Abstract Execution Fails to Trace Correct Allocation Size #1390
Comments
The first case looks to be an integer overflow. The maximum value of unsigned char is 255; plus one will be an undefined value, hence reporting an overflow warning.
Thanks for your response. I think the first case is not integer overflow since the param of malloc has a type of i64. So the program
As it shows above, the second one is more like a question. Glad to know it is possible to solve this case. I'll try to learn how to implement a custom checker for this.
'zext' Instruction
Abstract execution fails to trace the correct allocation size when encountering instructions like "zext". This leads to incorrect buffer size calculations, resulting in false alerts of buffer overflow.
Sample Code:
Here is the compiled llvm ir.
The expected allocation size should be 256, but the output says it's 0. This should not be a buffer overflow case.
Branch Condition
I was wondering if abstract execution might be able to address this case and how. I'm doing some tests like the code below; the allocation size depends on `a`. The output says there's no overflow here. Is it possible to trace both data flows, warn about the overflow one, and report the conditions like `a==0`?