// RUN: %clang_analyze_cc1 -verify %s -std=gnu99 \
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=alpha.core \
// RUN: -analyzer-checker=unix \
// RUN: -analyzer-checker=alpha.unix
#include "Inputs/system-header-simulator.h"
// Declarations for the memory functions the cases below call. They are
// written out in this file, so the signatures the analyzer sees for
// memset/malloc/free are exactly the ones listed here.
typedef __typeof(sizeof(int)) size_t;
void *memset(void *__s, int __c, size_t __n);
void *malloc(size_t __size);
void free(void *__ptr);
// The store for 'a[1]' should not be removed mistakenly. SymbolicRegions may
// also be live roots.
//
// 'a' is a pointer parameter, so 'a[1]' lives in a region based on a symbol
// rather than on a local variable. The value written to it is read straight
// back; if the analyzer had dropped that binding, the 'i != 1' branch would
// look feasible and the null dereference inside it would be reported. The
// case passes only when that dereference stays silent.
void f14(int *a) {
  int i;
  a[1] = 1;
  i = a[1];
  if (i != 1) {
    // Only reachable if the store to a[1] above was lost.
    int *p = 0;
    i = *p; // no-warning
  }
}
// memset() over the whole allocation: all sizeof(int) bytes of *x are set to
// zero, so the analyzer has to know *x == 0 afterwards and report the
// division that follows.
// NOTE(review): the malloc() result is used without a null check; that looks
// deliberate for a fixture whose subject is the memset() model -- confirm
// before "fixing" it.
void foo() {
  int *x = malloc(sizeof(int));
  memset(x, 0, sizeof(int));
  int n = 1 / *x; // expected-warning {{Division by zero}}
  free(x);
}
// Counterpart of foo(): memset() clears only 1 byte of the int, so the value
// of *x as a whole is not established as zero and the division must not be
// reported. This guards against a model that treats any memset(p, 0, n) as
// zeroing the entire pointee.
void bar() {
  int *x = malloc(sizeof(int));
  memset(x, 0, 1);
  int n = 1 / *x; // no-warning
  free(x);
}
// A destination that is a literal null pointer must be diagnosed at the
// memset() call itself, as the first argument.
void testConcreteNull() {
  int *x = 0;
  memset(x, 0, 1); // expected-warning {{Null pointer passed as 1st argument to memory set function}}
}
// In-bounds baseline for a stack buffer: 1 byte written into a 13-byte array
// must produce no diagnostic.
void testStackArray() {
  char buf[13];
  memset(buf, 0, 1); // no-warning
}
// In-bounds baseline for a heap buffer: 1 byte written into a 13-byte
// malloc() allocation must produce no diagnostic.
void testHeapSymbol() {
  char *buf = (char *)malloc(13);
  memset(buf, 0, 1); // no-warning
  free(buf);
}
// Stack overflow case: 1024 bytes are written into a 1-byte array. Two
// diagnostics are pinned to the memset() line: the overflow report for the
// memory set function, and a second message that spells out the destination
// size (1) and the size argument (1024).
// NOTE(review): the second message reads like a compiler warning derived from
// the array's declared size rather than a checker report; the heap variant of
// this case pins only the first message -- confirm the source of each.
//
// The two directive comments under the call address it by relative line
// offset (@-1 and @-2). Do not insert or remove lines between the call and
// those comments, or they will point at the wrong statement.
//
// History, from the blame annotation on this page: the call and its
// directives were last touched by "[analyzer] NFCi: Refactor CStringChecker:
// use strongly typed internal API" (https://reviews.llvm.org/D74806), whose
// summary states that all tests were preserved and only the message text
// changed in some places.
void testStackArrayOutOfBound() {
  char buf[1];
  memset(buf, 0, 1024);
  // expected-warning@-1 {{Memory set function overflows the destination buffer}}
  // expected-warning@-2 {{'memset' will always overflow; destination buffer has size 1, but size argument is 1024}}
}
// Heap overflow case: 1024 bytes are written into a 1-byte malloc()
// allocation. One diagnostic is pinned to the memset() line, the overflow
// report for the memory set function; the size here comes from the malloc()
// argument, not from a declared array type.
//
// The directive comment under the call addresses it by relative line offset
// (@-1). Do not insert or remove lines between the call and that comment.
//
// History, from the blame annotation on this page: the call and its directive
// were last touched by "[analyzer] NFCi: Refactor CStringChecker: use
// strongly typed internal API" (https://reviews.llvm.org/D74806), whose
// summary states that all tests were preserved and only the message text
// changed in some places.
void testHeapSymbolOutOfBound() {
  char *buf = (char *)malloc(1);
  memset(buf, 0, 1024);
  // expected-warning@-1 {{Memory set function overflows the destination buffer}}
  free(buf);
}
// Boundary case for a stack buffer: the size argument equals the array size
// exactly (sizeof(buf) == 1), which is a full but in-bounds write and must
// stay silent. Guards against an off-by-one in the bounds comparison.
void testStackArraySameSize() {
  char buf[1];
  memset(buf, 0, sizeof(buf)); // no-warning
}
// Boundary case for a heap buffer: the size argument equals the malloc()
// size exactly (1 byte), which is a full but in-bounds write and must stay
// silent.
void testHeapSymbolSameSize() {
  char *buf = (char *)malloc(1);
  memset(buf, 0, 1); // no-warning
  free(buf);
}