[PATCH] D86870: [analyzer] Add more tests for ArrayBoundCheckerV2

Balázs Benics via Phabricator via cfe-commits Mon, 31 Aug 2020 04:31:37 -0700

steakhal created this revision.
steakhal added reviewers: NoQ, vsavchenko, xazax.hun, Szelethus, martong.
Herald added subscribers: cfe-commits, ASDenysPetrov, Charusso, dkrupp, 
donat.nagy, mikhail.ramalho, a.sidorin, rnkovacs, szepet, baloghadamsoftware, 
whisperity.
Herald added a project: clang.
steakhal requested review of this revision.


According to a Bugzilla ticket <https://bugs.llvm.org/show_bug.cgi?id=45148> 
produces a false-positive report.
This patch adds a test demonstrating the current //flawed// behavior.
Also adds several similar test cases just to be on the safe side.


Repository:
  rG LLVM Github Monorepo

https://reviews.llvm.org/D86870

Files:
  clang/test/Analysis/out-of-bounds-false-positive.c

Index: clang/test/Analysis/out-of-bounds-false-positive.c
===================================================================
--- /dev/null
+++ clang/test/Analysis/out-of-bounds-false-positive.c
@@ -0,0 +1,101 @@
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.security.ArrayBoundV2,debug.ExprInspection \
+// RUN:   -analyzer-config eagerly-assume=false -verify %s
+
+void clang_analyzer_eval(int);
+void clang_analyzer_printState();
+
+typedef unsigned long long size_t;
+const char a[] = "abcd"; // extent: 5 bytes
+
+void symbolic_size_t_and_int0(size_t len) {
+  // FIXME: Should not warn for this.
+  (void)a[len + 1]; // expected-warning {{Out of bound memory access}}
+  // We infered that the 'len' must be in a specific range to make the previous indexing valid.
+  // len: [0,3]
+  clang_analyzer_eval(len <= 3); // expected - warning {{TRUE}}
+  clang_analyzer_eval(len <= 2); // expected - warning {{UNKNOWN}}
+}
+
+void symbolic_size_t_and_int1(size_t len) {
+  (void)a[len]; // no-warning
+  // len: [0,4]
+  clang_analyzer_eval(len <= 4); // expected-warning {{TRUE}}
+  clang_analyzer_eval(len <= 3); // expected-warning {{UNKNOWN}}
+}
+
+void symbolic_size_t_and_int2(size_t len) {
+  (void)a[len - 1]; // no-warning
+  // len: [1,5]
+  clang_analyzer_eval(1 <= len && len <= 5); // expected-warning {{TRUE}}
+  clang_analyzer_eval(2 <= len);             // expected-warning {{UNKNOWN}}
+  clang_analyzer_eval(len <= 4);             // expected-warning {{UNKNOWN}}
+}
+
+void symbolic_uint_and_int0(unsigned len) {
+  (void)a[len + 1]; // no-warning
+  // len: [0,3]
+  clang_analyzer_eval(0 <= len && len <= 3); // expected-warning {{TRUE}}
+  clang_analyzer_eval(1 <= len);             // expected-warning {{UNKNOWN}}
+  clang_analyzer_eval(len <= 2);             // expected-warning {{UNKNOWN}}
+}
+
+void symbolic_uint_and_int1(unsigned len) {
+  (void)a[len]; // no-warning
+  // len: [0,4]
+  clang_analyzer_eval(0 <= len && len <= 4); // expected-warning {{TRUE}}
+  clang_analyzer_eval(1 <= len);             // expected-warning {{UNKNOWN}}
+  clang_analyzer_eval(len <= 3);             // expected-warning {{UNKNOWN}}
+}
+void symbolic_uint_and_int2(unsigned len) {
+  (void)a[len - 1]; // no-warning
+  // len: [1,5]
+  clang_analyzer_eval(1 <= len && len <= 5); // expected-warning {{TRUE}}
+  clang_analyzer_eval(2 <= len);             // expected-warning {{UNKNOWN}}
+  clang_analyzer_eval(len <= 4);             // expected-warning {{UNKNOWN}}
+}
+
+void symbolic_int_and_int0(int len) {
+  (void)a[len + 1]; // no-warning
+  // len: [-1,3]
+  clang_analyzer_eval(-1 <= len && len <= 3); // expected-warning {{TRUE}}
+  clang_analyzer_eval(0 <= len);              // expected-warning {{UNKNOWN}}
+  clang_analyzer_eval(len <= 2);              // expected-warning {{UNKNOWN}}
+}
+void symbolic_int_and_int1(int len) {
+  (void)a[len]; // no-warning
+  // len: [0,4]
+  clang_analyzer_eval(0 <= len && len <= 4); // expected-warning {{TRUE}}
+  clang_analyzer_eval(1 <= len);             // expected-warning {{UNKNOWN}}
+  clang_analyzer_eval(len <= 3);             // expected-warning {{UNKNOWN}}
+}
+void symbolic_int_and_int2(int len) {
+  (void)a[len - 1]; // no-warning
+  // len: [1,5]
+  clang_analyzer_eval(1 <= len && len <= 5); // expected-warning {{TRUE}}
+  clang_analyzer_eval(2 <= len);             // expected-warning {{UNKNOWN}}
+  clang_analyzer_eval(len <= 4);             // expected-warning {{UNKNOWN}}
+}
+
+void symbolic_longlong_and_int0(long long len) {
+  (void)a[len + 1]; // no-warning
+  // len: [-1,3]
+  clang_analyzer_eval(-1 <= len && len <= 3); // expected-warning {{TRUE}}
+  clang_analyzer_eval(0 <= len);              // expected-warning {{UNKNOWN}}
+  clang_analyzer_eval(len <= 2);              // expected-warning {{UNKNOWN}}
+}
+
+void symbolic_longlong_and_int1(long long len) {
+  (void)a[len]; // no-warning
+  // len: [0,4]
+  clang_analyzer_eval(0 <= len && len <= 4); // expected-warning {{TRUE}}
+  clang_analyzer_eval(1 <= len);             // expected-warning {{UNKNOWN}}
+  clang_analyzer_eval(len <= 3);             // expected-warning {{UNKNOWN}}
+}
+
+void symbolic_longlong_and_int2(long long len) {
+  (void)a[len - 1]; // no-warning
+  // len: [1,5]
+  clang_analyzer_eval(1 <= len && len <= 5); // expected-warning {{TRUE}}
+  clang_analyzer_eval(2 <= len);             // expected-warning {{UNKNOWN}}
+  clang_analyzer_eval(len <= 4);             // expected-warning {{UNKNOWN}}
+}

_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

[PATCH] D86870: [analyzer] Add more tests for ArrayBoundCheckerV2

Reply via email to