1 // RUN: %clang_analyze_cc1 -w -verify %s \
2 // RUN:   -analyzer-checker=core \
3 // RUN:   -analyzer-checker=unix.cstring.NullArg \
4 // RUN:   -analyzer-checker=alpha.unix.cstring \
5 // RUN:   -analyzer-checker=debug.ExprInspection
6 
/* This listing includes no system headers: it supplies its own size_t, NULL
 * and the prototypes of the BSD string functions under analysis. */
typedef __typeof(sizeof(int)) size_t;
#define NULL ((void *)0)

/* Analyzer hook: with debug.ExprInspection enabled (see the RUN lines) the
 * argument's truth value is reported as a TRUE / FALSE / UNKNOWN diagnostic. */
void clang_analyzer_eval(int);

size_t strlen(const char *s);
size_t strlcpy(char *dst, const char *src, size_t n);
size_t strlcat(char *dst, const char *src, size_t n);
14 
/* Overlap case: the source pointer lies one byte inside the destination array,
 * so source and destination are the same object even though the bound (3) is
 * small. The checker must flag the overlapping arguments. */
void f1() {
  char region[] = "123456789";
  strlcpy(region, region + 1, 3); // expected-warning{{Arguments must not be overlapping buffers}}
}
19 
/* In-bounds case: both calls pass sizeof(dst) as the bound, so nothing is
 * reported. The return values are the lengths the functions tried to create
 * (4, then 4 + 4), which is what a caller compares with the bound to detect
 * truncation. */
void f2() {
  char dst[5];
  size_t total = strlcpy(dst, "abcd", sizeof(dst)); // expected-no-warning
  clang_analyzer_eval(total == 4); // expected-warning{{TRUE}}
  total = strlcat(dst, "efgh", sizeof(dst)); // expected-no-warning
  clang_analyzer_eval(total == 8); // expected-warning{{TRUE}}
}
28 
/* Wrong-bound case: the destination holds 2 bytes but the caller passes 5 as
 * the size, so the bound no longer protects the array and the checker must
 * report an overflow. */
void f3() {
  const char *text = "abdef";
  char small[2];
  strlcpy(small, text, 5); // expected-warning{{String copy function overflows the destination buffer}}
}
34 
/* Null destination handed to the copy function: covered by the
 * unix.cstring.NullArg checker enabled in the RUN lines. */
void f4() {
  strlcpy(NULL, "abcdef", 6); // expected-warning{{Null pointer passed as 1st argument to string copy function}}
}
38 
/* Null destination handed to the concatenation function; same check as f4 but
 * the diagnostic names the concatenation family. */
void f5() {
  strlcat(NULL, "abcdef", 6); // expected-warning{{Null pointer passed as 1st argument to string concatenation function}}
}
42 
/* Copy followed by concatenation, each with a bound smaller than the 8-byte
 * array, then a check on the modelled return value of strlcat. */
void f6() {
  char dst[8];
  strlcpy(dst, "abc", 3);
  /* NOTE(review): BSD strlcpy stores at most n-1 characters, so a libc
   * implementation would leave "ab" in dst and this strlcat would return 6.
   * The check below pins the analyzer's modelled value of 7 - confirm that
   * this difference from libc is intended before relying on the modelled
   * return value for truncation checks. */
  size_t total = strlcat(dst, "defg", 4);
  clang_analyzer_eval(total == 7); // expected-warning{{TRUE}}
}
49 
/* Zero-size copy whose size_t result is returned as int. The only requirement
 * recorded here is the "no-crash" marker: the analyzer has to process the call
 * without crashing. */
int f7() {
  char dst[8];
  return strlcpy(dst, "1234567", 0); // no-crash
}
54 
/* Walks one 5-byte buffer through four calls and, after each, checks both the
 * value returned by the call and the length strlen() sees afterwards. The two
 * differ once truncation or a zero bound is involved. */
void f8() {
  char buf[5];
  size_t ret;
  size_t stored;

  /* Copy that fits: returned length and stored length agree. */
  ret = strlcpy(buf, "123", sizeof(buf));
  clang_analyzer_eval(ret == 3); // expected-warning{{TRUE}}
  stored = strlen(buf);
  clang_analyzer_eval(stored == 3); // expected-warning{{TRUE}}

  /* Bounded concatenation that truncates: the return value is the length that
   * was attempted (6), the stored string is capped at sizeof(buf) - 1. */
  ret = strlcat(buf, "456", sizeof(buf));
  clang_analyzer_eval(ret == 6); // expected-warning{{TRUE}}
  stored = strlen(buf);
  clang_analyzer_eval(stored == 4); // expected-warning{{TRUE}}

