This is an archive of the discontinued LLVM Phabricator instance.

Differential D11832

[Patch] [Analyzer] false positive: Potential leak connected with memcpy (PR 22954)
ClosedPublic

Authored by pgousseau on Aug 7 2015, 7:09 AM.

Details

Reviewers
dcoughlin
zaks.anna
xazax.hun
ayartsev
Commits
rG35d5dd29862a: [analyzer] When memcpy'ing into a fixed-size array, do not invalidate entire…
rC246345: [analyzer] When memcpy'ing into a fixed-size array, do not invalidate entire…
rL246345: [analyzer] When memcpy'ing into a fixed-size array, do not invalidate entire…
Summary

Dear All,

I would like to propose a patch to avoid the false positive memory leak warning kindly reported by krzysztof in https://llvm.org/bugs/show_bug.cgi?id=22954

The issue seems originates from the CString checker's handling of 'memcpy' (and string copy functions in general).
Given the below code snippet:

struct aa { char *s; char data[32];};
...
a.s = malloc(nbytes);
memcpy(a.data, source, len);
...

As the CString checker handles the memcpy call, it requests the invalidation of the 'a.data' region. But the invalidation worker marks the whole memory region of 'a' as to be invalidated. The Malloc checker is not made aware of this causing the false positive.

Following advices from Anton Yartsev and Gabor Horvath on cfe-dev (http://lists.cs.uiuc.edu/pipermail/cfe-dev/2015-July/043786.html), this patch introduces a new trait 'TK_DoNotInvalidateSuperRegion', for the invalidation worker to take into account, when invalidating a destination buffer of type 'FieldRegion'.

Please let me know if this is an acceptable change and if yes eventually commit it for me (as I do not have svn access) ?

Regards,

Pierre Gousseau
SN Systems - Sony Computer Entertainment

Diff Detail

Repository
rL LLVM

Event Timeline

pgousseau updated this revision to Diff 31510.Aug 7 2015, 7:09 AM
pgousseau retitled this revision from to [Patch] [Analyzer] false positive: Potential leak connected with memcpy (PR 22954).
pgousseau updated this object.
pgousseau added reviewers: cfe-commits, ayartsev, xazax.hun.
zaks.anna added reviewers: zaks.anna, dcoughlin.Aug 7 2015, 4:42 PM
pgousseau updated this object.Aug 10 2015, 1:44 AM
pgousseau removed a reviewer: cfe-commits.
pgousseau added a subscriber: cfe-commits.
zaks.anna added inline comments.Aug 10 2015, 4:41 PM
lib/StaticAnalyzer/Core/RegionStore.cpp
1098 ↗(On Diff #31510)

What happens on early returns? Here and the one below. Are there tests for these cases?

ayartsev added inline comments.Aug 11 2015, 6:08 AM
lib/StaticAnalyzer/Core/RegionStore.cpp
2359 ↗(On Diff #31510)

Too much unnecessary passing around of RegionAndSymbolInvalidationTraits parameter. What about moving "RegionAndSymbolInvalidationTraits" member from "invalidateRegionsWorker" class to the base class "ClusterAnalysis"?

pgousseau added inline comments.Aug 11 2015, 9:58 AM
lib/StaticAnalyzer/Core/RegionStore.cpp
1098 ↗(On Diff #31510)

Oops yes returning here is wrong, if we return here we skip the code conjuring the default value at line 1122.
I will change it to a goto conjure_default for !NumElements == true.
Also a value of 0 for ElemSize is ok so no need to return actually.
I will add a test for 0 sized elements' array and 0 elements array and update the patch.
What do you think ?
Thanks !

2359 ↗(On Diff #31510)

Makes sense, I will update the patch.
Thanks !

pgousseau updated this revision to Diff 31940.Aug 12 2015, 8:12 AM

Removed 'return' statements and added tests for empty arrays following Anna review.
Refactored parameter passing of 'TK_DoNotInvalidateSuperRegion' following Anton review, by adding a new member function 'hasTrait' to 'ClusterAnalysis'.

Please let me know if this is acceptable and if yes eventually commit it for me ?
Regards,
Pierre

dcoughlin edited edge metadata.Aug 13 2015, 6:13 PM

I'm still looking at this. Higher-level comments coming soon.

lib/StaticAnalyzer/Core/RegionStore.cpp
1110 ↗(On Diff #31940)

R0.getOffset() will assert if R0 is a symbolic region offset. This can happen if the invalidated array is itself in an array (e.g., someOtherArray[i].array) or is in a union.

1118 ↗(On Diff #31940)

getOffset() here will assert also if there is any key with a symbolic offset in SuperR.

1119 ↗(On Diff #31940)

Should this be ROffset < UpperOffset?

ayartsev added inline comments.Aug 14 2015, 6:31 AM
lib/StaticAnalyzer/Core/RegionStore.cpp
746 ↗(On Diff #31940)

Hmm.. Either we completely encapsulate 'RegionAndSymbolInvalidationTraits' in the 'invalidateRegionsWorker' class or we move 'RegionAndSymbolInvalidationTraits' (maybe renamed to the more general name) to the base 'ClusterAnalysis' class.
In the suggested solution you on the one hand make processing of 'RegionAndSymbolInvalidationTraits' specific to 'invalidateRegionsWorker' class but on the other hand explicitly refer to 'RegionAndSymbolInvalidationTraits::InvalidationKinds' and 'RegionAndSymbolInvalidationTraits::TK_DoNotInvalidateSuperRegion' in the 'ClusterAnalysis' class.
It seems to me the proper way to encapsulate 'RegionAndSymbolInvalidationTraits' in the 'invalidateRegionsWorker' is to just override 'AddToWorkList()' in subclasses (as you done with 'hasTrait()').

dcoughlin added a comment.Aug 14 2015, 5:22 PM

You should consider what should happen when the memcpy may write past the end of the fixed-size array and add tests that specify correct behavior for these cases. An important example is:

struct Foo {
  char data[4];
  int i;
};

Foo f;
f.i = 10;

memcpy(f.data, someBuf, 100);

clang_analyzer_eval(f.i == 10); // What should this yield?

I think it is also important to add tests for regions at symbolic offsets, for bindings in the super region having keys with symbolic offsets, and for cases where there is potential aliasing and casting between regions with symbolic offsets.

Also, Jordan wrote up a description of the region store in docs/analyzer/RegionStore.txt that you might find helpful if you haven't already seen it.

pgousseau added a comment.Aug 17 2015, 2:10 AM
In D11832#224929, @dcoughlin wrote:

You should consider what should happen when the memcpy may write past the end of the fixed-size array and add tests that specify correct behavior for these cases. An important example is:

struct Foo {
  char data[4];
  int i;
};

Foo f;
f.i = 10;

memcpy(f.data, someBuf, 100);

clang_analyzer_eval(f.i == 10); // What should this yield?

I think it is also important to add tests for regions at symbolic offsets, for bindings in the super region having keys with symbolic offsets, and for cases where there is potential aliasing and casting between regions with symbolic offsets.

Yes it seems I overlooked symbolic offsets in the test cases, will handle those.

Also, Jordan wrote up a description of the region store in docs/analyzer/RegionStore.txt that you might find helpful if you haven't already seen it.

Very usefull thanks !

lib/StaticAnalyzer/Core/RegionStore.cpp
746 ↗(On Diff #31940)

I agree yes overriding AddToWorkList would fit better, will upload new patch. Thanks !

1110 ↗(On Diff #31940)

Yes that definitely needs fixing. Thanks !

1118 ↗(On Diff #31940)

Will fix. Thanks !

1119 ↗(On Diff #31940)

Yes, will change to (ROffset < UpperOffset || (LowerOffset == UpperOffset && ROffset == LowerOffset)).
To handle arrays of 0 elements and arrays of 0 sized elements.
Thanks !

pgousseau updated this revision to Diff 32955.Aug 24 2015, 7:22 AM
pgousseau edited edge metadata.

Encapsulate 'RegionAndSymbolInvalidationTraits' by overriding 'AddToWorkList' following Anton's review.
Also as pointed out by Devin's review:
Add tests cases and handling for regions, bindings in super regions, and aliased/casted regions, with symbolic offsets.
Add test case and handling for writing past the array.
Replace 'ROffset <= UpperOffset' by 'ROffset < UpperOffset'.

Please let me know if this an acceptable change ?
Regards,
Pierre

dcoughlin added a comment.Aug 25 2015, 5:34 PM

Thanks for adding handling of the symbolic cases! Some more comments inline.

lib/StaticAnalyzer/Checkers/CStringChecker.cpp
825 ↗(On Diff #32955)

It seems odd that you return a ProgramStateRef here but don't use it in the only caller of this function. Could you just return a boolean instead? Alternatively, if you really want to add the assumption that the buffer is valid to the post-state, then you should thread the state returned from the call to this function through the rest of CStringChecker::InvalidateBuffer.

840 ↗(On Diff #32955)

You have a lot of early returns of the form:

if (!Foo)
  return state;

that don't seem to be exercised in your tests. Can these actually trigger? If so, you should add tests for these cases. If not, maybe asserts/cast<T>()/castAs<T>() would be more appropriate.

