clang/test/Analysis/ArrayBound/assumptions.c - llvm-project - Git at Google

 // RUN: %clang_analyze_cc1 -analyzer-checker=core,unix.Malloc,security.ArrayBound,debug.ExprInspection \
 // RUN:   -analyzer-config eagerly-assume=false -verify %s

 // When the checker security.ArrayBound encounters an array subscript operation
 // that _may be_ in bounds, it assumes that indexing _is_ in bound. This test
 // file validates these assumptions.

 void clang_analyzer_value(int);

 // Simple case: memory area with a static extent.

 extern int FiveInts[5];

 void int_plus_one(int len) {
   (void)FiveInts[len + 1]; // no-warning
   clang_analyzer_value(len); // expected-warning {{{ [-1, 3] }}}
 }

 void int_neutral(int len) {
   (void)FiveInts[len]; // no-warning
   clang_analyzer_value(len); // expected-warning {{{ [0, 4] }}}
 }

 void int_minus_one(int len) {
   (void)FiveInts[len - 1]; // no-warning
   clang_analyzer_value(len); // expected-warning {{{ [1, 5] }}}
 }

 void unsigned_plus_one(unsigned len) {
   (void)FiveInts[len + 1]; // no-warning
   clang_analyzer_value(len); // expected-warning {{{ [0, 3] }}}
 }

 void unsigned_neutral(unsigned len) {
   (void)FiveInts[len]; // no-warning
   clang_analyzer_value(len); // expected-warning {{{ [0, 4] }}}
 }

 void unsigned_minus_one(unsigned len) {
   (void)FiveInts[len - 1]; // no-warning
   clang_analyzer_value(len); // expected-warning {{{ [1, 5] }}}
 }

 void ll_plus_one(long long len) {
   (void)FiveInts[len + 1]; // no-warning
   clang_analyzer_value(len); // expected-warning {{{ [-1, 3] }}}
 }

 void ll_neutral(long long len) {
   (void)FiveInts[len]; // no-warning
   clang_analyzer_value(len); // expected-warning {{{ [0, 4] }}}
 }

 void ll_minus_one(long long len) {
   (void)FiveInts[len - 1]; // no-warning
   clang_analyzer_value(len); // expected-warning {{{ [1, 5] }}}
 }

 void ull_plus_one(unsigned long long len) {
   (void)FiveInts[len + 1]; // no-warning
   clang_analyzer_value(len); // expected-warning {{{ [0, 3] }}}
 }

 void ull_neutral(unsigned long long len) {
   (void)FiveInts[len]; // no-warning
   clang_analyzer_value(len); // expected-warning {{{ [0, 4] }}}
 }

 void ull_minus_one(unsigned long long len) {
   (void)FiveInts[len - 1]; // no-warning
   clang_analyzer_value(len); // expected-warning {{{ [1, 5] }}}
 }

 // Also try the same with a dynamically allocated memory block, because in the
 // past there were issues with the type/signedness of dynamic extent symbols.

 typedef __typeof(sizeof(int)) size_t;
 void *malloc(size_t);
 void free(void *);

 void dyn_int_plus_one(int len) {
   char *p = malloc(5);
   p[len + 1] = 1; // no-warning
   clang_analyzer_value(len); // expected-warning {{{ [-1, 3] }}}
   free(p);
 }

 void dyn_int_neutral(int len) {
   char *p = malloc(5);
   p[len] = 1; // no-warning
   clang_analyzer_value(len); // expected-warning {{{ [0, 4] }}}
   free(p);
 }

 void dyn_int_minus_one(int len) {
   char *p = malloc(5);
   p[len - 1] = 1; // no-warning
   clang_analyzer_value(len); // expected-warning {{{ [1, 5] }}}
   free(p);
 }

 void dyn_unsigned_plus_one(unsigned len) {
   char *p = malloc(5);
   p[len + 1] = 1; // no-warning
   clang_analyzer_value(len); // expected-warning {{{ [0, 3] }}}
   free(p);
 }

 void dyn_unsigned_neutral(unsigned len) {
   char *p = malloc(5);
   p[len] = 1; // no-warning
   clang_analyzer_value(len); // expected-warning {{{ [0, 4] }}}
   free(p);
 }

 void dyn_unsigned_minus_one(unsigned len) {
   char *p = malloc(5);
   p[len - 1] = 1; // no-warning
   clang_analyzer_value(len); // expected-warning {{{ [1, 5] }}}
   free(p);
 }

 void dyn_ll_plus_one(long long len) {
   char *p = malloc(5);
   p[len + 1] = 1; // no-warning
   clang_analyzer_value(len); // expected-warning {{{ [-1, 3] }}}
   free(p);
 }

 void dyn_ll_neutral(long long len) {
   char *p = malloc(5);
   p[len] = 1; // no-warning
   clang_analyzer_value(len); // expected-warning {{{ [0, 4] }}}
   free(p);
 }

 void dyn_ll_minus_one(long long len) {
   char *p = malloc(5);
   p[len - 1] = 1; // no-warning
   clang_analyzer_value(len); // expected-warning {{{ [1, 5] }}}
   free(p);
 }

 void dyn_ull_plus_one(unsigned long long len) {
   char *p = malloc(5);
   p[len + 1] = 1; // no-warning
   clang_analyzer_value(len); // expected-warning {{{ [0, 3] }}}
   free(p);
 }

 void dyn_ull_neutral(unsigned long long len) {
   char *p = malloc(5);
   p[len] = 1; // no-warning
   clang_analyzer_value(len); // expected-warning {{{ [0, 4] }}}
   free(p);
 }

 void dyn_ull_minus_one(unsigned long long len) {
   char *p = malloc(5);
   p[len - 1] = 1; // no-warning
   clang_analyzer_value(len); // expected-warning {{{ [1, 5] }}}
   free(p);
 }
	// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix.Malloc,security.ArrayBound,debug.ExprInspection \
	// RUN: -analyzer-config eagerly-assume=false -verify %s

