caio/clang-p2996
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a96480ebc187e4e3722b7cdfd582fe3441211b13
clang-p2996/clang/test/Analysis/bstring.c
Erik Pilkington b6e16ea006 [Sema] Add some compile time _FORTIFY_SOURCE diagnostics 
These diagnose overflowing calls to subset of fortifiable functions. Some
functions, like sprintf or strcpy aren't supported right not, but we should
probably support these in the future. We previously supported this kind of
functionality with -Wbuiltin-memcpy-chk-size, but that diagnostic doesn't work
with _FORTIFY implementations that use wrapper functions. Also unlike that
diagnostic, we emit these warnings regardless of whether _FORTIFY_SOURCE is
actually enabled, which is nice for programs that don't enable the runtime
checks.

Why not just use diagnose_if, like Bionic does? We can get better diagnostics in
the compiler (i.e. mention the sizes), and we have the potential to diagnose
sprintf and strcpy which is impossible with diagnose_if (at least, in languages
that don't support C++14 constexpr). This approach also saves standard libraries
from having to add diagnose_if.

rdar://48006655

Differential revision: https://reviews.llvm.org/D58797

llvm-svn: 356397
2019-03-18 19:23:45 +00:00

494 lines
13 KiB
C
Raw Blame History

// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix.cstring,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -verify -analyzer-config eagerly-assume=false %s
// RUN: %clang_analyze_cc1 -DUSE_BUILTINS -analyzer-checker=core,unix.cstring,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -verify -analyzer-config eagerly-assume=false %s
// RUN: %clang_analyze_cc1 -DVARIANT -analyzer-checker=core,unix.cstring,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -verify -analyzer-config eagerly-assume=false %s
// RUN: %clang_analyze_cc1 -DUSE_BUILTINS -DVARIANT -analyzer-checker=core,unix.cstring,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -verify -analyzer-config eagerly-assume=false %s
//===----------------------------------------------------------------------===
// Declarations
//===----------------------------------------------------------------------===
// Some functions are so similar to each other that they follow the same code
// path, such as memcpy and __memcpy_chk, or memcmp and bcmp. If VARIANT is
// defined, make sure to use the variants instead to make sure they are still
// checked by the analyzer.
// Some functions are implemented as builtins. These should be #defined as
// BUILTIN(f), which will prepend "__builtin_" if USE_BUILTINS is defined.
// Functions that have variants and are also available as builtins should be
// declared carefully! See memcpy() for an example.
#ifdef USE_BUILTINS
# define BUILTIN(f) __builtin_ ## f
#else /* USE_BUILTINS */
# define BUILTIN(f) f
#endif /* USE_BUILTINS */
typedef typeof(sizeof(int)) size_t;
void clang_analyzer_eval(int);
//===----------------------------------------------------------------------===
// memcpy()
//===----------------------------------------------------------------------===
#ifdef VARIANT
#define __memcpy_chk BUILTIN(__memcpy_chk)
void *__memcpy_chk(void *restrict s1, const void *restrict s2, size_t n,
size_t destlen);
#define memcpy(a,b,c) __memcpy_chk(a,b,c,(size_t)-1)
#else /* VARIANT */
#define memcpy BUILTIN(memcpy)
void *memcpy(void *restrict s1, const void *restrict s2, size_t n);
#endif /* VARIANT */
void memcpy0 () {
char src[] = {1, 2, 3, 4};
char dst[4] = {0};
memcpy(dst, src, 4); // no-warning
clang_analyzer_eval(memcpy(dst, src, 4) == dst); // expected-warning{{TRUE}}
// If we actually model the copy, we can make this known.
