author | Zhongxing Xu <xuzhongxing@gmail.com> | 2009-11-11 11:55:54 +0000 |
---|---|---|
committer | Zhongxing Xu <xuzhongxing@gmail.com> | 2009-11-11 11:55:54 +0000 |
commit | b991f48ccff0567d581cf95e4eda1bffd5bbada3 (patch) | |
tree | 9c55b74d3e9c1f17c2d78dc1d6e9ee61aeb2c18c /lib/Analysis/ReturnPointerRangeChecker.cpp | |
parent | 387ecbd1e60b28d0c3c072b6a8c42ab2a176e036 (diff) |
ReturnPointerRangeChecker: use StripCasts() instead of checking for zero index
explicitly.
Fix 80-col violations.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@86833 91177308-0d34-0410-b5e6-96231b3b80d8
Diffstat (limited to 'lib/Analysis/ReturnPointerRangeChecker.cpp')
-rw-r--r-- | lib/Analysis/ReturnPointerRangeChecker.cpp | 27 |
1 files changed, 15 insertions, 12 deletions
diff --git a/lib/Analysis/ReturnPointerRangeChecker.cpp b/lib/Analysis/ReturnPointerRangeChecker.cpp
index 181d736199..261081ebb4 100644
--- a/lib/Analysis/ReturnPointerRangeChecker.cpp
+++ b/lib/Analysis/ReturnPointerRangeChecker.cpp
@@ -48,6 +48,12 @@ void ReturnPointerRangeChecker::PreVisitReturnStmt(CheckerContext &C,
 SVal V = state->getSVal(RetE);
 const MemRegion *R = V.getAsRegion();
+ if (!R)
+ return;
+
+ R = R->StripCasts();
+ if (!R)
+ return;
 const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(R);
 if (!ER)
@@ -55,13 +61,8 @@ void ReturnPointerRangeChecker::PreVisitReturnStmt(CheckerContext &C,
 DefinedOrUnknownSVal &Idx = cast<DefinedOrUnknownSVal>(ER->getIndex());
- // FIXME: All of this out-of-bounds checking should eventually be refactored into a
- // common place.
-
- // Zero index is always in bound, this also passes ElementRegions created for
- // pointer casts.
- if (Idx.isZeroConstant())
- return;
+ // FIXME: All of this out-of-bounds checking should eventually be refactored
+ // into a common place.
 SVal NumVal = C.getStoreManager().getSizeInElements(state, ER->getSuperRegion());
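Review bot: After the two added `if (!R) return;` guards, R is known to be non-null at the cast that follows, so `dyn_cast_or_null<ElementRegion>(R)` can be plain `dyn_cast<ElementRegion>(R)`. Whether StripCasts() can return null at all is not visible in this hunk; if it cannot, the second guard is dead code and could be dropped or turned into an assert. The new `R = R->StripCasts();` line also has no comment now that the explanation of the zero-index case is deleted in the next hunk; something like `// Strip ElementRegions that pointer casts layered on top, so the bounds check below sees the region actually indexed.` would keep that reasoning next to the code. PreVisitReturnStmt begins and ends outside the hunk.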
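Review bot: With the `Idx.isZeroConstant()` early return removed, any zero-index ElementRegion that StripCasts() leaves in place now reaches the size comparison after `getSizeInElements(...)`. Whether the checker stays quiet for a returned pointer to the first element therefore depends entirely on what StripCasts() strips, which this page does not show. No test change is visible here (the diffstat is limited to this one file), so it is worth confirming that a regression test covers both cases: a returned first-element or cast pointer that must not be reported, and a cast pointer whose underlying index is out of range, which presumably was skipped by the old zero-index shortcut and should now be reported. The function body continues outside the hunk.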
@@ -75,14 +76,16 @@ void ReturnPointerRangeChecker::PreVisitReturnStmt(CheckerContext &C,
 if (!N)
 return;
- // FIXME: This bug correspond to CWE-466. Eventually we should have bug types explicitly
- // reference such exploit categories (when applicable).
+ // FIXME: This bug correspond to CWE-466. Eventually we should have bug
+ // types explicitly reference such exploit categories (when applicable).
 if (!BT)
 BT = new BuiltinBug("Return of pointer value outside of expected range",
- "Returned pointer value points outside the original object (potential buffer overflow)");
+ "Returned pointer value points outside the original object "
+ "(potential buffer overflow)");
- // FIXME: It would be nice to eventually make this diagnostic more clear, e.g., by referencing
- // the original declaration or by saying *why* this reference is outside the range.
+ // FIXME: It would be nice to eventually make this diagnostic more clear,
+ // e.g., by referencing the original declaration or by saying *why* this
+ // reference is outside the range.
 // Generate a report for this bug.
 RangedBugReport *report = |