// RUN: %clang_analyze_cc1 -Wno-array-bounds -analyzer-store=region -verify %s \
// RUN:   -analyzer-checker=core \
// RUN:   -analyzer-checker=unix \
// RUN:   -analyzer-checker=alpha.security.ArrayBound \
// RUN:   -analyzer-config unix.DynamicMemoryModeling:Optimistic=true

// This file includes no headers, so size_t and the allocator prototypes
// used by the cases below are declared by hand.
typedef __typeof(sizeof(int)) size_t;
void *malloc(size_t);
void *calloc(size_t, size_t);

// String literal case: "abcd" occupies five bytes (four characters plus the
// terminating NUL), so index 4 is the last valid element and index 5 is one
// past the end (an out-of-bounds read).
char f1() {
  char* s = "abcd";
  // Reads the NUL terminator, which is still inside the literal.
  char c = s[4]; // no-warning
  return s[5] + c; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
}

// Heap case: a 12-byte allocation accessed as an int array. The flagged
// write to p[3] presumes sizeof(int) == 4, i.e. room for p[0]..p[2] only --
// NOTE(review): confirm the target triple the test runs with.
void f2() {
  int *p = malloc(12);
  p[3] = 4; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
}

// Aggregate holding three ints; used below both as a whole-struct element
// type (f3, f4) and for a direct member-array index (f7).
struct three_words {
  int c[3];
};

// Aggregate holding seven ints; f4 reinterprets its storage as an array of
// struct three_words to exercise a partially overlapping last element.
struct seven_words {
  int c[7];
};

// Pointer to a single stack object: p refers to exactly one
// struct three_words, so p[0] is the object itself and p[1] is a
// whole-struct write past it.
void f3() {
  struct three_words a, *p;
  p = &a;
  p[0] = a; // no-warning
  p[1] = a; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
}

// Cast case: a seven-int object viewed as an array of three-int structs.
// p[0] and p[1] cover ints 0..5 and fit; p[2] would cover ints 6..8, so it
// starts inside the object but extends past its end. The bound therefore
// has to be checked against the extent of the underlying storage, not just
// the start offset of the element.
void f4() {
  struct seven_words c;
  struct three_words a, *p = (struct three_words *)&c;
  p[0] = a; // no-warning
  p[1] = a; // no-warning
  p[2] = a; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
}

// calloc case: the extent is the product of both arguments (2 * 2 = 4
// bytes), so index 3 is the last valid byte and index 4 is one past the end.
void f5() {
  char *p = calloc(2,2);
  p[3] = '.'; // no-warning
  p[4] = '!'; // expected-warning{{out-of-bound}}
}

// Element-size mismatch: a two-byte char array accessed through an int
// pointer. b[1] begins at byte offset sizeof(int), which is beyond the two
// bytes that a provides.
void f6() {
  char a[2];
  int *b = (int*)a;
  b[1] = 3; // expected-warning{{out-of-bound}}
}

// Member-array case: c has three elements (indices 0..2), so a.c[3] writes
// one element past the array inside the struct.
void f7() {
  struct three_words a;
  a.c[3] = 1; // expected-warning{{out-of-bound}}
}

// Variable-length array case: the size is a run-time value, but the
// enclosing branch pins a to 5, so x has exactly five elements on this path.
void vla(int a) {
  if (a == 5) {
    int x[a];
    x[4] = 4; // no-warning
    x[5] = 5; // expected-warning{{out-of-bound}}
  }
}

// alloca case: same shape as vla(), but the five bytes come from
// __builtin_alloca with the size constrained to 5 by the branch condition.
void alloca_region(int a) {
  if (a == 5) {
    char *x = __builtin_alloca(a);
    x[4] = 4; // no-warning
    x[5] = 5; // expected-warning{{out-of-bound}}
  }
}

// Symbolic index, upper bound: the index is a parameter rather than a
// literal, and the guard a == 2 fixes it to one past the last element of
// the two-element array on the path that performs the read.
int symbolic_index(int a) {
  int x[2] = {1, 2};
  if (a == 2) {
    return x[a]; // expected-warning{{out-of-bound}}
  }
  return 0;
}

// Symbolic index, lower bound: inside the a < 0 branch every possible value
// of the index is negative, so the read lands before the start of x.
int symbolic_index2(int a) {
  int x[2] = {1, 2};
  if (a < 0) {
    return x[a]; // expected-warning{{out-of-bound}}
  }
  return 0;
}

// Unrolled binary-search-style lookup whose index can step off the end of
// the table. ins has 31 entries (valid indices 0..30). The index starts at
// 16 and moves by 8, 4, 2, then 1; taking the increasing branch every time
// yields 24, 28, 30, 31, so the final comparison can read ins[31]. The range
// guard rejects only in > 1e23 while the largest table entry is 1e22, so
// inputs at or above 1e22 follow that path.
int overflow_binary_search(double in) {
  int eee = 16;
  if (in < 1e-8 || in > 1e23) {
    return 0;
  } else {
    static const double ins[] = {1e-8, 1e-7, 1e-6, 1e-5, 1e-4, 1e-3, 1e-2, 1e-1,
                                 1e0, 1e1, 1e2, 1e3, 1e4, 1e5, 1e6, 1e7,
                                 1e8, 1e9, 1e10, 1e11, 1e12, 1e13, 1e14, 1e15,
                                 1e16, 1e17, 1e18, 1e19, 1e20, 1e21, 1e22};
    // Step of 8: index becomes 8 or 24.
    if (in < ins[eee]) {
      eee -= 8;
    } else {
      eee += 8;
    }
    // Step of 4: index is at most 28.
    if (in < ins[eee]) {
      eee -= 4;
    } else {
      eee += 4;
    }
    // Step of 2: index is at most 30, the last valid slot.
    if (in < ins[eee]) {
      eee -= 2;
    } else {
      eee += 2;
    }
    // Step of 1: index can now reach 31, one past the table.
    if (in < ins[eee]) {
      eee -= 1;
    } else {
      eee += 1;
    }
    // This is the only access in the function that can use index 31.
    if (in < ins[eee]) { // expected-warning {{Access out-of-bound array element (buffer overflow)}}
      eee -= 1;
    }
  }
  return eee;
}