Reviewed By: skcho Differential Revision: D5265505 fbshipit-source-id: 5fc05f9master
parent
108c865b20
commit
aad66bc6f6
@ -0,0 +1,57 @@
|
|||||||
|
/*
|
||||||
|
* Copyright (c) 2017 - present Facebook, Inc.
|
||||||
|
* All rights reserved.
|
||||||
|
*
|
||||||
|
* This source code is licensed under the BSD style license found in the
|
||||||
|
* LICENSE file in the root directory of this source tree. An additional grant
|
||||||
|
* of patent rights can be found in the PATENTS file in the same directory.
|
||||||
|
*/
|
||||||
|
|
||||||
|
void modulo_signed_Bad(int i) {
|
||||||
|
char arr[5];
|
||||||
|
arr[i % 5] = 123;
|
||||||
|
}
|
||||||
|
|
||||||
|
void modulo_signed_Good_FP(int i) {
|
||||||
|
char arr[5];
|
||||||
|
if (i >= 0) {
|
||||||
|
arr[i % 5] = 123;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void modulo_signed_Good2_FP(int i) {
|
||||||
|
char arr[5];
|
||||||
|
int j = i % 5;
|
||||||
|
if (j >= 0) {
|
||||||
|
arr[j] = 123;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void modulo_unsigned_Good_FP(unsigned int i) {
|
||||||
|
char arr[5];
|
||||||
|
arr[i % 5] = 123;
|
||||||
|
}
|
||||||
|
|
||||||
|
void modulo_signed_var_Bad_FN(unsigned int len, int i) {
|
||||||
|
char arr[len];
|
||||||
|
arr[i % len] = 123;
|
||||||
|
}
|
||||||
|
|
||||||
|
void modulo_unsigned_var_Good(unsigned int len, unsigned int i) {
|
||||||
|
char arr[len];
|
||||||
|
arr[i % len] = 123;
|
||||||
|
}
|
||||||
|
|
||||||
|
unsigned int modulo_unsigned(unsigned int a, unsigned int b) { return a % b; }
|
||||||
|
|
||||||
|
void modulo_call_Good(unsigned int len, unsigned int i) {
|
||||||
|
char arr[len];
|
||||||
|
arr[modulo_unsigned(i, len)] = 123;
|
||||||
|
}
|
||||||
|
|
||||||
|
int modulo_signed(int a, int b) { return a % b; }
|
||||||
|
|
||||||
|
void modulo_call_Bad_FN(unsigned int len, int i) {
|
||||||
|
char arr[len];
|
||||||
|
arr[modulo_signed(i, len)] = 123;
|
||||||
|
}
|
@ -0,0 +1,25 @@
|
|||||||
|
/*
|
||||||
|
* Copyright (c) 2017 - present Facebook, Inc.
|
||||||
|
* All rights reserved.
|
||||||
|
*
|
||||||
|
* This source code is licensed under the BSD style license found in the
|
||||||
|
* LICENSE file in the root directory of this source tree. An additional grant
|
||||||
|
* of patent rights can be found in the PATENTS file in the same directory.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <stdint.h>
|
||||||
|
|
||||||
|
void cast_Good() {
|
||||||
|
char arr[5];
|
||||||
|
*(int32_t*)(arr + 1) = 123;
|
||||||
|
}
|
||||||
|
|
||||||
|
void cast_Bad_FN() {
|
||||||
|
char arr[1];
|
||||||
|
*(int32_t*)arr = 123;
|
||||||
|
}
|
||||||
|
|
||||||
|
void cast2_Good_FP() {
|
||||||
|
int32_t arr[4];
|
||||||
|
*(((char*)arr) + 4) = 123;
|
||||||
|
}
|
@ -1,7 +1,14 @@
|
|||||||
codetoanalyze/cpp/bufferoverrun/function_call.cpp, call_by_ref_bad, 4, BUFFER_OVERRUN, [Offset: [-1, -1] Size: [10, 10]]
