[static analyzer] Extend VLA size checking to look for undefined sizes.

llvm-svn: 60734
This commit is contained in:
Ted Kremenek 2008-12-09 00:44:16 +00:00
parent 37c496979c
commit c28ce29a12
4 changed files with 51 additions and 18 deletions

View File

@ -139,13 +139,13 @@ public:
/// MUST be zero or undefined. /// MUST be zero or undefined.
ErrorNodes ExplicitBadDivides; ErrorNodes ExplicitBadDivides;
/// ImplicitZeroSizedVLA - Nodes in the ExplodedGraph that result from /// ImplicitBadSizedVLA - Nodes in the ExplodedGraph that result from
/// constructing a zero-sized VLA where the size may be zero. /// constructing a zero-sized VLA where the size may be zero.
ErrorNodes ImplicitZeroSizedVLA; ErrorNodes ImplicitBadSizedVLA;
/// ExplicitZeroSizedVLA - Nodes in the ExplodedGraph that result from /// ExplicitBadSizedVLA - Nodes in the ExplodedGraph that result from
/// constructing a zero-sized VLA where the size must be zero. /// constructing a zero-sized VLA where the size must be zero.
ErrorNodes ExplicitZeroSizedVLA; ErrorNodes ExplicitBadSizedVLA;
/// UndefResults - Nodes in the ExplodedGraph where the operands are defined /// UndefResults - Nodes in the ExplodedGraph where the operands are defined
/// by the result is not. Excludes divide-by-zero errors. /// by the result is not. Excludes divide-by-zero errors.

View File

@ -1821,6 +1821,14 @@ void GRExprEngine::VisitDeclStmt(DeclStmt* DS, NodeTy* Pred, NodeSet& Dst) {
Expr* SE = VLA->getSizeExpr(); Expr* SE = VLA->getSizeExpr();
SVal Size = GetSVal(St, SE); SVal Size = GetSVal(St, SE);
if (Size.isUndef()) {
if (NodeTy* N = Builder->generateNode(DS, St, Pred)) {
N->markAsSink();
ExplicitBadSizedVLA.insert(N);
}
continue;
}
bool isFeasibleZero = false; bool isFeasibleZero = false;
const GRState* ZeroSt = Assume(St, Size, false, isFeasibleZero); const GRState* ZeroSt = Assume(St, Size, false, isFeasibleZero);
@ -1830,8 +1838,8 @@ void GRExprEngine::VisitDeclStmt(DeclStmt* DS, NodeTy* Pred, NodeSet& Dst) {
if (isFeasibleZero) { if (isFeasibleZero) {
if (NodeTy* N = Builder->generateNode(DS, ZeroSt, Pred)) { if (NodeTy* N = Builder->generateNode(DS, ZeroSt, Pred)) {
N->markAsSink(); N->markAsSink();
if (isFeasibleNotZero) ImplicitZeroSizedVLA.insert(N); if (isFeasibleNotZero) ImplicitBadSizedVLA.insert(N);
else ExplicitZeroSizedVLA.insert(N); else ExplicitBadSizedVLA.insert(N);
} }
} }

View File

@ -40,6 +40,7 @@ ExplodedNode<GRState>* GetNode(GRExprEngine::undef_arg_iterator I) {
namespace { namespace {
class VISIBILITY_HIDDEN BuiltinBug : public BugTypeCacheLocation { class VISIBILITY_HIDDEN BuiltinBug : public BugTypeCacheLocation {
protected:
const char* name; const char* name;
const char* desc; const char* desc;
public: public:
@ -332,26 +333,45 @@ public:
} }
}; };
class VISIBILITY_HIDDEN ZeroSizeVLA : public BuiltinBug { class VISIBILITY_HIDDEN BadSizeVLA : public BuiltinBug {
public: public:
ZeroSizeVLA() : BuiltinBug("Zero-sized VLA", BadSizeVLA() : BuiltinBug("Zero-sized VLA",
"VLAs with zero-size are undefined.") {} "VLAs with zero-size are undefined.") {}
virtual void EmitBuiltinWarnings(BugReporter& BR, GRExprEngine& Eng) { virtual void EmitBuiltinWarnings(BugReporter& BR, GRExprEngine& Eng) {
for (GRExprEngine::ErrorNodes::iterator for (GRExprEngine::ErrorNodes::iterator
I = Eng.ExplicitZeroSizedVLA.begin(), I = Eng.ExplicitBadSizedVLA.begin(),
E = Eng.ExplicitZeroSizedVLA.end(); I!=E; ++I) { E = Eng.ExplicitBadSizedVLA.end(); I!=E; ++I) {
// Generate a report for this bug. // Determine whether this was a 'zero-sized' VLA or a VLA with an
PostStmt PS = cast<PostStmt>((*I)->getLocation()); // undefined size.
GRExprEngine::NodeTy* N = *I;
PostStmt PS = cast<PostStmt>(N->getLocation());
DeclStmt *DS = cast<DeclStmt>(PS.getStmt()); DeclStmt *DS = cast<DeclStmt>(PS.getStmt());
VarDecl* VD = cast<VarDecl>(*DS->decl_begin()); VarDecl* VD = cast<VarDecl>(*DS->decl_begin());
QualType T = Eng.getContext().getCanonicalType(VD->getType()); QualType T = Eng.getContext().getCanonicalType(VD->getType());
VariableArrayType* VT = cast<VariableArrayType>(T); VariableArrayType* VT = cast<VariableArrayType>(T);
Expr* SizeExpr = VT->getSizeExpr();
RangedBugReport report(*this, *I); std::string buf;
report.addRange(VT->getSizeExpr()->getSourceRange()); llvm::raw_string_ostream os(buf);
os << "The expression used to specify the number of elements in the VLA '"
<< VD->getNameAsString() << "' evaluates to ";
SVal X = Eng.getStateManager().GetSVal(N->getState(), SizeExpr);
if (X.isUndef()) {
name = "Undefined size for VLA";
os << "an undefined or garbage value.";
}
else {
name = "Zero-sized VLA";
os << " to 0. VLAs with no elements have undefined behavior.";
}
desc = os.str().c_str();
RangedBugReport report(*this, N);
report.addRange(SizeExpr->getSourceRange());
// Emit the warning. // Emit the warning.
BR.EmitWarning(report); BR.EmitWarning(report);
@ -430,6 +450,6 @@ void GRExprEngine::RegisterInternalChecks() {
Register(new BadMsgExprArg()); Register(new BadMsgExprArg());
Register(new BadReceiver()); Register(new BadReceiver());
Register(new OutOfBoundMemoryAccess()); Register(new OutOfBoundMemoryAccess());
Register(new ZeroSizeVLA()); Register(new BadSizeVLA());
AddCheck(new CheckAttrNonNull(), Stmt::CallExprClass); AddCheck(new CheckAttrNonNull(), Stmt::CallExprClass);
} }

View File

@ -79,6 +79,11 @@ void check_zero_sized_VLA(int x) {
if (x) if (x)
return; return;
int vla[x]; // expected-warning{{VLAs with zero-size are undefined}} int vla[x]; // expected-warning{{VLAs with no elements have undefined behavior}}
}
void check_uninit_sized_VLA() {
int x;
int vla[x]; // expected-warning{{The expression used to specify the number of elements in the VLA 'vla' evaluates to an undefined or garbage value.}}
} }