This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
2/4
CStringChecker.cpp
-
test/Analysis/
-
Analysis/
-
cstring-plist.c
-
malloc.c
-
string.c

Differential D48831

[Analyzer] alpha.unix.cstring.OutOfBounds checker enable/disable fix
ClosedPublic

Authored by dkrupp on Jul 2 2018, 7:56 AM.

Download Raw Diff

Details

Reviewers

xazax.hun
martong
baloghadamsoftware
NoQ
george.karpenkov

Commits

rGbf966f523755: [Analyzer] alpha.unix.cstring.OutOfBounds checker enable/disable fix
rL337000: [Analyzer] alpha.unix.cstring.OutOfBounds checker enable/disable fix
rC337000: [Analyzer] alpha.unix.cstring.OutOfBounds checker enable/disable fix

Summary

It was not possible to disable alpha.unix.cstring.OutOfBounds checker's reports
since unix.Malloc checker always implicitly enabled the filter.
Moreover if the checker was disabled from command line (-analyzer-disable-checker ...)
the out of bounds warnings were nevertheless emitted under different
checker names such as unix.cstring.NullArg, or unix.Malloc.

This patch fixes the case sot that Malloc checker only enables implicitly the underlying
modeling of strcpy, memcpy etc. but not the warning messages that would have been
emmitted by alpha.unix.cstring.OutOfBounds

Diff Detail

Event Timeline

dkrupp created this revision.Jul 2 2018, 7:56 AM

Herald added a subscriber: rnkovacs. · View Herald TranscriptJul 2 2018, 7:56 AM

dkrupp added reviewers: baloghadamsoftware, NoQ.Jul 2 2018, 8:00 AM

dkrupp set the repository for this revision to rC Clang.

dkrupp removed a project: Restricted Project.

Herald added a subscriber: cfe-commits. · View Herald TranscriptJul 2 2018, 8:00 AM

Uhm, so we had an alpha checker enabled all along? Thanks for patching this up!

lib/StaticAnalyzer/Checkers/CStringChecker.cpp
308	Accidental double space.
311	Could we preserve the other portion of the assertion on this branch? I.e., `assert(Filter.CheckCStringNullArg)`. Additionally, do you really want to continue analysis on this path? Maybe `return nullptr` to sink?

The patch has been updated.
Changes:

-The analysis path is cut if overvlow is detected even if CStringOutOfBounds is disabled

The assert(Filter.CheckCStringOutOfBounds || Filter.CheckCStringNullArg); cannot be put back, because if both checkers are disabled, the assertion is not true.

dkrupp marked 2 inline comments as done.Jul 3 2018, 6:30 AM

dkrupp added inline comments.

lib/StaticAnalyzer/Checkers/CStringChecker.cpp
311	I was unsure whether to return nullptr or StOutBound. I thought that alpha.unix.cstring.OutOfBounds is in alpha because it may falsely detect buffer overflows and then we would cut the path unnecessarily. But OK, it is safer this way. I could not put back the assertion, because if only unix.Malloc checker is enabled (and CStringOutOfBounds and CStringNullArg are not) the assertion is not true.

LGTM! But wait for Artem's acceptance before submitting.

lib/StaticAnalyzer/Checkers/CStringChecker.cpp
311	I think the assertion could be preserved after the early exit, but it has no point to repeat the same condition in subsequent lines.

This revision is now accepted and ready to land.Jul 5 2018, 11:21 PM

@NoQ do we need any more update to this patch? Thanks.

Whoops, sry, yeah, looks good, please commit!

Closed by commit rC337000: [Analyzer] alpha.unix.cstring.OutOfBounds checker enable/disable fix (authored by baloghadamsoftware). · Explain WhyJul 13 2018, 6:49 AM

This revision was automatically updated to reflect the committed changes.

baloghadamsoftware retitled this revision from alpha.unix.cstring.OutOfBounds checker enable/disable fix to [Analyzer] alpha.unix.cstring.OutOfBounds checker enable/disable fix.Jul 13 2018, 6:51 AM

Herald added a reviewer: george.karpenkov. · View Herald TranscriptJul 13 2018, 6:51 AM

Herald added subscribers: mikhail.ramalho, a.sidorin, szepet, whisperity. · View Herald Transcript

