-
Notifications
You must be signed in to change notification settings - Fork 150
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IKOS should tolerate snprintf(NULL, 0, ...)
#221
Comments
I could be wrong, but at first glance I think we'd need to change: ikos/analyzer/src/checker/null_dereference.cpp Lines 335 to 338 in ae8200b
so that |
Maybe handling the special case of argument 1 being the 0 constant would be fine for now since that seems like a common use case. |
snprintf(NULL, 0, ...)
snprintf(NULL, 0, ...)
snprintf(NULL, 0, ...)
IKOS currently considers that the first argument of snprintf should never be null. However, a first argument null is allowed when the second argument is zero. This commit introduces a check for that second value; only when it is not the literal zero is the first argument checked. This check is not perfect: the second argument could also be a variable with the value or function call that returns zero. However, since passing the literal zero is the most common scenario, we check for that case for now.
I've just pushed to a branch what I consider may be a possible implementation. I have not tried to compile it on my machine, but I think it should be pretty close. Feel free to check it and point out any issues you see. It's possible that there's a simpler way to check for the argument to be zero than what I'm doing. |
IKOS currently considers that the first argument of snprintf should never be null. However, a first argument null is allowed when the second argument is zero. This commit introduces a check for that second value; only when it is not the literal zero is the first argument checked. This check is not perfect: the second argument could also be a variable with the value or function call that returns zero. However, since passing the literal zero is the most common scenario, we check for that case for now.
I've placed a first attempt at fixing this issue here: I haven't tried it yet, but it does compile. I feel like there may be a simpler way of checking whether the value is the literal zero, and I'm just not seeing it (it's just lack of familiarity with all of IKOS). I could also check whether it's a variable and it's zero, and it seems like that should not be hard to do. @arthaud is what I'm doing too far off? |
IKOS currently considers that the first argument of snprintf should never be null. However, a first argument null is allowed when the second argument is zero. This commit introduces a check for that second value; only when it is not the literal zero is the first argument checked. This check is not perfect: the second argument could also be a variable with the value or function call that returns zero. However, since passing the literal zero is the most common scenario, we check for that case for now.
IKOS currently considers that the first argument of snprintf should never be null. However, a first argument null is allowed when the second argument is zero. This commit introduces a check for that second value; only when it is not the literal zero is the first argument checked. This check is not perfect: the second argument could also be a variable with the value or function call that returns zero. However, since passing the literal zero is the most common scenario, we check for that case for now.
ikos claims that the following C program is unsafe because of the null pointer passed to
snprintf()
:However, according to cppreference, when the second argument is
0
, the first argument is allowed to beNULL
.https://en.cppreference.com/w/c/io/fprintf
We use this feature to determine the number of characters that would be written before actually writing them.
The text was updated successfully, but these errors were encountered: