When checking if a buffer access is valid, first make sure the buffer has a valid...

author Jordy Rose <jediknil@belkadan.com>

Thu, 5 Aug 2010 23:11:30 +0000 (23:11 +0000)

committer Jordy Rose <jediknil@belkadan.com>

Thu, 5 Aug 2010 23:11:30 +0000 (23:11 +0000)
author Jordy Rose <jediknil@belkadan.com>
Thu, 5 Aug 2010 23:11:30 +0000 (23:11 +0000)
committer Jordy Rose <jediknil@belkadan.com>
Thu, 5 Aug 2010 23:11:30 +0000 (23:11 +0000)
diff --git a/lib/Checker/CStringChecker.cpp b/lib/Checker/CStringChecker.cpp

index a883c32d9299dfc87c85af17bc52b74eb7f1c3a7..bb40b04bb1a0d209deb267e329cd72cd913d8f5c 100644 (file)
--- a/lib/Checker/CStringChecker.cpp
+++ b/lib/Checker/CStringChecker.cpp
@@ -221,14 +221,16 @@ const GRState *CStringChecker::CheckBufferAccess(CheckerContext &C,
                                                    *Length, One, SizeTy));
  
    // Check that the first buffer is sufficently long.
-  Loc BufStart = cast<Loc>(SV.EvalCast(BufVal, PtrTy, FirstBuf->getType()));
-  SVal BufEnd
-    = SV.EvalBinOpLN(state, BinaryOperator::Add, BufStart, LastOffset, PtrTy);
-  state = CheckLocation(C, state, FirstBuf, BufEnd);
+  SVal BufStart = SV.EvalCast(BufVal, PtrTy, FirstBuf->getType());
+  if (Loc *BufLoc = dyn_cast<Loc>(&BufStart)) {
+    SVal BufEnd = SV.EvalBinOpLN(state, BinaryOperator::Add, *BufLoc,
+                                 LastOffset, PtrTy);
+    state = CheckLocation(C, state, FirstBuf, BufEnd);
  
-  // If the buffer isn't large enough, abort.
-  if (!state)
-    return NULL;
+    // If the buffer isn't large enough, abort.
+    if (!state)
+      return NULL;
+  }
  
    // If there's a second buffer, check it as well.
    if (SecondBuf) {
@@ -237,10 +239,12 @@ const GRState *CStringChecker::CheckBufferAccess(CheckerContext &C,
      if (!state)
        return NULL;
  
-    BufStart = cast<Loc>(SV.EvalCast(BufVal, PtrTy, SecondBuf->getType()));
-    BufEnd
-      = SV.EvalBinOpLN(state, BinaryOperator::Add, BufStart, LastOffset, PtrTy);
-    state = CheckLocation(C, state, SecondBuf, BufEnd);
+    BufStart = SV.EvalCast(BufVal, PtrTy, SecondBuf->getType());
+    if (Loc *BufLoc = dyn_cast<Loc>(&BufStart)) {
+      SVal BufEnd = SV.EvalBinOpLN(state, BinaryOperator::Add, *BufLoc,
+                                   LastOffset, PtrTy);
+      state = CheckLocation(C, state, SecondBuf, BufEnd);
+    }
    }
  
    // Large enough or not, return this state!
diff --git a/test/Analysis/bstring.c b/test/Analysis/bstring.c

index 418b3233003cb0f6d1d42bc1ec7bb2ac1b5a0e79..ae9ba4f973eb096e5dca9a04dd88da12e2919269 100644 (file)
--- a/test/Analysis/bstring.c
+++ b/test/Analysis/bstring.c
@@ -246,6 +246,12 @@ void memcmp6 (char *a, char *b, size_t n) {
      (void)*(char*)0; // expected-warning{{null}}
  }
  
+int memcmp7 (char *a, size_t x, size_t y, size_t n) {
+  // We used to crash when either of the arguments was unknown.
+  return memcmp(a, &a[x*y], n) +
+         memcmp(&a[x*y], a, n);
+}
+
  //===----------------------------------------------------------------------===
  // bcopy()
  //===----------------------------------------------------------------------===
author	Jordy Rose <jediknil@belkadan.com>
	Thu, 5 Aug 2010 23:11:30 +0000 (23:11 +0000)
committer	Jordy Rose <jediknil@belkadan.com>
	Thu, 5 Aug 2010 23:11:30 +0000 (23:11 +0000)
lib/Checker/CStringChecker.cpp		patch \| blob \| history
test/Analysis/bstring.c		patch \| blob \| history