string.c revision 067bbd0e11c71a33b51832532e836971be697699 
1// RUN: %clang_cc1 -analyze -analyzer-checker=core,cplusplus.experimental.CString,deadcode.experimental.UnreachableCode -analyzer-store=region -verify %s
2// RUN: %clang_cc1 -analyze -DUSE_BUILTINS -analyzer-checker=core,cplusplus.experimental.CString,deadcode.experimental.UnreachableCode -analyzer-store=region -verify %s
3// RUN: %clang_cc1 -analyze -DVARIANT -analyzer-checker=core,cplusplus.experimental.CString,deadcode.experimental.UnreachableCode -analyzer-store=region -verify %s
4// RUN: %clang_cc1 -analyze -DUSE_BUILTINS -DVARIANT -analyzer-checker=core,cplusplus.experimental.CString,deadcode.experimental.UnreachableCode -analyzer-store=region -verify %s
5
6//===----------------------------------------------------------------------===
7// Declarations
8//===----------------------------------------------------------------------===
9
10// Some functions are so similar to each other that they follow the same code
11// path, such as memcpy and __memcpy_chk, or memcmp and bcmp. If VARIANT is
12// defined, make sure to use the variants instead to make sure they are still
13// checked by the analyzer.
14
15// Some functions are implemented as builtins. These should be #defined as
16// BUILTIN(f), which will prepend "__builtin_" if USE_BUILTINS is defined.
17
18// Functions that have variants and are also availabe as builtins should be
19// declared carefully! See memcpy() for an example.
20
21#ifdef USE_BUILTINS
22# define BUILTIN(f) __builtin_ ## f
23#else /* USE_BUILTINS */
24# define BUILTIN(f) f
25#endif /* USE_BUILTINS */
26
27#define NULL 0
28typedef typeof(sizeof(int)) size_t;
29
30//===----------------------------------------------------------------------===
31// strlen()
32//===----------------------------------------------------------------------===
33
34#define strlen BUILTIN(strlen)
35size_t strlen(const char *s);
36
37void strlen_constant0() {
38  if (strlen("123") != 3)
39    (void)*(char*)0; // no-warning
40}
41
42void strlen_constant1() {
43  const char *a = "123";
44  if (strlen(a) != 3)
45    (void)*(char*)0; // no-warning
46}
47
48void strlen_constant2(char x) {
49  char a[] = "123";
50  if (strlen(a) != 3)
51    (void)*(char*)0; // no-warning
52  a[0] = x;
53  if (strlen(a) != 3)
54    (void)*(char*)0; // expected-warning{{null}}
55}
56
57size_t strlen_null() {
58  return strlen(0); // expected-warning{{Null pointer argument in call to byte string function}}
59}
60
61size_t strlen_fn() {
62  return strlen((char*)&strlen_fn); // expected-warning{{Argument to byte string function is the address of the function 'strlen_fn', which is not a null-terminated string}}
63}
64
65size_t strlen_nonloc() {
66label:
67  return strlen((char*)&&label); // expected-warning{{Argument to byte string function is the address of the label 'label', which is not a null-terminated string}}
68}
69
70void strlen_subregion() {
71  struct two_strings { char a[2], b[2]; };
72  extern void use_two_strings(struct two_strings *);
73
74  struct two_strings z;
75  use_two_strings(&z);
76
77  size_t a = strlen(z.a);
78  z.b[0] = 5;
79  size_t b = strlen(z.a);
80  if (a == 0 && b != 0)
81    (void)*(char*)0; // expected-warning{{never executed}}
82
83  use_two_strings(&z);
84
85  size_t c = strlen(z.a);
86  if (a == 0 && c != 0)
87    (void)*(char*)0; // expected-warning{{null}}
88}
89
90extern void use_string(char *);
91void strlen_argument(char *x) {
92  size_t a = strlen(x);
93  size_t b = strlen(x);
94  if (a == 0 && b != 0)
95    (void)*(char*)0; // expected-warning{{never executed}}
96
97  use_string(x);
98
99  size_t c = strlen(x);
100  if (a == 0 && c != 0)
101    (void)*(char*)0; // expected-warning{{null}}
102}
103
104extern char global_str[];
105void strlen_global() {
106  size_t a = strlen(global_str);
107  size_t b = strlen(global_str);
108  if (a == 0 && b != 0)
109    (void)*(char*)0; // expected-warning{{never executed}}
110
111  // Call a function with unknown effects, which should invalidate globals.
