[clang] [clang][analyzer] Add AllowWithoutC11 option to DeprecatedOrUnsafeBuf… (PR #168704)

[Balázs Benics via cfe-commits]

================
@@ -0,0 +1,48 @@
+// Test 1: Without C11 and without flag - should NOT warn
+// RUN: %clang_analyze_cc1 %s -verify -std=gnu99 \
+// RUN:   -analyzer-checker=security.insecureAPI.DeprecatedOrUnsafeBufferHandling \
+// RUN:   -DEXPECT_NO_WARNINGS
+
+// Test 2: Without C11 but with flag enabled - should warn
+// RUN: %clang_analyze_cc1 %s -verify -std=gnu99 \
+// RUN:   -analyzer-checker=security.insecureAPI.DeprecatedOrUnsafeBufferHandling \
+// RUN:   -analyzer-config security.insecureAPI.DeprecatedOrUnsafeBufferHandling:AllowWithoutC11=true \
+// RUN:   -DEXPECT_WARNINGS
+
+// Test 3: With C11 - should warn (existing behavior)
+// RUN: %clang_analyze_cc1 %s -verify -std=gnu11 \
+// RUN:   -analyzer-checker=security.insecureAPI.DeprecatedOrUnsafeBufferHandling \
+// RUN:   -DEXPECT_WARNINGS
+
+#include "Inputs/system-header-simulator.h"
+
+extern char buf[128];
+extern char src[128];
+
+void test_memcpy(void) {
+  memcpy(buf, src, 10);
+#ifdef EXPECT_WARNINGS
+  // expected-warning at -2{{Call to function 'memcpy' is insecure as it does not provide security checks introduced in the C11 standard}}
+#else
+  // expected-no-diagnostics
+#endif
----------------
steakhal wrote:

This is somewhat complicated.
I usually solve this by following 2 tactics:
 - Have an unconditional example reporting a diagnostic. This will ensure that all RUN lines have at least 1 expectation. This side steps the need to conditionally add the  `expected-no-diagnostics` comment.
 - For the different RUN lines, use specific verify prefixes. This documents in a clean and macro-free way what expectations set at different places. So use `-verify=common,RUN1` and `-verify=common,RUN2` etc. Ofc, use something more descriptive, but I'm sure you got it now.

https://github.com/llvm/llvm-project/pull/168704