// RUN: %clang_analyze_cc1 -verify %s \
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=unix.cstring \
// RUN: -analyzer-checker=alpha.unix.cstring \
// RUN: -analyzer-disable-checker=alpha.unix.cstring.UninitializedRead \
// RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-config eagerly-assume=false
//
// RUN: %clang_analyze_cc1 -verify %s -DUSE_BUILTINS \
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=unix.cstring \
// RUN: -analyzer-checker=alpha.unix.cstring \
// RUN: -analyzer-disable-checker=alpha.unix.cstring.UninitializedRead \
// RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-config eagerly-assume=false
//===----------------------------------------------------------------------===
// Declarations
//===----------------------------------------------------------------------===
// Some functions are implemented as builtins. These should be #defined as
// BUILTIN(f), which will prepend "__builtin_" if USE_BUILTINS is defined.
#ifdef USE_BUILTINS
# define BUILTIN(f) __builtin_ ## f
#else /* USE_BUILTINS */
# define BUILTIN(f) f
#endif /* USE_BUILTINS */
typedef __SIZE_TYPE__ size_t;
typedef __WCHAR_TYPE__ wchar_t;
void clang_analyzer_eval(int);
//===----------------------------------------------------------------------===
// wmemcpy()
//===----------------------------------------------------------------------===
#define wmemcpy BUILTIN(wmemcpy)
wchar_t *wmemcpy(wchar_t *restrict s1, const wchar_t *restrict s2, size_t n);
void wmemcpy0 (void) {
wchar_t src[] = {1, 2, 3, 4};
wchar_t dst[4] = {0};
wmemcpy(dst, src, 4); // no-warning
clang_analyzer_eval(wmemcpy(dst, src, 4) == dst); // expected-warning{{TRUE}}
// If we actually model the copy, we can make this known.
// The important thing for now is that the old value has been invalidated.
clang_analyzer_eval(dst[0] != 0); // expected-warning{{UNKNOWN}}
}
void wmemcpy1 (void) {
wchar_t src[] = {1, 2, 3, 4};
wchar_t dst[10];
wmemcpy(dst, src, 5); // expected-warning{{Memory copy function accesses out-of-bound array element}}
}
void wmemcpy2 (void) {
wchar_t src[] = {1, 2, 3, 4};
wchar_t dst[1];
wmemcpy(dst, src, 4); // expected-warning {{Memory copy function overflows the destination buffer}}
}
void wmemcpy3 (void) {
wchar_t src[] = {1, 2, 3, 4};
wchar_t dst[3];
wmemcpy(dst+1, src+2, 2); // no-warning
}
void wmemcpy4 (void) {
wchar_t src[] = {1, 2, 3, 4};
wchar_t dst[10];
wmemcpy(dst+2, src+2, 3); // expected-warning{{Memory copy function accesses out-of-bound array element}}
}
void wmemcpy5(void) {
wchar_t src[] = {1, 2, 3, 4};
wchar_t dst[3];
wmemcpy(dst + 2, src + 2, 2); // expected-warning{{Memory copy function overflows the destination buffer}}
}
void wmemcpy6(void) {
wchar_t a[4] = {0};
wmemcpy(a, a, 2); // expected-warning{{overlapping}}
}
void wmemcpy7(void) {
wchar_t a[4] = {0};
wmemcpy(a+2, a+1, 2); // expected-warning{{overlapping}}
}
void wmemcpy8(void) {
wchar_t a[4] = {0};
wmemcpy(a+1, a+2, 2); // expected-warning{{overlapping}}
}
void wmemcpy9(void) {
wchar_t a[4] = {0};
wmemcpy(a+2, a+1, 1); // no-warning
wmemcpy(a+1, a+2, 1); // no-warning
}
void wmemcpy10(void) {
wchar_t a[4] = {0};
wmemcpy(0, a, 1); // expected-warning{{Null pointer passed as 1st argument to memory copy function}}
}
void wmemcpy11(void) {
wchar_t a[4] = {0};
wmemcpy(a, 0, 1); // expected-warning{{Null pointer passed as 2nd argument to memory copy function}}
}
void wmemcpy12(void) {
wchar_t a[4] = {0};
wmemcpy(0, a, 0); // no-warning
}
void wmemcpy13(void) {
wchar_t a[4] = {0};
wmemcpy(a, 0, 0); // no-warning
}
void wmemcpy_unknown_size (size_t n) {
wchar_t a[4], b[4] = {1};
clang_analyzer_eval(wmemcpy(a, b, n) == a); // expected-warning{{TRUE}}
}
void wmemcpy_unknown_size_warn (size_t n) {
wchar_t a[4];
void *result = wmemcpy(a, 0, n); // expected-warning{{Null pointer passed as 2nd argument to memory copy function}}
clang_analyzer_eval(result == a); // no-warning (above is fatal)
}
//===----------------------------------------------------------------------===
// wmempcpy()
//===----------------------------------------------------------------------===
wchar_t *wmempcpy(wchar_t *restrict s1, const wchar_t *restrict s2, size_t n);
void wmempcpy0 (void) {
wchar_t src[] = {1, 2, 3, 4};
wchar_t dst[5] = {0};
wmempcpy(dst, src, 4); // no-warning
clang_analyzer_eval(wmempcpy(dst, src, 4) == &dst[4]); // expected-warning{{TRUE}}
// If we actually model the copy, we can make this known.
