clang/test/Analysis/bstring_UninitRead.c - llvm-project - Git at Google

 // RUN: %clang_analyze_cc1 -verify %s \
 // RUN: -analyzer-checker=core,alpha.unix.cstring

 //===----------------------------------------------------------------------===//
 // mempcpy() using character array. This is the easiest case, as memcpy
 // intepretrs the dst and src buffers as character arrays (regardless of their
 // actual type).
 //===----------------------------------------------------------------------===//

 typedef typeof(sizeof(int)) size_t;

 void clang_analyzer_eval(int);

 void *memcpy(void *restrict s1, const void *restrict s2, size_t n);

 void memcpy_array_fully_uninit(char *dst) {
   char buf[10];
   memcpy(dst, buf, 10); // expected-warning{{The first element of the 2nd argument is undefined}}
                         // expected-note@-1{{Other elements might also be undefined}}
   (void)buf;
 }

 void memcpy_array_partially_uninit(char *dst) {
   char buf[10];
   buf[0] = 'i';
   memcpy(dst, buf, 10); // expected-warning{{The last accessed element (at index 9) in the 2nd argument is undefined}}
                         // expected-note@-1{{Other elements might also be undefined}}
   (void)buf;
 }

 void memcpy_array_only_init_portion(char *dst) {
   char buf[10];
   buf[0] = 'i';
   memcpy(dst, buf, 1);
   (void)buf;
 }

 void memcpy_array_partially_init_error(char *dst) {
   char buf[10];
   buf[0] = 'i';
   memcpy(dst, buf, 2); // expected-warning{{The last accessed element (at index 1) in the 2nd argument is undefined}}
                       // expected-note@-1{{Other elements might also be undefined}}
   (void)buf;
 }

 // The interesting case here is that the portion we're copying is initialized,
 // but not the whole matrix. We need to be careful to extract buf[1], and not
 // buf when trying to peel region layers off from the source argument.
 void memcpy_array_from_matrix(char *dst) {
   char buf[2][2];
   buf[1][0] = 'i';
   buf[1][1] = 'j';
   // FIXME: This is a FP -- we mistakenly retrieve the first element of buf,
   // instead of the first element of buf[1]. getLValueElement simply peels off
   // another ElementRegion layer, when in this case it really shouldn't.
   memcpy(dst, buf[1], 2); // expected-warning{{The first element of the 2nd argument is undefined}}
                           // expected-note@-1{{Other elements might also be undefined}}
   (void)buf;
 }

 //===----------------------------------------------------------------------===//
 // mempcpy() using non-character arrays.
 //===----------------------------------------------------------------------===//

 void *mempcpy(void *restrict s1, const void *restrict s2, size_t n);

 void memcpy_int_array_fully_init() {
   int src[] = {1, 2, 3, 4};
   int dst[5] = {0};
   int *p;

   p = mempcpy(dst, src, 4 * sizeof(int));
   clang_analyzer_eval(p == &dst[4]);
 }

 void memcpy_int_array_fully_init2(int *dest) {
   int t[] = {1, 2, 3};
   memcpy(dest, t, sizeof(t));
 }

 //===----------------------------------------------------------------------===//
 // mempcpy() using nonarrays.
 //===----------------------------------------------------------------------===//

 struct st {
   int i;
   int j;
 };

 void mempcpy_struct_partially_uninit() {
   struct st s1 = {0};
   struct st s2;
   struct st *p1;
   struct st *p2;

   p1 = (&s2) + 1;

   // FIXME: Maybe ask UninitializedObjectChecker whether s1 is fully
   // initialized?
   p2 = mempcpy(&s2, &s1, sizeof(struct st));

   clang_analyzer_eval(p1 == p2);
 }

 void mempcpy_struct_fully_uninit() {
   struct st s1;
   struct st s2;

   // FIXME: Maybe ask UninitializedObjectChecker whether s1 is fully
   // initialized?
   mempcpy(&s2, &s1, sizeof(struct st));
 }

 // Creduced crash. In this case, an symbolicregion is wrapped in an
 // elementregion for the src argument.
 void *ga_copy_strings_from_0;
 void *memmove();
 void alloc();
 void ga_copy_strings() {
   int i = 0;
   for (;; ++i)
     memmove(alloc, ((char **)ga_copy_strings_from_0)[i], 1);
 }

 // Creduced crash. In this case, retrieving the Loc for the first element failed.
 char mov_mdhd_language_map[][4] = {};
 int ff_mov_lang_to_iso639_code;
 char *ff_mov_lang_to_iso639_to;
 void ff_mov_lang_to_iso639() {
   memcpy(ff_mov_lang_to_iso639_to,
          mov_mdhd_language_map[ff_mov_lang_to_iso639_code], 4);
 }
	// RUN: %clang_analyze_cc1 -verify %s \
	// RUN: -analyzer-checker=core,alpha.unix.cstring

