Quuxplusone / LLVMBugzillaTest


clang-analyzer-alpha.security.ReturnPtrRange bug #27700

Open Quuxplusone opened 8 years ago

Quuxplusone commented 8 years ago
Bugzilla Link PR27701
Status NEW
Importance P normal
Reported by Piotr Padlewski (piotr.padlewski@gmail.com)
Reported on 2016-05-10 13:27:51 -0700
Last modified on 2019-08-21 02:46:41 -0700
Version unspecified
Hardware PC Linux
CC alexfh@google.com, djasper@google.com, eugene.zelenko@gmail.com, klimek@google.com, llvm-bugs@lists.llvm.org, tibor.brunner@ericsson.com
Fixed by commit(s)
Attachments test2.cc (119 bytes, text/x-c++src)
Blocks
Blocked by
See also
I am not sure if it's a bug or not, but I got this warning after running a small
boost program

/usr/include/boost/lexical_cast/detail/converter_lexical_streams.hpp:170:17:
warning: Returned pointer value points outside the original object (potential
buffer overflow) [clang-analyzer-alpha.security.ReturnPtrRange]
                return finish;
                ^
/home/bpol0225/demo/test2.cc:5:14: note: Calling 'lexical_cast'
    auto s = boost::lexical_cast<std::string>(42);
             ^
/usr/include/boost/lexical_cast.hpp:41:14: note: Calling 'try_lexical_convert'
        if (!boost::conversion::detail::try_lexical_convert(arg, result)) {
             ^
/usr/include/boost/lexical_cast/try_lexical_convert.hpp:173:20: note: Calling
'lexical_converter_impl::try_convert'
            return caster_type::try_convert(arg, result);
                   ^
/usr/include/boost/lexical_cast/detail/converter_lexical.hpp:476:17: note:
Taking false branch
                if (!(i_interpreter.operator <<(arg)))
                ^
/usr/include/boost/lexical_cast/detail/converter_lexical.hpp:479:64: note:
Calling 'lexical_istream_limited_src::cend'
                o_interpreter_type out(i_interpreter.cbegin(), i_interpreter.cend());
                                                               ^
/usr/include/boost/lexical_cast/detail/converter_lexical_streams.hpp:170:17:
note: Returned pointer value points outside the original object (potential
buffer overflow)
                return finish;
                ^
Quuxplusone commented 8 years ago

Attached test2.cc (119 bytes, text/x-c++src)

Quuxplusone commented 8 years ago
preprocessed file is too large to include
https://drive.google.com/file/d/0B72TmzNsY6Z8aE1XaUZsa0YxeTA/view?usp=sharing
Quuxplusone commented 8 years ago
(In reply to comment #2)
> preprocessed file is too large to include
> https://drive.google.com/file/d/0B72TmzNsY6Z8aE1XaUZsa0YxeTA/view?usp=sharing

Huge test cases don't make it easy to debug issues. Could you reduce the test
case (e.g. using creduce)?
Quuxplusone commented 5 years ago
I created a minimal example with CReduce:

template <int a> class b {
  int buffer[a];
  int *c;

public:
  b() : c(buffer + a) {}
  int *e() { return c; }
};
const long d = 1;
void g() {
  b<d> f;
  f.e();
}

The checker message is right: a pointer is returned which points after the end
of the buffer. However, the corresponding fragment of the original code base is
this:

            const CharT* start;
            const CharT* finish;

        public:
            lexical_istream_limited_src()
              : start(buffer)
              , finish(buffer + CharacterBufferSize)
            {}

            const CharT* cbegin() const {
                return start;
            }

            const CharT* cend() const {
                return finish;
            }

The returned pointer defines the "end()" iterator, so the report seems to be a
false positive.

My goal is to move the alpha.security.ReturnPtrRange checker out of the alpha state.
Can a non-alpha checker afford such a false positive, or should this be fixed
somehow?
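The pattern under discussion, as an added example that is not boost's, LLVM's, or the reporter's code: a fixed buffer whose `finish` pointer is `buffer + N`, digits formatted right to left into the tail of the buffer the way lexical_cast's stream does, and a `cend()` that returns the one-past-the-end pointer. The class name `LimitedSrc`, the helpers `as_string` and `is_dereferenceable`, and the integer formatting are assumptions made for the example; they are not the boost implementation. Forming and returning `buffer + N` is well-defined C++, so the only real bug in this shape is a consumer that reads `*cend()`, which `is_dereferenceable` rejects.

```cpp
#include <cstddef>
#include <string>

// Added example (hypothetical class, not boost's lexical_istream_limited_src):
// a buffer plus [start, finish) pointers where finish == buffer + N.
template <typename CharT, std::size_t N>
class LimitedSrc {
    CharT buffer[N];
    const CharT* start;
    const CharT* finish;

public:
    // Same shape as the flagged constructor: finish points one past the end.
    LimitedSrc() : start(buffer), finish(buffer + N) {}

    // Format an integer right-to-left into the tail of the buffer: finish
    // stays at buffer + N and start walks backwards over the digits.
    explicit LimitedSrc(long v) : start(buffer + N), finish(buffer + N) {
        static_assert(N >= 21, "buffer must hold any 64-bit long with sign");
        unsigned long mag = v < 0 ? 0ul - static_cast<unsigned long>(v)
                                  : static_cast<unsigned long>(v);
        CharT* p = buffer + N;
        do {
            *--p = static_cast<CharT>('0' + mag % 10);
            mag /= 10;
        } while (mag != 0);
        if (v < 0) *--p = static_cast<CharT>('-');
        start = p;
    }

    const CharT* cbegin() const { return start; }

    // This is the return the checker reports: the value equals buffer + N.
    // Returning a one-past-the-end pointer is legal; reading through it is not.
    const CharT* cend() const { return finish; }
};

// Correct consumer: cend() is only a sentinel and is never dereferenced.
template <typename CharT, std::size_t N>
std::basic_string<CharT> as_string(const LimitedSrc<CharT, N>& src) {
    return std::basic_string<CharT>(src.cbegin(), src.cend());
}

// The distinction a precise diagnostic needs: a pointer that is read must lie
// in [cbegin, cend). cend() itself may be held and compared but not read.
// Both comparisons are within one array object, so they are well-defined.
template <typename CharT, std::size_t N>
bool is_dereferenceable(const LimitedSrc<CharT, N>& src, const CharT* p) {
    return src.cbegin() <= p && p < src.cend();
}

int main() {
    LimitedSrc<char, 32> src(-42);
    std::string s = as_string(src);
    bool ok = (s == "-42") && !is_dereferenceable(src, src.cend());
    return ok ? 0 : 1;
}
```

Running `clang-tidy -checks='-*,clang-analyzer-alpha.security.ReturnPtrRange' example.cpp -- -std=c++11` against this file with a clang of the era of this report is expected to produce the same "Returned pointer value points outside the original object" note on the `return finish;` in `cend()`, even though no path in the program reads through that pointer.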
Quuxplusone commented 5 years ago

This ticket is thus a duplicate of https://bugs.llvm.org/show_bug.cgi?id=25226.