diff options
| author | Carlo Zancanaro <carlo@pc-4w14-0.cs.usyd.edu.au> | 2012-10-15 17:10:06 +1100 |
|---|---|---|
| committer | Carlo Zancanaro <carlo@pc-4w14-0.cs.usyd.edu.au> | 2012-10-15 17:10:06 +1100 |
| commit | be1de4be954c80875ad4108e0a33e8e131b2f2c0 (patch) | |
| tree | 1fbbecf276bf7c7bdcbb4dd446099d6d90eaa516 /clang/test/Analysis/out-of-bounds.c | |
| parent | c4626a62754862d20b41e8a46a3574264ea80e6d (diff) | |
| parent | f1bd2e48c5324d3f7cda4090c87f8a5b6f463ce2 (diff) | |
Merge branch 'master' of ssh://bitbucket.org/czan/honours
Diffstat (limited to 'clang/test/Analysis/out-of-bounds.c')
| -rw-r--r-- | clang/test/Analysis/out-of-bounds.c | 154 |
1 files changed, 154 insertions, 0 deletions
diff --git a/clang/test/Analysis/out-of-bounds.c b/clang/test/Analysis/out-of-bounds.c new file mode 100644 index 0000000..a97bba5 --- /dev/null +++ b/clang/test/Analysis/out-of-bounds.c @@ -0,0 +1,154 @@ +// RUN: %clang_cc1 -Wno-array-bounds -analyze -analyzer-checker=core,experimental.security.ArrayBoundV2 -verify %s + +// Tests doing an out-of-bounds access after the end of an array using: +// - constant integer index +// - constant integer size for buffer +void test1(int x) { + int buf[100]; + buf[100] = 1; // expected-warning{{Out of bound memory access}} +} + +void test1_ok(int x) { + int buf[100]; + buf[99] = 1; // no-warning +} + +const char test1_strings_underrun(int x) { + const char *mystr = "mary had a little lamb"; + return mystr[-1]; // expected-warning{{Out of bound memory access}} +} + +const char test1_strings_overrun(int x) { + const char *mystr = "mary had a little lamb"; + return mystr[1000]; // expected-warning{{Out of bound memory access}} +} + +const char test1_strings_ok(int x) { + const char *mystr = "mary had a little lamb"; + return mystr[5]; // no-warning +} + +// Tests doing an out-of-bounds access after the end of an array using: +// - indirect pointer to buffer +// - constant integer index +// - constant integer size for buffer +void test1_ptr(int x) { + int buf[100]; + int *p = buf; + p[101] = 1; // expected-warning{{Out of bound memory access}} +} + +void test1_ptr_ok(int x) { + int buf[100]; + int *p = buf; + p[99] = 1; // no-warning +} + +// Tests doing an out-of-bounds access before the start of an array using: +// - indirect pointer to buffer, manipulated using simple pointer arithmetic +// - constant integer index +// - constant integer size for buffer +void test1_ptr_arith(int x) { + int buf[100]; + int *p = buf; + p = p + 100; + p[0] = 1; // expected-warning{{Out of bound memory access}} +} + +void test1_ptr_arith_ok(int x) { + int buf[100]; + int *p = buf; + p = p + 99; + p[0] = 1; // no-warning +} + +void test1_ptr_arith_bad(int x) { + int buf[100]; + int *p = buf; + p = p + 99; + p[1] = 1; // expected-warning{{Out of bound memory access}} +} + +void test1_ptr_arith_ok2(int x) { + int buf[100]; + int *p = buf; + p = p + 99; + p[-1] = 1; // no-warning +} + +// Tests doing an out-of-bounds access before the start of an array using: +// - constant integer index +// - constant integer size for buffer +void test2(int x) { + int buf[100]; + buf[-1] = 1; // expected-warning{{Out of bound memory access}} +} + +// Tests doing an out-of-bounds access before the start of an array using: +// - indirect pointer to buffer +// - constant integer index +// - constant integer size for buffer +void test2_ptr(int x) { + int buf[100]; + int *p = buf; + p[-1] = 1; // expected-warning{{Out of bound memory access}} +} + +// Tests doing an out-of-bounds access before the start of an array using: +// - indirect pointer to buffer, manipulated using simple pointer arithmetic +// - constant integer index +// - constant integer size for buffer +void test2_ptr_arith(int x) { + int buf[100]; + int *p = buf; + --p; + p[0] = 1; // expected-warning {{Out of bound memory access (accessed memory precedes memory block)}} +} + +// Tests doing an out-of-bounds access before the start of a multi-dimensional +// array using: +// - constant integer indices +// - constant integer sizes for the array +void test2_multi(int x) { + int buf[100][100]; + buf[0][-1] = 1; // expected-warning{{Out of bound memory access}} +} + +// Tests doing an out-of-bounds access before the start of a multi-dimensional +// array using: +// - constant integer indices +// - constant integer sizes for the array +void test2_multi_b(int x) { + int buf[100][100]; + buf[-1][0] = 1; // expected-warning{{Out of bound memory access}} +} + +void test2_multi_ok(int x) { + int buf[100][100]; + buf[0][0] = 1; // no-warning +} + +// Testing if solver handles (symbol * constant) < constant +void test3(int x) { + int buf[100]; + if (x < 0) + buf[x] = 1; // expected-warning {{Out of bound memory access (accessed memory precedes memory block)}} +} + +// *** FIXME *** +// We don't get a warning here yet because our symbolic constraint solving +// doesn't handle: (symbol * constant) < constant +void test4(int x) { + int buf[100]; + if (x > 99) + buf[x] = 1; +} + +// Don't warn when indexing below the start of a symbolic region's whose +// base extent we don't know. +int *get_symbolic(); +void test_index_below_symboloc() { + int *buf = get_symbolic(); + buf[-1] = 0; // no-warning; +} + |