// The important thing for now is that the old value has been invalidated.
clang_analyzer_eval(dst[0] != 0); // expected-warning{{UNKNOWN}}
}
void wmempcpy1 (void) {
wchar_t src[] = {1, 2, 3, 4};
wchar_t dst[10];
wmempcpy(dst, src, 5); // expected-warning{{Memory copy function accesses out-of-bound array element}}
}
void wmempcpy2 (void) {
wchar_t src[] = {1, 2, 3, 4};
wchar_t dst[1];
wmempcpy(dst, src, 4); // expected-warning{{Memory copy function overflows the destination buffer}}
}
void wmempcpy3 (void) {
wchar_t src[] = {1, 2, 3, 4};
wchar_t dst[3];
wmempcpy(dst+1, src+2, 2); // no-warning
}
void wmempcpy4 (void) {
wchar_t src[] = {1, 2, 3, 4};
wchar_t dst[10];
wmempcpy(dst+2, src+2, 3); // expected-warning{{Memory copy function accesses out-of-bound array element}}
}
void wmempcpy5(void) {
wchar_t src[] = {1, 2, 3, 4};
wchar_t dst[3];
wmempcpy(dst + 2, src + 2, 2); // expected-warning{{Memory copy function overflows the destination buffer}}
}
void wmempcpy6(void) {
wchar_t a[4] = {0};
wmempcpy(a, a, 2); // expected-warning{{overlapping}}
}
void wmempcpy7(void) {
wchar_t a[4] = {0};
wmempcpy(a+2, a+1, 2); // expected-warning{{overlapping}}
}
void wmempcpy8(void) {
wchar_t a[4] = {0};
wmempcpy(a+1, a+2, 2); // expected-warning{{overlapping}}
}
void wmempcpy9(void) {
wchar_t a[4] = {0};
wmempcpy(a+2, a+1, 1); // no-warning
wmempcpy(a+1, a+2, 1); // no-warning
}
void wmempcpy10(void) {
wchar_t a[4] = {0};
wmempcpy(0, a, 1); // expected-warning{{Null pointer passed as 1st argument to memory copy function}}
}
void wmempcpy11(void) {
wchar_t a[4] = {0};
wmempcpy(a, 0, 1); // expected-warning{{Null pointer passed as 2nd argument to memory copy function}}
}
void wmempcpy12(void) {
wchar_t a[4] = {0};
wmempcpy(0, a, 0); // no-warning
}
void wmempcpy13(void) {
wchar_t a[4] = {0};
wmempcpy(a, 0, 0); // no-warning
}
void wmempcpy14(void) {
wchar_t src[] = {1, 2, 3, 4};
wchar_t dst[5] = {0};
wchar_t *p;
p = wmempcpy(dst, src, 4);
clang_analyzer_eval(p == &dst[4]); // expected-warning{{TRUE}}
}
struct st {
wchar_t i;
wchar_t j;
};
void wmempcpy15(void) {
struct st s1 = {0};
struct st s2;
struct st *p1;
struct st *p2;
p1 = (&s2) + 1;
p2 = (struct st *)wmempcpy((wchar_t *)&s2, (wchar_t *)&s1, 2);
clang_analyzer_eval(p1 == p2); // expected-warning{{TRUE}}
}
void wmempcpy16(void) {
struct st s1[10] = {{0}};
struct st s2[10];
struct st *p1;
struct st *p2;
p1 = (&s2[0]) + 5;
p2 = (struct st *)wmempcpy((wchar_t *)&s2[0], (wchar_t *)&s1[0], 5 * 2);
clang_analyzer_eval(p1 == p2); // expected-warning{{TRUE}}
}
void wmempcpy_unknown_size_warn (size_t n) {
wchar_t a[4];
void *result = wmempcpy(a, 0, n); // expected-warning{{Null pointer passed as 2nd argument to memory copy function}}
clang_analyzer_eval(result == a); // no-warning (above is fatal)
}
void wmempcpy_unknownable_size (wchar_t *src, float n) {
wchar_t a[4];
// This used to crash because we don't model floats.
