llvm-project/clang/test/Analysis/outofbound.c

// RUN: %clang_cc1 -Wno-array-bounds -analyze -analyzer-checker=core,experimental.unix,experimental.security.ArrayBound -analyzer-store=region -verify %s

typedef __typeof(sizeof(int)) size_t;
void *malloc(size_t);
void *calloc(size_t, size_t);

char f1() {
  char* s = "abcd";
  char c = s[4]; // no-warning
  return s[5] + c; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
}

void f2() {
  int *p = malloc(12);
  p[3] = 4; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
}

struct three_words {
  int c[3];
};

struct seven_words {
  int c[7];
};

void f3() {
  struct three_words a, *p;
  p = &a;
  p[0] = a; // no-warning
  p[1] = a; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
}

void f4() {
  struct seven_words c;
  struct three_words a, *p = (struct three_words *)&c;
  p[0] = a; // no-warning
  p[1] = a; // no-warning
  p[2] = a; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
}

void f5() {
  char *p = calloc(2,2);
  p[3] = '.'; // no-warning
  p[4] = '!'; // expected-warning{{out-of-bound}}
}

void f6() {
  char a[2];
  int *b = (int*)a;
  b[1] = 3; // expected-warning{{out-of-bound}}
}

void f7() {
  struct three_words a;
  a.c[3] = 1; // expected-warning{{out-of-bound}}
}

void vla(int a) {
  if (a == 5) {
    int x[a];
    x[4] = 4; // no-warning
    x[5] = 5; // expected-warning{{out-of-bound}}
  }
}

void alloca_region(int a) {
  if (a == 5) {
    char *x = __builtin_alloca(a);
    x[4] = 4; // no-warning
    x[5] = 5; // expected-warning{{out-of-bound}}
  }
}

int symbolic_index(int a) {
  int x[2] = {1, 2};
  if (a == 2) {
    return x[a]; // expected-warning{{out-of-bound}}
  }
  return 0;
}

int symbolic_index2(int a) {
  int x[2] = {1, 2};
  if (a < 0) {
    return x[a]; // expected-warning{{out-of-bound}}
  }
  return 0;
}
[analyzer] rename all experimental checker packages to have 'experimental' be the common root package. llvm-svn: 136835 2011-08-04 07:14:55 +08:00			`// RUN: %clang_cc1 -Wno-array-bounds -analyze -analyzer-checker=core,experimental.unix,experimental.security.ArrayBound -analyzer-store=region -verify %s`
Add support for computing size in elements for symbolic regions obtained from malloc(). llvm-svn: 93722 2010-01-18 16:54:31 +08:00
			`typedef __typeof(sizeof(int)) size_t;`
			`void *malloc(size_t);`
Add support for calloc() in MallocChecker. Patch by Jordy Rose, with my modification. llvm-svn: 105264 2010-06-01 11:01:33 +08:00			`void *calloc(size_t, size_t);`
Add test case for out-of-bound memory access checking. llvm-svn: 59931 2008-11-24 10:19:49 +08:00
			`char f1() {`
			`char* s = "abcd";`
Test more array logic in outofbound.c llvm-svn: 62782 2009-01-23 04:36:33 +08:00			`char c = s[4]; // no-warning`
Reimplement out-of-bound array access checker with the new checker interface. Now only one test case is XFAIL'ed. llvm-svn: 86834 2009-11-11 20:33:27 +08:00			`return s[5] + c; // expected-warning{{Access out-of-bound array element (buffer overflow)}}`
Add test case for out-of-bound memory access checking. llvm-svn: 59931 2008-11-24 10:19:49 +08:00			`}`
Add support for computing size in elements for symbolic regions obtained from malloc(). llvm-svn: 93722 2010-01-18 16:54:31 +08:00
			`void f2() {`
			`int *p = malloc(12);`
			`p[3] = 4; // expected-warning{{Access out-of-bound array element (buffer overflow)}}`
			`}`
Use the element type to compute the array size when the base region is a VarRegion. Patch by Jordy Rose. llvm-svn: 100099 2010-04-01 16:20:27 +08:00
			`struct three_words {`
			`int c[3];`
			`};`

