2019-07-28 21:38:04 +08:00
|
|
|
// RUN: %clang_analyze_cc1 -Wno-format-security -verify %s \
|
|
|
|
// RUN: -analyzer-checker=alpha.security.taint \
|
|
|
|
// RUN: -analyzer-checker=core \
|
|
|
|
// RUN: -analyzer-checker=alpha.security.ArrayBoundV2 \
|
|
|
|
// RUN: -analyzer-config \
|
|
|
|
// RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config.yaml
|
|
|
|
|
|
|
|
// RUN: %clang_analyze_cc1 -Wno-format-security -verify %s \
|
|
|
|
// RUN: -DFILE_IS_STRUCT \
|
|
|
|
// RUN: -analyzer-checker=alpha.security.taint \
|
|
|
|
// RUN: -analyzer-checker=core \
|
|
|
|
// RUN: -analyzer-checker=alpha.security.ArrayBoundV2 \
|
|
|
|
// RUN: -analyzer-config \
|
|
|
|
// RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config.yaml
|
|
|
|
|
|
|
|
// RUN: not %clang_analyze_cc1 -verify %s \
|
|
|
|
// RUN: -analyzer-checker=alpha.security.taint \
|
|
|
|
// RUN: -analyzer-config \
|
|
|
|
// RUN: alpha.security.taint.TaintPropagation:Config=justguessit \
|
|
|
|
// RUN: 2>&1 | FileCheck %s -check-prefix=CHECK-INVALID-FILE
|
|
|
|
|
|
|
|
// CHECK-INVALID-FILE: (frontend): invalid input for checker option
|
|
|
|
// CHECK-INVALID-FILE-SAME: 'alpha.security.taint.TaintPropagation:Config',
|
|
|
|
// CHECK-INVALID-FILE-SAME: that expects a valid filename instead of
|
|
|
|
// CHECK-INVALID-FILE-SAME: 'justguessit'
|
|
|
|
|
|
|
|
// RUN: not %clang_analyze_cc1 -verify %s \
|
|
|
|
// RUN: -analyzer-checker=alpha.security.taint \
|
|
|
|
// RUN: -analyzer-config \
|
|
|
|
// RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config-ill-formed.yaml \
|
|
|
|
// RUN: 2>&1 | FileCheck %s -check-prefix=CHECK-ILL-FORMED
|
|
|
|
|
|
|
|
// CHECK-ILL-FORMED: (frontend): invalid input for checker option
|
|
|
|
// CHECK-ILL-FORMED-SAME: 'alpha.security.taint.TaintPropagation:Config',
|
|
|
|
// CHECK-ILL-FORMED-SAME: that expects a valid yaml file: Invalid argument
|
|
|
|
|
|
|
|
// RUN: not %clang_analyze_cc1 -verify %s \
|
|
|
|
// RUN: -analyzer-checker=alpha.security.taint \
|
|
|
|
// RUN: -analyzer-config \
|
|
|
|
// RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config-invalid-arg.yaml \
|
|
|
|
// RUN: 2>&1 | FileCheck %s -check-prefix=CHECK-INVALID-ARG
|
|
|
|
|
|
|
|
// CHECK-INVALID-ARG: (frontend): invalid input for checker option
|
|
|
|
// CHECK-INVALID-ARG-SAME: 'alpha.security.taint.TaintPropagation:Config',
|
|
|
|
// CHECK-INVALID-ARG-SAME: that expects an argument number for propagation
|
|
|
|
// CHECK-INVALID-ARG-SAME: rules greater or equal to -1
|
2011-11-17 03:58:17 +08:00
|
|
|
|
|
|
|
int scanf(const char *restrict format, ...);
|
2019-03-05 20:42:59 +08:00
|
|
|
char *gets(char *str);
|
2011-11-17 03:58:17 +08:00
|
|
|
int getchar(void);
|
|
|
|
|
2012-01-12 10:22:34 +08:00
|
|
|
typedef struct _FILE FILE;
|
[analyzer] Improves the logic of GenericTaintChecker identifying stdin.
Summary:
GenericTaintChecker can't recognize stdin in some cases. The reason is that `if (PtrTy->getPointeeType() == C.getASTContext().getFILEType()` does not hold when stdin is encountered.
