[inferbo] Revise memcpy model

Summary: `memcpy` should copy the contents of the source to the destination. Depends on D13634754 Reviewed By: ezgicicek, mbouaziz Differential Revision: D13668414 fbshipit-source-id: cb0ff2010
6 years ago · 6e04a9469b
parent 09a5671ef4
commit 6e04a9469b
3 changed files with 38 additions and 1 deletions
--- a/infer/src/bufferoverrun/bufferOverrunModels.ml
+++ b/infer/src/bufferoverrun/bufferOverrunModels.ml
@ -120,7 +120,10 @@ let calloc size_exp stride_exp =


 let memcpy dest_exp src_exp size_exp =
-  let exec _ ~ret:_ mem = mem
+  let exec _ ~ret:_ mem =
+    let dest_loc = Sem.eval_locs dest_exp mem in
+    let v = Dom.Mem.find_set (Sem.eval_locs src_exp mem) mem in
+    Dom.Mem.update_mem dest_loc v mem
  and check {location; integer_type_widths} mem cond_set =
    BoUtils.Check.lindex_byte integer_type_widths ~array_exp:dest_exp ~byte_index_exp:size_exp
      ~last_included:true mem location cond_set
--- a/infer/tests/codetoanalyze/c/bufferoverrun/issues.exp
+++ b/infer/tests/codetoanalyze/c/bufferoverrun/issues.exp
@ -186,6 +186,8 @@ codetoanalyze/c/bufferoverrun/models.c, memcpy_bad1, 3, BUFFER_OVERRUN_L1, no_bu
 codetoanalyze/c/bufferoverrun/models.c, memcpy_bad2, 3, BUFFER_OVERRUN_L1, no_bucket, ERROR, [<Length trace>,Array declaration,Array access: Offset added: 44 Size: 40]
 codetoanalyze/c/bufferoverrun/models.c, memcpy_bad3, 3, BUFFER_OVERRUN_L1, no_bucket, ERROR, [<Length trace>,Array declaration,Array access: Offset added: 18446744073709551615 Size: 40]
 codetoanalyze/c/bufferoverrun/models.c, memcpy_bad4, 4, BUFFER_OVERRUN_L1, no_bucket, ERROR, [<Length trace>,Array declaration,Array access: Offset added: 8 Size: 4]
+codetoanalyze/c/bufferoverrun/models.c, memcpy_contents_Bad, 5, BUFFER_OVERRUN_L1, no_bucket, ERROR, [<Offset trace>,Assignment,<Length trace>,Array declaration,Array access: Offset: 5 Size: 5]
+codetoanalyze/c/bufferoverrun/models.c, memcpy_integer_Bad, 5, BUFFER_OVERRUN_L1, no_bucket, ERROR, [<Offset trace>,Assignment,<Length trace>,Array declaration,Array access: Offset: 5 Size: 5]
 codetoanalyze/c/bufferoverrun/models.c, memmove_bad1, 3, BUFFER_OVERRUN_L1, no_bucket, ERROR, [<Length trace>,Array declaration,Array access: Offset added: 44 Size: 40]
 codetoanalyze/c/bufferoverrun/models.c, memmove_bad2, 3, BUFFER_OVERRUN_L1, no_bucket, ERROR, [<Length trace>,Array declaration,Array access: Offset added: 44 Size: 40]
 codetoanalyze/c/bufferoverrun/models.c, memmove_bad3, 3, BUFFER_OVERRUN_L1, no_bucket, ERROR, [<Length trace>,Array declaration,Array access: Offset added: 18446744073709551615 Size: 40]
--- a/infer/tests/codetoanalyze/c/bufferoverrun/models.c
+++ b/infer/tests/codetoanalyze/c/bufferoverrun/models.c
@ -251,3 +251,35 @@ void strncpy_good5_FP() {
  char dst[5];
  strncpy(dst, src, 10);
 }
+
+void memcpy_contents_Good() {
+  int src[3] = {5, 5, 5};
+  int dst[3];
+  memcpy(dst, src, sizeof(dst));
+  int a[6];
+  a[dst[0]] = 0;
+}
+
+void memcpy_contents_Bad() {
+  int src[3] = {5, 5, 5};
+  int dst[3];
+  memcpy(dst, src, sizeof(dst));
+  int a[5];
+  a[dst[0]] = 0;
+}
+
+void memcpy_integer_Good() {
+  int src = 5;
+  int dst;
+  memcpy(&dst, &src, sizeof(int));
+  int a[10];
+  a[dst] = 0;
+}
+
+void memcpy_integer_Bad() {
+  int src = 5;
+  int dst;
+  memcpy(&dst, &src, sizeof(int));
+  int a[5];
+  a[dst] = 0;
+}