	//===----------------------------------------------------------------------===//
	// mempcpy() using character array. This is the easiest case, as memcpy
	// intepretrs the dst and src buffers as character arrays (regardless of their
	// actual type).
	//===----------------------------------------------------------------------===//

	typedef typeof(sizeof(int)) size_t;

	void clang_analyzer_eval(int);

	void memcpy(void restrict s1, const void *restrict s2, size_t n);

	void memcpy_array_fully_uninit(char *dst) {
	char buf[10];
	memcpy(dst, buf, 10); // expected-warning{{The first element of the 2nd argument is undefined}}
	// expected-note@-1{{Other elements might also be undefined}}
	(void)buf;
	}

	void memcpy_array_partially_uninit(char *dst) {
	char buf[10];
	buf[0] = 'i';
	memcpy(dst, buf, 10); // expected-warning{{The last accessed element (at index 9) in the 2nd argument is undefined}}
	// expected-note@-1{{Other elements might also be undefined}}
	(void)buf;
	}

	void memcpy_array_only_init_portion(char *dst) {
	char buf[10];
	buf[0] = 'i';
	memcpy(dst, buf, 1);
	(void)buf;
	}

	void memcpy_array_partially_init_error(char *dst) {
	char buf[10];
	buf[0] = 'i';
	memcpy(dst, buf, 2); // expected-warning{{The last accessed element (at index 1) in the 2nd argument is undefined}}
	// expected-note@-1{{Other elements might also be undefined}}
	(void)buf;
	}

	// The interesting case here is that the portion we're copying is initialized,
	// but not the whole matrix. We need to be careful to extract buf[1], and not
	// buf when trying to peel region layers off from the source argument.
	void memcpy_array_from_matrix(char *dst) {
	char buf[2][2];
	buf[1][0] = 'i';
	buf[1][1] = 'j';
	// FIXME: This is a FP -- we mistakenly retrieve the first element of buf,
	// instead of the first element of buf[1]. getLValueElement simply peels off
	// another ElementRegion layer, when in this case it really shouldn't.
	memcpy(dst, buf[1], 2); // expected-warning{{The first element of the 2nd argument is undefined}}
	// expected-note@-1{{Other elements might also be undefined}}
	(void)buf;
	}

	//===----------------------------------------------------------------------===//
	// mempcpy() using non-character arrays.
	//===----------------------------------------------------------------------===//

	void mempcpy(void restrict s1, const void *restrict s2, size_t n);

	void memcpy_int_array_fully_init() {
	int src[] = {1, 2, 3, 4};
	int dst[5] = {0};
	int *p;

	p = mempcpy(dst, src, 4 * sizeof(int));
	clang_analyzer_eval(p == &dst[4]);
	}

	void memcpy_int_array_fully_init2(int *dest) {
	int t[] = {1, 2, 3};
	memcpy(dest, t, sizeof(t));
	}

	//===----------------------------------------------------------------------===//
	// mempcpy() using nonarrays.
	//===----------------------------------------------------------------------===//

	struct st {
	int i;
	int j;
	};

	void mempcpy_struct_partially_uninit() {
	struct st s1 = {0};
	struct st s2;
	struct st *p1;
	struct st *p2;

	p1 = (&s2) + 1;

	// FIXME: Maybe ask UninitializedObjectChecker whether s1 is fully
	// initialized?
	p2 = mempcpy(&s2, &s1, sizeof(struct st));

	clang_analyzer_eval(p1 == p2);
	}

	void mempcpy_struct_fully_uninit() {
	struct st s1;
	struct st s2;

	// FIXME: Maybe ask UninitializedObjectChecker whether s1 is fully
	// initialized?
	mempcpy(&s2, &s1, sizeof(struct st));
	}

	// Creduced crash. In this case, an symbolicregion is wrapped in an
	// elementregion for the src argument.
	void *ga_copy_strings_from_0;
	void *memmove();
	void alloc();
	void ga_copy_strings() {
	int i = 0;
	for (;; ++i)
	memmove(alloc, ((char **)ga_copy_strings_from_0)[i], 1);
	}

	// Creduced crash. In this case, retrieving the Loc for the first element failed.
	char mov_mdhd_language_map[][4] = {};
	int ff_mov_lang_to_iso639_code;
	char *ff_mov_lang_to_iso639_to;
	void ff_mov_lang_to_iso639() {
	memcpy(ff_mov_lang_to_iso639_to,
	mov_mdhd_language_map[ff_mov_lang_to_iso639_code], 4);
	}