Also: should these early returns return state? Or should they return null?

851 ↗(On Diff #32955)

Can you rewrite this if/else to avoid the indentation? (See http://llvm.org/docs/CodingStandards.html#don-t-use-else-after-a-return).

866 ↗(On Diff #32955)

"CheckLocation" is copy pasta here.

lib/StaticAnalyzer/Core/RegionStore.cpp
1115 ↗(On Diff #32955)

This nesting is getting pretty deep. Can you invert some guards and change to goto/continue where appropriate.

For example:

if (!SuperR)
  goto conjure_default;

and

const ClusterBindings *C = B.lookup(SuperR)
if (!C)
  continue;
1125 ↗(On Diff #32955)

Please add a comment here to say that this is to handle arrays of 0 elements and arrays of 0-sized elements.

1132 ↗(On Diff #32955)

If you are not going to use the result, you can use isa<SymbolicRegion>(R) here instead of dyn_cast.

test/Analysis/pr22954.c
476 ↗(On Diff #32955)

Should this test m->s3[j] as well?

498 ↗(On Diff #32955)

Can you also add a test where the size argument to memcpy is the result of sizeof()?

pgousseau added inline comments.Aug 26 2015, 9:17 AM
lib/StaticAnalyzer/Checkers/CStringChecker.cpp
825 ↗(On Diff #32955)

Yes returning a bool would be better thanks, I did not meant for this function to add the assumption that the buffer is valid.

840 ↗(On Diff #32955)

Yes most of those checks seems redundant and/or might need to return nullptr/false, will double check thanks.

851 ↗(On Diff #32955)

Yes thanks for the link !

866 ↗(On Diff #32955)

Will fix !

lib/StaticAnalyzer/Core/RegionStore.cpp
1115 ↗(On Diff #32955)

Makes sense thanks.

1125 ↗(On Diff #32955)

Will do !

1132 ↗(On Diff #32955)

Will do !

test/Analysis/pr22954.c
476 ↗(On Diff #32955)

Yes that is what I meant thanks !

498 ↗(On Diff #32955)

Will do !

pgousseau updated this revision to Diff 33326.Aug 27 2015, 7:51 AM

Following Devin's review:

Modified 'IsFirstBufInBound()' to return a bool instead of a state.
Removed redundant checks in 'IsFirstBufInBound'.
Added tests to exercise 'IsFirstBufInBound' more.
Removed if/else to avoid indentation.
Removed copy paste error.
Inverted guards in 'VisitCluster' to decrease indentation.
Added comments regarding 0 elements/0-sized elements arrays.
Fixed unused var warning with isa instead of dyn_cast.
Fixed test typo and added sizeof test.

Please let me know if this is an acceptable change ?

Regards,

Pierre

dcoughlin added a comment.Aug 27 2015, 3:07 PM

Other than one teeny nit, looks good to me.

lib/StaticAnalyzer/Checkers/CStringChecker.cpp
863 ↗(On Diff #33326)

You can use cast<ElementRegion>(R) here, which will assert that R is an ElementRegion, and remove the assert below.

pgousseau added inline comments.Aug 28 2015, 1:59 AM
lib/StaticAnalyzer/Checkers/CStringChecker.cpp
863 ↗(On Diff #33326)

Will do ! Thanks.

pgousseau updated this revision to Diff 33402.Aug 28 2015, 2:08 AM

Replace 'dyn_cast' by 'cast' following Devin's review.

If all looks good could someone commit this patch for me ?

Regards,

Pierre

dcoughlin accepted this revision.Aug 28 2015, 11:00 AM
dcoughlin edited edge metadata.

I will commit. Thanks for your work on this, Pierre!

This revision is now accepted and ready to land.Aug 28 2015, 11:00 AM
Closed by commit rL246345: [analyzer] When memcpy'ing into a fixed-size array, do not invalidate entire… (authored by dcoughlin). · Explain WhyAug 28 2015, 3:27 PM
This revision was automatically updated to reflect the committed changes.
pgousseau added a comment.Aug 31 2015, 6:22 AM
In D11832#235301, @dcoughlin wrote:

I will commit. Thanks for your work on this, Pierre!

Much appreciated ! Thanks for your help.

xazax.hun edited edge metadata.EditedAug 31 2015, 12:04 PM

Hi!

With this patch committed I noticed a regression in the static analyzer.

I analyzed openssl-1.0.0d (using the test suite in utils/analyzer/SATestBuild.py).
I got the following assertion error:

(lldb) bt
* thread #1: tid = 0xa1fcb, 0x00007fff943e50ae libsystem_kernel.dylib`__pthread_kill + 10, queue = 'com.apple.main-thread', stop reason = signal SIGABRT
  * frame #0: 0x00007fff943e50ae libsystem_kernel.dylib`__pthread_kill + 10
    frame #1: 0x00007fff943f25fd libsystem_pthread.dylib`pthread_kill + 90
    frame #2: 0x0000000100960106 clang`::abort() [inlined] raise(sig=6) + 18 at Signals.inc:504
    frame #3: 0x00000001009600f4 clang`::abort() + 4 at Signals.inc:521
    frame #4: 0x00000001009600e1 clang`::__assert_rtn(func=<unavailable>, file=<unavailable>, line=<unavailable>, expr=<unavailable>) + 81 at Signals.inc:517
    frame #5: 0x00000001018fc418 clang`(anonymous namespace)::CStringChecker::InvalidateBuffer(clang::ento::CheckerContext&, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::Expr const*, clang::ento::SVal, bool, clang::Expr const*) [inlined] clang::ento::NonLoc clang::ento::SVal::castAs<clang::ento::NonLoc>() const + 1448 at SVals.h:76
    frame #6: 0x00000001018fc3f9 clang`(anonymous namespace)::CStringChecker::InvalidateBuffer(clang::ento::CheckerContext&, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::Expr const*, clang::ento::SVal, bool, clang::Expr const*) [inlined] (anonymous namespace)::CStringChecker::IsFirstBufInBound(state=clang::ento::ProgramStateRef @ 0x0000000103bf2080, FirstBuf=0x0000000103a86768) at CStringChecker.cpp:842
    frame #7: 0x00000001018fc3f9 clang`(anonymous namespace)::CStringChecker::InvalidateBuffer(C=<unavailable>, state=<unavailable>, E=0x0000000103a86768, V=<unavailable>, IsSourceBuffer=<unavailable>, Size=<unavailable>) + 1417 at CStringChecker.cpp:920
    frame #8: 0x00000001018fadf7 clang`(anonymous namespace)::CStringChecker::evalCopyCommon(this=0x0000000103212fb0, C=0x00007fff5fbfc1a0, CE=<unavailable>, state=clang::ento::ProgramStateRef @ 0x00007fff5fbfc0c0, Size=0x0000000103a867b0, Dest=0x0000000103a86768, Source=<unavailable>, Restricted=<unavailable>, IsMempcpy=<unavailable>) const + 3991 at CStringChecker.cpp:1079
    frame #9: 0x00000001018f8ad8 clang`(anonymous namespace)::CStringChecker::evalMemcpy(this=0x0000000103212fb0, C=0x00007fff5fbfc1a0, CE=0x0000000103a86720) const + 248 at CStringChecker.cpp:1101
    frame #10: 0x00000001018f89b6 clang`bool clang::ento::eval::Call::_evalCall<(anonymous namespace)::CStringChecker>(void*, clang::CallExpr const*, clang::ento::CheckerContext&) [inlined] (anonymous namespace)::CStringChecker::evalCall(CE=0x0000000103a86720, C=0x00007fff5fbfc1a0) const + 655 at CStringChecker.cpp:2002
    frame #11: 0x00000001018f8727 clang`bool clang::ento::eval::Call::_evalCall<(anonymous namespace)::CStringChecker>(checker=0x0000000103212fb0, CE=0x0000000103a86720, C=0x00007fff5fbfc1a0) + 23 at Checker.h:438
    frame #12: 0x0000000101a0417d clang`clang::ento::CheckerManager::runCheckersForEvalCall(clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&, clang::ento::CallEvent const&, clang::ento::ExprEngine&) [inlined] clang::ento::CheckerFn<bool (clang::CallExpr const*, clang::ento::CheckerContext&)>::operator(this=<unavailable>, ps=<unavailable>)(clang::CallExpr const*, clang::ento::CheckerContext&) const + 653 at CheckerManager.h:58
    frame #13: 0x0000000101a0416b clang`clang::ento::CheckerManager::runCheckersForEvalCall(this=0x0000000103211950, Dst=0x00007fff5fbfc2d8, Src=<unavailable>, Call=0x0000000103ac2070, Eng=0x00007fff5fbfcd90) + 635 at CheckerManager.cpp:549
    frame #14: 0x0000000101a361af clang`clang::ento::ExprEngine::evalCall(this=0x00007fff5fbfcd90, Dst=0x00007fff5fbfc448, Pred=<unavailable>, Call=0x0000000103ac2070) + 383 at ExprEngineCallAndReturn.cpp:527
    frame #15: 0x0000000101a35ee0 clang`clang::ento::ExprEngine::VisitCallExpr(this=0x00007fff5fbfcd90, CE=0x0000000103a86720, Pred=<unavailable>, dst=0x00007fff5fbfc9b8) + 528 at ExprEngineCallAndReturn.cpp:499
    frame #16: 0x0000000101a1b4a0 clang`clang::ento::ExprEngine::Visit(this=0x00007fff5fbfcd90, S=0x0000000103a86720, Pred=<unavailable>, DstTop=<unavailable>) + 12224 at ExprEngine.cpp:1075
    frame #17: 0x0000000101a16c30 clang`clang::ento::ExprEngine::ProcessStmt(this=0x00007fff5fbfcd90, S=<unavailable>, Pred=<unavailable>) + 880 at ExprEngine.cpp:446
    frame #18: 0x0000000101a1681e clang`clang::ento::ExprEngine::processCFGElement(this=<unavailable>, E=<unavailable>, Pred=0x0000000103bf1be0, StmtIdx=<unavailable>, Ctx=0x00007fff5fbfcc98) + 190 at ExprEngine.cpp:295
    frame #19: 0x0000000101a0c128 clang`clang::ento::CoreEngine::HandlePostStmt(this=<unavailable>, B=<unavailable>, StmtIdx=<unavailable>, Pred=<unavailable>) + 136 at CoreEngine.cpp:503
    frame #20: 0x0000000101a0b71b clang`clang::ento::CoreEngine::ExecuteWorkList(this=0x00007fff5fbfcda8, L=<unavailable>, Steps=150000, InitState=clang::ento::ProgramStateRef @ 0x00007fff5fbfd120) + 491 at CoreEngine.cpp:223
    frame #21: 0x00000001012698a0 clang`(anonymous namespace)::AnalysisConsumer::ActionExprEngine(clang::Decl*, bool, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*> >*) [inlined] clang::ento::ExprEngine::ExecuteWorkList(L=0x00000001032c84a0, Steps=<unavailable>) + 35 at ExprEngine.h:109
    frame #22: 0x000000010126987d clang`(anonymous namespace)::AnalysisConsumer::ActionExprEngine(this=0x0000000103211090, D=0x00000001039b8418, ObjCGCEnabled=<unavailable>, IMode=<unavailable>, VisitedCallees=<unavailable>) + 973 at AnalysisConsumer.cpp:659
    frame #23: 0x000000010126931d clang`(anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*> >*) [inlined] (anonymous namespace)::AnalysisConsumer::RunPathSensitiveChecks(this=<unavailable>, D=<unavailable>, IMode=<unavailable>, Visited=<unavailable>) + 1501 at AnalysisConsumer.cpp:689
    frame #24: 0x00000001012692c9 clang`(anonymous namespace)::AnalysisConsumer::HandleCode(this=<unavailable>, D=<unavailable>, Mode=<unavailable>, IMode=Inline_Regular, VisitedCallees=<unavailable>) + 1417 at AnalysisConsumer.cpp:627
    frame #25: 0x000000010125bd31 clang`(anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) + 743 at AnalysisConsumer.cpp:491
    frame #26: 0x000000010125ba4a clang`(anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(this=0x0000000103211090, C=<unavailable>) + 650 at AnalysisConsumer.cpp:542
    frame #27: 0x0000000101274065 clang`clang::ParseAST(S=0x0000000103858a00, PrintStats=false, SkipFunctionBodies=<unavailable>) + 581 at ParseAST.cpp:168
    frame #28: 0x0000000100d96adb clang`clang::FrontendAction::Execute(this=<unavailable>) + 75 at FrontendAction.cpp:439
    frame #29: 0x0000000100d621eb clang`clang::CompilerInstance::ExecuteAction(this=0x0000000103208240, Act=0x0000000103209ae0) + 843 at CompilerInstance.cpp:830
    frame #30: 0x0000000100dd48bf clang`clang::ExecuteCompilerInvocation(Clang=0x0000000103208240) + 4047 at ExecuteCompilerInvocation.cpp:222
    frame #31: 0x000000010000608c clang`cc1_main(Argv=<unavailable>, Argv0="/Users/ghorvath/Documents/LLVM/build/bin/clang", MainAddr=0x0000000100001df0) + 1180 at cc1_main.cpp:116
    frame #32: 0x0000000100004cc9 clang`main [inlined] ExecuteCC1Tool(Tool=<unavailable>) + 83 at driver.cpp:380
    frame #33: 0x0000000100004c76 clang`main(argc_=<unavailable>, argv_=<unavailable>) + 11830 at driver.cpp:443
    frame #34: 0x00007fff881eb5ad libdyld.dylib`start + 1
    frame #35: 0x00007fff881eb5ad libdyld.dylib`start + 1

