llvm / llvm-project

The LLVM Project is a collection of modular and reusable compiler and toolchain technologies.
http://llvm.org

[clang-static-analyzer] Missing diagnostic for buffer overflow and allocated size check. #100295

Closed iamanonymouscs closed 4 months ago

iamanonymouscs commented 4 months ago

Clang version

$ clang -v
Ubuntu clang version 19.0.0 (++20240722031324+65825cd5431c-1~exp1~20240722151445.1819)
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/lib/llvm-19/bin
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/11
Selected GCC installation: /usr/lib/gcc/x86_64-linux-gnu/11
Candidate multilib: .;@m64
Selected multilib: .;@m64

It seems that CSA misses the diagnostics for buffer overflow and the allocated-size check. The program is as follows:

#include <stdlib.h>
#include <stdint.h>

void a (void)
{
  int32_t *b = (int32_t *) malloc (3);  // allocation-size: 3 bytes, not 3 * sizeof(int32_t)
  if (b == NULL) exit (1);
  b[0] = 14738;  // out-of-bounds
  b[1] = 26715;  // out-of-bounds
  b[2] = 96321;  // out-of-bounds
  free (b);
}

GCC's analyzer finds these issues. https://godbolt.org/z/nc55zdjG8

CSA can't find these issues. https://godbolt.org/z/aT6rnnhMT

$ clang-tidy program.c 
Error while trying to load a compilation database:
Could not auto-detect compilation database for file "program.c"
No compilation database found in /home/code/analyze or any parent directory
fixed-compilation-database: Error while opening fixed database: No such file or directory
json-compilation-database: Error while opening JSON database: No such file or directory
Running without flags.

Are there any clang options that I might have overlooked?

llvmbot commented 4 months ago

@llvm/issue-subscribers-clang-static-analyzer

Author: Anonymous (iamanonymouscs)

steakhal commented 4 months ago

You need to also enable the alpha.security.ArrayBoundV2 checker. https://godbolt.org/z/1Ynh1YcM6 That is an "alpha" checker, as the diagnostics weren't as good as they are today. But even today, those diagnostics can go wild, so it's not enabled by default. But as far as I'm aware, most tool vendors shipping CSA enable this checker in their default configuration, and CSA is not really suited to be used without some wrapper tool around it to fine-tune the configuration, like scan-build or CodeChecker. Probably using such tools would lead to a fairer comparison if your goal was to compare different static analysis tools.
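
The command line implied by the answer above, as an added shell example that is not from the issue or the LLVM project: it writes the reporter's program to a temporary file, runs clang --analyze with alpha.security.ArrayBoundV2 enabled on top of the default checkers, and counts the out-of-bound warnings. It assumes a clang binary (19 or newer) on PATH; the helper function names are my own.

```shell
#!/bin/sh
# Added example: run the Clang Static Analyzer (CSA) on the program from the
# report with the alpha.security.ArrayBoundV2 checker enabled, as suggested
# in the thread, and check that at least one out-of-bound access is reported.
# Assumes `clang` (19+) is on PATH.

# The reporter's program, written to the given path (constructed inline).
write_program() {
  cat > "$1" <<'EOF'
#include <stdlib.h>
#include <stdint.h>

void a (void)
{
  int32_t *b = (int32_t *) malloc (3);  /* 3 bytes, not 3 * sizeof(int32_t) */
  if (b == NULL) exit (1);
  b[0] = 14738;  /* out of bounds: element 0 alone needs bytes 0..3 */
  b[1] = 26715;
  b[2] = 96321;
  free (b);
}
EOF
}

# Run CSA with the alpha checker added to the default set. -Xclang forwards
# the option to the cc1 front end; --analyze stops after analysis, so no
# object file is produced. Diagnostics go to stderr, merged into stdout here.
run_csa() {
  clang --analyze \
        -Xclang -analyzer-checker=alpha.security.ArrayBoundV2 \
        -Xclang -analyzer-output=text "$1" 2>&1
}

# Count warning lines that mention an out-of-bound access. The checker sinks
# the path after the first report, so expect one warning, not three.
count_oob_warnings() {
  run_csa "$1" | grep -ci 'warning:.*out of bound' || true
}

# Returns 0 when the checker reported the out-of-bounds write, 1 otherwise.
check_program() {
  dir=$(mktemp -d)
  write_program "$dir/program.c"
  n=$(count_oob_warnings "$dir/program.c")
  rm -rf "$dir"
  [ "$n" -ge 1 ]
}
```

Without the -analyzer-checker option the same run prints no warning, which is the behaviour the report describes; the clang-tidy error in the report is unrelated and only says that no compilation database was found (append `--` after the file name to run clang-tidy without one).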

iamanonymouscs commented 4 months ago

> You need to also enable the alpha.security.ArrayBoundV2 checker. https://godbolt.org/z/1Ynh1YcM6 That is an "alpha" checker, as the diagnostics weren't as good as they are today. But even today, those diagnostics can go wild, so it's not enabled by default. But as far as I'm aware, most tool vendors shipping CSA enable this checker in their default configuration, and CSA is not really suited to be used without some wrapper tool around it to fine-tune the configuration, like scan-build or CodeChecker. Probably using such tools would lead to a fairer comparison if your goal was to compare different static analysis tools.

Thank you so much for your advice! :)