My platform is ubuntu16.04 64bit, gcc 5.4.0, glibc 2.23. The definition of stdin is as follows:
```
__BEGIN_NAMESPACE_STD
/* The opaque type of streams. This is the definition used elsewhere. */
typedef struct _IO_FILE FILE;
___END_NAMESPACE_STD
...
/* The opaque type of streams. This is the definition used elsewhere. */
typedef struct _IO_FILE __FILE;
...
/* Standard streams. */
extern struct _IO_FILE *stdin; /* Standard input stream. */
extern struct _IO_FILE *stdout; /* Standard output stream. */
extern struct _IO_FILE *stderr; /* Standard error output stream. */
```
The type of stdin is as follows AST:
```
ElaboratedType 0xc911170'struct _IO_FILE'sugar
`-RecordType 0xc911150'struct _IO_FILE'
`-CXXRecord 0xc923ff0'_IO_FILE'
```
`C.getASTContext().GetFILEType()` is as follows AST:
```
TypedefType 0xc932710 'FILE' sugar
|-Typedef 0xc9111c0 'FILE'
`-ElaboratedType 0xc911170 'struct _IO_FILE' sugar
`-RecordType 0xc911150 'struct _IO_FILE'
`-CXXRecord 0xc923ff0 '_IO_FILE'
```
So I think it's better to use `getCanonicalType()`.
Reviewers: zaks.anna, NoQ, george.karpenkov, a.sidorin
Reviewed By: zaks.anna, a.sidorin
Subscribers: a.sidorin, cfe-commits, xazax.hun, szepet, MTC
Differential Revision: https://reviews.llvm.org/D39159
llvm-svn: 326709
2018-03-05 23:41:15 +08:00
|
|
|
#ifdef FILE_IS_STRUCT
|
|
|
|
extern struct _FILE *stdin;
|
|
|
|
#else
|
2012-01-12 10:22:34 +08:00
|
|
|
extern FILE *stdin;
|
[analyzer] Improves the logic of GenericTaintChecker identifying stdin.
Summary:
GenericTaintChecker can't recognize stdin in some cases. The reason is that `if (PtrTy->getPointeeType() == C.getASTContext().getFILEType()` does not hold when stdin is encountered.
My platform is ubuntu16.04 64bit, gcc 5.4.0, glibc 2.23. The definition of stdin is as follows:
```
__BEGIN_NAMESPACE_STD
/* The opaque type of streams. This is the definition used elsewhere. */
typedef struct _IO_FILE FILE;
___END_NAMESPACE_STD
...
/* The opaque type of streams. This is the definition used elsewhere. */
typedef struct _IO_FILE __FILE;
...
/* Standard streams. */
extern struct _IO_FILE *stdin; /* Standard input stream. */
extern struct _IO_FILE *stdout; /* Standard output stream. */
extern struct _IO_FILE *stderr; /* Standard error output stream. */
```
The type of stdin is as follows AST:
```
ElaboratedType 0xc911170'struct _IO_FILE'sugar
`-RecordType 0xc911150'struct _IO_FILE'
`-CXXRecord 0xc923ff0'_IO_FILE'
```
`C.getASTContext().GetFILEType()` is as follows AST:
```
TypedefType 0xc932710 'FILE' sugar
|-Typedef 0xc9111c0 'FILE'
`-ElaboratedType 0xc911170 'struct _IO_FILE' sugar
`-RecordType 0xc911150 'struct _IO_FILE'
`-CXXRecord 0xc923ff0 '_IO_FILE'
```
So I think it's better to use `getCanonicalType()`.
Reviewers: zaks.anna, NoQ, george.karpenkov, a.sidorin
Reviewed By: zaks.anna, a.sidorin
Subscribers: a.sidorin, cfe-commits, xazax.hun, szepet, MTC
Differential Revision: https://reviews.llvm.org/D39159
llvm-svn: 326709
2018-03-05 23:41:15 +08:00
|
|
|
#endif
|
|
|
|
|
2012-01-12 10:22:34 +08:00
|
|
|
int fscanf(FILE *restrict stream, const char *restrict format, ...);
|
|
|
|
int sprintf(char *str, const char *format, ...);
|
|
|
|
void setproctitle(const char *fmt, ...);
|
|
|
|
typedef __typeof(sizeof(int)) size_t;
|
|
|
|
|
|
|
|
// Define string functions. Use builtin for some of them. They all default to
|
|
|
|
// the processing in the taint checker.