Could you look into this?

xazax.hun added a comment.Aug 31 2015, 1:18 PM

I reverted the commit until this assertion is fixed.

Steps to reproduce:
Download the following preprocessed file:

clang_crash_7QnDaH.i88 KBDownload

Execute the analyzer on that one: clang -cc1 -analyze -analyzer-checker=core -analyzer-checker=unix -fblocks clang_crash_7QnDaH.i

pgousseau added a comment.Sep 1 2015, 12:30 AM
In D11832#236672, @xazax.hun wrote:

I reverted the commit until this assertion is fixed.

Steps to reproduce:
Download the following preprocessed file:

clang_crash_7QnDaH.i88 KBDownload

Execute the analyzer on that one: clang -cc1 -analyze -analyzer-checker=core -analyzer-checker=unix -fblocks clang_crash_7QnDaH.i

Thanks for the reproducible and revert, I will have a look !

pgousseau added a comment.Sep 3 2015, 2:49 AM
In D11832#237110, @pgousseau wrote:
In D11832#236672, @xazax.hun wrote:

I reverted the commit until this assertion is fixed.

Steps to reproduce:
Download the following preprocessed file:

clang_crash_7QnDaH.i88 KBDownload

Execute the analyzer on that one: clang -cc1 -analyze -analyzer-checker=core -analyzer-checker=unix -fblocks clang_crash_7QnDaH.i

Thanks for the reproducible and revert, I will have a look !

I have now uploaded a patch for this at http://reviews.llvm.org/D12571

Revision Contents

PathSize
cfe/
trunk/
include/
clang/
StaticAnalyzer/
Core/
PathSensitive/
4 lines
lib/
StaticAnalyzer/
Checkers/
92 lines
Core/
83 lines
test/
Analysis/
697 lines

Diff 33478

cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h

Show First 20 LinesShow All 1,327 Lines▼ Show 20 Lines typedef llvm::DenseMap<SymbolRef, StorageTypeForKinds>::const_iterator
const_symbol_iterator; const_symbol_iterator;
public: public:
/// \brief Describes different invalidation traits. /// \brief Describes different invalidation traits.
enum InvalidationKinds { enum InvalidationKinds {
/// Tells that a region's contents is not changed. /// Tells that a region's contents is not changed.
TK_PreserveContents = 0x1, TK_PreserveContents = 0x1,
/// Suppress pointer-escaping of a region. /// Suppress pointer-escaping of a region.
TK_SuppressEscape = 0x2 TK_SuppressEscape = 0x2,
// Do not invalidate super region.
TK_DoNotInvalidateSuperRegion = 0x4
// Do not forget to extend StorageTypeForKinds if number of traits exceed // Do not forget to extend StorageTypeForKinds if number of traits exceed
// the number of bits StorageTypeForKinds can store. // the number of bits StorageTypeForKinds can store.
}; };
void setTrait(SymbolRef Sym, InvalidationKinds IK); void setTrait(SymbolRef Sym, InvalidationKinds IK);
void setTrait(const MemRegion *MR, InvalidationKinds IK); void setTrait(const MemRegion *MR, InvalidationKinds IK);
bool hasTrait(SymbolRef Sym, InvalidationKinds IK); bool hasTrait(SymbolRef Sym, InvalidationKinds IK);
Show All 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/CStringChecker.cpp

