r332463 - [analyzer] Improve the modeling of memset().
Henry Wong via cfe-commits
cfe-commits at lists.llvm.org
Wed May 16 05:37:53 PDT 2018
Author: henrywong
Date: Wed May 16 05:37:53 2018
New Revision: 332463
URL: http://llvm.org/viewvc/llvm-project?rev=332463&view=rev
Log:
[analyzer] Improve the modeling of memset().
Since there is no perfect way bind the non-zero value with the default binding, this patch only considers the case where buffer's offset is zero and the char value is 0. And according to the value for overwriting, decide how to update the string length.
Reviewers: dcoughlin, NoQ, xazax.hun, a.sidorin, george.karpenkov
Reviewed By: NoQ
Differential Revision: https://reviews.llvm.org/D44934
Modified:
cfe/trunk/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
cfe/trunk/test/Analysis/bstring.cpp
cfe/trunk/test/Analysis/null-deref-ps-region.c
cfe/trunk/test/Analysis/string.c
Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/CStringChecker.cpp?rev=332463&r1=332462&r2=332463&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/CStringChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/CStringChecker.cpp Wed May 16 05:37:53 2018
@@ -158,6 +158,10 @@ public:
static bool SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
const MemRegion *MR);
+ static bool memsetAux(const Expr *DstBuffer, const Expr *CharE,
+ const Expr *Size, CheckerContext &C,
+ ProgramStateRef &State);
+
// Re-usable checks
ProgramStateRef checkNonNull(CheckerContext &C,
ProgramStateRef state,
@@ -999,6 +1003,95 @@ bool CStringChecker::SummarizeRegion(raw
}
}
+bool CStringChecker::memsetAux(const Expr *DstBuffer, const Expr *CharE,
+ const Expr *Size, CheckerContext &C,
+ ProgramStateRef &State) {
+ SVal MemVal = C.getSVal(DstBuffer);
+ SVal CharVal = C.getSVal(CharE);
+ SVal SizeVal = C.getSVal(Size);
+ const MemRegion *MR = MemVal.getAsRegion();
+ if (!MR)
+ return false;
+
+ // We're about to model memset by producing a "default binding" in the Store.
+ // Our current implementation - RegionStore - doesn't support default bindings
+ // that don't cover the whole base region. So we should first get the offset
+ // and the base region to figure out whether the offset of buffer is 0.
+ RegionOffset Offset = MR->getAsOffset();
+ const MemRegion *BR = Offset.getRegion();
+
+ Optional<NonLoc> SizeNL = SizeVal.getAs<NonLoc>();
+ if (!SizeNL)
+ return false;
+
+ SValBuilder &svalBuilder = C.getSValBuilder();
+ ASTContext &Ctx = C.getASTContext();
+
+ // void *memset(void *dest, int ch, size_t count);
+ // For now we can only handle the case of offset is 0 and concrete char value.
+ if (Offset.isValid() && !Offset.hasSymbolicOffset() &&
+ Offset.getOffset() == 0) {
+ // Get the base region's extent.
+ auto *SubReg = cast<SubRegion>(BR);
+ DefinedOrUnknownSVal Extent = SubReg->getExtent(svalBuilder);
+
+ ProgramStateRef StateWholeReg, StateNotWholeReg;
+ std::tie(StateWholeReg, StateNotWholeReg) =
+ State->assume(svalBuilder.evalEQ(State, Extent, *SizeNL));
+
+ // With the semantic of 'memset()', we should convert the CharVal to
+ // unsigned char.
+ CharVal = svalBuilder.evalCast(CharVal, Ctx.UnsignedCharTy, Ctx.IntTy);
+
+ ProgramStateRef StateNullChar, StateNonNullChar;
+ std::tie(StateNullChar, StateNonNullChar) =
+ assumeZero(C, State, CharVal, Ctx.UnsignedCharTy);
+
+ if (StateWholeReg && !StateNotWholeReg && StateNullChar &&
+ !StateNonNullChar) {
+ // If the 'memset()' acts on the whole region of destination buffer and
+ // the value of the second argument of 'memset()' is zero, bind the second
+ // argument's value to the destination buffer with 'default binding'.
