llvm / llvm-project

The LLVM Project is a collection of modular and reusable compiler and toolchain technologies.
http://llvm.org

clang-analyzer-alpha.security.ReturnPtrRange bug #28075

Open llvmbot opened 8 years ago

llvmbot commented 8 years ago
Bugzilla Link 27701
Version unspecified
OS Linux
Attachments file
Reporter LLVM Bugzilla Contributor
CC @EugeneZelenko

Extended Description

I am not sure if it's a bug or not, but I got this warning after running a small boost program

```
/usr/include/boost/lexical_cast/detail/converter_lexical_streams.hpp:170:17: warning: Returned pointer value points outside the original object (potential buffer overflow) [clang-analyzer-alpha.security.ReturnPtrRange]
                return finish;
                ^
/home/bpol0225/demo/test2.cc:5:14: note: Calling 'lexical_cast'
    auto s = boost::lexical_cast(42);
             ^
/usr/include/boost/lexical_cast.hpp:41:14: note: Calling 'try_lexical_convert'
        if (!boost::conversion::detail::try_lexical_convert(arg, result)) {
             ^
/usr/include/boost/lexical_cast/try_lexical_convert.hpp:173:20: note: Calling 'lexical_converter_impl::try_convert'
            return caster_type::try_convert(arg, result);
                   ^
/usr/include/boost/lexical_cast/detail/converter_lexical.hpp:476:17: note: Taking false branch
            if (!(i_interpreter.operator <<(arg)))
                ^
/usr/include/boost/lexical_cast/detail/converter_lexical.hpp:479:64: note: Calling 'lexical_istream_limited_src::cend'
            o_interpreter_type out(i_interpreter.cbegin(), i_interpreter.cend());
                                                           ^
/usr/include/boost/lexical_cast/detail/converter_lexical_streams.hpp:170:17: note: Returned pointer value points outside the original object (potential buffer overflow)
                return finish;
                ^
```

llvmbot commented 5 years ago

This ticket is thus a duplicate of llvm/llvm-project#25600.

llvmbot commented 5 years ago

I created a minimal example with CReduce:

```cpp
// Reduced test case. The angle brackets of the template header and of the
// `b<d>` instantiation were lost in extraction; they are restored here from
// the use of `a` as the array bound and `d` as the only declared constant.
template <long a> class b {
  int buffer[a];
  int *c;

public:
  b() : c(buffer + a) {}   // c is one past the end of buffer
  int *e() { return c; }   // returns that past-the-end pointer: what the checker reports
};
const long d = 1;
void g() {
  b<d> f;
  f.e();
}
```

The checker message is right: a pointer is returned which points after the end of the buffer. However, the corresponding fragment of the original code base is this:

```cpp
const CharT* start;
const CharT* finish;

public:
    lexical_istream_limited_src()
      : start(buffer)
      , finish(buffer + CharacterBufferSize)
    {}

    const CharT* cbegin() const {
        return start;
    }

    const CharT* cend() const {
        return finish;
    }
```

The returned pointer defines the "end()" iterator, so the report seems to be a false positive.

My goal is to move alpha.security.ReturnPtrRange checker out from alpha state. Can a non-alpha checker afford such a false positive or should this be fixed somehow?
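The distinction the comment above turns on, shown as an added example (not code from the bug report, from Boost, or from the checker): a class that, like `lexical_istream_limited_src`, keeps a `buffer + N` pointer and returns it from `cend()`. Forming and comparing a one-past-the-end pointer is well-defined C++ and is exactly what `end()` iterators are for; reading through it is the actual overflow. The consumer-side checks below make that boundary explicit. `CharRange`, `count_chars`, `range_size` and `read_at` are names chosen for this example.

```cpp
#include <cstddef>
#include <cstdio>

// Added example: a fixed buffer whose cend() returns buffer + N, the same
// past-the-end pointer shape that alpha.security.ReturnPtrRange reports in
// the Boost trace above. Holding and comparing that pointer is legal; only
// dereferencing it would be a buffer overflow.
template <std::size_t N>
class CharRange {
    char buffer[N];
    const char* start;
    const char* finish;

public:
    CharRange() : start(buffer), finish(buffer + N) {
        for (std::size_t i = 0; i < N; ++i)
            buffer[i] = static_cast<char>('a' + i % 26);  // constructed sample content
    }

    const char* cbegin() const { return start; }
    // One past the last element: a valid pointer value that must never be read.
    const char* cend() const { return finish; }

    // Half-open check a caller must apply before reading: cend() is excluded.
    bool dereferenceable(const char* p) const { return p >= start && p < finish; }
};

// Walk the range the way an STL algorithm would: compare against cend(),
// never read through it. Returns the number of elements visited.
template <std::size_t N>
std::size_t count_chars(const CharRange<N>& r) {
    std::size_t n = 0;
    for (const char* p = r.cbegin(); p != r.cend(); ++p) ++n;
    return n;
}

// Size from pointer difference: the legitimate use of a past-the-end pointer.
template <std::size_t N>
std::ptrdiff_t range_size(const CharRange<N>& r) {
    return r.cend() - r.cbegin();
}

// Bounds-checked read. Index N (the cend() position) is rejected rather
// than read, which is the overflow the checker is worried about.
template <std::size_t N>
bool read_at(const CharRange<N>& r, std::size_t i, char& out) {
    if (i >= static_cast<std::size_t>(range_size(r))) return false;
    out = r.cbegin()[i];
    return true;
}

// Exercises the range with N = 8 and returns true if every check holds.
bool self_check() {
    CharRange<8> r;
    char c = 0;
    return range_size(r) == 8
        && count_chars(r) == 8
        && r.dereferenceable(r.cbegin())
        && !r.dereferenceable(r.cend())
        && read_at(r, 7, c) && c == 'h'
        && !read_at(r, 8, c);
}

int main() {
    std::printf("range checks %s\n", self_check() ? "passed" : "FAILED");
    return self_check() ? 0 : 1;
}
```

The checker sees `return finish;` with `finish == buffer + N` and has no way to know the caller treats the value as a sentinel; whether a non-alpha checker can tolerate that is precisely the question posed above. A consumer that applies the half-open check in `dereferenceable` (or iterates with `!=` against `cend()`) never touches the byte past the buffer.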

llvmbot commented 8 years ago

preprocessed file is too large to include https://drive.google.com/file/d/0B72TmzNsY6Z8aE1XaUZsa0YxeTA/view?usp=sharing

Huge test cases don't make it easy to debug issues. Could you reduce the test case (e.g. using creduce)?

llvmbot commented 8 years ago

preprocessed file is too large to include https://drive.google.com/file/d/0B72TmzNsY6Z8aE1XaUZsa0YxeTA/view?usp=sharing

llvmbot commented 8 years ago

assigned to @tkremenek