Show First 20 LinesShow All 139 Lines▼ Show 20 Linespublic:
const StringLiteral *getCStringLiteral(CheckerContext &C, const StringLiteral *getCStringLiteral(CheckerContext &C,
ProgramStateRef &state, ProgramStateRef &state,
const Expr *expr, const Expr *expr,
SVal val) const; SVal val) const;
static ProgramStateRef InvalidateBuffer(CheckerContext &C, static ProgramStateRef InvalidateBuffer(CheckerContext &C,
ProgramStateRef state, ProgramStateRef state,
const Expr *Ex, SVal V, const Expr *Ex, SVal V,
bool IsSourceBuffer); bool IsSourceBuffer,
const Expr *Size);
static bool SummarizeRegion(raw_ostream &os, ASTContext &Ctx, static bool SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
const MemRegion *MR); const MemRegion *MR);
// Re-usable checks // Re-usable checks
ProgramStateRef checkNonNull(CheckerContext &C, ProgramStateRef checkNonNull(CheckerContext &C,
ProgramStateRef state, ProgramStateRef state,
const Expr *S, const Expr *S,
Show All 31 Lines void emitOverlapBug(CheckerContext &C,
ProgramStateRef state, ProgramStateRef state,
const Stmt *First, const Stmt *First,
const Stmt *Second) const; const Stmt *Second) const;
ProgramStateRef checkAdditionOverflow(CheckerContext &C, ProgramStateRef checkAdditionOverflow(CheckerContext &C,
ProgramStateRef state, ProgramStateRef state,
NonLoc left, NonLoc left,
NonLoc right) const; NonLoc right) const;
// Return true if destination buffer of copy function is in bound.
// Expects SVal of Size to be positive and unsigned.
// Expects SVal of FirstBuf to be a FieldRegion.
static bool IsFirstBufInBound(CheckerContext &C,
ProgramStateRef state,
const Expr *FirstBuf,
const Expr *Size);
}; };
} //end anonymous namespace } //end anonymous namespace
REGISTER_MAP_WITH_PROGRAMSTATE(CStringLength, const MemRegion *, SVal) REGISTER_MAP_WITH_PROGRAMSTATE(CStringLength, const MemRegion *, SVal)
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Individual checks and utility methods. // Individual checks and utility methods.
▲ Show 20 LinesShow All 605 Lines▼ Show 20 Linesconst StringLiteral *CStringChecker::getCStringLiteral(CheckerContext &C,
const StringRegion *strRegion= dyn_cast<StringRegion>(bufRegion); const StringRegion *strRegion= dyn_cast<StringRegion>(bufRegion);
if (!strRegion) if (!strRegion)
return nullptr; return nullptr;
// Return the actual string in the string region. // Return the actual string in the string region.
return strRegion->getStringLiteral(); return strRegion->getStringLiteral();
} }
bool CStringChecker::IsFirstBufInBound(CheckerContext &C,
ProgramStateRef state,
const Expr *FirstBuf,
const Expr *Size) {
// Originally copied from CheckBufferAccess and CheckLocation.
SValBuilder &svalBuilder = C.getSValBuilder();
ASTContext &Ctx = svalBuilder.getContext();
const LocationContext *LCtx = C.getLocationContext();
QualType sizeTy = Size->getType();
QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
SVal BufVal = state->getSVal(FirstBuf, LCtx);
SVal LengthVal = state->getSVal(Size, LCtx);
// Cast is safe as the size argument to copy functions are of integral type.
NonLoc Length = LengthVal.castAs<NonLoc>();
// Compute the offset of the last element to be accessed: size-1.
NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
NonLoc LastOffset =
svalBuilder.evalBinOpNN(state, BO_Sub, Length, One, sizeTy)
.castAs<NonLoc>();
// Check that the first buffer is sufficiently long.
SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType());
// Cast is safe as caller checks BufVal is a MemRegionVal.
Loc BufLoc = BufStart.castAs<Loc>();
SVal BufEnd =
svalBuilder.evalBinOpLN(state, BO_Add, BufLoc, LastOffset, PtrTy);
// Check for out of bound array element access.
const MemRegion *R = BufEnd.getAsRegion();
// BufStart is a MemRegionVal so BufEnd should be one too.
assert(R && "BufEnd should be a MemRegion");
// Cast is safe as BufVal's region is a FieldRegion.
const ElementRegion *ER = cast<ElementRegion>(R);
assert(ER->getValueType() == C.getASTContext().CharTy &&
"IsFirstBufInBound should only be called with char* ElementRegions");
// Get the size of the array.
const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion());
SVal Extent =
svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder));
DefinedOrUnknownSVal ExtentSize = Extent.castAs<DefinedOrUnknownSVal>();
// Get the index of the accessed element.
DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
ProgramStateRef StInBound = state->assumeInBound(Idx, ExtentSize, true);
return static_cast<bool>(StInBound);
}
ProgramStateRef CStringChecker::InvalidateBuffer(CheckerContext &C, ProgramStateRef CStringChecker::InvalidateBuffer(CheckerContext &C,
ProgramStateRef state, ProgramStateRef state,
const Expr *E, SVal V, const Expr *E, SVal V,
bool IsSourceBuffer) { bool IsSourceBuffer,
const Expr *Size) {
Optional<Loc> L = V.getAs<Loc>(); Optional<Loc> L = V.getAs<Loc>();
if (!L) if (!L)
return state; return state;
// FIXME: This is a simplified version of what's in CFRefCount.cpp -- it makes // FIXME: This is a simplified version of what's in CFRefCount.cpp -- it makes
// some assumptions about the value that CFRefCount can't. Even so, it should // some assumptions about the value that CFRefCount can't. Even so, it should
// probably be refactored. // probably be refactored.
if (Optional<loc::MemRegionVal> MR = L->getAs<loc::MemRegionVal>()) { if (Optional<loc::MemRegionVal> MR = L->getAs<loc::MemRegionVal>()) {
Show All 13 Lines if (Optional<loc::MemRegionVal> MR = L->getAs<loc::MemRegionVal>()) {
RegionAndSymbolInvalidationTraits ITraits; RegionAndSymbolInvalidationTraits ITraits;
// Invalidate and escape only indirect regions accessible through the source // Invalidate and escape only indirect regions accessible through the source
// buffer. // buffer.
if (IsSourceBuffer) { if (IsSourceBuffer) {
ITraits.setTrait(R, ITraits.setTrait(R,
RegionAndSymbolInvalidationTraits::TK_PreserveContents); RegionAndSymbolInvalidationTraits::TK_PreserveContents);
ITraits.setTrait(R, RegionAndSymbolInvalidationTraits::TK_SuppressEscape); ITraits.setTrait(R, RegionAndSymbolInvalidationTraits::TK_SuppressEscape);
CausesPointerEscape = true; CausesPointerEscape = true;
} else {
const MemRegion::Kind& K = R->getKind();
if (K == MemRegion::FieldRegionKind)
if (Size && IsFirstBufInBound(C, state, E, Size)) {
// If destination buffer is a field region and access is in bound,
// do not invalidate its super region.
ITraits.setTrait(
R,
RegionAndSymbolInvalidationTraits::TK_DoNotInvalidateSuperRegion);
}
} }
return state->invalidateRegions(R, E, C.blockCount(), LCtx, return state->invalidateRegions(R, E, C.blockCount(), LCtx,
CausesPointerEscape, nullptr, nullptr, CausesPointerEscape, nullptr, nullptr,
&ITraits); &ITraits);
} }
// If we have a non-region value by chance, just remove the binding. // If we have a non-region value by chance, just remove the binding.
▲ Show 20 LinesShow All 137 Lines▼ Show 20 Lines if (stateNonZeroSize) {
// Invalidate the destination (regular invalidation without pointer-escaping // Invalidate the destination (regular invalidation without pointer-escaping
// the address of the top-level region). // the address of the top-level region).
// FIXME: Even if we can't perfectly model the copy, we should see if we // FIXME: Even if we can't perfectly model the copy, we should see if we
// can use LazyCompoundVals to copy the source values into the destination. // can use LazyCompoundVals to copy the source values into the destination.
// This would probably remove any existing bindings past the end of the // This would probably remove any existing bindings past the end of the
// copied region, but that's still an improvement over blank invalidation. // copied region, but that's still an improvement over blank invalidation.
state = InvalidateBuffer(C, state, Dest, C.getSVal(Dest), state = InvalidateBuffer(C, state, Dest, C.getSVal(Dest),
/*IsSourceBuffer*/false); /*IsSourceBuffer*/false, Size);
// Invalidate the source (const-invalidation without const-pointer-escaping // Invalidate the source (const-invalidation without const-pointer-escaping
// the address of the top-level region). // the address of the top-level region).
state = InvalidateBuffer(C, state, Source, C.getSVal(Source), state = InvalidateBuffer(C, state, Source, C.getSVal(Source),
/*IsSourceBuffer*/true); /*IsSourceBuffer*/true, nullptr);
C.addTransition(state); C.addTransition(state);
} }
} }
void CStringChecker::evalMemcpy(CheckerContext &C, const CallExpr *CE) const { void CStringChecker::evalMemcpy(CheckerContext &C, const CallExpr *CE) const {
if (CE->getNumArgs() < 3) if (CE->getNumArgs() < 3)
▲ Show 20 LinesShow All 598 Lines▼ Show 20 Lines if (Optional<loc::MemRegionVal> dstRegVal =
// Invalidate the destination (regular invalidation without pointer-escaping // Invalidate the destination (regular invalidation without pointer-escaping
// the address of the top-level region). This must happen before we set the // the address of the top-level region). This must happen before we set the
// C string length because invalidation will clear the length. // C string length because invalidation will clear the length.
// FIXME: Even if we can't perfectly model the copy, we should see if we // FIXME: Even if we can't perfectly model the copy, we should see if we
// can use LazyCompoundVals to copy the source values into the destination. // can use LazyCompoundVals to copy the source values into the destination.
// This would probably remove any existing bindings past the end of the // This would probably remove any existing bindings past the end of the
// string, but that's still an improvement over blank invalidation. // string, but that's still an improvement over blank invalidation.
state = InvalidateBuffer(C, state, Dst, *dstRegVal, state = InvalidateBuffer(C, state, Dst, *dstRegVal,
/*IsSourceBuffer*/false); /*IsSourceBuffer*/false, nullptr);
// Invalidate the source (const-invalidation without const-pointer-escaping // Invalidate the source (const-invalidation without const-pointer-escaping
// the address of the top-level region). // the address of the top-level region).
state = InvalidateBuffer(C, state, srcExpr, srcVal, /*IsSourceBuffer*/true); state = InvalidateBuffer(C, state, srcExpr, srcVal, /*IsSourceBuffer*/true,
nullptr);
// Set the C string length of the destination, if we know it. // Set the C string length of the destination, if we know it.
if (isBounded && !isAppending) { if (isBounded && !isAppending) {
// strncpy is annoying in that it doesn't guarantee to null-terminate // strncpy is annoying in that it doesn't guarantee to null-terminate
// the result string. If the original string didn't fit entirely inside // the result string. If the original string didn't fit entirely inside
// the bound (including the null-terminator), we don't know how long the // the bound (including the null-terminator), we don't know how long the
// result is. // result is.
if (amountCopied != strLength) if (amountCopied != strLength)
▲ Show 20 LinesShow All 207 Lines▼ Show 20 Linesvoid CStringChecker::evalStrsep(CheckerContext &C, const CallExpr *CE) const {
SVal Result; SVal Result;
if (Optional<Loc> SearchStrLoc = SearchStrVal.getAs<Loc>()) { if (Optional<Loc> SearchStrLoc = SearchStrVal.getAs<Loc>()) {
// Get the current value of the search string pointer, as a char*. // Get the current value of the search string pointer, as a char*.
Result = State->getSVal(*SearchStrLoc, CharPtrTy); Result = State->getSVal(*SearchStrLoc, CharPtrTy);
// Invalidate the search string, representing the change of one delimiter // Invalidate the search string, representing the change of one delimiter
// character to NUL. // character to NUL.
State = InvalidateBuffer(C, State, SearchStrPtr, Result, State = InvalidateBuffer(C, State, SearchStrPtr, Result,
/*IsSourceBuffer*/false); /*IsSourceBuffer*/false, nullptr);
// Overwrite the search string pointer. The new value is either an address // Overwrite the search string pointer. The new value is either an address
// further along in the same string, or NULL if there are no more tokens. // further along in the same string, or NULL if there are no more tokens.
State = State->bindLoc(*SearchStrLoc, State = State->bindLoc(*SearchStrLoc,
SVB.conjureSymbolVal(getTag(), CE, LCtx, CharPtrTy, SVB.conjureSymbolVal(getTag(), CE, LCtx, CharPtrTy,
C.blockCount())); C.blockCount()));
} else { } else {
assert(SearchStrVal.isUnknown()); assert(SearchStrVal.isUnknown());
▲ Show 20 LinesShow All 225 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Core/RegionStore.cpp