Revision Contents

Path

Size

lib/

StaticAnalyzer/

Checkers/

CStringChecker.cpp

11 lines

test/

Analysis/

cstring-plist.c

22 lines

malloc.c

23 lines

string.c

25 lines

Diff 153718

lib/StaticAnalyzer/Checkers/CStringChecker.cpp

Show First 20 Lines • Show All 299 Lines • ▼ Show 20 Lines	ProgramStateRef CStringChecker::CheckLocation(CheckerContext &C,

// Get the index of the accessed element.		// Get the index of the accessed element.
DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();		DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();

ProgramStateRef StInBound = state->assumeInBound(Idx, Size, true);		ProgramStateRef StInBound = state->assumeInBound(Idx, Size, true);
ProgramStateRef StOutBound = state->assumeInBound(Idx, Size, false);		ProgramStateRef StOutBound = state->assumeInBound(Idx, Size, false);
if (StOutBound && !StInBound) {		if (StOutBound && !StInBound) {
// These checks are either enabled by the CString out-of-bounds checker		// These checks are either enabled by the CString out-of-bounds checker
// explicitly or the "basic" CStringNullArg checker support that Malloc		// explicitly or implicitly by the Malloc checker.
		NoQUnsubmitted Done Reply Inline Actions Accidental double space. NoQ: Accidental double space.
// checker enables.		// In the latter case we only do modeling but do not emit warning.
assert(Filter.CheckCStringOutOfBounds \|\| Filter.CheckCStringNullArg);		if (!Filter.CheckCStringOutOfBounds)
		return StOutBound;
		NoQUnsubmitted Done Reply Inline Actions Could we preserve the other portion of the assertion on this branch? I.e., `assert(Filter.CheckCStringNullArg)`. Additionally, do you really want to continue analysis on this path? Maybe `return nullptr` to sink? NoQ: Could we preserve the other portion of the assertion on this branch? I.e., `assert(Filter.
		dkruppAuthorUnsubmitted Not Done Reply Inline Actions I was unsure whether to return nullptr or StOutBound. I thought that alpha.unix.cstring.OutOfBounds is in alpha because it may falsely detect buffer overflows and then we would cut the path unnecessarily. But OK, it is safer this way. I could not put back the assertion, because if only unix.Malloc checker is enabled (and CStringOutOfBounds and CStringNullArg are not) the assertion is not true. dkrupp: I was unsure whether to return nullptr or StOutBound. I thought that alpha.unix.cstring.
		baloghadamsoftwareUnsubmitted Not Done Reply Inline Actions I think the assertion could be preserved after the early exit, but it has no point to repeat the same condition in subsequent lines. baloghadamsoftware: I think the assertion could be preserved after the early exit, but it has no point to repeat…

// Emit a bug report.		// Emit a bug report.
if (warningMsg) {		if (warningMsg) {
emitOutOfBoundsBug(C, StOutBound, S, warningMsg);		emitOutOfBoundsBug(C, StOutBound, S, warningMsg);
} else {		} else {
assert(CurrentFunctionDescription);		assert(CurrentFunctionDescription);
assert(CurrentFunctionDescription[0] != '\0');		assert(CurrentFunctionDescription[0] != '\0');

▲ Show 20 Lines • Show All 715 Lines • ▼ Show 20 Lines	if (Offset.isValid() && !Offset.hasSymbolicOffset() &&
// Get the base region's extent.		// Get the base region's extent.
auto *SubReg = cast<SubRegion>(BR);		auto *SubReg = cast<SubRegion>(BR);
DefinedOrUnknownSVal Extent = SubReg->getExtent(svalBuilder);		DefinedOrUnknownSVal Extent = SubReg->getExtent(svalBuilder);

ProgramStateRef StateWholeReg, StateNotWholeReg;		ProgramStateRef StateWholeReg, StateNotWholeReg;
std::tie(StateWholeReg, StateNotWholeReg) =		std::tie(StateWholeReg, StateNotWholeReg) =
State->assume(svalBuilder.evalEQ(State, Extent, *SizeNL));		State->assume(svalBuilder.evalEQ(State, Extent, *SizeNL));

