C++: Reuse bounded predicate in TaintedAllocationSize query #17220
Conversation
| // There can be two separate reasons for `convertedExprMightOverflow` not holding: | ||
| // 1. `e` really cannot overflow. | ||
| // 2. `e` isn't analyzable. | ||
| // If we didn't rule out case 2 we would declare anything that isn't analyzable as bounded. |
There was a problem hiding this comment.
Note that it's a pretty common pattern to have three cases to think about (1) a thing holds (2) the thing doesn't hold and (3) we weren't able to determine either. If we had another predicate, convertedExprNeverOverflows, this would not be the inverse of convertedExprMightOverflow (due to case 3) and the choice between using convertedExprNeverOverflows or not convertedExprMightOverflow as we do here would be meaningful.
paldepind
force-pushed
the
reuse-unbounded-in-tainted-allocation-size
branch
from
668a02e to
c7d76da
Compare
|
I've taken a look at the results in the DCA report. With this PR there are 11 less query results. One of the disappearing results is in git. The added barrier is 8 of the disappearing results are in vim. After looking at them, they all go through the same function with a bitwise The last 2 results are in openjdk. Here the paths are short (10 steps). The source reads a file which ends up tainting an allocation. In between some bit manipulation goes on, apparently to extract the right bits from a header. I think this could be a true positive for the purpose of the query, but it's clearly deliberate that those bits in the header should end up affecting the allocation. I think the results seem fine. I think one future approach that could increase precision would be to consider that actual values used in the arithmetic operations ( |
paldepind
force-pushed
the
reuse-unbounded-in-tainted-allocation-size
branch
from
b79e550 to
0eaa984
Compare
paldepind
force-pushed
the
reuse-unbounded-in-tainted-allocation-size
branch
from
0eaa984 to
1665bad
Compare
|
Fixed some conflicts after merging the other PR related to |
|
|
||
| if (size % 100) | ||
| { | ||
| malloc(size * sizeof(int)); // GOOD |
There was a problem hiding this comment.
Why is this example "GOOD", but the one from lines 132-136 isn't?
That is, I can't see a real difference here:
https://godbolt.org/z/bPWaoPMYY
There was a problem hiding this comment.
I guess my actual question is: how is modulo supposed to bound the input here?
There was a problem hiding this comment.
That's a good point. It does not 😅. As it stands it's actually an example of a false negative. What I had in my mind was an example like this:
int size = atoi(getenv("USER"));
int size2 = size % 100;
malloc(size2 * sizeof(int));There was a problem hiding this comment.
Thanks for pointing this out @intrigus-lgtm. It's fixed now by #17269.
Reuse the
boundedpredicate in theTaintedAllocationSizequery.