test/Analysis/out-of-bounds.c

   1 // RUN: %clang_cc1 -Wno-array-bounds -analyze -analyzer-check-objc-mem -analyzer-check-buffer-overflows -verify %s
   2
   3 // Tests doing an out-of-bounds access after the end of an array using:
   4 // - constant integer index
   5 // - constant integer size for buffer
   6 void test1(int x) {
   7   int buf[100];
   8   buf[100] = 1; // expected-warning{{Out of bound memory access}}
   9 }
  10
  11 void test1_ok(int x) {
  12   int buf[100];
  13   buf[99] = 1; // no-warning
  14 }
  15
  16 const char test1_strings_underrun(int x) {
  17   const char *mystr = "mary had a little lamb";
  18   return mystr[-1]; // expected-warning{{Out of bound memory access}}
  19 }
  20
  21 const char test1_strings_overrun(int x) {
  22   const char *mystr = "mary had a little lamb";
  23   return mystr[1000];  // expected-warning{{Out of bound memory access}}
  24 }
  25
  26 const char test1_strings_ok(int x) {
  27   const char *mystr = "mary had a little lamb";
  28   return mystr[5]; // no-warning
  29 }
  30
  31 // Tests doing an out-of-bounds access after the end of an array using:
  32 // - indirect pointer to buffer
  33 // - constant integer index
  34 // - constant integer size for buffer
  35 void test1_ptr(int x) {
  36   int buf[100];
  37   int *p = buf;
  38   p[101] = 1; // expected-warning{{Out of bound memory access}}
  39 }
  40
  41 void test1_ptr_ok(int x) {
  42   int buf[100];
  43   int *p = buf;
  44   p[99] = 1; // no-warning
  45 }
  46
  47 // Tests doing an out-of-bounds access before the start of an array using:
  48 // - indirect pointer to buffer, manipulated using simple pointer arithmetic
  49 // - constant integer index
  50 // - constant integer size for buffer
  51 void test1_ptr_arith(int x) {
  52   int buf[100];
  53   int *p = buf;
  54   p = p + 100;
  55   p[0] = 1; // expected-warning{{Out of bound memory access}}
  56 }
  57
  58 void test1_ptr_arith_ok(int x) {
  59   int buf[100];
  60   int *p = buf;
  61   p = p + 99;
  62   p[0] = 1; // no-warning
  63 }
  64
  65 void test1_ptr_arith_bad(int x) {
  66   int buf[100];
  67   int *p = buf;
  68   p = p + 99;
  69   p[1] = 1; // expected-warning{{Out of bound memory access}}
  70 }
  71
  72 void test1_ptr_arith_ok2(int x) {
  73   int buf[100];
  74   int *p = buf;
  75   p = p + 99;
  76   p[-1] = 1; // no-warning
  77 }
  78
  79 // Tests doing an out-of-bounds access before the start of an array using:
  80 // - constant integer index
  81 // - constant integer size for buffer
  82 void test2(int x) {
  83   int buf[100];
  84   buf[-1] = 1; // expected-warning{{Out of bound memory access}}
  85 }
  86
  87 // Tests doing an out-of-bounds access before the start of an array using:
  88 // - indirect pointer to buffer
  89 // - constant integer index
  90 // - constant integer size for buffer
  91 void test2_ptr(int x) {
  92   int buf[100];
  93   int *p = buf;
  94   p[-1] = 1; // expected-warning{{Out of bound memory access}}
  95 }
  96
  97 // ** FIXME ** Doesn't work yet because we don't support pointer arithmetic.
  98 // Tests doing an out-of-bounds access before the start of an array using:
  99 // - indirect pointer to buffer, manipulated using simple pointer arithmetic
 100 // - constant integer index
 101 // - constant integer size for buffer
 102 void test2_ptr_arith(int x) {
 103   int buf[100];
 104   int *p = buf;
 105   --p;
 106   p[0] = 1; // no-warning
 107 }
 108
 109 // Tests doing an out-of-bounds access before the start of a multi-dimensional
 110 // array using:
 111 // - constant integer indices
 112 // - constant integer sizes for the array
 113 void test2_multi(int x) {
 114   int buf[100][100];
 115   buf[0][-1] = 1; // expected-warning{{Out of bound memory access}}
 116 }
 117
 118 // Tests doing an out-of-bounds access before the start of a multi-dimensional
 119 // array using:
 120 // - constant integer indices
 121 // - constant integer sizes for the array
 122 void test2_multi_b(int x) {
 123   int buf[100][100];
 124   buf[-1][0] = 1; // expected-warning{{Out of bound memory access}}
 125 }
 126
 127 void test2_multi_ok(int x) {
 128   int buf[100][100];
 129   buf[0][0] = 1; // no-warning
 130 }
 131
 132 // *** FIXME ***
 133 // We don't get a warning here yet because our symbolic constraint solving
 134 // doesn't handle:  (symbol * constant) < constant
 135 void test3(int x) {
 136   int buf[100];
 137   if (x < 0)
 138     buf[x] = 1;
 139 }
 140
 141 // *** FIXME ***
 142 // We don't get a warning here yet because our symbolic constraint solving
 143 // doesn't handle:  (symbol * constant) < constant
 144 void test4(int x) {
 145   int buf[100];
 146   if (x > 99)
 147     buf[x] = 1;
 148 }