pghs975uc
/
infer_clone
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '057efb2893'
${ noResults }
infer_clone/infer/tests/codetoanalyze/cpp/bufferoverrun/class.cpp

188 lines
3.8 KiB
Raw Normal View History Unescape

[Bufferoverrun] symbolic value for parameter Reviewed By: mbouaziz Differential Revision: D5002459 fbshipit-source-id: a6261ae
8 years ago
/*
* Copyright (c) 2017 - present Facebook, Inc.
* All rights reserved.
*
* This source code is licensed under the BSD style license found in the
* LICENSE file in the root directory of this source tree. An additional grant
* of patent rights can be found in the PATENTS file in the same directory.
*/
class my_class {
int idx;
int arr[10];
void set_a(int n) { idx = n; }
int id(int n) { return n; }
public:
int access_Bad() {
set_a(10);
return arr[idx];
}
int access2_Bad() {
int n = 10;
return arr[id(n)];
}
[inferbo] Add new operator model Reviewed By: jvillard Differential Revision: D6960369 fbshipit-source-id: 55d74f5
7 years ago
int access_nth(int n) { return arr[n]; }
[Bufferoverrun] symbolic value for parameter Reviewed By: mbouaziz Differential Revision: D5002459 fbshipit-source-id: a6261ae
8 years ago
};
[inferbo] Add new operator model Reviewed By: jvillard Differential Revision: D6960369 fbshipit-source-id: 55d74f5
7 years ago
void access_after_new_Good() {
my_class* x = new my_class();
x->access_nth(5);
}
void access_after_new_Bad() {
my_class* x = new my_class();
x->access_nth(15);
}
[inferbo] Initialize array member in class Reviewed By: mbouaziz Differential Revision: D7053775 fbshipit-source-id: c451d46
7 years ago
#include <stdlib.h>
class my_class2 {
public:
int a[5];
};
void array_member_malloc_Good() {
my_class2* x = (my_class2*)malloc(sizeof(my_class2));
x->a[0] = 0;
}
void array_member_malloc_Bad() {
my_class2* x = (my_class2*)malloc(sizeof(my_class2));
x->a[10] = 0;
}
class my_class3 {
public:
my_class2 b;
};
void array_member_malloc2_Bad() {
my_class3* x = (my_class3*)malloc(sizeof(my_class3));
x->b.a[10] = 0;
}
[inferbo] Add a model for "placement new" Summary: The semantics of "placement new" is defined simply as an assignment. For example, `C* x = new (y) C();` is analyzed as if `C* x = y;`. Reviewed By: mbouaziz Differential Revision: D7054007 fbshipit-source-id: 1c6754f
7 years ago
#include <new>
void placement_new_Good() {
char* mem = (char*)malloc(sizeof(my_class2));
my_class2* x = new (mem) my_class2();
x->a[0] = 0;
}
void placement_new_Bad() {
char* mem = (char*)malloc(sizeof(my_class2));
my_class2* x = new (mem) my_class2();
x->a[10] = 0;
}
[inferbo] Support flexible array member Summary: It supports flexible array member using the following heuristic: - a memory for a class is allocated by `malloc(sizeof(C) + n * sizeof(T))` format - the last field of the class is an array - the static size of the last field is one, i.e., `T field_name[1]` When allocating and initializing members of classes, it sets the size of flexible array to `n+1` if the above conditions are met. Reviewed By: mbouaziz Differential Revision: D7056291 fbshipit-source-id: 31c5868
7 years ago
class my_class4 {
public:
int a[3];
int c[3];
int b[1];
};
void flexible_array1_Good() {
char* mem = (char*)malloc(sizeof(my_class4) + 4 * sizeof(int));
my_class4* x = new (mem) my_class4();
x->b[4] = 0;
}
void flexible_array1_Bad() {
char* mem = (char*)malloc(sizeof(my_class4) + 4 * sizeof(int));
my_class4* x = new (mem) my_class4();
x->b[5] = 0;
}
void flexible_array2_Bad_FN() {
char* mem = (char*)malloc(4 * sizeof(int) + sizeof(my_class4));
my_class4* x = new (mem) my_class4();
x->b[5] = 0;
}
void flexible_array3_Bad_FN() {
char* mem = (char*)malloc(sizeof(my_class4) + sizeof(int) * 4);
my_class4* x = new (mem) my_class4();
x->b[5] = 0;
}
class my_class5 {
public:
int d[3];
int f[3];
my_class4 e;
};
void flexible_array4_Good() {
char* mem = (char*)malloc(sizeof(my_class5) + 4 * sizeof(int));
my_class5* x = new (mem) my_class5();
x->e.b[4] = 0;
}
void flexible_array4_Bad() {
char* mem = (char*)malloc(sizeof(my_class5) + 4 * sizeof(int));
my_class5* x = new (mem) my_class5();
x->e.b[5] = 0;
}
class Tree {
private:
unsigned int children_num;
Tree(unsigned int children_num) : children_num(children_num) {}
public:
void set_child(Tree* child, unsigned int nth) { children[nth] = child; }
static Tree* NewNode(unsigned int children_num) {
char* mem =
(char*)malloc(sizeof(Tree) + (children_num - 1) * sizeof(Tree*));
return new (mem) Tree(children_num);
}
static Tree* NewLeaf() { return new Tree(0); }
private:
Tree* children[1];
};