+ // FIXME: Since there is no perfect way to bind the non-zero character, we
+ // can only deal with zero value here. In the future, we need to deal with
+ // the binding of non-zero value in the case of whole region.
+ State = State->bindDefaultZero(svalBuilder.makeLoc(BR),
+ C.getLocationContext());
+ } else {
+ // If the destination buffer's extent is not equal to the value of
+ // third argument, just invalidate buffer.
+ State = InvalidateBuffer(C, State, DstBuffer, MemVal,
+ /*IsSourceBuffer*/ false, Size);
+ }
+
+ if (StateNullChar && !StateNonNullChar) {
+ // If the value of the second argument of 'memset()' is zero, set the
+ // string length of destination buffer to 0 directly.
+ State = setCStringLength(State, MR,
+ svalBuilder.makeZeroVal(Ctx.getSizeType()));
+ } else if (!StateNullChar && StateNonNullChar) {
+ SVal NewStrLen = svalBuilder.getMetadataSymbolVal(
+ CStringChecker::getTag(), MR, DstBuffer, Ctx.getSizeType(),
+ C.getLocationContext(), C.blockCount());
+
+ // If the value of second argument is not zero, then the string length
+ // is at least the size argument.
+ SVal NewStrLenGESize = svalBuilder.evalBinOp(
+ State, BO_GE, NewStrLen, SizeVal, svalBuilder.getConditionType());
+
+ State = setCStringLength(
+ State->assume(NewStrLenGESize.castAs<DefinedOrUnknownSVal>(), true),
+ MR, NewStrLen);
+ }
+ } else {
+ // If the offset is not zero and char value is not concrete, we can do
+ // nothing but invalidate the buffer.
+ State = InvalidateBuffer(C, State, DstBuffer, MemVal,
+ /*IsSourceBuffer*/ false, Size);
+ }
+ return true;
+}
+
//===----------------------------------------------------------------------===//
// evaluation of individual function calls.
//===----------------------------------------------------------------------===//
@@ -2048,6 +2141,7 @@ void CStringChecker::evalMemset(CheckerC
CurrentFunctionDescription = "memory set function";
const Expr *Mem = CE->getArg(0);
+ const Expr *CharE = CE->getArg(1);
const Expr *Size = CE->getArg(2);
ProgramStateRef State = C.getState();
@@ -2080,9 +2174,11 @@ void CStringChecker::evalMemset(CheckerC
State = CheckBufferAccess(C, State, Size, Mem);
if (!State)
return;
- State = InvalidateBuffer(C, State, Mem, C.getSVal(Mem),
- /*IsSourceBuffer*/false, Size);
- if (!State)
+
+ // According to the values of the arguments, bind the value of the second
+ // argument to the destination buffer and set string length, or just
+ // invalidate the destination buffer.
+ if (!memsetAux(Mem, CharE, Size, C, State))
return;
State = State->BindExpr(CE, LCtx, MemVal);
Modified: cfe/trunk/test/Analysis/bstring.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/bstring.cpp?rev=332463&r1=332462&r2=332463&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/bstring.cpp (original)
+++ cfe/trunk/test/Analysis/bstring.cpp Wed May 16 05:37:53 2018
@@ -1,7 +1,8 @@
-// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix.cstring,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -verify %s
-// RUN: %clang_analyze_cc1 -DUSE_BUILTINS -analyzer-checker=core,unix.cstring,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -verify %s
-// RUN: %clang_analyze_cc1 -DVARIANT -analyzer-checker=core,unix.cstring,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -verify %s
-// RUN: %clang_analyze_cc1 -DUSE_BUILTINS -DVARIANT -analyzer-checker=core,unix.cstring,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -verify %s
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix.cstring,unix.Malloc,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -verify %s