	// When the checker security.ArrayBound encounters an array subscript operation
	// that _may be_ in bounds, it assumes that indexing _is_ in bound. This test
	// file validates these assumptions.

	void clang_analyzer_value(int);

	// Simple case: memory area with a static extent.

	extern int FiveInts[5];

	void int_plus_one(int len) {
	(void)FiveInts[len + 1]; // no-warning
	clang_analyzer_value(len); // expected-warning {{{ [-1, 3] }}}
	}

	void int_neutral(int len) {
	(void)FiveInts[len]; // no-warning
	clang_analyzer_value(len); // expected-warning {{{ [0, 4] }}}
	}

	void int_minus_one(int len) {
	(void)FiveInts[len - 1]; // no-warning
	clang_analyzer_value(len); // expected-warning {{{ [1, 5] }}}
	}

	void unsigned_plus_one(unsigned len) {
	(void)FiveInts[len + 1]; // no-warning
	clang_analyzer_value(len); // expected-warning {{{ [0, 3] }}}
	}

	void unsigned_neutral(unsigned len) {
	(void)FiveInts[len]; // no-warning
	clang_analyzer_value(len); // expected-warning {{{ [0, 4] }}}
	}

	void unsigned_minus_one(unsigned len) {
	(void)FiveInts[len - 1]; // no-warning
	clang_analyzer_value(len); // expected-warning {{{ [1, 5] }}}
	}

	void ll_plus_one(long long len) {
	(void)FiveInts[len + 1]; // no-warning
	clang_analyzer_value(len); // expected-warning {{{ [-1, 3] }}}
	}

	void ll_neutral(long long len) {
	(void)FiveInts[len]; // no-warning
	clang_analyzer_value(len); // expected-warning {{{ [0, 4] }}}
	}

	void ll_minus_one(long long len) {
	(void)FiveInts[len - 1]; // no-warning
	clang_analyzer_value(len); // expected-warning {{{ [1, 5] }}}
	}

	void ull_plus_one(unsigned long long len) {
	(void)FiveInts[len + 1]; // no-warning
	clang_analyzer_value(len); // expected-warning {{{ [0, 3] }}}
	}

	void ull_neutral(unsigned long long len) {
	(void)FiveInts[len]; // no-warning
	clang_analyzer_value(len); // expected-warning {{{ [0, 4] }}}
	}

	void ull_minus_one(unsigned long long len) {
	(void)FiveInts[len - 1]; // no-warning
	clang_analyzer_value(len); // expected-warning {{{ [1, 5] }}}
	}

	// Also try the same with a dynamically allocated memory block, because in the
	// past there were issues with the type/signedness of dynamic extent symbols.

	typedef __typeof(sizeof(int)) size_t;
	void *malloc(size_t);
	void free(void *);

	void dyn_int_plus_one(int len) {
	char *p = malloc(5);
	p[len + 1] = 1; // no-warning
	clang_analyzer_value(len); // expected-warning {{{ [-1, 3] }}}
	free(p);
	}

	void dyn_int_neutral(int len) {
	char *p = malloc(5);
	p[len] = 1; // no-warning
	clang_analyzer_value(len); // expected-warning {{{ [0, 4] }}}
	free(p);
	}

	void dyn_int_minus_one(int len) {
	char *p = malloc(5);
	p[len - 1] = 1; // no-warning
	clang_analyzer_value(len); // expected-warning {{{ [1, 5] }}}
	free(p);
	}

	void dyn_unsigned_plus_one(unsigned len) {
	char *p = malloc(5);
	p[len + 1] = 1; // no-warning
	clang_analyzer_value(len); // expected-warning {{{ [0, 3] }}}
	free(p);
	}

	void dyn_unsigned_neutral(unsigned len) {
	char *p = malloc(5);
	p[len] = 1; // no-warning
	clang_analyzer_value(len); // expected-warning {{{ [0, 4] }}}
	free(p);
	}

	void dyn_unsigned_minus_one(unsigned len) {
	char *p = malloc(5);
	p[len - 1] = 1; // no-warning
	clang_analyzer_value(len); // expected-warning {{{ [1, 5] }}}
	free(p);
	}

	void dyn_ll_plus_one(long long len) {
	char *p = malloc(5);
	p[len + 1] = 1; // no-warning
	clang_analyzer_value(len); // expected-warning {{{ [-1, 3] }}}
	free(p);
	}

	void dyn_ll_neutral(long long len) {
	char *p = malloc(5);
	p[len] = 1; // no-warning
	clang_analyzer_value(len); // expected-warning {{{ [0, 4] }}}
	free(p);
	}

	void dyn_ll_minus_one(long long len) {
	char *p = malloc(5);
	p[len - 1] = 1; // no-warning
	clang_analyzer_value(len); // expected-warning {{{ [1, 5] }}}
	free(p);
	}

	void dyn_ull_plus_one(unsigned long long len) {
	char *p = malloc(5);
	p[len + 1] = 1; // no-warning
	clang_analyzer_value(len); // expected-warning {{{ [0, 3] }}}
	free(p);
	}

	void dyn_ull_neutral(unsigned long long len) {
	char *p = malloc(5);
	p[len] = 1; // no-warning
	clang_analyzer_value(len); // expected-warning {{{ [0, 4] }}}
	free(p);
	}

	void dyn_ull_minus_one(unsigned long long len) {
	char *p = malloc(5);
	p[len - 1] = 1; // no-warning
	clang_analyzer_value(len); // expected-warning {{{ [1, 5] }}}
	free(p);
	}