|
codetoanalyze/cpp/bufferoverrun/function_call.cpp, call_by_ref_bad, 4, BUFFER_OVERRUN, [Offset: [-1, -1] Size: [10, 10]]
|
||||||
|
codetoanalyze/cpp/bufferoverrun/repro1.cpp, LM<TFM>_lI, 2, BUFFER_OVERRUN, [Offset: [-oo, +oo] Size: [0, +oo] @ INFER_MODEL/cpp/include/infer_model/vector_bufferoverrun.h:94:5 by call `std::vector<LMB<TFM>*,std::allocator<LMB<TFM>*>>_operator[]()` ]
|
||||||
|
codetoanalyze/cpp/bufferoverrun/repro1.cpp, am_Good_FP, 5, BUFFER_OVERRUN, [Offset: [-oo, +oo] Size: [0, +oo] @ INFER_MODEL/cpp/include/infer_model/vector_bufferoverrun.h:94:5 by call `ral()` ]
|
||||||
codetoanalyze/cpp/bufferoverrun/simple_vector.cpp, instantiate_my_vector_oob_Ok, 3, BUFFER_OVERRUN, [Offset: [-oo, +oo] Size: [0, +oo] @ codetoanalyze/cpp/bufferoverrun/simple_vector.cpp:21:23 by call `my_vector_oob_Bad()` ]
|
codetoanalyze/cpp/bufferoverrun/simple_vector.cpp, instantiate_my_vector_oob_Ok, 3, BUFFER_OVERRUN, [Offset: [-oo, +oo] Size: [0, +oo] @ codetoanalyze/cpp/bufferoverrun/simple_vector.cpp:21:23 by call `my_vector_oob_Bad()` ]
|
||||||
codetoanalyze/cpp/bufferoverrun/simple_vector.cpp, my_vector_oob_Bad, 2, BUFFER_OVERRUN, [Offset: [s$6, s$7] Size: [s$6, s$7] @ codetoanalyze/cpp/bufferoverrun/simple_vector.cpp:21:23 by call `int_vector_access_at()` ]
|
codetoanalyze/cpp/bufferoverrun/simple_vector.cpp, my_vector_oob_Bad, 2, BUFFER_OVERRUN, [Offset: [s$6, s$7] Size: [s$6, s$7] @ codetoanalyze/cpp/bufferoverrun/simple_vector.cpp:21:23 by call `int_vector_access_at()` ]
|
||||||
codetoanalyze/cpp/bufferoverrun/trivial.cpp, trivial, 2, BUFFER_OVERRUN, [Offset: [10, 10] Size: [10, 10]]
|
codetoanalyze/cpp/bufferoverrun/trivial.cpp, trivial, 2, BUFFER_OVERRUN, [Offset: [10, 10] Size: [10, 10]]
|
||||||
|
codetoanalyze/cpp/bufferoverrun/vector.cpp, constructor_Good_FP, 2, BUFFER_OVERRUN, [Offset: [0, 0] Size: [0, +oo] @ INFER_MODEL/cpp/include/infer_model/vector_bufferoverrun.h:94:5 by call `std::vector<int,std::allocator<int>>_operator[]()` ]
|
||||||
codetoanalyze/cpp/bufferoverrun/vector.cpp, just_test_model_FP, 11, BUFFER_OVERRUN, [Offset: [0, 0] Size: [0, +oo] @ INFER_MODEL/cpp/include/infer_model/vector_bufferoverrun.h:94:5 by call `std::vector<Int_no_copy,std::allocator<Int_no_copy>>_operator[]()` ]
|
codetoanalyze/cpp/bufferoverrun/vector.cpp, just_test_model_FP, 11, BUFFER_OVERRUN, [Offset: [0, 0] Size: [0, +oo] @ INFER_MODEL/cpp/include/infer_model/vector_bufferoverrun.h:94:5 by call `std::vector<Int_no_copy,std::allocator<Int_no_copy>>_operator[]()` ]
|
||||||
codetoanalyze/cpp/bufferoverrun/vector.cpp, just_test_model_FP, 18, BUFFER_OVERRUN, [Offset: [1, 1] Size: [0, +oo] @ INFER_MODEL/cpp/include/infer_model/vector_bufferoverrun.h:94:5 by call `std::vector<int,std::allocator<int>>_at()` ]
|
