analyzer
analyzer copied to clipboard
goblint
`def_exc` ranges for `int` and `short` tops not correct in memOutOfBounds analysis
When running the following modifications of test 01-oob-heap-simple.c:
// PARAM: --set ana.activated[+] memOutOfBounds --enable ana.int.interval
#include <stdlib.h>
int main(int argc, char const *argv[]) {
char *ptr = malloc(5 * sizeof(char));
int r;
*ptr = 'a';//NOWARN
*(ptr + 1) = 'b';//NOWARN
*(ptr + 10) = 'c';//WARN
*(ptr + r) = 'd';//WARN
free(ptr);
return 0;
}
// PARAM: --set ana.activated[+] memOutOfBounds --enable ana.int.interval
#include <stdlib.h>
int main(int argc, char const *argv[]) {
char *ptr = malloc(5 * sizeof(char));
short r;
*ptr = 'a';//NOWARN
*(ptr + 1) = 'b';//NOWARN
*(ptr + 10) = 'c';//WARN
*(ptr + r) = 'd';//WARN
free(ptr);
return 0;
}
The corresponding warnings are:
[Warning][Behavior > Undefined > MemoryOutOfBoundsAccess][CWE-823] Could not compare pointer size (5) with offset ((Unknown int([-31,32]),[-2147483648,2147483647])). Memory out-of-bounds access may occur (tests/regression/74-invalid_deref/01-oob-heap-simple.c:11:5-11:21)
[Warning][Behavior > Undefined > MemoryOutOfBoundsAccess][CWE-823] Could not compare pointer size (5) with offset ((Unknown int([-15,16]),[-32768,32767])). Memory out-of-bounds access may occur (tests/regression/74-invalid_deref/01-oob-heap-simple.c:11:5-11:21)
It is fine with long, though, yielding:
[Warning][Behavior > Undefined > MemoryOutOfBoundsAccess][CWE-823] Could not compare pointer size ((5,[5,5])) with offset ((Unknown int([-63,63]),[-9223372036854775808,9223372036854775807])). Memory out-of-bounds access may occur (tests/regression/74-invalid_deref/01-oob-heap-simple.c:11:5-11:21)
