[inferbo] Add tests of integer overflow and unsafe casting

Reviewed By: mbouaziz

Differential Revision: D9986087

fbshipit-source-id: ab0563b82
master
Sungkeun Cho 6 years ago committed by Facebook Github Bot
parent 1989ef7e28
commit 86d1560984

@ -110,3 +110,33 @@ void plus_linear_min3_Good_FP() {
int a[20];
a[plus_linear_min(15)] = 1;
}
void integer_overflow_by_addition_Bad_FN() {
char arr[10];
int32_t x = 2000000000;
int32_t y = 2000000000;
int32_t z = x + y; // z is a negative number.
if (z < 10) {
arr[z] = 0;
}
}
void integer_overflow_by_subtraction_Bad_FN() {
char arr[10];
int32_t x = -2000000000;
int32_t y = 2000000000;
int32_t z = x - y; // z is a big positive number.
if (z >= 0) {
arr[z] = 0;
}
}
void integer_overflow_by_multiplication_Bad_FN() {
char arr[10];
int32_t x = 300000;
int32_t y = 300000;
int32_t z = x * y; // z is a negative number.
if (z < 10) {
arr[z] = 0;
}
}
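Review bot: The comments `// z is a negative number.` and `// z is a big positive number.` in the three integer_overflow_by_*_Bad_FN functions state the wrapped result as fact, but signed `int32_t` overflow is undefined behavior in C. The value is only what a two's-complement target typically produces, so I would reword them along the lines of `// signed overflow is UB; wraps to a negative value on typical two's-complement targets`. Each function could also carry a comment saying that the expected-output file in this commit records CONDITION_ALWAYS_FALSE on the guard (line 5) for it. As far as the visible lines show, the `_FN` suffix therefore covers a missed overrun together with a warning that looks wrong under wraparound.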

@ -21,3 +21,57 @@ void cast2_Good_FP() {
int32_t arr[4];
*(((char*)arr) + 4) = 123;
}
void cast_unsigned_to_signed_Good() {
char arr[10];
uint32_t x = 15;
int32_t y = (int32_t)x;
if (y < 10) {
arr[y] = 0;
}
}
void cast_unsigned_to_signed_Bad_FN() {
char arr[10];
uint32_t x = 4294967295;
int32_t y = (int32_t)x; // y is -1.
if (y < 10) {
arr[y] = 0;
}
}
void cast_signed_to_unsigned_Good() {
char arr[10];
int32_t x = 15;
uint32_t y = (uint32_t)x;
if (y < 10) {
arr[y] = 0;
}
}
void cast_signed_to_unsigned_Bad_FN() {
char arr[10];
int32_t x = -1;
uint32_t y = (uint32_t)x;
if (y > 0) {
arr[y] = 0;
}
}
void cast_float_to_int_Good() {
char arr[10];
float x = 15.0;
int32_t y = (int32_t)x;
if (y < 10) {
arr[y] = 0;
}
}
void cast_float_to_int_Bad_FN() {
char arr[10];
float x = 15000000000.0;
int32_t y = (int32_t)x; // y is -2147483648.
if (y < 10) {
arr[y] = 0;
}
}
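Review bot: The three `_Good` cases never reach the array write: each sets the value to 15 and then guards with `if (y < 10)`, so `arr[y] = 0` is dead code and the tests pass no matter how the cast is modeled. An in-range value such as `uint32_t x = 5;`, `int32_t x = 5;` and `float x = 5.0;` would make the guarded access live and in bounds. Separately, the comment `// y is -2147483648.` in cast_float_to_int_Bad_FN describes one platform's result, since converting an out-of-range float to `int32_t` is undefined behavior in C. cast_signed_to_unsigned_Bad_FN is the only `_Bad_FN` case without a comment giving the converted value (4294967295).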

@ -1,3 +1,6 @@
codetoanalyze/c/bufferoverrun/arith.c, integer_overflow_by_addition_Bad_FN, 5, CONDITION_ALWAYS_FALSE, no_bucket, WARNING, []
codetoanalyze/c/bufferoverrun/arith.c, integer_overflow_by_multiplication_Bad_FN, 5, CONDITION_ALWAYS_FALSE, no_bucket, WARNING, []
codetoanalyze/c/bufferoverrun/arith.c, integer_overflow_by_subtraction_Bad_FN, 5, CONDITION_ALWAYS_FALSE, no_bucket, WARNING, []
codetoanalyze/c/bufferoverrun/arith.c, modulo_signed_Bad, 2, BUFFER_OVERRUN_L3, no_bucket, ERROR, [ArrayDeclaration,Parameter: i,ArrayAccess: Offset: [-4, 4] Size: 5]
codetoanalyze/c/bufferoverrun/arith.c, modulo_signed_neg_Bad, 2, BUFFER_OVERRUN_L3, no_bucket, ERROR, [ArrayDeclaration,Parameter: i,ArrayAccess: Offset: [-4, 4] Size: 5]
codetoanalyze/c/bufferoverrun/arith.c, plus_linear_min2_Good_FP, 2, BUFFER_OVERRUN_L2, no_bucket, ERROR, [ArrayDeclaration,Call,Assignment,Return,ArrayAccess: Offset: [0, 14] Size: 10]
@ -12,6 +15,12 @@ codetoanalyze/c/bufferoverrun/break_continue_return.c, break_continue_return, 16
codetoanalyze/c/bufferoverrun/calloc.c, calloc_bad1, 2, BUFFER_OVERRUN_L1, no_bucket, ERROR, [ArrayDeclaration,Assignment,ArrayAccess: Offset: -1 Size: 10]
codetoanalyze/c/bufferoverrun/calloc.c, calloc_bad1, 3, BUFFER_OVERRUN_L1, no_bucket, ERROR, [ArrayDeclaration,Assignment,ArrayAccess: Offset: 10 Size: 10]
codetoanalyze/c/bufferoverrun/cast.c, cast2_Good_FP, 2, BUFFER_OVERRUN_L1, no_bucket, ERROR, [ArrayDeclaration,ArrayAccess: Offset: 4 Size: 4]
codetoanalyze/c/bufferoverrun/cast.c, cast_float_to_int_Bad_FN, 4, CONDITION_ALWAYS_FALSE, no_bucket, WARNING, []
codetoanalyze/c/bufferoverrun/cast.c, cast_float_to_int_Good, 4, CONDITION_ALWAYS_FALSE, no_bucket, WARNING, []
codetoanalyze/c/bufferoverrun/cast.c, cast_signed_to_unsigned_Bad_FN, 4, CONDITION_ALWAYS_FALSE, no_bucket, WARNING, []
codetoanalyze/c/bufferoverrun/cast.c, cast_signed_to_unsigned_Good, 4, CONDITION_ALWAYS_FALSE, no_bucket, WARNING, []
codetoanalyze/c/bufferoverrun/cast.c, cast_unsigned_to_signed_Bad_FN, 4, CONDITION_ALWAYS_FALSE, no_bucket, WARNING, []
codetoanalyze/c/bufferoverrun/cast.c, cast_unsigned_to_signed_Good, 4, CONDITION_ALWAYS_FALSE, no_bucket, WARNING, []
codetoanalyze/c/bufferoverrun/do_while.c, do_while, 2, BUFFER_OVERRUN_L4, no_bucket, ERROR, [ArrayDeclaration,Assignment,Call,Parameter: a,Assignment,ArrayAccess: Offset: [0, +oo] Size: 10 by call to `do_while_sub` ]
codetoanalyze/c/bufferoverrun/duplicates.c, one_alarm_is_enough, 2, BUFFER_OVERRUN_L1, no_bucket, ERROR, [ArrayDeclaration,Call,Parameter: arr,ArrayAccess: Offset: 1 Size: 1 by call to `two_accesses` ]
codetoanalyze/c/bufferoverrun/duplicates.c, tsa_one_alarm_Bad, 0, BUFFER_OVERRUN_L1, no_bucket, ERROR, [Call,ArrayDeclaration,Parameter: n,ArrayAccess: Offset: 3 Size: 1 by call to `two_symbolic_accesses` ]