wmempcpy(a, src, (size_t)n);
}
//===----------------------------------------------------------------------===
// wmemmove()
//===----------------------------------------------------------------------===
#define wmemmove BUILTIN(wmemmove)
wchar_t *wmemmove(wchar_t *s1, const wchar_t *s2, size_t n);
void wmemmove0 (void) {
wchar_t src[] = {1, 2, 3, 4};
wchar_t dst[4] = {0};
wmemmove(dst, src, 4); // no-warning
clang_analyzer_eval(wmemmove(dst, src, 4) == dst); // expected-warning{{TRUE}}
clang_analyzer_eval(dst[0] != 0); // expected-warning{{UNKNOWN}}
}
void wmemmove1 (void) {
wchar_t src[] = {1, 2, 3, 4};
wchar_t dst[10];
wmemmove(dst, src, 5); // expected-warning{{out-of-bound}}
}
void wmemmove2 (void) {
wchar_t src[] = {1, 2, 3, 4};
wchar_t dst[1];
wmemmove(dst, src, 4); // expected-warning{{Memory copy function overflows the destination buffer}}
}
//===----------------------------------------------------------------------===
// wmemcmp()
//===----------------------------------------------------------------------===
#define wmemcmp BUILTIN(wmemcmp)
int wmemcmp(const wchar_t *s1, const wchar_t *s2, size_t n);
void wmemcmp0 (void) {
wchar_t a[] = {1, 2, 3, 4};
wchar_t b[4] = { 0 };
wmemcmp(a, b, 4); // no-warning
}
void wmemcmp1 (void) {
wchar_t a[] = {1, 2, 3, 4};
wchar_t b[10] = { 0 };
wmemcmp(a, b, 5); // expected-warning{{out-of-bound}}
}
void wmemcmp2 (void) {
wchar_t a[] = {1, 2, 3, 4};
wchar_t b[1] = { 0 };
wmemcmp(a, b, 4); // expected-warning{{out-of-bound}}
}
void wmemcmp3 (void) {
wchar_t a[] = {1, 2, 3, 4};
clang_analyzer_eval(wmemcmp(a, a, 4) == 0); // expected-warning{{TRUE}}
}
void wmemcmp4 (wchar_t *input) {
wchar_t a[] = {1, 2, 3, 4};
clang_analyzer_eval(wmemcmp(a, input, 4) == 0); // expected-warning{{UNKNOWN}}
}
void wmemcmp5 (wchar_t *input) {
wchar_t a[] = {1, 2, 3, 4};
clang_analyzer_eval(wmemcmp(a, 0, 0) == 0); // expected-warning{{TRUE}}
clang_analyzer_eval(wmemcmp(0, a, 0) == 0); // expected-warning{{TRUE}}
clang_analyzer_eval(wmemcmp(a, input, 0) == 0); // expected-warning{{TRUE}}
}
void wmemcmp6 (wchar_t *a, wchar_t *b, size_t n) {
int result = wmemcmp(a, b, n);
if (result != 0)
clang_analyzer_eval(n != 0); // expected-warning{{TRUE}}
// else
// analyzer_assert_unknown(n == 0);
// We can't do the above comparison because n has already been constrained.
// On one path n == 0, on the other n != 0.
