pghs975uc
/
infer_clone
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

[inferbo][bugfix] Add index to offset at array fields

Browse Source 
Summary: It corrects a bug that `&(x.f[n])` was evaluated to `&(x.f[0])`.

Reviewed By: mbouaziz

Differential Revision: D7179620

fbshipit-source-id: 04cbaa7
master
Sungkeun Cho 7 years ago committed by Facebook Github Bot
parent 469a5f64ed
commit 8fd04d5312
3 changed files with 15 additions and 1 deletions
Show Stats Download Patch File Download Diff File

2
infer/src/bufferoverrun/bufferOverrunSemantics.ml
Unescape View File

@ -230,7 +230,7 @@ module Make (CFG : ProcCfg.S) = struct
the memory section using the abstract memory, though the the memory section using the abstract memory, though the
memory lookup is not required to evaluate the address of memory lookup is not required to evaluate the address of
x.f[n] in the concrete semantics. *) x.f[n] in the concrete semantics. *)
Mem.find_set (Val.get_pow_loc array_v) mem Val.plus_pi (Mem.find_set (Val.get_pow_loc array_v) mem) index_v
| _ -> | _ ->
Val.of_pow_loc PowLoc.unknown Val.of_pow_loc PowLoc.unknown
else arr else arr

13
infer/tests/codetoanalyze/c/bufferoverrun/array_field.c
Unescape View File

@ -23,3 +23,16 @@ void array_field_access_Bad(struct S1 x, struct S1 y) {
x.f[0] = 1; x.f[0] = 1;
a[y.f[0]] = 0; a[y.f[0]] = 0;
} }
void decreasing_pointer_Good(struct S1* x) {
int* p = &(x->f[1]);
p--;
*p = 0;
}
void decreasing_pointer_Bad(struct S1* x) {
int* p = &(x->f[1]);
p--;
p--;
*p = 0;
}

1
infer/tests/codetoanalyze/c/bufferoverrun/issues.exp
Unescape View File

@ -2,6 +2,7 @@ codetoanalyze/c/bufferoverrun/arith.c, modulo_signed_Bad, 2, BUFFER_OVERRUN_L3,
codetoanalyze/c/bufferoverrun/arith.c, modulo_signed_neg_Bad, 2, BUFFER_OVERRUN_L3, [ArrayDeclaration,ArrayAccess: Offset: [-4, 4] Size: [5, 5]] codetoanalyze/c/bufferoverrun/arith.c, modulo_signed_neg_Bad, 2, BUFFER_OVERRUN_L3, [ArrayDeclaration,ArrayAccess: Offset: [-4, 4] Size: [5, 5]]
codetoanalyze/c/bufferoverrun/array_dynlength.c, init_variable_array, 3, BUFFER_OVERRUN_L2, [Offset: [3xs$0 + 1, 3xs$1 + 1] Size: [3xs$0 + 1, 3xs$1 + 1]] codetoanalyze/c/bufferoverrun/array_dynlength.c, init_variable_array, 3, BUFFER_OVERRUN_L2, [Offset: [3xs$0 + 1, 3xs$1 + 1] Size: [3xs$0 + 1, 3xs$1 + 1]]
codetoanalyze/c/bufferoverrun/array_field.c, array_field_access_Bad, 4, BUFFER_OVERRUN_L1, [ArrayDeclaration,Assignment,ArrayAccess: Offset: [20, 20] Size: [10, 10]] codetoanalyze/c/bufferoverrun/array_field.c, array_field_access_Bad, 4, BUFFER_OVERRUN_L1, [ArrayDeclaration,Assignment,ArrayAccess: Offset: [20, 20] Size: [10, 10]]
codetoanalyze/c/bufferoverrun/array_field.c, decreasing_pointer_Bad, 4, BUFFER_OVERRUN_L1, [Assignment,Assignment,Assignment,ArrayAccess: Offset: [-1, -1] Size: [2, 2]]
codetoanalyze/c/bufferoverrun/break_continue_return.c, break_continue_return, 4, CONDITION_ALWAYS_TRUE, [] codetoanalyze/c/bufferoverrun/break_continue_return.c, break_continue_return, 4, CONDITION_ALWAYS_TRUE, []
codetoanalyze/c/bufferoverrun/break_continue_return.c, break_continue_return, 13, CONDITION_ALWAYS_TRUE, [] codetoanalyze/c/bufferoverrun/break_continue_return.c, break_continue_return, 13, CONDITION_ALWAYS_TRUE, []
codetoanalyze/c/bufferoverrun/break_continue_return.c, break_continue_return, 16, BUFFER_OVERRUN_L2, [ArrayDeclaration,Assignment,ArrayAccess: Offset: [0, 10] Size: [10, 10]] codetoanalyze/c/bufferoverrun/break_continue_return.c, break_continue_return, 16, BUFFER_OVERRUN_L2, [ArrayDeclaration,Assignment,ArrayAccess: Offset: [0, 10] Size: [10, 10]]

Write Preview
Loading…
Cancel
Save