|
|
|
|
#define strcpy(dest, src) \
|
|
|
|
((__builtin_object_size(dest, 0) != -1ULL) \
|
|
|
|
? __builtin___strcpy_chk (dest, src, __builtin_object_size(dest, 1)) \
|
|
|
|
: __inline_strcpy_chk(dest, src))
|
|
|
|
|
|
|
|
static char *__inline_strcpy_chk (char *dest, const char *src) {
|
|
|
|
return __builtin___strcpy_chk(dest, src, __builtin_object_size(dest, 1));
|
|
|
|
}
|
|
|
|
char *stpcpy(char *restrict s1, const char *restrict s2);
|
|
|
|
char *strncpy( char * destination, const char * source, size_t num );
|
2012-01-18 10:45:07 +08:00
|
|
|
char *strndup(const char *s, size_t n);
|
2012-01-18 10:45:11 +08:00
|
|
|
char *strncat(char *restrict s1, const char *restrict s2, size_t n);
|
|
|
|
|
|
|
|
void *malloc(size_t);
|
|
|
|
void *calloc(size_t nmemb, size_t size);
|
|
|
|
void bcopy(void *s1, void *s2, size_t n);
|
2012-01-12 10:22:34 +08:00
|
|
|
|
2011-11-17 03:58:17 +08:00
|
|
|
#define BUFSIZE 10
|
|
|
|
|
|
|
|
int Buffer[BUFSIZE];
|
2011-11-29 04:43:40 +08:00
|
|
|
void bufferScanfDirect(void)
|
2011-11-17 03:58:17 +08:00
|
|
|
{
|
|
|
|
int n;
|
|
|
|
scanf("%d", &n);
|
|
|
|
Buffer[n] = 1; // expected-warning {{Out of bound memory access }}
|
|
|
|
}
|
2011-11-18 07:07:28 +08:00
|
|
|
|
|
|
|
void bufferScanfArithmetic1(int x) {
|
|
|
|
int n;
|
|
|
|
scanf("%d", &n);
|
|
|
|
int m = (n - 3);
|
|
|
|
Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
|
|
|
|
}
|
|
|
|
|
|
|
|
void bufferScanfArithmetic2(int x) {
|
|
|
|
int n;
|
|
|
|
scanf("%d", &n);
|
2012-01-21 04:28:31 +08:00
|
|
|
int m = 100 - (n + 3) * x;
|
2011-11-18 07:07:28 +08:00
|
|
|
Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
|
|
|
|
}
|
2011-11-18 10:26:36 +08:00
|
|
|
|
2011-11-29 04:43:40 +08:00
|
|
|
void bufferScanfAssignment(int x) {
|
|
|
|
int n;
|
|
|
|
scanf("%d", &n);
|
|
|
|
int m;
|
|
|
|
if (x > 0) {
|
|
|
|
m = n;
|
|
|
|
Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2011-11-18 10:26:36 +08:00
|
|
|
void scanfArg() {
|
2012-01-21 04:28:31 +08:00
|
|
|
int t = 0;
|
2012-01-21 05:52:58 +08:00
|
|
|
scanf("%d", t); // expected-warning {{format specifies type 'int *' but the argument has type 'int'}}
|
2011-11-18 10:26:36 +08:00
|
|
|
}
|
2011-11-29 04:43:40 +08:00
|
|
|
|
|
|
|
void bufferGetchar(int x) {
|
|
|
|
int m = getchar();
|
2012-01-21 13:07:33 +08:00
|
|
|
Buffer[m] = 1; //expected-warning {{Out of bound memory access (index is tainted)}}
|
2011-11-29 04:43:40 +08:00
|
|
|
}
|
2012-01-07 10:33:10 +08:00
|
|
|
|
2012-01-12 10:22:34 +08:00
|
|
|
void testUncontrolledFormatString(char **p) {
|
2012-01-07 10:33:10 +08:00
|
|
|
char s[80];
|
|
|
|
fscanf(stdin, "%s", s);
|
|
|
|
char buf[128];
|
|
|
|
sprintf(buf,s); // expected-warning {{Uncontrolled Format String}}
|
|
|
|
setproctitle(s, 3); // expected-warning {{Uncontrolled Format String}}
|
2012-01-12 10:22:34 +08:00
|
|
|
|
|
|
|
// Test taint propagation through strcpy and family.
