2019-12-14 09:59:36 +08:00
|
|
|
// RUN: %clang_analyze_cc1 -w -verify %s \
|
2019-05-23 23:49:04 +08:00
|
|
|
// RUN: -analyzer-checker=core \
|
|
|
|
// RUN: -analyzer-checker=unix.cstring.NullArg \
|
|
|
|
// RUN: -analyzer-checker=alpha.unix.cstring \
|
|
|
|
// RUN: -analyzer-checker=debug.ExprInspection
|
2018-05-15 06:32:24 +08:00
|
|
|
|
|
|
|
#define NULL ((void *)0)
|
|
|
|
|
|
|
|
typedef __typeof(sizeof(int)) size_t;
|
|
|
|
size_t strlcpy(char *dst, const char *src, size_t n);
|
|
|
|
size_t strlcat(char *dst, const char *src, size_t n);
|
2019-11-08 07:58:01 +08:00
|
|
|
size_t strlen(const char *s);
|
2018-05-15 06:32:24 +08:00
|
|
|
void clang_analyzer_eval(int);
|
|
|
|
|
|
|
|
void f1() {
|
|
|
|
char overlap[] = "123456789";
|
|
|
|
strlcpy(overlap, overlap + 1, 3); // expected-warning{{Arguments must not be overlapping buffers}}
|
|
|
|
}
|
|
|
|
|
|
|
|
void f2() {
|
|
|
|
char buf[5];
|
2019-11-08 07:58:01 +08:00
|
|
|
size_t len;
|
|
|
|
len = strlcpy(buf, "abcd", sizeof(buf)); // expected-no-warning
|
|
|
|
clang_analyzer_eval(len == 4); // expected-warning{{TRUE}}
|
|
|
|
len = strlcat(buf, "efgh", sizeof(buf)); // expected-no-warning
|
|
|
|
clang_analyzer_eval(len == 8); // expected-warning{{TRUE}}
|
2018-05-15 06:32:24 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
void f3() {
|
|
|
|
char dst[2];
|
|
|
|
const char *src = "abdef";
|
[analyzer] NFCi: Refactor CStringChecker: use strongly typed internal API
Summary:
I wanted to extend the diagnostics of the CStringChecker with taintedness.
This requires the CStringChecker to be refactored to support a more flexible
reporting mechanism.
This patch does only refactorings, such:
- eliminates always false parameters (like WarnAboutSize)
- reduces the number of parameters
- makes strong types differentiating *source* and *destination* buffers
(same with size expressions)
- binds the argument expression and the index, making diagnostics accurate
and easy to emit
- removes a bunch of default parameters to make it more readable
- remove random const char* warning message parameters, making clear where
and what is going to be emitted
Note that:
- CheckBufferAccess now checks *only* one buffer, this removed about 100 LOC
code duplication
- not every function was refactored to use the /new/ strongly typed API, since
the CString related functions are really closely coupled monolithic beasts,
I will refactor them separately
- all tests are preserved and passing; only the message changed at some places.
In my opinion, these messages are holding the same information.
I would also highlight that this refactoring caught a bug in
clang/test/Analysis/string.c:454 where the diagnostic did not reflect reality.
This catch backs my effort on simplifying this monolithic CStringChecker.
