
[C++ BoundsSafety] Fix false positives when pointer argument is a function call #11046


Open
wants to merge 1 commit into base: next

Conversation

ziqingluo-90

This PR attempts to fix false positives in such an example:

```c
#include <stddef.h>  // size_t

// p points to `count` elements.
void cb(int *__counted_by(count) p, size_t count);
// The returned pointer points to `n` elements.
int *__counted_by(n) f(size_t n);

void test(size_t len) {
  cb(f(len), len); // false positive
}
```

The analysis needs to compare the size of `f(len)`, which is specified by `__counted_by(n)`, with the expected count of the first argument of `cb`, which is specified by `__counted_by(count)`. The comparison interprets the two comparands at two "call contexts" respectively: the count `n` needs to be interpreted at the call `f(len)` with a mapping `{n -> len}`, and the count `count` needs to be interpreted at the call `cb(f(len), len)` with a mapping `{p -> f(len), count -> len}`.

The existing compare algorithm is extended from assuming only one comparand needs a substitution map to assuming both comparands need substitution maps.

rdar://155952016

@ziqingluo-90 ziqingluo-90 changed the title [Draft][C++ BoundsSafety] Fix false positives when pointer argument is a function call [C++ BoundsSafety] Fix false positives when pointer argument is a function call Jul 22, 2025
@ziqingluo-90 (Author)

@patrykstefanski This is my attempt to extend the existing `CompatibleCountExprVisitor` to take two substitution maps, though I think we've reached the limit of this Visitor-based comparison approach. It traverses only one of the comparands so it does not know when to apply substitution for the other comparand. The result is that I have to `trySubstitute` at each of the overloaded methods.
I'd like to refactor this comparison code later.
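To make the two-context comparison in the description and the follow-up comment concrete, here is an added toy model that is not Clang's code and not from this PR: count expressions are a tiny hypothetical AST, each comparand is rewritten under its own call-site substitution map, and the results are compared structurally. It shows why a single map reports `n` versus `count` as a mismatch for `cb(f(len), len)` while two maps agree.

```cpp
// Added toy model (not Clang's code) of comparing two count expressions that
// each live in their own call context. Grammar: variables, constants, +, *.
#include <map>
#include <memory>
#include <string>

struct Expr {
  enum Kind { Var, Const, Add, Mul } kind;
  std::string name;                // Var
  long value = 0;                  // Const
  std::shared_ptr<Expr> lhs, rhs;  // Add / Mul
};
using ExprP = std::shared_ptr<Expr>;
using Subst = std::map<std::string, ExprP>;  // parameter name -> argument expr

ExprP var(const std::string &n) { return std::make_shared<Expr>(Expr{Expr::Var, n}); }
ExprP num(long v) { auto e = std::make_shared<Expr>(Expr{Expr::Const}); e->value = v; return e; }
ExprP bin(Expr::Kind k, ExprP a, ExprP b) {
  auto e = std::make_shared<Expr>(Expr{k}); e->lhs = a; e->rhs = b; return e;
}
// Apply a call-site map once: the substituted argument already belongs to the
// caller's context, so it is not rewritten again.
ExprP substitute(const ExprP &e, const Subst &s) {
  if (e->kind == Expr::Const) return e;
  if (e->kind == Expr::Var) { auto it = s.find(e->name); return it == s.end() ? e : it->second; }
  return bin(e->kind, substitute(e->lhs, s), substitute(e->rhs, s));
}
bool structurallyEqual(const ExprP &a, const ExprP &b) {
  if (a->kind != b->kind) return false;
  if (a->kind == Expr::Var) return a->name == b->name;
  if (a->kind == Expr::Const) return a->value == b->value;
  return structurallyEqual(a->lhs, b->lhs) && structurallyEqual(a->rhs, b->rhs);
}
// Before: only the expected count (cb's __counted_by(count)) is interpreted
// under a map; the actual count (f's __counted_by(n)) is compared as written.
bool compatibleOneMap(const ExprP &actual, const ExprP &expected, const Subst &expectedMap) {
  return structurallyEqual(actual, substitute(expected, expectedMap));
}
// After: both comparands are interpreted under their own call-site map.
bool compatibleTwoMaps(const ExprP &actual, const Subst &actualMap,
                       const ExprP &expected, const Subst &expectedMap) {
  return structurallyEqual(substitute(actual, actualMap), substitute(expected, expectedMap));
}
// cb(f(len), len) from the PR: `n` under {n -> len} versus `count` under
// {count -> len}. One map reports a mismatch (the false positive); two agree.
bool pageExample(bool useTwoMaps) {
  Subst fCtx{{"n", var("len")}}, cbCtx{{"count", var("len")}};
  return useTwoMaps ? compatibleTwoMaps(var("n"), fCtx, var("count"), cbCtx)
                    : compatibleOneMap(var("n"), var("count"), cbCtx);
}
```

The model substitutes first and compares afterwards, which sidesteps the single-traversal limitation the comment describes; it is meant to illustrate the two-map comparison, not the visitor's structure.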