codetoanalyze/cpp/bufferoverrun/vector.cpp, just_test_model_FP, 18, BUFFER_OVERRUN, [Offset: [1, 1] Size: [0, +oo] @ INFER_MODEL/cpp/include/infer_model/vector_bufferoverrun.h:94:5 by call `std::vector<int,std::allocator<int>>_at()` ]
|
||||||
codetoanalyze/cpp/bufferoverrun/vector.cpp, out_of_bound_Bad, 2, BUFFER_OVERRUN, [Offset: [s$14, s$15] Size: [s$14, s$15] @ INFER_MODEL/cpp/include/infer_model/vector_bufferoverrun.h:94:5 by call `std::vector<int,std::allocator<int>>_operator[]()` ]
|
codetoanalyze/cpp/bufferoverrun/vector.cpp, out_of_bound_Bad, 2, BUFFER_OVERRUN, [Offset: [s$14, s$15] Size: [s$14, s$15] @ INFER_MODEL/cpp/include/infer_model/vector_bufferoverrun.h:94:5 by call `std::vector<int,std::allocator<int>>_operator[]()` ]
|
||||||
|
codetoanalyze/cpp/bufferoverrun/vector.cpp, push_back_Bad, 3, BUFFER_OVERRUN, [Offset: [1, 1] Size: [0, +oo] @ INFER_MODEL/cpp/include/infer_model/vector_bufferoverrun.h:94:5 by call `std::vector<int,std::allocator<int>>_operator[]()` ]
|
||||||
|
codetoanalyze/cpp/bufferoverrun/vector.cpp, push_back_Good_FP, 3, BUFFER_OVERRUN, [Offset: [0, 0] Size: [0, +oo] @ INFER_MODEL/cpp/include/infer_model/vector_bufferoverrun.h:94:5 by call `std::vector<int,std::allocator<int>>_operator[]()` ]
|
||||||
|
codetoanalyze/cpp/bufferoverrun/vector.cpp, reserve_Bad, 3, BUFFER_OVERRUN, [Offset: [0, 0] Size: [0, +oo] @ INFER_MODEL/cpp/include/infer_model/vector_bufferoverrun.h:94:5 by call `std::vector<int,std::allocator<int>>_operator[]()` ]
|
||||||
|
codetoanalyze/cpp/bufferoverrun/vector.cpp, reserve_Good_FP, 4, BUFFER_OVERRUN, [Offset: [0, 0] Size: [0, +oo] @ INFER_MODEL/cpp/include/infer_model/vector_bufferoverrun.h:94:5 by call `std::vector<int,std::allocator<int>>_operator[]()` ]
|
||||||
|
@ -0,0 +1,144 @@
|
|||||||
|
/*
|
||||||
|
* Copyright (c) 2017 - present Facebook, Inc.
|
||||||
|
* All rights reserved.
|
||||||
|
*
|
||||||
|
* This source code is licensed under the BSD style license found in the
|
||||||
|
* LICENSE file in the root directory of this source tree. An additional grant
|
||||||
|
* of patent rights can be found in the PATENTS file in the same directory.
|
||||||
|
*/
|
||||||
|
#include <cassert>
|
||||||
|
#include <cstdlib>
|
||||||
|
#include <cstring>
|
||||||
|
#include <vector>
|
||||||
|
|
||||||
|
int __infer_nondet_int();
|
||||||
|
|
||||||
|
#define ASSERT(x) assert(x)
|
||||||
|
#define xh(h) \
|
||||||
|
({ \
|
||||||
|
const uint64_t* u1 = (const uint64_t*)(h); \
|
||||||
|
const uint64_t* u2 = (const uint64_t*)((h) + 8); \
|
||||||
|
*u1 ^ *u2; \
|
||||||
|
})
|
||||||
|
#define alo(a) aloi2(a, 0)
|
||||||
|
#define aloi2(a, i2) ((lo){i1tl(a.i), (i2)})
|
||||||
|
#define i1tl(i1) (__infer_nondet_int() ? xh((i1).h) : (i1).i)
|
||||||
|
#define HL (sizeof(char) * 16)
|
||||||
|
|
||||||
|
enum class TLOR { S, F };
|
||||||
|
|
||||||
|
uint32_t MH2(const void* k) { return (int64_t)k ^ __infer_nondet_int(); }
|
||||||
|
|
||||||
|
uint32_t th(const void* k) { return MH2(k); }
