This is an archive of the discontinued LLVM Phabricator instance.

Differential D66847

[analyzer] Fix analyzer warnings.
ClosedPublic

Authored by NoQ on Aug 27 2019, 5:06 PM.

Details

Reviewers
dcoughlin
xazax.hun
a_sidorin
rnkovacs
Szelethus
baloghadamsoftware
Charusso
Commits
rG630f7daf80fe: [analyzer] Fix analyzer warnings on analyzer.
rL370246: [analyzer] Fix analyzer warnings on analyzer.
rC370246: [analyzer] Fix analyzer warnings on analyzer.
Summary

They ain't gonna fix themselves... well, not yet.

This is an outcome for this summer's GSoC! - http://lists.llvm.org/pipermail/cfe-dev/2019-August/063195.html

Found one real crash, added a couple tests:

Addressed 17 style issues that aren't real crashes - mostly misuses of dyn_cast / getAs (i.e., "if the dyn_ part is really necessary here, then you crash with a null dereference a few lines below because you didn't check the result"). These changes indeed made the code cleaner and shorter.

Suppressed 4 false positives; i found these assertions/refactorings nice anyway, except one (which i'd prefer to have as a post-condition on a certain function but we didn't invent post-conditions yet in C++).

That leaves us with only one remaining false positive that isn't really actionable; i'll have to investigate.

Diff Detail

Event Timeline

NoQ created this revision.Aug 27 2019, 5:06 PM
Herald added a project: Restricted Project. · View Herald TranscriptAug 27 2019, 5:07 PM
Herald added subscribers: cfe-commits, dkrupp, donat.nagy and 3 others. · View Herald Transcript
NoQ updated this revision to Diff 217537.Aug 27 2019, 5:20 PM
NoQ edited the summary of this revision. (Show Details)

Use auto in one more place.

Szelethus accepted this revision.Aug 27 2019, 5:48 PM

if the dyn_ part is really necessary here, then you crash with a null dereference a few lines below because you didn't check the result

Hmm, can we detect things like this?:

if (isa<FunctionDecl>(D)) {
  const auto *FD = dyn_cast(D); // warn: D is known to be a FunctionDecl, prefer using cast<>
  // ...
}
This revision is now accepted and ready to land.Aug 27 2019, 5:48 PM
NoQ marked an inline comment as done.Aug 27 2019, 5:54 PM
In D66847#1648209, @Szelethus wrote:

if the dyn_ part is really necessary here, then you crash with a null dereference a few lines below because you didn't check the result

Hmm, can we detect things like this?:

if (isa<FunctionDecl>(D)) {
  const auto *FD = dyn_cast(D); // warn: D is known to be a FunctionDecl, prefer using cast<>
  // ...
}

We should be detecting things like this as of D66325 and D66423 (we remember which casts were successful and don't re-assume them again), but LocalizationChecker.cpp turned out to have a false positive of this kind. @Charusso, you may want to take a look.

clang/lib/StaticAnalyzer/Checkers/LocalizationChecker.cpp
885–888

Note: this was a false positive.

NoQ added a comment.EditedAug 27 2019, 5:56 PM

I mean, such code should indeed be refactored to query the custom RTTI only once, but given that it's locally obvious that there's no null dereference in this code, we should not be emitting a warning on it. Or, at least, emitting a different kind of warning.

Szelethus added a comment.Aug 27 2019, 6:25 PM

Another common mistake is this:

if (A) {
  const auto *B = dyn_cast_or_null<FunctionDecl>(A); // warn: A is known to be non-null, prefer dyn_cast
}
NoQ added a comment.Aug 27 2019, 6:41 PM
In D66847#1648209, @Szelethus wrote:
if (isa<FunctionDecl>(D)) {
  const auto *FD = dyn_cast<FunctionDecl>(D); // warn: D is known to be a FunctionDecl, prefer using cast<>
  // ...
}
In D66847#1648339, @Szelethus wrote:
if (A) {
  const auto *B = dyn_cast_or_null<FunctionDecl>(A); // warn: A is known to be non-null, prefer dyn_cast
}

Both of these are must-problems. They are hard to solve via symbolic execution because all execution paths need to be taken into account simultaneously. Eg.:

if (isa<FunctionDecl>(D)) {
  if (coin)
    D = getDecl(); // Maybe not a FunctionDecl.

  // It's not enough to know that D is a FunctionDecl assuming coin is false.
  const auto *FD = dyn_cast<FunctionDecl>(D); // no-warning:
}

We could maybe make a syntactic checker or a data flow checker to find these anti-patterns. @Charusso also had an idea for a clang-tidy checker that emits fixits for code like dyn_cast<T>(x)->foo() ("use 'cast' instead").

NoQ added a comment.Aug 27 2019, 6:51 PM

Filed the remaining false positive back on myself as https://bugs.llvm.org/show_bug.cgi?id=43135.

Closed by commit rL370246: [analyzer] Fix analyzer warnings on analyzer. (authored by NoQ). · Explain WhyAug 28 2019, 11:45 AM
This revision was automatically updated to reflect the committed changes.
Herald added a project: Restricted Project. · View Herald TranscriptAug 28 2019, 11:45 AM
Herald added a subscriber: llvm-commits. · View Herald Transcript

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Core/
PathSensitive/
6 lines
lib/
StaticAnalyzer/
Checkers/
27 lines
9 lines
15 lines
3 lines
23 lines
MPI-Checker/
4 lines
13 lines
2 lines
10 lines
2 lines
UninitializedObject/
9 lines
3 lines
Core/
2 lines
3 lines
5 lines
3 lines
5 lines
test/
Analysis/
19 lines
17 lines
19 lines

Diff 217537

clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h

Show First 20 LinesShow All 163 Lines▼ Show 20 Linespublic:
/// ///
/// When this region represents a subexpression, the method is for printing /// When this region represents a subexpression, the method is for printing
/// an expression containing it. /// an expression containing it.
virtual void printPrettyAsExpr(raw_ostream &os) const; virtual void printPrettyAsExpr(raw_ostream &os) const;
Kind getKind() const { return kind; } Kind getKind() const { return kind; }
template<typename RegionTy> const RegionTy* getAs() const; template<typename RegionTy> const RegionTy* getAs() const;
template<typename RegionTy> const RegionTy* castAs() const;
virtual bool isBoundable() const { return false; } virtual bool isBoundable() const { return false; }
/// Get descriptive name for memory region. The name is obtained from /// Get descriptive name for memory region. The name is obtained from
/// the variable/field declaration retrieved from the memory region. /// the variable/field declaration retrieved from the memory region.
/// Regions that point to an element of an array are returned as: "arr[0]". /// Regions that point to an element of an array are returned as: "arr[0]".
/// Regions that point to a struct are returned as: "st.var". /// Regions that point to a struct are returned as: "st.var".
// //
▲ Show 20 LinesShow All 1,046 Lines▼ Show 20 Lines
template<typename RegionTy> template<typename RegionTy>
const RegionTy* MemRegion::getAs() const { const RegionTy* MemRegion::getAs() const {
if (const auto *RT = dyn_cast<RegionTy>(this)) if (const auto *RT = dyn_cast<RegionTy>(this))
return RT; return RT;
return nullptr; return nullptr;
} }
template<typename RegionTy>
const RegionTy* MemRegion::castAs() const {
return cast<RegionTy>(this);
}
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// MemRegionManager - Factory object for creating regions. // MemRegionManager - Factory object for creating regions.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
class MemRegionManager { class MemRegionManager {
ASTContext &C; ASTContext &C;
llvm::BumpPtrAllocator& A; llvm::BumpPtrAllocator& A;
llvm::FoldingSet<MemRegion> Regions; llvm::FoldingSet<MemRegion> Regions;
▲ Show 20 LinesShow All 247 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/CStringSyntaxChecker.cpp

Show First 20 LinesShow All 150 Lines▼ Show 20 Lines
} }
bool WalkAST::containsBadStrlcpyStrlcatPattern(const CallExpr *CE) { bool WalkAST::containsBadStrlcpyStrlcatPattern(const CallExpr *CE) {
if (CE->getNumArgs() != 3) if (CE->getNumArgs() != 3)
return false; return false;
const Expr *DstArg = CE->getArg(0); const Expr *DstArg = CE->getArg(0);
const Expr *LenArg = CE->getArg(2); const Expr *LenArg = CE->getArg(2);
const auto *DstArgDecl = dyn_cast<DeclRefExpr>(DstArg->IgnoreParenImpCasts()); const auto *DstArgDRE = dyn_cast<DeclRefExpr>(DstArg->IgnoreParenImpCasts());
const auto *LenArgDecl = dyn_cast<DeclRefExpr>(LenArg->IgnoreParenLValueCasts()); const auto *LenArgDRE =
dyn_cast<DeclRefExpr>(LenArg->IgnoreParenLValueCasts());
uint64_t DstOff = 0; uint64_t DstOff = 0;
if (isSizeof(LenArg, DstArg)) if (isSizeof(LenArg, DstArg))
return false; return false;
// - size_t dstlen = sizeof(dst) // - size_t dstlen = sizeof(dst)
if (LenArgDecl) { if (LenArgDRE) {
const auto *LenArgVal = dyn_cast<VarDecl>(LenArgDecl->getDecl()); const auto *LenArgVal = dyn_cast<VarDecl>(LenArgDRE->getDecl());
// If it's an EnumConstantDecl instead, then we're missing out on something.
if (!LenArgVal) {
assert(isa<EnumConstantDecl>(LenArgDRE->getDecl()));
return false;
}
if (LenArgVal->getInit()) if (LenArgVal->getInit())
LenArg = LenArgVal->getInit(); LenArg = LenArgVal->getInit();
} }
// - integral value // - integral value
// We try to figure out if the last argument is possibly longer // We try to figure out if the last argument is possibly longer
// than the destination can possibly handle if its size can be defined. // than the destination can possibly handle if its size can be defined.
if (const auto *IL = dyn_cast<IntegerLiteral>(LenArg->IgnoreParenImpCasts())) { if (const auto *IL = dyn_cast<IntegerLiteral>(LenArg->IgnoreParenImpCasts())) {
uint64_t ILRawVal = IL->getValue().getZExtValue(); uint64_t ILRawVal = IL->getValue().getZExtValue();
// Case when there is pointer arithmetic on the destination buffer // Case when there is pointer arithmetic on the destination buffer
// especially when we offset from the base decreasing the // especially when we offset from the base decreasing the
// buffer length accordingly. // buffer length accordingly.
if (!DstArgDecl) { if (!DstArgDRE) {
if (const auto *BE = dyn_cast<BinaryOperator>(DstArg->IgnoreParenImpCasts())) { if (const auto *BE =
DstArgDecl = dyn_cast<DeclRefExpr>(BE->getLHS()->IgnoreParenImpCasts()); dyn_cast<BinaryOperator>(DstArg->IgnoreParenImpCasts())) {
DstArgDRE = dyn_cast<DeclRefExpr>(BE->getLHS()->IgnoreParenImpCasts());
if (BE->getOpcode() == BO_Add) { if (BE->getOpcode() == BO_Add) {
if ((IL = dyn_cast<IntegerLiteral>(BE->getRHS()->IgnoreParenImpCasts()))) { if ((IL = dyn_cast<IntegerLiteral>(BE->getRHS()->IgnoreParenImpCasts()))) {
DstOff = IL->getValue().getZExtValue(); DstOff = IL->getValue().getZExtValue();
} }
} }
} }
} }
if (DstArgDecl) { if (DstArgDRE) {
if (const auto *Buffer = dyn_cast<ConstantArrayType>(DstArgDecl->getType())) { if (const auto *Buffer =
dyn_cast<ConstantArrayType>(DstArgDRE->getType())) {
ASTContext &C = BR.getContext(); ASTContext &C = BR.getContext();
uint64_t BufferLen = C.getTypeSize(Buffer) / 8; uint64_t BufferLen = C.getTypeSize(Buffer) / 8;
auto RemainingBufferLen = BufferLen - DstOff; auto RemainingBufferLen = BufferLen - DstOff;
if (RemainingBufferLen < ILRawVal) if (RemainingBufferLen < ILRawVal)
return true; return true;
} }
} }
} }
▲ Show 20 LinesShow All 88 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp

Show First 20 LinesShow All 198 Lines▼ Show 20 Lines
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Check: floating point variable used as loop counter. // Check: floating point variable used as loop counter.
// Originally: <rdar://problem/6336718> // Originally: <rdar://problem/6336718>
// Implements: CERT security coding advisory FLP-30. // Implements: CERT security coding advisory FLP-30.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Returns either 'x' or 'y', depending on which one of them is incremented
// in 'expr', or nullptr if none of them is incremented.
static const DeclRefExpr* static const DeclRefExpr*
getIncrementedVar(const Expr *expr, const VarDecl *x, const VarDecl *y) { getIncrementedVar(const Expr *expr, const VarDecl *x, const VarDecl *y) {
expr = expr->IgnoreParenCasts(); expr = expr->IgnoreParenCasts();
if (const BinaryOperator *B = dyn_cast<BinaryOperator>(expr)) { if (const BinaryOperator *B = dyn_cast<BinaryOperator>(expr)) {
if (!(B->isAssignmentOp() || B->isCompoundAssignmentOp() || if (!(B->isAssignmentOp() || B->isCompoundAssignmentOp() ||
B->getOpcode() == BO_Comma)) B->getOpcode() == BO_Comma))
return nullptr; return nullptr;
▲ Show 20 LinesShow All 69 Lines▼ Show 20 Linesvoid WalkAST::checkLoopConditionForFloat(const ForStmt *FS) {
const VarDecl *vdLHS = drLHS ? dyn_cast<VarDecl>(drLHS->getDecl()) : nullptr; const VarDecl *vdLHS = drLHS ? dyn_cast<VarDecl>(drLHS->getDecl()) : nullptr;
const VarDecl *vdRHS = drRHS ? dyn_cast<VarDecl>(drRHS->getDecl()) : nullptr; const VarDecl *vdRHS = drRHS ? dyn_cast<VarDecl>(drRHS->getDecl()) : nullptr;
if (!vdLHS && !vdRHS) if (!vdLHS && !vdRHS)
return; return;
// Does either variable appear in increment? // Does either variable appear in increment?
const DeclRefExpr *drInc = getIncrementedVar(increment, vdLHS, vdRHS); const DeclRefExpr *drInc = getIncrementedVar(increment, vdLHS, vdRHS);
if (!drInc) if (!drInc)
return; return;
const VarDecl *vdInc = cast<VarDecl>(drInc->getDecl());
assert(vdInc && (vdInc == vdLHS || vdInc == vdRHS));
// Emit the error. First figure out which DeclRefExpr in the condition // Emit the error. First figure out which DeclRefExpr in the condition
// referenced the compared variable. // referenced the compared variable.
assert(drInc->getDecl()); const DeclRefExpr *drCond = vdLHS == vdInc ? drLHS : drRHS;
const DeclRefExpr *drCond = vdLHS == drInc->getDecl() ? drLHS : drRHS;
SmallVector<SourceRange, 2> ranges; SmallVector<SourceRange, 2> ranges;
SmallString<256> sbuf; SmallString<256> sbuf;
llvm::raw_svector_ostream os(sbuf); llvm::raw_svector_ostream os(sbuf);
os << "Variable '" << drCond->getDecl()->getName() os << "Variable '" << drCond->getDecl()->getName()
<< "' with floating point type '" << drCond->getType().getAsString() << "' with floating point type '" << drCond->getType().getAsString()
<< "' should not be used as a loop counter"; << "' should not be used as a loop counter";
▲ Show 20 LinesShow All 729 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/DynamicTypePropagation.cpp

Show First 20 LinesShow All 388 Lines▼ Show 20 Linesstatic const ObjCObjectPointerType *getMostInformativeDerivedClassImpl(
if (To->getObjectType()->getSuperClassType().isNull()) { if (To->getObjectType()->getSuperClassType().isNull()) {
// If To has no super class and From and To aren't the same then // If To has no super class and From and To aren't the same then
// To was not actually a descendent of From. In this case the best we can // To was not actually a descendent of From. In this case the best we can
// do is 'From'. // do is 'From'.
return From; return From;
} }
const auto *SuperOfTo = const auto *SuperOfTo =
To->getObjectType()->getSuperClassType()->getAs<ObjCObjectType>(); To->getObjectType()->getSuperClassType()->castAs<ObjCObjectType>();
assert(SuperOfTo); assert(SuperOfTo);
QualType SuperPtrOfToQual = QualType SuperPtrOfToQual =
C.getObjCObjectPointerType(QualType(SuperOfTo, 0)); C.getObjCObjectPointerType(QualType(SuperOfTo, 0));
const auto *SuperPtrOfTo = SuperPtrOfToQual->getAs<ObjCObjectPointerType>(); const auto *SuperPtrOfTo = SuperPtrOfToQual->castAs<ObjCObjectPointerType>();
if (To->isUnspecialized()) if (To->isUnspecialized())
return getMostInformativeDerivedClassImpl(From, SuperPtrOfTo, SuperPtrOfTo, return getMostInformativeDerivedClassImpl(From, SuperPtrOfTo, SuperPtrOfTo,
C); C);
else else
return getMostInformativeDerivedClassImpl(From, SuperPtrOfTo, return getMostInformativeDerivedClassImpl(From, SuperPtrOfTo,
MostInformativeCandidate, C); MostInformativeCandidate, C);
} }
▲ Show 20 LinesShow All 412 Lines▼ Show 20 Linesvoid DynamicTypePropagation::checkPostObjCMessage(const ObjCMethodCall &M,
Selector Sel = MessageExpr->getSelector(); Selector Sel = MessageExpr->getSelector();
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
// Inference for class variables. // Inference for class variables.
// We are only interested in cases where the class method is invoked on a // We are only interested in cases where the class method is invoked on a
// class. This method is provided by the runtime and available on all classes. // class. This method is provided by the runtime and available on all classes.
if (MessageExpr->getReceiverKind() == ObjCMessageExpr::Class && if (MessageExpr->getReceiverKind() == ObjCMessageExpr::Class &&
Sel.getAsString() == "class") { Sel.getAsString() == "class") {
QualType ReceiverType = MessageExpr->getClassReceiver(); QualType ReceiverType = MessageExpr->getClassReceiver();
const auto *ReceiverClassType = ReceiverType->getAs<ObjCObjectType>(); const auto *ReceiverClassType = ReceiverType->castAs<ObjCObjectType>();
if (!ReceiverClassType->isSpecialized())
return;
QualType ReceiverClassPointerType = QualType ReceiverClassPointerType =
C.getASTContext().getObjCObjectPointerType( C.getASTContext().getObjCObjectPointerType(
QualType(ReceiverClassType, 0)); QualType(ReceiverClassType, 0));
if (!ReceiverClassType->isSpecialized())
return;
const auto *InferredType = const auto *InferredType =
ReceiverClassPointerType->getAs<ObjCObjectPointerType>(); ReceiverClassPointerType->castAs<ObjCObjectPointerType>();
assert(InferredType);
State = State->set<MostSpecializedTypeArgsMap>(RetSym, InferredType); State = State->set<MostSpecializedTypeArgsMap>(RetSym, InferredType);
C.addTransition(State); C.addTransition(State);
return; return;
} }
// Tracking for return types. // Tracking for return types.
SymbolRef RecSym = M.getReceiverSVal().getAsSymbol(); SymbolRef RecSym = M.getReceiverSVal().getAsSymbol();
▲ Show 20 LinesShow All 148 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/IteratorChecker.cpp