// With the semantic of 'memset()', we should convert the CharVal to		// With the semantic of 'memset()', we should convert the CharVal to
// unsigned char.		// unsigned char.
CharVal = svalBuilder.evalCast(CharVal, Ctx.UnsignedCharTy, Ctx.IntTy);		CharVal = svalBuilder.evalCast(CharVal, Ctx.UnsignedCharTy, Ctx.IntTy);

ProgramStateRef StateNullChar, StateNonNullChar;		ProgramStateRef StateNullChar, StateNonNullChar;
std::tie(StateNullChar, StateNonNullChar) =		std::tie(StateNullChar, StateNonNullChar) =
assumeZero(C, State, CharVal, Ctx.UnsignedCharTy);		assumeZero(C, State, CharVal, Ctx.UnsignedCharTy);

if (StateWholeReg && !StateNotWholeReg && StateNullChar &&		if (StateWholeReg && !StateNotWholeReg && StateNullChar &&
▲ Show 20 Lines • Show All 1,362 Lines • ▼ Show 20 Lines	#define REGISTER_CHECKER(name) \
}		}

REGISTER_CHECKER(CStringNullArg)		REGISTER_CHECKER(CStringNullArg)
REGISTER_CHECKER(CStringOutOfBounds)		REGISTER_CHECKER(CStringOutOfBounds)
REGISTER_CHECKER(CStringBufferOverlap)		REGISTER_CHECKER(CStringBufferOverlap)
REGISTER_CHECKER(CStringNotNullTerm)		REGISTER_CHECKER(CStringNotNullTerm)

void ento::registerCStringCheckerBasic(CheckerManager &Mgr) {		void ento::registerCStringCheckerBasic(CheckerManager &Mgr) {
registerCStringNullArg(Mgr);		Mgr.registerChecker<CStringChecker>();
}		}

test/Analysis/cstring-plist.c

This file was added.

				// RUN: rm -f %t
				// RUN: %clang_analyze_cc1 -fblocks -analyzer-checker=core,unix.Malloc,unix.cstring.NullArg -analyzer-disable-checker=alpha.unix.cstring.OutOfBounds -analyzer-output=plist -analyzer-config path-diagnostics-alternate=false -o %t %s
				// RUN: FileCheck -input-file %t %s

				typedef __typeof(sizeof(int)) size_t;
				void *malloc(size_t);
				void free(void *);
				char strncpy(char restrict s1, const char *restrict s2, size_t n);



				void cstringchecker_bounds_nocrash() {
				char *p = malloc(2);
				strncpy(p, "AAA", sizeof("AAA")); // we don't expect warning as the checker is disabled
				free(p);
				}

				// CHECK: <key>diagnostics</key>
				// CHECK-NEXT: <array>
				// CHECK-NEXT: </array>
				// CHECK-NEXT: </dict>
				// CHECK-NEXT: </plist>

test/Analysis/malloc.c

Show First 20 Lines • Show All 369 Lines • ▼ Show 20 Lines	void CheckUseZeroReallocatedPathWarn(_Bool b) {
free(q);		free(q);
}		}

// This case tests that storing malloc'ed memory to a static variable which is		// This case tests that storing malloc'ed memory to a static variable which is
// then returned is not leaked. In the absence of known contracts for functions		// then returned is not leaked. In the absence of known contracts for functions
// or inter-procedural analysis, this is a conservative answer.		// or inter-procedural analysis, this is a conservative answer.
int *f3() {		int *f3() {
static int *p = 0;		static int *p = 0;
p = malloc(12);		p = malloc(12);
return p; // no-warning		return p; // no-warning
}		}

