Home | History | Annotate | Download | only in Analysis
      1 // RUN: %clang_cc1 -Wno-array-bounds -analyze -analyzer-checker=core,experimental.security.ArrayBoundV2 -verify %s
      2 
      3 // Tests doing an out-of-bounds access after the end of an array using:
      4 // - constant integer index
      5 // - constant integer size for buffer
      6 void test1(int x) {
      7   int buf[100];
      8   buf[100] = 1; // expected-warning{{Out of bound memory access}}
      9 }
     10 
     11 void test1_ok(int x) {
     12   int buf[100];
     13   buf[99] = 1; // no-warning
     14 }
     15 
     16 const char test1_strings_underrun(int x) {
     17   const char *mystr = "mary had a little lamb";
     18   return mystr[-1]; // expected-warning{{Out of bound memory access}}
     19 }
     20 
     21 const char test1_strings_overrun(int x) {
     22   const char *mystr = "mary had a little lamb";
     23   return mystr[1000];  // expected-warning{{Out of bound memory access}}
     24 }
     25 
     26 const char test1_strings_ok(int x) {
     27   const char *mystr = "mary had a little lamb";
     28   return mystr[5]; // no-warning
     29 }
     30 
     31 // Tests doing an out-of-bounds access after the end of an array using:
     32 // - indirect pointer to buffer
     33 // - constant integer index
     34 // - constant integer size for buffer
     35 void test1_ptr(int x) {
     36   int buf[100];
     37   int *p = buf;
     38   p[101] = 1; // expected-warning{{Out of bound memory access}}
     39 }
     40 
     41 void test1_ptr_ok(int x) {
     42   int buf[100];
     43   int *p = buf;
     44   p[99] = 1; // no-warning
     45 }
     46 
     47 // Tests doing an out-of-bounds access before the start of an array using:
     48 // - indirect pointer to buffer, manipulated using simple pointer arithmetic
     49 // - constant integer index
     50 // - constant integer size for buffer
     51 void test1_ptr_arith(int x) {
     52   int buf[100];
     53   int *p = buf;
     54   p = p + 100;
     55   p[0] = 1; // expected-warning{{Out of bound memory access}}
     56 }
     57 
     58 void test1_ptr_arith_ok(int x) {
     59   int buf[100];
     60   int *p = buf;
     61   p = p + 99;
     62   p[0] = 1; // no-warning
     63 }
     64 
     65 void test1_ptr_arith_bad(int x) {
     66   int buf[100];
     67   int *p = buf;
     68   p = p + 99;
     69   p[1] = 1; // expected-warning{{Out of bound memory access}}
     70 }
     71 
     72 void test1_ptr_arith_ok2(int x) {
     73   int buf[100];
     74   int *p = buf;
     75   p = p + 99;
     76   p[-1] = 1; // no-warning
     77 }
     78 
     79 // Tests doing an out-of-bounds access before the start of an array using:
     80 // - constant integer index
     81 // - constant integer size for buffer
     82 void test2(int x) {
     83   int buf[100];
     84   buf[-1] = 1; // expected-warning{{Out of bound memory access}}
     85 }
     86 
     87 // Tests doing an out-of-bounds access before the start of an array using:
     88 // - indirect pointer to buffer
     89 // - constant integer index
     90 // - constant integer size for buffer
     91 void test2_ptr(int x) {
     92   int buf[100];
     93   int *p = buf;
     94   p[-1] = 1; // expected-warning{{Out of bound memory access}}
     95 }
     96 
     97 // Tests doing an out-of-bounds access before the start of an array using:
     98 // - indirect pointer to buffer, manipulated using simple pointer arithmetic
     99 // - constant integer index
    100 // - constant integer size for buffer
    101 void test2_ptr_arith(int x) {
    102   int buf[100];
    103   int *p = buf;
    104   --p;
    105   p[0] = 1; // expected-warning {{Out of bound memory access (accessed memory precedes memory block)}}
    106 }
    107 
    108 // Tests doing an out-of-bounds access before the start of a multi-dimensional
    109 // array using:
    110 // - constant integer indices
    111 // - constant integer sizes for the array
    112 void test2_multi(int x) {
    113   int buf[100][100];
    114   buf[0][-1] = 1; // expected-warning{{Out of bound memory access}}
    115 }
    116 
    117 // Tests doing an out-of-bounds access before the start of a multi-dimensional
    118 // array using:
    119 // - constant integer indices
    120 // - constant integer sizes for the array
    121 void test2_multi_b(int x) {
    122   int buf[100][100];
    123   buf[-1][0] = 1; // expected-warning{{Out of bound memory access}}
    124 }
    125 
    126 void test2_multi_ok(int x) {
    127   int buf[100][100];
    128   buf[0][0] = 1; // no-warning
    129 }
    130 
    131 // Testing if solver handles (symbol * constant) < constant
    132 void test3(int x) {
    133   int buf[100];
    134   if (x < 0)
    135     buf[x] = 1; // expected-warning {{Out of bound memory access (accessed memory precedes memory block)}}
    136 }
    137 
    138 // *** FIXME ***
    139 // We don't get a warning here yet because our symbolic constraint solving
    140 // doesn't handle:  (symbol * constant) < constant
    141 void test4(int x) {
    142   int buf[100];
    143   if (x > 99)
    144     buf[x] = 1;
    145 }
    146 
    147 // Don't warn when indexing below the start of a symbolic region's whose
    148 // base extent we don't know.
    149 int *get_symbolic();
    150 void test_index_below_symboloc() {
    151   int *buf = get_symbolic();
    152   buf[-1] = 0; // no-warning;
    153 }
    154 
    155