112  use_string(0);
113
114  size_t c = strlen(global_str);
115  if (a == 0 && c != 0)
116    (void)*(char*)0; // expected-warning{{null}}
117}
118
119void strlen_indirect(char *x) {
120  size_t a = strlen(x);
121  char *p = x;
122  char **p2 = &p;
123  size_t b = strlen(x);
124  if (a == 0 && b != 0)
125    (void)*(char*)0; // expected-warning{{never executed}}
126
127  extern void use_string_ptr(char*const*);
128  use_string_ptr(p2);
129
130  size_t c = strlen(x);
131  if (a == 0 && c != 0)
132    (void)*(char*)0; // expected-warning{{null}}
133}
134
135void strlen_liveness(const char *x) {
136  if (strlen(x) < 5)
137    return;
138  if (strlen(x) < 5)
139    (void)*(char*)0; // no-warning
140}
141
142//===----------------------------------------------------------------------===
143// strnlen()
144//===----------------------------------------------------------------------===
145
146#define strnlen BUILTIN(strnlen)
147size_t strnlen(const char *s, size_t maxlen);
148
149void strnlen_constant0() {
150  if (strnlen("123", 10) != 3)
151    (void)*(char*)0; // no-warning
152}
153
154void strnlen_constant1() {
155  const char *a = "123";
156  if (strnlen(a, 10) != 3)
157    (void)*(char*)0; // no-warning
158}
159
160void strnlen_constant2(char x) {
161  char a[] = "123";
162  if (strnlen(a, 10) != 3)
163    (void)*(char*)0; // no-warning
164  a[0] = x;
165  if (strnlen(a, 10) != 3)
166    (void)*(char*)0; // expected-warning{{null}}
167}
168
169void strnlen_constant4() {
170  if (strnlen("123456", 3) != 3)
171    (void)*(char*)0; // no-warning
172}
173
174void strnlen_constant5() {
175  const char *a = "123456";
176  if (strnlen(a, 3) != 3)
177    (void)*(char*)0; // no-warning
178}
179
180void strnlen_constant6(char x) {
181  char a[] = "123456";
182  if (strnlen(a, 3) != 3)
183    (void)*(char*)0; // no-warning
184  a[0] = x;
185  if (strnlen(a, 3) != 3)
186    (void)*(char*)0; // expected-warning{{null}}
187}
188
189size_t strnlen_null() {
190  return strnlen(0, 3); // expected-warning{{Null pointer argument in call to byte string function}}
191}
192
193size_t strnlen_fn() {
194  return strnlen((char*)&strlen_fn, 3); // expected-warning{{Argument to byte string function is the address of the function 'strlen_fn', which is not a null-terminated string}}
195}
196
197size_t strnlen_nonloc() {
198label:
199  return strnlen((char*)&&label, 3); // expected-warning{{Argument to byte string function is the address of the label 'label', which is not a null-terminated string}}
200}
201
202void strnlen_subregion() {
203  struct two_stringsn { char a[2], b[2]; };
204  extern void use_two_stringsn(struct two_stringsn *);
205
206  struct two_stringsn z;
207  use_two_stringsn(&z);
208
209  size_t a = strnlen(z.a, 10);
210  z.b[0] = 5;
211  size_t b = strnlen(z.a, 10);
212  if (a == 0 && b != 0)
213    (void)*(char*)0; // expected-warning{{never executed}}
214
215  use_two_stringsn(&z);
216
217  size_t c = strnlen(z.a, 10);
218  if (a == 0 && c != 0)
219    (void)*(char*)0; // expected-warning{{null}}
220}
221
222extern void use_stringn(char *);
223void strnlen_argument(char *x) {
224  size_t a = strnlen(x, 10);
225  size_t b = strnlen(x, 10);
226  if (a == 0 && b != 0)
227    (void)*(char*)0; // expected-warning{{never executed}}
228
229  use_stringn(x);
230
231  size_t c = strnlen(x, 10);
232  if (a == 0 && c != 0)
233    (void)*(char*)0; // expected-warning{{null}}
234}
235
236extern char global_strn[];
237void strnlen_global() {
238  size_t a = strnlen(global_strn, 10);
239  size_t b = strnlen(global_strn, 10);
240  if (a == 0 && b != 0)
241    (void)*(char*)0; // expected-warning{{never executed}}
242
243  // Call a function with unknown effects, which should invalidate globals.
