False positive because of unknown intrinsic function

Open gh2375 opened this issue 6 years ago • 3 comments

Code:

#include <new>

int main(int argc, char * argv[])
{
    int n = 10;
    int * arr = new int[n];

    for(int * p = arr; n > 0; n--, p++)
        new (p) int();

    delete[] arr;

    return 0;
}

Output:

# Results
main-placement-new.cpp: In function 'main':
main-placement-new.cpp:10:3: warning: possible buffer overflow, could not bound index for access of dynamic memory allocated at 'main:7:14'
                new (p) int();
                ^

System:

MSYS2

Version:

d9a9c44e1ff23c533dc49bcab40328961ef70abb

gh2375, Feb 08 '19 05:02

The problem is more clear with 79942e6469bbcbe8a9e0acaf651a65cba1653502:

test.cpp: In function 'main':
test.cpp:6:17: warning: ignored side effect of call to extern function 'llvm.umul.with.overflow.i64'. Analysis might be unsound.
    int * arr = new int[n];
                ^
test.cpp: In function 'main':
test.cpp:9:9: warning: possible buffer overflow, could not bound index for access of dynamic memory allocated at 'main:6:17'
        new (p) int();
        ^

LLVM has an intrinsic, llvm.umul.with.overflow.i64, to compute the size of the array, i.e. n * sizeof(int), and check for overflows. I will have to teach this intrinsic to ikos.

arthaud, Feb 11 '19 20:02
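
What modelling the intrinsic from the comment above could look like, as an added example that is not code from ikos or from this thread: the concrete semantics of llvm.umul.with.overflow.i64, and an interval transfer function that gives an analyzer the byte size of `new int[n]`. All type and function names are hypothetical; it assumes sizeof(int) == 4 and that n is sign-extended to 64 bits before the multiplication.

```cpp
#include <cstdint>
#include <limits>

const uint64_t U64_MAX = std::numeric_limits<uint64_t>::max();

// Concrete semantics of llvm.umul.with.overflow.i64: the product wrapped to
// 64 bits, plus a flag that is set when the true product does not fit.
struct UMulResult { uint64_t value; bool overflow; };

UMulResult umul_with_overflow_i64(uint64_t a, uint64_t b) {
    UMulResult r;
    r.value = a * b;                              // unsigned arithmetic wraps modulo 2^64
    r.overflow = (a != 0) && (b > U64_MAX / a);
    return r;
}

// Hypothetical interval domain over unsigned 64-bit values (not ikos's own).
struct Interval { uint64_t lo, hi; };
enum class Flag { Never, Maybe, Always };
struct AbstractUMul { Interval value; Flag overflow; };

// Abstract transfer function. Unsigned multiplication is monotone in both
// operands, so the two endpoint products decide the result.
AbstractUMul umul_with_overflow_abs(Interval a, Interval b) {
    const Interval top = {0, U64_MAX};
    UMulResult lo = umul_with_overflow_i64(a.lo, b.lo);
    UMulResult hi = umul_with_overflow_i64(a.hi, b.hi);
    if (lo.overflow) return {top, Flag::Always};  // even the smallest product overflows
    if (hi.overflow) return {top, Flag::Maybe};   // some products wrap: size unknown
    return {{lo.value, hi.value}, Flag::Never};   // exact bounds on the byte size
}

// Byte-size interval for `new int[n]` with n in [n_lo, n_hi] (n_lo <= n_hi).
// Assumes sizeof(int) == 4 and sign extension of n to 64 bits.
AbstractUMul new_int_array_size(int64_t n_lo, int64_t n_hi) {
    if (n_lo < 0 && n_hi >= 0)                    // negative n maps to a huge unsigned value
        return {{0, U64_MAX}, Flag::Maybe};
    Interval n = {static_cast<uint64_t>(n_lo), static_cast<uint64_t>(n_hi)};
    return umul_with_overflow_abs(n, Interval{4, 4});
}

int main() {
    // The issue's case: n == 10, so the allocation is exactly 40 bytes.
    AbstractUMul s = new_int_array_size(10, 10);
    return (s.overflow == Flag::Never && s.value.lo == 40 && s.value.hi == 40) ? 0 : 1;
}
```

With the size bounded to exactly 40 bytes for n == 10, an analyzer has the upper bound it needs to check the placement-new accesses through `p`.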