}
int wmemcmp7 (wchar_t *a, size_t x, size_t y, size_t n) {
// We used to crash when either of the arguments was unknown.
return wmemcmp(a, &a[x*y], n) +
wmemcmp(&a[x*y], a, n);
}
int wmemcmp8(wchar_t *a, size_t n) {
wchar_t *b = 0;
// Do not warn about the first argument!
return wmemcmp(a, b, n); // expected-warning{{Null pointer passed as 2nd argument to memory comparison function}}
}
//===----------------------------------------------------------------------===
// wcslen()
//===----------------------------------------------------------------------===
#define wcslen BUILTIN(wcslen)
size_t wcslen(const wchar_t *s);
void wcslen_constant0(void) {
clang_analyzer_eval(wcslen(L"123") == 3); // expected-warning{{TRUE}}
}
void wcslen_constant1(void) {
const wchar_t *a = L"123";
clang_analyzer_eval(wcslen(a) == 3); // expected-warning{{TRUE}}
}
void wcslen_constant2(wchar_t x) {
wchar_t a[] = L"123";
clang_analyzer_eval(wcslen(a) == 3); // expected-warning{{TRUE}}
a[0] = x;
clang_analyzer_eval(wcslen(a) == 3); // expected-warning{{UNKNOWN}}
}
size_t wcslen_null(void) {
return wcslen(0); // expected-warning{{Null pointer passed as 1st argument to string length function}}
}
size_t wcslen_fn(void) {
return wcslen((wchar_t*)&wcslen_fn); // expected-warning{{Argument to string length function is the address of the function 'wcslen_fn', which is not a null-terminated string}}
}
size_t wcslen_nonloc(void) {
label:
return wcslen((wchar_t*)&&label); // expected-warning{{Argument to string length function is the address of the label 'label', which is not a null-terminated string}}
}
void wcslen_subregion(void) {
struct two_strings { wchar_t a[2], b[2]; };
extern void use_two_strings(struct two_strings *);
struct two_strings z;
use_two_strings(&z);
size_t a = wcslen(z.a);
z.b[0] = 5;
size_t b = wcslen(z.a);
if (a == 0)
clang_analyzer_eval(b == 0); // expected-warning{{TRUE}}
use_two_strings(&z);
size_t c = wcslen(z.a);
if (a == 0)
clang_analyzer_eval(c == 0); // expected-warning{{UNKNOWN}}
}
extern void use_string(wchar_t *);
void wcslen_argument(wchar_t *x) {
size_t a = wcslen(x);
size_t b = wcslen(x);
if (a == 0)
clang_analyzer_eval(b == 0); // expected-warning{{TRUE}}
use_string(x);
size_t c = wcslen(x);
if (a == 0)
clang_analyzer_eval(c == 0); // expected-warning{{UNKNOWN}}
}
extern wchar_t global_str[];
void wcslen_global(void) {
size_t a = wcslen(global_str);
size_t b = wcslen(global_str);
if (a == 0) {
clang_analyzer_eval(b == 0); // expected-warning{{TRUE}}
// Make sure clang_analyzer_eval does not invalidate globals.
clang_analyzer_eval(wcslen(global_str) == 0); // expected-warning{{TRUE}}
}
// Call a function with unknown effects, which should invalidate globals.
use_string(0);
size_t c = wcslen(global_str);
if (a == 0)
clang_analyzer_eval(c == 0); // expected-warning{{UNKNOWN}}
}
void wcslen_indirect(wchar_t *x) {
size_t a = wcslen(x);
wchar_t *p = x;
wchar_t **p2 = &p;
size_t b = wcslen(x);
if (a == 0)
clang_analyzer_eval(b == 0); // expected-warning{{TRUE}}
extern void use_string_ptr(wchar_t*const*);
use_string_ptr(p2);
size_t c = wcslen(x);
if (a == 0)
clang_analyzer_eval(c == 0); // expected-warning{{UNKNOWN}}
}
void wcslen_indirect2(wchar_t *x) {
size_t a = wcslen(x);
wchar_t *p = x;
wchar_t **p2 = &p;
extern void use_string_ptr2(wchar_t**);
use_string_ptr2(p2);
size_t c = wcslen(x);
if (a == 0)
clang_analyzer_eval(c == 0); // expected-warning{{UNKNOWN}}
}
void wcslen_liveness(const wchar_t *x) {
if (wcslen(x) < 5)
return;
clang_analyzer_eval(wcslen(x) < 5); // expected-warning{{FALSE}}
}
size_t wcslenWrapper(const wchar_t *str) {
return wcslen(str);
}
extern void invalidate(wchar_t *s);
void testwcslenCallee(void) {
wchar_t str[42];
invalidate(str);
size_t lenBefore = wcslenWrapper(str);
invalidate(str);
size_t lenAfter = wcslenWrapper(str);
