llvm-project/clang/test/Analysis/array-struct.c

// RUN: %clang_cc1 -analyze -analyzer-experimental-internal-checks -checker-cfref -analyzer-store=basic -analyzer-constraints=basic -verify %s
// RUN: %clang_cc1 -analyze -analyzer-experimental-internal-checks -checker-cfref -analyzer-store=basic -analyzer-constraints=range -verify %s
// RUN: %clang_cc1 -analyze -analyzer-experimental-internal-checks -checker-cfref -analyzer-store=region -analyzer-constraints=basic -verify %s
// RUN: %clang_cc1 -analyze -analyzer-experimental-internal-checks -checker-cfref -analyzer-store=region -analyzer-constraints=range -verify %s

struct s {
  int data;
  int data_array[10];
};

typedef struct {
  int data;
} STYPE;

void g(char *p);
void g1(struct s* p);

// Array to pointer conversion. Array in the struct field.
void f(void) {
  int a[10];
  int (*p)[10];
  p = &a;
  (*p)[3] = 1;
  
  struct s d;
  struct s *q;
  q = &d;
  q->data = 3;
  d.data_array[9] = 17;
}

// StringLiteral in lvalue context and pointer to array type.
// p: ElementRegion, q: StringRegion
void f2() {
  char *p = "/usr/local";
  char (*q)[4];
  q = &"abc";
}

// Typedef'ed struct definition.
void f3() {
  STYPE s;
}

// Initialize array with InitExprList.
void f4() {
  int a[] = { 1, 2, 3};
  int b[3] = { 1, 2 };
  struct s c[] = {{1,{1}}};
}

// Struct variable in lvalue context.
// Assign UnknownVal to the whole struct.
void f5() {
  struct s data;
  g1(&data);
}

// AllocaRegion test.
void f6() {
  char *p;
  p = __builtin_alloca(10); 
  g(p);
  char c = *p;
  p[1] = 'a';
  // Test if RegionStore::EvalBinOp converts the alloca region to element
  // region.
  p += 2;
}

struct s2;

void g2(struct s2 *p);

// Incomplete struct pointer used as function argument.
void f7() {
  struct s2 *p = __builtin_alloca(10);
  g2(p);
}

// sizeof() is unsigned while -1 is signed in array index.
void f8() {
  int a[10];
  a[sizeof(a)/sizeof(int) - 1] = 1; // no-warning
}

// Initialization of struct array elements.
void f9() {
  struct s a[10];
}

// Initializing array with string literal.
void f10() {
  char a1[4] = "abc";
  char a3[6] = "abc";
}

// Retrieve the default value of element/field region.
void f11() {
  struct s a;
  g1(&a);
  if (a.data == 0) // no-warning
    a.data = 1;
}

// Convert unsigned offset to signed when creating ElementRegion from 
// SymbolicRegion.
void f12(int *list) {
  unsigned i = 0;
  list[i] = 1;
}

struct s1 {
  struct s2 {
    int d;
  } e;
};

// The binding of a.e.d should not be removed. Test recursive subregion map
// building: a->e, e->d. Only then 'a' could be added to live region roots.
void f13(double timeout) {
  struct s1 a;
  a.e.d = (int) timeout;
  if (a.e.d == 10)
    a.e.d = 4;
}

struct s3 {
  int a[2];
};

static struct s3 opt;

// Test if the embedded array is retrieved correctly.
void f14() {
  struct s3 my_opt = opt;
}

void bar(int*);

// Test if the array is correctly invalidated.
void f15() {
  int a[10];
  bar(a);
  if (a[1]) // no-warning
    (void)1;
}

struct s3 p[1];

// Code from postgresql.
// Current cast logic of region store mistakenly leaves the final result region
// an ElementRegion of type 'char'. Then load a nonloc::SymbolVal from it and
// assigns to 'a'. 
void f16(struct s3 *p) {
  struct s3 a = *((struct s3*) ((char*) &p[0])); // expected-warning{{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption.}}
}

void inv(struct s1 *);

