diff --git a/infer/src/bufferoverrun/symb.ml b/infer/src/bufferoverrun/symb.ml
index aa211fa78..bda3f55ed 100644
--- a/infer/src/bufferoverrun/symb.ml
+++ b/infer/src/bufferoverrun/symb.ml
@@ -16,7 +16,9 @@ module BoundEnd = struct
 end

 module SymbolPath = struct
- type deref_kind = Deref_ArrayIndex | Deref_CPointer | Deref_JavaPointer [@@deriving compare]
+ type deref_kind = Deref_ArrayIndex | Deref_CPointer | Deref_JavaPointer
+
+ let compare_deref_kind _ _ = 0

 type partial =
 | Pvar of Pvar.t
diff --git a/infer/tests/codetoanalyze/c/bufferoverrun/function_call.c b/infer/tests/codetoanalyze/c/bufferoverrun/function_call.c
index faf2727ef..ca4914045 100644
--- a/infer/tests/codetoanalyze/c/bufferoverrun/function_call.c
+++ b/infer/tests/codetoanalyze/c/bufferoverrun/function_call.c
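Review bot: `let compare_deref_kind _ _ = 0` in symb.ml makes all three `deref_kind` constructors compare equal, and nothing beside it says that this is deliberate. Any derived comparison over a type that contains `deref_kind` (presumably `partial`, whose definition continues outside the hunk) will now treat paths differing only in deref kind as the same symbol, so a set or map keyed on them keeps whichever was inserted first. The new expected reports with "Parameter `*arr`" suggest this is what lets a caller's array match the callee's pointer parameter. If so, add a comment such as `(* deref kinds are ignored on purpose: an array-index path and a pointer path must name the same symbol *)`. It is also worth confirming that no equality or hashing elsewhere still distinguishes the kinds, since that would disagree with this `compare`.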
@@ -90,3 +90,54 @@ void call_function_ptr_bad1() {
 arr[10] = 1;
 }
 }
+
+void access_index_1(int* arr) { arr[1] = 0; }
+void access_index_4(int* arr) { arr[4] = 0; }
+
+void call_access_index_1_on_local_array_Good() {
+ int arr[4];
+ access_index_1(arr);
+}
+
+void call_access_index_4_on_local_array_Bad() {
+ int arr[4];
+ access_index_4(arr);
+}
+
+void call_access_index_1_on_malloced_array_Good() {
+ int* ptr = malloc(sizeof(int) * 4);
+ access_index_1(ptr);
+}
+
+void call_access_index_4_on_malloced_array_Bad() {
+ int* ptr = malloc(sizeof(int) * 4);
+ access_index_4(ptr);
+}
+
+struct S2 {
+ int arr[4];
+};
+
+void call_access_index_1_on_S2_Good(struct S2* s) { access_index_1(s->arr); }
+
+void FN_call_access_index_4_on_S2_Bad(struct S2* s) { access_index_4(s->arr); }
+
+struct S3 {
+ int* ptr;
+};
+
+void call_access_index_1_on_S3(struct S3* s) { access_index_1(s->ptr); }
+
+void call_access_index_4_on_S3(struct S3* s) { access_index_4(s->ptr); }
+
+void call_call_access_index_1_on_S3_Good() {
+ struct S3 s;
+ s.ptr = malloc(sizeof(int) * 4);
+ call_access_index_1_on_S3(&s);
+}
+
+void call_call_access_index_4_on_S3_Bad() {
+ struct S3 s;
+ s.ptr = malloc(sizeof(int) * 4);
+ call_access_index_4_on_S3(&s);
+}
diff --git a/infer/tests/codetoanalyze/c/bufferoverrun/issues.exp b/infer/tests/codetoanalyze/c/bufferoverrun/issues.exp
index 75f636d59..a8574f09d 100644
--- a/infer/tests/codetoanalyze/c/bufferoverrun/issues.exp
+++ b/infer/tests/codetoanalyze/c/bufferoverrun/issues.exp
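Review bot: `FN_call_access_index_4_on_S2_Bad` in function_call.c writes `arr[4]` into the four-element `s->arr`, an out-of-bounds store that issues.exp does not list, yet the test carries no comment stating which report is expected. A one-line comment above it, for example `// FN: should report Offset: 4 Size: 4 by call to access_index_4`, would make the gap explicit and tell whoever closes it what the new issues.exp line should look like. The reason the access is missed is not visible in this hunk, so the comment should state only the expected report unless the author can add the cause. Separately, the `malloc` results in the `_Good` tests are passed on unchecked, so "Good" here means in-bounds only; a short note to that effect would avoid confusion if a null-dereference checker is ever run over this directory.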
@@ -91,9 +91,12 @@ codetoanalyze/c/bufferoverrun/external.c, extern_bad, 10, BUFFER_OVERRUN_L1, no_
 codetoanalyze/c/bufferoverrun/for_loop.c, call_initialize_arr_Bad, 2, BUFFER_OVERRUN_L2, no_bucket, ERROR, [Array declaration,Call,,Assignment,,Parameter `*arr`,Array access: Offset: [0, 19] Size: 10 by call to `initialize_arr` ]
 codetoanalyze/c/bufferoverrun/for_loop.c, call_two_loops_Bad, 3, BUFFER_OVERRUN_L1, no_bucket, ERROR, [,Assignment,Call,Parameter `m`,Assignment,,Array declaration,Array access: Offset: 15 Size: 10]
 codetoanalyze/c/bufferoverrun/for_loop.c, for_loop, 10, BUFFER_OVERRUN_L3, no_bucket, ERROR, [,Assignment,,Call,Array declaration,Assignment,Assignment,Assignment,Array access: Offset: [0, 9] Size: [5, 10]]
+codetoanalyze/c/bufferoverrun/function_call.c, call_access_index_4_on_local_array_Bad, 2, BUFFER_OVERRUN_L1, no_bucket, ERROR, [Array declaration,Call,,Parameter `*arr`,Array access: Offset: 4 Size: 4 by call to `access_index_4` ]
+codetoanalyze/c/bufferoverrun/function_call.c, call_access_index_4_on_malloced_array_Bad, 2, BUFFER_OVERRUN_L1, no_bucket, ERROR, [Array declaration,Assignment,Call,,Parameter `*arr`,Array access: Offset: 4 Size: 4 by call to `access_index_4` ]
 codetoanalyze/c/bufferoverrun/function_call.c, call_by_arr_bad, 3, BUFFER_OVERRUN_L1, no_bucket, ERROR, [,Call,Assignment,,Array declaration,Array access: Offset: -1 Size: 10]
 codetoanalyze/c/bufferoverrun/function_call.c, call_by_ptr_bad, 4, BUFFER_OVERRUN_L1, no_bucket, ERROR, [,Call,Assignment,,Array declaration,Array access: Offset: -1 Size: 10]
 codetoanalyze/c/bufferoverrun/function_call.c, call_by_struct_ptr_bad, 5, BUFFER_OVERRUN_L1, no_bucket, ERROR, [,Call,Assignment,,Array declaration,Array access: Offset: -1 Size: 10]
+codetoanalyze/c/bufferoverrun/function_call.c, call_call_access_index_4_on_S3_Bad, 3, BUFFER_OVERRUN_L1, no_bucket, ERROR, [Array declaration,Assignment,Call,Parameter `*s->ptr`,Call,,Parameter `*arr`,Array access: Offset: 4 Size: 4 by call to `call_access_index_4_on_S3` ]
 codetoanalyze/c/bufferoverrun/function_call.c, call_function_ptr_bad1, 3, CONDITION_ALWAYS_TRUE, no_bucket, WARNING, [Here]
 codetoanalyze/c/bufferoverrun/function_call.c, call_function_ptr_bad1, 4, BUFFER_OVERRUN_L1, no_bucket, ERROR, [,Array declaration,Array access: Offset: 10 Size: 10]
 codetoanalyze/c/bufferoverrun/function_call.c, call_function_ptr_good, 3, CONDITION_ALWAYS_FALSE, no_bucket, WARNING, [Here]