Show First 20 LinesShow All 561 Lines▼ Show 20 Linesvoid IteratorChecker::checkPostCall(const CallEvent &Call,
// Record new iterator positions and iterator position changes // Record new iterator positions and iterator position changes
const auto *Func = dyn_cast_or_null<FunctionDecl>(Call.getDecl()); const auto *Func = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
if (!Func) if (!Func)
return; return;
if (Func->isOverloadedOperator()) { if (Func->isOverloadedOperator()) {
const auto Op = Func->getOverloadedOperator(); const auto Op = Func->getOverloadedOperator();
if (isAssignmentOperator(Op)) { if (isAssignmentOperator(Op)) {
const auto *InstCall = dyn_cast<CXXInstanceCall>(&Call); // Overloaded 'operator=' must be a non-static member function.
const auto *InstCall = cast<CXXInstanceCall>(&Call);
if (cast<CXXMethodDecl>(Func)->isMoveAssignmentOperator()) { if (cast<CXXMethodDecl>(Func)->isMoveAssignmentOperator()) {
handleAssign(C, InstCall->getCXXThisVal(), Call.getOriginExpr(), handleAssign(C, InstCall->getCXXThisVal(), Call.getOriginExpr(),
Call.getArgSVal(0)); Call.getArgSVal(0));
return; return;
} }
handleAssign(C, InstCall->getCXXThisVal()); handleAssign(C, InstCall->getCXXThisVal());
return; return;
▲ Show 20 LinesShow All 1,811 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/LocalizationChecker.cpp

Show First 20 LinesShow All 876 Lines▼ Show 20 Linesvoid NonLocalizedStringChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
if (isNonLocalized) { if (isNonLocalized) {
reportLocalizationError(svTitle, msg, C, argumentNumber + 1); reportLocalizationError(svTitle, msg, C, argumentNumber + 1);
} }
} }
void NonLocalizedStringChecker::checkPreCall(const CallEvent &Call, void NonLocalizedStringChecker::checkPreCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
const Decl *D = Call.getDecl(); const auto *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
if (D && isa<FunctionDecl>(D)) { if (!FD)
const FunctionDecl *FD = dyn_cast<FunctionDecl>(D); return;
auto formals = FD->parameters(); auto formals = FD->parameters();
NoQAuthorUnsubmitted
Done
ReplyInline Actions

Note: this was a false positive.

NoQ: Note: this was a false positive.
for (unsigned i = 0, for (unsigned i = 0, ei = std::min(static_cast<unsigned>(formals.size()),
ei = std::min(unsigned(formals.size()), Call.getNumArgs()); Call.getNumArgs()); i != ei; ++i) {
i != ei; ++i) {
if (isAnnotatedAsTakingLocalized(formals[i])) { if (isAnnotatedAsTakingLocalized(formals[i])) {
auto actual = Call.getArgSVal(i); auto actual = Call.getArgSVal(i);
if (hasNonLocalizedState(actual, C)) { if (hasNonLocalizedState(actual, C)) {
reportLocalizationError(actual, Call, C, i + 1); reportLocalizationError(actual, Call, C, i + 1);
} }
} }
} }
} }
}
static inline bool isNSStringType(QualType T, ASTContext &Ctx) { static inline bool isNSStringType(QualType T, ASTContext &Ctx) {
const ObjCObjectPointerType *PT = T->getAs<ObjCObjectPointerType>(); const ObjCObjectPointerType *PT = T->getAs<ObjCObjectPointerType>();
if (!PT) if (!PT)
return false; return false;
ObjCInterfaceDecl *Cls = PT->getObjectType()->getInterface(); ObjCInterfaceDecl *Cls = PT->getObjectType()->getInterface();
▲ Show 20 LinesShow All 514 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/MPI-Checker/MPIBugReporter.cpp

Show First 20 LinesShow All 85 Lines▼ Show 20 Lines
PathDiagnosticPieceRef MPIBugReporter::RequestNodeVisitor::VisitNode( PathDiagnosticPieceRef MPIBugReporter::RequestNodeVisitor::VisitNode(
const ExplodedNode *N, BugReporterContext &BRC, BugReport &BR) { const ExplodedNode *N, BugReporterContext &BRC, BugReport &BR) {
if (IsNodeFound) if (IsNodeFound)
return nullptr; return nullptr;
const Request *const Req = N->getState()->get<RequestMap>(RequestRegion); const Request *const Req = N->getState()->get<RequestMap>(RequestRegion);
assert(Req && "The region must be tracked and alive, given that we've "
"just emitted a report against it");
const Request *const PrevReq = const Request *const PrevReq =
N->getFirstPred()->getState()->get<RequestMap>(RequestRegion); N->getFirstPred()->getState()->get<RequestMap>(RequestRegion);
// Check if request was previously unused or in a different state. // Check if request was previously unused or in a different state.
if ((Req && !PrevReq) || (Req->CurrentState != PrevReq->CurrentState)) { if (!PrevReq || (Req->CurrentState != PrevReq->CurrentState)) {
IsNodeFound = true; IsNodeFound = true;
ProgramPoint P = N->getFirstPred()->getLocation(); ProgramPoint P = N->getFirstPred()->getLocation();
PathDiagnosticLocation L = PathDiagnosticLocation L =
PathDiagnosticLocation::create(P, BRC.getSourceManager()); PathDiagnosticLocation::create(P, BRC.getSourceManager());
return std::make_shared<PathDiagnosticEventPiece>(L, ErrorText); return std::make_shared<PathDiagnosticEventPiece>(L, ErrorText);
} }
return nullptr; return nullptr;
} }
} // end of namespace: mpi } // end of namespace: mpi
} // end of namespace: ento } // end of namespace: ento
} // end of namespace: clang } // end of namespace: clang