|
|
|
|
char scpy[80];
|
|
|
|
strcpy(scpy, s);
|
|
|
|
sprintf(buf,scpy); // expected-warning {{Uncontrolled Format String}}
|
|
|
|
|
2012-01-13 08:56:55 +08:00
|
|
|
stpcpy(*(++p), s); // this generates __inline.
|
|
|
|
setproctitle(*(p), 3); // expected-warning {{Uncontrolled Format String}}
|
|
|
|
|
2012-01-12 10:22:34 +08:00
|
|
|
char spcpy[80];
|
|
|
|
stpcpy(spcpy, s);
|
|
|
|
setproctitle(spcpy, 3); // expected-warning {{Uncontrolled Format String}}
|
|
|
|
|
2012-01-18 10:45:07 +08:00
|
|
|
char *spcpyret;
|
|
|
|
spcpyret = stpcpy(spcpy, s);
|
|
|
|
setproctitle(spcpyret, 3); // expected-warning {{Uncontrolled Format String}}
|
|
|
|
|
2012-01-12 10:22:34 +08:00
|
|
|
char sncpy[80];
|
|
|
|
strncpy(sncpy, s, 20);
|
|
|
|
setproctitle(sncpy, 3); // expected-warning {{Uncontrolled Format String}}
|
2012-01-18 10:45:07 +08:00
|
|
|
|
|
|
|
char *dup;
|
|
|
|
dup = strndup(s, 20);
|
|
|
|
setproctitle(dup, 3); // expected-warning {{Uncontrolled Format String}}
|
|
|
|
|
2012-01-07 10:33:10 +08:00
|
|
|
}
|
2012-01-14 10:48:40 +08:00
|
|
|
|
|
|
|
int system(const char *command);
|
|
|
|
void testTaintSystemCall() {
|
|
|
|
char buffer[156];
|
|
|
|
char addr[128];
|
|
|
|
scanf("%s", addr);
|
2012-02-22 10:35:58 +08:00
|
|
|
system(addr); // expected-warning {{Untrusted data is passed to a system call}}
|
2012-01-18 10:45:07 +08:00
|
|
|
|
|
|
|
// Test that spintf transfers taint.
|
|
|
|
sprintf(buffer, "/bin/mail %s < /tmp/email", addr);
|
2012-02-22 10:35:58 +08:00
|
|
|
system(buffer); // expected-warning {{Untrusted data is passed to a system call}}
|
2012-01-18 10:45:07 +08:00
|
|
|
}
|
2012-01-18 10:45:11 +08:00
|
|
|
|
2012-01-18 10:45:07 +08:00
|
|
|
void testTaintSystemCall2() {
|
|
|
|
// Test that snpintf transfers taint.
|
|
|
|
char buffern[156];
|
|
|
|
char addr[128];
|
|
|
|
scanf("%s", addr);
|
|
|
|
__builtin_snprintf(buffern, 10, "/bin/mail %s < /tmp/email", addr);
|
2012-02-22 10:35:58 +08:00
|
|
|
system(buffern); // expected-warning {{Untrusted data is passed to a system call}}
|
2012-01-18 10:45:07 +08:00
|
|
|
}
|
2012-01-18 10:45:11 +08:00
|
|
|
|
2012-01-18 10:45:07 +08:00
|
|
|
void testTaintSystemCall3() {
|
|
|
|
char buffern2[156];
|
|
|
|
int numt;
|
|
|
|
char addr[128];
|
|
|
|
scanf("%s %d", addr, &numt);
|
|
|
|
__builtin_snprintf(buffern2, numt, "/bin/mail %s < /tmp/email", "abcd");
|
2012-02-22 10:35:58 +08:00
|
|
|
system(buffern2); // expected-warning {{Untrusted data is passed to a system call}}
|
2012-01-14 10:48:40 +08:00
|
|
|
}
|
2012-01-18 10:45:11 +08:00
|
|
|
|
2019-03-05 20:42:59 +08:00
|
|
|
void testGets() {
|
|
|
|
char str[50];
|
|
|
|
gets(str);
|
|
|
|
system(str); // expected-warning {{Untrusted data is passed to a system call}}
|
|
|
|
}
|
|
|
|
|
2012-01-18 10:45:11 +08:00
|
|
|
void testTaintedBufferSize() {
|
|
|
|
size_t ts;
|
|
|
|
scanf("%zd", &ts);
|
|
|
|
|
2012-02-22 10:35:58 +08:00
|
|
|
int *buf1 = (int*)malloc(ts*sizeof(int)); // expected-warning {{Untrusted data is used to specify the buffer size}}
|
|
|
|
char *dst = (char*)calloc(ts, sizeof(char)); //expected-warning {{Untrusted data is used to specify the buffer size}}
|
|
|
|
bcopy(buf1, dst, ts); // expected-warning {{Untrusted data is used to specify the buffer size}}
|
|
|
|
__builtin_memcpy(dst, buf1, (ts + 4)*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}
|
2012-01-18 10:45:11 +08:00
|
|
|
|
|
|
|
// If both buffers are trusted, do not issue a warning.
