checkedc / checkedc-llvm-project

This was a fork of Checked C clang used from 2021-2024. The changes have been merged into the original Checked C clang repo, which is now at https://github.com/checkedc/checkedc-clang.
https://www.checkedc.org

Bounds checking for pointer dereferences and array subscripts #1172

Closed secure-sw-dev-bot closed 2 years ago

secure-sw-dev-bot commented 2 years ago

This issue was copied from https://github.com/microsoft/checkedc-clang/issues/1176

This PR updates bounds validation to handle the following cases:

  1. Validate the bounds of a pointer dereference *p or array subscript p[i].
  2. Account for uses of pointer dereferences and array subscripts in observed bounds.

The behavior for synthesizing member expressions whose bounds depend on a member expression that is being modified via an assignment has been extended: we now synthesize member expressions whose bounds depend on an lvalue expression that uses a member expression to update memory via an assignment. For example:

struct S {
  _Array_ptr<int> f : count(*ptr_to_len);   // the bounds of f are read through ptr_to_len
  _Array_ptr<int> ptr_to_len : count(10);
};

void f(struct S *s) {
  *s->ptr_to_len = 0;   // writes the memory that the bounds of s->f depend on
}

The lvalue expression *s->ptr_to_len uses the member expression s->ptr_to_len to write to memory. We synthesize the member expression s->f, whose declared bounds, bounds(s->f, s->f + *s->ptr_to_len), depend on *s->ptr_to_len.

There is also a minor fix included in this PR that the pointer bounds checking depends on: in PreorderAST, the canonical form of e1[e2] is now *(e1 + e2 + 0) rather than *(e1 + e2). This enables bounds validation to treat expressions such as p[i] and *(p + i) as equivalent, since PreorderAST canonicalizes *(p + i) to *(p + i + 0).
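
The two kinds of check the PR validates, modelled in plain C as an added example (this is not code from the PR or from checkedc-clang; the helper names, the address-range representation of bounds and the sample data are assumptions made for the illustration): every access through s->f is checked against bounds(s->f, s->f + *s->ptr_to_len), the write *s->ptr_to_len = 0 is itself a dereference checked against count(10), and the same subscript of s->f that passes before that write fails after it, because the declared bounds of s->f depend on the value the write changed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Plain-C stand-in for the struct in the PR. Checked C carries the bounds as
 * annotations (f : count(*ptr_to_len), ptr_to_len : count(10)); plain C has
 * none, so this example models them by hand. Helper names are invented. */
struct S {
    int *f;
    int *ptr_to_len;
};

/* bounds(lo, hi) as a half-open address range [lo, hi). */
struct bounds { uintptr_t lo, hi; };

/* Declared bounds of s->f: bounds(s->f, s->f + *s->ptr_to_len). They depend on
 * memory reached through s->ptr_to_len, so a write through *s->ptr_to_len
 * changes what s->f may access. */
static struct bounds bounds_of_f(const struct S *s)
{
    struct bounds b;
    int n = *s->ptr_to_len;
    b.lo = (uintptr_t)s->f;
    b.hi = n > 0 ? b.lo + (uintptr_t)n * sizeof(int) : b.lo; /* n <= 0: empty */
    return b;
}

/* Declared bounds of s->ptr_to_len: bounds(s->ptr_to_len, s->ptr_to_len + 10). */
static struct bounds bounds_of_ptr_to_len(const struct S *s)
{
    struct bounds b;
    b.lo = (uintptr_t)s->ptr_to_len;
    b.hi = b.lo + 10 * sizeof(int);
    return b;
}

/* Dynamic check for base[i], i.e. *(base + i): the whole int at that address
 * must lie inside [lo, hi). Integer arithmetic, so a bad index never forms an
 * invalid pointer before the check runs. */
static int access_in_bounds(struct bounds b, const int *base, size_t i)
{
    uintptr_t addr = (uintptr_t)base + (uintptr_t)i * sizeof(int);
    return addr >= b.lo && addr + sizeof(int) <= b.hi;
}

/* s->f[i] guarded by the bounds of s->f: returns 1 and stores the value, or 0
 * if the access would fall outside the declared bounds. */
int checked_read(const struct S *s, size_t i, int *out)
{
    if (!access_in_bounds(bounds_of_f(s), s->f, i))
        return 0;
    *out = s->f[i];
    return 1;
}

/* *s->ptr_to_len = n is itself a dereference (case 1 in the PR), so it is
 * checked against count(10) before it may change the bounds of s->f. */
int checked_set_len(struct S *s, int n)
{
    if (!access_in_bounds(bounds_of_ptr_to_len(s), s->ptr_to_len, 0))
        return 0;
    *s->ptr_to_len = n;
    return 1;
}

/* Constructed sample data: a 10-int buffer and a 10-int table whose slot 0
 * holds the buffer's length, so ptr_to_len genuinely has count(10). */
static int buf[10] = { 0, 0, 0, 42, 0, 0, 0, 0, 0, 0 };
static int lens[10];

/* Set *ptr_to_len to n, then try to read buf[i] through the struct. */
int read_with_count(int n, size_t i)
{
    struct S s = { buf, lens };
    int v = 0;
    checked_set_len(&s, n);
    return checked_read(&s, i, &v);
}

/* The PR's scenario: s->f[3] is readable while *s->ptr_to_len is 10 and stops
 * being readable once *s->ptr_to_len = 0 shrinks the bounds of s->f to
 * bounds(s->f, s->f + 0). Returns how many of the two reads passed. */
int demo_shrinking_count(void)
{
    struct S s = { buf, lens };
    int v = 0, passed = 0;
    checked_set_len(&s, 10);
    passed += checked_read(&s, 3, &v);
    checked_set_len(&s, 0); /* the assignment in the PR's example */
    passed += checked_read(&s, 3, &v);
    return passed;
}

int main(void)
{
    printf("reads that passed the bounds check: %d\n", demo_shrinking_count());
    return 0;
}
```

The example keeps every check at run time so that the effect of the write on the bounds of s->f is observable; the PR itself is about validating the same bounds at compile time, which is why it has to synthesize s->f when *s->ptr_to_len is assigned.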

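The canonicalization described in the last paragraph, as a toy reimplementation added here (not the PreorderAST code in checkedc-clang; the tree layout, the sorted-sum representation and the sample expressions are invented for the example): subscripts and dereferences are both rewritten to a dereference of a flattened sum that always carries a constant term, so p[i], *(p + i) and *(i + p + 0) become structurally equal while p[i + 1] and *p do not.

```c
#include <stddef.h>
#include <string.h>

/* Toy expression tree; only the shapes in the PR's examples are modelled. */
enum kind { K_VAR, K_CONST, K_ADD, K_DEREF, K_SUBSCRIPT };
struct expr {
    enum kind kind;
    const char *name;        /* K_VAR */
    long value;              /* K_CONST */
    const struct expr *lhs;  /* K_ADD left; K_DEREF operand; K_SUBSCRIPT base */
    const struct expr *rhs;  /* K_ADD right; K_SUBSCRIPT index */
};

/* Canonical sum: sorted variable names plus one constant term, so p + i,
 * i + p and p + i + 0 all canonicalise alike. ok is cleared for unmodelled shapes. */
#define MAX_TERMS 8
struct sum { const char *vars[MAX_TERMS]; int nvars; long constant; int ok; };

/* Canonical expression: a sum, or a dereference of a sum. */
struct canon { int deref; struct sum s; };

static void sum_add_var(struct sum *s, const char *name)
{
    int i;
    if (s->nvars == MAX_TERMS) { s->ok = 0; return; }
    for (i = s->nvars++; i > 0 && strcmp(s->vars[i - 1], name) > 0; i--)
        s->vars[i] = s->vars[i - 1];   /* keep vars[] sorted */
    s->vars[i] = name;
}

static struct sum sum_merge(struct sum a, struct sum b)
{
    for (int i = 0; i < b.nvars; i++)
        sum_add_var(&a, b.vars[i]);
    a.constant += b.constant;
    a.ok = a.ok && b.ok;
    return a;
}

/* Flatten an addend into a canonical sum. */
static struct sum canon_sum(const struct expr *e)
{
    struct sum s = { {0}, 0, 0, 1 };
    switch (e->kind) {
    case K_VAR:   sum_add_var(&s, e->name); break;
    case K_CONST: s.constant = e->value; break;
    case K_ADD:   s = sum_merge(canon_sum(e->lhs), canon_sum(e->rhs)); break;
    default:      s.ok = 0; break;   /* a dereference used as an addend */
    }
    return s;
}

/* e1[e2] becomes *(e1 + e2 + 0) and *(e) becomes *(canonical e). The constant
 * term is always present, which is what lets p[i] and *(p + i) compare equal. */
static struct canon canon_expr(const struct expr *e)
{
    struct canon c = { 0, { {0}, 0, 0, 1 } };
    switch (e->kind) {
    case K_SUBSCRIPT: c.deref = 1; c.s = sum_merge(canon_sum(e->lhs), canon_sum(e->rhs)); break;
    case K_DEREF:     c.deref = 1; c.s = canon_sum(e->lhs); break;
    default:          c.s = canon_sum(e); break;
    }
    return c;
}

/* Structural equality of two canonical forms. */
static int canon_equal(struct canon a, struct canon b)
{
    if (!a.s.ok || !b.s.ok || a.deref != b.deref ||
        a.s.nvars != b.s.nvars || a.s.constant != b.s.constant)
        return 0;
    for (int i = 0; i < a.s.nvars; i++)
        if (strcmp(a.s.vars[i], b.s.vars[i]) != 0)
            return 0;
    return 1;
}

/* Do e1 and e2 denote the same access once canonicalised? */
int same_access(const struct expr *e1, const struct expr *e2)
{
    return canon_equal(canon_expr(e1), canon_expr(e2));
}

/* Constructed sample expressions, built by hand rather than parsed. */
static const struct expr P    = { K_VAR, "p", 0, NULL, NULL };
static const struct expr I    = { K_VAR, "i", 0, NULL, NULL };
static const struct expr ZERO = { K_CONST, NULL, 0, NULL, NULL };
static const struct expr ONE  = { K_CONST, NULL, 1, NULL, NULL };
static const struct expr P_PLUS_I   = { K_ADD, NULL, 0, &P, &I };
static const struct expr I_PLUS_P   = { K_ADD, NULL, 0, &I, &P };
static const struct expr I_PLUS_P_0 = { K_ADD, NULL, 0, &I_PLUS_P, &ZERO };
static const struct expr I_PLUS_1   = { K_ADD, NULL, 0, &I, &ONE };
const struct expr SUB_P_I        = { K_SUBSCRIPT, NULL, 0, &P, &I };          /* p[i]         */
const struct expr DEREF_P_PLUS_I = { K_DEREF, NULL, 0, &P_PLUS_I, NULL };     /* *(p + i)     */
const struct expr DEREF_I_P_0    = { K_DEREF, NULL, 0, &I_PLUS_P_0, NULL };   /* *(i + p + 0) */
const struct expr SUB_P_I_PLUS_1 = { K_SUBSCRIPT, NULL, 0, &P, &I_PLUS_1 };   /* p[i + 1]     */
const struct expr DEREF_P        = { K_DEREF, NULL, 0, &P, NULL };            /* *p           */
```

Without the trailing constant, p[i] would canonicalize to a sum of two terms and *(p + i + 0) to a sum of three, and bounds validation would treat the same access as two different expressions; appending the 0 to the subscript form is the small fix the PR describes, reproduced here in miniature.
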
secure-sw-dev-bot commented 2 years ago

Comment from @mgrang:

LGTM.