infer_clone/infer/tests/codetoanalyze/c/bufferoverrun/models.c

/*
 * Copyright (c) 2017-present, Facebook, Inc.
 *
 * This source code is licensed under the MIT license found in the
 * LICENSE file in the root directory of this source tree.
 */
#include <stdio.h>
#include <stdlib.h>

void exit_bo_good_unreachable_bad() {
  int arr[1];
  exit(1);
  // unreachable so no buffer overrun
  arr[42] = 42;
}

void fgetc_m1_bad(FILE* f) {
  int arr[10000];
  int c = fgetc(f);
  arr[c] = 42;
}

void fgetc_255_bad(FILE* f) {
  int arr[255];
  int c = fgetc(f);
  if (c >= 0) {
    arr[c] = 42;
  }
}

void fgetc_256_good(FILE* f) {
  int arr[256];
  int c = fgetc(f);
  if (c >= 0) {
    arr[c] = 42;
  }
}

void fgetc_256_bad(FILE* f) {
  int arr[256];
  int c = fgetc(f);
  arr[c + 1] = 42;
}

void fgetc_257_good(FILE* f) {
  int arr[257];
  int c = fgetc(f);
  arr[c + 1] = 42;
}

void memcpy_bad1() {
  int arr1[10];
  int arr2[20];
  memcpy(arr1, arr2, 44);
}

void memcpy_bad2() {
  int arr1[10];
  int arr2[20];
  memcpy(arr2, arr1, 44);
}

void memcpy_bad3() {
  int arr1[10];
  int arr2[20];
  memcpy(arr1, arr2, -1);
}

void memcpy_bad4() {
  int src[1];
  int buff[1];
  int* dst = &buff[0];
  memcpy(dst, src, sizeof(dst));
}

void memcpy_good1() {
  int arr1[10];
  int arr2[20];
  memcpy(arr2, arr1, 40);
}

void memcpy_good2() {
  int arr1[10];
  int arr2[20];
  memcpy(arr2, arr1, 0);
}

void memcpy_good3() {
  int arr1[10];
  int arr2[20];
  memcpy(arr2, arr1, 20);
}

void memcpy_good4() {
  int src[3];
  int dst[3];
  memcpy(dst, src, sizeof(dst));
}

void memcpy_len(size_t len) {
  char dst[len];
  char src[len];
  memcpy(dst, src, len);
}

void call_memcpy_len1_Good() { memcpy_len(40); }

extern size_t unknown_uint();

void call_memcpy_len2_Good_FP() {
  size_t x = unknown();
  memcpy_len(x);
}

void memmove_bad1() {
  int arr1[10];
  int arr2[20];
  memmove(arr1, arr2, 44);
}

void memmove_bad2() {
  int arr1[10];
  int arr2[20];
  memmove(arr2, arr1, 44);
}

void memmove_bad3() {
  int arr1[10];
  int arr2[20];
  memmove(arr1, arr2, -1);
}

void memmove_bad4() {
  int src[1];
  int buff[1];
  int* dst = &buff[0];
  memmove(dst, src, sizeof(dst));
}

void memmove_good1() {
  int arr1[10];
  int arr2[20];
  memmove(arr2, arr1, 40);
}

void memmove_good2() {
  int arr1[10];
  int arr2[20];
  memmove(arr2, arr1, 0);
}

void memmove_good3() {
  int arr1[10];
  int arr2[20];
  memmove(arr2, arr1, 20);
}

void memmove_good4() {
  int src[3];
  int dst[3];
  memmove(dst, src, sizeof(dst));
}

void memset_bad1() {
  int arr[10];
  memset(arr, 0, 44);
}

void memset_bad2() {
  int arr[10];
  memset(arr, 0, -1);
}

void memset_bad3() {
  int arr[1];
  int* dst = &arr[0];
  memset(dst, 0, sizeof(dst));
}