244  use_stringn(0);
245
246  size_t c = strnlen(global_str, 10);
247  if (a == 0 && c != 0)
248    (void)*(char*)0; // expected-warning{{null}}
249}
250
251void strnlen_indirect(char *x) {
252  size_t a = strnlen(x, 10);
253  char *p = x;
254  char **p2 = &p;
255  size_t b = strnlen(x, 10);
256  if (a == 0 && b != 0)
257    (void)*(char*)0; // expected-warning{{never executed}}
258
259  extern void use_stringn_ptr(char*const*);
260  use_stringn_ptr(p2);
261
262  size_t c = strnlen(x, 10);
263  if (a == 0 && c != 0)
264    (void)*(char*)0; // expected-warning{{null}}
265}
266
267void strnlen_liveness(const char *x) {
268  if (strnlen(x, 10) < 5)
269    return;
270  if (strnlen(x, 10) < 5)
271    (void)*(char*)0; // no-warning
272}
273
274//===----------------------------------------------------------------------===
275// strcpy()
276//===----------------------------------------------------------------------===
277
278#ifdef VARIANT
279
280#define __strcpy_chk BUILTIN(__strcpy_chk)
281char *__strcpy_chk(char *restrict s1, const char *restrict s2, size_t destlen);
282
283#define strcpy(a,b) __strcpy_chk(a,b,(size_t)-1)
284
285#else /* VARIANT */
286
287#define strcpy BUILTIN(strcpy)
288char *strcpy(char *restrict s1, const char *restrict s2);
289
290#endif /* VARIANT */
291
292
293void strcpy_null_dst(char *x) {
294  strcpy(NULL, x); // expected-warning{{Null pointer argument in call to byte string function}}
295}
296
297void strcpy_null_src(char *x) {
298  strcpy(x, NULL); // expected-warning{{Null pointer argument in call to byte string function}}
299}
300
301void strcpy_fn(char *x) {
302  strcpy(x, (char*)&strcpy_fn); // expected-warning{{Argument to byte string function is the address of the function 'strcpy_fn', which is not a null-terminated string}}
303}
304
305void strcpy_effects(char *x, char *y) {
306  char a = x[0];
307
308  if (strcpy(x, y) != x)
309    (void)*(char*)0; // no-warning
310
311  if (strlen(x) != strlen(y))
312    (void)*(char*)0; // no-warning
313
314  if (a != x[0])
315    (void)*(char*)0; // expected-warning{{null}}
316}
317
318void strcpy_overflow(char *y) {
319  char x[4];
320  if (strlen(y) == 4)
321    strcpy(x, y); // expected-warning{{Byte string function overflows destination buffer}}
322}
323
324void strcpy_no_overflow(char *y) {
325  char x[4];
326  if (strlen(y) == 3)
327    strcpy(x, y); // no-warning
328}
329
330//===----------------------------------------------------------------------===
331// strncpy()
332//===----------------------------------------------------------------------===
333
334#ifdef VARIANT
335
336#define __strncpy_chk BUILTIN(__strncpy_chk)
337char *__strncpy_chk(char *restrict s1, const char *restrict s2, size_t n, size_t destlen);
338
339#define strncpy(a,b,c) __strncpy_chk(a,b,c, (size_t)-1)
340
341#else /* VARIANT */
342
343#define strncpy BUILTIN(strncpy)
344char *strncpy(char *restrict s1, const char *restrict s2, size_t n);
345
346#endif /* VARIANT */
347
348
349void strncpy_null_dst(char *x) {
350  strncpy(NULL, x, 1); // expected-warning{{Null pointer argument in call to byte string function}}
351}
352
353void strncpy_null_src(char *x) {
354  strncpy(x, NULL, 1); // expected-warning{{Null pointer argument in call to byte string function}}
355}
356
357void strncpy_fn(char *x) {
358  strncpy(x, (char*)&strncpy_fn, 1); // expected-warning{{Argument to byte string function is the address of the function 'strncpy_fn', which is not a null-terminated string}}