// This case tests that storing malloc'ed memory to a static global variable		// This case tests that storing malloc'ed memory to a static global variable
// which is then returned is not leaked. In the absence of known contracts for		// which is then returned is not leaked. In the absence of known contracts for
// functions or inter-procedural analysis, this is a conservative answer.		// functions or inter-procedural analysis, this is a conservative answer.
static int *p_f4 = 0;		static int *p_f4 = 0;
int *f4() {		int *f4() {
p_f4 = malloc(12);		p_f4 = malloc(12);
return p_f4; // no-warning		return p_f4; // no-warning
}		}

int *f5() {		int *f5() {
int *q = malloc(12);		int *q = malloc(12);
q = realloc(q, 20);		q = realloc(q, 20);
return q; // no-warning		return q; // no-warning
}		}
▲ Show 20 Lines • Show All 831 Lines • ▼ Show 20 Lines
// a heap allocation for small work sizes. This tests the analyzer's		// a heap allocation for small work sizes. This tests the analyzer's
// understanding that the malloc'ed memory is not the same as stackBuffer.		// understanding that the malloc'ed memory is not the same as stackBuffer.
void radar10978247(int myValueSize) {		void radar10978247(int myValueSize) {
char stackBuffer[128];		char stackBuffer[128];
char *buffer;		char *buffer;

if (myValueSize <= sizeof(stackBuffer))		if (myValueSize <= sizeof(stackBuffer))
buffer = stackBuffer;		buffer = stackBuffer;
else		else
buffer = malloc(myValueSize);		buffer = malloc(myValueSize);

// do stuff with the buffer		// do stuff with the buffer
if (buffer != stackBuffer)		if (buffer != stackBuffer)
free(buffer);		free(buffer);
}		}

void radar10978247_positive(int myValueSize) {		void radar10978247_positive(int myValueSize) {
char stackBuffer[128];		char stackBuffer[128];
char *buffer;		char *buffer;

if (myValueSize <= sizeof(stackBuffer))		if (myValueSize <= sizeof(stackBuffer))
buffer = stackBuffer;		buffer = stackBuffer;
else		else
buffer = malloc(myValueSize);		buffer = malloc(myValueSize);

// do stuff with the buffer		// do stuff with the buffer
if (buffer == stackBuffer)		if (buffer == stackBuffer)
return;		return;
else		else
return; // expected-warning {{leak}}		return; // expected-warning {{leak}}
}␋		}
// <rdar://problem/11269741> Previously this triggered a false positive		// <rdar://problem/11269741> Previously this triggered a false positive
// because malloc() is known to return uninitialized memory and the binding		// because malloc() is known to return uninitialized memory and the binding
// of 'o' to 'p->n' was not getting propertly handled. Now we report a leak.		// of 'o' to 'p->n' was not getting propertly handled. Now we report a leak.
struct rdar11269741_a_t {		struct rdar11269741_a_t {
struct rdar11269741_b_t {		struct rdar11269741_b_t {
int m;		int m;
} n;		} n;
};		};
▲ Show 20 Lines • Show All 427 Lines • ▼ Show 20 Lines	if (new_memory != 0) {
*memory = new_memory;		*memory = new_memory;
}		}
}		}

// PR16558		// PR16558
void *smallocNoWarn(size_t size) {		void *smallocNoWarn(size_t size) {
if (size == 0) {		if (size == 0) {
return malloc(1); // this branch is never called		return malloc(1); // this branch is never called
}		}
else {		else {
return malloc(size);		return malloc(size);
}		}
}		}

char dupstrNoWarn(const char s) {		char dupstrNoWarn(const char s) {
const int len = strlen(s);		const int len = strlen(s);
char p = (char) smallocNoWarn(len + 1);		char p = (char) smallocNoWarn(len + 1);
▲ Show 20 Lines • Show All 62 Lines • ▼ Show 20 Lines	void freeIndirectFunctionPtr() {
void p = (void )fnptr;		void p = (void )fnptr;
free(p); // expected-warning {{Argument to free() is a function pointer}}		free(p); // expected-warning {{Argument to free() is a function pointer}}
}		}

void freeFunctionPtr() {		void freeFunctionPtr() {
free((void *)fnptr); // expected-warning {{Argument to free() is a function pointer}}		free((void *)fnptr); // expected-warning {{Argument to free() is a function pointer}}
}		}

// Enabling the malloc checker enables some of the buffer-checking portions
// of the C-string checker.
void cstringchecker_bounds_nocrash() {
char *p = malloc(2);
strncpy(p, "AAA", sizeof("AAA")); // expected-warning {{Size argument is greater than the length of the destination buffer}}

free(p);
}

void allocateSomeMemory(void offendingParameter, void *ptr) {		void allocateSomeMemory(void offendingParameter, void *ptr) {
*ptr = malloc(1);		*ptr = malloc(1);
}		}

void testNoCrashOnOffendingParameter() {		void testNoCrashOnOffendingParameter() {
// "extern" is necessary to avoid unrelated warnings		// "extern" is necessary to avoid unrelated warnings
// on passing uninitialized value.		// on passing uninitialized value.
extern void *offendingParameter;		extern void *offendingParameter;
void* ptr;		void* ptr;
allocateSomeMemory(offendingParameter, &ptr);		allocateSomeMemory(offendingParameter, &ptr);
} // expected-warning {{Potential leak of memory pointed to by 'ptr'}}		} // expected-warning {{Potential leak of memory pointed to by 'ptr'}}

// ----------------------------------------------------------------------------		// ----------------------------------------------------------------------------
// False negatives.		// False negatives.
Show All 23 Lines

test/Analysis/string.c

Show All 25 Lines
#endif /* USE_BUILTINS */		#endif /* USE_BUILTINS */

#define NULL 0		#define NULL 0
typedef typeof(sizeof(int)) size_t;		typedef typeof(sizeof(int)) size_t;

void clang_analyzer_eval(int);		void clang_analyzer_eval(int);

int scanf(const char *restrict format, ...);		int scanf(const char *restrict format, ...);
		void *malloc(size_t);
		void free(void *);

//===----------------------------------------------------------------------===		//===----------------------------------------------------------------------===
// strlen()		// strlen()
//===----------------------------------------------------------------------===		//===----------------------------------------------------------------------===

#define strlen BUILTIN(strlen)		#define strlen BUILTIN(strlen)
size_t strlen(const char *s);		size_t strlen(const char *s);

▲ Show 20 Lines • Show All 63 Lines • ▼ Show 20 Lines

extern char global_str[];		extern char global_str[];
void strlen_global() {		void strlen_global() {
size_t a = strlen(global_str);		size_t a = strlen(global_str);
size_t b = strlen(global_str);		size_t b = strlen(global_str);
if (a == 0) {		if (a == 0) {
clang_analyzer_eval(b == 0); // expected-warning{{TRUE}}		clang_analyzer_eval(b == 0); // expected-warning{{TRUE}}
// Make sure clang_analyzer_eval does not invalidate globals.		// Make sure clang_analyzer_eval does not invalidate globals.
clang_analyzer_eval(strlen(global_str) == 0); // expected-warning{{TRUE}}		clang_analyzer_eval(strlen(global_str) == 0); // expected-warning{{TRUE}}
}		}

// Call a function with unknown effects, which should invalidate globals.		// Call a function with unknown effects, which should invalidate globals.
use_string(0);		use_string(0);

size_t c = strlen(global_str);		size_t c = strlen(global_str);
if (a == 0)		if (a == 0)
clang_analyzer_eval(c == 0); // expected-warning{{UNKNOWN}}		clang_analyzer_eval(c == 0); // expected-warning{{UNKNOWN}}
▲ Show 20 Lines • Show All 182 Lines • ▼ Show 20 Lines	if (globalInt != 42)
return;		return;

clang_analyzer_eval(strcpy(x, y) == x); // expected-warning{{TRUE}}		clang_analyzer_eval(strcpy(x, y) == x); // expected-warning{{TRUE}}
clang_analyzer_eval(strlen(x) == strlen(y)); // expected-warning{{TRUE}}		clang_analyzer_eval(strlen(x) == strlen(y)); // expected-warning{{TRUE}}
clang_analyzer_eval(a == x[0]); // expected-warning{{UNKNOWN}}		clang_analyzer_eval(a == x[0]); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(globalInt == 42); // expected-warning{{TRUE}}		clang_analyzer_eval(globalInt == 42); // expected-warning{{TRUE}}
}		}

		#ifndef SUPPRESS_OUT_OF_BOUND
void strcpy_overflow(char *y) {		void strcpy_overflow(char *y) {
char x[4];		char x[4];
if (strlen(y) == 4)		if (strlen(y) == 4)
strcpy(x, y); // expected-warning{{String copy function overflows destination buffer}}		strcpy(x, y); // expected-warning{{String copy function overflows destination buffer}}
}		}
		#endif

void strcpy_no_overflow(char *y) {		void strcpy_no_overflow(char *y) {
char x[4];		char x[4];
if (strlen(y) == 3)		if (strlen(y) == 3)
strcpy(x, y); // no-warning		strcpy(x, y); // no-warning
}		}

