Model the effects of strcpy() and stpcpy() in CStringChecker. Other changes:

- Fix memcpy() and friends to actually invalidate the destination buffer. - Emit a different message for out-of-bounds buffer accesses if the buffer is being written to. - When conjuring symbols, let ValueManager figure out the type. llvm-svn: 111120
author: Jordy Rose <jediknil@belkadan.com> 2010-08-16 07:51:42 +0000
committer: Jordy Rose <jediknil@belkadan.com> 2010-08-16 07:51:42 +0000
commit: 722f558f0773d99fd6e8c12939bcfedb9b10c319 (patch)
tree: 158a16039fe357a3b9879c9f671016319cadd700 /clang/test/Analysis
parent: ebab1ed5d30c96e1dc22c2521befd33aab743867 (diff)
download: bcm5719-llvm-722f558f0773d99fd6e8c12939bcfedb9b10c319.tar.gz
bcm5719-llvm-722f558f0773d99fd6e8c12939bcfedb9b10c319.zip
2 files changed, 119 insertions, 9 deletions
diff --git a/clang/test/Analysis/bstring.c b/clang/test/Analysis/bstring.c
index ae9ba4f973e..ffe420f7251 100644
--- a/clang/test/Analysis/bstring.c
+++ b/clang/test/Analysis/bstring.c
@@ -48,27 +48,30 @@ void *memcpy(void *restrict s1, const void *restrict s2, size_t n);
 
 void memcpy0 () {
   char src[] = {1, 2, 3, 4};
-  char dst[4];
+  char dst[4] = {0};
 
   memcpy(dst, src, 4); // no-warning
 
   if (memcpy(dst, src, 4) != dst) {
     (void)*(char*)0; // no-warning
   }
+
+  if (dst[0] != 0)
+    (void)*(char*)0; // expected-warning{{null}}
 }
 
 void memcpy1 () {
   char src[] = {1, 2, 3, 4};
   char dst[10];
 
-  memcpy(dst, src, 5); // expected-warning{{out-of-bound}}
+  memcpy(dst, src, 5); // expected-warning{{Byte string function accesses out-of-bound array element}}
 }
 
 void memcpy2 () {
   char src[] = {1, 2, 3, 4};
   char dst[1];
 
-  memcpy(dst, src, 4); // expected-warning{{out-of-bound}}
+  memcpy(dst, src, 4); // expected-warning{{Byte string function overflows destination buffer}}
 }
 
 void memcpy3 () {
@@ -82,14 +85,14 @@ void memcpy4 () {
   char src[] = {1, 2, 3, 4};
   char dst[10];
 
-  memcpy(dst+2, src+2, 3); // expected-warning{{out-of-bound}}
+  memcpy(dst+2, src+2, 3); // expected-warning{{Byte string function accesses out-of-bound array element}}
 }
 
 void memcpy5() {
   char src[] = {1, 2, 3, 4};
   char dst[3];
 
-  memcpy(dst+2, src+2, 2); // expected-warning{{out-of-bound}}
+  memcpy(dst+2, src+2, 2); // expected-warning{{Byte string function overflows destination buffer}}
 }
 
 void memcpy6() {
@@ -150,13 +153,16 @@ void *memmove(void *s1, const void *s2, size_t n);
 
 void memmove0 () {
   char src[] = {1, 2, 3, 4};
-  char dst[4];
+  char dst[4] = {0};
 
   memmove(dst, src, 4); // no-warning
 
   if (memmove(dst, src, 4) != dst) {
     (void)*(char*)0; // no-warning
   }
+
+  if (dst[0] != 0)
+    (void)*(char*)0; // expected-warning{{null}}
 }
 
 void memmove1 () {
@@ -170,7 +176,7 @@ void memmove2 () {
   char src[] = {1, 2, 3, 4};
   char dst[1];
 
-  memmove(dst, src, 4); // expected-warning{{out-of-bound}}
+  memmove(dst, src, 4); // expected-warning{{overflow}}
 }
 
 //===----------------------------------------------------------------------===
@@ -263,9 +269,12 @@ void bcopy(/*const*/ void *s1, void *s2, size_t n);
 
 void bcopy0 () {
   char src[] = {1, 2, 3, 4};
-  char dst[4];
+  char dst[4] = {0};
 
   bcopy(src, dst, 4); // no-warning
+
+  if (dst[0] != 0)
+    (void)*(char*)0; // expected-warning{{null}}
 }
 
 void bcopy1 () {
@@ -279,5 +288,5 @@ void bcopy2 () {
   char src[] = {1, 2, 3, 4};
   char dst[1];
 