+// RUN: %clang_analyze_cc1 -DUSE_BUILTINS -analyzer-checker=core,unix.cstring,unix.Malloc,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -verify %s
+// RUN: %clang_analyze_cc1 -DVARIANT -analyzer-checker=core,unix.cstring,alpha.unix.cstring,unix.Malloc,debug.ExprInspection -analyzer-store=region -verify %s
+// RUN: %clang_analyze_cc1 -DUSE_BUILTINS -DVARIANT -analyzer-checker=core,unix.cstring,alpha.unix.cstring,unix.Malloc,debug.ExprInspection -analyzer-store=region -verify %s
+// RUN: %clang_analyze_cc1 -DSUPPRESS_OUT_OF_BOUND -analyzer-checker=core,unix.cstring,unix.Malloc,alpha.unix.cstring.BufferOverlap,alpha.unix.cstring.NotNullTerminated,debug.ExprInspection -analyzer-store=region -verify %s
#include "Inputs/system-header-simulator-cxx.h"
#include "Inputs/system-header-simulator-for-malloc.h"
@@ -77,3 +78,118 @@ class b {
unsigned *f;
};
}
+
+void *memset(void *dest, int ch, std::size_t count);
+namespace memset_non_pod {
+class Base {
+public:
+ int b_mem;
+ Base() : b_mem(1) {}
+};
+
+class Derived : public Base {
+public:
+ int d_mem;
+ Derived() : d_mem(2) {}
+};
+
+void memset1_inheritance() {
+ Derived d;
+ memset(&d, 0, sizeof(Derived));
+ clang_analyzer_eval(d.b_mem == 0); // expected-warning{{TRUE}}
+ clang_analyzer_eval(d.d_mem == 0); // expected-warning{{TRUE}}
+}
+
+#ifdef SUPPRESS_OUT_OF_BOUND
+void memset2_inheritance_field() {
+ Derived d;
+ memset(&d.d_mem, 0, sizeof(Derived));
+ clang_analyzer_eval(d.b_mem == 0); // expected-warning{{UNKNOWN}}
+ clang_analyzer_eval(d.d_mem == 0); // expected-warning{{UNKNOWN}}
+}
+
+void memset3_inheritance_field() {
+ Derived d;
+ memset(&d.b_mem, 0, sizeof(Derived));
+ clang_analyzer_eval(d.b_mem == 0); // expected-warning{{TRUE}}
+ clang_analyzer_eval(d.d_mem == 0); // expected-warning{{TRUE}}
+}
+#endif
+
+void memset4_array_nonpod_object() {
+ Derived array[10];
+ clang_analyzer_eval(array[1].b_mem == 1); // expected-warning{{UNKNOWN}}
+ clang_analyzer_eval(array[1].d_mem == 2); // expected-warning{{UNKNOWN}}
+ memset(&array[1], 0, sizeof(Derived));
+ clang_analyzer_eval(array[1].b_mem == 0); // expected-warning{{UNKNOWN}}
+ clang_analyzer_eval(array[1].d_mem == 0); // expected-warning{{UNKNOWN}}
+}
+
+void memset5_array_nonpod_object() {
+ Derived array[10];
+ clang_analyzer_eval(array[1].b_mem == 1); // expected-warning{{UNKNOWN}}
+ clang_analyzer_eval(array[1].d_mem == 2); // expected-warning{{UNKNOWN}}
+ memset(array, 0, sizeof(array));
+ clang_analyzer_eval(array[1].b_mem == 0); // expected-warning{{TRUE}}
+ clang_analyzer_eval(array[1].d_mem == 0); // expected-warning{{TRUE}}
+}
+
+void memset6_new_array_nonpod_object() {
+ Derived *array = new Derived[10];
+ clang_analyzer_eval(array[2].b_mem == 1); // expected-warning{{UNKNOWN}}
+ clang_analyzer_eval(array[2].d_mem == 2); // expected-warning{{UNKNOWN}}
+ memset(array, 0, 10 * sizeof(Derived));
+ clang_analyzer_eval(array[2].b_mem == 0); // expected-warning{{TRUE}}
+ clang_analyzer_eval(array[2].d_mem == 0); // expected-warning{{TRUE}}
+ delete[] array;
+}
+
+void memset7_placement_new() {
+ Derived *d = new Derived();
+ clang_analyzer_eval(d->b_mem == 1); // expected-warning{{TRUE}}
+ clang_analyzer_eval(d->d_mem == 2); // expected-warning{{TRUE}}
+
+ memset(d, 0, sizeof(Derived));
+ clang_analyzer_eval(d->b_mem == 0); // expected-warning{{TRUE}}
+ clang_analyzer_eval(d->d_mem == 0); // expected-warning{{TRUE}}
+
+ Derived *d1 = new (d) Derived();
+ clang_analyzer_eval(d1->b_mem == 1); // expected-warning{{TRUE}}
