      1 // RUN: %clang_cc1 -Wno-array-bounds -analyze -analyzer-checker=core,unix.experimental,security.experimental.ArrayBound -analyzer-store=region -verify %s
      2 
      3 typedef __typeof(sizeof(int)) size_t;
        // size_t is derived from the type of a sizeof expression, and the two
        // allocator prototypes below are declared by hand, so this test file
        // does not depend on any system header.
      4 void *malloc(size_t);
      5 void *calloc(size_t, size_t);
      6 
      7 char f1() {
        // Case: read past the end of a string literal.
        // "abcd" occupies five bytes (four characters plus the terminating NUL),
        // so index 4 reads the terminator and is in bounds, while index 5 is the
        // first byte past the object and must be reported.
      8   char* s = "abcd";
      9   char c = s[4]; // no-warning
     10   return s[5] + c; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
     11 }
     12 
     13 void f2() {
        // Case: heap write past a malloc'd region whose size is given in bytes
        // while the access is typed as int.
        // Assuming a 4-byte int on the analysis target, 12 bytes hold elements
        // 0..2 only; p[3] starts at byte offset 12, one element past the block.
     14   int *p = malloc(12);
     15   p[3] = 4; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
     16 }
     17 
     18 struct three_words {
          // Three-int aggregate; f3, f4 and f7 use it as the element type or
          // target of the bounds checks.
     19   int c[3];
     20 };
     21 
     22 struct seven_words {
          // Seven-int aggregate; f4 uses one instance as backing storage that is
          // then viewed through a struct three_words pointer.
     23   int c[7];
     24 };
     25 
     26 void f3() {
        // Case: a pointer to a single stack object indexed as if it were an array.
        // p addresses exactly one struct three_words, so p[0] is that object and
        // p[1] is a whole-struct store one element past it.
     27   struct three_words a, *p;
     28   p = &a;
     29   p[0] = a; // no-warning
     30   p[1] = a; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
     31 }
     32 
     33 void f4() {
        // Case: bounds are taken from the underlying storage, not from the type
        // of the pointer obtained by a cast.
        // c holds 7 ints. Viewed as struct three_words elements, p[0] covers
        // ints 0..2 and p[1] covers ints 3..5, both inside c; p[2] would cover
        // ints 6..8 and therefore runs past the end of c.
     34   struct seven_words c;
     35   struct three_words a, *p = (struct three_words *)&c;
     36   p[0] = a; // no-warning
     37   p[1] = a; // no-warning
     38   p[2] = a; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
     39 }
     40 
     41 void f5() {
        // Case: calloc extent is the product of its two arguments.
        // calloc(2,2) requests 2 * 2 = 4 bytes, so char index 3 is the last
        // valid byte and index 4 is the first byte past the allocation.
     42   char *p = calloc(2,2);
     43   p[3] = '.'; // no-warning
     44   p[4] = '!'; // expected-warning{{out-of-bound}}
     45 }
     46 
     47 void f6() {
        // Case: a small char array accessed through a wider pointer type.
        // a is 2 bytes; b[1] begins at byte offset sizeof(int), which lies
        // beyond those 2 bytes, so the store must be reported.
     48   char a[2];
     49   int *b = (int*)a;
     50   b[1] = 3; // expected-warning{{out-of-bound}}
     51 }
     52 
     53 void f7() {
        // Case: out-of-bounds index on an array that is a struct member.
        // a.c has 3 elements (valid indices 0..2); index 3 is one past the end.
     54   struct three_words a;
     55   a.c[3] = 1; // expected-warning{{out-of-bound}}
     56 }
     57 
     58 void vla(int a) {
        // Case: variable-length array whose extent is known only through a path
        // constraint. Inside the branch a is 5, so x has 5 elements: index 4 is
        // the last valid one and index 5 is past the end.
     59   if (a == 5) {
     60     int x[a];
     61     x[4] = 4; // no-warning
     62     x[5] = 5; // expected-warning{{out-of-bound}}
     63   }
     64 }
     65 
     66 void sizeof_vla(int a) {
        // Case: array extent computed from sizeof applied to a VLA.
        // With a == 5, x is 5 chars, so sizeof(x) is 5 and y has 5 ints:
        // index 4 is the last valid element, index 5 is past the end.
     67   if (a == 5) {
     68     char x[a];
     69     int y[sizeof(x)];
     70     y[4] = 4; // no-warning
     71     y[5] = 5; // expected-warning{{out-of-bound}}
     72   }
     73 }
     74 
     75 void alloca_region(int a) {
        // Case: stack region obtained from __builtin_alloca with a size fixed by
        // the branch condition. With a == 5 the region is 5 bytes: char index 4
        // is the last valid byte, index 5 is past the end.
     76   if (a == 5) {
     77     char *x = __builtin_alloca(a);
     78     x[4] = 4; // no-warning
     79     x[5] = 5; // expected-warning{{out-of-bound}}
     80   }
     81 }
     82 
     83 int symbolic_index(int a) {
        // Case: index is a parameter rather than a literal; the upper bound is
        // violated. x has valid indices 0..1, and on the a == 2 path the read
        // x[a] is one element past the end. Every other path returns 0 without
        // touching x.
     84   int x[2] = {1, 2};
     85   if (a == 2) {
     86     return x[a]; // expected-warning{{out-of-bound}}
     87   }
     88   return 0;
     89 }
     90 
     91 int symbolic_index2(int a) {
        // Case: index is a parameter; the lower bound is violated. On the a < 0
        // path the read x[a] addresses memory before the start of x, so a
        // negative index must be reported just like one past the end. Every
        // other path returns 0 without touching x.
     92   int x[2] = {1, 2};
     93   if (a < 0) {
     94     return x[a]; // expected-warning{{out-of-bound}}
     95   }
     96   return 0;
     97 }
     98