Reviewers: NoQ, baloghadamsoftware, Szelethus, rengolin, Charusso
Reviewed By: NoQ
Subscribers: whisperity, xazax.hun, szepet, rnkovacs, a.sidorin,
mikhail.ramalho, donat.nagy, dkrupp, Charusso, martong, cfe-commits
Tags: #clang
Differential Revision: https://reviews.llvm.org/D74806
2020-04-09 22:06:32 +08:00
|
|
|
strlcpy(dst, src, 5); // expected-warning{{String copy function overflows the destination buffer}}
|
2018-05-15 06:32:24 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
void f4() {
|
2019-12-11 08:48:17 +08:00
|
|
|
strlcpy(NULL, "abcdef", 6); // expected-warning{{Null pointer passed as 1st argument to string copy function}}
|
2018-05-15 06:32:24 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
void f5() {
|
2019-12-11 08:48:17 +08:00
|
|
|
strlcat(NULL, "abcdef", 6); // expected-warning{{Null pointer passed as 1st argument to string concatenation function}}
|
2018-05-15 06:32:24 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
void f6() {
|
|
|
|
char buf[8];
|
|
|
|
strlcpy(buf, "abc", 3);
|
|
|
|
size_t len = strlcat(buf, "defg", 4);
|
|
|
|
clang_analyzer_eval(len == 7); // expected-warning{{TRUE}}
|
|
|
|
}
|
2018-05-23 12:38:25 +08:00
|
|
|
|
|
|
|
int f7() {
|
|
|
|
char buf[8];
|
|
|
|
return strlcpy(buf, "1234567", 0); // no-crash
|
|
|
|
}
|
2019-11-08 07:58:01 +08:00
|
|
|
|
|
|
|
void f8(){
|
|
|
|
char buf[5];
|
|
|
|
size_t len;
|
|
|
|
|
|
|
|
// basic strlcpy
|
|
|
|
len = strlcpy(buf,"123", sizeof(buf));
|
|
|
|
clang_analyzer_eval(len==3);// expected-warning{{TRUE}}
|
|
|
|
len = strlen(buf);
|
|
|
|
clang_analyzer_eval(len==3);// expected-warning{{TRUE}}
|
|
|
|
|
|
|
|
// testing bounded strlcat
|
|
|
|
len = strlcat(buf,"456", sizeof(buf));
|
|
|
|
clang_analyzer_eval(len==6);// expected-warning{{TRUE}}
|
|
|
|
len = strlen(buf);
|
|
|
|
clang_analyzer_eval(len==4);// expected-warning{{TRUE}}
|
|
|
|
|
|
|
|
// testing strlcat with size==0
|
|
|
|
len = strlcat(buf,"789", 0);
|
|
|
|
clang_analyzer_eval(len==7);// expected-warning{{TRUE}}
|
|
|
|
len = strlen(buf);
|
|
|
|
clang_analyzer_eval(len==4);// expected-warning{{TRUE}}
|
|
|
|
|
|
|
|
// testing strlcpy with size==0
|
|
|
|
len = strlcpy(buf,"123",0);
|
|
|
|
clang_analyzer_eval(len==3);// expected-warning{{TRUE}}
|
|
|
|
len = strlen(buf);
|
|
|
|
clang_analyzer_eval(len==4);// expected-warning{{TRUE}}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
void f9(int unknown_size, char* unknown_src, char* unknown_dst){
|
|
|
|
char buf[8];
|
|
|
|
size_t len;
|
|
|
|
|
|
|
|
len = strlcpy(buf,"abba",sizeof(buf));
|
|
|
|
|
|
|
|
clang_analyzer_eval(len==4);// expected-warning{{TRUE}}
|
|
|
|
clang_analyzer_eval(strlen(buf)==4);// expected-warning{{TRUE}}
|
|
|
|
|
|
|
|
//size is unknown
|
|
|
|
len = strlcat(buf,"cd", unknown_size);
|
|
|
|
clang_analyzer_eval(len==6);// expected-warning{{TRUE}}
|
|
|
|
clang_analyzer_eval(strlen(buf)>=4);// expected-warning{{TRUE}}
|
|
|
|
|
|
|
|
//dst is unknown
|
|
|
|
len = strlcpy(unknown_dst,"abbc",unknown_size);
|
|
|
|
clang_analyzer_eval(len==4);// expected-warning{{TRUE}}
|
|
|
|
clang_analyzer_eval(strlen(unknown_dst));// expected-warning{{UNKNOWN}}
|
|
|
|
|
|
|
|
//src is unknown
|
|
|
|
len = strlcpy(buf,unknown_src, sizeof(buf));
|
|
|
|
clang_analyzer_eval(len);// expected-warning{{UNKNOWN}}
|
|
|
|
clang_analyzer_eval(strlen(buf));// expected-warning{{UNKNOWN}}
|
|
|
|
|
|
|
|
//src, dst is unknown
|
|
|
|
len = strlcpy(unknown_dst, unknown_src, unknown_size);
|
|
|
|
clang_analyzer_eval(len);// expected-warning{{UNKNOWN}}
|
|
|
|
clang_analyzer_eval(strlen(unknown_dst));// expected-warning{{UNKNOWN}}
|
|
|
|
|
|
|
|
//size is unknown
|
[analyzer] NFCi: Refactor CStringChecker: use strongly typed internal API
Summary:
I wanted to extend the diagnostics of the CStringChecker with taintedness.
This requires the CStringChecker to be refactored to support a more flexible
reporting mechanism.