//===----------------------------------------------------------------------===		//===----------------------------------------------------------------------===
Show All 18 Lines
void stpcpy_effect(char x, char y) {		void stpcpy_effect(char x, char y) {
char a = x[0];		char a = x[0];

clang_analyzer_eval(stpcpy(x, y) == &x[strlen(y)]); // expected-warning{{TRUE}}		clang_analyzer_eval(stpcpy(x, y) == &x[strlen(y)]); // expected-warning{{TRUE}}
clang_analyzer_eval(strlen(x) == strlen(y)); // expected-warning{{TRUE}}		clang_analyzer_eval(strlen(x) == strlen(y)); // expected-warning{{TRUE}}
clang_analyzer_eval(a == x[0]); // expected-warning{{UNKNOWN}}		clang_analyzer_eval(a == x[0]); // expected-warning{{UNKNOWN}}
}		}

		#ifndef SUPPRESS_OUT_OF_BOUND
void stpcpy_overflow(char *y) {		void stpcpy_overflow(char *y) {
char x[4];		char x[4];
if (strlen(y) == 4)		if (strlen(y) == 4)
stpcpy(x, y); // expected-warning{{String copy function overflows destination buffer}}		stpcpy(x, y); // expected-warning{{String copy function overflows destination buffer}}
}		}
		#endif

void stpcpy_no_overflow(char *y) {		void stpcpy_no_overflow(char *y) {
char x[4];		char x[4];
if (strlen(y) == 3)		if (strlen(y) == 3)
stpcpy(x, y); // no-warning		stpcpy(x, y); // no-warning
}		}

//===----------------------------------------------------------------------===		//===----------------------------------------------------------------------===
Show All 34 Lines	void strcat_effects(char *y) {

if (strlen(y) != 4)		if (strlen(y) != 4)
return;		return;

clang_analyzer_eval(strcat(x, y) == x); // expected-warning{{TRUE}}		clang_analyzer_eval(strcat(x, y) == x); // expected-warning{{TRUE}}
clang_analyzer_eval((int)strlen(x) == (orig_len + strlen(y))); // expected-warning{{TRUE}}		clang_analyzer_eval((int)strlen(x) == (orig_len + strlen(y))); // expected-warning{{TRUE}}
}		}

		#ifndef SUPPRESS_OUT_OF_BOUND
void strcat_overflow_0(char *y) {		void strcat_overflow_0(char *y) {
char x[4] = "12";		char x[4] = "12";
if (strlen(y) == 4)		if (strlen(y) == 4)
strcat(x, y); // expected-warning{{String copy function overflows destination buffer}}		strcat(x, y); // expected-warning{{String copy function overflows destination buffer}}
}		}

void strcat_overflow_1(char *y) {		void strcat_overflow_1(char *y) {
char x[4] = "12";		char x[4] = "12";
if (strlen(y) == 3)		if (strlen(y) == 3)
strcat(x, y); // expected-warning{{String copy function overflows destination buffer}}		strcat(x, y); // expected-warning{{String copy function overflows destination buffer}}
}		}

void strcat_overflow_2(char *y) {		void strcat_overflow_2(char *y) {
char x[4] = "12";		char x[4] = "12";
if (strlen(y) == 2)		if (strlen(y) == 2)
strcat(x, y); // expected-warning{{String copy function overflows destination buffer}}		strcat(x, y); // expected-warning{{String copy function overflows destination buffer}}
}		}
		#endif

void strcat_no_overflow(char *y) {		void strcat_no_overflow(char *y) {
char x[5] = "12";		char x[5] = "12";
if (strlen(y) == 2)		if (strlen(y) == 2)
strcat(x, y); // no-warning		strcat(x, y); // no-warning
}		}

void strcat_symbolic_dst_length(char *dst) {		void strcat_symbolic_dst_length(char *dst) {
▲ Show 20 Lines • Show All 60 Lines • ▼ Show 20 Lines
void strncpy_effects(char x, char y) {		void strncpy_effects(char x, char y) {
char a = x[0];		char a = x[0];

clang_analyzer_eval(strncpy(x, y, 5) == x); // expected-warning{{TRUE}}		clang_analyzer_eval(strncpy(x, y, 5) == x); // expected-warning{{TRUE}}
clang_analyzer_eval(strlen(x) == strlen(y)); // expected-warning{{UNKNOWN}}		clang_analyzer_eval(strlen(x) == strlen(y)); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a == x[0]); // expected-warning{{UNKNOWN}}		clang_analyzer_eval(a == x[0]); // expected-warning{{UNKNOWN}}
}		}

		#ifndef SUPPRESS_OUT_OF_BOUND
		// Enabling the malloc checker enables some of the buffer-checking portions
		// of the C-string checker.
		void cstringchecker_bounds_nocrash() {
		char *p = malloc(2);
		strncpy(p, "AAA", sizeof("AAA")); // expected-warning {{Size argument is greater than the length of the destination buffer}}
		free(p);
		}

void strncpy_overflow(char *y) {		void strncpy_overflow(char *y) {
char x[4];		char x[4];
if (strlen(y) == 4)		if (strlen(y) == 4)
strncpy(x, y, 5); // expected-warning{{Size argument is greater than the length of the destination buffer}}		strncpy(x, y, 5); // expected-warning{{Size argument is greater than the length of the destination buffer}}
}		}

void strncpy_no_overflow(char *y) {		void strncpy_no_overflow(char *y) {
char x[4];		char x[4];
if (strlen(y) == 3)		if (strlen(y) == 3)
strncpy(x, y, 5); // expected-warning{{Size argument is greater than the length of the destination buffer}}		strncpy(x, y, 5); // expected-warning{{Size argument is greater than the length of the destination buffer}}
}		}

void strncpy_no_overflow2(char *y, int n) {		void strncpy_no_overflow2(char *y, int n) {
if (n <= 4)		if (n <= 4)
return;		return;

char x[4];		char x[4];
if (strlen(y) == 3)		if (strlen(y) == 3)
strncpy(x, y, n); // expected-warning{{Size argument is greater than the length of the destination buffer}}		strncpy(x, y, n); // expected-warning{{Size argument is greater than the length of the destination buffer}}
}		}
		#endif

void strncpy_truncate(char *y) {		void strncpy_truncate(char *y) {
char x[4];		char x[4];
if (strlen(y) == 4)		if (strlen(y) == 4)
strncpy(x, y, 3); // no-warning		strncpy(x, y, 3); // no-warning
}		}

void strncpy_no_truncate(char *y) {		void strncpy_no_truncate(char *y) {
▲ Show 20 Lines • Show All 60 Lines • ▼ Show 20 Lines	void strncat_effects(char *y) {

if (strlen(y) != 4)		if (strlen(y) != 4)
return;		return;

clang_analyzer_eval(strncat(x, y, strlen(y)) == x); // expected-warning{{TRUE}}		clang_analyzer_eval(strncat(x, y, strlen(y)) == x); // expected-warning{{TRUE}}
clang_analyzer_eval(strlen(x) == (orig_len + strlen(y))); // expected-warning{{TRUE}}		clang_analyzer_eval(strlen(x) == (orig_len + strlen(y))); // expected-warning{{TRUE}}
}		}

		#ifndef SUPPRESS_OUT_OF_BOUND
void strncat_overflow_0(char *y) {		void strncat_overflow_0(char *y) {
char x[4] = "12";		char x[4] = "12";
if (strlen(y) == 4)		if (strlen(y) == 4)
strncat(x, y, strlen(y)); // expected-warning{{Size argument is greater than the free space in the destination buffer}}		strncat(x, y, strlen(y)); // expected-warning{{Size argument is greater than the free space in the destination buffer}}
}		}

void strncat_overflow_1(char *y) {		void strncat_overflow_1(char *y) {
char x[4] = "12";		char x[4] = "12";
if (strlen(y) == 3)		if (strlen(y) == 3)
strncat(x, y, strlen(y)); // expected-warning{{Size argument is greater than the free space in the destination buffer}}		strncat(x, y, strlen(y)); // expected-warning{{Size argument is greater than the free space in the destination buffer}}
}		}