[inferbo][bugfix] Declare parameter of flexible array member Summary: The `may_last_field` boolean value in the `decl_sym_val` function presents that the location *may* (not *must*) be a flexible array member. By the modular analysis nature, it is impossible to determine whether a given argument is a flexible array member or not---because of lack of calling context. For example, there are two function calls of `foo` below: (2) passes a flexible array member as an argument and (1) passes a non-flexible array, however it is hard to notice when analyzing the `foo` function. ``` struct T { int c[1]; }; struct S { struct T a; struct T b; }; void foo(struct T x) { ... } void goo () { struct S* x = (struct S*)malloc(sizeof(struct S) + 10 * sizeof(int)); foo(&(x->a)); // (1) foo(&(x->b)); // (2) } ``` We assume that any given arguments may stem from the last field of struct, i.e., flexible array member. (This is why `decl_sym_val` is called with `may_last_field:true` at the first time.) With some tests, we noticed that the assumption does not harm the analysis precision, because whether regarding a parameter as a flexible array member or not is about using a symbolic array size instead of a constant array size written in the type during the analysis of callee. Therefore still it can raise correct alarms if the actual parameter is given in its caller. Reviewed By: mbouaziz Differential Revision: D7081295 fbshipit-source-id: a4d57a0
7 years ago
void flexible_array5_Good() {
[inferbo] Support flexible array member Summary: It supports flexible array member using the following heuristic: - a memory for a class is allocated by `malloc(sizeof(C) + n * sizeof(T))` format - the last field of the class is an array - the static size of the last field is one, i.e., `T field_name[1]` When allocating and initializing members of classes, it sets the size of flexible array to `n+1` if the above conditions are met. Reviewed By: mbouaziz Differential Revision: D7056291 fbshipit-source-id: 31c5868
7 years ago
Tree* t = Tree::NewNode(3);
t->set_child(Tree::NewLeaf(), 0);
t->set_child(Tree::NewLeaf(), 1);
t->set_child(Tree::NewLeaf(), 2);
}
[inferbo] Return newly allocated locations in callees Summary: At function calls, it copies a subset of heap memory that is newly allocated by callees and is reachable from the return value. Reviewed By: mbouaziz Differential Revision: D7081425 fbshipit-source-id: 1ce777a
7 years ago
void flexible_array5_Bad() {
[inferbo] Support flexible array member Summary: It supports flexible array member using the following heuristic: - a memory for a class is allocated by `malloc(sizeof(C) + n * sizeof(T))` format - the last field of the class is an array - the static size of the last field is one, i.e., `T field_name[1]` When allocating and initializing members of classes, it sets the size of flexible array to `n+1` if the above conditions are met. Reviewed By: mbouaziz Differential Revision: D7056291 fbshipit-source-id: 31c5868
7 years ago
Tree* t = Tree::NewNode(3);
t->set_child(Tree::NewLeaf(), 5);
}
[inferbo][bugfix] Declare parameter of flexible array member Summary: The `may_last_field` boolean value in the `decl_sym_val` function presents that the location *may* (not *must*) be a flexible array member. By the modular analysis nature, it is impossible to determine whether a given argument is a flexible array member or not---because of lack of calling context. For example, there are two function calls of `foo` below: (2) passes a flexible array member as an argument and (1) passes a non-flexible array, however it is hard to notice when analyzing the `foo` function. ``` struct T { int c[1]; }; struct S { struct T a; struct T b; }; void foo(struct T x) { ... } void goo () { struct S* x = (struct S*)malloc(sizeof(struct S) + 10 * sizeof(int)); foo(&(x->a)); // (1) foo(&(x->b)); // (2) } ``` We assume that any given arguments may stem from the last field of struct, i.e., flexible array member. (This is why `decl_sym_val` is called with `may_last_field:true` at the first time.) With some tests, we noticed that the assumption does not harm the analysis precision, because whether regarding a parameter as a flexible array member or not is about using a symbolic array size instead of a constant array size written in the type during the analysis of callee. Therefore still it can raise correct alarms if the actual parameter is given in its caller. Reviewed By: mbouaziz Differential Revision: D7081295 fbshipit-source-id: a4d57a0
7 years ago
void flexible_array_param_access(my_class4* x) { x->b[3] = 0; }
void flexible_array_param_Good() {
my_class4* x = (my_class4*)malloc(sizeof(my_class4) + 4 * sizeof(int));
flexible_array_param_access(x);
}
void flexible_array_param_Bad() {
my_class4* x = (my_class4*)malloc(sizeof(my_class4) + 2 * sizeof(int));
flexible_array_param_access(x);
}
[inferbo] Return newly allocated locations in callees Summary: At function calls, it copies a subset of heap memory that is newly allocated by callees and is reachable from the return value. Reviewed By: mbouaziz Differential Revision: D7081425 fbshipit-source-id: 1ce777a
7 years ago
char* my_malloc() { return (char*)malloc(sizeof(my_class4) + 4 * sizeof(int)); }
void return_class_Good() {
my_class4* x = (my_class4*)my_malloc();
x->b[3] = 0;
}
void return_class_Bad() {
my_class4* x = (my_class4*)my_malloc();
x->b[5] = 0;
}