void memset_good1() {
  int arr[10];
  memset(arr, 0, 40);
}

void memset_good2() {
  int arr[10];
  memset(arr, 0, 0);
}

void memset_good3() {
  int arr[10];
  memset(arr, 0, 20);
}

void memset_good4() {
  int arr[10];
  memset(arr, 0, sizeof(arr));
}

void strncpy_bad1() {
  int arr1[10];
  int arr2[20];
  strncpy(arr1, arr2, 44);
}

void strncpy_bad2() {
  int arr1[10];
  int arr2[20];
  strncpy(arr2, arr1, 44);
}

void strncpy_bad3() {
  int arr1[10];
  int arr2[20];
  strncpy(arr1, arr2, -1);
}

void strncpy_bad4() {
  int src[1];
  int buff[1];
  int* dst = &buff[0];
  strncpy(dst, src, sizeof(dst));
}

void strncpy_good1() {
  int arr1[10];
  int arr2[20];
  strncpy(arr2, arr1, 40);
}

void strncpy_good2() {
  int arr1[10];
  int arr2[20];
  strncpy(arr2, arr1, 0);
}

void strncpy_good3() {
  int arr1[10];
  int arr2[20];
  strncpy(arr2, arr1, 20);
}

void strncpy_good4() {
  int src[3];
  int dst[3];
  strncpy(dst, src, sizeof(dst));
}

void strncpy_good5_FP() {
  char src[5] = "test";
  char dst[5];
  strncpy(dst, src, 10);
}
[inferbo] Models for exit, fgetc Summary: - model `exit` as `Bottom` - model `fgetc` as returning `[-1; 255]` rather than `[-1; +oo]` - reduced the number of model functions for simple models Reviewed By: KihongHeo Differential Revision: D5137485 fbshipit-source-id: 943eeeb 8 years ago			`/*`
Change license to MIT Summary: Change the license of the source code from BSD + PATENTS to MIT. Change `checkCopyright` to reflect the new license and learn some new file types. Generated with: ``` git grep BSD \| xargs -n 1 ./scripts/checkCopyright -i ``` Reviewed By: jeremydubreil, mbouaziz, jberdine Differential Revision: D8071249 fbshipit-source-id: 97ca23a 7 years ago			`* Copyright (c) 2017-present, Facebook, Inc.`
[inferbo] Models for exit, fgetc Summary: - model `exit` as `Bottom` - model `fgetc` as returning `[-1; 255]` rather than `[-1; +oo]` - reduced the number of model functions for simple models Reviewed By: KihongHeo Differential Revision: D5137485 fbshipit-source-id: 943eeeb 8 years ago			`*`
Change license to MIT Summary: Change the license of the source code from BSD + PATENTS to MIT. Change `checkCopyright` to reflect the new license and learn some new file types. Generated with: ``` git grep BSD \| xargs -n 1 ./scripts/checkCopyright -i ``` Reviewed By: jeremydubreil, mbouaziz, jberdine Differential Revision: D8071249 fbshipit-source-id: 97ca23a 7 years ago			`* This source code is licensed under the MIT license found in the`
			`* LICENSE file in the root directory of this source tree.`
[inferbo] Models for exit, fgetc Summary: - model `exit` as `Bottom` - model `fgetc` as returning `[-1; 255]` rather than `[-1; +oo]` - reduced the number of model functions for simple models Reviewed By: KihongHeo Differential Revision: D5137485 fbshipit-source-id: 943eeeb 8 years ago			`*/`
			`#include <stdio.h>`
			`#include <stdlib.h>`

[inferbo] Add warnings and errors for unreachable code Summary: Warnings for conditions always true/false Errors for other unreachable statements (should help debugging inferbo) Reviewed By: sblackshear Differential Revision: D5047883 fbshipit-source-id: 65a78ca 8 years ago			`void exit_bo_good_unreachable_bad() {`
[inferbo] Models for exit, fgetc Summary: - model `exit` as `Bottom` - model `fgetc` as returning `[-1; 255]` rather than `[-1; +oo]` - reduced the number of model functions for simple models Reviewed By: KihongHeo Differential Revision: D5137485 fbshipit-source-id: 943eeeb 8 years ago			`int arr[1];`
			`exit(1);`
[inferbo] Add warnings and errors for unreachable code Summary: Warnings for conditions always true/false Errors for other unreachable statements (should help debugging inferbo) Reviewed By: sblackshear Differential Revision: D5047883 fbshipit-source-id: 65a78ca 8 years ago			`// unreachable so no buffer overrun`
[inferbo] Models for exit, fgetc Summary: - model `exit` as `Bottom` - model `fgetc` as returning `[-1; 255]` rather than `[-1; +oo]` - reduced the number of model functions for simple models Reviewed By: KihongHeo Differential Revision: D5137485 fbshipit-source-id: 943eeeb 8 years ago			`arr[42] = 42;`
			`}`

