Reject multiplication by zero cases in MallocOverflowSecurityChecker
Currently MallocOverflowSecurityChecker does not catch cases like: malloc(n * 0
* sizeof(int));
This patch rejects such cases.
Also replaced isa with dyn_cast.
http://reviews.llvm.org/D9741
Files:
lib/StaticAnalyzer/Checkers/MallocOverflowSecurityChecker.cpp
test/Analysis/malloc-overflow.c
EMAIL PREFERENCES
http://reviews.llvm.org/settings/panel/emailpreferences/
Index: lib/StaticAnalyzer/Checkers/MallocOverflowSecurityChecker.cpp
===================================================================
--- lib/StaticAnalyzer/Checkers/MallocOverflowSecurityChecker.cpp
+++ lib/StaticAnalyzer/Checkers/MallocOverflowSecurityChecker.cpp
@@ -23,11 +23,14 @@
#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
+#include "llvm/ADT/APSInt.h"
#include "llvm/ADT/SmallVector.h"
using namespace clang;
using namespace ento;
+using llvm::APSInt;
+
namespace {
struct MallocOverflowCheck {
const BinaryOperator *mulop;
@@ -54,6 +57,11 @@
};
} // end anonymous namespace
+// Return true for computations which evaluate to zero: e.g., mult by 0.
+static inline bool EvaluatesToZero(APSInt &Val, BinaryOperatorKind op) {
+ return (op == BO_Mul) && (Val == 0);
+}
+
void MallocOverflowSecurityChecker::CheckMallocArgument(
SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows,
const Expr *TheArgument,
@@ -64,13 +72,12 @@
Reject anything that applies to the variable: an explicit cast,
conditional expression, an operation that could reduce the range
of the result, or anything too complicated :-). */
- const Expr * e = TheArgument;
+ const Expr *e = TheArgument;
const BinaryOperator * mulop = nullptr;
for (;;) {
e = e->IgnoreParenImpCasts();
- if (isa<BinaryOperator>(e)) {
- const BinaryOperator * binop = dyn_cast<BinaryOperator>(e);
+ if (const BinaryOperator *binop = dyn_cast<BinaryOperator>(e)) {
BinaryOperatorKind opc = binop->getOpcode();
// TODO: ignore multiplications by 1, reject if multiplied by 0.
if (mulop == nullptr && opc == BO_Mul)
@@ -80,11 +87,19 @@
const Expr *lhs = binop->getLHS();
const Expr *rhs = binop->getRHS();
- if (rhs->isEvaluatable(Context))
+ if (rhs->isEvaluatable(Context)) {
e = lhs;
+ APSInt Val = rhs->EvaluateKnownConstInt(Context);
+ if (EvaluatesToZero(Val, opc))
+ return;
+ }
else if ((opc == BO_Add || opc == BO_Mul)
- && lhs->isEvaluatable(Context))
+ && lhs->isEvaluatable(Context)) {
+ APSInt Val = lhs->EvaluateKnownConstInt(Context);
+ if (EvaluatesToZero(Val, opc))
+ return;
e = rhs;
+ }
else
return;
}
@@ -133,7 +148,7 @@
theVecType::iterator e = toScanFor.begin();
if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(E)) {
- const Decl * EdreD = DR->getDecl();
+ const Decl *EdreD = DR->getDecl();
while (i != e) {
--i;
if (const DeclRefExpr *DR_i = dyn_cast<DeclRefExpr>(i->variable)) {
@@ -162,7 +177,7 @@
const Expr * rhs = E->getRHS();
// Ignore comparisons against zero, since they generally don't
// protect against an overflow.
- if (!isIntZeroExpr(lhs) && ! isIntZeroExpr(rhs)) {
+ if (!isIntZeroExpr(lhs) && !isIntZeroExpr(rhs)) {
CheckExpr(lhs);
CheckExpr(rhs);
}
@@ -243,12 +258,12 @@
const FunctionDecl *FD = TheCall->getDirectCallee();
if (!FD)
- return;
+ continue;
// Get the name of the callee. If it's a builtin, strip off the prefix.
IdentifierInfo *FnInfo = FD->getIdentifier();
if (!FnInfo)
- return;
+ continue;
if (FnInfo->isStr ("malloc") || FnInfo->isStr ("_MALLOC")) {
if (TheCall->getNumArgs() == 1)
Index: test/Analysis/malloc-overflow.c
===================================================================
--- test/Analysis/malloc-overflow.c
+++ test/Analysis/malloc-overflow.c
@@ -111,3 +111,9 @@
return NULL;
return malloc(n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
}
+
+void * f15(int n)
+{
+ return malloc(n * 0 * sizeof(int)); // no warning
+}
+
_______________________________________________
cfe-commits mailing list
[email protected]
http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits
