From: Ted Kremenek
Date: Fri, 6 Nov 2009 20:16:31 +0000 (+0000)
Subject: Sentence-case bug type, and pull tests from region-only-test.c into misc-ps-region...
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6f516f50e53b621613d281ef186c76c5160d9d35;p=clang

Sentence-case bug type, and pull tests from region-only-test.c into misc-ps-region.store.m (removing an extra unneeded test file). Also add a bunch of FIXME comments for future enhancements.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@86282 91177308-0d34-0410-b5e6-96231b3b80d8
---

diff --git a/lib/Analysis/ReturnPointerRangeChecker.cpp b/lib/Analysis/ReturnPointerRangeChecker.cpp
index 4ca72716a8..181d736199 100644
--- a/lib/Analysis/ReturnPointerRangeChecker.cpp
+++ b/lib/Analysis/ReturnPointerRangeChecker.cpp
@@ -51,10 +51,13 @@ void ReturnPointerRangeChecker::PreVisitReturnStmt(CheckerContext &C,
   const ElementRegion *ER = dyn_cast_or_null(R);
   if (!ER)
-    return;
+    return;
   DefinedOrUnknownSVal &Idx = cast(ER->getIndex());
+  // FIXME: All of this out-of-bounds checking should eventually be refactored into a
+  // common place.
+
   // Zero index is always in bound, this also passes ElementRegions created for
   // pointer casts.
   if (Idx.isZeroConstant())
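Review bot: The context line `DefinedOrUnknownSVal &Idx = cast(ER->getIndex());` binds a non-const reference to whatever `cast` returns for a temporary; if `getIndex()` returns an `SVal` by value (the template argument did not survive this rendering, so I cannot confirm the exact types), `Idx` refers to storage that is gone once that statement ends and every later use in the function reads through a dangling reference. The commit does not touch that line, but it adds a FIXME right below it, so the by-value form `DefinedOrUnknownSVal Idx = cast<DefinedOrUnknownSVal>(ER->getIndex());` would fit naturally in this hunk and removes the lifetime question entirely. The added FIXME also runs past 80 columns, which the LLVM coding standard disallows; wrap it after `refactored`. PreVisitReturnStmt starts before and continues after this hunk.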
@@ -72,15 +75,21 @@ void ReturnPointerRangeChecker::PreVisitReturnStmt(CheckerContext &C,
   if (!N)
     return;
+  // FIXME: This bug correspond to CWE-466. Eventually we should have bug types explicitly
+  // reference such exploit categories (when applicable).
   if (!BT)
-    BT = new BuiltinBug("Return of Pointer Value Outside of Expected Range");
-
+    BT = new BuiltinBug("Return of pointer value outside of expected range",
+                        "Returned pointer value points outside the original object (potential buffer overflow)");
+
+  // FIXME: It would be nice to eventually make this diagnostic more clear, e.g., by referencing
+  // the original declaration or by saying *why* this reference is outside the range.
+
   // Generate a report for this bug.
   RangedBugReport *report = new RangedBugReport(*BT, BT->getDescription().c_str(), N);
-  report->addRange(RS->getSourceRange());
-
+  report->addRange(RetE->getSourceRange());
+
   C.EmitReport(report);
   }
 }
diff --git a/test/Analysis/misc-ps-region-store.m b/test/Analysis/misc-ps-region-store.m
index 4cde7726b4..90242abbbd 100644
--- a/test/Analysis/misc-ps-region-store.m
+++ b/test/Analysis/misc-ps-region-store.m
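Review bot: The new comment `// FIXME: This bug correspond to CWE-466.` has a grammar slip (`corresponds`) and, like the second FIXME and the new `BuiltinBug` description line, exceeds LLVM's 80-column limit; wrap the comments and continue the description string literal on its own line. `BT` is allocated with `new` on first use and this hunk shows no matching release; the destructor is outside the hunk, so confirm the checker owns and deletes `BT`, otherwise each analysis run leaks one bug type. Switching the range from `RS` to `RetE` narrows the highlighted source from the whole `return` statement to the returned expression, which matches the new description's wording but changes diagnostic output and deserves a sentence in the commit message. PreVisitReturnStmt starts before this hunk.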
@@ -431,3 +431,26 @@ pr5316_REFRESH_ELEMENT;
 static void pr5316(pr5316_REFRESH_ELEMENT *dst, const pr5316_REFRESH_ELEMENT *src) {
   while ((*dst++ = *src++).chr != L'\0') ;
 }
+
+//===----------------------------------------------------------------------===//
+// Exercise creating ElementRegion with symbolic super region.
+//===----------------------------------------------------------------------===//
+void element_region_with_symbolic_superregion(int* p) {
+  int *x;
+  int a;
+  if (p[0] == 1)
+    x = &a;
+  if (p[0] == 1)
+    (void)*x; // no-warning
+}
+
+//===----------------------------------------------------------------------===//
+// Test returning an out-of-bounds pointer (CWE-466)
+//===----------------------------------------------------------------------===//
+
+static int test_cwe466_return_outofbounds_pointer_a[10];
+int *test_cwe466_return_outofbounds_pointer() {
+  int *p = test_cwe466_return_outofbounds_pointer_a+10;
+  return p; // expected-warning{{Returned pointer value points outside the original object}}
+}
+
diff --git a/test/Analysis/region-only-test.c b/test/Analysis/region-only-test.c
deleted file mode 100644
index b1e70a9054..0000000000
--- a/test/Analysis/region-only-test.c
+++ /dev/null
@@ -1,20 +0,0 @@
-// RUN: clang-cc -analyze -checker-cfref -analyzer-store=region -verify %s
-
-// Region store must be enabled for tests in this file.
-
-// Exercise creating ElementRegion with symbolic super region.
-void foo(int* p) {
-  int *x;
-  int a;
-  if (p[0] == 1)
-    x = &a;
-  if (p[0] == 1)
-    (void)*x; // no-warning
-}
-
-int a[10];
-
-int *f0() {
-  int *p = a+10;
-  return p; // expected-warning{{Return of Pointer Value Outside of Expected Range}}
-}
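Review bot: The moved test `test_cwe466_return_outofbounds_pointer` exercises only the one-past-the-end pointer `a+10`; a pointer formed before the object (`a-1`) or well beyond it (`a+20`) is the same CWE-466 class and would expose an off-by-one or a missing lower-bound comparison in the checker, so one such case beside it would make the regression coverage meaningfully stronger. The `expected-warning` text now matches the `BuiltinBug` description rather than its name, so any rewording of that string in ReturnPointerRangeChecker.cpp silently breaks this test; a comment on the return line such as `// Keep in sync with the BuiltinBug description in ReturnPointerRangeChecker.cpp` makes the coupling visible. The deleted region-only-test.c carried its own `RUN:` line with `-analyzer-store=region`; this file's header is outside the hunk, so confirm it runs with the same store, or the `no-warning` case loses the condition it was written to exercise.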