			`void fgetc_m1_bad(FILE* f) {`
			`int arr[10000];`
			`int c = fgetc(f);`
			`arr[c] = 42;`
			`}`

			`void fgetc_255_bad(FILE* f) {`
			`int arr[255];`
			`int c = fgetc(f);`
			`if (c >= 0) {`
			`arr[c] = 42;`
			`}`
			`}`

			`void fgetc_256_good(FILE* f) {`
			`int arr[256];`
			`int c = fgetc(f);`
			`if (c >= 0) {`
			`arr[c] = 42;`
			`}`
			`}`

[inferbo] Replace buckets with issue types Reviewed By: skcho Differential Revision: D5975948 fbshipit-source-id: 92a7188 7 years ago			`void fgetc_256_bad(FILE* f) {`
			`int arr[256];`
			`int c = fgetc(f);`
			`arr[c + 1] = 42;`
			`}`

[inferbo] Models for exit, fgetc Summary: - model `exit` as `Bottom` - model `fgetc` as returning `[-1; 255]` rather than `[-1; +oo]` - reduced the number of model functions for simple models Reviewed By: KihongHeo Differential Revision: D5137485 fbshipit-source-id: 943eeeb 8 years ago			`void fgetc_257_good(FILE* f) {`
			`int arr[257];`
			`int c = fgetc(f);`
			`arr[c + 1] = 42;`
			`}`
Added model for memcpy C function to inferBO Reviewed By: mbouaziz Differential Revision: D9768893 fbshipit-source-id: b0e2ed894 6 years ago
			`void memcpy_bad1() {`
			`int arr1[10];`
			`int arr2[20];`
			`memcpy(arr1, arr2, 44);`
			`}`

			`void memcpy_bad2() {`
			`int arr1[10];`
			`int arr2[20];`
			`memcpy(arr2, arr1, 44);`
			`}`

			`void memcpy_bad3() {`
			`int arr1[10];`
			`int arr2[20];`
			`memcpy(arr1, arr2, -1);`
			`}`

			`void memcpy_bad4() {`
			`int src[1];`
			`int buff[1];`
			`int* dst = &buff[0];`
			`memcpy(dst, src, sizeof(dst));`
			`}`

			`void memcpy_good1() {`
			`int arr1[10];`
			`int arr2[20];`
			`memcpy(arr2, arr1, 40);`
			`}`

			`void memcpy_good2() {`
			`int arr1[10];`
			`int arr2[20];`
			`memcpy(arr2, arr1, 0);`
			`}`

			`void memcpy_good3() {`
			`int arr1[10];`
			`int arr2[20];`
			`memcpy(arr2, arr1, 20);`
			`}`

			`void memcpy_good4() {`
			`int src[3];`
			`int dst[3];`
			`memcpy(dst, src, sizeof(dst));`
			`}`
Wired up model for memmove which is identical to memcopy Reviewed By: skcho Differential Revision: D9810324 fbshipit-source-id: d06d411db 6 years ago
[inferbo] Fix check function for is_collection_add Summary: It fixes the conditions of the `check` function to address `is_collection_add` cases correctly. Reviewed By: mbouaziz Differential Revision: D13081281 fbshipit-source-id: 39ae5ef03 6 years ago			`void memcpy_len(size_t len) {`
			`char dst[len];`
			`char src[len];`
			`memcpy(dst, src, len);`
			`}`

