From ee073c798515e56b23463391a7b40d5ee6527337 Mon Sep 17 00:00:00 2001
From: Balazs Benics
Date: Mon, 30 Nov 2020 18:06:28 +0100
Subject: [PATCH] [analyzer][StdLibraryFunctionsChecker] Fix typos in summaries of mmap and mmap64

The fd parameter of
```
void *mmap(void *addr, size_t length, int prot, int flags, int fd, off_t offset)
```
should be constrained to the range [0, IntMax] as that is of type int. Constraining to the range [0, Off_tMax] would result in a crash as that is of a signed type with the value of 0xff..f (-1). The crash would happen when we try to apply the arg constraints. At line 583: assert(Min <= Max), as 0 <= -1 is not satisfied The mmap64 is fixed for the same reason.

Reviewed By: martong, vsavchenko

Differential Revision: https://reviews.llvm.org/D92307
---
 .../Checkers/StdLibraryFunctionsChecker.cpp | 6 ++----
 clang/test/Analysis/std-c-library-posix-crash.c | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+), 4 deletions(-)
 create mode 100644 clang/test/Analysis/std-c-library-posix-crash.c

diff --git a/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
index 10011ef..f8eafde 100644
--- a/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
@@ -1722,7 +1722,6 @@ void StdLibraryFunctionsChecker::initFunctionSummaries(
 "ftello", Signature(ArgTypes{FilePtrTy}, RetType{Off_tTy}),
 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
 
- Optional Off_tMax = getMaxValue(Off_tTy);
 // void *mmap(void *addr, size_t length, int prot, int flags, int fd,
 // off_t offset);
 addToFunctionSummaryMap(
@@ -1732,10 +1731,9 @@ void StdLibraryFunctionsChecker::initFunctionSummaries(
 Summary(NoEvalCall)
 .ArgConstraint(ArgumentCondition(1, WithinRange, Range(1, SizeMax)))
 .ArgConstraint(
- ArgumentCondition(4, WithinRange, Range(0, Off_tMax))));
+ ArgumentCondition(4, WithinRange, Range(0, IntMax))));
 
 Optional Off64_tTy = lookupTy("off64_t");
- Optional Off64_tMax = getMaxValue(Off_tTy);
 // void *mmap64(void *addr, size_t length, int prot, int flags, int fd,
 // off64_t offset);
 addToFunctionSummaryMap(
@@ -1745,7 +1743,7 @@ void StdLibraryFunctionsChecker::initFunctionSummaries(
 Summary(NoEvalCall)
 .ArgConstraint(ArgumentCondition(1, WithinRange, Range(1, SizeMax)))
 .ArgConstraint(
- ArgumentCondition(4, WithinRange, Range(0, Off64_tMax))));
+ ArgumentCondition(4, WithinRange, Range(0, IntMax))));
 
 // int pipe(int fildes[2]);
 addToFunctionSummaryMap(
diff --git a/clang/test/Analysis/std-c-library-posix-crash.c b/clang/test/Analysis/std-c-library-posix-crash.c
new file mode 100644
index 0000000..23321d5
--- /dev/null
+++ b/clang/test/Analysis/std-c-library-posix-crash.c
@@ -0,0 +1,18 @@
+// RUN: %clang_analyze_cc1 \
+// RUN: -analyzer-checker=core,apiModeling.StdCLibraryFunctions \
+// RUN: -analyzer-config apiModeling.StdCLibraryFunctions:ModelPOSIX=true \
+// RUN: -verify %s
+//
+// expected-no-diagnostics
+
typedef long off_t;
typedef long long off64_t;
typedef unsigned long size_t;
+
void *mmap(void *addr, size_t length, int prot, int flags, int fd, off_t offset);
void *mmap64(void *addr, size_t length, int prot, int flags, int fd, off64_t offset);
+
void test(long len) {
mmap(0, len, 2, 1, 0, 0); // no-crash
mmap64(0, len, 2, 1, 0, 0); // no-crash
}
-- 
2.7.4
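Review bot: `Range(0, IntMax)` on argument 4 rules out fd == -1, which POSIX allows (and some implementations require) for mmap when MAP_ANONYMOUS is among the flags, so the common anonymous-mapping call now fails the summary's precondition instead of crashing the analyzer. From the hunk alone I cannot tell whether a failed argument constraint is reported or only makes the path infeasible, but either way every anonymous mmap becomes a false report or lost coverage of the code after the call. I would either widen the lower bound, `ArgumentCondition(4, WithinRange, Range(-1, IntMax))`, or drop the fd constraint from this summary, and the same applies to the mmap64 summary in the next hunk. The new test in std-c-library-posix-crash.c exercises only fd == 0; a call with fd == -1 would pin whichever range is intended. initFunctionSummaries continues on both sides of the hunk.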