Show First 20 LinesShow All 704 Lines▼ Show 20 Linespublic:
bool AddToWorkList(WorkListElement E, const ClusterBindings *C) { bool AddToWorkList(WorkListElement E, const ClusterBindings *C) {
if (C && !Visited.insert(C).second) if (C && !Visited.insert(C).second)
return false; return false;
WL.push_back(E); WL.push_back(E);
return true; return true;
} }
bool AddToWorkList(const MemRegion *R) { bool AddToWorkList(const MemRegion *R) {
const MemRegion *BaseR = R->getBaseRegion(); return static_cast<DERIVED*>(this)->AddToWorkList(R);
return AddToWorkList(WorkListElement(BaseR), getCluster(BaseR));
} }
void RunWorkList() { void RunWorkList() {
while (!WL.empty()) { while (!WL.empty()) {
WorkListElement E = WL.pop_back_val(); WorkListElement E = WL.pop_back_val();
const MemRegion *BaseR = E; const MemRegion *BaseR = E;
static_cast<DERIVED*>(this)->VisitCluster(BaseR, getCluster(BaseR)); static_cast<DERIVED*>(this)->VisitCluster(BaseR, getCluster(BaseR));
▲ Show 20 LinesShow All 228 Lines▼ Show 20 Lines invalidateRegionsWorker(RegionStoreManager &rm,
RegionAndSymbolInvalidationTraits &ITraitsIn, RegionAndSymbolInvalidationTraits &ITraitsIn,
StoreManager::InvalidatedRegions *r, StoreManager::InvalidatedRegions *r,
GlobalsFilterKind GFK) GlobalsFilterKind GFK)
: ClusterAnalysis<invalidateRegionsWorker>(rm, stateMgr, b, GFK), : ClusterAnalysis<invalidateRegionsWorker>(rm, stateMgr, b, GFK),
Ex(ex), Count(count), LCtx(lctx), IS(is), ITraits(ITraitsIn), Regions(r){} Ex(ex), Count(count), LCtx(lctx), IS(is), ITraits(ITraitsIn), Regions(r){}
void VisitCluster(const MemRegion *baseR, const ClusterBindings *C); void VisitCluster(const MemRegion *baseR, const ClusterBindings *C);
void VisitBinding(SVal V); void VisitBinding(SVal V);
using ClusterAnalysis::AddToWorkList;
bool AddToWorkList(const MemRegion *R);
}; };
} }
bool invalidateRegionsWorker::AddToWorkList(const MemRegion *R) {
bool doNotInvalidateSuperRegion = ITraits.hasTrait(
R, RegionAndSymbolInvalidationTraits::TK_DoNotInvalidateSuperRegion);
const MemRegion *BaseR = doNotInvalidateSuperRegion ? R : R->getBaseRegion();
return AddToWorkList(WorkListElement(BaseR), getCluster(BaseR));
}
void invalidateRegionsWorker::VisitBinding(SVal V) { void invalidateRegionsWorker::VisitBinding(SVal V) {
// A symbol? Mark it touched by the invalidation. // A symbol? Mark it touched by the invalidation.
if (SymbolRef Sym = V.getAsSymbol()) if (SymbolRef Sym = V.getAsSymbol())
IS.insert(Sym); IS.insert(Sym);
if (const MemRegion *R = V.getAsRegion()) { if (const MemRegion *R = V.getAsRegion()) {
AddToWorkList(R); AddToWorkList(R);
return; return;
▲ Show 20 LinesShow All 96 Lines▼ Show 20 Lines if (T->isStructureOrClassType()) {
// conjured symbol. The type of the symbol is irrelevant. // conjured symbol. The type of the symbol is irrelevant.
DefinedOrUnknownSVal V = svalBuilder.conjureSymbolVal(baseR, Ex, LCtx, DefinedOrUnknownSVal V = svalBuilder.conjureSymbolVal(baseR, Ex, LCtx,
Ctx.IntTy, Count); Ctx.IntTy, Count);
B = B.addBinding(baseR, BindingKey::Default, V); B = B.addBinding(baseR, BindingKey::Default, V);
return; return;
} }
if (const ArrayType *AT = Ctx.getAsArrayType(T)) { if (const ArrayType *AT = Ctx.getAsArrayType(T)) {
bool doNotInvalidateSuperRegion = ITraits.hasTrait(
baseR,
RegionAndSymbolInvalidationTraits::TK_DoNotInvalidateSuperRegion);
if (doNotInvalidateSuperRegion) {
// We are not doing blank invalidation of the whole array region so we
// have to manually invalidate each elements.
Optional<uint64_t> NumElements;
// Compute lower and upper offsets for region within array.
if (const ConstantArrayType *CAT = dyn_cast<ConstantArrayType>(AT))
NumElements = CAT->getSize().getZExtValue();
if (!NumElements) // We are not dealing with a constant size array
goto conjure_default;
QualType ElementTy = AT->getElementType();
uint64_t ElemSize = Ctx.getTypeSize(ElementTy);
const RegionOffset &RO = baseR->getAsOffset();
const MemRegion *SuperR = baseR->getBaseRegion();
if (RO.hasSymbolicOffset()) {
// If base region has a symbolic offset,
// we revert to invalidating the super region.
if (SuperR)
AddToWorkList(SuperR);
goto conjure_default;
}
assert(RO.getOffset() >= 0 && "Offset should not be negative");
uint64_t LowerOffset = RO.getOffset();
uint64_t UpperOffset = LowerOffset + *NumElements * ElemSize;
// Invalidate regions which are within array boundaries,
// or have a symbolic offset.
if (!SuperR)
goto conjure_default;
const ClusterBindings *C = B.lookup(SuperR);
if (!C)
goto conjure_default;
for (ClusterBindings::iterator I = C->begin(), E = C->end(); I != E;
++I) {
const BindingKey &BK = I.getKey();
Optional<uint64_t> ROffset =
BK.hasSymbolicOffset() ? Optional<uint64_t>() : BK.getOffset();
// Check offset is not symbolic and within array's boundaries.
// Handles arrays of 0 elements and of 0-sized elements as well.
if (!ROffset ||
(ROffset &&
((*ROffset >= LowerOffset && *ROffset < UpperOffset) ||
(LowerOffset == UpperOffset && *ROffset == LowerOffset)))) {
B = B.removeBinding(I.getKey());
// Bound symbolic regions need to be invalidated for dead symbol
// detection.
SVal V = I.getData();
const MemRegion *R = V.getAsRegion();
if (R && isa<SymbolicRegion>(R))
VisitBinding(V);
}
}
}
conjure_default:
// Set the default value of the array to conjured symbol. // Set the default value of the array to conjured symbol.
DefinedOrUnknownSVal V = DefinedOrUnknownSVal V =
svalBuilder.conjureSymbolVal(baseR, Ex, LCtx, svalBuilder.conjureSymbolVal(baseR, Ex, LCtx,
AT->getElementType(), Count); AT->getElementType(), Count);
B = B.addBinding(baseR, BindingKey::Default, V); B = B.addBinding(baseR, BindingKey::Default, V);
return; return;
} }
▲ Show 20 LinesShow All 1,100 Lines▼ Show 20 Lines removeDeadBindingsWorker(RegionStoreManager &rm,
: ClusterAnalysis<removeDeadBindingsWorker>(rm, stateMgr, b, GFK_None), : ClusterAnalysis<removeDeadBindingsWorker>(rm, stateMgr, b, GFK_None),
SymReaper(symReaper), CurrentLCtx(LCtx) {} SymReaper(symReaper), CurrentLCtx(LCtx) {}
// Called by ClusterAnalysis. // Called by ClusterAnalysis.
void VisitAddedToCluster(const MemRegion *baseR, const ClusterBindings &C); void VisitAddedToCluster(const MemRegion *baseR, const ClusterBindings &C);
void VisitCluster(const MemRegion *baseR, const ClusterBindings *C); void VisitCluster(const MemRegion *baseR, const ClusterBindings *C);
using ClusterAnalysis<removeDeadBindingsWorker>::VisitCluster; using ClusterAnalysis<removeDeadBindingsWorker>::VisitCluster;
using ClusterAnalysis::AddToWorkList;
bool AddToWorkList(const MemRegion *R);
bool UpdatePostponed(); bool UpdatePostponed();
void VisitBinding(SVal V); void VisitBinding(SVal V);
}; };
} }
bool removeDeadBindingsWorker::AddToWorkList(const MemRegion *R) {
const MemRegion *BaseR = R->getBaseRegion();
return AddToWorkList(WorkListElement(BaseR), getCluster(BaseR));
}
void removeDeadBindingsWorker::VisitAddedToCluster(const MemRegion *baseR, void removeDeadBindingsWorker::VisitAddedToCluster(const MemRegion *baseR,
const ClusterBindings &C) { const ClusterBindings &C) {
if (const VarRegion *VR = dyn_cast<VarRegion>(baseR)) { if (const VarRegion *VR = dyn_cast<VarRegion>(baseR)) {
if (SymReaper.isLive(VR)) if (SymReaper.isLive(VR))
AddToWorkList(baseR, &C); AddToWorkList(baseR, &C);
return; return;
▲ Show 20 LinesShow All 151 LinesShow Last 20 Lines