|
2012-02-22 10:35:58 +08:00
|
|
|
char *dst2 = (char*)malloc(ts*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}
|
2012-01-18 10:45:11 +08:00
|
|
|
strncat(dst2, dst, ts); // no-warning
|
2012-01-20 08:11:19 +08:00
|
|
|
}
|
2012-01-18 10:45:11 +08:00
|
|
|
|
2012-01-20 08:11:19 +08:00
|
|
|
#define AF_UNIX 1 /* local to host (pipes) */
|
|
|
|
#define AF_INET 2 /* internetwork: UDP, TCP, etc. */
|
|
|
|
#define AF_LOCAL AF_UNIX /* backward compatibility */
|
|
|
|
#define SOCK_STREAM 1
|
|
|
|
int socket(int, int, int);
|
|
|
|
size_t read(int, void *, size_t);
|
|
|
|
int execl(const char *, const char *, ...);
|
|
|
|
|
|
|
|
void testSocket() {
|
|
|
|
int sock;
|
|
|
|
char buffer[100];
|
|
|
|
|
|
|
|
sock = socket(AF_INET, SOCK_STREAM, 0);
|
|
|
|
read(sock, buffer, 100);
|
2012-02-22 10:35:58 +08:00
|
|
|
execl(buffer, "filename", 0); // expected-warning {{Untrusted data is passed to a system call}}
|
2012-01-20 08:11:19 +08:00
|
|
|
|
|
|
|
sock = socket(AF_LOCAL, SOCK_STREAM, 0);
|
|
|
|
read(sock, buffer, 100);
|
|
|
|
execl(buffer, "filename", 0); // no-warning
|
2017-03-09 08:01:16 +08:00
|
|
|
|
|
|
|
sock = socket(AF_INET, SOCK_STREAM, 0);
|
|
|
|
// References to both buffer and &buffer as an argument should taint the argument
|
|
|
|
read(sock, &buffer, 100);
|
|
|
|
execl(buffer, "filename", 0); // expected-warning {{Untrusted data is passed to a system call}}
|
|
|
|
}
|
|
|
|
|
|
|
|
void testStruct() {
|
|
|
|
struct {
|
|
|
|
char buf[16];
|
|
|
|
int length;
|
|
|
|
} tainted;
|
|
|
|
|
|
|
|
char buffer[16];
|
|
|
|
int sock;
|
|
|
|
|
|
|
|
sock = socket(AF_INET, SOCK_STREAM, 0);
|
|
|
|
read(sock, &tainted, sizeof(tainted));
|
|
|
|
__builtin_memcpy(buffer, tainted.buf, tainted.length); // expected-warning {{Untrusted data is used to specify the buffer size}}
|
|
|
|
}
|
|
|
|
|
|
|
|
void testStructArray() {
|
|
|
|
struct {
|
2017-05-29 23:42:56 +08:00
|
|
|
int length;
|
|
|
|
} tainted[4];
|
2017-03-09 08:01:16 +08:00
|
|
|
|
2017-05-29 23:42:56 +08:00
|
|
|
char dstbuf[16], srcbuf[16];
|
2017-03-09 08:01:16 +08:00
|
|
|
int sock;
|
|
|
|
|
|
|
|
sock = socket(AF_INET, SOCK_STREAM, 0);
|
2017-05-29 23:42:56 +08:00
|
|
|
__builtin_memset(srcbuf, 0, sizeof(srcbuf));
|
|
|
|
|
|
|
|
read(sock, &tainted[0], sizeof(tainted));
|
|
|
|
__builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // expected-warning {{Untrusted data is used to specify the buffer size}}
|
|
|
|
|
|
|
|
__builtin_memset(&tainted, 0, sizeof(tainted));
|
|
|
|
read(sock, &tainted, sizeof(tainted));
|
|
|
|
__builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // expected-warning {{Untrusted data is used to specify the buffer size}}
|
|
|
|
|
|
|
|
__builtin_memset(&tainted, 0, sizeof(tainted));
|
