1 // RUN: %clang_cc1 -Wno-array-bounds -analyze -analyzer-checker=core,unix,alpha.security.ArrayBound -analyzer-store=region -verify -analyzer-config unix:Optimistic=true %s
2
// The allocator prototypes and size_t are declared by hand; no header is
// included anywhere in the visible part of this file.
// size_t is derived from the type of a sizeof expression.
typedef __typeof(sizeof(int)) size_t;
void *malloc(size_t);
void *calloc(size_t, size_t);
6
// Out-of-bounds read on a string literal.
// "abcd" occupies five bytes including the terminating NUL, so index 4 is
// the last valid element and index 5 is one past the end.
char f1() {
  char* s = "abcd";
  // Reads the NUL terminator: still inside the literal.
  char c = s[4]; // no-warning
  // Reads one byte past the literal's storage.
  return s[5] + c; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
}
12
// Out-of-bounds write into a heap region whose extent is given in bytes.
// The region is 12 bytes but is indexed as int; assuming a 4-byte int on the
// test target (TODO confirm), that is exactly three elements, so index 3 is
// one past the end.
void f2() {
  int *p = malloc(12);
  p[3] = 4; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
}
17
// Fixture type: a struct wrapping an array of three ints. Used below both as
// an element type for pointer indexing (f3, f4) and for member-array indexing
// (f7).
struct three_words {
  int c[3];
};
21
// Fixture type: a struct wrapping an array of seven ints. f4 reinterprets one
// of these as an array of three_words to exercise a size that is not a
// multiple of the element size.
struct seven_words {
  int c[7];
};
25
// Indexing a pointer to a single object as if it were an array.
// p points at exactly one three_words, so only element 0 exists.
void f3() {
  struct three_words a, *p;
  p = &a;
  // Element 0 is the object itself.
  p[0] = a; // no-warning
  // Element 1 lies entirely past the single object p points to.
  p[1] = a; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
}
32
// Indexing through a pointer cast to a smaller element type.
// The backing object holds seven ints; viewed as three_words elements it has
// room for two whole elements (ints 0-2 and 3-5). A third element would span
// ints 6-8 and so runs past the end of the seven-int object.
void f4() {
  struct seven_words c;
  struct three_words a, *p = (struct three_words *)&c;
  p[0] = a; // no-warning
  p[1] = a; // no-warning
  // Only one int of backing storage remains for this three-int element.
  p[2] = a; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
}
40
// Out-of-bounds write into a calloc'd region.
// The extent is the product of both calloc arguments: 2 * 2 = 4 bytes, so
// index 3 is the last valid char and index 4 is one past the end.
void f5() {
  char *p = calloc(2,2);
  p[3] = '.'; // no-warning
  p[4] = '!'; // expected-warning{{out-of-bound}}
}
46
// Out-of-bounds write through a pointer cast to a wider element type.
// The backing array is two bytes; b[1] starts at byte offset sizeof(int),
// which is already beyond those two bytes.
void f6() {
  char a[2];
  int *b = (int*)a;
  b[1] = 3; // expected-warning{{out-of-bound}}
}
52
// Out-of-bounds write into an array that is a struct member.
// a.c has three elements (indices 0-2); index 3 is one past the end.
void f7() {
  struct three_words a;
  a.c[3] = 1; // expected-warning{{out-of-bound}}
}
57
// Out-of-bounds write into a variable-length array.
// The array length is the parameter a, which is only known on the branch
// where a == 5; there the valid indices are 0-4.
void vla(int a) {
  if (a == 5) {
    int x[a];
    x[4] = 4; // no-warning
    // Index equals the element count: one past the end.
    x[5] = 5; // expected-warning{{out-of-bound}}
  }
}
65
// Out-of-bounds write into a region obtained from __builtin_alloca.
// Same shape as vla(): the byte count is the parameter a, known to be 5 on
// the taken branch, so valid char indices are 0-4.
void alloca_region(int a) {
  if (a == 5) {
    char *x = __builtin_alloca(a);
    x[4] = 4; // no-warning
    // Index equals the allocated byte count: one past the end.
    x[5] = 5; // expected-warning{{out-of-bound}}
  }
}
73
// Out-of-bounds read where the index is a parameter rather than a literal.
// x has two elements; the branch condition pins a to 2, which is one past the
// last valid index.
// Returns 0 on every path that does not take the branch.
int symbolic_index(int a) {
  int x[2] = {1, 2};
  if (a == 2) {
    return x[a]; // expected-warning{{out-of-bound}}
  }
  return 0;
}
81
// Lower-bound counterpart of symbolic_index(): the branch condition makes the
// index negative, so the read lands before the start of x instead of past its
// end.
// Returns 0 on every path that does not take the branch.
int symbolic_index2(int a) {
  int x[2] = {1, 2};
  if (a < 0) {
    return x[a]; // expected-warning{{out-of-bound}}
  }
  return 0;
}
89
// Hand-unrolled binary search over a table of powers of ten, with an
// off-by-one at the top of the range.
//
// ins holds 31 entries (1e-8 through 1e22, indices 0-30). eee starts at 16
// and is moved by 8, 4, 2 and 1. When every comparison takes the else branch
// the index becomes 16 + 8 + 4 + 2 + 1 = 31, which equals the element count,
// so the final ins[eee] read is one past the end of the table. The range
// guard admits values up to 1e23, above the largest table entry, so that
// path is reachable for in >= 1e22.
//
// Returns 0 when in is outside [1e-8, 1e23], otherwise the final value of eee.
int overflow_binary_search(double in) {
  int eee = 16;
  if (in < 1e-8 || in > 1e23) {
    return 0;
  } else {
    static const double ins[] = {1e-8, 1e-7, 1e-6, 1e-5, 1e-4, 1e-3, 1e-2, 1e-1,
                                 1e0, 1e1, 1e2, 1e3, 1e4, 1e5, 1e6, 1e7,
                                 1e8, 1e9, 1e10, 1e11, 1e12, 1e13, 1e14, 1e15,
                                 1e16, 1e17, 1e18, 1e19, 1e20, 1e21, 1e22};
    // Step of 8: eee becomes 8 or 24.
    if (in < ins[eee]) {
      eee -= 8;
    } else {
      eee += 8;
    }
    // Step of 4: eee is at most 28.
    if (in < ins[eee]) {
      eee -= 4;
    } else {
      eee += 4;
    }
    // Step of 2: eee is at most 30, the last valid index.
    if (in < ins[eee]) {
      eee -= 2;
    } else {
      eee += 2;
    }
    // Step of 1: from 30 the else branch yields 31, outside the table.
    if (in < ins[eee]) {
      eee -= 1;
    } else {
      eee += 1;
    }
    // With eee == 31 this comparison reads past the last table entry.
    if (in < ins[eee]) { // expected-warning {{Access out-of-bound array element (buffer overflow)}}
      eee -= 1;
    }
  }
  return eee;
}
125