			`struct seven_words {`
			`int c[7];`
			`};`

			`void f3() {`
			`struct three_words a, *p;`
			`p = &a;`
			`p[0] = a; // no-warning`
			`p[1] = a; // expected-warning{{Access out-of-bound array element (buffer overflow)}}`
			`}`

			`void f4() {`
			`struct seven_words c;`
			`struct three_words a, p = (struct three_words )&c;`
			`p[0] = a; // no-warning`
			`p[1] = a; // no-warning`
			`p[2] = a; // expected-warning{{Access out-of-bound array element (buffer overflow)}}`
			`}`
Add support for calloc() in MallocChecker. Patch by Jordy Rose, with my modification. llvm-svn: 105264 2010-06-01 11:01:33 +08:00
			`void f5() {`
			`char *p = calloc(2,2);`
			`p[3] = '.'; // no-warning`
			`p[4] = '!'; // expected-warning{{out-of-bound}}`
			`}`
When a constant size array is casted to another type, its length should be scaled as well. llvm-svn: 106911 2010-06-26 07:23:04 +08:00
			`void f6() {`
			`char a[2];`
			`int b = (int)a;`
			`b[1] = 3; // expected-warning{{out-of-bound}}`
			`}`
Add a new symbol type, SymbolExtent, to represent the extents of memory regions that may not be known at compile-time (such as those created by malloc). This replaces the old setExtent/getExtent API on Store, which used the GRState's GDM to store SVals. Also adds a getKnownValue() method to SValuator, which gets the integer value of an SVal if it is known to only have one possible value. There are more places in the code that could be using this, but in general we want to be dealing entirely in SVals, so its usefulness is limited. The only visible functionality change is that extents are now honored for any DeclRegion, such as fields and Objective-C ivars, rather than just variables. This shows up in bounds-checking and cast-size-checking. llvm-svn: 107577 2010-07-04 08:00:41 +08:00
			`void f7() {`
			`struct three_words a;`
			`a.c[3] = 1; // expected-warning{{out-of-bound}}`
			`}`
Track extents for VLAs. llvm-svn: 107603 2010-07-05 08:50:15 +08:00
			`void vla(int a) {`
			`if (a == 5) {`
			`int x[a];`
			`x[4] = 4; // no-warning`
			`x[5] = 5; // expected-warning{{out-of-bound}}`
			`}`
			`}`
Support sizeof for VLA expressions (sizeof(someVLA)). sizeof(int[n]) still unimplemented. A VLA region's sizeof value matches its extent. llvm-svn: 107611 2010-07-05 12:42:43 +08:00
Add a test for alloca region extents. llvm-svn: 111079 2010-08-15 04:46:10 +08:00			`void alloca_region(int a) {`
			`if (a == 5) {`
			`char *x = __builtin_alloca(a);`
			`x[4] = 4; // no-warning`
			`x[5] = 5; // expected-warning{{out-of-bound}}`
			`}`
			`}`
- Allow making ElementRegions with complex offsets (expressions or symbols) for the purpose of bounds-checking. - Rewrite GRState::AssumeInBound to actually do that checking, and to use the normal constraint path. - Remove ConstraintManager::AssumeInBound. - Teach RegionStore and FlatStore to ignore those regions for now. llvm-svn: 111116 2010-08-16 09:15:17 +08:00
			`int symbolic_index(int a) {`
			`int x[2] = {1, 2};`
			`if (a == 2) {`
			`return x[a]; // expected-warning{{out-of-bound}}`
			`}`
			`return 0;`
			`}`

			`int symbolic_index2(int a) {`
			`int x[2] = {1, 2};`
			`if (a < 0) {`
			`return x[a]; // expected-warning{{out-of-bound}}`
			`}`
			`return 0;`
			`}`