// RUN: %clang_analyze_cc1 -verify %s \ // RUN: -analyzer-checker=core,alpha.unix.cstring //===----------------------------------------------------------------------===// // mempcpy() using character array. This is the easiest case, as memcpy // intepretrs the dst and src buffers as character arrays (regardless of their // actual type). //===----------------------------------------------------------------------===// typedef typeof(sizeof(int)) size_t; void clang_analyzer_eval(int); void *memcpy(void *restrict s1, const void *restrict s2, size_t n); void memcpy_array_fully_uninit(char *dst) { char buf[10]; memcpy(dst, buf, 10); // expected-warning{{The first element of the 2nd argument is undefined}} // expected-note@-1{{Other elements might also be undefined}} (void)buf; } void memcpy_array_partially_uninit(char *dst) { char buf[10]; buf[0] = 'i'; memcpy(dst, buf, 10); // expected-warning{{The last accessed element (at index 9) in the 2nd argument is undefined}} // expected-note@-1{{Other elements might also be undefined}} (void)buf; } void memcpy_array_only_init_portion(char *dst) { char buf[10]; buf[0] = 'i'; memcpy(dst, buf, 1); (void)buf; } void memcpy_array_partially_init_error(char *dst) { char buf[10]; buf[0] = 'i'; memcpy(dst, buf, 2); // expected-warning{{The last accessed element (at index 1) in the 2nd argument is undefined}} // expected-note@-1{{Other elements might also be undefined}} (void)buf; } // The interesting case here is that the portion we're copying is initialized, // but not the whole matrix. We need to be careful to extract buf[1], and not // buf when trying to peel region layers off from the source argument. void memcpy_array_from_matrix(char *dst) { char buf[2][2]; buf[1][0] = 'i'; buf[1][1] = 'j'; // FIXME: This is a FP -- we mistakenly retrieve the first element of buf, // instead of the first element of buf[1]. getLValueElement simply peels off // another ElementRegion layer, when in this case it really shouldn't. memcpy(dst, buf[1], 2); // expected-warning{{The first element of the 2nd argument is undefined}} // expected-note@-1{{Other elements might also be undefined}} (void)buf; } //===----------------------------------------------------------------------===// // mempcpy() using non-character arrays. //===----------------------------------------------------------------------===// void *mempcpy(void *restrict s1, const void *restrict s2, size_t n); void memcpy_int_array_fully_init() { int src[] = {1, 2, 3, 4}; int dst[5] = {0}; int *p; p = mempcpy(dst, src, 4 * sizeof(int)); clang_analyzer_eval(p == &dst[4]); } void memcpy_int_array_fully_init2(int *dest) { int t[] = {1, 2, 3}; memcpy(dest, t, sizeof(t)); } //===----------------------------------------------------------------------===// // mempcpy() using nonarrays. //===----------------------------------------------------------------------===// struct st { int i; int j; }; void mempcpy_struct_partially_uninit() { struct st s1 = {0}; struct st s2; struct st *p1; struct st *p2; p1 = (&s2) + 1; // FIXME: Maybe ask UninitializedObjectChecker whether s1 is fully // initialized? p2 = mempcpy(&s2, &s1, sizeof(struct st)); clang_analyzer_eval(p1 == p2); } void mempcpy_struct_fully_uninit() { struct st s1; struct st s2; // FIXME: Maybe ask UninitializedObjectChecker whether s1 is fully // initialized? mempcpy(&s2, &s1, sizeof(struct st)); } // Creduced crash. In this case, an symbolicregion is wrapped in an // elementregion for the src argument. void *ga_copy_strings_from_0; void *memmove(); void alloc(); void ga_copy_strings() { int i = 0; for (;; ++i) memmove(alloc, ((char **)ga_copy_strings_from_0)[i], 1); } // Creduced crash. In this case, retrieving the Loc for the first element failed. char mov_mdhd_language_map[][4] = {}; int ff_mov_lang_to_iso639_code; char *ff_mov_lang_to_iso639_to; void ff_mov_lang_to_iso639() { memcpy(ff_mov_lang_to_iso639_to, mov_mdhd_language_map[ff_mov_lang_to_iso639_code], 4); }