From 5cf66f6da89e96eed6b5f3a038e19db948482a10 Mon Sep 17 00:00:00 2001
From: Julian Sutherland
Date: Tue, 18 Sep 2018 07:37:16 -0700
Subject: [PATCH] InferBO strncpy model

Reviewed By: mbouaziz
Differential Revision: D9861910
fbshipit-source-id: ab7914743
---
 .../src/bufferoverrun/bufferOverrunModels.ml | 1 +
 .../codetoanalyze/c/bufferoverrun/issues.exp | 5 ++
 .../codetoanalyze/c/bufferoverrun/models.c | 55 +++++++++++++++++++
 3 files changed, 61 insertions(+)

diff --git a/infer/src/bufferoverrun/bufferOverrunModels.ml b/infer/src/bufferoverrun/bufferOverrunModels.ml
index c9e3c05e0..3d96cfbe1 100644
--- a/infer/src/bufferoverrun/bufferOverrunModels.ml
+++ b/infer/src/bufferoverrun/bufferOverrunModels.ml
@@ -492,6 +492,7 @@ module Call = struct
 ; -"memcpy" <>$ capt_exp $+ capt_exp $+ capt_exp $+...$--> memcpy
 ; -"memmove" <>$ capt_exp $+ capt_exp $+ capt_exp $+...$--> memcpy
 ; -"memset" <>$ capt_exp $+ any_arg $+ capt_exp $!--> memset
+ ; -"strncpy" <>$ capt_exp $+ capt_exp $+ capt_exp $+...$--> memcpy
 ; -"boost" &:: "split"
 $ capt_arg_of_typ (-"std" &:: "vector")
 $+ any_arg $+ any_arg $+? any_arg $--> Boost.Split.std_vector
diff --git a/infer/tests/codetoanalyze/c/bufferoverrun/issues.exp b/infer/tests/codetoanalyze/c/bufferoverrun/issues.exp
index 6d7a4406c..560917cc3 100644
--- a/infer/tests/codetoanalyze/c/bufferoverrun/issues.exp
+++ b/infer/tests/codetoanalyze/c/bufferoverrun/issues.exp
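Review bot: Routing `strncpy` to the `memcpy` model on the added line bounds-checks the source for the full count, but strncpy stops reading the source at the first NUL; only the destination is always written for all n bytes. The `strncpy_bad2` expectation in issues.exp (Size: 40 is the source array) shows the source is checked against n, so a short NUL-terminated source copied into a large enough destination will presumably be reported as an overrun. If sharing the model is intentional, document it on the line, e.g. `(* over-approximation: src is checked for n bytes although strncpy stops at NUL; missing NUL termination of dst is not modelled *)`, or add a dedicated model that checks only the destination. The enclosing dispatch list starts and ends outside the hunk.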
@@ -79,6 +79,11 @@ codetoanalyze/c/bufferoverrun/models.c, memmove_bad4, 4, BUFFER_OVERRUN_L1, no_b
 codetoanalyze/c/bufferoverrun/models.c, memset_bad1, 2, BUFFER_OVERRUN_L1, no_bucket, ERROR, [ArrayDeclaration,ArrayAccess: Offset: 44 Size: 40]
 codetoanalyze/c/bufferoverrun/models.c, memset_bad2, 2, BUFFER_OVERRUN_L1, no_bucket, ERROR, [ArrayDeclaration,ArrayAccess: Offset: -1 Size: 40]
 codetoanalyze/c/bufferoverrun/models.c, memset_bad3, 3, BUFFER_OVERRUN_L1, no_bucket, ERROR, [ArrayDeclaration,Assignment,ArrayAccess: Offset: 8 Size: 4]
+codetoanalyze/c/bufferoverrun/models.c, strncpy_bad1, 3, BUFFER_OVERRUN_L1, no_bucket, ERROR, [ArrayDeclaration,ArrayAccess: Offset: 44 Size: 40]
+codetoanalyze/c/bufferoverrun/models.c, strncpy_bad2, 3, BUFFER_OVERRUN_L1, no_bucket, ERROR, [ArrayDeclaration,ArrayAccess: Offset: 44 Size: 40]
+codetoanalyze/c/bufferoverrun/models.c, strncpy_bad3, 3, BUFFER_OVERRUN_L1, no_bucket, ERROR, [ArrayDeclaration,ArrayAccess: Offset: -1 Size: 40]
+codetoanalyze/c/bufferoverrun/models.c, strncpy_bad4, 4, BUFFER_OVERRUN_L1, no_bucket, ERROR, [ArrayDeclaration,ArrayAccess: Offset: 8 Size: 4]
+codetoanalyze/c/bufferoverrun/models.c, strncpy_good5_FP, 3, BUFFER_OVERRUN_L1, no_bucket, ERROR, [ArrayDeclaration,ArrayAccess: Offset: 10 Size: 5]
 codetoanalyze/c/bufferoverrun/nested_loop.c, nested_loop, 7, BUFFER_OVERRUN_L2, no_bucket, ERROR, [ArrayDeclaration,Assignment,ArrayAccess: Offset: [0, 10] Size: 10]
 codetoanalyze/c/bufferoverrun/nested_loop_with_label.c, nested_loop_with_label, 6, BUFFER_OVERRUN_L4, no_bucket, ERROR, [ArrayDeclaration,Assignment,ArrayAccess: Offset: [0, +oo] Size: 10]
 codetoanalyze/c/bufferoverrun/pointer_arith.c, FP_pointer_arith5_Ok, 5, BUFFER_OVERRUN_L2, no_bucket, ERROR, [ArrayDeclaration,Assignment,ArrayAccess: Offset: [3, 2043] Size: 1024]
diff --git a/infer/tests/codetoanalyze/c/bufferoverrun/models.c b/infer/tests/codetoanalyze/c/bufferoverrun/models.c
index 1333f1874..da101fe3d 100644
--- a/infer/tests/codetoanalyze/c/bufferoverrun/models.c
+++ b/infer/tests/codetoanalyze/c/bufferoverrun/models.c
@@ -181,3 +181,58 @@ void memset_good4() {
 int arr[10];
 memset(arr, 0, sizeof(arr));
 }
+
+void strncpy_bad1() {
+ int arr1[10];
+ int arr2[20];
+ strncpy(arr1, arr2, 44);
+}
+
+void strncpy_bad2() {
+ int arr1[10];
+ int arr2[20];
+ strncpy(arr2, arr1, 44);
+}
+
+void strncpy_bad3() {
+ int arr1[10];
+ int arr2[20];
+ strncpy(arr1, arr2, -1);
+}
+
+void strncpy_bad4() {
+ int src[1];
+ int buff[1];
+ int* dst = &buff[0];
+ strncpy(dst, src, sizeof(dst));
+}
+
+void strncpy_good1() {
+ int arr1[10];
+ int arr2[20];
+ strncpy(arr2, arr1, 40);
+}
+
+void strncpy_good2() {
+ int arr1[10];
+ int arr2[20];
+ strncpy(arr2, arr1, 0);
+}
+
+void strncpy_good3() {
+ int arr1[10];
+ int arr2[20];
+ strncpy(arr2, arr1, 20);
+}
+
+void strncpy_good4() {
+ int src[3];
+ int dst[3];
+ strncpy(dst, src, sizeof(dst));
+}
+
+void strncpy_good5_FP() {
+ char src[5] = "test";
+ char dst[5];
+ strncpy(dst, src, 10);
+}
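Review bot: `strncpy_good5_FP` is mislabelled: strncpy pads the destination with NULs until exactly n bytes have been written, so `strncpy(dst, src, 10)` overruns `char dst[5]` and the expected report (Offset: 10 Size: 5) is a true positive for the destination. Rename it `strncpy_bad5`, and update the matching issues.exp entry. If a test for the source-side over-approximation is wanted, keep `src` and the count and declare `char dst[10];`, so that only the read from the short NUL-terminated source can be flagged. The remaining tests pass `int` arrays to strncpy, which relies on incompatible-pointer conversions; `char` buffers sized in bytes would match how real callers use the function.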