// The important thing for now is that the old value has been invalidated.
clang_analyzer_eval(dst[0] != 0); // expected-warning{{UNKNOWN}}
}
void memcpy1 () {
char src[] = {1, 2, 3, 4};
char dst[10];
memcpy(dst, src, 5); // expected-warning{{Memory copy function accesses out-of-bound array element}}
}
void memcpy2 () {
char src[] = {1, 2, 3, 4};
char dst[1];
memcpy(dst, src, 4); // expected-warning{{Memory copy function overflows destination buffer}}
#ifndef VARIANT
// expected-warning@-2{{memcpy' will always overflow; destination buffer has size 1, but size argument is 4}}
#endif
}
void memcpy3 () {
char src[] = {1, 2, 3, 4};
char dst[3];
memcpy(dst+1, src+2, 2); // no-warning
}
void memcpy4 () {
char src[] = {1, 2, 3, 4};
char dst[10];
memcpy(dst+2, src+2, 3); // expected-warning{{Memory copy function accesses out-of-bound array element}}
}
void memcpy5() {
char src[] = {1, 2, 3, 4};
char dst[3];
memcpy(dst+2, src+2, 2); // expected-warning{{Memory copy function overflows destination buffer}}
#ifndef VARIANT
// expected-warning@-2{{memcpy' will always overflow; destination buffer has size 1, but size argument is 2}}
#endif
}
void memcpy6() {
int a[4] = {0};
memcpy(a, a, 8); // expected-warning{{overlapping}}
}
void memcpy7() {
int a[4] = {0};
memcpy(a+2, a+1, 8); // expected-warning{{overlapping}}
}
void memcpy8() {
int a[4] = {0};
memcpy(a+1, a+2, 8); // expected-warning{{overlapping}}
}
void memcpy9() {
int a[4] = {0};
memcpy(a+2, a+1, 4); // no-warning
memcpy(a+1, a+2, 4); // no-warning
}
void memcpy10() {
char a[4] = {0};
memcpy(0, a, 4); // expected-warning{{Null pointer argument in call to memory copy function}}
}
void memcpy11() {
char a[4] = {0};
memcpy(a, 0, 4); // expected-warning{{Null pointer argument in call to memory copy function}}
}
void memcpy12() {
char a[4] = {0};
memcpy(0, a, 0); // no-warning
}
void memcpy13() {
char a[4] = {0};
memcpy(a, 0, 0); // no-warning
}
void memcpy_unknown_size (size_t n) {
char a[4], b[4] = {1};
clang_analyzer_eval(memcpy(a, b, n) == a); // expected-warning{{TRUE}}
}
void memcpy_unknown_size_warn (size_t n) {
char a[4];
void *result = memcpy(a, 0, n); // expected-warning{{Null pointer argument in call to memory copy function}}
clang_analyzer_eval(result == a); // no-warning (above is fatal)
}
//===----------------------------------------------------------------------===
// mempcpy()
//===----------------------------------------------------------------------===
#ifdef VARIANT
#define __mempcpy_chk BUILTIN(__mempcpy_chk)
void *__mempcpy_chk(void *restrict s1, const void *restrict s2, size_t n,
size_t destlen);
#define mempcpy(a,b,c) __mempcpy_chk(a,b,c,(size_t)-1)
#else /* VARIANT */
#define mempcpy BUILTIN(mempcpy)
void *mempcpy(void *restrict s1, const void *restrict s2, size_t n);
#endif /* VARIANT */
void mempcpy0 () {
char src[] = {1, 2, 3, 4};
char dst[5] = {0};
mempcpy(dst, src, 4); // no-warning
clang_analyzer_eval(mempcpy(dst, src, 4) == &dst[4]); // expected-warning{{TRUE}}
// If we actually model the copy, we can make this known.
// The important thing for now is that the old value has been invalidated.