359}
360
361void strncpy_effects(char *x, char *y) {
362  char a = x[0];
363
364  if (strncpy(x, y, strlen(y)) != x)
365    (void)*(char*)0; // no-warning
366
367  if (strlen(x) != strlen(y))
368    (void)*(char*)0; // no-warning
369
370  if (a != x[0])
371    (void)*(char*)0; // expected-warning{{null}}
372}
373
374void strncpy_overflow(char *y) {
375  char x[4];
376  if (strlen(y) == 4)
377    strncpy(x, y, strlen(y)); // expected-warning{{Byte string function overflows destination buffer}}
378}
379
380void strncpy_len_overflow(char *y) {
381  char x[4];
382  if (strlen(y) == 3)
383    strncpy(x, y, sizeof(x)); // no-warning
384}
385
386void strncpy_no_overflow(char *y) {
387  char x[4];
388  if (strlen(y) == 3)
389    strncpy(x, y, strlen(y)); // no-warning
390}
391
392void strncpy_no_len_overflow(char *y) {
393  char x[4];
394  if (strlen(y) == 4)
395    strncpy(x, y, sizeof(x)-1); // no-warning
396}
397
398//===----------------------------------------------------------------------===
399// stpcpy()
400//===----------------------------------------------------------------------===
401
402#ifdef VARIANT
403
404#define __stpcpy_chk BUILTIN(__stpcpy_chk)
405char *__stpcpy_chk(char *restrict s1, const char *restrict s2, size_t destlen);
406
407#define stpcpy(a,b) __stpcpy_chk(a,b,(size_t)-1)
408
409#else /* VARIANT */
410
411#define stpcpy BUILTIN(stpcpy)
412char *stpcpy(char *restrict s1, const char *restrict s2);
413
414#endif /* VARIANT */
415
416
417void stpcpy_effect(char *x, char *y) {
418  char a = x[0];
419
420  if (stpcpy(x, y) != &x[strlen(y)])
421    (void)*(char*)0; // no-warning
422
423  if (strlen(x) != strlen(y))
424    (void)*(char*)0; // no-warning
425
426  if (a != x[0])
427    (void)*(char*)0; // expected-warning{{null}}
428}
429
430void stpcpy_overflow(char *y) {
431  char x[4];
432  if (strlen(y) == 4)
433    stpcpy(x, y); // expected-warning{{Byte string function overflows destination buffer}}
434}
435
436void stpcpy_no_overflow(char *y) {
437  char x[4];
438  if (strlen(y) == 3)
439    stpcpy(x, y); // no-warning
440}
441
442//===----------------------------------------------------------------------===
443// strcat()
444//===----------------------------------------------------------------------===
445
446#ifdef VARIANT
447
448#define __strcat_chk BUILTIN(__strcat_chk)
449char *__strcat_chk(char *restrict s1, const char *restrict s2, size_t destlen);
450
451#define strcat(a,b) __strcat_chk(a,b,(size_t)-1)
452
453#else /* VARIANT */
454
455#define strcat BUILTIN(strcat)
456char *strcat(char *restrict s1, const char *restrict s2);
457
458#endif /* VARIANT */
459
460
461void strcat_null_dst(char *x) {
462  strcat(NULL, x); // expected-warning{{Null pointer argument in call to byte string function}}
463}
464
465void strcat_null_src(char *x) {
466  strcat(x, NULL); // expected-warning{{Null pointer argument in call to byte string function}}
467}
468
469void strcat_fn(char *x) {
470  strcat(x, (char*)&strcat_fn); // expected-warning{{Argument to byte string function is the address of the function 'strcat_fn', which is not a null-terminated string}}
471}
472
473void strcat_effects(char *y) {
474  char x[8] = "123";
475  size_t orig_len = strlen(x);
476  char a = x[0];
477
478  if (strlen(y) != 4)
479    return;
480
481  if (strcat(x, y) != x)
482    (void)*(char*)0; // no-warning
483
