Skip to content

[Wunsafe-buffer-usage] False positives for & expression indexing constant size array (arr[anything & 0]) #112284

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Feb 24, 2025
Merged

[Wunsafe-buffer-usage] False positives for & expression indexing constant size array (arr[anything & 0]) #112284

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
bf1f0b8
[Wunsafe-buffer-usage] False positives for & expression indexing cons…
Oct 11, 2024
da96efb
Add more tests and a comment explaining the idea behind the change.
Feb 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 19 additions & 2 deletions clang/lib/Analysis/UnsafeBufferUsage.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -462,8 +462,25 @@ AST_MATCHER(ArraySubscriptExpr, isSafeArraySubscript) {
// bug
if (ArrIdx.isNonNegative() && ArrIdx.getLimitedValue() < limit)
return true;
}
return false;
} else if (const auto *BE = dyn_cast<BinaryOperator>(IndexExpr)) {
if (BE->getOpcode() != BO_And)
return false;

const Expr *LHS = BE->getLHS();
const Expr *RHS = BE->getRHS();

if ((!LHS->isValueDependent() &&
Copy link
Contributor

@ziqingluo-90 ziqingluo-90 Feb 21, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if LHS->isValueDependent(), no constant value can be derived from LHS anyway. So I suspect this condition is not needed.

Copy link
Contributor Author

@malavikasamak malavikasamak Feb 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Expr::EvaluateAsInt(...) method assumes the expression it operates on in not value dependent. So, we have to check this before hand to make sure the method does not crash. We can only skip this check if we can be guaranteed the expression is never value dependent. I don't think that is true here.

LHS->EvaluateAsInt(EVResult, Finder->getASTContext())) ||
(!RHS->isValueDependent() &&
RHS->EvaluateAsInt(EVResult, Finder->getASTContext()))) {
llvm::APSInt result = EVResult.Val.getInt();
if (result.isNonNegative() && result.getLimitedValue() < limit)
return true;
}
return false;

} else
Copy link
Contributor

@ziqingluo-90 ziqingluo-90 Feb 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: this else is not needed. (VSCode often warns me about this.)

Copy link
Contributor Author

@malavikasamak malavikasamak Feb 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will get rid of it. Thanks!

return false;
}

AST_MATCHER_P(CallExpr, hasNumArgs, unsigned, Num) {
Expand Down
31 changes: 31 additions & 0 deletions clang/test/SemaCXX/warn-unsafe-buffer-usage-array.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,9 @@ void foo2(unsigned idx) {

struct Foo {
int member_buffer[10];
int x;
};

void foo2(Foo& f, unsigned idx) {
f.member_buffer[idx] = 0; // expected-warning{{unsafe buffer access}}
}
Expand All @@ -33,6 +35,35 @@ void constant_idx_safe0(unsigned idx) {
buffer[0] = 0;
}

int array[10]; // expected-warning {{'array' is an unsafe buffer that does not perform bounds checks}}

void masked_idx1(unsigned long long idx, Foo f) {
// Bitwise and operation
array[idx & 5] = 10; // no warning
array[idx & 11 & 5] = 3; // no warning
array[idx & 11] = 20; // expected-note{{used in buffer access here}}
array[idx &=5]; // expected-note{{used in buffer access here}}
array[f.x & 5];
}

typedef unsigned long long uint64_t;
typedef unsigned int uint32_t;
typedef unsigned char uint8_t;

void type_conversions(uint64_t idx1, uint32_t idx2, uint8_t idx3) {
array[(uint32_t)idx1 & 3];
array[idx2 & 3];
array[idx3 & 3];
}

int array2[5]; // expected-warning {{'array2' is an unsafe buffer that does not perform bounds checks}}

void masked_idx_safe(unsigned long long idx) {
array2[6 & 5]; // no warning
array2[6 & idx & (idx + 1) & 5]; // expected-note{{used in buffer access here}}
}


Copy link
Contributor

@ziqingluo-90 ziqingluo-90 Feb 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how about some test cases for negative integer constants?

void constant_idx_unsafe(unsigned idx) {
int buffer[10]; // expected-warning{{'buffer' is an unsafe buffer that does not perform bounds checks}}
// expected-note@-1{{change type of 'buffer' to 'std::array' to label it for hardening}}
Expand Down