clang_analyzer_eval(dst[0] != 0); // expected-warning{{UNKNOWN}}
}
void mempcpy1 () {
char src[] = {1, 2, 3, 4};
char dst[10];
mempcpy(dst, src, 5); // expected-warning{{Memory copy function accesses out-of-bound array element}}
}
void mempcpy2 () {
char src[] = {1, 2, 3, 4};
char dst[1];
mempcpy(dst, src, 4); // expected-warning{{Memory copy function overflows destination buffer}}
}
void mempcpy3 () {
char src[] = {1, 2, 3, 4};
char dst[3];
mempcpy(dst+1, src+2, 2); // no-warning
}
void mempcpy4 () {
char src[] = {1, 2, 3, 4};
char dst[10];
mempcpy(dst+2, src+2, 3); // expected-warning{{Memory copy function accesses out-of-bound array element}}
}
void mempcpy5() {
char src[] = {1, 2, 3, 4};
char dst[3];
mempcpy(dst+2, src+2, 2); // expected-warning{{Memory copy function overflows destination buffer}}
}
void mempcpy6() {
int a[4] = {0};
mempcpy(a, a, 8); // expected-warning{{overlapping}}
}
void mempcpy7() {
int a[4] = {0};
mempcpy(a+2, a+1, 8); // expected-warning{{overlapping}}
}
void mempcpy8() {
int a[4] = {0};
mempcpy(a+1, a+2, 8); // expected-warning{{overlapping}}
}
void mempcpy9() {
int a[4] = {0};
mempcpy(a+2, a+1, 4); // no-warning
mempcpy(a+1, a+2, 4); // no-warning
}
void mempcpy10() {
char a[4] = {0};
mempcpy(0, a, 4); // expected-warning{{Null pointer argument in call to memory copy function}}
}
void mempcpy11() {
char a[4] = {0};
mempcpy(a, 0, 4); // expected-warning{{Null pointer argument in call to memory copy function}}
}
void mempcpy12() {
char a[4] = {0};
mempcpy(0, a, 0); // no-warning
}
void mempcpy13() {
char a[4] = {0};
mempcpy(a, 0, 0); // no-warning
}
void mempcpy14() {
int src[] = {1, 2, 3, 4};
int dst[5] = {0};
int *p;
p = mempcpy(dst, src, 4 * sizeof(int));
clang_analyzer_eval(p == &dst[4]); // expected-warning{{TRUE}}
}
struct st {
int i;
int j;
};
void mempcpy15() {
struct st s1 = {0};
struct st s2;
struct st *p1;
struct st *p2;
p1 = (&s2) + 1;
p2 = mempcpy(&s2, &s1, sizeof(struct st));
clang_analyzer_eval(p1 == p2); // expected-warning{{TRUE}}
}
void mempcpy16() {
struct st s1[10] = {{0}};
struct st s2[10];
struct st *p1;
struct st *p2;
p1 = (&s2[0]) + 5;
p2 = mempcpy(&s2[0], &s1[0], 5 * sizeof(struct st));
clang_analyzer_eval(p1 == p2); // expected-warning{{TRUE}}
}
void mempcpy_unknown_size_warn (size_t n) {
char a[4];
void *result = mempcpy(a, 0, n); // expected-warning{{Null pointer argument in call to memory copy function}}
clang_analyzer_eval(result == a); // no-warning (above is fatal)
}
void mempcpy_unknownable_size (char *src, float n) {
char a[4];
// This used to crash because we don't model floats.
mempcpy(a, src, (size_t)n);
}
//===----------------------------------------------------------------------===
// memmove()
//===----------------------------------------------------------------------===
#ifdef VARIANT
#define __memmove_chk BUILTIN(__memmove_chk)
void *__memmove_chk(void *s1, const void *s2, size_t n, size_t destlen);
#define memmove(a,b,c) __memmove_chk(a,b,c,(size_t)-1)
#else /* VARIANT */
#define memmove BUILTIN(memmove)
void *memmove(void *s1, const void *s2, size_t n);
#endif /* VARIANT */
void memmove0 () {
char src[] = {1, 2, 3, 4};
char dst[4] = {0};
memmove(dst, src, 4); // no-warning
clang_analyzer_eval(memmove(dst, src, 4) == dst); // expected-warning{{TRUE}}
// If we actually model the copy, we can make this known.