// Invalidate the struct field.
void f17() {
  struct s1 t;
  int x;
  inv(&t);
  if (t.e.d)
    x = 1;
}

void read(char*);

void f18() {
  char *q;
  char *p = (char *) __builtin_alloca(10);
  read(p);
  q = p;
  q++;
  if (*q) { // no-warning
  }
}
Update tests to use %clang_cc1 instead of 'clang-cc' or 'clang -cc1'. - This is designed to make it obvious that %clang_cc1 is a "test variable" which is substituted. It is '%clang_cc1' instead of '%clang -cc1' because it can be useful to redefine what gets run as 'clang -cc1' (for example, to set a default target). llvm-svn: 91446 2009-12-16 04:14:24 +08:00			`// RUN: %clang_cc1 -analyze -analyzer-experimental-internal-checks -checker-cfref -analyzer-store=basic -analyzer-constraints=basic -verify %s`
			`// RUN: %clang_cc1 -analyze -analyzer-experimental-internal-checks -checker-cfref -analyzer-store=basic -analyzer-constraints=range -verify %s`
			`// RUN: %clang_cc1 -analyze -analyzer-experimental-internal-checks -checker-cfref -analyzer-store=region -analyzer-constraints=basic -verify %s`
			`// RUN: %clang_cc1 -analyze -analyzer-experimental-internal-checks -checker-cfref -analyzer-store=region -analyzer-constraints=range -verify %s`
Add test case for array and struct variable lvalue evaluation. llvm-svn: 57670 2008-10-17 13:19:52 +08:00
Add random array and struct test code for SCA. llvm-svn: 58085 2008-10-24 16:51:58 +08:00			`struct s {`
			`int data;`
			`int data_array[10];`
			`};`
Add test case for array and struct variable lvalue evaluation. llvm-svn: 57670 2008-10-17 13:19:52 +08:00
Add test for SCA region store. llvm-svn: 58234 2008-10-27 17:19:25 +08:00			`typedef struct {`
			`int data;`
			`} STYPE;`

Treat AllocaRegion as SymbolicRegion in RegionStore::Retrieve(). llvm-svn: 72166 2009-05-20 17:18:48 +08:00			`void g(char *p);`
Add function side-effect test cast. llvm-svn: 58565 2008-11-02 21:17:44 +08:00			`void g1(struct s* p);`

Add documentation for test. llvm-svn: 60002 2008-11-25 09:45:11 +08:00			`// Array to pointer conversion. Array in the struct field.`
Add test case for array and struct variable lvalue evaluation. llvm-svn: 57670 2008-10-17 13:19:52 +08:00			`void f(void) {`
			`int a[10];`
			`int (*p)[10];`
			`p = &a;`
			`(*p)[3] = 1;`

