From: Donát Nagy <donat.n...@ericsson.com>
In-Reply-To: <llvm.org/llvm/llvm-project/pull/78...@github.com>
================ 
@@ -318,17 +403,95 @@ static Messages getTaintMsgs(const SubRegion *Region, const char *OffsetName) { RegName, OffsetName)}; } -void ArrayBoundCheckerV2::performCheck(const Expr *E, CheckerContext &C) const { - // NOTE: Instead of using ProgramState::assumeInBound(), we are prototyping - // some new logic here that reasons directly about memory region extents. - // Once that logic is more mature, we can bring it back to assumeInBound() - // for all clients to use. - // - // The algorithm we are using here for bounds checking is to see if the - // memory access is within the extent of the base region. Since we - // have some flexibility in defining the base region, we can achieve - // various levels of conservatism in our buffer overflow checking. +const NoteTag *StateUpdateReporter::createNoteTag(CheckerContext &C) const { + // Don't create a note tag if we didn't assume anything: + if (!AssumedNonNegative && !AssumedUpperBound) + return nullptr; + + return C.getNoteTag([*this](PathSensitiveBugReport &BR) -> std::string { + return getMessage(BR); + }); +} + +std::string StateUpdateReporter::getMessage(PathSensitiveBugReport &BR) const { + bool ShouldReportNonNegative = AssumedNonNegative; + if (!providesInformationAboutInteresting(ByteOffsetVal, BR)) { + if (AssumedUpperBound && + providesInformationAboutInteresting(*AssumedUpperBound, BR)) { + // Even if the byte offset isn't interesting (e.g. it's a constant value), + // the assumption can still be interesting if it provides information + // about an interesting symbolic upper bound. + // FIXME: This code path is currently non-functional and untested because + // `getSimplifiedOffsets()` only works when the RHS (extent) is constant.
----------------
NagyDonat wrote:

This `FIXME` is inaccurate; it seems that I'll be able to test this code path in TCs where the LHS (=index) is constant and the RHS (=extent) is a symbolic value.
(It's true that `getSimplifiedOffsets()` only works when the RHS (extent) is constant, but this doesn't block this kind of testing. Previously I thought that the lack of `getSimplifiedOffsets()` caused the lack of a warning in a TC with a non-constant RHS, but it turns out that there the lack of warning was caused by an unrelated issue (too eager garbage collection of constraints).)

https://github.com/llvm/llvm-project/pull/78315

_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
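Review bot: the FIXME that closes the hunk ("This code path is currently non-functional and untested because `getSimplifiedOffsets()` only works when the RHS (extent) is constant") gives the wrong reason for the path being untested, as the comment above points out: the branch is reachable when the index is constant and the extent is a symbolic value, so reword the comment to describe that case and add a test case that exercises it rather than leaving the branch marked untested. Two smaller points on the same hunk: the lambda passed to `C.getNoteTag` captures `*this` by value, which is the right choice for a reporter object that does not outlive the callback, but a one-line comment saying the copy is intentional would save the next reader from wondering whether a reference capture was meant; and the NOTE block removed from the top of `performCheck` (the explanation that the checker reasons directly about memory region extents rather than going through `ProgramState::assumeInBound()`) disappears without a replacement anywhere in this hunk, so if that rationale still applies to the new implementation, move it there instead of dropping it.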