|
||||||
|
|
||||||
|
typedef int BI;
|
||||||
|
constexpr BI kBN = 0;
|
||||||
|
|
||||||
|
typedef uint64_t ft;
|
||||||
|
|
||||||
|
struct it {
|
||||||
|
ft i{0};
|
||||||
|
char h[HL];
|
||||||
|
it() : i(0) { ::memset(h, '\0', sizeof(h)); }
|
||||||
|
explicit it(ft f) : i(f) { ::memset(h, '\0', sizeof(h)); }
|
||||||
|
};
|
||||||
|
|
||||||
|
struct ai {
|
||||||
|
it i;
|
||||||
|
ai() {}
|
||||||
|
ai(it i_) : i(i_) {}
|
||||||
|
};
|
||||||
|
|
||||||
|
struct lo {
|
||||||
|
uint64_t i1;
|
||||||
|
uint64_t i2;
|
||||||
|
};
|
||||||
|
|
||||||
|
struct lt {
|
||||||
|
BI bI;
|
||||||
|
};
|
||||||
|
|
||||||
|
template <typename T>
|
||||||
|
struct LMB {
|
||||||
|
TLOR lO(const lo& o) {
|
||||||
|
auto r = TLOR::S;
|
||||||
|
if (__infer_nondet_int()) {
|
||||||
|
r = TLOR::F;
|
||||||
|
}
|
||||||
|
return r;
|
||||||
|
}
|
||||||
|
void u(const lo& o) {}
|
||||||
|
};
|
||||||
|
|
||||||
|
template <typename T>
|
||||||
|
struct LM {
|
||||||
|
typedef LMB<T> B;
|
||||||
|
void l(lt& t, const lo& o) { lI(t, o); }
|
||||||
|
void tL(lt& t, const lo& o) { lI(t, o); }
|
||||||
|
void u(lt& t, const lo& o) {
|
||||||
|
ASSERT(fB(o) == t.bI);
|
||||||
|
if (t.bI == kBN) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
uI(t.bI, o);
|
||||||
|
t.bI = kBN;
|
||||||
|
}
|
||||||
|
|
||||||
|
private:
|
||||||
|
BI fB(const lo& o) { return (BI)th((const void*)&o) % b.size() + 1; }
|
||||||
|
void lI(lt& t, const lo& o) {
|
||||||
|
auto bi = fB(o);
|
||||||
|
auto r = b[bi - 1]->lO(o);
|
||||||
|
if (r != TLOR::S) {
|
||||||
|
t.bI = kBN;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
t.bI = bi;
|
||||||
|
}
|
||||||
|
void uI(BI bi, const lo& o) { b[bi - 1]->u(o); }
|
||||||
|
std::vector<std::unique_ptr<B>> b;
|
||||||
|
};
|
||||||
|
|
||||||
|
class TFM {};
|
||||||
|
|
||||||
|
typedef TFM LMDM;
|
||||||
|
|
||||||
|
static LM<LMDM>* al;
|
||||||
|
|
||||||
|
static inline void ral(lt* t, ai a) {
|
||||||
|
ASSERT(t);
|
||||||
|
lo o = alo(a);
|
||||||
|
al->u(*t, o);
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline void gal(lt* t, ai a) {
|
||||||
|
ASSERT(t);
|
||||||
|
lo o = alo(a);
|
||||||
|
if (__infer_nondet_int()) {
|
||||||
|
al->tL(*t, o);
|
||||||
|
} else {
|
||||||
|
al->l(*t, o);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
inline ai aft(ft i) { return ai(it(i)); }
|
||||||
|
|
||||||
|
struct im {
|
||||||
|
private:
|
||||||
|
char e[];
|
||||||
|
|
||||||
|
public:
|
||||||
|
const char* gKPC() const noexcept { return e; }
|
||||||
|
};
|
||||||
|
|
||||||
|
struct arh {
|
||||||
|
ft i1;
|
||||||
|
};
|
||||||
|
|
||||||
|
static void am_Good_FP(im* it) {
|
||||||
|
const arh* ch = (const arh*)it->gKPC();
|
||||||
|
const ai a = aft(ch->i1);
|
||||||
|
lt at;
|
||||||
|
gal(&at, a);
|
||||||
|
ral(&at, a);
|
||||||
|
}
|
Loading…
Reference in new issue