// The important thing for now is that the old value has been invalidated.
clang_analyzer_eval(dst[0] != 0); // expected-warning{{UNKNOWN}}
}
void memmove1 () {
char src[] = {1, 2, 3, 4};
char dst[10];
memmove(dst, src, 5); // expected-warning{{out-of-bound}}
}
void memmove2 () {
char src[] = {1, 2, 3, 4};
char dst[1];
memmove(dst, src, 4); // expected-warning{{Memory copy function overflows destination buffer}}
#ifndef VARIANT
// expected-warning@-2{{memmove' will always overflow; destination buffer has size 1, but size argument is 4}}
#endif
}
//===----------------------------------------------------------------------===
// memcmp()
//===----------------------------------------------------------------------===
#ifdef VARIANT
#define bcmp BUILTIN(bcmp)
int bcmp(const void *s1, const void *s2, size_t n);
#define memcmp bcmp
//
#else /* VARIANT */
#define memcmp BUILTIN(memcmp)
int memcmp(const void *s1, const void *s2, size_t n);
#endif /* VARIANT */
void memcmp0 () {
char a[] = {1, 2, 3, 4};
char b[4] = { 0 };
memcmp(a, b, 4); // no-warning
}
void memcmp1 () {
char a[] = {1, 2, 3, 4};
char b[10] = { 0 };
memcmp(a, b, 5); // expected-warning{{out-of-bound}}
}
void memcmp2 () {
char a[] = {1, 2, 3, 4};
char b[1] = { 0 };
memcmp(a, b, 4); // expected-warning{{out-of-bound}}
}
void memcmp3 () {
char a[] = {1, 2, 3, 4};
clang_analyzer_eval(memcmp(a, a, 4) == 0); // expected-warning{{TRUE}}
}
void memcmp4 (char *input) {
char a[] = {1, 2, 3, 4};
clang_analyzer_eval(memcmp(a, input, 4) == 0); // expected-warning{{UNKNOWN}}
}
void memcmp5 (char *input) {
char a[] = {1, 2, 3, 4};
clang_analyzer_eval(memcmp(a, 0, 0) == 0); // expected-warning{{TRUE}}
clang_analyzer_eval(memcmp(0, a, 0) == 0); // expected-warning{{TRUE}}
clang_analyzer_eval(memcmp(a, input, 0) == 0); // expected-warning{{TRUE}}
}
void memcmp6 (char *a, char *b, size_t n) {
int result = memcmp(a, b, n);
if (result != 0)
clang_analyzer_eval(n != 0); // expected-warning{{TRUE}}
// else
// analyzer_assert_unknown(n == 0);
// We can't do the above comparison because n has already been constrained.
// On one path n == 0, on the other n != 0.
}
int memcmp7 (char *a, size_t x, size_t y, size_t n) {
// We used to crash when either of the arguments was unknown.
return memcmp(a, &a[x*y], n) +
memcmp(&a[x*y], a, n);
}
//===----------------------------------------------------------------------===
// bcopy()
//===----------------------------------------------------------------------===
#define bcopy BUILTIN(bcopy)
// __builtin_bcopy is not defined with const in Builtins.def.
void bcopy(/*const*/ void *s1, void *s2, size_t n);
void bcopy0 () {
char src[] = {1, 2, 3, 4};
char dst[4] = {0};
bcopy(src, dst, 4); // no-warning
// If we actually model the copy, we can make this known.
// The important thing for now is that the old value has been invalidated.
clang_analyzer_eval(dst[0] != 0); // expected-warning{{UNKNOWN}}
}
void bcopy1 () {
char src[] = {1, 2, 3, 4};
char dst[10];
bcopy(src, dst, 5); // expected-warning{{out-of-bound}}
}
void bcopy2 () {
char src[] = {1, 2, 3, 4};
char dst[1];
bcopy(src, dst, 4); // expected-warning{{overflow}}
}
void *malloc(size_t);
void free(void *);
char radar_11125445_memcopythenlogfirstbyte(const char *input, size_t length) {
char *bytes = malloc(sizeof(char) * (length + 1));
memcpy(bytes, input, length);
char x = bytes[0]; // no warning
free(bytes);
return x;
}
struct S {
char f;
};
void nocrash_on_locint_offset(void *addr, void* from, struct S s) {
int iAdd = (int) addr;
memcpy(((void *) &(s.f)), from, iAdd);
}
Reference in New Issue View Git Blame Copy Permalink