 @@
p[2] = a; // warn
}
- // note: requires unix.Malloc or
- // alpha.unix.MallocWithAnnotations checks enabled.
+ // note: also requires the unix.Malloc checker.
void test() {
int *p = malloc(12);
p[3] = 4; // warn
@@ -2121,6 +2121,15 @@
alpha.security.ArrayBoundV2 (C)
"""""""""""""""""""""""""""""""
Warn about buffer overflows (newer checker).
+It should warn for all the cases where the ArrayBound would and for more.
+For tainted indices, you have to prove/assert that the index must be inbound
+if the taint checker also enabled.
+
+This checker transforms buffer accesses more aggressively. While it can infer
+more accurate constraints for the possible values ranges of the variables
+constituting to the index expression compared to the simple ArrayBound checker,
+the complexity of the bug paths of not only this but any other checker can also
+increase if enabled.
.. code-block:: c
@@ -2150,6 +2159,14 @@
char c = s[x]; // warn: index is tainted
}
+ void test() {
+ char s[] = "abc";
+ int x = getchar();
+ x = (x < 0) ? 0 : (x > 3) ? 3 : x;
+ // 'x' is still tainted, but constrained to be within [0,3].
+ char c = s[x]; // no warning
+ }
+
.. _alpha-security-MallocOverflow:
alpha.security.MallocOverflow (C)
Index: clang/docs/analyzer/checkers.rst
===================================================================
--- clang/docs/analyzer/checkers.rst
+++ clang/docs/analyzer/checkers.rst
@@ -2083,6 +2083,7 @@
alpha.security.ArrayBound (C)
"""""""""""""""""""""""""""""
Warn about buffer overflows (older checker).
+It does not consider tainted indices.
.. code-block:: c
@@ -2103,8 +2104,7 @@
p[2] = a; // warn
}
- // note: requires unix.Malloc or
- // alpha.unix.MallocWithAnnotations checks enabled.
+ // note: also requires the unix.Malloc checker.
void test() {
int *p = malloc(12);
p[3] = 4; // warn
@@ -2121,6 +2121,15 @@
alpha.security.ArrayBoundV2 (C)
"""""""""""""""""""""""""""""""
Warn about buffer overflows (newer checker).
+It should warn for all the cases where the ArrayBound would and for more.
+For tainted indices, you have to prove/assert that the index must be inbound
+if the taint checker also enabled.
+
+This checker transforms buffer accesses more aggressively. While it can infer
+more accurate constraints for the possible values ranges of the variables
+constituting to the index expression compared to the simple ArrayBound checker,
+the complexity of the bug paths of not only this but any other checker can also
+increase if enabled.
.. code-block:: c
@@ -2150,6 +2159,14 @@
char c = s[x]; // warn: index is tainted
}
+ void test() {
+ char s[] = "abc";
+ int x = getchar();
+ x = (x < 0) ? 0 : (x > 3) ? 3 : x;
+ // 'x' is still tainted, but constrained to be within [0,3].
+ char c = s[x]; // no warning
+ }
+
.. _alpha-security-MallocOverflow:
alpha.security.MallocOverflow (C)
_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
