From f3b50dc6b231b8aef0d46a3f53315f428e948092 Mon Sep 17 00:00:00 2001 From: George Karpenkov Date: Sat, 31 Mar 2018 01:20:08 +0000 Subject: [PATCH] [analyzer] Fix assertion crash in CStringChecker An offset might be unknown. rdar://39054939 Differential Revision: https://reviews.llvm.org/D45115 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@328912 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/StaticAnalyzer/Checkers/CStringChecker.cpp | 13 ++++++++----- test/Analysis/string.c | 11 +++++++++++ 2 files changed, 19 insertions(+), 5 deletions(-) diff --git a/lib/StaticAnalyzer/Checkers/CStringChecker.cpp b/lib/StaticAnalyzer/Checkers/CStringChecker.cpp index bd4033784e..a906ee63af 100644 --- a/lib/StaticAnalyzer/Checkers/CStringChecker.cpp +++ b/lib/StaticAnalyzer/Checkers/CStringChecker.cpp @@ -395,8 +395,10 @@ ProgramStateRef CStringChecker::CheckBufferAccess(CheckerContext &C, // Compute the offset of the last element to be accessed: size-1. NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs(); - NonLoc LastOffset = svalBuilder - .evalBinOpNN(state, BO_Sub, *Length, One, sizeTy).castAs(); + SVal Offset = svalBuilder.evalBinOpNN(state, BO_Sub, *Length, One, sizeTy); + if (Offset.isUnknown()) + return nullptr; + NonLoc LastOffset = Offset.castAs(); // Check that the first buffer is sufficiently long. SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType()); @@ -862,9 +864,10 @@ bool CStringChecker::IsFirstBufInBound(CheckerContext &C, // Compute the offset of the last element to be accessed: size-1. NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs(); - NonLoc LastOffset = - svalBuilder.evalBinOpNN(state, BO_Sub, *Length, One, sizeTy) - .castAs(); + SVal Offset = svalBuilder.evalBinOpNN(state, BO_Sub, *Length, One, sizeTy); + if (Offset.isUnknown()) + return true; // cf top comment + NonLoc LastOffset = Offset.castAs(); // Check that the first buffer is sufficiently long. SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType()); diff --git a/test/Analysis/string.c b/test/Analysis/string.c index 8ea2068c56..5bfa31e732 100644 --- a/test/Analysis/string.c +++ b/test/Analysis/string.c @@ -30,6 +30,7 @@ typedef typeof(sizeof(int)) size_t; void clang_analyzer_eval(int); int scanf(const char *restrict format, ...); +void *memcpy(void *, const void *, unsigned long); //===----------------------------------------------------------------------=== // strlen() @@ -1173,6 +1174,7 @@ void strcat_symbolic_src_length(char *src) { clang_analyzer_eval(strlen(dst) >= 4); // expected-warning{{UNKNOWN}} } + // The analyzer_eval call below should evaluate to true. Most likely the same // issue as the test above. void strncpy_exactly_matching_buffer2(char *y) { @@ -1185,3 +1187,12 @@ void strncpy_exactly_matching_buffer2(char *y) { // This time, we know that y fits in x anyway. clang_analyzer_eval(strlen(x) <= 3); // expected-warning{{UNKNOWN}} } + +struct S { + char f; +}; + +void nocrash_on_locint_offset(void *addr, void* from, struct S s) { + int iAdd = (int) addr; + memcpy(((void *) &(s.f)), from, iAdd); +} -- 2.40.0