// RUN: %clang_cc1 -Wno-array-bounds -analyze -analyzer-checker=core,unix,alpha.security.ArrayBound -analyzer-store=region -verify -analyzer-config unix:Optimistic=true %s

// Regression cases for the static analyzer's alpha.security.ArrayBound
// checker. Each function touches a region at its last valid index and/or
// just outside it. Statements the checker must report carry a -verify
// directive in their trailing comment; in-bounds statements are marked
// "no-warning".
//
// The out-of-bounds accesses are deliberate test inputs, not bugs to fix.
// A directive has to stay on the same line as the statement it describes,
// because -verify matches each diagnostic against the directive's line.
// NOTE(review): -Wno-array-bounds presumably keeps the compiler's own
// array-bounds warning out of the verified output, so that only analyzer
// reports are checked - confirm.

// Local declarations instead of system headers, so the test is self-contained.
typedef __typeof(sizeof(int)) size_t;
void *malloc(size_t);
void *calloc(size_t, size_t);

// String literal: "abcd" occupies 5 bytes including the terminating NUL, so
// index 4 reads the terminator (in bounds) and index 5 is one past the end.
char f1() {
  char* s = "abcd";
  char c = s[4]; // no-warning
  return s[5] + c; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
}

// Heap region with a byte extent, indexed through a wider element type:
// the allocation is 12 bytes, and p[3] starts at byte 3 * sizeof(int).
// NOTE(review): the flagged access assumes a 4-byte int on the test target.
void f2() {
  int *p = malloc(12);
  p[3] = 4; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
}

// Aggregates of 3 and 7 ints, used below to check that the index is scaled
// by the element size when a pointer to a struct is subscripted.
struct three_words {
  int c[3];
};

struct seven_words {
  int c[7];
};

// Pointer to a single struct object: p[0] is the object itself, p[1] is the
// storage immediately after it.
void f3() {
  struct three_words a, *p;
  p = &a;
  p[0] = a; // no-warning
  p[1] = a; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
}

// Region reinterpreted with a smaller element type: c holds 7 ints. Viewed as
// three_words elements, p[0] and p[1] cover ints 0-5 and fit; p[2] would
// cover ints 6-8 and runs past the end of c.
void f4() {
  struct seven_words c;
  struct three_words a, *p = (struct three_words *)&c;
  p[0] = a; // no-warning
  p[1] = a; // no-warning
  p[2] = a; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
}

// calloc extent is the product of its arguments: 2 * 2 = 4 bytes, so index 3
// is the last valid byte and index 4 is one past the end.
void f5() {
  char *p = calloc(2,2);
  p[3] = '.'; // no-warning
  p[4] = '!'; // expected-warning{{out-of-bound}}
}

// Small array reinterpreted with a larger element type: a is 2 bytes, and
// through an int pointer b[1] starts sizeof(int) bytes in, past the end of a.
void f6() {
  char a[2];
  int *b = (int*)a;
  b[1] = 3; // expected-warning{{out-of-bound}}
}

// Array that is a struct field: a.c has 3 elements, index 3 is one past.
void f7() {
  struct three_words a;
  a.c[3] = 1; // expected-warning{{out-of-bound}}
}

// Variable-length array: the extent is the symbol a, which is only known to
// be 5 because of the enclosing branch. Index 4 is the last element.
void vla(int a) {
  if (a == 5) {
    int x[a];
    x[4] = 4; // no-warning
    x[5] = 5; // expected-warning{{out-of-bound}}
  }
}

// Same as vla(), but the region comes from __builtin_alloca(a): 5 bytes on
// this path, so byte 4 is valid and byte 5 is not.
void alloca_region(int a) {
  if (a == 5) {
    char *x = __builtin_alloca(a);
    x[4] = 4; // no-warning
    x[5] = 5; // expected-warning{{out-of-bound}}
  }
}

// Fixed-size array with a symbolic index: the branch constrains a to 2,
// which is one past the last element of the 2-element array.
int symbolic_index(int a) {
  int x[2] = {1, 2};
  if (a == 2) {
    return x[a]; // expected-warning{{out-of-bound}}
  }
  return 0;
}

// Lower-bound case: the branch constrains a to be negative, so x[a] reads
// before the start of the array.
int symbolic_index2(int a) {
  int x[2] = {1, 2};
  if (a < 0) {
    return x[a]; // expected-warning{{out-of-bound}}
  }
  return 0;
}

// Unrolled binary search over a 31-entry table (valid indices 0..30).
// eee starts at 16 and moves by 8, 4, 2 and 1. If every comparison takes the
// else branch, eee reaches 16 + 8 + 4 + 2 + 1 = 31 before the final lookup,
// which is one past the end. The range guard admits values up to 1e23 while
// the largest table entry is 1e22, so that path is feasible and only the last
// ins[eee] read is reported.
int overflow_binary_search(double in) {
  int eee = 16;
  if (in < 1e-8 || in > 1e23) {
    return 0;
  } else {
    static const double ins[] = {1e-8, 1e-7, 1e-6, 1e-5, 1e-4, 1e-3, 1e-2, 1e-1,
                                 1e0, 1e1, 1e2, 1e3, 1e4, 1e5, 1e6, 1e7,
                                 1e8, 1e9, 1e10, 1e11, 1e12, 1e13, 1e14, 1e15,
                                 1e16, 1e17, 1e18, 1e19, 1e20, 1e21, 1e22};
    if (in < ins[eee]) {
      eee -= 8;
    } else {
      eee += 8;
    }
    if (in < ins[eee]) {
      eee -= 4;
    } else {
      eee += 4;
    }
    if (in < ins[eee]) {
      eee -= 2;
    } else {
      eee += 2;
    }
    if (in < ins[eee]) {
      eee -= 1;
    } else {
      eee += 1;
    }
    if (in < ins[eee]) { // expected-warning {{Access out-of-bound array element (buffer overflow)}}
      eee -= 1;
    }
  }
  return eee;
}