			`struct s d;`
			`struct s *q;`
			`q = &d;`
Add random array and struct test code for SCA. llvm-svn: 58085 2008-10-24 16:51:58 +08:00			`q->data = 3;`
			`d.data_array[9] = 17;`
Add test case for array and struct variable lvalue evaluation. llvm-svn: 57670 2008-10-17 13:19:52 +08:00			`}`
Add StringLiteral test code. llvm-svn: 58136 2008-10-25 22:11:23 +08:00
Add documentation for test. llvm-svn: 60002 2008-11-25 09:45:11 +08:00			`// StringLiteral in lvalue context and pointer to array type.`
			`// p: ElementRegion, q: StringRegion`
Add StringLiteral test code. llvm-svn: 58136 2008-10-25 22:11:23 +08:00			`void f2() {`
			`char *p = "/usr/local";`
			`char (*q)[4];`
			`q = &"abc";`
			`}`
Add test for SCA region store. llvm-svn: 58234 2008-10-27 17:19:25 +08:00
Add documentation for test. llvm-svn: 60002 2008-11-25 09:45:11 +08:00			`// Typedef'ed struct definition.`
Add test for SCA region store. llvm-svn: 58234 2008-10-27 17:19:25 +08:00			`void f3() {`
			`STYPE s;`
			`}`
Add test code for array initialization. llvm-svn: 58502 2008-10-31 18:23:14 +08:00
Add documentation for test. llvm-svn: 60002 2008-11-25 09:45:11 +08:00			`// Initialize array with InitExprList.`
Add test code for array initialization. llvm-svn: 58502 2008-10-31 18:23:14 +08:00			`void f4() {`
			`int a[] = { 1, 2, 3};`
			`int b[3] = { 1, 2 };`
Add a test case for init expr of array and struct type. llvm-svn: 62845 2009-01-23 18:23:13 +08:00			`struct s c[] = {{1,{1}}};`
Add test code for array initialization. llvm-svn: 58502 2008-10-31 18:23:14 +08:00			`}`
Add function side-effect test cast. llvm-svn: 58565 2008-11-02 21:17:44 +08:00
Add documentation for test. llvm-svn: 60002 2008-11-25 09:45:11 +08:00			`// Struct variable in lvalue context.`
Add KillStruct to region store. - put the killed region in the kill set. - set its default value to unknown. - removes all bindings for its subregions. llvm-svn: 62138 2009-01-13 09:49:57 +08:00			`// Assign UnknownVal to the whole struct.`
Add function side-effect test cast. llvm-svn: 58565 2008-11-02 21:17:44 +08:00			`void f5() {`
			`struct s data;`
			`g1(&data);`
			`}`
Add a test case for alloca(). llvm-svn: 59233 2008-11-13 15:59:15 +08:00
Add documentation for test. llvm-svn: 60002 2008-11-25 09:45:11 +08:00			`// AllocaRegion test.`
Add a test case for alloca(). llvm-svn: 59233 2008-11-13 15:59:15 +08:00			`void f6() {`
			`char *p;`
			`p = __builtin_alloca(10);`
Treat AllocaRegion as SymbolicRegion in RegionStore::Retrieve(). llvm-svn: 72166 2009-05-20 17:18:48 +08:00			`g(p);`
			`char c = *p;`
Add a test case for alloca(). llvm-svn: 59233 2008-11-13 15:59:15 +08:00			`p[1] = 'a';`
Add comments to test case. llvm-svn: 72165 2009-05-20 17:03:10 +08:00			`// Test if RegionStore::EvalBinOp converts the alloca region to element`
			`// region.`
* API change: we need to pass GRState to GRExprEngine::EvalBinOp() because RegionStore needs to know the type of alloca region. * RegionStoreManager::EvalBinOp() now converts the alloca region to its first element region, as what is done to symbolic region. llvm-svn: 72164 2009-05-20 17:00:16 +08:00			`p += 2;`
Add a test case for alloca(). llvm-svn: 59233 2008-11-13 15:59:15 +08:00			`}`
Add test for incomplete struct pointer. llvm-svn: 59236 2008-11-13 16:44:52 +08:00
			`struct s2;`

			`void g2(struct s2 *p);`

Add documentation for test. llvm-svn: 60002 2008-11-25 09:45:11 +08:00			`// Incomplete struct pointer used as function argument.`
Add test for incomplete struct pointer. llvm-svn: 59236 2008-11-13 16:44:52 +08:00			`void f7() {`
			`struct s2 *p = __builtin_alloca(10);`
			`g2(p);`
			`}`
Add test for unsigned array index. llvm-svn: 59239 2008-11-13 17:20:05 +08:00
Add documentation for test. llvm-svn: 60002 2008-11-25 09:45:11 +08:00			`// sizeof() is unsigned while -1 is signed in array index.`
Add test for unsigned array index. llvm-svn: 59239 2008-11-13 17:20:05 +08:00			`void f8() {`
			`int a[10];`
Add no-warning to test case. llvm-svn: 59995 2008-11-25 07:45:56 +08:00			`a[sizeof(a)/sizeof(int) - 1] = 1; // no-warning`
Add test for unsigned array index. llvm-svn: 59239 2008-11-13 17:20:05 +08:00			`}`
Add test cast for struct array. llvm-svn: 59522 2008-11-18 21:30:46 +08:00
Add documentation for test. llvm-svn: 60002 2008-11-25 09:45:11 +08:00			`// Initialization of struct array elements.`
Add test cast for struct array. llvm-svn: 59522 2008-11-18 21:30:46 +08:00			`void f9() {`
			`struct s a[10];`
			`}`
Add test for initializing array with string literal. llvm-svn: 60281 2008-11-30 13:51:19 +08:00
			`// Initializing array with string literal.`
			`void f10() {`
			`char a1[4] = "abc";`
			`char a3[6] = "abc";`
			`}`
Implement retrieval of the default value of element and field regions. llvm-svn: 62847 2009-01-23 19:22:12 +08:00
			`// Retrieve the default value of element/field region.`
			`void f11() {`
			`struct s a;`
Treat AllocaRegion as SymbolicRegion in RegionStore::Retrieve(). llvm-svn: 72166 2009-05-20 17:18:48 +08:00			`g1(&a);`
Implement retrieval of the default value of element and field regions. llvm-svn: 62847 2009-01-23 19:22:12 +08:00			`if (a.data == 0) // no-warning`
			`a.data = 1;`
			`}`
add test case. llvm-svn: 65036 2009-02-19 16:42:43 +08:00
			`// Convert unsigned offset to signed when creating ElementRegion from`
			`// SymbolicRegion.`
			`void f12(int *list) {`
			`unsigned i = 0;`
			`list[i] = 1;`
			`}`
add test case. llvm-svn: 67154 2009-03-18 10:07:30 +08:00
			`struct s1 {`
			`struct s2 {`
			`int d;`
			`} e;`
			`};`