This patch does only refactorings, such:
- eliminates always false parameters (like WarnAboutSize)
- reduces the number of parameters
- makes strong types differentiating *source* and *destination* buffers
(same with size expressions)
- binds the argument expression and the index, making diagnostics accurate
and easy to emit
- removes a bunch of default parameters to make it more readable
- remove random const char* warning message parameters, making clear where
and what is going to be emitted
Note that:
- CheckBufferAccess now checks *only* one buffer, this removed about 100 LOC
code duplication
- not every function was refactored to use the /new/ strongly typed API, since
the CString related functions are really closely coupled monolithic beasts,
I will refactor them separately
- all tests are preserved and passing; only the message changed at some places.
In my opinion, these messages are holding the same information.
I would also highlight that this refactoring caught a bug in
clang/test/Analysis/string.c:454 where the diagnostic did not reflect reality.
This catch backs my effort on simplifying this monolithic CStringChecker.
Reviewers: NoQ, baloghadamsoftware, Szelethus, rengolin, Charusso
Reviewed By: NoQ
Subscribers: whisperity, xazax.hun, szepet, rnkovacs, a.sidorin,
mikhail.ramalho, donat.nagy, dkrupp, Charusso, martong, cfe-commits
Tags: #clang
Differential Revision: https://reviews.llvm.org/D74806
2020-04-09 22:06:32 +08:00
|
|
|
len = strlcat(buf + 2, unknown_src + 1, sizeof(buf));
|
|
|
|
// expected-warning@-1 {{String concatenation function overflows the destination buffer}}
|
2019-11-08 07:58:01 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
void f10(){
|
|
|
|
char buf[8];
|
|
|
|
size_t len;
|
|
|
|
|
|
|
|
len = strlcpy(buf,"abba",sizeof(buf));
|
|
|
|
clang_analyzer_eval(len==4);// expected-warning{{TRUE}}
|
[analyzer] NFCi: Refactor CStringChecker: use strongly typed internal API
Summary:
I wanted to extend the diagnostics of the CStringChecker with taintedness.
This requires the CStringChecker to be refactored to support a more flexible
reporting mechanism.
This patch does only refactorings, such:
- eliminates always false parameters (like WarnAboutSize)
- reduces the number of parameters
- makes strong types differentiating *source* and *destination* buffers
(same with size expressions)
- binds the argument expression and the index, making diagnostics accurate
and easy to emit
- removes a bunch of default parameters to make it more readable
- remove random const char* warning message parameters, making clear where
and what is going to be emitted
Note that:
- CheckBufferAccess now checks *only* one buffer, this removed about 100 LOC
code duplication
- not every function was refactored to use the /new/ strongly typed API, since
the CString related functions are really closely coupled monolithic beasts,
I will refactor them separately
- all tests are preserved and passing; only the message changed at some places.
In my opinion, these messages are holding the same information.
I would also highlight that this refactoring caught a bug in
clang/test/Analysis/string.c:454 where the diagnostic did not reflect reality.
This catch backs my effort on simplifying this monolithic CStringChecker.
Reviewers: NoQ, baloghadamsoftware, Szelethus, rengolin, Charusso
Reviewed By: NoQ
Subscribers: whisperity, xazax.hun, szepet, rnkovacs, a.sidorin,
mikhail.ramalho, donat.nagy, dkrupp, Charusso, martong, cfe-commits
Tags: #clang
Differential Revision: https://reviews.llvm.org/D74806
2020-04-09 22:06:32 +08:00
|
|
|
strlcat(buf, "efghi", 9);
|
|
|
|
// expected-warning@-1 {{String concatenation function overflows the destination buffer}}
|
2019-11-08 07:58:01 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
void f11() {
|
|
|
|
//test for Bug 41729
|
|
|
|
char a[256], b[256];
|
|
|
|
strlcpy(a, "world", sizeof(a));
|
|
|
|
strlcpy(b, "hello ", sizeof(b));
|
|
|
|
strlcat(b, a, sizeof(b)); // no-warning
|
|
|
|
}
|
2019-12-14 09:59:36 +08:00
|
|
|
|
|
|
|
int a, b;
|
|
|
|
void unknown_val_crash() {
|
|
|
|
// We're unable to evaluate the integer-to-pointer cast.
|
|
|
|
strlcat(&b, a, 0); // no-crash
|
|
|
|
}
|