cfe/trunk/test/Analysis/pr22954.c

// Given code 'struct aa { char s1[4]; char * s2;} a; memcpy(a.s1, ...);',
// this test checks that the CStringChecker only invalidates the destination buffer array a.s1 (instead of a.s1 and a.s2).
// At the moment the whole of the destination array content is invalidated.
// If a.s1 region has a symbolic offset, the whole region of 'a' is invalidated.
// Specific triple set to test structures of size 0.
// RUN: %clang_cc1 -triple x86_64-pc-linux-gnu -analyze -analyzer-checker=core,unix.Malloc,debug.ExprInspection -analyzer-store=region -verify %s
typedef __typeof(sizeof(int)) size_t;
char *strdup(const char *s);
void free(void *);
void *memcpy(void *dst, const void *src, size_t n); // expected-note{{passing argument to parameter 'dst' here}}
void *malloc(size_t n);
void clang_analyzer_eval(int);
struct aa {
char s1[4];
char *s2;
};
// Test different types of structure initialisation.
int f0() {
struct aa a0 = {{1, 2, 3, 4}, 0};
a0.s2 = strdup("hello");
char input[] = {'a', 'b', 'c', 'd'};
memcpy(a0.s1, input, 4);
clang_analyzer_eval(a0.s1[0] == 'a'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a0.s1[1] == 'b'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a0.s1[2] == 'c'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a0.s1[3] == 'd'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a0.s2 == 0); // expected-warning{{UNKNOWN}}
free(a0.s2); // no warning
return 0;
}
int f1() {
struct aa a1;
a1.s2 = strdup("hello");
char input[] = {'a', 'b', 'c', 'd'};
memcpy(a1.s1, input, 4);
clang_analyzer_eval(a1.s1[0] == 'a'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a1.s1[1] == 'b'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a1.s1[2] == 'c'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a1.s1[3] == 'd'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a1.s2 == 0); // expected-warning{{UNKNOWN}}
free(a1.s2); // no warning
return 0;
}
int f2() {
struct aa a2 = {{1, 2}};
a2.s2 = strdup("hello");
char input[] = {'a', 'b', 'c', 'd'};
memcpy(a2.s1, input, 4);
clang_analyzer_eval(a2.s1[0] == 'a'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a2.s1[1] == 'b'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a2.s1[2] == 'c'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a2.s1[3] == 'd'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a2.s2 == 0); // expected-warning{{UNKNOWN}}
free(a2.s2); // no warning
return 0;
}
int f3() {
struct aa a3 = {{1, 2, 3, 4}, 0};
a3.s2 = strdup("hello");
char input[] = {'a', 'b', 'c', 'd'};
int * dest = (int*)a3.s1;
memcpy(dest, input, 4);
clang_analyzer_eval(a3.s1[0] == 'a'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(dest[0] == 'a'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a3.s1[1] == 'b'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(dest[1] == 'b'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a3.s1[2] == 'c'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(dest[2] == 'c'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a3.s1[3] == 'd'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(dest[3] == 'd'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a3.s2 == 0); // expected-warning{{UNKNOWN}}
free(a3.s2); // no warning
return 0;
}
struct bb {
struct aa a;
char * s2;
};
int f4() {
struct bb b0 = {{1, 2, 3, 4}, 0};
b0.s2 = strdup("hello");
b0.a.s2 = strdup("hola");
char input[] = {'a', 'b', 'c', 'd'};
char * dest = (char*)(b0.a.s1);
memcpy(dest, input, 4);
clang_analyzer_eval(b0.a.s1[0] == 'a'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(dest[0] == 'a'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(b0.a.s1[1] == 'b'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(dest[1] == 'b'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(b0.a.s1[2] == 'c'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(dest[2] == 'c'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(b0.a.s1[3] == 'd'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(dest[3] == 'd'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(b0.s2 == 0); // expected-warning{{UNKNOWN}}
free(b0.a.s2); // no warning
free(b0.s2); // no warning
return 0;
}
// Test that memory leaks are caught.
int f5() {
struct aa a0 = {{1, 2, 3, 4}, 0};
a0.s2 = strdup("hello");
char input[] = {'a', 'b', 'c', 'd'};
memcpy(a0.s1, input, 4);
return 0; // expected-warning{{Potential leak of memory pointed to by 'a0.s2'}}
}
int f6() {
struct aa a1;
a1.s2 = strdup("hello");
char input[] = {'a', 'b', 'c', 'd'};
memcpy(a1.s1, input, 4);
return 0; // expected-warning{{Potential leak of memory pointed to by 'a1.s2'}}
}
int f7() {
struct aa a2 = {{1, 2}};
a2.s2 = strdup("hello");
char input[] = {'a', 'b', 'c', 'd'};
memcpy(a2.s1, input, 4);
return 0; // expected-warning{{Potential leak of memory pointed to by 'a2.s2'}}
}
int f8() {
struct aa a3 = {{1, 2, 3, 4}, 0};
a3.s2 = strdup("hello");
char input[] = {'a', 'b', 'c', 'd'};
int * dest = (int*)a3.s1;
memcpy(dest, input, 4);
return 0; // expected-warning{{Potential leak of memory pointed to by 'a3.s2'}}
}
int f9() {
struct bb b0 = {{1, 2, 3, 4}, 0};
b0.s2 = strdup("hello");
b0.a.s2 = strdup("hola");
char input[] = {'a', 'b', 'c', 'd'};
char * dest = (char*)(b0.a.s1);
memcpy(dest, input, 4);
free(b0.a.s2); // expected-warning{{Potential leak of memory pointed to by 'b0.s2'}}
return 0;
}
int f10() {
struct bb b0 = {{1, 2, 3, 4}, 0};
b0.s2 = strdup("hello");
b0.a.s2 = strdup("hola");
char input[] = {'a', 'b', 'c', 'd'};
char * dest = (char*)(b0.a.s1);
memcpy(dest, input, 4);
free(b0.s2); // expected-warning{{Potential leak of memory pointed to by 'b0.a.s2'}}
return 0;
}
// Test invalidating fields being addresses of array.
struct cc {
char * s1;
char * s2;
};
int f11() {
char x[4] = {1, 2};
x[0] = 1;
x[1] = 2;
struct cc c0;
c0.s2 = strdup("hello");
c0.s1 = &x[0];
char input[] = {'a', 'b', 'c', 'd'};
memcpy(c0.s1, input, 4);
clang_analyzer_eval(x[0] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(x[1] == 2); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(c0.s1[0] == 'a'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(c0.s1[1] == 'b'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(c0.s1[2] == 'c'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(c0.s1[3] == 'd'); // expected-warning{{UNKNOWN}}
free(c0.s2); // no-warning
return 0;
}
// Test inverting field position between s1 and s2.
struct dd {
char *s2;
char s1[4];
};
int f12() {
struct dd d0 = {0, {1, 2, 3, 4}};
d0.s2 = strdup("hello");
char input[] = {'a', 'b', 'c', 'd'};
memcpy(d0.s1, input, 4);
clang_analyzer_eval(d0.s1[0] == 'a'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(d0.s1[1] == 'b'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(d0.s1[2] == 'c'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(d0.s1[3] == 'd'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(d0.s2 == 0); // expected-warning{{UNKNOWN}}
free(d0.s2); // no warning
return 0;
}
// Test arrays of structs.
struct ee {
int a;
char b;
};
struct EE {
struct ee s1[2];
char * s2;
};
int f13() {
struct EE E0 = {{{1, 2}, {3, 4}}, 0};
E0.s2 = strdup("hello");
char input[] = {'a', 'b', 'c', 'd'};
memcpy(E0.s1, input, 4);
clang_analyzer_eval(E0.s1[0].a == 'a'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(E0.s1[0].b == 'b'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(E0.s1[1].a == 'c'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(E0.s1[1].b == 'd'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(E0.s2 == 0); // expected-warning{{UNKNOWN}}
free(E0.s2); // no warning
return 0;
}
// Test global parameters.
struct aa a15 = {{1, 2, 3, 4}, 0};
int f15() {
a15.s2 = strdup("hello");
char input[] = {'a', 'b', 'c', 'd'};
memcpy(a15.s1, input, 4);
clang_analyzer_eval(a15.s1[0] == 'a'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a15.s1[1] == 'b'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a15.s1[2] == 'c'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a15.s1[3] == 'd'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a15.s2 == 0); // expected-warning{{UNKNOWN}}
free(a15.s2); // no warning
return 0;
}
// Test array of 0 sized elements.
struct empty {};
struct gg {
struct empty s1[4];
char * s2;