+ clang_analyzer_eval(d1->d_mem == 2); // expected-warning{{TRUE}}
+
+ memset(d1, 0, sizeof(Derived));
+ clang_analyzer_eval(d->b_mem == 0); // expected-warning{{TRUE}}
+ clang_analyzer_eval(d->d_mem == 0); // expected-warning{{TRUE}}
+}
+
+class BaseVirtual {
+public:
+ int b_mem;
+ virtual int get() { return 1; }
+};
+
+class DerivedVirtual : public BaseVirtual {
+public:
+ int d_mem;
+};
+
+#ifdef SUPPRESS_OUT_OF_BOUND
+void memset8_virtual_inheritance_field() {
+ DerivedVirtual d;
+ memset(&d.b_mem, 0, sizeof(Derived));
+ clang_analyzer_eval(d.b_mem == 0); // expected-warning{{UNKNOWN}}
+ clang_analyzer_eval(d.d_mem == 0); // expected-warning{{UNKNOWN}}
+}
+#endif
+} // namespace memset_non_pod
+
+#ifdef SUPPRESS_OUT_OF_BOUND
+void memset1_new_array() {
+ int *array = new int[10];
+ memset(array, 0, 10 * sizeof(int));
+ clang_analyzer_eval(array[2] == 0); // expected-warning{{TRUE}}
+ memset(array + 1, 'a', 10 * sizeof(9));
+ clang_analyzer_eval(array[2] == 0); // expected-warning{{UNKNOWN}}
+ delete[] array;
+}
+#endif
Modified: cfe/trunk/test/Analysis/null-deref-ps-region.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/null-deref-ps-region.c?rev=332463&r1=332462&r2=332463&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/null-deref-ps-region.c (original)
+++ cfe/trunk/test/Analysis/null-deref-ps-region.c Wed May 16 05:37:53 2018
@@ -22,7 +22,7 @@ void f14(int *a) {
void foo() {
int *x = malloc(sizeof(int));
memset(x, 0, sizeof(int));
- int n = 1 / *x; // FIXME: no-warning
+ int n = 1 / *x; // expected-warning {{Division by zero}}
free(x);
}
Modified: cfe/trunk/test/Analysis/string.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/string.c?rev=332463&r1=332462&r2=332463&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/string.c (original)
+++ cfe/trunk/test/Analysis/string.c Wed May 16 05:37:53 2018
@@ -1,7 +1,8 @@
-// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix.cstring,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -Wno-null-dereference -verify %s
-// RUN: %clang_analyze_cc1 -DUSE_BUILTINS -analyzer-checker=core,unix.cstring,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -Wno-null-dereference -verify %s
-// RUN: %clang_analyze_cc1 -DVARIANT -analyzer-checker=core,unix.cstring,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -Wno-null-dereference -verify %s
-// RUN: %clang_analyze_cc1 -DUSE_BUILTINS -DVARIANT -analyzer-checker=alpha.security.taint,core,unix.cstring,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -Wno-null-dereference -verify %s
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix.cstring,unix.Malloc,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -Wno-null-dereference -verify %s
+// RUN: %clang_analyze_cc1 -DUSE_BUILTINS -analyzer-checker=core,unix.cstring,unix.Malloc,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -Wno-null-dereference -verify %s
+// RUN: %clang_analyze_cc1 -DVARIANT -analyzer-checker=core,unix.cstring,unix.Malloc,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -Wno-null-dereference -verify %s
+// RUN: %clang_analyze_cc1 -DUSE_BUILTINS -DVARIANT -analyzer-checker=alpha.security.taint,core,unix.cstring,unix.Malloc,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -Wno-null-dereference -verify %s
+// RUN: %clang_analyze_cc1 -DSUPPRESS_OUT_OF_BOUND -analyzer-checker=core,unix.cstring,unix.Malloc,alpha.unix.cstring.BufferOverlap,alpha.unix.cstring.NotNullTerminated,debug.ExprInspection -analyzer-store=region -Wno-null-dereference -verify %s