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 LinesShow All 1,126 Lines▼ Show 20 LinesProgramStateRef MallocChecker::addExtentSize(CheckerContext &C,
SVal ElementCount; SVal ElementCount;
const SubRegion *Region; const SubRegion *Region;
if (NE->isArray()) { if (NE->isArray()) {
const Expr *SizeExpr = *NE->getArraySize(); const Expr *SizeExpr = *NE->getArraySize();
ElementCount = C.getSVal(SizeExpr); ElementCount = C.getSVal(SizeExpr);
// Store the extent size for the (symbolic)region // Store the extent size for the (symbolic)region
// containing the elements. // containing the elements.
Region = Target.getAsRegion() Region = Target.getAsRegion()
->getAs<SubRegion>() ->castAs<SubRegion>()
->StripCasts() ->StripCasts()
->getAs<SubRegion>(); ->castAs<SubRegion>();
} else { } else {
ElementCount = svalBuilder.makeIntVal(1, true); ElementCount = svalBuilder.makeIntVal(1, true);
Region = Target.getAsRegion()->getAs<SubRegion>(); Region = Target.getAsRegion()->castAs<SubRegion>();
} }
assert(Region);
// Set the region's extent equal to the Size in Bytes. // Set the region's extent equal to the Size in Bytes.
QualType ElementType = NE->getAllocatedType(); QualType ElementType = NE->getAllocatedType();
ASTContext &AstContext = C.getASTContext(); ASTContext &AstContext = C.getASTContext();
CharUnits TypeSize = AstContext.getTypeSizeInChars(ElementType); CharUnits TypeSize = AstContext.getTypeSizeInChars(ElementType);
if (ElementCount.getAs<NonLoc>()) { if (ElementCount.getAs<NonLoc>()) {
DefinedOrUnknownSVal Extent = Region->getExtent(svalBuilder); DefinedOrUnknownSVal Extent = Region->getExtent(svalBuilder);
▲ Show 20 LinesShow All 1,910 Lines▼ Show 20 Lines if (!statePrev->get<RegionState>(FailedReallocSymbol)) {
Msg = "Attempt to reallocate memory"; Msg = "Attempt to reallocate memory";
StackHint = new StackHintGeneratorForSymbol(Sym, StackHint = new StackHintGeneratorForSymbol(Sym,
"Returned reallocated memory"); "Returned reallocated memory");
FailedReallocSymbol = nullptr; FailedReallocSymbol = nullptr;
Mode = Normal; Mode = Normal;
} }
} }
if (Msg.empty()) if (Msg.empty()) {
// Silence a memory leak warning by MallocChecker in MallocChecker.cpp :)
assert(!StackHint && "Memory leak!");
return nullptr; return nullptr;
}
assert(StackHint); assert(StackHint);
// Generate the extra diagnostic. // Generate the extra diagnostic.
PathDiagnosticLocation Pos; PathDiagnosticLocation Pos;
if (!S) { if (!S) {
assert(RS->getAllocationFamily() == AF_InnerBuffer); assert(RS->getAllocationFamily() == AF_InnerBuffer);
auto PostImplCall = N->getLocation().getAs<PostImplicitCall>(); auto PostImplCall = N->getLocation().getAs<PostImplicitCall>();
if (!PostImplCall) if (!PostImplCall)
▲ Show 20 LinesShow All 83 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/MallocSizeofChecker.cpp

Show First 20 LinesShow All 177 Lines▼ Show 20 Lines void checkASTCodeBody(const Decl *D, AnalysisManager& mgr,
AnalysisDeclContext *ADC = mgr.getAnalysisDeclContext(D); AnalysisDeclContext *ADC = mgr.getAnalysisDeclContext(D);
CastedAllocFinder Finder(&BR.getContext()); CastedAllocFinder Finder(&BR.getContext());
Finder.Visit(D->getBody()); Finder.Visit(D->getBody());
for (CastedAllocFinder::CallVec::iterator i = Finder.Calls.begin(), for (CastedAllocFinder::CallVec::iterator i = Finder.Calls.begin(),
e = Finder.Calls.end(); i != e; ++i) { e = Finder.Calls.end(); i != e; ++i) {
QualType CastedType = i->CastedExpr->getType(); QualType CastedType = i->CastedExpr->getType();
if (!CastedType->isPointerType()) if (!CastedType->isPointerType())
continue; continue;
QualType PointeeType = CastedType->getAs<PointerType>()->getPointeeType(); QualType PointeeType = CastedType->getPointeeType();
if (PointeeType->isVoidType()) if (PointeeType->isVoidType())
continue; continue;
for (CallExpr::const_arg_iterator ai = i->AllocCall->arg_begin(), for (CallExpr::const_arg_iterator ai = i->AllocCall->arg_begin(),
ae = i->AllocCall->arg_end(); ai != ae; ++ai) { ae = i->AllocCall->arg_end(); ai != ae; ++ai) {
if (!(*ai)->getType()->isIntegralOrUnscopedEnumerationType()) if (!(*ai)->getType()->isIntegralOrUnscopedEnumerationType())
continue; continue;
▲ Show 20 LinesShow All 61 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/PointerArithChecker.cpp

Show First 20 LinesShow All 113 Lines▼ Show 20 Lines
/// In case there is a derived to base cast above the array element, the /// In case there is a derived to base cast above the array element, the
/// Polymorphic output value is set to true. AKind output value is set to the /// Polymorphic output value is set to true. AKind output value is set to the
/// allocation kind of the inspected region. /// allocation kind of the inspected region.
const MemRegion *PointerArithChecker::getArrayRegion(const MemRegion *Region, const MemRegion *PointerArithChecker::getArrayRegion(const MemRegion *Region,
bool &Polymorphic, bool &Polymorphic,
AllocKind &AKind, AllocKind &AKind,
CheckerContext &C) const { CheckerContext &C) const {
assert(Region); assert(Region);
while (Region->getKind() == MemRegion::Kind::CXXBaseObjectRegionKind) { while (const auto *BaseRegion = dyn_cast<CXXBaseObjectRegion>(Region)) {
Region = Region->getAs<CXXBaseObjectRegion>()->getSuperRegion(); Region = BaseRegion->getSuperRegion();
Polymorphic = true; Polymorphic = true;
} }
if (Region->getKind() == MemRegion::Kind::ElementRegionKind) { if (const auto *ElemRegion = dyn_cast<ElementRegion>(Region)) {
Region = Region->getAs<ElementRegion>()->getSuperRegion(); Region = ElemRegion->getSuperRegion();
} }
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
if (const AllocKind *Kind = State->get<RegionState>(Region)) { if (const AllocKind *Kind = State->get<RegionState>(Region)) {
AKind = *Kind; AKind = *Kind;
if (*Kind == AllocKind::Array) if (*Kind == AllocKind::Array)
return Region; return Region;
else else
return nullptr; return nullptr;
} }
// When the region is symbolic and we do not have any information about it, // When the region is symbolic and we do not have any information about it,
// assume that this is an array to avoid false positives. // assume that this is an array to avoid false positives.
if (Region->getKind() == MemRegion::Kind::SymbolicRegionKind) if (isa<SymbolicRegion>(Region))
return Region; return Region;
// No AllocKind stored and not symbolic, assume that it points to a single // No AllocKind stored and not symbolic, assume that it points to a single
// object. // object.
return nullptr; return nullptr;
} }
void PointerArithChecker::reportPointerArithMisuse(const Expr *E, void PointerArithChecker::reportPointerArithMisuse(const Expr *E,
▲ Show 20 LinesShow All 200 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/UndefinedAssignmentChecker.cpp

Show First 20 LinesShow All 79 Lines▼ Show 20 Lines if (const BinaryOperator *B = dyn_cast<BinaryOperator>(StoreE)) {
} }
} }
ex = B->getRHS(); ex = B->getRHS();
break; break;
} }
if (const DeclStmt *DS = dyn_cast<DeclStmt>(StoreE)) { if (const DeclStmt *DS = dyn_cast<DeclStmt>(StoreE)) {
const VarDecl *VD = dyn_cast<VarDecl>(DS->getSingleDecl()); const VarDecl *VD = cast<VarDecl>(DS->getSingleDecl());
ex = VD->getInit(); ex = VD->getInit();
} }
if (const auto *CD = if (const auto *CD =
dyn_cast<CXXConstructorDecl>(C.getStackFrame()->getDecl())) { dyn_cast<CXXConstructorDecl>(C.getStackFrame()->getDecl())) {
if (CD->isImplicit()) { if (CD->isImplicit()) {
for (auto I : CD->inits()) { for (auto I : CD->inits()) {
if (I->getInit()->IgnoreImpCasts() == StoreE) { if (I->getInit()->IgnoreImpCasts() == StoreE) {
Show All 29 Lines

clang/lib/StaticAnalyzer/Checkers/UninitializedObject/UninitializedPointee.cpp

Show First 20 LinesShow All 254 Lines▼ Show 20 Lines while (const MemRegion *Tmp = State->getSVal(R, DynT).getAsRegion()) {
DynT = R->getLocationType(); DynT = R->getLocationType();
// In order to ensure that this loop terminates, we're also checking the // In order to ensure that this loop terminates, we're also checking the
// dynamic type of R, since type hierarchy is finite. // dynamic type of R, since type hierarchy is finite.
if (isDereferencableType(DynT->getPointeeType())) if (isDereferencableType(DynT->getPointeeType()))
break; break;
} }
while (R->getAs<CXXBaseObjectRegion>()) { while (isa<CXXBaseObjectRegion>(R)) {
NeedsCastBack = true; NeedsCastBack = true;
const auto *SuperR = dyn_cast<TypedValueRegion>(R->getSuperRegion());
if (!isa<TypedValueRegion>(R->getSuperRegion())) if (!SuperR)
break; break;
R = R->getSuperRegion()->getAs<TypedValueRegion>();
R = SuperR;
} }
return DereferenceInfo{R, NeedsCastBack, /*IsCyclic*/ false}; return DereferenceInfo{R, NeedsCastBack, /*IsCyclic*/ false};
} }
static bool isVoidPointer(QualType T) { static bool isVoidPointer(QualType T) {
while (!T.isNull()) { while (!T.isNull()) {
if (T->isVoidPointerType()) if (T->isVoidPointerType())
return true; return true;
T = T->getPointeeType(); T = T->getPointeeType();
} }
return false; return false;
} }

clang/lib/StaticAnalyzer/Checkers/VirtualCallChecker.cpp

Show First 20 LinesShow All 98 Lines▼ Show 20 Linesvoid VirtualCallChecker::checkPreCall(const CallEvent &Call,
if (!MC) if (!MC)
return; return;
const CXXMethodDecl *MD = dyn_cast_or_null<CXXMethodDecl>(Call.getDecl()); const CXXMethodDecl *MD = dyn_cast_or_null<CXXMethodDecl>(Call.getDecl());
if (!MD) if (!MD)
return; return;
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
const CallExpr *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr()); // Member calls are always represented by a call-expression.
const auto *CE = cast<CallExpr>(Call.getOriginExpr());
if (!isVirtualCall(CE)) if (!isVirtualCall(CE))
return; return;
const MemRegion *Reg = MC->getCXXThisVal().getAsRegion(); const MemRegion *Reg = MC->getCXXThisVal().getAsRegion();
const ObjectState *ObState = State->get<CtorDtorMap>(Reg); const ObjectState *ObState = State->get<CtorDtorMap>(Reg);
if (!ObState) if (!ObState)
return; return;
▲ Show 20 LinesShow All 106 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/CheckerHelpers.cpp

Show First 20 LinesShow All 85 Lines▼ Show 20 Lines if (Assign->isAssignmentOp()) {
// Ordinary assignment // Ordinary assignment
RHS = Assign->getRHS(); RHS = Assign->getRHS();
if (auto DE = dyn_cast_or_null<DeclRefExpr>(Assign->getLHS())) if (auto DE = dyn_cast_or_null<DeclRefExpr>(Assign->getLHS()))
VD = dyn_cast_or_null<VarDecl>(DE->getDecl()); VD = dyn_cast_or_null<VarDecl>(DE->getDecl());
} }
} else if (auto PD = dyn_cast_or_null<DeclStmt>(S)) { } else if (auto PD = dyn_cast_or_null<DeclStmt>(S)) {
// Initialization // Initialization
assert(PD->isSingleDecl() && "We process decls one by one"); assert(PD->isSingleDecl() && "We process decls one by one");
VD = dyn_cast_or_null<VarDecl>(PD->getSingleDecl()); VD = cast<VarDecl>(PD->getSingleDecl());
RHS = VD->getAnyInitializer(); RHS = VD->getAnyInitializer();
} }
return std::make_pair(VD, RHS); return std::make_pair(VD, RHS);
} }
Nullability getNullabilityAnnotation(QualType Type) { Nullability getNullabilityAnnotation(QualType Type) {
const auto *AttrType = Type->getAs<AttributedType>(); const auto *AttrType = Type->getAs<AttributedType>();
Show All 12 Lines

clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp

Show First 20 LinesShow All 844 Lines▼ Show 20 Lines
void ExprEngine:: void ExprEngine::
VisitOffsetOfExpr(const OffsetOfExpr *OOE, VisitOffsetOfExpr(const OffsetOfExpr *OOE,
ExplodedNode *Pred, ExplodedNodeSet &Dst) { ExplodedNode *Pred, ExplodedNodeSet &Dst) {
StmtNodeBuilder B(Pred, Dst, *currBldrCtx); StmtNodeBuilder B(Pred, Dst, *currBldrCtx);
Expr::EvalResult Result; Expr::EvalResult Result;
if (OOE->EvaluateAsInt(Result, getContext())) { if (OOE->EvaluateAsInt(Result, getContext())) {
APSInt IV = Result.Val.getInt(); APSInt IV = Result.Val.getInt();
assert(IV.getBitWidth() == getContext().getTypeSize(OOE->getType())); assert(IV.getBitWidth() == getContext().getTypeSize(OOE->getType()));
assert(OOE->getType()->isBuiltinType()); assert(OOE->getType()->castAs<BuiltinType>()->isInteger());
assert(OOE->getType()->getAs<BuiltinType>()->isInteger());
assert(IV.isSigned() == OOE->getType()->isSignedIntegerType()); assert(IV.isSigned() == OOE->getType()->isSignedIntegerType());
SVal X = svalBuilder.makeIntVal(IV); SVal X = svalBuilder.makeIntVal(IV);
B.generateNode(OOE, Pred, B.generateNode(OOE, Pred,
Pred->getState()->BindExpr(OOE, Pred->getLocationContext(), Pred->getState()->BindExpr(OOE, Pred->getLocationContext(),
X)); X));
} }
// FIXME: Handle the case where __builtin_offsetof is not a constant. // FIXME: Handle the case where __builtin_offsetof is not a constant.
} }
▲ Show 20 LinesShow All 301 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp

Show First 20 LinesShow All 797 Lines▼ Show 20 Linesvoid ExprEngine::VisitCXXNewExpr(const CXXNewExpr *CNE, ExplodedNode *Pred,
StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx); StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx);
SVal Result = symVal; SVal Result = symVal;
if (CNE->isArray()) { if (CNE->isArray()) {
// FIXME: allocating an array requires simulating the constructors. // FIXME: allocating an array requires simulating the constructors.
// For now, just return a symbolicated region. // For now, just return a symbolicated region.
if (const SubRegion *NewReg = if (const auto *NewReg = cast_or_null<SubRegion>(symVal.getAsRegion())) {
dyn_cast_or_null<SubRegion>(symVal.getAsRegion())) { QualType ObjTy = CNE->getType()->getPointeeType();
QualType ObjTy = CNE->getType()->getAs<PointerType>()->getPointeeType();
const ElementRegion *EleReg = const ElementRegion *EleReg =
getStoreManager().GetElementZeroRegion(NewReg, ObjTy); getStoreManager().GetElementZeroRegion(NewReg, ObjTy);
Result = loc::MemRegionVal(EleReg); Result = loc::MemRegionVal(EleReg);
} }
State = State->BindExpr(CNE, Pred->getLocationContext(), Result); State = State->BindExpr(CNE, Pred->getLocationContext(), Result);
Bldr.generateNode(CNE, Pred, State); Bldr.generateNode(CNE, Pred, State);
return; return;
} }
▲ Show 20 LinesShow All 123 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/MemRegion.cpp

Show First 20 LinesShow All 1,069 Lines▼ Show 20 Linesstatic bool isValidBaseClass(const CXXRecordDecl *BaseClass,
return false; return false;
} }
const CXXBaseObjectRegion * const CXXBaseObjectRegion *
MemRegionManager::getCXXBaseObjectRegion(const CXXRecordDecl *RD, MemRegionManager::getCXXBaseObjectRegion(const CXXRecordDecl *RD,
const SubRegion *Super, const SubRegion *Super,
bool IsVirtual) { bool IsVirtual) {
if (isa<TypedValueRegion>(Super)) { if (isa<TypedValueRegion>(Super)) {
assert(isValidBaseClass(RD, dyn_cast<TypedValueRegion>(Super), IsVirtual)); assert(isValidBaseClass(RD, cast<TypedValueRegion>(Super), IsVirtual));
(void)&isValidBaseClass; (void)&isValidBaseClass;
if (IsVirtual) { if (IsVirtual) {
// Virtual base regions should not be layered, since the layout rules // Virtual base regions should not be layered, since the layout rules
// are different. // are different.
while (const auto *Base = dyn_cast<CXXBaseObjectRegion>(Super)) while (const auto *Base = dyn_cast<CXXBaseObjectRegion>(Super))
Super = cast<SubRegion>(Base->getSuperRegion()); Super = cast<SubRegion>(Base->getSuperRegion());
assert(Super && !isa<MemSpaceRegion>(Super)); assert(Super && !isa<MemSpaceRegion>(Super));
▲ Show 20 LinesShow All 334 Lines▼ Show 20 Lines case MemRegion::ElementRegionKind: {
// We cannot compute offset for non-concrete index. // We cannot compute offset for non-concrete index.
SymbolicOffsetBase = R; SymbolicOffsetBase = R;
} }
break; break;
} }
case MemRegion::FieldRegionKind: { case MemRegion::FieldRegionKind: {
const auto *FR = cast<FieldRegion>(R); const auto *FR = cast<FieldRegion>(R);
R = FR->getSuperRegion(); R = FR->getSuperRegion();
assert(R);
const RecordDecl *RD = FR->getDecl()->getParent(); const RecordDecl *RD = FR->getDecl()->getParent();
if (RD->isUnion() || !RD->isCompleteDefinition()) { if (RD->isUnion() || !RD->isCompleteDefinition()) {
// We cannot compute offset for incomplete type. // We cannot compute offset for incomplete type.
// For unions, we could treat everything as offset 0, but we'd rather // For unions, we could treat everything as offset 0, but we'd rather
// treat each field as a symbolic offset so they aren't stored on top // treat each field as a symbolic offset so they aren't stored on top
// of each other, since we depend on things in typed regions actually // of each other, since we depend on things in typed regions actually
// matching their types. // matching their types.
▲ Show 20 LinesShow All 184 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/RegionStore.cpp