void strncat_overflow_2(char *y) {		void strncat_overflow_2(char *y) {
char x[4] = "12";		char x[4] = "12";
if (strlen(y) == 2)		if (strlen(y) == 2)
strncat(x, y, strlen(y)); // expected-warning{{Size argument is greater than the free space in the destination buffer}}		strncat(x, y, strlen(y)); // expected-warning{{Size argument is greater than the free space in the destination buffer}}
}		}

void strncat_overflow_3(char *y) {		void strncat_overflow_3(char *y) {
char x[4] = "12";		char x[4] = "12";
if (strlen(y) == 4)		if (strlen(y) == 4)
strncat(x, y, 2); // expected-warning{{Size argument is greater than the free space in the destination buffer}}		strncat(x, y, 2); // expected-warning{{Size argument is greater than the free space in the destination buffer}}
}		}
		#endif

void strncat_no_overflow_1(char *y) {		void strncat_no_overflow_1(char *y) {
char x[5] = "12";		char x[5] = "12";
if (strlen(y) == 2)		if (strlen(y) == 2)
strncat(x, y, strlen(y)); // no-warning		strncat(x, y, strlen(y)); // no-warning
}		}

void strncat_no_overflow_2(char *y) {		void strncat_no_overflow_2(char *y) {
char x[4] = "12";		char x[4] = "12";
if (strlen(y) == 4)		if (strlen(y) == 4)
strncat(x, y, 1); // no-warning		strncat(x, y, 1); // no-warning
}		}

void strncat_symbolic_dst_length(char *dst) {		void strncat_symbolic_dst_length(char *dst) {
strncat(dst, "1234", 5);		strncat(dst, "1234", 5);
clang_analyzer_eval(strlen(dst) >= 4); // expected-warning{{TRUE}}		clang_analyzer_eval(strlen(dst) >= 4); // expected-warning{{TRUE}}
}		}

		#ifndef SUPPRESS_OUT_OF_BOUND
void strncat_symbolic_src_length(char *src) {		void strncat_symbolic_src_length(char *src) {
char dst[8] = "1234";		char dst[8] = "1234";
strncat(dst, src, 3);		strncat(dst, src, 3);
clang_analyzer_eval(strlen(dst) >= 4); // expected-warning{{TRUE}}		clang_analyzer_eval(strlen(dst) >= 4); // expected-warning{{TRUE}}

char dst2[8] = "1234";		char dst2[8] = "1234";
strncat(dst2, src, 4); // expected-warning{{Size argument is greater than the free space in the destination buffer}}		strncat(dst2, src, 4); // expected-warning{{Size argument is greater than the free space in the destination buffer}}
}		}

void strncat_unknown_src_length(char *src, int offset) {		void strncat_unknown_src_length(char *src, int offset) {
char dst[8] = "1234";		char dst[8] = "1234";
strncat(dst, &src[offset], 3);		strncat(dst, &src[offset], 3);
clang_analyzer_eval(strlen(dst) >= 4); // expected-warning{{TRUE}}		clang_analyzer_eval(strlen(dst) >= 4); // expected-warning{{TRUE}}

char dst2[8] = "1234";		char dst2[8] = "1234";
strncat(dst2, &src[offset], 4); // expected-warning{{Size argument is greater than the free space in the destination buffer}}		strncat(dst2, &src[offset], 4); // expected-warning{{Size argument is greater than the free space in the destination buffer}}
}		}
		#endif

// There is no strncat_unknown_dst_length because if we can't get a symbolic		// There is no strncat_unknown_dst_length because if we can't get a symbolic
// length for the "before" strlen, we won't be able to set one for "after".		// length for the "before" strlen, we won't be able to set one for "after".

void strncat_symbolic_limit(unsigned limit) {		void strncat_symbolic_limit(unsigned limit) {
char dst[6] = "1234";		char dst[6] = "1234";
char src[] = "567";		char src[] = "567";
strncat(dst, src, limit); // no-warning		strncat(dst, src, limit); // no-warning
▲ Show 20 Lines • Show All 814 Lines • Show Last 20 Lines