clang_analyzer_eval(lenBefore == lenAfter); // expected-warning{{UNKNOWN}}
}
//===----------------------------------------------------------------------===
// wcsnlen()
//===----------------------------------------------------------------------===
size_t wcsnlen(const wchar_t *s, size_t maxlen);
void wcsnlen_constant0(void) {
clang_analyzer_eval(wcsnlen(L"123", 10) == 3); // expected-warning{{TRUE}}
}
void wcsnlen_constant1(void) {
const wchar_t *a = L"123";
clang_analyzer_eval(wcsnlen(a, 10) == 3); // expected-warning{{TRUE}}
}
void wcsnlen_constant2(char x) {
wchar_t a[] = L"123";
clang_analyzer_eval(wcsnlen(a, 10) == 3); // expected-warning{{TRUE}}
a[0] = x;
clang_analyzer_eval(wcsnlen(a, 10) == 3); // expected-warning{{UNKNOWN}}
}
void wcsnlen_constant4(void) {
clang_analyzer_eval(wcsnlen(L"123456", 3) == 3); // expected-warning{{TRUE}}
}
void wcsnlen_constant5(void) {
const wchar_t *a = L"123456";
clang_analyzer_eval(wcsnlen(a, 3) == 3); // expected-warning{{TRUE}}
}
void wcsnlen_constant6(char x) {
wchar_t a[] = L"123456";
clang_analyzer_eval(wcsnlen(a, 3) == 3); // expected-warning{{TRUE}}
a[0] = x;
clang_analyzer_eval(wcsnlen(a, 3) == 3); // expected-warning{{UNKNOWN}}
}
size_t wcsnlen_null(void) {
return wcsnlen(0, 3); // expected-warning{{Null pointer passed as 1st argument to string length function}}
}
size_t wcsnlen_fn(void) {
return wcsnlen((wchar_t*)&wcsnlen_fn, 3); // expected-warning{{Argument to string length function is the address of the function 'wcsnlen_fn', which is not a null-terminated string}}
}
size_t wcsnlen_nonloc(void) {
label:
return wcsnlen((wchar_t*)&&label, 3); // expected-warning{{Argument to string length function is the address of the label 'label', which is not a null-terminated string}}
}
void wcsnlen_zero(void) {
clang_analyzer_eval(wcsnlen(L"abc", 0) == 0); // expected-warning{{TRUE}}
clang_analyzer_eval(wcsnlen(0, 0) == 0); // expected-warning{{TRUE}}
}
size_t wcsnlen_compound_literal(void) {
// This used to crash because we don't model the string lengths of
// compound literals.
return wcsnlen((wchar_t[]) { 'a', 'b', 0 }, 1);
}
size_t wcsnlen_unknown_limit(float f) {
// This used to crash because we don't model the integer values of floats.
return wcsnlen(L"abc", (int)f);
}
void wcsnlen_is_not_wcslen(wchar_t *x) {
clang_analyzer_eval(wcsnlen(x, 10) == wcslen(x)); // expected-warning{{UNKNOWN}}
}
void wcsnlen_at_limit(wchar_t *x) {
size_t len = wcsnlen(x, 10);
clang_analyzer_eval(len <= 10); // expected-warning{{TRUE}}
clang_analyzer_eval(len == 10); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(len < 10); // expected-warning{{UNKNOWN}}
}
void wcsnlen_at_actual(size_t limit) {
size_t len = wcsnlen(L"abc", limit);
clang_analyzer_eval(len <= 3); // expected-warning{{TRUE}}
// This is due to eager assertion in wcsnlen.
if (limit == 0) {
clang_analyzer_eval(len == 0); // expected-warning{{TRUE}}
} else {
clang_analyzer_eval(len == 3); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(len < 3); // expected-warning{{UNKNOWN}}
}
}
//===----------------------------------------------------------------------===
// other tests
//===----------------------------------------------------------------------===
static const wchar_t w_str[] = L"Hello world";
void wmemcpy_sizeof(void) {
wchar_t a[32];
wmemcpy(a, w_str, sizeof(w_str) / sizeof(w_str[0]));
wmemcpy(a, w_str, (sizeof(w_str) / sizeof(w_str[0])) + 1); // expected-warning {{Memory copy function accesses out-of-bound array element}}
}
void wmemcpy_wcslen(void) {
wchar_t a[32];
// FIXME: This should work with 'w_str' instead of 'w_str1'
const wchar_t w_str1[] = L"Hello world";
wmemcpy(a, w_str1, wcslen(w_str1) + 1);
wmemcpy(a, w_str1, wcslen(w_str1) + 2); // expected-warning {{Memory copy function accesses out-of-bound array element}}
}
Codebase Browser
llvm