Show First 20 LinesShow All 2,243 Lines▼ Show 20 LinesRegionStoreManager::bindArray(RegionBindingsConstRef B,
return NewB; return NewB;
} }
RegionBindingsRef RegionStoreManager::bindVector(RegionBindingsConstRef B, RegionBindingsRef RegionStoreManager::bindVector(RegionBindingsConstRef B,
const TypedValueRegion* R, const TypedValueRegion* R,
SVal V) { SVal V) {
QualType T = R->getValueType(); QualType T = R->getValueType();
assert(T->isVectorType()); const VectorType *VT = T->castAs<VectorType>(); // Use castAs for typedefs.
const VectorType *VT = T->getAs<VectorType>(); // Use getAs for typedefs.
// Handle lazy compound values and symbolic values. // Handle lazy compound values and symbolic values.
if (V.getAs<nonloc::LazyCompoundVal>() || V.getAs<nonloc::SymbolVal>()) if (V.getAs<nonloc::LazyCompoundVal>() || V.getAs<nonloc::SymbolVal>())
return bindAggregate(B, R, V); return bindAggregate(B, R, V);
// We may get non-CompoundVal accidentally due to imprecise cast logic or // We may get non-CompoundVal accidentally due to imprecise cast logic or
// that we are binding symbolic struct value. Kill the field values, and if // that we are binding symbolic struct value. Kill the field values, and if
// the value is symbolic go and bind it as a "default" binding. // the value is symbolic go and bind it as a "default" binding.
▲ Show 20 LinesShow All 68 Lines▼ Show 20 LinesRegionBindingsRef RegionStoreManager::bindStruct(RegionBindingsConstRef B,
const TypedValueRegion* R, const TypedValueRegion* R,
SVal V) { SVal V) {
if (!Features.supportsFields()) if (!Features.supportsFields())
return B; return B;
QualType T = R->getValueType(); QualType T = R->getValueType();
assert(T->isStructureOrClassType()); assert(T->isStructureOrClassType());
const RecordType* RT = T->getAs<RecordType>(); const RecordType* RT = T->castAs<RecordType>();
const RecordDecl *RD = RT->getDecl(); const RecordDecl *RD = RT->getDecl();
if (!RD->isCompleteDefinition()) if (!RD->isCompleteDefinition())
return B; return B;
// Handle lazy compound values and symbolic values. // Handle lazy compound values and symbolic values.
if (Optional<nonloc::LazyCompoundVal> LCV = if (Optional<nonloc::LazyCompoundVal> LCV =
V.getAs<nonloc::LazyCompoundVal>()) { V.getAs<nonloc::LazyCompoundVal>()) {
▲ Show 20 LinesShow All 302 LinesShow Last 20 Lines

clang/test/Analysis/cstring-syntax-weird.c

  • This file was added.
// RUN: %clang_analyze_cc1 -w -analyzer-checker=unix.cstring.BadSizeArg \
// RUN: -verify %s
// expected-no-diagnostics
typedef __SIZE_TYPE__ size_t;
// The last parameter is normally size_t but the test is about the abnormal
// situation when it's not a size_t.
size_t strlcpy(char *, const char *, int);
enum WeirdDecl {
AStrangeWayToSpecifyStringLengthCorrectly = 10UL,
AStrangeWayToSpecifyStringLengthIncorrectly = 5UL
};
void testWeirdDecls(const char *src) {
char dst[10];
strlcpy(dst, src, AStrangeWayToSpecifyStringLengthCorrectly); // no-crash
strlcpy(dst, src, AStrangeWayToSpecifyStringLengthIncorrectly); // no-crash // no-warning
}

clang/test/Analysis/cstring-syntax-weird2.c

  • This file was added.
// RUN: %clang_analyze_cc1 -w -analyzer-checker=unix.cstring.BadSizeArg \
// RUN: -verify %s
// expected-no-diagnostics
typedef __SIZE_TYPE__ size_t;
// The last parameter is normally size_t but the test is about the abnormal
// situation when it's not a size_t.
size_t strlcpy(char *, const char *, void (*)());
void foo();
void testWeirdDecls(const char *src) {
char dst[10];
strlcpy(dst, src, foo); // no-crash
strlcpy(dst, src, &foo); // no-crash
}

clang/test/Analysis/cstring-syntax.c

// RUN: %clang_analyze_cc1 -analyzer-checker=unix.cstring.BadSizeArg -analyzer-store=region -Wno-strncat-size -Wno-strlcpy-strlcat-size -Wno-sizeof-array-argument -Wno-sizeof-pointer-memaccess -verify %s // RUN: %clang_analyze_cc1 -analyzer-checker=unix.cstring.BadSizeArg -verify %s\
// RUN: %clang_analyze_cc1 -triple armv7-a15-linux -analyzer-checker=unix.cstring.BadSizeArg -analyzer-store=region -Wno-strncat-size -Wno-strlcpy-strlcat-size -Wno-sizeof-array-argument -Wno-sizeof-pointer-memaccess -verify %s // RUN: -Wno-strncat-size -Wno-sizeof-pointer-memaccess \
// RUN: %clang_analyze_cc1 -triple aarch64_be-none-linux-gnu -analyzer-checker=unix.cstring.BadSizeArg -analyzer-store=region -Wno-strncat-size -Wno-strlcpy-strlcat-size -Wno-sizeof-array-argument -Wno-sizeof-pointer-memaccess -verify %s // RUN: -Wno-strlcpy-strlcat-size -Wno-sizeof-array-argument
// RUN: %clang_analyze_cc1 -triple i386-apple-darwin10 -analyzer-checker=unix.cstring.BadSizeArg -analyzer-store=region -Wno-strncat-size -Wno-strlcpy-strlcat-size -Wno-sizeof-array-argument -Wno-sizeof-pointer-memaccess -verify %s // RUN: %clang_analyze_cc1 -analyzer-checker=unix.cstring.BadSizeArg -verify %s\
// RUN: -Wno-strncat-size -Wno-sizeof-pointer-memaccess \
// RUN: -Wno-strlcpy-strlcat-size -Wno-sizeof-array-argument\
// RUN: -triple armv7-a15-linux
// RUN: %clang_analyze_cc1 -analyzer-checker=unix.cstring.BadSizeArg -verify %s\
// RUN: -Wno-strncat-size -Wno-sizeof-pointer-memaccess \
// RUN: -Wno-strlcpy-strlcat-size -Wno-sizeof-array-argument\
// RUN: -triple aarch64_be-none-linux-gnu
// RUN: %clang_analyze_cc1 -analyzer-checker=unix.cstring.BadSizeArg -verify %s\
// RUN: -Wno-strncat-size -Wno-sizeof-pointer-memaccess \
// RUN: -Wno-strlcpy-strlcat-size -Wno-sizeof-array-argument\
// RUN: -triple i386-apple-darwin10
typedef __SIZE_TYPE__ size_t; typedef __SIZE_TYPE__ size_t;
char *strncat(char *, const char *, size_t); char *strncat(char *, const char *, size_t);
size_t strlen (const char *s); size_t strlen (const char *s);
size_t strlcpy(char *, const char *, size_t); size_t strlcpy(char *, const char *, size_t);
size_t strlcat(char *, const char *, size_t); size_t strlcat(char *, const char *, size_t);
void testStrncat(const char *src) { void testStrncat(const char *src) {
▲ Show 20 LinesShow All 44 LinesShow Last 20 Lines