};
int f16() {
struct gg g0 = {{}, 0};
g0.s2 = strdup("hello");
char input[] = {'a', 'b', 'c', 'd'};
memcpy(g0.s1, input, 4);
clang_analyzer_eval(*(int*)(&g0.s1[0]) == 'a'); // expected-warning{{UNKNOWN}}\
expected-warning{{Potential leak of memory pointed to by 'g0.s2'}}
clang_analyzer_eval(*(int*)(&g0.s1[1]) == 'b'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(*(int*)(&g0.s1[2]) == 'c'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(*(int*)(&g0.s1[3]) == 'd'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(g0.s2 == 0); // expected-warning{{UNKNOWN}}
free(g0.s2); // no warning
return 0;
}
// Test array of 0 elements.
struct hh {
char s1[0];
char * s2;
};
int f17() {
struct hh h0;
h0.s2 = strdup("hello");
char input[] = {'a', 'b', 'c', 'd'};
memcpy(h0.s1, input, 4);
clang_analyzer_eval(h0.s1[0] == 'a'); // expected-warning{{UNKNOWN}}\
expected-warning{{Potential leak of memory pointed to by 'h0.s2'}}
clang_analyzer_eval(h0.s2 == 0); // expected-warning{{UNKNOWN}}
free(h0.s2); // no warning
return 0;
}
// Test writing past the array.
struct ii {
char s1[4];
int i;
int j;
char * s2;
};
int f18() {
struct ii i18 = {{1, 2, 3, 4}, 5, 6};
i18.i = 10;
i18.j = 11;
i18.s2 = strdup("hello");
char input[100] = {3};
memcpy(i18.s1, input, 100);
clang_analyzer_eval(i18.s1[0] == 1); // expected-warning{{UNKNOWN}}\
expected-warning{{Potential leak of memory pointed to by 'i18.s2'}}
clang_analyzer_eval(i18.s1[1] == 2); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(i18.s1[2] == 3); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(i18.s1[3] == 4); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(i18.i == 10); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(i18.j == 11); // expected-warning{{UNKNOWN}}
return 0;
}
int f181() {
struct ii i181 = {{1, 2, 3, 4}, 5, 6};
i181.i = 10;
i181.j = 11;
i181.s2 = strdup("hello");
char input[100] = {3};
memcpy(i181.s1, input, 5); // invalidate the whole region of i181
clang_analyzer_eval(i181.s1[0] == 1); // expected-warning{{UNKNOWN}}\
expected-warning{{Potential leak of memory pointed to by 'i181.s2'}}
clang_analyzer_eval(i181.s1[1] == 2); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(i181.s1[2] == 3); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(i181.s1[3] == 4); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(i181.i == 10); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(i181.j == 11); // expected-warning{{UNKNOWN}}
return 0;
}
// Test array with a symbolic offset.
struct jj {
char s1[2];
char * s2;
};
struct JJ {
struct jj s1[3];
char * s2;
};
int f19(int i) {
struct JJ J0 = {{{1, 2, 0}, {3, 4, 0}, {5, 6, 0}}, 0};
J0.s2 = strdup("hello");
J0.s1[0].s2 = strdup("hello");
J0.s1[1].s2 = strdup("hi");
J0.s1[2].s2 = strdup("world");
char input[2] = {'a', 'b'};
memcpy(J0.s1[i].s1, input, 2);
clang_analyzer_eval(J0.s1[0].s1[0] == 1); // expected-warning{{UNKNOWN}}\
expected-warning{{Potential leak of memory pointed to by field 's2'}}\
expected-warning{{Potential leak of memory pointed to by 'J0.s2'}}
clang_analyzer_eval(J0.s1[0].s1[1] == 2); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(J0.s1[1].s1[0] == 3); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(J0.s1[1].s1[1] == 4); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(J0.s1[2].s1[0] == 5); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(J0.s1[2].s1[1] == 6); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(J0.s1[i].s1[0] == 5); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(J0.s1[i].s1[1] == 6); // expected-warning{{UNKNOWN}}
// FIXME: memory leak warning for J0.s2 should be emitted here instead of after memcpy call.
return 0; // no warning
}
// Test array with its super region having symbolic offseted regions.
int f20(int i) {
struct aa * a20 = malloc(sizeof(struct aa) * 2);
a20[0].s1[0] = 1;
a20[0].s1[1] = 2;
a20[0].s1[2] = 3;
a20[0].s1[3] = 4;
a20[0].s2 = strdup("hello");
a20[1].s1[0] = 5;
a20[1].s1[1] = 6;
a20[1].s1[2] = 7;
a20[1].s1[3] = 8;
a20[1].s2 = strdup("world");
a20[i].s2 = strdup("hola");
char input[] = {'a', 'b', 'c', 'd'};
memcpy(a20[0].s1, input, 4);
clang_analyzer_eval(a20[0].s1[0] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a20[0].s1[1] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a20[0].s1[2] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a20[0].s1[3] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a20[0].s2 == 0); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a20[1].s1[0] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a20[1].s1[1] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a20[1].s1[2] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a20[1].s1[3] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a20[1].s2 == 0); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a20[i].s1[0] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a20[i].s1[1] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a20[i].s1[2] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a20[i].s1[3] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a20[i].s2 == 0); // expected-warning{{UNKNOWN}}\
expected-warning{{Potential leak of memory pointed to by 'a20'}}
return 0;
}
// Test array's region and super region both having symbolic offsets.
int f21(int i) {
struct aa * a21 = malloc(sizeof(struct aa) * 2);
a21[0].s1[0] = 1;
a21[0].s1[1] = 2;
a21[0].s1[2] = 3;
a21[0].s1[3] = 4;
a21[0].s2 = 0;
a21[1].s1[0] = 5;
a21[1].s1[1] = 6;
a21[1].s1[2] = 7;
a21[1].s1[3] = 8;
a21[1].s2 = 0;
a21[i].s2 = strdup("hello");
a21[i].s1[0] = 1;
a21[i].s1[1] = 2;
a21[i].s1[2] = 3;
a21[i].s1[3] = 4;
char input[] = {'a', 'b', 'c', 'd'};
memcpy(a21[i].s1, input, 4);
clang_analyzer_eval(a21[0].s1[0] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a21[0].s1[1] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a21[0].s1[2] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a21[0].s1[3] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a21[0].s2 == 0); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a21[1].s1[0] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a21[1].s1[1] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a21[1].s1[2] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a21[1].s1[3] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a21[1].s2 == 0); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a21[i].s1[0] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a21[i].s1[1] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a21[i].s1[2] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a21[i].s1[3] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a21[i].s2 == 0); // expected-warning{{UNKNOWN}}\
expected-warning{{Potential leak of memory pointed to by 'a21'}}
return 0;
}
// Test regions aliasing other regions.
struct ll {
char s1[4];
char * s2;
};
struct mm {
char s3[4];
char * s4;
};
int f24() {
struct ll l24 = {{1, 2, 3, 4}, 0};
struct mm * m24 = (struct mm *)&l24;
m24->s4 = strdup("hello");
char input[] = {1, 2, 3, 4};
memcpy(m24->s3, input, 4);
clang_analyzer_eval(m24->s3[0] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m24->s3[1] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m24->s3[2] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m24->s3[3] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(l24.s1[0] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(l24.s1[1] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(l24.s1[2] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(l24.s1[3] == 1); // expected-warning{{UNKNOWN}}\
expected-warning{{Potential leak of memory pointed to by field 's4'}}
return 0;
}
// Test region with potential aliasing and symbolic offsets.
// Store assumes no aliasing.
int f25(int i, int j, struct ll * l, struct mm * m) {
m->s4 = strdup("hola"); // m->s4 not tracked
m->s3[0] = 1;
m->s3[1] = 2;
m->s3[2] = 3;
m->s3[3] = 4;
m->s3[j] = 5; // invalidates m->s3
l->s2 = strdup("hello"); // l->s2 not tracked
l->s1[0] = 6;
l->s1[1] = 7;
l->s1[2] = 8;
l->s1[3] = 9;
l->s1[i] = 10; // invalidates l->s1
char input[] = {1, 2, 3, 4};
memcpy(m->s3, input, 4); // does not invalidate l->s1[i]