|
|
|
// If we taint element 1, we should not raise an alert on taint for element 0 or element 2
|
|
|
|
read(sock, &tainted[1], sizeof(tainted));
|
|
|
|
__builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // no-warning
|
|
|
|
__builtin_memcpy(dstbuf, srcbuf, tainted[2].length); // no-warning
|
|
|
|
}
|
|
|
|
|
|
|
|
void testUnion() {
|
|
|
|
union {
|
|
|
|
int x;
|
|
|
|
char y[4];
|
|
|
|
} tainted;
|
|
|
|
|
|
|
|
char buffer[4];
|
|
|
|
|
|
|
|
int sock = socket(AF_INET, SOCK_STREAM, 0);
|
|
|
|
read(sock, &tainted.y, sizeof(tainted.y));
|
|
|
|
// FIXME: overlapping regions aren't detected by isTainted yet
|
|
|
|
__builtin_memcpy(buffer, tainted.y, tainted.x);
|
2012-01-18 10:45:11 +08:00
|
|
|
}
|
2012-01-20 08:11:19 +08:00
|
|
|
|
2012-01-21 04:28:31 +08:00
|
|
|
int testDivByZero() {
|
|
|
|
int x;
|
|
|
|
scanf("%d", &x);
|
|
|
|
return 5/x; // expected-warning {{Division by a tainted value, possibly zero}}
|
|
|
|
}
|
2012-01-21 13:07:33 +08:00
|
|
|
|
|
|
|
// Zero-sized VLAs.
|
|
|
|
void testTaintedVLASize() {
|
|
|
|
int x;
|
|
|
|
scanf("%d", &x);
|
|
|
|
int vla[x]; // expected-warning{{Declared variable-length array (VLA) has tainted size}}
|
|
|
|
}
|
2012-05-03 10:13:50 +08:00
|
|
|
|
|
|
|
// This computation used to take a very long time.
|
|
|
|
#define longcmp(a,b,c) { \
|
|
|
|
a -= c; a ^= c; c += b; b -= a; b ^= (a<<6) | (a >> (32-b)); a += c; c -= b; c ^= b; b += a; \
|
|
|
|
a -= c; a ^= c; c += b; b -= a; b ^= a; a += c; c -= b; c ^= b; b += a; }
|
|
|
|
|
|
|
|
unsigned radar11369570_hanging(const unsigned char *arr, int l) {
|
|
|
|
unsigned a, b, c;
|
|
|
|
a = b = c = 0x9899e3 + l;
|
|
|
|
while (l >= 6) {
|
|
|
|
unsigned t;
|
|
|
|
scanf("%d", &t);
|
|
|
|
a += b;
|
|
|
|
a ^= a;
|
|
|
|
a += (arr[3] + ((unsigned) arr[2] << 8) + ((unsigned) arr[1] << 16) + ((unsigned) arr[0] << 24));
|
|
|
|
longcmp(a, t, c);
|
|
|
|
l -= 12;
|
|
|
|
}
|
|
|
|
return 5/a; // expected-warning {{Division by a tainted value, possibly zero}}
|
|
|
|
}
|
2012-05-03 10:13:53 +08:00
|
|
|
|
|
|
|
// Check that we do not assert of the following code.
|
|
|
|
int SymSymExprWithDiffTypes(void* p) {
|
|
|
|
int i;
|
|
|
|
scanf("%d", &i);
|
|
|
|
int j = (i % (int)(long)p);
|
|
|
|
return 5/j; // expected-warning {{Division by a tainted value, possibly zero}}
|
|
|
|
}
|
|
|
|
|
2013-03-25 04:25:22 +08:00
|
|
|
|
|
|
|
void constraintManagerShouldTreatAsOpaque(int rhs) {
|
|
|
|
int i;
|
|
|
|
scanf("%d", &i);
|
|
|
|
// This comparison used to hit an assertion in the constraint manager,
|
|
|
|
// which didn't handle NonLoc sym-sym comparisons.
|
|
|
|
if (i < rhs)
|
|
|
|
return;
|
|
|
|
if (i < rhs)
|
|
|
|
*(volatile int *) 0; // no-warning
|
|
|
|
}
|