[analyzer] Improve the modeling of memset().
Since there is no perfect way bind the non-zero value with the default binding, this patch only considers the case where buffer's offset is zero and the char value is 0. And according to the value for overwriting, decide how to update the string length.
Reviewers: dcoughlin, NoQ, xazax.hun, a.sidorin, george.karpenkov
Reviewed By: NoQ
Differential Revision: https://reviews.llvm.org/D44934
llvm-svn: 332463
diff --git a/clang/test/Analysis/bstring.cpp b/clang/test/Analysis/bstring.cpp
index fea76cc..19978f9 100644
--- a/clang/test/Analysis/bstring.cpp
+++ b/clang/test/Analysis/bstring.cpp
@@ -1,7 +1,8 @@
-// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix.cstring,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -verify %s
-// RUN: %clang_analyze_cc1 -DUSE_BUILTINS -analyzer-checker=core,unix.cstring,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -verify %s
-// RUN: %clang_analyze_cc1 -DVARIANT -analyzer-checker=core,unix.cstring,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -verify %s
-// RUN: %clang_analyze_cc1 -DUSE_BUILTINS -DVARIANT -analyzer-checker=core,unix.cstring,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -verify %s
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix.cstring,unix.Malloc,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -verify %s
+// RUN: %clang_analyze_cc1 -DUSE_BUILTINS -analyzer-checker=core,unix.cstring,unix.Malloc,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -verify %s
+// RUN: %clang_analyze_cc1 -DVARIANT -analyzer-checker=core,unix.cstring,alpha.unix.cstring,unix.Malloc,debug.ExprInspection -analyzer-store=region -verify %s
+// RUN: %clang_analyze_cc1 -DUSE_BUILTINS -DVARIANT -analyzer-checker=core,unix.cstring,alpha.unix.cstring,unix.Malloc,debug.ExprInspection -analyzer-store=region -verify %s
+// RUN: %clang_analyze_cc1 -DSUPPRESS_OUT_OF_BOUND -analyzer-checker=core,unix.cstring,unix.Malloc,alpha.unix.cstring.BufferOverlap,alpha.unix.cstring.NotNullTerminated,debug.ExprInspection -analyzer-store=region -verify %s
#include "Inputs/system-header-simulator-cxx.h"
#include "Inputs/system-header-simulator-for-malloc.h"
@@ -77,3 +78,118 @@
unsigned *f;
};
}
+
+void *memset(void *dest, int ch, std::size_t count);
+namespace memset_non_pod {
+class Base {
+public:
+ int b_mem;
+ Base() : b_mem(1) {}
+};
+
+class Derived : public Base {
+public:
+ int d_mem;
+ Derived() : d_mem(2) {}
+};
+
+void memset1_inheritance() {
+ Derived d;
+ memset(&d, 0, sizeof(Derived));
+ clang_analyzer_eval(d.b_mem == 0); // expected-warning{{TRUE}}
+ clang_analyzer_eval(d.d_mem == 0); // expected-warning{{TRUE}}
+}
+
+#ifdef SUPPRESS_OUT_OF_BOUND
+void memset2_inheritance_field() {
+ Derived d;
+ memset(&d.d_mem, 0, sizeof(Derived));
+ clang_analyzer_eval(d.b_mem == 0); // expected-warning{{UNKNOWN}}
+ clang_analyzer_eval(d.d_mem == 0); // expected-warning{{UNKNOWN}}
+}
+
+void memset3_inheritance_field() {
+ Derived d;
+ memset(&d.b_mem, 0, sizeof(Derived));
+ clang_analyzer_eval(d.b_mem == 0); // expected-warning{{TRUE}}
+ clang_analyzer_eval(d.d_mem == 0); // expected-warning{{TRUE}}
+}
+#endif
+
+void memset4_array_nonpod_object() {
+ Derived array[10];
+ clang_analyzer_eval(array[1].b_mem == 1); // expected-warning{{UNKNOWN}}
+ clang_analyzer_eval(array[1].d_mem == 2); // expected-warning{{UNKNOWN}}
+ memset(&array[1], 0, sizeof(Derived));
+ clang_analyzer_eval(array[1].b_mem == 0); // expected-warning{{UNKNOWN}}
+ clang_analyzer_eval(array[1].d_mem == 0); // expected-warning{{UNKNOWN}}
+}
+
+void memset5_array_nonpod_object() {
+ Derived array[10];
+ clang_analyzer_eval(array[1].b_mem == 1); // expected-warning{{UNKNOWN}}
+ clang_analyzer_eval(array[1].d_mem == 2); // expected-warning{{UNKNOWN}}
+ memset(array, 0, sizeof(array));
+ clang_analyzer_eval(array[1].b_mem == 0); // expected-warning{{TRUE}}
+ clang_analyzer_eval(array[1].d_mem == 0); // expected-warning{{TRUE}}
+}
+
+void memset6_new_array_nonpod_object() {
+ Derived *array = new Derived[10];
+ clang_analyzer_eval(array[2].b_mem == 1); // expected-warning{{UNKNOWN}}
+ clang_analyzer_eval(array[2].d_mem == 2); // expected-warning{{UNKNOWN}}
+ memset(array, 0, 10 * sizeof(Derived));
+ clang_analyzer_eval(array[2].b_mem == 0); // expected-warning{{TRUE}}
+ clang_analyzer_eval(array[2].d_mem == 0); // expected-warning{{TRUE}}
+ delete[] array;
+}
+
+void memset7_placement_new() {
+ Derived *d = new Derived();
+ clang_analyzer_eval(d->b_mem == 1); // expected-warning{{TRUE}}
+ clang_analyzer_eval(d->d_mem == 2); // expected-warning{{TRUE}}
+
+ memset(d, 0, sizeof(Derived));
+ clang_analyzer_eval(d->b_mem == 0); // expected-warning{{TRUE}}
+ clang_analyzer_eval(d->d_mem == 0); // expected-warning{{TRUE}}
+
+ Derived *d1 = new (d) Derived();
+ clang_analyzer_eval(d1->b_mem == 1); // expected-warning{{TRUE}}
+ clang_analyzer_eval(d1->d_mem == 2); // expected-warning{{TRUE}}
+
+ memset(d1, 0, sizeof(Derived));
+ clang_analyzer_eval(d->b_mem == 0); // expected-warning{{TRUE}}
+ clang_analyzer_eval(d->d_mem == 0); // expected-warning{{TRUE}}
+}
+
+class BaseVirtual {
+public:
+ int b_mem;
+ virtual int get() { return 1; }
+};
+
+class DerivedVirtual : public BaseVirtual {
+public:
+ int d_mem;
+};
+
+#ifdef SUPPRESS_OUT_OF_BOUND
+void memset8_virtual_inheritance_field() {
+ DerivedVirtual d;
+ memset(&d.b_mem, 0, sizeof(Derived));
+ clang_analyzer_eval(d.b_mem == 0); // expected-warning{{UNKNOWN}}
+ clang_analyzer_eval(d.d_mem == 0); // expected-warning{{UNKNOWN}}
+}
+#endif
+} // namespace memset_non_pod
+
+#ifdef SUPPRESS_OUT_OF_BOUND
+void memset1_new_array() {
+ int *array = new int[10];
+ memset(array, 0, 10 * sizeof(int));
+ clang_analyzer_eval(array[2] == 0); // expected-warning{{TRUE}}
+ memset(array + 1, 'a', 10 * sizeof(9));
+ clang_analyzer_eval(array[2] == 0); // expected-warning{{UNKNOWN}}
+ delete[] array;
+}
+#endif