diff --git a/infer/src/bufferoverrun/bufferOverrunModels.ml b/infer/src/bufferoverrun/bufferOverrunModels.ml index 008808a92..f06c5c5ff 100644 --- a/infer/src/bufferoverrun/bufferOverrunModels.ml +++ b/infer/src/bufferoverrun/bufferOverrunModels.ml @@ -1411,6 +1411,8 @@ module Call = struct $--> StdVector.push_back ; -"std" &:: "vector" < any_typ &+ any_typ >:: "reserve" $ any_arg $+ any_arg $--> no_model ; -"std" &:: "vector" < capt_typ &+ any_typ >:: "size" $ capt_arg $--> StdVector.size + ; -"std" &:: "shared_ptr" &:: "operator->" $ capt_exp $--> id + ; -"std" &:: "__shared_ptr_access" &:: "operator->" $ capt_exp $--> id ; +PatternMatch.implements_collection &:: "" <>$ capt_var_exn $+ capt_exp_of_typ (+PatternMatch.implements_collection) diff --git a/infer/tests/codetoanalyze/cpp/bufferoverrun/issues.exp b/infer/tests/codetoanalyze/cpp/bufferoverrun/issues.exp index d98b0f3e4..b6b263df3 100644 --- a/infer/tests/codetoanalyze/cpp/bufferoverrun/issues.exp +++ b/infer/tests/codetoanalyze/cpp/bufferoverrun/issues.exp 
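Review bot: The second added entry, `-"std" &:: "__shared_ptr_access" &:: "operator->" $ capt_exp $--> id`, matches a libstdc++-internal base class, and nothing in the hunk says why it is needed next to the `shared_ptr` entry. A comment such as `(* libstdc++ declares operator-> on the __shared_ptr_access base class; libc++ declares it on shared_ptr itself *)` would stop a later cleanup from removing it as redundant. Only `operator->` is modelled here, so accesses through `operator*` or `get()` presumably still produce an unknown value and can hide an out-of-bounds index from the checker. The issues.exp context in this same commit still shows an `Unknown value from` entry for `std::unique_ptr`'s `operator->` (repro1.cpp, `LM::uI`), so if `unique_ptr` is deliberately left for a follow-up, the comment is a good place to say so. The dispatch list inside `module Call` starts and ends outside the hunk.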
@@ -72,6 +72,7 @@ codetoanalyze/cpp/bufferoverrun/repro1.cpp, LM::lI_FP, 2, INTEGER_OVERFLOW_ codetoanalyze/cpp/bufferoverrun/repro1.cpp, LM::uI, 0, BUFFER_OVERRUN_U5, no_bucket, ERROR, [,Unknown value from: std::unique_ptr,std::default_delete>>::operator->,Array access: Offset: [-oo, +oo] Size: [0, +oo]] codetoanalyze/cpp/bufferoverrun/repro1.cpp, am_Good_FP, 5, INTEGER_OVERFLOW_L5, no_bucket, ERROR, [Call,Call,Call,Assignment,Assignment,Call,Parameter `t->bI`,Call,Assignment,Call,,Parameter `bi`,Binary operation: ([-oo, +oo] - 1):signed32 by call to `ral_good` ] codetoanalyze/cpp/bufferoverrun/simple_vector.cpp, my_vector_oob_Bad, 2, BUFFER_OVERRUN_L2, no_bucket, ERROR, [Parameter `v->_size`,Call,,Parameter `i`,,Parameter `this->_size`,Array declaration,Assignment,Array access: Offset: v->_size Size: v->_size by call to `int_vector::access_at` ] +codetoanalyze/cpp/bufferoverrun/smart_ptr.cpp, smart_ptr::call_method_Bad, 3, BUFFER_OVERRUN_L1, no_bucket, ERROR, [Call,Parameter `n`,Assignment,Call,,Parameter `this->i`,,Array declaration,Array access: Offset: 8 Size: 5 by call to `smart_ptr::my_class::array_access` ] codetoanalyze/cpp/bufferoverrun/smart_ptr.cpp, smart_ptr::shared_ptr_with_const_int_Bad, 2, BUFFER_OVERRUN_L1, no_bucket, ERROR, [Assignment,Call,,Parameter `i`,,Array declaration,Array access: Offset: 8 Size: 5 by call to `smart_ptr::my_class::my_class` ] codetoanalyze/cpp/bufferoverrun/smart_ptr.cpp, smart_ptr::shared_ptr_with_std_string_Bad, 3, BUFFER_OVERRUN_L1, no_bucket, ERROR, [Assignment,Call,,Parameter `i`,,Array declaration,Array access: Offset: 8 Size: 5 by call to `smart_ptr::my_class::my_class` ] codetoanalyze/cpp/bufferoverrun/smart_ptr.cpp, smart_ptr::use_shared_ptr1_Bad, 2, BUFFER_OVERRUN_L1, no_bucket, ERROR, [Assignment,Call,,Parameter `i`,,Array declaration,Array access: Offset: 8 Size: 5 by call to `smart_ptr::my_class::my_class` ] 
diff --git a/infer/tests/codetoanalyze/cpp/bufferoverrun/smart_ptr.cpp b/infer/tests/codetoanalyze/cpp/bufferoverrun/smart_ptr.cpp index 827d7dd1b..492ce619a 100644 --- a/infer/tests/codetoanalyze/cpp/bufferoverrun/smart_ptr.cpp +++ b/infer/tests/codetoanalyze/cpp/bufferoverrun/smart_ptr.cpp @@ -26,6 +26,15 @@ class smart_ptr { int a[5]; a[i] = 0; } + + int i; + + void set_i(int n) { i = n; } + + void array_access() { + int a[5]; + a[i] = 0; + } }; void use_shared_ptr1_Good() { @@ -71,4 +80,16 @@ class smart_ptr { const int i = 8; std::shared_ptr p = std::make_shared(i); } + + void call_method_Good() { + std::shared_ptr p = std::make_shared(0); + p->set_i(3); + p->array_access(); + } + + void call_method_Bad() { + std::shared_ptr p = std::make_shared(0); + p->set_i(8); + p->array_access(); + } };
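Review bot: The new member `int i;` has no initialiser, and the existing constructor does not appear to assign it, so `this->i` is indeterminate until `set_i` runs. The constructor's signature is outside the hunk, but issues.exp shows it taking a parameter also named `i`, which shadows the member. Both new callers do call `set_i` first, but a default initialiser, `int i = 0;`, would keep `array_access()` well-defined on a freshly constructed object. It would not change the value that reaches the array access in `call_method_Bad`. The class body begins outside the hunk.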
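Review bot: `call_method_Good` and `call_method_Bad` use indices 3 and 8, so the pair never exercises the boundary of `int a[5]`. A case with `p->set_i(5);` (first out-of-bounds index, expected to be reported) and one with `p->set_i(4);` (last valid index, expected clean) would pin the off-by-one behaviour of the new model. Both tests also reach the object only through `operator->`; a variant calling `(*p).array_access();` would document whether that path is tracked or still yields an unknown value. Any added `_Bad` case needs its matching line in issues.exp.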