//===----------------------------------------------------------------------===
// Declarations
@@ -1160,6 +1161,206 @@ void strsep_changes_input_string() {
}
//===----------------------------------------------------------------------===
+// memset()
+//===----------------------------------------------------------------------===
+
+void *memset(void *dest, int ch, size_t count);
+
+void *malloc(size_t size);
+void free(void *);
+
+void memset1_char_array_null() {
+ char str[] = "abcd";
+ clang_analyzer_eval(strlen(str) == 4); // expected-warning{{TRUE}}
+ memset(str, '\0', 2);
+ clang_analyzer_eval(strlen(str) == 0); // expected-warning{{TRUE}}
+}
+
+void memset2_char_array_null() {
+ char str[] = "abcd";
+ clang_analyzer_eval(strlen(str) == 4); // expected-warning{{TRUE}}
+ memset(str, '\0', strlen(str) + 1);
+ clang_analyzer_eval(strlen(str) == 0); // expected-warning{{TRUE}}
+ clang_analyzer_eval(str[2] == 0); // expected-warning{{TRUE}}
+}
+
+void memset3_char_malloc_null() {
+ char *str = (char *)malloc(10 * sizeof(char));
+ memset(str + 1, '\0', 8);
+ clang_analyzer_eval(str[1] == 0); // expected-warning{{UNKNOWN}}
+ free(str);
+}
+
+void memset4_char_malloc_null() {
+ char *str = (char *)malloc(10 * sizeof(char));
+ //void *str = malloc(10 * sizeof(char));
+ memset(str, '\0', 10);
+ clang_analyzer_eval(str[1] == 0); // expected-warning{{TRUE}}
+ clang_analyzer_eval(strlen(str) == 0); // expected-warning{{TRUE}}
+ free(str);
+}
+
+#ifdef SUPPRESS_OUT_OF_BOUND
+void memset5_char_malloc_overflow_null() {
+ char *str = (char *)malloc(10 * sizeof(char));
+ memset(str, '\0', 12);
+ clang_analyzer_eval(str[1] == 0); // expected-warning{{UNKNOWN}}
+ free(str);
+}
+#endif
+
+void memset6_char_array_nonnull() {
+ char str[] = "abcd";
+ clang_analyzer_eval(strlen(str) == 4); // expected-warning{{TRUE}}
+ memset(str, '0', 2);
+ clang_analyzer_eval(str[0] == 'a'); // expected-warning{{UNKNOWN}}
+ clang_analyzer_eval(strlen(str) == 4); // expected-warning{{UNKNOWN}}
+}
+
+#ifdef SUPPRESS_OUT_OF_BOUND
+void memset8_char_array_nonnull() {
+ char str[5] = "abcd";
+ clang_analyzer_eval(strlen(str) == 4); // expected-warning{{TRUE}}
+ memset(str, '0', 10);
+ clang_analyzer_eval(str[0] != '0'); // expected-warning{{UNKNOWN}}
+ clang_analyzer_eval(strlen(str) >= 10); // expected-warning{{TRUE}}
+ clang_analyzer_eval(strlen(str) < 10); // expected-warning{{FALSE}}
+}
+#endif
+
+struct POD_memset {
+ int num;
+ char c;
+};
+
+void memset10_struct() {
+ struct POD_memset pod;
+ char *str = (char *)&pod;
+ pod.num = 1;
+ pod.c = 1;
+ clang_analyzer_eval(pod.num == 0); // expected-warning{{FALSE}}
+ memset(str, 0, sizeof(struct POD_memset));
+ clang_analyzer_eval(pod.num == 0); // expected-warning{{TRUE}}
+}
+
+#ifdef SUPPRESS_OUT_OF_BOUND
+void memset11_struct_field() {
+ struct POD_memset pod;
+ pod.num = 1;
+ pod.c = '1';
+ memset(&pod.num, 0, sizeof(struct POD_memset));
+
+ clang_analyzer_eval(pod.num == 0); // expected-warning{{TRUE}}
+ clang_analyzer_eval(pod.c == '\0'); // expected-warning{{TRUE}}
+}
+
+void memset12_struct_field() {
+ struct POD_memset pod;
+ pod.num = 1;
+ pod.c = '1';
+ memset(&pod.c, 0, sizeof(struct POD_memset));
+ clang_analyzer_eval(pod.num == 0); // expected-warning{{UNKNOWN}}
+ clang_analyzer_eval(pod.c == 0); // expected-warning{{UNKNOWN}}
+}
+
+union U_memset {
+ int i;
+ double d;
+ char c;
+};
+
+void memset13_union_field() {
+ union U_memset u;
+ u.i = 5;
+ memset(&u.i, '\0', sizeof(union U_memset));
+ // Note: This should be TRUE, analyzer can't handle union perfectly now.
