Open llvmbot opened 6 years ago
Experimental loop unrolling might help:
```
-analyzer-config unroll-loops=true
```
And you'll need to bump MAXIMUM_STEP_UNROLLED in LoopUnrolling.cpp (I guess it was never exposed in the analyzer config) or decrease the loop limit to ~100.
Then the bug would be found:
```
test.cpp:4:15: warning: Access out-of-bound array element (buffer overflow)
  buffer[i] = 23; // accessing elements till 199 bytes --- overflow
test.cpp:3:3: note: Loop condition is true. Entering loop body
  for (int i = 0; i < 200; i++)
  ^
test.cpp:3:3: note: Loop condition is true. Entering loop body
test.cpp:3:3: note: Loop condition is true. Entering loop body
test.cpp:3:3: note: Loop condition is true. Entering loop body
test.cpp:3:3: note: Loop condition is true. Entering loop body
test.cpp:3:3: note: Loop condition is true. Entering loop body
test.cpp:3:3: note: Loop condition is true. Entering loop body
test.cpp:3:3: note: Loop condition is true. Entering loop body
test.cpp:3:3: note: Loop condition is true. Entering loop body
test.cpp:3:3: note: Loop condition is true. Entering loop body
test.cpp:3:3: note: Loop condition is true. Entering loop body
test.cpp:4:15: note: Access out-of-bound array element (buffer overflow)
  buffer[i] = 23; // accessing elements till 199 bytes --- overflow
  ~~~~~~~~~ ^
```
But, again, this isn't a very efficient way of finding this sort of bug; they require a different sort of analysis.
assigned to @devincoughlin
Extended Description
scan-build is not able to detect a simple buffer overflow even with experimental checkers ON [see attached file]. It uses a simple loop
```cpp
int main() {
  int * buffer = new int[10]; // allocate 10 ints (elements, not bytes)
  for(int i=0;i<200;i++)
    buffer[i] =23; // accessing elements till 199 bytes --- overflow
}
```
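To make the defect in the report concrete without actually corrupting the heap, here is an added example (not the reporter's attached file and not analyzer code) that keeps the report's numbers, a 10-element allocation and a 200-iteration loop, and shows the same loop in a bounds-checked form next to a safe count of how many iterations would overrun. The function names and the constants are assumptions made for the example.

```cpp
#include <cstddef>
#include <stdexcept>
#include <vector>

// Constructed to match the report: 10 elements allocated, loop runs to 200.
constexpr std::size_t kElems = 10;
constexpr int kLoopBound = 200;

// Mirrors the shape of the reporter's loop but only counts the indices that
// fall outside [0, elems) instead of writing through them, so it is safe to
// run. For the report's values this is 190 (indices 10..199).
std::size_t count_out_of_bounds(std::size_t elems, int loop_bound) {
    std::size_t oob = 0;
    for (int i = 0; i < loop_bound; i++) {
        if (i < 0 || static_cast<std::size_t>(i) >= elems) ++oob;
    }
    return oob;
}

// Hardened form of the same loop: std::vector owns the storage and at()
// throws std::out_of_range on the first index past the end, so the write
// never reaches memory outside the allocation. Returns how many elements
// were actually written.
std::size_t fill_checked(std::vector<int>& buffer, int loop_bound, int value) {
    std::size_t written = 0;
    try {
        for (int i = 0; i < loop_bound; i++) {
            buffer.at(static_cast<std::size_t>(i)) = value;
            ++written;
        }
    } catch (const std::out_of_range&) {
        // Stop at the boundary instead of overrunning the buffer.
    }
    return written;
}

int main() {
    std::vector<int> buffer(kElems);
    std::size_t written = fill_checked(buffer, kLoopBound, 23);
    std::size_t oob = count_out_of_bounds(kElems, kLoopBound);
    // Expect 10 elements written and 190 iterations that would have overrun.
    return (written == kElems && oob == kLoopBound - kElems) ? 0 : 1;
}
```

The static analyzer only sees the overrun once it has unrolled past the tenth iteration, which is why the comment above suggests raising the unrolling limit or shrinking the loop; the runtime check here fails on the very first out-of-bounds index regardless of the loop bound.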