clang_analyzer_eval(m->s3[0] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m->s3[1] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m->s3[2] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m->s3[3] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m->s3[i] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m->s3[j] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(l->s1[0] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(l->s1[1] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(l->s1[2] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(l->s1[3] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(l->s1[i] == 1); // expected-warning{{FALSE}}
clang_analyzer_eval(l->s1[j] == 1); // expected-warning{{UNKNOWN}}
return 0;
}
// Test size with symbolic size argument.
int f26(int i) {
struct aa a26 = {{1, 2, 3, 4}, 0};
a26.s2 = strdup("hello");
char input[] = {'a', 'b', 'c', 'd'};
memcpy(a26.s1, input, i); // i assumed in bound
clang_analyzer_eval(a26.s1[0] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a26.s1[1] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a26.s1[2] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a26.s1[3] == 1); // expected-warning{{UNKNOWN}}\
expected-warning{{Potential leak of memory pointed to by 'a26.s2'}}
return 0;
}
// Test sizeof as a size argument.
int f261() {
struct aa a261 = {{1, 2, 3, 4}, 0};
a261.s2 = strdup("hello");
char input[] = {'a', 'b', 'c', 'd'};
memcpy(a261.s1, input, sizeof(a261.s1));
clang_analyzer_eval(a261.s1[0] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a261.s1[1] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a261.s1[2] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a261.s1[3] == 1); // expected-warning{{UNKNOWN}}\
expected-warning{{Potential leak of memory pointed to by 'a261.s2'}}
return 0;
}
// Test negative size argument.
int f262() {
struct aa a262 = {{1, 2, 3, 4}, 0};
a262.s2 = strdup("hello");
char input[] = {'a', 'b', 'c', 'd'};
memcpy(a262.s1, input, -1);
clang_analyzer_eval(a262.s1[0] == 1); // expected-warning{{UNKNOWN}}\
expected-warning{{Potential leak of memory pointed to by 'a262.s2'}}
clang_analyzer_eval(a262.s1[1] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a262.s1[2] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a262.s1[3] == 1); // expected-warning{{UNKNOWN}}
return 0;
}
// Test casting regions with symbolic offseted sub regions.
int f27(int i) {
struct mm m27 = {{1, 2, 3, 4}, 0};
m27.s4 = strdup("hello");
m27.s3[i] = 5;
char input[] = {'a', 'b', 'c', 'd'};
memcpy(((struct ll*)(&m27))->s1, input, 4);
clang_analyzer_eval(m27.s3[0] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m27.s3[1] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m27.s3[2] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m27.s3[3] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m27.s3[i] == 1); // expected-warning{{UNKNOWN}}\
expected-warning{{Potential leak of memory pointed to by 'm27.s4'}}
return 0;
}
int f28(int i, int j, int k, int l) {
struct mm m28[2];
m28[i].s4 = strdup("hello");
m28[j].s3[k] = 1;
struct ll * l28 = (struct ll*)(&m28[1]);
l28->s1[l] = 2;
char input[] = {'a', 'b', 'c', 'd'};
memcpy(l28->s1, input, 4);
clang_analyzer_eval(m28[0].s3[0] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m28[0].s3[1] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m28[0].s3[2] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m28[0].s3[3] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m28[1].s3[0] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m28[1].s3[1] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m28[1].s3[2] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m28[1].s3[3] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m28[i].s3[0] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m28[i].s3[1] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m28[i].s3[2] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m28[i].s3[3] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m28[j].s3[k] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(l28->s1[l] == 2); // expected-warning{{UNKNOWN}}
return 0;
}
int f29(int i, int j, int k, int l, int m) {
struct mm m29[2];
m29[i].s4 = strdup("hello");
m29[j].s3[k] = 1;
struct ll * l29 = (struct ll*)(&m29[l]);
l29->s1[m] = 2;
char input[] = {'a', 'b', 'c', 'd'};
memcpy(l29->s1, input, 4);
clang_analyzer_eval(m29[0].s3[0] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m29[0].s3[1] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m29[0].s3[2] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m29[0].s3[3] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m29[1].s3[0] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m29[1].s3[1] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m29[1].s3[2] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m29[1].s3[3] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m29[i].s3[0] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m29[i].s3[1] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m29[i].s3[2] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m29[i].s3[3] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m29[j].s3[k] == 1); // expected-warning{{TRUE}}\
expected-warning{{Potential leak of memory pointed to by field 's4'}}
clang_analyzer_eval(l29->s1[m] == 2); // expected-warning{{UNKNOWN}}
return 0;
}
// Test unions' fields.
union uu {
char x;
char s1[4];
};
int f30() {
union uu u30 = { .s1 = {1, 2, 3, 4}};
char input[] = {1, 2, 3, 4};
memcpy(u30.s1, input, 4);
clang_analyzer_eval(u30.s1[0] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(u30.s1[1] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(u30.s1[2] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(u30.s1[3] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(u30.x == 1); // expected-warning{{UNKNOWN}}
return 0;
}
struct kk {
union uu u;
char * s2;
};
int f31() {
struct kk k31;
k31.s2 = strdup("hello");
k31.u.x = 1;
char input[] = {'a', 'b', 'c', 'd'};
memcpy(k31.u.s1, input, 4);
clang_analyzer_eval(k31.u.s1[0] == 1); // expected-warning{{UNKNOWN}}\
expected-warning{{Potential leak of memory pointed to by 'k31.s2'}}
clang_analyzer_eval(k31.u.s1[1] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(k31.u.s1[2] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(k31.u.s1[3] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(k31.u.x == 1); // expected-warning{{UNKNOWN}}
// FIXME: memory leak warning for k31.s2 should be emitted here.
return 0;
}
union vv {
int x;
char * s2;
};
int f32() {
union vv v32;
v32.s2 = strdup("hello");
char input[] = {'a', 'b', 'c', 'd'};
memcpy(v32.s2, input, 4);
clang_analyzer_eval(v32.s2[0] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(v32.s2[1] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(v32.s2[2] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(v32.s2[3] == 1); // expected-warning{{UNKNOWN}}\
expected-warning{{Potential leak of memory pointed to by 'v32.s2'}}
return 0;
}
struct nn {
int s1;
int i;
int j;
int k;
char * s2;
};
// Test bad types to dest buffer.
int f33() {
struct nn n33 = {1, 2, 3, 4, 0};
n33.s2 = strdup("hello");
char input[] = {'a', 'b', 'c', 'd'};
memcpy(n33.s1, input, 4); // expected-warning{{incompatible integer to pointer conversion passing 'int' to parameter of type 'void *'}}
clang_analyzer_eval(n33.i == 2); // expected-warning{{TRUE}}
clang_analyzer_eval(n33.j == 3); // expected-warning{{TRUE}}
clang_analyzer_eval(n33.k == 4); // expected-warning{{TRUE}}
clang_analyzer_eval(((char*)(n33.s1))[0] == 1); // expected-warning{{UNKNOWN}}\
expected-warning{{cast to 'char *' from smaller integer type 'int'}}
clang_analyzer_eval(((char*)(n33.s1))[1] == 1); // expected-warning{{UNKNOWN}}\
expected-warning{{cast to 'char *' from smaller integer type 'int'}}
clang_analyzer_eval(((char*)(n33.s1))[2] == 1); // expected-warning{{UNKNOWN}}\
expected-warning{{cast to 'char *' from smaller integer type 'int'}}
clang_analyzer_eval(((char*)(n33.s1))[3] == 1); // expected-warning{{UNKNOWN}}\
expected-warning{{cast to 'char *' from smaller integer type 'int'}}
clang_analyzer_eval(n33.s2 == 0); //expected-warning{{UNKNOWN}}
return 0; // expected-warning{{Potential leak of memory pointed to by 'n33.s2'}}
}