+ clang_analyzer_eval(u.d == 0); // expected-warning{{UNKNOWN}}
+}
+#endif
+
+void memset14_region_cast() {
+ char *str = (char *)malloc(10 * sizeof(int));
+ int *array = (int *)str;
+ memset(array, 0, 10 * sizeof(int));
+ clang_analyzer_eval(str[10] == '\0'); // expected-warning{{TRUE}}
+ clang_analyzer_eval(strlen((char *)array) == 0); // expected-warning{{TRUE}}
+ clang_analyzer_eval(strlen(str) == 0); // expected-warning{{TRUE}}
+ free(str);
+}
+
+void memset15_region_cast() {
+ char *str = (char *)malloc(10 * sizeof(int));
+ int *array = (int *)str;
+ memset(array, 0, 5 * sizeof(int));
+ clang_analyzer_eval(str[10] == '\0'); // expected-warning{{UNKNOWN}}
+ clang_analyzer_eval(strlen((char *)array) == 0); // expected-warning{{TRUE}}
+ clang_analyzer_eval(strlen(str) == 0); // expected-warning{{TRUE}}
+ free(str);
+}
+
+int memset20_scalar() {
+ int *x = malloc(sizeof(int));
+ *x = 10;
+ memset(x, 0, sizeof(int));
+ int num = 1 / *x; // expected-warning{{Division by zero}}
+ free(x);
+ return num;
+}
+
+int memset21_scalar() {
+ int *x = malloc(sizeof(int));
+ memset(x, 0, 1);
+ int num = 1 / *x;
+ free(x);
+ return num;
+}
+
+void memset22_array() {
+ int array[] = {1, 2, 3, 4, 5, 6, 7, 8, 9};
+ clang_analyzer_eval(array[1] == 2); // expected-warning{{TRUE}}
+ memset(array, 0, sizeof(array));
+ clang_analyzer_eval(array[1] == 0); // expected-warning{{TRUE}}
+}
+
+void memset23_array_pod_object() {
+ struct POD_memset array[10];
+ array[1].num = 10;
+ array[1].c = 'c';
+ clang_analyzer_eval(array[1].num == 10); // expected-warning{{TRUE}}
+ memset(&array[1], 0, sizeof(struct POD_memset));
+ clang_analyzer_eval(array[1].num == 0); // expected-warning{{UNKNOWN}}
+}
+
+void memset24_array_pod_object() {
+ struct POD_memset array[10];
+ array[1].num = 10;
+ array[1].c = 'c';
+ clang_analyzer_eval(array[1].num == 10); // expected-warning{{TRUE}}
+ memset(array, 0, sizeof(array));
+ clang_analyzer_eval(array[1].num == 0); // expected-warning{{TRUE}}
+}
+
+void memset25_symbol(char c) {
+ char array[10] = {1};
+ if (c != 0)
+ return;
+
+ memset(array, c, 10);
+
+ clang_analyzer_eval(strlen(array) == 0); // expected-warning{{TRUE}}
+ clang_analyzer_eval(array[4] == 0); // expected-warning{{TRUE}}
+}
+
+void memset26_upper_UCHAR_MAX() {
+ char array[10] = {1};
+
+ memset(array, 1024, 10);
+
+ clang_analyzer_eval(strlen(array) == 0); // expected-warning{{TRUE}}
+ clang_analyzer_eval(array[4] == 0); // expected-warning{{TRUE}}
+}
+
+//===----------------------------------------------------------------------===
// FIXMEs
//===----------------------------------------------------------------------===
@@ -1186,3 +1387,87 @@ void strncpy_exactly_matching_buffer2(ch
// This time, we know that y fits in x anyway.
clang_analyzer_eval(strlen(x) <= 3); // expected-warning{{UNKNOWN}}
}
+
+void memset7_char_array_nonnull() {
+ char str[5] = "abcd";
+ clang_analyzer_eval(strlen(str) == 4); // expected-warning{{TRUE}}
+ memset(str, '0', 5);
+ // FIXME: This should be TRUE.
