Fixed #2956 (False negative: read array and then immediately check the index 'str[i] && i<sizeof(str)')

This commit is contained in:
Daniel Marjamäki 2011-08-04 11:15:14 +02:00
parent e86abfdc5f
commit ceb763f57a
3 changed files with 57 additions and 0 deletions

View File

@ -2179,3 +2179,35 @@ void CheckBufferOverrun::executionPaths()
void CheckBufferOverrun::arrayIndexThenCheck()
{
if (!_settings->_checkCodingStyle)
return;
for (const Token *tok = _tokenizer->tokens(); tok; tok = tok->next())
{
if (Token::Match(tok, "%var% [ %var% ]"))
{
const std::string arrayName(tok->str());
const std::string indexName(tok->strAt(2));
// skip array index..
tok = tok->tokAt(4);
while (tok->str() == "[")
tok = tok->link()->next();
// skip comparison
if (Token::Match(tok, "==|!=|<|<=|>|>= %any% &&"))
tok = tok->tokAt(2);
// check if array index is ok
if (Token::Match(tok, ("&& " + indexName + " <|<=").c_str()))
arrayIndexThenCheckError(tok, indexName);
}
}
}
void CheckBufferOverrun::arrayIndexThenCheckError(const Token *tok, const std::string &indexName)
{
reportError(tok, Severity::style, "arrayIndexThenCheck", "array index " + indexName + " is used before bounds check");
}

View File

@ -64,6 +64,7 @@ public:
CheckBufferOverrun checkBufferOverrun(tokenizer, settings, errorLogger); CheckBufferOverrun checkBufferOverrun(tokenizer, settings, errorLogger);
checkBufferOverrun.bufferOverrun(); checkBufferOverrun.bufferOverrun();
checkBufferOverrun.negativeIndex(); checkBufferOverrun.negativeIndex();
checkBufferOverrun.arrayIndexThenCheck();
/** ExecutionPath checking.. */ /** ExecutionPath checking.. */
checkBufferOverrun.executionPaths(); checkBufferOverrun.executionPaths();
@ -72,6 +73,9 @@ public:
/** @brief %Check for buffer overruns */ /** @brief %Check for buffer overruns */
void bufferOverrun(); void bufferOverrun();
/** @brief Using array index before bounds check */
void arrayIndexThenCheck();
/** @brief %Check for buffer overruns by inspecting execution paths */ /** @brief %Check for buffer overruns by inspecting execution paths */
void executionPaths(); void executionPaths();
@ -216,6 +220,7 @@ public:
void negativeIndexError(const Token *tok, MathLib::bigint index); void negativeIndexError(const Token *tok, MathLib::bigint index);
void cmdLineArgsError(const Token *tok); void cmdLineArgsError(const Token *tok);
void pointerOutOfBounds(const Token *tok, const std::string &object); // UB when result of calculation is out of bounds void pointerOutOfBounds(const Token *tok, const std::string &object); // UB when result of calculation is out of bounds
void arrayIndexThenCheckError(const Token *tok, const std::string &indexName);
void getErrorMessages(ErrorLogger *errorLogger, const Settings *settings) void getErrorMessages(ErrorLogger *errorLogger, const Settings *settings)
{ {
@ -229,6 +234,7 @@ public:
c.negativeIndexError(0, -1); c.negativeIndexError(0, -1);
c.cmdLineArgsError(0); c.cmdLineArgsError(0);
c.pointerOutOfBounds(0, "array"); c.pointerOutOfBounds(0, "array");
c.arrayIndexThenCheckError(0, "index");
} }
std::string myName() const std::string myName() const

View File

@ -60,6 +60,7 @@ private:
CheckBufferOverrun checkBufferOverrun(&tokenizer, &settings, this); CheckBufferOverrun checkBufferOverrun(&tokenizer, &settings, this);
checkBufferOverrun.bufferOverrun(); checkBufferOverrun.bufferOverrun();
checkBufferOverrun.negativeIndex(); checkBufferOverrun.negativeIndex();
checkBufferOverrun.arrayIndexThenCheck();
} }
void run() void run()
@ -217,6 +218,9 @@ private:
TEST_CASE(getErrorMessages); TEST_CASE(getErrorMessages);
TEST_CASE(unknownMacroNoDecl); // #2638 - not variable declaration: 'AAA a[0] = 0;' TEST_CASE(unknownMacroNoDecl); // #2638 - not variable declaration: 'AAA a[0] = 0;'
// Access array and then check if the used index is within bounds
TEST_CASE(arrayIndexThenCheck);
} }
@ -3015,6 +3019,21 @@ private:
"}"); "}");
ASSERT_EQUALS("", errout.str()); ASSERT_EQUALS("", errout.str());
} }
void arrayIndexThenCheck()
{
check("void f(const char s[]) {\n"
" if (s[i] == 'x' && i < y) {\n"
" }"
"}");
ASSERT_EQUALS("[test.cpp:2]: (style) array index i is used before bounds check\n", errout.str());
check("void f(const char s[]) {\n"
" for (i = 0; s[i] == 'x' && i < y; ++i) {\n"
" }"
"}");
ASSERT_EQUALS("[test.cpp:2]: (style) array index i is used before bounds check\n", errout.str());
}
}; };
REGISTER_TEST(TestBufferOverrun) REGISTER_TEST(TestBufferOverrun)