-  bcopy(src, dst, 4); // expected-warning{{out-of-bound}}
+  bcopy(src, dst, 4); // expected-warning{{overflow}}
 }
diff --git a/clang/test/Analysis/string.c b/clang/test/Analysis/string.c
index af43c4b03c0..35ed7106f74 100644
--- a/clang/test/Analysis/string.c
+++ b/clang/test/Analysis/string.c
@@ -24,6 +24,7 @@
 # define BUILTIN(f) f
 #endif /* USE_BUILTINS */
 
+#define NULL 0
 typedef typeof(sizeof(int)) size_t;
 
 //===----------------------------------------------------------------------===
@@ -137,3 +138,103 @@ void strlen_liveness(const char *x) {
   if (strlen(x) < 5)
     (void)*(char*)0; // no-warning
 }
+
+//===----------------------------------------------------------------------===
+// strcpy()
+//===----------------------------------------------------------------------===
+
+#ifdef VARIANT
+
+#define __strcpy_chk BUILTIN(__strcpy_chk)
+char *__strcpy_chk(char *restrict s1, const char *restrict s2, size_t destlen);
+
+#define strcpy(a,b) __strcpy_chk(a,b,(size_t)-1)
+
+#else /* VARIANT */
+
+#define strcpy BUILTIN(strcpy)
+char *strcpy(char *restrict s1, const char *restrict s2);
+
+#endif /* VARIANT */
+
+
+void strcpy_null_dst(char *x) {
+  strcpy(NULL, x); // expected-warning{{Null pointer argument in call to byte string function}}
+}
+
+void strcpy_null_src(char *x) {
+  strcpy(x, NULL); // expected-warning{{Null pointer argument in call to byte string function}}
+}
+
+void strcpy_fn(char *x) {
+  strcpy(x, (char*)&strcpy_fn); // expected-warning{{Argument to byte string function is the address of the function 'strcpy_fn', which is not a null-terminated string}}
+}
+
+void strcpy_effects(char *x, char *y) {
+  char a = x[0];
+
+  if (strcpy(x, y) != x)
+    (void)*(char*)0; // no-warning
+
+  if (strlen(x) != strlen(y))
+    (void)*(char*)0; // no-warning
+
+  if (a != x[0])
+    (void)*(char*)0; // expected-warning{{null}}
+}
+
+void strcpy_overflow(char *y) {
+  char x[4];
+  if (strlen(y) == 4)
+    strcpy(x, y); // expected-warning{{Byte string function overflows destination buffer}}
+}
+
+void strcpy_no_overflow(char *y) {
+  char x[4];
+  if (strlen(y) == 3)
+    strcpy(x, y); // no-warning
+}
+
+//===----------------------------------------------------------------------===
+// stpcpy()
+//===----------------------------------------------------------------------===
+
+#ifdef VARIANT
+
+#define __stpcpy_chk BUILTIN(__stpcpy_chk)
+char *__stpcpy_chk(char *restrict s1, const char *restrict s2, size_t destlen);
+
+#define stpcpy(a,b) __stpcpy_chk(a,b,(size_t)-1)
+
+#else /* VARIANT */
+
+#define stpcpy BUILTIN(stpcpy)
+char *stpcpy(char *restrict s1, const char *restrict s2);
+
+#endif /* VARIANT */
+
+
+void stpcpy_effect(char *x, char *y) {
+  char a = x[0];
+
+  if (stpcpy(x, y) != &x[strlen(y)])
+    (void)*(char*)0; // no-warning
+
+  if (strlen(x) != strlen(y))
+    (void)*(char*)0; // no-warning
+
+  if (a != x[0])
+    (void)*(char*)0; // expected-warning{{null}}
+}
+
+void stpcpy_overflow(char *y) {
+  char x[4];
+  if (strlen(y) == 4)
+    stpcpy(x, y); // expected-warning{{Byte string function overflows destination buffer}}
+}
+
+void stpcpy_no_overflow(char *y) {
+  char x[4];
+  if (strlen(y) == 3)
+    stpcpy(x, y); // no-warning
+}
author	Jordy Rose <jediknil@belkadan.com>	2010-08-16 07:51:42 +0000
committer	Jordy Rose <jediknil@belkadan.com>	2010-08-16 07:51:42 +0000
commit	722f558f0773d99fd6e8c12939bcfedb9b10c319 (patch)
tree	158a16039fe357a3b9879c9f671016319cadd700 /clang/test/Analysis
parent	ebab1ed5d30c96e1dc22c2521befd33aab743867 (diff)
download	bcm5719-llvm-722f558f0773d99fd6e8c12939bcfedb9b10c319.tar.gz bcm5719-llvm-722f558f0773d99fd6e8c12939bcfedb9b10c319.zip