+ clang_analyzer_eval(str[0] == '0'); // expected-warning{{UNKNOWN}}
+ clang_analyzer_eval(strlen(str) >= 5); // expected-warning{{TRUE}}
+}
+
+void memset16_region_cast() {
+ char *str = (char *)malloc(10 * sizeof(int));
+ int *array = (int *)str;
+ memset(array, '0', 10 * sizeof(int));
+ // FIXME: This should be TRUE.
+ clang_analyzer_eval(str[10] == '0'); // expected-warning{{UNKNOWN}}
+ clang_analyzer_eval(strlen((char *)array) >= 10 * sizeof(int)); // expected-warning{{TRUE}}
+ clang_analyzer_eval(strlen(str) >= 10 * sizeof(int)); // expected-warning{{TRUE}}
+ free(str);
+}
+
+#ifdef SUPPRESS_OUT_OF_BOUND
+void memset17_region_cast() {
+ char *str = (char *)malloc(10 * sizeof(int));
+ int *array = (int *)str;
+ memset(array, '0', 12 * sizeof(int));
+ clang_analyzer_eval(str[10] == '0'); // expected-warning{{UNKNOWN}}
+ clang_analyzer_eval(strlen((char *)array) >= 12 * sizeof(int)); // expected-warning{{TRUE}}
+ clang_analyzer_eval(strlen(str) >= 12 * sizeof(int)); // expected-warning{{TRUE}}
+ free(str);
+}
+
+void memset18_memset_multiple_times() {
+ char *str = (char *)malloc(10 * sizeof(char));
+ clang_analyzer_eval(strlen(str) == 0); // expected-warning{{UNKNOWN}}
+
+ memset(str + 2, '\0', 10 * sizeof(char));
+ clang_analyzer_eval(strlen(str) == 0); // expected-warning{{UNKNOWN}}
+ clang_analyzer_eval(str[1] == '\0'); // expected-warning{{UNKNOWN}}
+
+ memset(str, '0', 10 * sizeof(char));
+ clang_analyzer_eval(strlen(str) >= 10); // expected-warning{{TRUE}}
+ // FIXME: This should be TRUE.
+ clang_analyzer_eval(str[1] == '0'); // expected-warning{{UNKNOWN}}
+
+ free(str);
+}
+
+void memset19_memset_multiple_times() {
+ char *str = (char *)malloc(10 * sizeof(char));
+ clang_analyzer_eval(strlen(str) == 0); // expected-warning{{UNKNOWN}}
+
+ memset(str, '0', 10 * sizeof(char));
+ clang_analyzer_eval(strlen(str) >= 10); // expected-warning{{TRUE}}
+ // FIXME: This should be TRUE.
+ clang_analyzer_eval(str[1] == '0'); // expected-warning{{UNKNOWN}}
+
+ memset(str + 2, '\0', 10 * sizeof(char));
+ clang_analyzer_eval(strlen(str) >= 10); // expected-warning{{UNKNOWN}}
+ clang_analyzer_eval(str[1] == '0'); // expected-warning{{UNKNOWN}}
+
+ free(str);
+}
+#endif
+
+// The analyzer does not support binding a symbol with default binding.
+void memset27_symbol(char c) {
+ char array[10] = {0};
+ if (c < 10)
+ return;
+
+ memset(array, c, 10);
+
+ clang_analyzer_eval(strlen(array) >= 10); // expected-warning{{TRUE}}
+ // FIXME: This should be TRUE.
+ clang_analyzer_eval(array[4] >= 10); // expected-warning{{UNKNOWN}}
+}
+
+void memset28() {
+ short x;
+ memset(&x, 1, sizeof(short));
+ // This should be true.
+ clang_analyzer_eval(x == 0x101); // expected-warning{{UNKNOWN}}
+}
More information about the cfe-commits
mailing list