================
@@ -1042,10 +1049,29 @@ SVal CStringChecker::getCStringLength(CheckerContext
&C, ProgramStateRef &state,
case MemRegion::CompoundLiteralRegionKind:
// FIXME: Can we track this? Is it necessary?
return UnknownVal();
- case MemRegion::ElementRegionKind:
- // FIXME: How can we handle this? It's not good enough to subtract the
- // offset from the base string length; consider "123\x00567" and &a[5].
+ case MemRegion::ElementRegionKind: {
+ // If an offset into the string literal is used, use the original length
+ // minus the offset.
+ // FIXME: Embedded null characters are not handled.
+ const ElementRegion *ER = cast<ElementRegion>(MR);
+ const SubRegion *SuperReg =
+ cast<SubRegion>(ER->getSuperRegion()->StripCasts());
+ const StringLiteral *StrLit = getStringLiteralFromRegion(SuperReg);
+ if (!StrLit)
+ return UnknownVal();
+ SValBuilder &SVB = C.getSValBuilder();
+ NonLoc Idx = ER->getIndex();
+ NonLoc LengthVal =
+ SVB.makeIntVal(StrLit->getLength(), SVB.getContext().getSizeType())
+ .castAs<NonLoc>();
+ if (state->assume(SVB.evalBinOpNN(state, BO_LE, Idx, LengthVal,
+ SVB.getConditionType())
+ .castAs<DefinedOrUnknownSVal>(),
+ true))
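Review bot: The new comment at L11–L13 should say what the computed value means when the literal contains an embedded null, since `StringLiteral::getLength()` counts every code unit of the literal (embedded nulls included) and the result is therefore an upper bound on the real C-string length, not the length itself. I would replace the FIXME with `// NOTE: getLength() counts embedded nulls, so the result is an upper bound on the actual strlen() of the suffix; a tighter value would require scanning the literal bytes for the first null at or after the offset.` so that downstream consumers of getCStringLength() know which direction the approximation errs. If the StringRegion case of this switch (outside the hunk) derives the base length differently, the two cases should be made to agree, as a caller cannot otherwise tell `&str[0]` from `str`. The enclosing function and the `if` body begun at L25 continue outside the hunk, so I cannot see what is returned on the infeasible path.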
----------------
NagyDonat wrote:
Here you validate that `Idx` can be less than or equal to the length of the
string literal, but you don't record this assumption in the state.
At first glance I thought that this is surprising/problematic, but now that I
think more about this I feel that this bounds checking should be the
responsibility of the `ArrayBound` checker, so I think the current code is good.
(No action expected.)
https://github.com/llvm/llvm-project/pull/159795