			`// The binding of a.e.d should not be removed. Test recursive subregion map`
			`// building: a->e, e->d. Only then 'a' could be added to live region roots.`
			`void f13(double timeout) {`
			`struct s1 a;`
Implement -Wconversion. Off by default, in the non-gcc group. There's significant work left to be done to reduce the false-positive rate here. llvm-svn: 86326 2009-11-07 11:30:10 +08:00			`a.e.d = (int) timeout;`
add test case. llvm-svn: 67154 2009-03-18 10:07:30 +08:00			`if (a.e.d == 10)`
			`a.e.d = 4;`
			`}`
region store: make Retrieve() can retrieve embedded array correctly. Also simplify the retrieve logic. llvm-svn: 70651 2009-05-03 08:27:40 +08:00
			`struct s3 {`
			`int a[2];`
			`};`

			`static struct s3 opt;`

			`// Test if the embedded array is retrieved correctly.`
			`void f14() {`
			`struct s3 my_opt = opt;`
			`}`
Add logic for invalidating array region to CFRefCount.cpp. When invalidating array region, set its default value to conjured symbol. When retrieving its element, create new region value symbol for the element. Also fix some 80 columns violations. llvm-svn: 71548 2009-05-12 18:10:00 +08:00
			`void bar(int*);`

			`// Test if the array is correctly invalidated.`
			`void f15() {`
			`int a[10];`
			`bar(a);`
			`if (a[1]) // no-warning`
Add casts to avoid a bunch of unused expr warnings. (They aren't reported right now due to a bug that I intend to fix). Ted, please review. llvm-svn: 77630 2009-07-31 06:37:41 +08:00			`(void)1;`
Add logic for invalidating array region to CFRefCount.cpp. When invalidating array region, set its default value to conjured symbol. When retrieving its element, create new region value symbol for the element. Also fix some 80 columns violations. llvm-svn: 71548 2009-05-12 18:10:00 +08:00			`}`
Bind the mistakenly generated nonloc::SymbolVal to struct correctly. See the comments for added test case for details. llvm-svn: 73189 2009-06-11 17:11:27 +08:00
			`struct s3 p[1];`

			`// Code from postgresql.`
			`// Current cast logic of region store mistakenly leaves the final result region`
			`// an ElementRegion of type 'char'. Then load a nonloc::SymbolVal from it and`
			`// assigns to 'a'.`
			`void f16(struct s3 *p) {`
Add checker for CWE-588: Attempt to Access Child of a Non-structure Pointer. llvm-svn: 86529 2009-11-09 16:07:38 +08:00			`struct s3 a = ((struct s3) ((char*) &p[0])); // expected-warning{{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption.}}`
Bind the mistakenly generated nonloc::SymbolVal to struct correctly. See the comments for added test case for details. llvm-svn: 73189 2009-06-11 17:11:27 +08:00			`}`
Invalidate a field of struct type by setting its default value to conjured symbol. llvm-svn: 74408 2009-06-28 21:59:24 +08:00
			`void inv(struct s1 *);`

			`// Invalidate the struct field.`
			`void f17() {`
			`struct s1 t;`
			`int x;`
			`inv(&t);`
			`if (t.e.d)`
			`x = 1;`
			`}`
Invalidate the alloca region by setting its default value to conjured symbol. llvm-svn: 74419 2009-06-29 14:43:40 +08:00
			`void read(char*);`

			`void f18() {`
			`char *q;`
			`char p = (char ) __builtin_alloca(10);`
			`read(p);`
			`q = p;`
			`q++;`
			`if (*q) { // no-warning`
			`}`
			`}`