484  if ((int)strlen(x) != (orig_len + strlen(y)))
485    (void)*(char*)0; // no-warning
486
487  if (a != x[0])
488    (void)*(char*)0; // expected-warning{{null}}
489}
490
491void strcat_overflow_0(char *y) {
492  char x[4] = "12";
493  if (strlen(y) == 4)
494    strcat(x, y); // expected-warning{{Byte string function overflows destination buffer}}
495}
496
497void strcat_overflow_1(char *y) {
498  char x[4] = "12";
499  if (strlen(y) == 3)
500    strcat(x, y); // expected-warning{{Byte string function overflows destination buffer}}
501}
502
503void strcat_overflow_2(char *y) {
504  char x[4] = "12";
505  if (strlen(y) == 2)
506    strcat(x, y); // expected-warning{{Byte string function overflows destination buffer}}
507}
508
509void strcat_no_overflow(char *y) {
510  char x[5] = "12";
511  if (strlen(y) == 2)
512    strcat(x, y); // no-warning
513}
514
515
516//===----------------------------------------------------------------------===
517// strncat()
518//===----------------------------------------------------------------------===
519
520#ifdef VARIANT
521
522#define __strncat_chk BUILTIN(__strncat_chk)
523char *__strncat_chk(char *restrict s1, const char *restrict s2, size_t n, size_t destlen);
524
525#define strncat(a,b,c) __strncat_chk(a,b,c, (size_t)-1)
526
527#else /* VARIANT */
528
529#define strncat BUILTIN(strncat)
530char *strncat(char *restrict s1, const char *restrict s2, size_t n);
531
532#endif /* VARIANT */
533
534
535void strncat_null_dst(char *x) {
536  strncat(NULL, x, 4); // expected-warning{{Null pointer argument in call to byte string function}}
537}
538
539void strncat_null_src(char *x) {
540  strncat(x, NULL, 4); // expected-warning{{Null pointer argument in call to byte string function}}
541}
542
543void strncat_fn(char *x) {
544  strncat(x, (char*)&strncat_fn, 4); // expected-warning{{Argument to byte string function is the address of the function 'strncat_fn', which is not a null-terminated string}}
545}
546
547void strncat_effects(char *y) {
548  char x[8] = "123";
549  size_t orig_len = strlen(x);
550  char a = x[0];
551
552  if (strlen(y) != 4)
553    return;
554
555  if (strncat(x, y, strlen(y)) != x)
556    (void)*(char*)0; // no-warning
557
558  if (strlen(x) != orig_len + strlen(y))
559    (void)*(char*)0; // no-warning
560
561  if (a != x[0])
562    (void)*(char*)0; // expected-warning{{null}}
563}
564
565void strncat_overflow_0(char *y) {
566  char x[4] = "12";
567  if (strlen(y) == 4)
568    strncat(x, y, strlen(y)); // expected-warning{{Byte string function overflows destination buffer}}
569}
570
571void strncat_overflow_1(char *y) {
572  char x[4] = "12";
573  if (strlen(y) == 3)
574    strncat(x, y, strlen(y)); // expected-warning{{Byte string function overflows destination buffer}}
575}
576
577void strncat_overflow_2(char *y) {
578  char x[4] = "12";
579  if (strlen(y) == 2)
580    strncat(x, y, strlen(y)); // expected-warning{{Byte string function overflows destination buffer}}
581}
582
583void strncat_overflow_3(char *y) {
584  char x[4] = "12";
585  if (strlen(y) == 4)
586    strncat(x, y, 2); // expected-warning{{Byte string function overflows destination buffer}}
587}
588void strncat_no_overflow_1(char *y) {
589  char x[5] = "12";
590  if (strlen(y) == 2)
591    strncat(x, y, strlen(y)); // no-warning
592}
593
594void strncat_no_overflow_2(char *y) {
595  char x[4] = "12";
596  if (strlen(y) == 4)
597    strncat(x, y, 1); // no-warning
598}
599