1// RUN: %clang_cc1 -Wno-array-bounds -analyze -analyzer-checker=core,alpha.unix,alpha.security.ArrayBound -analyzer-store=region -verify %s
2
// Local stand-ins for the libc declarations this test uses; no header is
// included in this listing. size_t is derived from the result type of sizeof.
3typedef __typeof(sizeof(int)) size_t;
4void *malloc(size_t);
5void *calloc(size_t, size_t);
6
// String-literal case: "abcd" occupies five bytes including the terminating
// NUL, so index 4 is the last valid element and index 5 is one past the end.
7char f1() {
8  char* s = "abcd";
  // Reads the terminator; still inside the literal's storage.
9  char c = s[4]; // no-warning
  // First byte beyond the literal; this is the read the checker must report.
10  return s[5] + c; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
11}
12
// Heap case: a 12-byte malloc region indexed as an int array.
// NOTE(review): the diagnostic on p[3] presumes sizeof(int) == 4, so that
// index 3 starts at byte offset 12; the RUN line shown pins no target triple.
// The malloc result is used without a NULL check, which is incidental to what
// this case exercises.
13void f2() {
14  int *p = malloc(12);
15  p[3] = 4; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
16}
17
// Aggregate wrapping a three-element int array; used by f3, f4 and f7.
18struct three_words {
19  int c[3];
20};
21
// Aggregate wrapping a seven-element int array; f4 uses it as the backing
// storage that is reinterpreted as three_words elements.
22struct seven_words {
23  int c[7];
24};
25
// Pointer-to-single-object case: p addresses exactly one three_words object,
// so only element 0 exists when p is indexed like an array.
26void f3() {
27  struct three_words a, *p;
28  p = &a;
  // Self-assignment through index 0 stays within the object.
29  p[0] = a; // no-warning
  // Index 1 is a whole-struct store past the single object.
30  p[1] = a; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
31}
32
// Cast case: a seven-int object is viewed through a pointer to three-int
// structs. Two such elements (six ints) fit; the third would need ints 6..8
// while the backing object ends after int 6.
// NOTE(review): presumes neither struct carries padding; confirm per target.
33void f4() {
34  struct seven_words c;
35  struct three_words a, *p = (struct three_words *)&c;
36  p[0] = a; // no-warning
37  p[1] = a; // no-warning
  // Partially overlaps the end of c, so the store overruns the region.
38  p[2] = a; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
39}
40
// calloc case: the extent is the product of both arguments (2 * 2 = 4 bytes),
// so char indices 0..3 are valid and index 4 is one past the end.
// The calloc result is used without a NULL check; that is incidental here.
41void f5() {
42  char *p = calloc(2,2);
43  p[3] = '.'; // no-warning
44  p[4] = '!'; // expected-warning{{out-of-bound}}
45}
46
// Element-type mismatch case: a two-byte char array is accessed through an
// int pointer, so the bound has to be evaluated in bytes rather than in
// elements of the declared array type.
47void f6() {
48  char a[2];
49  int *b = (int*)a;
  // An int-sized store at index 1 lands beyond the two bytes of a.
50  b[1] = 3; // expected-warning{{out-of-bound}}
51}
52
// Struct-member case: the array lives inside a struct field; c has three
// elements, so index 3 is one past the end of the member array.
53void f7() {
54  struct three_words a;
55  a.c[3] = 1; // expected-warning{{out-of-bound}}
56}
57
// Variable-length-array case: the branch condition pins a to 5, which fixes
// the VLA extent at five ints on this path even though a is a parameter.
58void vla(int a) {
59  if (a == 5) {
60    int x[a];
    // Last valid element of the five-element VLA.
61    x[4] = 4; // no-warning
    // One past the end of the VLA.
62    x[5] = 5; // expected-warning{{out-of-bound}}
63  }
64}
65
// alloca case: same shape as vla(), but the storage comes from
// __builtin_alloca with a size the branch condition constrains to 5 bytes.
66void alloca_region(int a) {
67  if (a == 5) {
68    char *x = __builtin_alloca(a);
    // Last valid byte of the five-byte region.
69    x[4] = 4; // no-warning
    // One past the end of the region.
70    x[5] = 5; // expected-warning{{out-of-bound}}
71  }
72}
73
// Symbolic-index upper-bound case: the array extent is constant and the index
// is a parameter whose value is only known from the path constraint a == 2.
// Returns 0 on every path where a != 2.
74int symbolic_index(int a) {
75  int x[2] = {1, 2};
76  if (a == 2) {
    // With a constrained to 2, this reads one past the two-element array.
77    return x[a]; // expected-warning{{out-of-bound}}
78  }
79  return 0;
80}
81
// Symbolic-index lower-bound case: the path constraint a < 0 makes every
// feasible index negative, so the read falls before the start of x.
// Returns 0 on every path where a >= 0.
82int symbolic_index2(int a) {
83  int x[2] = {1, 2};
84  if (a < 0) {
    // Negative index: underflow rather than overflow of the array.
85    return x[a]; // expected-warning{{out-of-bound}}
86  }
87  return 0;
88}
89
// Unrolled binary search over a 31-entry table (1e-8 through 1e22, valid
// indices 0..30). The index starts at 16 and moves by 8, 4, 2 and 1, so after
// the fourth step it ranges over 1..31; taking every else-branch yields 31,
// one past the last element. The final comparison reads ins[eee] on that
// path, which is the access the checker must report.
// Returns 0 for inputs outside [1e-8, 1e23], otherwise the final index.
90int overflow_binary_search(double in) {
91  int eee = 16;
92  if (in < 1e-8 || in > 1e23) {
93    return 0;
94  } else {
    // The range check above admits values up to 1e23, but the table stops at
    // 1e22; inputs at or above the largest entries drive the index upward at
    // every step.
95    static const double ins[] = {1e-8, 1e-7, 1e-6, 1e-5, 1e-4, 1e-3, 1e-2, 1e-1,
96                                 1e0, 1e1, 1e2, 1e3, 1e4, 1e5, 1e6, 1e7,
97                                 1e8, 1e9, 1e10, 1e11, 1e12, 1e13, 1e14, 1e15,
98                                 1e16, 1e17, 1e18, 1e19, 1e20, 1e21, 1e22};
    // Step 8: eee becomes 8 or 24.
99    if (in < ins[eee]) {
100      eee -= 8;
101    } else {
102      eee += 8;
103    }
    // Step 4: eee becomes one of 4, 12, 20, 28.
104    if (in < ins[eee]) {
105      eee -= 4;
106    } else {
107      eee += 4;
108    }
    // Step 2: eee is at most 30, still a valid index.
109    if (in < ins[eee]) {
110      eee -= 2;
111    } else {
112      eee += 2;
113    }
    // Step 1: eee can now reach 31, which is outside the table.
114    if (in < ins[eee]) {
115      eee -= 1;
116    } else {
117      eee += 1;
118    }
    // Reads ins[31] on the all-else path; no bound check precedes this read.
119    if (in < ins[eee]) { // expected-warning {{Access out-of-bound array element (buffer overflow)}}
120      eee -= 1;
121    }
122  }
123  return eee;
124}
125