Clang Static Analyzer not taking all paths


Clang Static Analyzer not taking all paths

Hans Wennborg via cfe-dev
Hi,

I ran the CSA on the CGC HackMan challenge:
https://github.com/trailofbits/cb-multios/blob/master/challenges/HackMan/src/main.c

Starting from line 190, there is an uninitialized read:

...
   while (1)
   {
     error = 0;
     if (win || cgc_strlen(h_state.word) == 0)
       goto new_chal;
...
new_chal:
         if (h_state.new_challenge_handler == NULL)
           h_state.new_challenge_handler = cgc_new_challenge;
...

CSA does not find this uninitialized read; however, if an "if (!win);" is
placed before the loop, it is found.

Can anyone tell me why?

Thanks,
Nils
_______________________________________________
cfe-dev mailing list
[hidden email]
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev

Re: Clang Static Analyzer not taking all paths

Hans Wennborg via cfe-dev
The analyzer's method never gives a guarantee to explore all paths, as
there may potentially be infinitely many paths or a finite but
hyper-exponentially exploding number of paths. However, this example
seems to start working after we've recently changed path exploration
order in svn r326157 "[analyzer] Switch the default exploration strategy
to priority queue based on coverage":

$ clang (...) --analyze -Xclang -analyzer-config -Xclang
exploration_strategy=dfs main.c
$ clang (...) --analyze main.c
main.c:202:43: warning: The left operand of '==' is a garbage value
         if (h_state.new_challenge_handler == NULL)
             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^


On 08/03/2018 7:18 AM, via cfe-dev wrote:


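A reduced model of the loop quoted in the thread, added here as an example rather than taken from the HackMan source: the `zero_init` parameter is an assumption that selects between the reported pattern (no initializer before the `goto` reaches the `==`) and the obvious hardening (clearing `h_state` before the loop). Whether the analyzer reports the non-cleared branch depends on the exploration strategy, as the reply explains.

```c
#include <stddef.h>
#include <string.h>

typedef void (*challenge_fn)(void);
static int challenges_started;
static void new_challenge(void) { challenges_started++; }

/* Stand-in for the challenge's state struct (constructed, not the real layout). */
struct hstate {
    char word[32];
    challenge_fn new_challenge_handler;
};

/* Model of the loop from the report. zero_init == 0 keeps the reported
 * pattern: on a first iteration with `win` set, control jumps to new_chal and
 * the '==' compares a field that was never stored to (the "garbage value"
 * the analyzer warns about). zero_init != 0 applies the fix of clearing the
 * struct before the loop. Returns how many rounds reached new_chal. */
static int game_loop(int win, int zero_init) {
    struct hstate h_state;   /* no initializer, as in the quoted code */
    int rounds = 0, chal_hits = 0;
    if (zero_init)
        memset(&h_state, 0, sizeof h_state);  /* handler is NULL, word is "" */
    while (rounds < 3) {
        rounds++;
        if (win || strlen(h_state.word) == 0)
            goto new_chal;
        /* normal guessing round elided; a real round would read user input */
        continue;
new_chal:
        if (h_state.new_challenge_handler == NULL)  /* CSA: garbage if !zero_init */
            h_state.new_challenge_handler = new_challenge;
        h_state.new_challenge_handler();
        chal_hits++;
        win = 0;
        strcpy(h_state.word, "secret");  /* later iterations take the normal path */
    }
    return chal_hits;
}
```

Only the hardened path (`zero_init != 0`) is safe to execute; the other branch exists so the analyzer invocation from the reply can be tried against the same shape of code.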