  /* Concatenation with size == 0: the buffer contents stay as they were.
   * NOTE(review): the BSD implementation returns size + strlen(src) when no
   * terminator is found within size bytes, i.e. 3 here; the modelled value
   * pinned below is 7 - confirm the model is intended to differ. */
  ret = strlcat(buf, "789", 0);
  clang_analyzer_eval(ret == 7); // expected-warning{{TRUE}}
  stored = strlen(buf);
  clang_analyzer_eval(stored == 4); // expected-warning{{TRUE}}

  /* Copy with size == 0: returns the source length, writes nothing. */
  ret = strlcpy(buf, "123", 0);
  clang_analyzer_eval(ret == 3); // expected-warning{{TRUE}}
  stored = strlen(buf);
  clang_analyzer_eval(stored == 4); // expected-warning{{TRUE}}
}
84 
/* Mixes known and unknown operands to pin what the analyzer can still conclude
 * about strlcpy/strlcat when the size, the source or the destination comes
 * from a function parameter. */
void f9(int unknown_size, char *unknown_src, char *unknown_dst) {
  char buf[8];
  size_t ret = strlcpy(buf, "abba", sizeof(buf));

  clang_analyzer_eval(ret == 4); // expected-warning{{TRUE}}
  clang_analyzer_eval(strlen(buf) == 4); // expected-warning{{TRUE}}

  /* Size is unknown: the return value is still modelled as 4 + 2, while the
   * stored length is only known to be at least the previous 4. */
  ret = strlcat(buf, "cd", unknown_size);
  clang_analyzer_eval(ret == 6); // expected-warning{{TRUE}}
  clang_analyzer_eval(strlen(buf) >= 4); // expected-warning{{TRUE}}

  /* Destination (and size) unknown: the return value follows the literal
   * source, the destination's length cannot be determined. */
  ret = strlcpy(unknown_dst, "abbc", unknown_size);
  clang_analyzer_eval(ret == 4); // expected-warning{{TRUE}}
  clang_analyzer_eval(strlen(unknown_dst)); // expected-warning{{UNKNOWN}}

  /* Source unknown: neither the return value nor the new length is known. */
  ret = strlcpy(buf, unknown_src, sizeof(buf));
  clang_analyzer_eval(ret); // expected-warning{{UNKNOWN}}
  clang_analyzer_eval(strlen(buf)); // expected-warning{{UNKNOWN}}

  /* Source, destination and size all unknown. */
  ret = strlcpy(unknown_dst, unknown_src, unknown_size);
  clang_analyzer_eval(ret); // expected-warning{{UNKNOWN}}
  clang_analyzer_eval(strlen(unknown_dst)); // expected-warning{{UNKNOWN}}

  /* Offset destination with a stale bound: the write starts two bytes into
   * the 8-byte array but the size passed is still sizeof(buf), so the bound
   * covers more than the space that remains. The source is unknown here; the
   * size is not. */
  ret = strlcat(buf + 2, unknown_src + 1, sizeof(buf));
  // expected-warning@-1 {{String concatenation function overflows the destination buffer}}
}
118 
/* Oversized bound on concatenation: the array holds 8 bytes but 9 is passed as
 * the size, so the bound itself permits a write past the end. */
void f10() {
  char dst[8];
  size_t copied = strlcpy(dst, "abba", sizeof(dst));

  clang_analyzer_eval(copied == 4); // expected-warning{{TRUE}}
  strlcat(dst, "efghi", 9);
  // expected-warning@-1 {{String concatenation function overflows the destination buffer}}
}
128 
/* Regression case for Bug 41729: two 256-byte arrays, each call bounded by the
 * sizeof of its own destination, and short literals. No diagnostic may be
 * produced for the final concatenation. */
void f11() {
  char tail[256], head[256];
  strlcpy(tail, "world", sizeof(tail));
  strlcpy(head, "hello ", sizeof(head));
  strlcat(head, tail, sizeof(head)); // no-warning
}
136 
/* File-scope ints that unknown_val_crash() passes where strlcat takes
 * pointers. */
int a;
int b;
/* Deliberately ill-typed call: an int's address is passed as the destination
 * and an int value as the source. The analyzer is unable to evaluate the
 * integer-to-pointer cast of the source; per the "no-crash" marker it must
 * still get through the call without crashing. */
void unknown_val_crash() {
  strlcat(&b, a, 0); // no-crash
}