diff options
| author | Artem Dergachev <artem.dergachev@gmail.com> | 2017-10-13 20:11:00 +0000 |
|---|---|---|
| committer | Artem Dergachev <artem.dergachev@gmail.com> | 2017-10-13 20:11:00 +0000 |
| commit | db65f969f233b0f8c5aebb5067d4eeb80d050b56 (patch) | |
| tree | 12efdbfe5678fb80b41eaeccfe99998bc6b1f347 /clang/test/Analysis/bstring.cpp | |
| parent | 52dbdc04fe6eaa91cc3c7b0966b242b673e0e823 (diff) | |
| download | bcm5719-llvm-db65f969f233b0f8c5aebb5067d4eeb80d050b56.tar.gz bcm5719-llvm-db65f969f233b0f8c5aebb5067d4eeb80d050b56.zip | |
[analyzer] CStringChecker: pr34460: Avoid a crash when a cast is not modeled.
The checker used to crash when a mempcpy's length argument is symbolic. In this
case the cast from 'void *' to 'char *' failed because the respective
ElementRegion that represents cast is hard to add on top of the existing
ElementRegion that represents the offset to the last copied byte, while
preseving a sane memory region structure.
Additionally, a few test cases are added (to casts.c) which demonstrate problems
caused by existing sloppy work we do with multi-layer ElementRegions. If said
cast would be modeled properly in the future, these tests would need to be
taken into account.
Differential Revision: https://reviews.llvm.org/D38797
llvm-svn: 315742
Diffstat (limited to 'clang/test/Analysis/bstring.cpp')
| -rw-r--r-- | clang/test/Analysis/bstring.cpp | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/clang/test/Analysis/bstring.cpp b/clang/test/Analysis/bstring.cpp index a6d7b401627..fea76cc082f 100644 --- a/clang/test/Analysis/bstring.cpp +++ b/clang/test/Analysis/bstring.cpp @@ -1,8 +1,35 @@ // RUN: %clang_analyze_cc1 -analyzer-checker=core,unix.cstring,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -verify %s +// RUN: %clang_analyze_cc1 -DUSE_BUILTINS -analyzer-checker=core,unix.cstring,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -verify %s +// RUN: %clang_analyze_cc1 -DVARIANT -analyzer-checker=core,unix.cstring,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -verify %s +// RUN: %clang_analyze_cc1 -DUSE_BUILTINS -DVARIANT -analyzer-checker=core,unix.cstring,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -verify %s #include "Inputs/system-header-simulator-cxx.h" #include "Inputs/system-header-simulator-for-malloc.h" +// This provides us with four possible mempcpy() definitions. +// See also comments in bstring.c. + +#ifdef USE_BUILTINS +#define BUILTIN(f) __builtin_##f +#else /* USE_BUILTINS */ +#define BUILTIN(f) f +#endif /* USE_BUILTINS */ + +#ifdef VARIANT + +#define __mempcpy_chk BUILTIN(__mempcpy_chk) +void *__mempcpy_chk(void *__restrict__ s1, const void *__restrict__ s2, + size_t n, size_t destlen); + +#define mempcpy(a,b,c) __mempcpy_chk(a,b,c,(size_t)-1) + +#else /* VARIANT */ + +#define mempcpy BUILTIN(mempcpy) +void *mempcpy(void *__restrict__ s1, const void *__restrict__ s2, size_t n); + +#endif /* VARIANT */ + void clang_analyzer_eval(int); int *testStdCopyInvalidatesBuffer(std::vector<int> v) { @@ -36,3 +63,17 @@ int *testStdCopyBackwardInvalidatesBuffer(std::vector<int> v) { return buf; } + +namespace pr34460 { +short a; +class b { + int c; + long g; + void d() { + int e = c; + f += e; + mempcpy(f, &a, g); + } + unsigned *f; +}; +} |