			`void call_memcpy_len1_Good() { memcpy_len(40); }`

			`extern size_t unknown_uint();`

			`void call_memcpy_len2_Good_FP() {`
			`size_t x = unknown();`
			`memcpy_len(x);`
			`}`

Wired up model for memmove which is identical to memcopy Reviewed By: skcho Differential Revision: D9810324 fbshipit-source-id: d06d411db 6 years ago			`void memmove_bad1() {`
			`int arr1[10];`
			`int arr2[20];`
			`memmove(arr1, arr2, 44);`
			`}`

			`void memmove_bad2() {`
			`int arr1[10];`
			`int arr2[20];`
			`memmove(arr2, arr1, 44);`
			`}`

			`void memmove_bad3() {`
			`int arr1[10];`
			`int arr2[20];`
			`memmove(arr1, arr2, -1);`
			`}`

			`void memmove_bad4() {`
			`int src[1];`
			`int buff[1];`
			`int* dst = &buff[0];`
			`memmove(dst, src, sizeof(dst));`
			`}`

			`void memmove_good1() {`
			`int arr1[10];`
			`int arr2[20];`
			`memmove(arr2, arr1, 40);`
			`}`

			`void memmove_good2() {`
			`int arr1[10];`
			`int arr2[20];`
			`memmove(arr2, arr1, 0);`
			`}`

			`void memmove_good3() {`
			`int arr1[10];`
			`int arr2[20];`
			`memmove(arr2, arr1, 20);`
			`}`

			`void memmove_good4() {`
			`int src[3];`
			`int dst[3];`
			`memmove(dst, src, sizeof(dst));`
			`}`
Added inferBO model for the C memset function. Reviewed By: mbouaziz Differential Revision: D9833430 fbshipit-source-id: 9ed377789 6 years ago
			`void memset_bad1() {`
			`int arr[10];`
			`memset(arr, 0, 44);`
			`}`

			`void memset_bad2() {`
			`int arr[10];`
			`memset(arr, 0, -1);`
			`}`

			`void memset_bad3() {`
			`int arr[1];`
			`int* dst = &arr[0];`
			`memset(dst, 0, sizeof(dst));`
			`}`

			`void memset_good1() {`
			`int arr[10];`
			`memset(arr, 0, 40);`
			`}`

			`void memset_good2() {`
			`int arr[10];`
			`memset(arr, 0, 0);`
			`}`

			`void memset_good3() {`
			`int arr[10];`
			`memset(arr, 0, 20);`
			`}`

			`void memset_good4() {`
			`int arr[10];`
			`memset(arr, 0, sizeof(arr));`
			`}`
InferBO strncpy model Reviewed By: mbouaziz Differential Revision: D9861910 fbshipit-source-id: ab7914743 6 years ago
			`void strncpy_bad1() {`
			`int arr1[10];`
			`int arr2[20];`
			`strncpy(arr1, arr2, 44);`
			`}`

			`void strncpy_bad2() {`
			`int arr1[10];`
			`int arr2[20];`
			`strncpy(arr2, arr1, 44);`
			`}`

			`void strncpy_bad3() {`
			`int arr1[10];`
			`int arr2[20];`
			`strncpy(arr1, arr2, -1);`
			`}`

			`void strncpy_bad4() {`
			`int src[1];`
			`int buff[1];`
			`int* dst = &buff[0];`
			`strncpy(dst, src, sizeof(dst));`
			`}`

			`void strncpy_good1() {`
			`int arr1[10];`
			`int arr2[20];`
			`strncpy(arr2, arr1, 40);`
			`}`

			`void strncpy_good2() {`
			`int arr1[10];`
			`int arr2[20];`
			`strncpy(arr2, arr1, 0);`
			`}`

			`void strncpy_good3() {`
			`int arr1[10];`
			`int arr2[20];`
			`strncpy(arr2, arr1, 20);`
			`}`

			`void strncpy_good4() {`
			`int src[3];`
			`int dst[3];`
			`strncpy(dst, src, sizeof(dst));`
			`}`

			`void strncpy_good5_FP() {`
			`char src[5] = "test";`
			`char dst[5];`
			`strncpy(dst, src, 10);`
			`}`