string.c revision 067bbd0e11c71a33b51832532e836971be697699
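// RUN: %clang_cc1 -analyze -analyzer-checker=core,cplusplus.experimental.CString,deadcode.experimental.UnreachableCode -analyzer-store=region -verify %s
// RUN: %clang_cc1 -analyze -DUSE_BUILTINS -analyzer-checker=core,cplusplus.experimental.CString,deadcode.experimental.UnreachableCode -analyzer-store=region -verify %s
// RUN: %clang_cc1 -analyze -DVARIANT -analyzer-checker=core,cplusplus.experimental.CString,deadcode.experimental.UnreachableCode -analyzer-store=region -verify %s
// RUN: %clang_cc1 -analyze -DUSE_BUILTINS -DVARIANT -analyzer-checker=core,cplusplus.experimental.CString,deadcode.experimental.UnreachableCode -analyzer-store=region -verify %s

//===----------------------------------------------------------------------===
// Declarations
//===----------------------------------------------------------------------===

// Some functions are so similar to each other that they follow the same code
// path, such as memcpy and __memcpy_chk, or memcmp and bcmp. If VARIANT is
// defined, make sure to use the variants instead to make sure they are still
// checked by the analyzer.

// Some functions are implemented as builtins. These should be #defined as
// BUILTIN(f), which will prepend "__builtin_" if USE_BUILTINS is defined.

// Functions that have variants and are also available as builtins should be
// declared carefully! See memcpy() for an example.

// How to read the test bodies below:
//   - "(void)*(char*)0;" is a deliberate null dereference used as a probe.
//     It is only reported when the analyzer considers the enclosing branch
//     reachable, so each probe checks what the analyzer knows at that point.
//   - A probe annotated "no-warning" sits on a branch the analyzer must have
//     proven infeasible.
//   - A probe annotated with {{null}} sits on a branch that must still be
//     considered feasible (the modelled string length or contents are no
//     longer known there).
//   - A probe annotated with {{never executed}} must be flagged by the
//     unreachable-code checker enabled in the RUN lines.
// The trailing annotations are read by -verify and match by line, so they
// must stay on the same line as the statement they describe.

#ifdef USE_BUILTINS
# define BUILTIN(f) __builtin_ ## f
#else /* USE_BUILTINS */
# define BUILTIN(f) f
#endif /* USE_BUILTINS */

#define NULL 0
typedef typeof(sizeof(int)) size_t;

//===----------------------------------------------------------------------===
// strlen()
//===----------------------------------------------------------------------===

#define strlen BUILTIN(strlen)
size_t strlen(const char *s);

// A string literal passed directly has a known length of 3.
void strlen_constant0() {
  if (strlen("123") != 3)
    (void)*(char*)0; // no-warning
}

// Same literal, reached through a pointer variable.
void strlen_constant1() {
  const char *a = "123";
  if (strlen(a) != 3)
    (void)*(char*)0; // no-warning
}

// An array initialised from a literal has a known length until one of its
// bytes is overwritten with an unknown value (x may be '\0').
void strlen_constant2(char x) {
  char a[] = "123";
  if (strlen(a) != 3)
    (void)*(char*)0; // no-warning
  a[0] = x;
  if (strlen(a) != 3)
    (void)*(char*)0; // expected-warning{{null}}
}

// A null pointer argument must be diagnosed.
size_t strlen_null() {
  return strlen(0); // expected-warning{{Null pointer argument in call to byte string function}}
}

// The address of a function is not a string.
size_t strlen_fn() {
  return strlen((char*)&strlen_fn); // expected-warning{{Argument to byte string function is the address of the function 'strlen_fn', which is not a null-terminated string}}
}

// The address of a label (GNU "&&label" extension) is not a string either.
size_t strlen_nonloc() {
label:
  return strlen((char*)&&label); // expected-warning{{Argument to byte string function is the address of the label 'label', which is not a null-terminated string}}
}

// Writing to the sibling field z.b must not discard the length recorded for
// z.a; handing &z to a function with unknown effects must.
void strlen_subregion() {
  struct two_strings { char a[2], b[2]; };
  extern void use_two_strings(struct two_strings *);

  struct two_strings z;
  use_two_strings(&z);

  size_t a = strlen(z.a);
  z.b[0] = 5;
  size_t b = strlen(z.a);
  if (a == 0 && b != 0)
    (void)*(char*)0; // expected-warning{{never executed}}

  use_two_strings(&z);

  size_t c = strlen(z.a);
  if (a == 0 && c != 0)
    (void)*(char*)0; // expected-warning{{null}}
}

extern void use_string(char *);
// Two back-to-back calls on the same pointer agree; once the pointer has
// been passed to use_string() the length is unknown again.
void strlen_argument(char *x) {
  size_t a = strlen(x);
  size_t b = strlen(x);
  if (a == 0 && b != 0)
    (void)*(char*)0; // expected-warning{{never executed}}

  use_string(x);

  size_t c = strlen(x);
  if (a == 0 && c != 0)
    (void)*(char*)0; // expected-warning{{null}}
}

extern char global_str[];
// Same check for a global buffer, which any unknown call may modify.
void strlen_global() {
  size_t a = strlen(global_str);
  size_t b = strlen(global_str);
  if (a == 0 && b != 0)
    (void)*(char*)0; // expected-warning{{never executed}}

  // Call a function with unknown effects, which should invalidate globals.
  use_string(0);

  size_t c = strlen(global_str);
  if (a == 0 && c != 0)
    (void)*(char*)0; // expected-warning{{null}}
}

// The string is reachable from the escaping argument only through p2 -> p,
// and the recorded length must still be discarded.
void strlen_indirect(char *x) {
  size_t a = strlen(x);
  char *p = x;
  char **p2 = &p;
  size_t b = strlen(x);
  if (a == 0 && b != 0)
    (void)*(char*)0; // expected-warning{{never executed}}

  extern void use_string_ptr(char*const*);
  use_string_ptr(p2);

  size_t c = strlen(x);
  if (a == 0 && c != 0)
    (void)*(char*)0; // expected-warning{{null}}
}

// The constraint learned from the first comparison must survive until the
// second call, even though the first result is not stored anywhere.
void strlen_liveness(const char *x) {
  if (strlen(x) < 5)
    return;
  if (strlen(x) < 5)
    (void)*(char*)0; // no-warning
}

//===----------------------------------------------------------------------===
// strnlen()
//===----------------------------------------------------------------------===

#define strnlen BUILTIN(strnlen)
size_t strnlen(const char *s, size_t maxlen);

// With maxlen (10) larger than the string, strnlen behaves like strlen.
void strnlen_constant0() {
  if (strnlen("123", 10) != 3)
    (void)*(char*)0; // no-warning
}

void strnlen_constant1() {
  const char *a = "123";
  if (strnlen(a, 10) != 3)
    (void)*(char*)0; // no-warning
}

void strnlen_constant2(char x) {
  char a[] = "123";
  if (strnlen(a, 10) != 3)
    (void)*(char*)0; // no-warning
  a[0] = x;
  if (strnlen(a, 10) != 3)
    (void)*(char*)0; // expected-warning{{null}}
}

// With maxlen (3) smaller than the string (6 characters), the result is
// capped at maxlen.
void strnlen_constant4() {
  if (strnlen("123456", 3) != 3)
    (void)*(char*)0; // no-warning
}

void strnlen_constant5() {
  const char *a = "123456";
  if (strnlen(a, 3) != 3)
    (void)*(char*)0; // no-warning
}

// After a[0] is overwritten with an unknown byte the capped result is no
// longer known either (x may be '\0').
void strnlen_constant6(char x) {
  char a[] = "123456";
  if (strnlen(a, 3) != 3)
    (void)*(char*)0; // no-warning
  a[0] = x;
  if (strnlen(a, 3) != 3)
    (void)*(char*)0; // expected-warning{{null}}
}

size_t strnlen_null() {
  return strnlen(0, 3); // expected-warning{{Null pointer argument in call to byte string function}}
}

// Reuses the address of strlen_fn (not strnlen_fn); the diagnostic text
// names that function accordingly.
size_t strnlen_fn() {
  return strnlen((char*)&strlen_fn, 3); // expected-warning{{Argument to byte string function is the address of the function 'strlen_fn', which is not a null-terminated string}}
}

size_t strnlen_nonloc() {
label:
  return strnlen((char*)&&label, 3); // expected-warning{{Argument to byte string function is the address of the label 'label', which is not a null-terminated string}}
}

// strnlen counterpart of strlen_subregion.
void strnlen_subregion() {
  struct two_stringsn { char a[2], b[2]; };
  extern void use_two_stringsn(struct two_stringsn *);

  struct two_stringsn z;
  use_two_stringsn(&z);

  size_t a = strnlen(z.a, 10);
  z.b[0] = 5;
  size_t b = strnlen(z.a, 10);
  if (a == 0 && b != 0)
    (void)*(char*)0; // expected-warning{{never executed}}

  use_two_stringsn(&z);

  size_t c = strnlen(z.a, 10);
  if (a == 0 && c != 0)
    (void)*(char*)0; // expected-warning{{null}}
}

extern void use_stringn(char *);
// strnlen counterpart of strlen_argument.
void strnlen_argument(char *x) {
  size_t a = strnlen(x, 10);
  size_t b = strnlen(x, 10);
  if (a == 0 && b != 0)
    (void)*(char*)0; // expected-warning{{never executed}}

  use_stringn(x);

  size_t c = strnlen(x, 10);
  if (a == 0 && c != 0)
    (void)*(char*)0; // expected-warning{{null}}
}

extern char global_strn[];
// strnlen counterpart of strlen_global. All three calls query global_strn:
// if the last one read a different global (global_str), "a" and "c" would be
// unrelated values and the final probe would be reachable whether or not the
// unknown call invalidated anything, so the invalidation would go untested.
void strnlen_global() {
  size_t a = strnlen(global_strn, 10);
  size_t b = strnlen(global_strn, 10);
  if (a == 0 && b != 0)
    (void)*(char*)0; // expected-warning{{never executed}}

  // Call a function with unknown effects, which should invalidate globals.
  use_stringn(0);

  size_t c = strnlen(global_strn, 10);
  if (a == 0 && c != 0)
    (void)*(char*)0; // expected-warning{{null}}
}

// strnlen counterpart of strlen_indirect.
void strnlen_indirect(char *x) {
  size_t a = strnlen(x, 10);
  char *p = x;
  char **p2 = &p;
  size_t b = strnlen(x, 10);
  if (a == 0 && b != 0)
    (void)*(char*)0; // expected-warning{{never executed}}

  extern void use_stringn_ptr(char*const*);
  use_stringn_ptr(p2);

  size_t c = strnlen(x, 10);
  if (a == 0 && c != 0)
    (void)*(char*)0; // expected-warning{{null}}
}

// strnlen counterpart of strlen_liveness.
void strnlen_liveness(const char *x) {
  if (strnlen(x, 10) < 5)
    return;
  if (strnlen(x, 10) < 5)
    (void)*(char*)0; // no-warning
}

//===----------------------------------------------------------------------===
// strcpy()
//===----------------------------------------------------------------------===

#ifdef VARIANT

// The _chk form is called with destlen == (size_t)-1, the value
// __builtin_object_size yields when the size is unknown, so any overflow
// report below has to come from the analyzer's own knowledge of the buffer.
#define __strcpy_chk BUILTIN(__strcpy_chk)
char *__strcpy_chk(char *restrict s1, const char *restrict s2, size_t destlen);

#define strcpy(a,b) __strcpy_chk(a,b,(size_t)-1)

#else /* VARIANT */

#define strcpy BUILTIN(strcpy)
char *strcpy(char *restrict s1, const char *restrict s2);

#endif /* VARIANT */


void strcpy_null_dst(char *x) {
  strcpy(NULL, x); // expected-warning{{Null pointer argument in call to byte string function}}
}

void strcpy_null_src(char *x) {
  strcpy(x, NULL); // expected-warning{{Null pointer argument in call to byte string function}}
}

void strcpy_fn(char *x) {
  strcpy(x, (char*)&strcpy_fn); // expected-warning{{Argument to byte string function is the address of the function 'strcpy_fn', which is not a null-terminated string}}
}

// Modelled effects of strcpy: it returns the destination, the destination
// takes on the source's length, and the destination's previous contents
// (the saved first byte) can no longer be assumed.
void strcpy_effects(char *x, char *y) {
  char a = x[0];

  if (strcpy(x, y) != x)
    (void)*(char*)0; // no-warning

  if (strlen(x) != strlen(y))
    (void)*(char*)0; // no-warning

  if (a != x[0])
    (void)*(char*)0; // expected-warning{{null}}
}

// 4 characters plus the terminator need 5 bytes; x holds 4.
void strcpy_overflow(char *y) {
  char x[4];
  if (strlen(y) == 4)
    strcpy(x, y); // expected-warning{{Byte string function overflows destination buffer}}
}

// 3 characters plus the terminator fill x exactly.
void strcpy_no_overflow(char *y) {
  char x[4];
  if (strlen(y) == 3)
    strcpy(x, y); // no-warning
}

//===----------------------------------------------------------------------===
// strncpy()
//===----------------------------------------------------------------------===

// Reminder for readers of the cases below: strncpy writes a terminator only
// when the source is shorter than n. A call that draws no overflow report
// can therefore still leave the destination unterminated, which these tests
// do not check for.

#ifdef VARIANT

#define __strncpy_chk BUILTIN(__strncpy_chk)
char *__strncpy_chk(char *restrict s1, const char *restrict s2, size_t n, size_t destlen);

#define strncpy(a,b,c) __strncpy_chk(a,b,c, (size_t)-1)

#else /* VARIANT */

#define strncpy BUILTIN(strncpy)
char *strncpy(char *restrict s1, const char *restrict s2, size_t n);

#endif /* VARIANT */


void strncpy_null_dst(char *x) {
  strncpy(NULL, x, 1); // expected-warning{{Null pointer argument in call to byte string function}}
}

void strncpy_null_src(char *x) {
  strncpy(x, NULL, 1); // expected-warning{{Null pointer argument in call to byte string function}}
}

void strncpy_fn(char *x) {
  strncpy(x, (char*)&strncpy_fn, 1); // expected-warning{{Argument to byte string function is the address of the function 'strncpy_fn', which is not a null-terminated string}}
}

// Same three effects as strcpy_effects, with n == strlen(y).
// NOTE(review): with n == strlen(y) the C library writes no terminator, so
// the length equality asserted here reflects the checker's model rather than
// a guarantee of the real function.
void strncpy_effects(char *x, char *y) {
  char a = x[0];

  if (strncpy(x, y, strlen(y)) != x)
    (void)*(char*)0; // no-warning

  if (strlen(x) != strlen(y))
    (void)*(char*)0; // no-warning

  if (a != x[0])
    (void)*(char*)0; // expected-warning{{null}}
}

// NOTE(review): n == 4 makes the real strncpy write exactly 4 bytes into the
// 4-byte x (unterminated, but in bounds); the overflow report required here
// appears to come from the checker treating the copy like strcpy (4 + 1).
void strncpy_overflow(char *y) {
  char x[4];
  if (strlen(y) == 4)
    strncpy(x, y, strlen(y)); // expected-warning{{Byte string function overflows destination buffer}}
}

// n == sizeof(x) with a 3-character source: 3 bytes copied plus one byte of
// padding, which fits and leaves x terminated.
void strncpy_len_overflow(char *y) {
  char x[4];
  if (strlen(y) == 3)
    strncpy(x, y, sizeof(x)); // no-warning
}

// n == 3 with a 3-character source: in bounds, but no terminator is written.
void strncpy_no_overflow(char *y) {
  char x[4];
  if (strlen(y) == 3)
    strncpy(x, y, strlen(y)); // no-warning
}

// n == sizeof(x)-1 truncates the 4-character source to 3 bytes: in bounds,
// but x[3] is left untouched, so the caller must terminate x itself.
void strncpy_no_len_overflow(char *y) {
  char x[4];
  if (strlen(y) == 4)
    strncpy(x, y, sizeof(x)-1); // no-warning
}

//===----------------------------------------------------------------------===
// stpcpy()
//===----------------------------------------------------------------------===

#ifdef VARIANT

#define __stpcpy_chk BUILTIN(__stpcpy_chk)
char *__stpcpy_chk(char *restrict s1, const char *restrict s2, size_t destlen);

#define stpcpy(a,b) __stpcpy_chk(a,b,(size_t)-1)

#else /* VARIANT */

#define stpcpy BUILTIN(stpcpy)
char *stpcpy(char *restrict s1, const char *restrict s2);

#endif /* VARIANT */


// Like strcpy_effects, except that stpcpy returns a pointer to the copied
// terminator, i.e. &x[strlen(y)], instead of the destination itself.
void stpcpy_effect(char *x, char *y) {
  char a = x[0];

  if (stpcpy(x, y) != &x[strlen(y)])
    (void)*(char*)0; // no-warning

  if (strlen(x) != strlen(y))
    (void)*(char*)0; // no-warning

  if (a != x[0])
    (void)*(char*)0; // expected-warning{{null}}
}

// 4 characters plus the terminator need 5 bytes; x holds 4.
void stpcpy_overflow(char *y) {
  char x[4];
  if (strlen(y) == 4)
    stpcpy(x, y); // expected-warning{{Byte string function overflows destination buffer}}
}

// 3 characters plus the terminator fill x exactly.
void stpcpy_no_overflow(char *y) {
  char x[4];
  if (strlen(y) == 3)
    stpcpy(x, y); // no-warning
}

//===----------------------------------------------------------------------===
// strcat()
//===----------------------------------------------------------------------===

#ifdef VARIANT

#define __strcat_chk BUILTIN(__strcat_chk)
char *__strcat_chk(char *restrict s1, const char *restrict s2, size_t destlen);

#define strcat(a,b) __strcat_chk(a,b,(size_t)-1)

#else /* VARIANT */

#define strcat BUILTIN(strcat)
char *strcat(char *restrict s1, const char *restrict s2);

#endif /* VARIANT */


void strcat_null_dst(char *x) {
  strcat(NULL, x); // expected-warning{{Null pointer argument in call to byte string function}}
}

void strcat_null_src(char *x) {
  strcat(x, NULL); // expected-warning{{Null pointer argument in call to byte string function}}
}

void strcat_fn(char *x) {
  strcat(x, (char*)&strcat_fn); // expected-warning{{Argument to byte string function is the address of the function 'strcat_fn', which is not a null-terminated string}}
}

// Modelled effects of strcat: it returns the destination and the new length
// is the sum of both lengths (3 + 4 + terminator fills x[8] exactly). The
// final probe requires that the saved first byte is no longer assumed equal.
void strcat_effects(char *y) {
  char x[8] = "123";
  size_t orig_len = strlen(x);
  char a = x[0];

  if (strlen(y) != 4)
    return;

  if (strcat(x, y) != x)
    (void)*(char*)0; // no-warning

  if ((int)strlen(x) != (orig_len + strlen(y)))
    (void)*(char*)0; // no-warning

  if (a != x[0])
    (void)*(char*)0; // expected-warning{{null}}
}

// x already holds 2 characters: 2 + 4 + terminator = 7 bytes into x[4].
void strcat_overflow_0(char *y) {
  char x[4] = "12";
  if (strlen(y) == 4)
    strcat(x, y); // expected-warning{{Byte string function overflows destination buffer}}
}

// 2 + 3 + terminator = 6 bytes into x[4].
void strcat_overflow_1(char *y) {
  char x[4] = "12";
  if (strlen(y) == 3)
    strcat(x, y); // expected-warning{{Byte string function overflows destination buffer}}
}

// Boundary case: 2 + 2 + terminator = 5 bytes, one more than x[4] holds.
void strcat_overflow_2(char *y) {
  char x[4] = "12";
  if (strlen(y) == 2)
    strcat(x, y); // expected-warning{{Byte string function overflows destination buffer}}
}

// 2 + 2 + terminator = 5 bytes fill x[5] exactly.
void strcat_no_overflow(char *y) {
  char x[5] = "12";
  if (strlen(y) == 2)
    strcat(x, y); // no-warning
}


//===----------------------------------------------------------------------===
// strncat()
//===----------------------------------------------------------------------===

// Unlike strncpy, strncat always appends a terminator after the (at most n)
// copied characters, so the space needed is
// strlen(dst) + min(strlen(src), n) + 1.

#ifdef VARIANT

#define __strncat_chk BUILTIN(__strncat_chk)
char *__strncat_chk(char *restrict s1, const char *restrict s2, size_t n, size_t destlen);

#define strncat(a,b,c) __strncat_chk(a,b,c, (size_t)-1)

#else /* VARIANT */

#define strncat BUILTIN(strncat)
char *strncat(char *restrict s1, const char *restrict s2, size_t n);

#endif /* VARIANT */


void strncat_null_dst(char *x) {
  strncat(NULL, x, 4); // expected-warning{{Null pointer argument in call to byte string function}}
}

void strncat_null_src(char *x) {
  strncat(x, NULL, 4); // expected-warning{{Null pointer argument in call to byte string function}}
}

void strncat_fn(char *x) {
  strncat(x, (char*)&strncat_fn, 4); // expected-warning{{Argument to byte string function is the address of the function 'strncat_fn', which is not a null-terminated string}}
}

// strncat counterpart of strcat_effects, with n == strlen(y).
void strncat_effects(char *y) {
  char x[8] = "123";
  size_t orig_len = strlen(x);
  char a = x[0];

  if (strlen(y) != 4)
    return;

  if (strncat(x, y, strlen(y)) != x)
    (void)*(char*)0; // no-warning

  if (strlen(x) != orig_len + strlen(y))
    (void)*(char*)0; // no-warning

  if (a != x[0])
    (void)*(char*)0; // expected-warning{{null}}
}

// 2 + 4 + terminator = 7 bytes into x[4].
void strncat_overflow_0(char *y) {
  char x[4] = "12";
  if (strlen(y) == 4)
    strncat(x, y, strlen(y)); // expected-warning{{Byte string function overflows destination buffer}}
}

// 2 + 3 + terminator = 6 bytes into x[4].
void strncat_overflow_1(char *y) {
  char x[4] = "12";
  if (strlen(y) == 3)
    strncat(x, y, strlen(y)); // expected-warning{{Byte string function overflows destination buffer}}
}

// Boundary case: 2 + 2 + terminator = 5 bytes, one more than x[4] holds.
void strncat_overflow_2(char *y) {
  char x[4] = "12";
  if (strlen(y) == 2)
    strncat(x, y, strlen(y)); // expected-warning{{Byte string function overflows destination buffer}}
}

// The bound n == 2 limits the copy, but 2 + 2 + terminator is still 5 bytes.
void strncat_overflow_3(char *y) {
  char x[4] = "12";
  if (strlen(y) == 4)
    strncat(x, y, 2); // expected-warning{{Byte string function overflows destination buffer}}
}

// 2 + 2 + terminator = 5 bytes fill x[5] exactly.
void strncat_no_overflow_1(char *y) {
  char x[5] = "12";
  if (strlen(y) == 2)
    strncat(x, y, strlen(y)); // no-warning
}

// The bound n == 1 keeps the result in range: 2 + 1 + terminator = 4 bytes.
void strncat_no_overflow_2(char *y) {
  char x[4] = "12";
  if (strlen(y) == 4)
    strncat(x, y, 1); // no-warning
}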