This revision was automatically updated to reflect the committed changes.
Closed by commit rG6097a4192458: [analyzer] Extend the documentation of MallocOverflow (authored by steakhal).
Herald added a project: clang.
Herald added a subscriber: cfe-commits.

Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D107756/new/

https://reviews.llvm.org/D107756

Files:
  clang/docs/analyzer/checkers.rst


Index: clang/docs/analyzer/checkers.rst
===================================================================
--- clang/docs/analyzer/checkers.rst
+++ clang/docs/analyzer/checkers.rst
@@ -2154,7 +2154,14 @@
 
 alpha.security.MallocOverflow (C)
 """""""""""""""""""""""""""""""""
-Check for overflows in the arguments to malloc().
+Check for overflows in the arguments to ``malloc()``.
+It tries to catch ``malloc(n * c)`` patterns, where:
+ - ``n``: a variable or member access of an object
+ - ``c``: a constant foldable integral
+
+This checker was designed for code audits, so expect false-positive reports.
+One is supposed to silence this checker by ensuring proper bounds checking on
+the variable in question using e.g. an ``assert()`` or a branch.
 
 .. code-block:: c
 
@@ -2168,6 +2175,26 @@
    void *p = malloc(n * sizeof(int)); // no warning
  }
 
+ void test3(int n) {
+   assert(n <= 100 && "Contract violated.");
+   void *p = malloc(n * sizeof(int)); // no warning
+ }
+
+Limitations:
+ - The checker won't warn for variables involved in explicit casts,
+   since that might limit the variable's domain.
+   E.g.: ``(unsigned char)int x`` would limit the domain to ``[0,255]``.
+   The checker will miss the true-positive cases when the explicit cast would
+   not tighten the domain to prevent the overflow in the subsequent
+   multiplication operation.
+
+ - If the variable ``n`` participates in a comparison anywhere in the enclosing
+   function's scope, even after the ``malloc()``, the report will be still
+   suppressed.
+
+ - It is an AST-based checker, thus it does not make use of the
+   path-sensitive taint-analysis.
+
 .. _alpha-security-MmapWriteExec:
 
 alpha.security.MmapWriteExec (C)
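Review bot: the list under `Limitations:` has the same missing blank line as the first hunk; ` - The checker won't warn ...` needs an empty line before it to parse as a bullet list. In the first item, `(unsigned char)int x` is not C syntax; write `(unsigned char)x` for an ``int x`` and say the cast narrows the domain to ``[0,255]``. `the report will be still suppressed` should be `the report will still be suppressed`, and `path-sensitive taint-analysis` should drop the hyphen. The second limitation (a comparison on ``n`` anywhere in the function, even after the ``malloc()``, suppresses the report) is the one users are most likely to be surprised by, yet the examples only show the intended suppression; consider adding a `test4` where the comparison comes after the allocation with a `// no warning (limitation)` comment so the false negative is documented next to the true negatives. Finally, `test3` calls ``assert()`` without `#include <assert.h>`; either add the include at the top of the code block or state that the snippet assumes it.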


_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits