1*67e74705SXin Li // RUN: %clang_cc1 -analyze -analyzer-checker=core,unix.cstring,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -Wno-null-dereference -verify %s
2*67e74705SXin Li // RUN: %clang_cc1 -analyze -DUSE_BUILTINS -analyzer-checker=core,unix.cstring,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -Wno-null-dereference -verify %s
3*67e74705SXin Li // RUN: %clang_cc1 -analyze -DVARIANT -analyzer-checker=core,unix.cstring,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -Wno-null-dereference -verify %s
4*67e74705SXin Li // RUN: %clang_cc1 -analyze -DUSE_BUILTINS -DVARIANT -analyzer-checker=alpha.security.taint,core,unix.cstring,alpha.unix.cstring,debug.ExprInspection -analyzer-store=region -Wno-null-dereference -verify %s
5*67e74705SXin Li
6*67e74705SXin Li //===----------------------------------------------------------------------===
7*67e74705SXin Li // Declarations
8*67e74705SXin Li //===----------------------------------------------------------------------===
9*67e74705SXin Li
10*67e74705SXin Li // Some functions are so similar to each other that they follow the same code
11*67e74705SXin Li // path, such as memcpy and __memcpy_chk, or memcmp and bcmp. If VARIANT is
12*67e74705SXin Li // defined, make sure to use the variants instead to make sure they are still
13*67e74705SXin Li // checked by the analyzer.
14*67e74705SXin Li
15*67e74705SXin Li // Some functions are implemented as builtins. These should be #defined as
16*67e74705SXin Li // BUILTIN(f), which will prepend "__builtin_" if USE_BUILTINS is defined.
17*67e74705SXin Li
18*67e74705SXin Li // Functions that have variants and are also available as builtins should be
19*67e74705SXin Li // declared carefully! See memcpy() for an example.
20*67e74705SXin Li
21*67e74705SXin Li #ifdef USE_BUILTINS
22*67e74705SXin Li # define BUILTIN(f) __builtin_ ## f
23*67e74705SXin Li #else /* USE_BUILTINS */
24*67e74705SXin Li # define BUILTIN(f) f
25*67e74705SXin Li #endif /* USE_BUILTINS */
26*67e74705SXin Li
27*67e74705SXin Li #define NULL 0
28*67e74705SXin Li typedef typeof(sizeof(int)) size_t;
29*67e74705SXin Li
30*67e74705SXin Li void clang_analyzer_eval(int);
31*67e74705SXin Li
32*67e74705SXin Li int scanf(const char *restrict format, ...);
33*67e74705SXin Li
34*67e74705SXin Li //===----------------------------------------------------------------------===
35*67e74705SXin Li // strlen()
36*67e74705SXin Li //===----------------------------------------------------------------------===
37*67e74705SXin Li
38*67e74705SXin Li #define strlen BUILTIN(strlen)
39*67e74705SXin Li size_t strlen(const char *s);
40*67e74705SXin Li
// A string literal passed directly to strlen() has an exactly known length.
void strlen_constant0() {
  clang_analyzer_eval(strlen("123") == 3); // expected-warning{{TRUE}}
}
44*67e74705SXin Li
// Same as strlen_constant0, but the literal is reached through a pointer
// variable; the length must still be known.
void strlen_constant1() {
  const char *a = "123";
  clang_analyzer_eval(strlen(a) == 3); // expected-warning{{TRUE}}
}
49*67e74705SXin Li
// A local array initialised from a literal has a known length until one of
// its elements is overwritten with an unconstrained value. x could be '\0',
// so after the store the length can no longer be assumed to be 3.
void strlen_constant2(char x) {
  char a[] = "123";
  clang_analyzer_eval(strlen(a) == 3); // expected-warning{{TRUE}}

  a[0] = x;
  clang_analyzer_eval(strlen(a) == 3); // expected-warning{{UNKNOWN}}
}
57*67e74705SXin Li
// A constant null pointer passed to strlen() must be reported: the call
// would dereference it.
size_t strlen_null() {
  return strlen(0); // expected-warning{{Null pointer argument in call to string length function}}
}
61*67e74705SXin Li
// The address of a function cast to char* is not a string. The checker must
// report it and name the function in the message.
size_t strlen_fn() {
  return strlen((char*)&strlen_fn); // expected-warning{{Argument to string length function is the address of the function 'strlen_fn', which is not a null-terminated string}}
}
65*67e74705SXin Li
// Same idea as strlen_fn, using the address of a label (the GNU `&&label`
// extension) instead of a function address.
size_t strlen_nonloc() {
label:
  return strlen((char*)&&label); // expected-warning{{Argument to string length function is the address of the label 'label', which is not a null-terminated string}}
}
70*67e74705SXin Li
// Checks how precisely cached string lengths are invalidated inside a struct.
// A store to the sibling field z.b must not discard the length recorded for
// z.a, but handing &z to an opaque function must, because the callee may
// rewrite either field.
void strlen_subregion() {
  struct two_strings { char a[2], b[2]; };
  extern void use_two_strings(struct two_strings *);

  struct two_strings z;
  use_two_strings(&z);

  size_t a = strlen(z.a);
  z.b[0] = 5;
  size_t b = strlen(z.a);
  if (a == 0)
    clang_analyzer_eval(b == 0); // expected-warning{{TRUE}}

  use_two_strings(&z);

  size_t c = strlen(z.a);
  if (a == 0)
    clang_analyzer_eval(c == 0); // expected-warning{{UNKNOWN}}
}
90*67e74705SXin Li
// Opaque sink that takes a non-const pointer, so it may modify the string.
extern void use_string(char *);

// Two strlen() calls on the same pointer with nothing in between must agree.
// Once the pointer has escaped to use_string(), the earlier length is no
// longer trustworthy.
void strlen_argument(char *x) {
  size_t a = strlen(x);
  size_t b = strlen(x);
  if (a == 0)
    clang_analyzer_eval(b == 0); // expected-warning{{TRUE}}

  use_string(x);

  size_t c = strlen(x);
  if (a == 0)
    clang_analyzer_eval(c == 0); // expected-warning{{UNKNOWN}}
}
104*67e74705SXin Li
extern char global_str[];

// Length tracking for a global buffer: the length is stable across repeated
// queries and across clang_analyzer_eval(), but any call with unknown effects
// invalidates it even when the global is not passed as an argument.
void strlen_global() {
  size_t a = strlen(global_str);
  size_t b = strlen(global_str);
  if (a == 0) {
    clang_analyzer_eval(b == 0); // expected-warning{{TRUE}}
    // Make sure clang_analyzer_eval does not invalidate globals.
    clang_analyzer_eval(strlen(global_str) == 0); // expected-warning{{TRUE}}
  }

  // Call a function with unknown effects, which should invalidate globals.
  use_string(0);

  size_t c = strlen(global_str);
  if (a == 0)
    clang_analyzer_eval(c == 0); // expected-warning{{UNKNOWN}}
}
122*67e74705SXin Li
// Escape through one extra level of indirection. Merely taking the address
// of a copy of x does not disturb the recorded length. Passing that address
// to an opaque function does: the parameter type char*const* makes only the
// inner pointer const, so the characters themselves remain writable.
void strlen_indirect(char *x) {
  size_t a = strlen(x);
  char *p = x;
  char **p2 = &p;
  size_t b = strlen(x);
  if (a == 0)
    clang_analyzer_eval(b == 0); // expected-warning{{TRUE}}

  extern void use_string_ptr(char*const*);
  use_string_ptr(p2);

  size_t c = strlen(x);
  if (a == 0)
    clang_analyzer_eval(c == 0); // expected-warning{{UNKNOWN}}
}
138*67e74705SXin Li
// Variant of strlen_indirect where the callee takes a plain char**; the
// string reachable through it must likewise be treated as modified.
void strlen_indirect2(char *x) {
  size_t a = strlen(x);
  char *p = x;
  char **p2 = &p;
  extern void use_string_ptr2(char**);
  use_string_ptr2(p2);

  size_t c = strlen(x);
  if (a == 0)
    clang_analyzer_eval(c == 0); // expected-warning{{UNKNOWN}}
}
150*67e74705SXin Li
// The constraint learned from the first strlen() result must survive to the
// second call: after the early return, the length cannot be below 5.
void strlen_liveness(const char *x) {
  if (strlen(x) < 5)
    return;
  clang_analyzer_eval(strlen(x) < 5); // expected-warning{{FALSE}}
}
156*67e74705SXin Li
157*67e74705SXin Li //===----------------------------------------------------------------------===
158*67e74705SXin Li // strnlen()
159*67e74705SXin Li //===----------------------------------------------------------------------===
160*67e74705SXin Li
161*67e74705SXin Li size_t strnlen(const char *s, size_t maxlen);
162*67e74705SXin Li
// With a limit larger than the literal, strnlen() returns the true length.
void strnlen_constant0() {
  clang_analyzer_eval(strnlen("123", 10) == 3); // expected-warning{{TRUE}}
}
166*67e74705SXin Li
// As strnlen_constant0, with the literal reached through a pointer variable.
void strnlen_constant1() {
  const char *a = "123";
  clang_analyzer_eval(strnlen(a, 10) == 3); // expected-warning{{TRUE}}
}
171*67e74705SXin Li
// strnlen() counterpart of strlen_constant2: overwriting an element with an
// unconstrained value (possibly '\0') makes the length unknown.
void strnlen_constant2(char x) {
  char a[] = "123";
  clang_analyzer_eval(strnlen(a, 10) == 3); // expected-warning{{TRUE}}
  a[0] = x;
  clang_analyzer_eval(strnlen(a, 10) == 3); // expected-warning{{UNKNOWN}}
}
178*67e74705SXin Li
// With a limit shorter than the literal, the result is clamped to the limit.
void strnlen_constant4() {
  clang_analyzer_eval(strnlen("123456", 3) == 3); // expected-warning{{TRUE}}
}
182*67e74705SXin Li
// As strnlen_constant4, with the literal reached through a pointer variable.
void strnlen_constant5() {
  const char *a = "123456";
  clang_analyzer_eval(strnlen(a, 3) == 3); // expected-warning{{TRUE}}
}
187*67e74705SXin Li
// Clamped result on a local array, then the same query after a[0] is
// overwritten with an unconstrained value: a '\0' in the first position
// would make the result 0, so it is no longer known.
void strnlen_constant6(char x) {
  char a[] = "123456";
  clang_analyzer_eval(strnlen(a, 3) == 3); // expected-warning{{TRUE}}
  a[0] = x;
  clang_analyzer_eval(strnlen(a, 3) == 3); // expected-warning{{UNKNOWN}}
}
194*67e74705SXin Li
// A null pointer with a non-zero limit must be reported (contrast with
// strnlen_zero, where the limit is 0).
size_t strnlen_null() {
  return strnlen(0, 3); // expected-warning{{Null pointer argument in call to string length function}}
}
198*67e74705SXin Li
// Function address passed as a string. Note that the argument is the address
// of strlen_fn (defined above), which is why the message names that function
// rather than strnlen_fn.
size_t strnlen_fn() {
  return strnlen((char*)&strlen_fn, 3); // expected-warning{{Argument to string length function is the address of the function 'strlen_fn', which is not a null-terminated string}}
}
202*67e74705SXin Li
// Label address passed as a string; strnlen() counterpart of strlen_nonloc.
size_t strnlen_nonloc() {
label:
  return strnlen((char*)&&label, 3); // expected-warning{{Argument to string length function is the address of the label 'label', which is not a null-terminated string}}
}
207*67e74705SXin Li
// A limit of 0 yields 0 regardless of the pointer. The second line also
// records that no null-pointer report is issued in that case: the only
// diagnostic annotated for strnlen(NULL, 0) is the TRUE evaluation.
void strnlen_zero() {
  clang_analyzer_eval(strnlen("abc", 0) == 0); // expected-warning{{TRUE}}
  clang_analyzer_eval(strnlen(NULL, 0) == 0); // expected-warning{{TRUE}}
}
212*67e74705SXin Li
// Crash regression test: nothing is asserted about the result, the analyzer
// only has to get through the call.
size_t strnlen_compound_literal() {
  // This used to crash because we don't model the string lengths of
  // compound literals.
  return strnlen((char[]) { 'a', 'b', 0 }, 1);
}
218*67e74705SXin Li
// Crash regression test for a limit whose value the analyzer cannot model
// (a float converted to int). No result is asserted.
size_t strnlen_unknown_limit(float f) {
  // This used to crash because we don't model the integer values of floats.
  return strnlen("abc", (int)f);
}
223*67e74705SXin Li
// strnlen() and strlen() must not be conflated for an unknown string: the
// bounded result may be smaller than the real length.
void strnlen_is_not_strlen(char *x) {
  clang_analyzer_eval(strnlen(x, 10) == strlen(x)); // expected-warning{{UNKNOWN}}
}
227*67e74705SXin Li
// For an unknown string the only thing known about the result is the upper
// bound given by the limit. Whether the limit was actually reached stays
// undetermined.
void strnlen_at_limit(char *x) {
  size_t len = strnlen(x, 10);
  clang_analyzer_eval(len <= 10); // expected-warning{{TRUE}}
  clang_analyzer_eval(len == 10); // expected-warning{{UNKNOWN}}
  clang_analyzer_eval(len < 10); // expected-warning{{UNKNOWN}}
}
234*67e74705SXin Li
// Known string, symbolic limit: the result is bounded by the real length (3).
// A limit of 0 forces a result of 0. For any other limit the annotations
// record that the analyzer leaves the exact value undetermined.
void strnlen_at_actual(size_t limit) {
  size_t len = strnlen("abc", limit);
  clang_analyzer_eval(len <= 3); // expected-warning{{TRUE}}
  // This is due to eager assertion in strnlen.
  if (limit == 0) {
    clang_analyzer_eval(len == 0); // expected-warning{{TRUE}}
  } else {
    clang_analyzer_eval(len == 3); // expected-warning{{UNKNOWN}}
    clang_analyzer_eval(len < 3); // expected-warning{{UNKNOWN}}
  }
}
246*67e74705SXin Li
247*67e74705SXin Li //===----------------------------------------------------------------------===
248*67e74705SXin Li // strcpy()
249*67e74705SXin Li //===----------------------------------------------------------------------===
250*67e74705SXin Li
// Under VARIANT every strcpy() call in the tests below is routed through
// __strcpy_chk. The destination size handed to it is (size_t)-1, the largest
// size_t value, so the _chk argument itself never states a real bound; the
// overflow diagnostics annotated below are tied to the declared array sizes.
#ifdef VARIANT

#define __strcpy_chk BUILTIN(__strcpy_chk)
char *__strcpy_chk(char *restrict s1, const char *restrict s2, size_t destlen);

#define strcpy(a,b) __strcpy_chk(a,b,(size_t)-1)

#else /* VARIANT */

#define strcpy BUILTIN(strcpy)
char *strcpy(char *restrict s1, const char *restrict s2);

#endif /* VARIANT */
264*67e74705SXin Li
265*67e74705SXin Li
// A null destination must be reported.
void strcpy_null_dst(char *x) {
  strcpy(NULL, x); // expected-warning{{Null pointer argument in call to string copy function}}
}
269*67e74705SXin Li
// A null source must be reported.
void strcpy_null_src(char *x) {
  strcpy(x, NULL); // expected-warning{{Null pointer argument in call to string copy function}}
}
273*67e74705SXin Li
// A function address used as the source string must be reported.
void strcpy_fn(char *x) {
  strcpy(x, (char*)&strcpy_fn); // expected-warning{{Argument to string copy function is the address of the function 'strcpy_fn', which is not a null-terminated string}}
}
277*67e74705SXin Li
// As strcpy_fn, with a const-qualified cast. The argument is still the
// address of strcpy_fn, so the message names that function.
void strcpy_fn_const(char *x) {
  strcpy(x, (const char*)&strcpy_fn); // expected-warning{{Argument to string copy function is the address of the function 'strcpy_fn', which is not a null-terminated string}}
}
281*67e74705SXin Li
extern int globalInt;

// Modelled effects of strcpy(): it returns its destination, the destination
// takes on the source's length, and the destination's previous contents are
// no longer known. The last check records that the copy does not invalidate
// an unrelated global.
void strcpy_effects(char *x, char *y) {
  char a = x[0];
  if (globalInt != 42)
    return;

  clang_analyzer_eval(strcpy(x, y) == x); // expected-warning{{TRUE}}
  clang_analyzer_eval(strlen(x) == strlen(y)); // expected-warning{{TRUE}}
  clang_analyzer_eval(a == x[0]); // expected-warning{{UNKNOWN}}
  clang_analyzer_eval(globalInt == 42); // expected-warning{{TRUE}}
}
293*67e74705SXin Li
// Classic off-by-one: a 4-character source needs 5 bytes including the
// terminator, one more than the 4-byte destination holds.
void strcpy_overflow(char *y) {
  char x[4];
  if (strlen(y) == 4)
    strcpy(x, y); // expected-warning{{String copy function overflows destination buffer}}
}
299*67e74705SXin Li
// Boundary case that fits exactly: 3 characters plus the terminator fill the
// 4-byte destination, so no report is wanted.
void strcpy_no_overflow(char *y) {
  char x[4];
  if (strlen(y) == 3)
    strcpy(x, y); // no-warning
}
305*67e74705SXin Li
306*67e74705SXin Li //===----------------------------------------------------------------------===
307*67e74705SXin Li // stpcpy()
308*67e74705SXin Li //===----------------------------------------------------------------------===
309*67e74705SXin Li
// Under VARIANT, stpcpy() is routed through __stpcpy_chk with a destination
// size of (size_t)-1, the largest size_t value, so the _chk argument never
// states a real bound.
#ifdef VARIANT

#define __stpcpy_chk BUILTIN(__stpcpy_chk)
char *__stpcpy_chk(char *restrict s1, const char *restrict s2, size_t destlen);

#define stpcpy(a,b) __stpcpy_chk(a,b,(size_t)-1)

#else /* VARIANT */

#define stpcpy BUILTIN(stpcpy)
char *stpcpy(char *restrict s1, const char *restrict s2);

#endif /* VARIANT */
323*67e74705SXin Li
324*67e74705SXin Li
// Modelled effects of stpcpy(): unlike strcpy() it returns a pointer to the
// terminator written into the destination, i.e. &x[strlen(y)]. Length and
// content effects on the destination match strcpy().
void stpcpy_effect(char *x, char *y) {
  char a = x[0];

  clang_analyzer_eval(stpcpy(x, y) == &x[strlen(y)]); // expected-warning{{TRUE}}
  clang_analyzer_eval(strlen(x) == strlen(y)); // expected-warning{{TRUE}}
  clang_analyzer_eval(a == x[0]); // expected-warning{{UNKNOWN}}
}
332*67e74705SXin Li
// 4 characters plus the terminator do not fit into 4 bytes.
void stpcpy_overflow(char *y) {
  char x[4];
  if (strlen(y) == 4)
    stpcpy(x, y); // expected-warning{{String copy function overflows destination buffer}}
}
338*67e74705SXin Li
// 3 characters plus the terminator fit exactly into 4 bytes.
void stpcpy_no_overflow(char *y) {
  char x[4];
  if (strlen(y) == 3)
    stpcpy(x, y); // no-warning
}
344*67e74705SXin Li
345*67e74705SXin Li //===----------------------------------------------------------------------===
346*67e74705SXin Li // strcat()
347*67e74705SXin Li //===----------------------------------------------------------------------===
348*67e74705SXin Li
// Under VARIANT, strcat() is routed through __strcat_chk with a destination
// size of (size_t)-1, the largest size_t value, so the _chk argument never
// states a real bound.
#ifdef VARIANT

#define __strcat_chk BUILTIN(__strcat_chk)
char *__strcat_chk(char *restrict s1, const char *restrict s2, size_t destlen);

#define strcat(a,b) __strcat_chk(a,b,(size_t)-1)

#else /* VARIANT */

#define strcat BUILTIN(strcat)
char *strcat(char *restrict s1, const char *restrict s2);

#endif /* VARIANT */
362*67e74705SXin Li
363*67e74705SXin Li
// A null destination must be reported. The message text is the one shared
// with the copy functions.
void strcat_null_dst(char *x) {
  strcat(NULL, x); // expected-warning{{Null pointer argument in call to string copy function}}
}
367*67e74705SXin Li
// A null source must be reported.
void strcat_null_src(char *x) {
  strcat(x, NULL); // expected-warning{{Null pointer argument in call to string copy function}}
}
371*67e74705SXin Li
// A function address used as the source string must be reported.
void strcat_fn(char *x) {
  strcat(x, (char*)&strcat_fn); // expected-warning{{Argument to string copy function is the address of the function 'strcat_fn', which is not a null-terminated string}}
}
375*67e74705SXin Li
// Modelled effects of strcat(): it returns its destination and the new
// length is the sum of both lengths. Here 3 + 4 characters plus the
// terminator fill the 8-byte buffer exactly, so no overflow is involved.
void strcat_effects(char *y) {
  char x[8] = "123";
  size_t orig_len = strlen(x);
  char a = x[0];

  if (strlen(y) != 4)
    return;

  clang_analyzer_eval(strcat(x, y) == x); // expected-warning{{TRUE}}
  clang_analyzer_eval((int)strlen(x) == (orig_len + strlen(y))); // expected-warning{{TRUE}}
}
387*67e74705SXin Li
// The source alone (4 characters) already exceeds what is left in a 4-byte
// buffer that holds "12".
void strcat_overflow_0(char *y) {
  char x[4] = "12";
  if (strlen(y) == 4)
    strcat(x, y); // expected-warning{{String copy function overflows destination buffer}}
}
393*67e74705SXin Li
// 2 existing + 3 appended characters + terminator = 6 bytes into a 4-byte
// buffer.
void strcat_overflow_1(char *y) {
  char x[4] = "12";
  if (strlen(y) == 3)
    strcat(x, y); // expected-warning{{String copy function overflows destination buffer}}
}
399*67e74705SXin Li
// The off-by-one case: 2 + 2 characters equal the buffer size, but the
// terminator needs a fifth byte.
void strcat_overflow_2(char *y) {
  char x[4] = "12";
  if (strlen(y) == 2)
    strcat(x, y); // expected-warning{{String copy function overflows destination buffer}}
}
405*67e74705SXin Li
// Same operands as strcat_overflow_2 with one more byte of room: 2 + 2
// characters plus the terminator fit exactly into 5 bytes.
void strcat_no_overflow(char *y) {
  char x[5] = "12";
  if (strlen(y) == 2)
    strcat(x, y); // no-warning
}
411*67e74705SXin Li
// Destination of unknown length: after appending 4 characters the result is
// at least 4 long, whatever was there before.
void strcat_symbolic_dst_length(char *dst) {
  strcat(dst, "1234");
  clang_analyzer_eval(strlen(dst) >= 4); // expected-warning{{TRUE}}
}
416*67e74705SXin Li
// As strcat_symbolic_dst_length, but the destination contents come from
// scanf(), so they are tainted under the RUN line that enables
// alpha.security.taint. The lower bound on the length must still hold.
// NOTE(review): the unbounded "%s" serves only as a taint source here;
// outside a test it needs a field width that matches the buffer.
void strcat_symbolic_dst_length_taint(char *dst) {
  scanf("%s", dst); // Taint data.
  strcat(dst, "1234");
  clang_analyzer_eval(strlen(dst) >= 4); // expected-warning{{TRUE}}
}
422*67e74705SXin Li
// Source reached through an unconstrained index: its length cannot be named,
// but the destination is still at least as long as it was before (4).
void strcat_unknown_src_length(char *src, int offset) {
  char dst[8] = "1234";
  strcat(dst, &src[offset]);
  clang_analyzer_eval(strlen(dst) >= 4); // expected-warning{{TRUE}}
}
428*67e74705SXin Li
429*67e74705SXin Li // There is no strcat_unknown_dst_length because if we can't get a symbolic
430*67e74705SXin Li // length for the "before" strlen, we won't be able to set one for "after".
431*67e74705SXin Li
// The destination length is pinned to ((size_t)0) - 2, two below the point
// where size_t wraps, and the source length to 2, so the combined length
// does not fit in size_t. No diagnostic is annotated for this path.
void strcat_too_big(char *dst, char *src) {
  // We assume this can never actually happen, so we don't get a warning.
  if (strlen(dst) != (((size_t)0) - 2))
    return;
  if (strlen(src) != 2)
    return;
  strcat(dst, src);
}
440*67e74705SXin Li
441*67e74705SXin Li
442*67e74705SXin Li //===----------------------------------------------------------------------===
443*67e74705SXin Li // strncpy()
444*67e74705SXin Li //===----------------------------------------------------------------------===
445*67e74705SXin Li
// Under VARIANT, strncpy() is routed through __strncpy_chk with a destination
// size of (size_t)-1, the largest size_t value, so the _chk argument never
// states a real bound.
#ifdef VARIANT

#define __strncpy_chk BUILTIN(__strncpy_chk)
char *__strncpy_chk(char *restrict s1, const char *restrict s2, size_t n, size_t destlen);

#define strncpy(a,b,n) __strncpy_chk(a,b,n,(size_t)-1)

#else /* VARIANT */

#define strncpy BUILTIN(strncpy)
char *strncpy(char *restrict s1, const char *restrict s2, size_t n);

#endif /* VARIANT */
459*67e74705SXin Li
460*67e74705SXin Li
// A null destination must be reported.
void strncpy_null_dst(char *x) {
  strncpy(NULL, x, 5); // expected-warning{{Null pointer argument in call to string copy function}}
}
464*67e74705SXin Li
// A null source must be reported.
void strncpy_null_src(char *x) {
  strncpy(x, NULL, 5); // expected-warning{{Null pointer argument in call to string copy function}}
}
468*67e74705SXin Li
// Function address used as the source string. The argument is the address of
// strcpy_fn (defined above), which is why the message names that function
// rather than strncpy_fn.
void strncpy_fn(char *x) {
  strncpy(x, (char*)&strcpy_fn, 5); // expected-warning{{Argument to string copy function is the address of the function 'strcpy_fn', which is not a null-terminated string}}
}
472*67e74705SXin Li
// Modelled effects of strncpy(): it returns its destination, but unlike
// strcpy() the resulting length cannot be equated with the source length,
// because the copy stops after 5 bytes whether or not a terminator was seen.
void strncpy_effects(char *x, char *y) {
  char a = x[0];

  clang_analyzer_eval(strncpy(x, y, 5) == x); // expected-warning{{TRUE}}
  clang_analyzer_eval(strlen(x) == strlen(y)); // expected-warning{{UNKNOWN}}
  clang_analyzer_eval(a == x[0]); // expected-warning{{UNKNOWN}}
}
480*67e74705SXin Li
// The size argument (5) exceeds the 4-byte destination.
void strncpy_overflow(char *y) {
  char x[4];
  if (strlen(y) == 4)
    strncpy(x, y, 5); // expected-warning{{Size argument is greater than the length of the destination buffer}}
}
486*67e74705SXin Li
// Despite the name, a report is wanted here. The 3-character source would
// fit, but strncpy() pads with NULs until n bytes have been written, so a
// size argument of 5 still writes past the 4-byte destination.
void strncpy_no_overflow(char *y) {
  char x[4];
  if (strlen(y) == 3)
    strncpy(x, y, 5); // expected-warning{{Size argument is greater than the length of the destination buffer}}
}
492*67e74705SXin Li
// Symbolic size argument: the early return leaves only n > 4 on the path
// that reaches the call, which is enough to report the oversized bound for
// the 4-byte destination.
void strncpy_no_overflow2(char *y, int n) {
  if (n <= 4)
    return;

  char x[4];
  if (strlen(y) == 3)
    strncpy(x, y, n); // expected-warning{{Size argument is greater than the length of the destination buffer}}
}
501*67e74705SXin Li
// A bound smaller than the destination is not an overflow, so no report is
// wanted. NOTE(review): the first 3 bytes of a 4-character source contain no
// NUL and x[3] is never written, so x is not a terminated string afterwards.
void strncpy_truncate(char *y) {
  char x[4];
  if (strlen(y) == 4)
    strncpy(x, y, 3); // no-warning
}
507*67e74705SXin Li
// All 3 source characters are copied and nothing is written out of bounds.
// NOTE(review): with n equal to the source length the terminator is not
// copied and x[3] is never written, so x is unterminated here as well.
void strncpy_no_truncate(char *y) {
  char x[4];
  if (strlen(y) == 3)
    strncpy(x, y, 3); // no-warning
}
513*67e74705SXin Li
// A size argument equal to the destination size is in bounds, but the length
// of the result must remain unknown afterwards.
void strncpy_exactly_matching_buffer(char *y) {
  char x[4];
  strncpy(x, y, 4); // no-warning

  // strncpy does not null-terminate, so we have no idea what the strlen is
  // after this.
  clang_analyzer_eval(strlen(x) > 4); // expected-warning{{UNKNOWN}}
}
522*67e74705SXin Li
// A size argument of 0 writes nothing and must not be reported.
void strncpy_zero(char *src) {
  char dst[] = "123";
  strncpy(dst, src, 0); // no-warning
}
527*67e74705SXin Li
// Empty source with a bound equal to the destination size (4 bytes for
// "123" plus its terminator): in bounds, no report wanted.
void strncpy_empty() {
  char dst[] = "123";
  char src[] = "";
  strncpy(dst, src, 4); // no-warning
}
533*67e74705SXin Li
534*67e74705SXin Li //===----------------------------------------------------------------------===
535*67e74705SXin Li // strncat()
536*67e74705SXin Li //===----------------------------------------------------------------------===
537*67e74705SXin Li
// Under VARIANT, strncat() is routed through __strncat_chk with a destination
// size of (size_t)-1, the largest size_t value, so the _chk argument never
// states a real bound.
#ifdef VARIANT

#define __strncat_chk BUILTIN(__strncat_chk)
char *__strncat_chk(char *restrict s1, const char *restrict s2, size_t n, size_t destlen);

#define strncat(a,b,c) __strncat_chk(a,b,c, (size_t)-1)

#else /* VARIANT */

#define strncat BUILTIN(strncat)
char *strncat(char *restrict s1, const char *restrict s2, size_t n);

#endif /* VARIANT */
551*67e74705SXin Li
552*67e74705SXin Li
// A null destination must be reported.
void strncat_null_dst(char *x) {
  strncat(NULL, x, 4); // expected-warning{{Null pointer argument in call to string copy function}}
}
556*67e74705SXin Li
// A null source must be reported.
void strncat_null_src(char *x) {
  strncat(x, NULL, 4); // expected-warning{{Null pointer argument in call to string copy function}}
}
560*67e74705SXin Li
// A function address used as the source string must be reported.
void strncat_fn(char *x) {
  strncat(x, (char*)&strncat_fn, 4); // expected-warning{{Argument to string copy function is the address of the function 'strncat_fn', which is not a null-terminated string}}
}
564*67e74705SXin Li
// Modelled effects of strncat() when the bound equals the source length: it
// returns its destination and the new length is the sum of both lengths.
// 3 + 4 characters plus the terminator fill the 8-byte buffer exactly.
void strncat_effects(char *y) {
  char x[8] = "123";
  size_t orig_len = strlen(x);
  char a = x[0];

  if (strlen(y) != 4)
    return;

  clang_analyzer_eval(strncat(x, y, strlen(y)) == x); // expected-warning{{TRUE}}
  clang_analyzer_eval(strlen(x) == (orig_len + strlen(y))); // expected-warning{{TRUE}}
}
576*67e74705SXin Li
// Bounding strncat() by the source length protects nothing: the 4-byte
// buffer holding "12" has room for one more character, and the bound is 4.
void strncat_overflow_0(char *y) {
  char x[4] = "12";
  if (strlen(y) == 4)
    strncat(x, y, strlen(y)); // expected-warning{{Size argument is greater than the free space in the destination buffer}}
}
582*67e74705SXin Li
// As strncat_overflow_0 with a bound of 3; still more than the one free
// character slot.
void strncat_overflow_1(char *y) {
  char x[4] = "12";
  if (strlen(y) == 3)
    strncat(x, y, strlen(y)); // expected-warning{{Size argument is greater than the free space in the destination buffer}}
}
588*67e74705SXin Li
// The off-by-one case: 2 + 2 characters equal the buffer size, but strncat()
// always appends a terminator after the copied characters.
void strncat_overflow_2(char *y) {
  char x[4] = "12";
  if (strlen(y) == 2)
    strncat(x, y, strlen(y)); // expected-warning{{Size argument is greater than the free space in the destination buffer}}
}
594*67e74705SXin Li
// Constant bound shorter than the source: 2 existing + 2 appended characters
// plus the terminator still need 5 bytes in a 4-byte buffer.
void strncat_overflow_3(char *y) {
  char x[4] = "12";
  if (strlen(y) == 4)
    strncat(x, y, 2); // expected-warning{{Size argument is greater than the free space in the destination buffer}}
}
// 2 + 2 characters plus the terminator fit exactly into 5 bytes.
void strncat_no_overflow_1(char *y) {
  char x[5] = "12";
  if (strlen(y) == 2)
    strncat(x, y, strlen(y)); // no-warning
}
605*67e74705SXin Li
// A bound of 1 keeps a longer source in check: 2 + 1 characters plus the
// terminator fit exactly into 4 bytes.
void strncat_no_overflow_2(char *y) {
  char x[4] = "12";
  if (strlen(y) == 4)
    strncat(x, y, 1); // no-warning
}
611*67e74705SXin Li
// Destination of unknown length, bound larger than the 4-character source:
// the result is at least 4 long.
void strncat_symbolic_dst_length(char *dst) {
  strncat(dst, "1234", 5);
  clang_analyzer_eval(strlen(dst) >= 4); // expected-warning{{TRUE}}
}
616*67e74705SXin Li
// Source of unknown length. With a bound of 3 the worst case (4 + 3
// characters plus the terminator) fits the 8-byte buffer. With a bound of 4
// it does not, and the report is wanted even though the actual source length
// is unknown.
void strncat_symbolic_src_length(char *src) {
  char dst[8] = "1234";
  strncat(dst, src, 3);
  clang_analyzer_eval(strlen(dst) >= 4); // expected-warning{{TRUE}}

  char dst2[8] = "1234";
  strncat(dst2, src, 4); // expected-warning{{Size argument is greater than the free space in the destination buffer}}
}
625*67e74705SXin Li
// Same pair of checks as the symbolic-source case, but the source is reached
// through &src[offset] with an unconstrained offset. The bound-versus-free-space
// check must not depend on knowing anything about the source.
void strncat_unknown_src_length(char *src, int offset) {
  // Bound 3 fits the 3 free characters of an 8-byte buffer holding "1234".
  char fits[8] = "1234";
  strncat(fits, &src[offset], 3);
  clang_analyzer_eval(strlen(fits) >= 4); // expected-warning{{TRUE}}

  // Bound 4 is one more than the free space and has to be reported.
  char too_small[8] = "1234";
  strncat(too_small, &src[offset], 4); // expected-warning{{Size argument is greater than the free space in the destination buffer}}
}
634*67e74705SXin Li
635*67e74705SXin Li // There is no strncat_unknown_dst_length because if we can't get a symbolic
636*67e74705SXin Li // length for the "before" strlen, we won't be able to set one for "after".
637*67e74705SXin Li
// The bound itself is symbolic. The test pins that the checker stays silent
// and only tracks that the length did not shrink.
// NOTE(review): silence is not a proof of safety here. The 6-byte buffer has
// one free character, so at run time any limit >= 2 would write past it;
// callers with a variable bound still need their own range check.
void strncat_symbolic_limit(unsigned limit) {
  char out[6] = "1234";
  char tail[] = "567";
  strncat(out, tail, limit); // no-warning

  clang_analyzer_eval(strlen(out) >= 4); // expected-warning{{TRUE}}
  clang_analyzer_eval(strlen(out) == 4); // expected-warning{{UNKNOWN}}
}
646*67e74705SXin Li
// Variant of the symbolic-limit case where the bound comes from a float cast
// to size_t. The pinned behaviour is identical: no diagnostic, and only
// "length >= 4" is known afterwards.
// NOTE(review): as with any unconstrained bound, the absence of a report does
// not mean the 6-byte buffer is large enough for every value of limit.
void strncat_unknown_limit(float limit) {
  char out[6] = "1234";
  char tail[] = "567";
  strncat(out, tail, (size_t)limit); // no-warning

  clang_analyzer_eval(strlen(out) >= 4); // expected-warning{{TRUE}}
  clang_analyzer_eval(strlen(out) == 4); // expected-warning{{UNKNOWN}}
}
655*67e74705SXin Li
// Constrains strlen(dst) to (size_t)0 - 2 and strlen(src) to 2, so the
// combined length would not be representable in size_t. The analyzer treats
// that state as one that cannot occur in practice and reports nothing.
void strncat_too_big(char *dst, char *src) {
  // We assume this will never actually happen, so we don't get a warning.
  if (strlen(dst) != (((size_t)0) - 2)) {
    return;
  }
  if (strlen(src) != 2) {
    return;
  }
  strncat(dst, src, 2);
}
664*67e74705SXin Li
// The destination is sized by its initializer, so it has no free space at
// all. A bound of 0 appends nothing and must therefore be accepted.
void strncat_zero(char *src) {
  char full[] = "123";
  strncat(full, src, 0); // no-warning
}
669*67e74705SXin Li
// Appending an empty source. The bound of 4 equals the free space of the
// 8-byte buffer holding "123" (8 - 3 - NUL), so the call must stay silent.
void strncat_empty() {
  char out[8] = "123";
  char nothing[] = "";
  strncat(out, nothing, 4); // no-warning
}
675*67e74705SXin Li
676*67e74705SXin Li //===----------------------------------------------------------------------===
677*67e74705SXin Li // strcmp()
678*67e74705SXin Li //===----------------------------------------------------------------------===
679*67e74705SXin Li
680*67e74705SXin Li #define strcmp BUILTIN(strcmp)
681*67e74705SXin Li int strcmp(const char * s1, const char * s2);
682*67e74705SXin Li
// Pins what the model promises about strcmp's result: the sign is known, the
// magnitude is not. That matches the portable contract of strcmp, so code
// under analysis should only ever test the result against zero.
void strcmp_check_modelling() {
  char *longer = "aa";
  char *shorter = "a";
  clang_analyzer_eval(strcmp(longer, shorter) > 0); // expected-warning{{TRUE}}
  clang_analyzer_eval(strcmp(longer, shorter) <= 0); // expected-warning{{FALSE}}
  clang_analyzer_eval(strcmp(longer, shorter) > 1); // expected-warning{{UNKNOWN}}

  // Swapped operands: negative sign is known, the exact value is not.
  clang_analyzer_eval(strcmp(shorter, longer) < 0); // expected-warning{{TRUE}}
  clang_analyzer_eval(strcmp(shorter, longer) >= 0); // expected-warning{{FALSE}}
  clang_analyzer_eval(strcmp(shorter, longer) < -1); // expected-warning{{UNKNOWN}}
}
694*67e74705SXin Li
// Two identical string literals passed directly must compare equal.
void strcmp_constant0() {
  clang_analyzer_eval(strcmp("123", "123") == 0); // expected-warning{{TRUE}}
}
698*67e74705SXin Li
// Equality must also be found when the first operand is a pointer variable
// initialised from a literal and the second is the literal itself.
void strcmp_constant_and_var_0() {
  char *via_ptr = "123";
  clang_analyzer_eval(strcmp(via_ptr, "123") == 0); // expected-warning{{TRUE}}
}
703*67e74705SXin Li
// Mirror of the previous case: literal first, pointer variable second.
void strcmp_constant_and_var_1() {
  char *via_ptr = "123";
  clang_analyzer_eval(strcmp("123", via_ptr) == 0); // expected-warning{{TRUE}}
}
708*67e74705SXin Li
// Two separate pointer variables with equal contents compare equal.
void strcmp_0() {
  char *lhs = "123";
  char *rhs = "123";
  clang_analyzer_eval(strcmp(lhs, rhs) == 0); // expected-warning{{TRUE}}
}
714*67e74705SXin Li
// Same length, first character differs ('2' > '1'): result is positive.
void strcmp_1() {
  char *lhs = "234";
  char *rhs = "123";
  clang_analyzer_eval(strcmp(lhs, rhs) > 0); // expected-warning{{TRUE}}
}
720*67e74705SXin Li
// Same length, first character differs ('1' < '2'): result is negative.
void strcmp_2() {
  char *lhs = "123";
  char *rhs = "234";
  clang_analyzer_eval(strcmp(lhs, rhs) < 0); // expected-warning{{TRUE}}
}
726*67e74705SXin Li
// A null first operand is undefined behaviour for strcmp; the checker must
// flag the call itself.
void strcmp_null_0() {
  char *missing = NULL;
  char *present = "123";
  strcmp(missing, present); // expected-warning{{Null pointer argument in call to string comparison function}}
}
732*67e74705SXin Li
// Same check for the second operand: the null pointer is reported regardless
// of which argument position it is in.
void strcmp_null_1() {
  char *present = "123";
  char *missing = NULL;
  strcmp(present, missing); // expected-warning{{Null pointer argument in call to string comparison function}}
}
738*67e74705SXin Li
// Different lengths, decided by the first character ('1' < '2'); the longer
// left operand still compares as smaller.
void strcmp_diff_length_0() {
  char *lhs = "12345";
  char *rhs = "234";
  clang_analyzer_eval(strcmp(lhs, rhs) < 0); // expected-warning{{TRUE}}
}
744*67e74705SXin Li
// Different lengths, decided by the first character ('1' < '2') with the
// shorter string on the left.
void strcmp_diff_length_1() {
  char *lhs = "123";
  char *rhs = "23456";
  clang_analyzer_eval(strcmp(lhs, rhs) < 0); // expected-warning{{TRUE}}
}
750*67e74705SXin Li
// The right operand is a proper prefix of the left one, so the comparison is
// decided by '4' against the terminating NUL: positive.
void strcmp_diff_length_2() {
  char *lhs = "12345";
  char *rhs = "123";
  clang_analyzer_eval(strcmp(lhs, rhs) > 0); // expected-warning{{TRUE}}
}
756*67e74705SXin Li
// The left operand is a proper prefix of the right one, so the comparison is
// decided by the terminating NUL against '4': negative.
void strcmp_diff_length_3() {
  char *lhs = "123";
  char *rhs = "12345";
  clang_analyzer_eval(strcmp(lhs, rhs) < 0); // expected-warning{{TRUE}}
}
762*67e74705SXin Li
// Both literals start with a NUL, so as C strings they are empty and equal;
// the differing bytes after the terminator must not influence the result.
void strcmp_embedded_null () {
  clang_analyzer_eval(strcmp("\0z", "\0y") == 0); // expected-warning{{TRUE}}
}
766*67e74705SXin Li
// Nothing is known about the contents, but both operands are the same
// pointer, which is sufficient to conclude equality.
void strcmp_unknown_arg (char *unknown) {
  clang_analyzer_eval(strcmp(unknown, unknown) == 0); // expected-warning{{TRUE}}
}
770*67e74705SXin Li
// Single-member union used as the parameter type of the function-pointer
// cast test that follows it in this file.
union argument {
  char *f;
};
774*67e74705SXin Li
// Callee for the function-pointer cast test: compares a literal with the
// string reached through a. No diagnostic is attached to the call; the point
// is that analysing it must not crash.
void function_pointer_cast_helper(char **a) {
  strcmp("Hi", *a); // PR24951 crash
}
778*67e74705SXin Li
// Calls function_pointer_cast_helper (declared with a char ** parameter)
// through a pointer cast to a function taking union argument *, so the callee
// sees an argument whose static type differs from its parameter type.
void strcmp_union_function_pointer_cast(union argument a) {
  void (*through_cast)(union argument *) = (void (*)(union argument *))function_pointer_cast_helper;

  through_cast(&a);
}
784*67e74705SXin Li
785*67e74705SXin Li //===----------------------------------------------------------------------===
786*67e74705SXin Li // strncmp()
787*67e74705SXin Li //===----------------------------------------------------------------------===
788*67e74705SXin Li
789*67e74705SXin Li #define strncmp BUILTIN(strncmp)
790*67e74705SXin Li int strncmp(const char *s1, const char *s2, size_t n);
791*67e74705SXin Li
// Pins the strncmp model: with a bound of 2, "aa" against "a" is decided by
// 'a' versus the terminating NUL. Only the sign of the result is known; the
// magnitude stays unknown, so comparisons against values other than zero
// cannot be relied on.
void strncmp_check_modelling() {
  char *longer = "aa";
  char *shorter = "a";
  clang_analyzer_eval(strncmp(longer, shorter, 2) > 0); // expected-warning{{TRUE}}
  clang_analyzer_eval(strncmp(longer, shorter, 2) <= 0); // expected-warning{{FALSE}}
  clang_analyzer_eval(strncmp(longer, shorter, 2) > 1); // expected-warning{{UNKNOWN}}

  // Swapped operands: negative sign is known, the exact value is not.
  clang_analyzer_eval(strncmp(shorter, longer, 2) < 0); // expected-warning{{TRUE}}
  clang_analyzer_eval(strncmp(shorter, longer, 2) >= 0); // expected-warning{{FALSE}}
  clang_analyzer_eval(strncmp(shorter, longer, 2) < -1); // expected-warning{{UNKNOWN}}
}
803*67e74705SXin Li
// Identical literals with a bound equal to their length compare equal.
void strncmp_constant0() {
  clang_analyzer_eval(strncmp("123", "123", 3) == 0); // expected-warning{{TRUE}}
}
807*67e74705SXin Li
// Pointer variable first, literal second, bound covering the whole string.
void strncmp_constant_and_var_0() {
  char *via_ptr = "123";
  clang_analyzer_eval(strncmp(via_ptr, "123", 3) == 0); // expected-warning{{TRUE}}
}
812*67e74705SXin Li
// Literal first, pointer variable second, bound covering the whole string.
void strncmp_constant_and_var_1() {
  char *via_ptr = "123";
  clang_analyzer_eval(strncmp("123", via_ptr, 3) == 0); // expected-warning{{TRUE}}
}
817*67e74705SXin Li
// Two pointer variables with equal contents, bound equal to the length.
void strncmp_0() {
  char *lhs = "123";
  char *rhs = "123";
  clang_analyzer_eval(strncmp(lhs, rhs, 3) == 0); // expected-warning{{TRUE}}
}
823*67e74705SXin Li
// First character decides ('2' > '1'): positive.
void strncmp_1() {
  char *lhs = "234";
  char *rhs = "123";
  clang_analyzer_eval(strncmp(lhs, rhs, 3) > 0); // expected-warning{{TRUE}}
}
829*67e74705SXin Li
// First character decides ('1' < '2'): negative.
void strncmp_2() {
  char *lhs = "123";
  char *rhs = "234";
  clang_analyzer_eval(strncmp(lhs, rhs, 3) < 0); // expected-warning{{TRUE}}
}
835*67e74705SXin Li
// A null first operand must be reported even though a bound is supplied; the
// bound limits how far the comparison reads, not whether the pointer is valid.
void strncmp_null_0() {
  char *missing = NULL;
  char *present = "123";
  strncmp(missing, present, 3); // expected-warning{{Null pointer argument in call to string comparison function}}
}
841*67e74705SXin Li
// Same null-pointer check for the second operand.
void strncmp_null_1() {
  char *present = "123";
  char *missing = NULL;
  strncmp(present, missing, 3); // expected-warning{{Null pointer argument in call to string comparison function}}
}
847*67e74705SXin Li
// Bound (5) exceeds the shorter string; the first character decides
// ('1' < '2'), so the terminator is never reached.
void strncmp_diff_length_0() {
  char *lhs = "12345";
  char *rhs = "234";
  clang_analyzer_eval(strncmp(lhs, rhs, 5) < 0); // expected-warning{{TRUE}}
}
853*67e74705SXin Li
// Shorter string on the left, bound of 5; the first character decides
// ('1' < '2').
void strncmp_diff_length_1() {
  char *lhs = "123";
  char *rhs = "23456";
  clang_analyzer_eval(strncmp(lhs, rhs, 5) < 0); // expected-warning{{TRUE}}
}
859*67e74705SXin Li
// The right operand is a prefix of the left and the bound reaches past it, so
// '4' is compared with the terminating NUL: positive.
void strncmp_diff_length_2() {
  char *lhs = "12345";
  char *rhs = "123";
  clang_analyzer_eval(strncmp(lhs, rhs, 5) > 0); // expected-warning{{TRUE}}
}
865*67e74705SXin Li
// The left operand is a prefix of the right and the bound reaches past it, so
// the terminating NUL is compared with '4': negative.
void strncmp_diff_length_3() {
  char *lhs = "123";
  char *rhs = "12345";
  clang_analyzer_eval(strncmp(lhs, rhs, 5) < 0); // expected-warning{{TRUE}}
}
871*67e74705SXin Li
// With the bound set to the shorter length (3), "123" and "12345" compare
// equal. A bounded compare only establishes that the first n characters
// match; code that needs whole-string equality must also compare lengths.
void strncmp_diff_length_4() {
  char *lhs = "123";
  char *rhs = "12345";
  clang_analyzer_eval(strncmp(lhs, rhs, 3) == 0); // expected-warning{{TRUE}}
}
877*67e74705SXin Li
// Bound of 3 with a difference in the first character ('0' < '1'): negative.
void strncmp_diff_length_5() {
  char *lhs = "012";
  char *rhs = "12345";
  clang_analyzer_eval(strncmp(lhs, rhs, 3) < 0); // expected-warning{{TRUE}}
}
883*67e74705SXin Li
// Bound of 3 with a difference in the first character ('2' > '1'): positive.
void strncmp_diff_length_6() {
  char *lhs = "234";
  char *rhs = "12345";
  clang_analyzer_eval(strncmp(lhs, rhs, 3) > 0); // expected-warning{{TRUE}}
}
889*67e74705SXin Li
// The bound (4) reaches past the embedded NUL at index 2, but comparison
// stops at the terminator, so the differing bytes after it are ignored.
void strncmp_embedded_null () {
  clang_analyzer_eval(strncmp("ab\0zz", "ab\0yy", 4) == 0); // expected-warning{{TRUE}}
}
893*67e74705SXin Li
894*67e74705SXin Li //===----------------------------------------------------------------------===
895*67e74705SXin Li // strcasecmp()
896*67e74705SXin Li //===----------------------------------------------------------------------===
897*67e74705SXin Li
898*67e74705SXin Li #define strcasecmp BUILTIN(strcasecmp)
899*67e74705SXin Li int strcasecmp(const char *s1, const char *s2);
900*67e74705SXin Li
// Pins the strcasecmp model the same way as for strcmp: the sign of the
// result is known, its magnitude is not.
void strcasecmp_check_modelling() {
  char *longer = "aa";
  char *shorter = "a";
  clang_analyzer_eval(strcasecmp(longer, shorter) > 0); // expected-warning{{TRUE}}
  clang_analyzer_eval(strcasecmp(longer, shorter) <= 0); // expected-warning{{FALSE}}
  clang_analyzer_eval(strcasecmp(longer, shorter) > 1); // expected-warning{{UNKNOWN}}

  // Swapped operands: negative sign is known, the exact value is not.
  clang_analyzer_eval(strcasecmp(shorter, longer) < 0); // expected-warning{{TRUE}}
  clang_analyzer_eval(strcasecmp(shorter, longer) >= 0); // expected-warning{{FALSE}}
  clang_analyzer_eval(strcasecmp(shorter, longer) < -1); // expected-warning{{UNKNOWN}}
}
912*67e74705SXin Li
// Literals that differ only in the case of the first letter compare equal.
void strcasecmp_constant0() {
  clang_analyzer_eval(strcasecmp("abc", "Abc") == 0); // expected-warning{{TRUE}}
}
916*67e74705SXin Li
// Pointer variable first, differently-cased literal second.
void strcasecmp_constant_and_var_0() {
  char *via_ptr = "abc";
  clang_analyzer_eval(strcasecmp(via_ptr, "Abc") == 0); // expected-warning{{TRUE}}
}
921*67e74705SXin Li
// Differently-cased literal first, pointer variable second.
void strcasecmp_constant_and_var_1() {
  char *via_ptr = "abc";
  clang_analyzer_eval(strcasecmp("Abc", via_ptr) == 0); // expected-warning{{TRUE}}
}
926*67e74705SXin Li
// Two pointer variables whose contents differ only by case compare equal.
void strcasecmp_0() {
  char *lhs = "abc";
  char *rhs = "Abc";
  clang_analyzer_eval(strcasecmp(lhs, rhs) == 0); // expected-warning{{TRUE}}
}
932*67e74705SXin Li
// After case folding the first characters are 'b' and 'a', so the result is
// positive even though 'B' sorts before 'a' as a raw byte.
void strcasecmp_1() {
  char *lhs = "Bcd";
  char *rhs = "abc";
  clang_analyzer_eval(strcasecmp(lhs, rhs) > 0); // expected-warning{{TRUE}}
}
938*67e74705SXin Li
// Mirror of the previous case: 'a' against case-folded 'b' is negative.
void strcasecmp_2() {
  char *lhs = "abc";
  char *rhs = "Bcd";
  clang_analyzer_eval(strcasecmp(lhs, rhs) < 0); // expected-warning{{TRUE}}
}
944*67e74705SXin Li
// A null first operand must be reported for the case-insensitive variant too.
void strcasecmp_null_0() {
  char *missing = NULL;
  char *present = "123";
  strcasecmp(missing, present); // expected-warning{{Null pointer argument in call to string comparison function}}
}
950*67e74705SXin Li
// Same null-pointer check for the second operand.
void strcasecmp_null_1() {
  char *present = "123";
  char *missing = NULL;
  strcasecmp(present, missing); // expected-warning{{Null pointer argument in call to string comparison function}}
}
956*67e74705SXin Li
// "ab" matches "aB" after case folding; the third character decides
// ('c' < 'd'), so the longer left operand is still smaller.
void strcasecmp_diff_length_0() {
  char *lhs = "abcde";
  char *rhs = "aBd";
  clang_analyzer_eval(strcasecmp(lhs, rhs) < 0); // expected-warning{{TRUE}}
}
962*67e74705SXin Li
// Shorter string on the left; the third character decides ('c' < 'd').
void strcasecmp_diff_length_1() {
  char *lhs = "abc";
  char *rhs = "aBdef";
  clang_analyzer_eval(strcasecmp(lhs, rhs) < 0); // expected-warning{{TRUE}}
}
968*67e74705SXin Li
// The right operand is a case-insensitive prefix of the left, so 'D' is
// compared with the terminating NUL: positive.
void strcasecmp_diff_length_2() {
  char *lhs = "aBcDe";
  char *rhs = "abc";
  clang_analyzer_eval(strcasecmp(lhs, rhs) > 0); // expected-warning{{TRUE}}
}
974*67e74705SXin Li
// The left operand is a case-insensitive prefix of the right, so the
// terminating NUL is compared with 'd': negative.
void strcasecmp_diff_length_3() {
  char *lhs = "aBc";
  char *rhs = "abcde";
  clang_analyzer_eval(strcasecmp(lhs, rhs) < 0); // expected-warning{{TRUE}}
}
980*67e74705SXin Li
// Both literals are "ab" as C strings; the bytes after the embedded NUL
// differ but must not affect the result.
void strcasecmp_embedded_null () {
  clang_analyzer_eval(strcasecmp("ab\0zz", "ab\0yy") == 0); // expected-warning{{TRUE}}
}
984*67e74705SXin Li
985*67e74705SXin Li //===----------------------------------------------------------------------===
986*67e74705SXin Li // strncasecmp()
987*67e74705SXin Li //===----------------------------------------------------------------------===
988*67e74705SXin Li
989*67e74705SXin Li #define strncasecmp BUILTIN(strncasecmp)
990*67e74705SXin Li int strncasecmp(const char *s1, const char *s2, size_t n);
991*67e74705SXin Li
// Pins the strncasecmp model with a bound of 2: the sign of the result is
// known, its magnitude is not.
void strncasecmp_check_modelling() {
  char *longer = "aa";
  char *shorter = "a";
  clang_analyzer_eval(strncasecmp(longer, shorter, 2) > 0); // expected-warning{{TRUE}}
  clang_analyzer_eval(strncasecmp(longer, shorter, 2) <= 0); // expected-warning{{FALSE}}
  clang_analyzer_eval(strncasecmp(longer, shorter, 2) > 1); // expected-warning{{UNKNOWN}}

  // Swapped operands: negative sign is known, the exact value is not.
  clang_analyzer_eval(strncasecmp(shorter, longer, 2) < 0); // expected-warning{{TRUE}}
  clang_analyzer_eval(strncasecmp(shorter, longer, 2) >= 0); // expected-warning{{FALSE}}
  clang_analyzer_eval(strncasecmp(shorter, longer, 2) < -1); // expected-warning{{UNKNOWN}}
}
1003*67e74705SXin Li
// Literals differing only by case, bound equal to their length: equal.
void strncasecmp_constant0() {
  clang_analyzer_eval(strncasecmp("abc", "Abc", 3) == 0); // expected-warning{{TRUE}}
}
1007*67e74705SXin Li
// Pointer variable first, differently-cased literal second, bound of 3.
void strncasecmp_constant_and_var_0() {
  char *via_ptr = "abc";
  clang_analyzer_eval(strncasecmp(via_ptr, "Abc", 3) == 0); // expected-warning{{TRUE}}
}
1012*67e74705SXin Li
// Differently-cased literal first, pointer variable second, bound of 3.
void strncasecmp_constant_and_var_1() {
  char *via_ptr = "abc";
  clang_analyzer_eval(strncasecmp("Abc", via_ptr, 3) == 0); // expected-warning{{TRUE}}
}
1017*67e74705SXin Li
// Two pointer variables whose contents differ only by case, bound of 3.
void strncasecmp_0() {
  char *lhs = "abc";
  char *rhs = "Abc";
  clang_analyzer_eval(strncasecmp(lhs, rhs, 3) == 0); // expected-warning{{TRUE}}
}
1023*67e74705SXin Li
// Case-folded first characters are 'b' and 'a': positive.
void strncasecmp_1() {
  char *lhs = "Bcd";
  char *rhs = "abc";
  clang_analyzer_eval(strncasecmp(lhs, rhs, 3) > 0); // expected-warning{{TRUE}}
}
1029*67e74705SXin Li
// Case-folded first characters are 'a' and 'b': negative.
void strncasecmp_2() {
  char *lhs = "abc";
  char *rhs = "Bcd";
  clang_analyzer_eval(strncasecmp(lhs, rhs, 3) < 0); // expected-warning{{TRUE}}
}
1035*67e74705SXin Li
// A null first operand must be reported; supplying a bound does not make a
// null pointer acceptable.
void strncasecmp_null_0() {
  char *missing = NULL;
  char *present = "123";
  strncasecmp(missing, present, 3); // expected-warning{{Null pointer argument in call to string comparison function}}
}
1041*67e74705SXin Li
// Same null-pointer check for the second operand.
void strncasecmp_null_1() {
  char *present = "123";
  char *missing = NULL;
  strncasecmp(present, missing, 3); // expected-warning{{Null pointer argument in call to string comparison function}}
}
1047*67e74705SXin Li
// Bound of 5; "ab" matches "aB" after case folding and the third character
// decides ('c' < 'd').
void strncasecmp_diff_length_0() {
  char *lhs = "abcde";
  char *rhs = "aBd";
  clang_analyzer_eval(strncasecmp(lhs, rhs, 5) < 0); // expected-warning{{TRUE}}
}
1053*67e74705SXin Li
// Shorter string on the left, bound of 5; the third character decides
// ('c' < 'd').
void strncasecmp_diff_length_1() {
  char *lhs = "abc";
  char *rhs = "aBdef";
  clang_analyzer_eval(strncasecmp(lhs, rhs, 5) < 0); // expected-warning{{TRUE}}
}
1059*67e74705SXin Li
// The bound reaches past the shorter right operand, so 'D' is compared with
// the terminating NUL: positive.
void strncasecmp_diff_length_2() {
  char *lhs = "aBcDe";
  char *rhs = "abc";
  clang_analyzer_eval(strncasecmp(lhs, rhs, 5) > 0); // expected-warning{{TRUE}}
}
1065*67e74705SXin Li
// The bound reaches past the shorter left operand, so the terminating NUL is
// compared with 'd': negative.
void strncasecmp_diff_length_3() {
  char *lhs = "aBc";
  char *rhs = "abcde";
  clang_analyzer_eval(strncasecmp(lhs, rhs, 5) < 0); // expected-warning{{TRUE}}
}
1071*67e74705SXin Li
// With the bound set to the shorter length (3), "abcde" and "aBc" compare
// equal. As with strncmp, this only shows that the first n characters match
// case-insensitively, not that the strings are the same.
void strncasecmp_diff_length_4() {
  char *lhs = "abcde";
  char *rhs = "aBc";
  clang_analyzer_eval(strncasecmp(lhs, rhs, 3) == 0); // expected-warning{{TRUE}}
}
1077*67e74705SXin Li
// Bound of 3; the third character decides ('c' < 'd'): negative.
void strncasecmp_diff_length_5() {
  char *lhs = "abcde";
  char *rhs = "aBd";
  clang_analyzer_eval(strncasecmp(lhs, rhs, 3) < 0); // expected-warning{{TRUE}}
}
1083*67e74705SXin Li
// Bound of 3; the third character decides (case-folded 'd' > 'c'): positive.
void strncasecmp_diff_length_6() {
  char *lhs = "aBDe";
  char *rhs = "abc";
  clang_analyzer_eval(strncasecmp(lhs, rhs, 3) > 0); // expected-warning{{TRUE}}
}
1089*67e74705SXin Li
// The bound (4) reaches past the embedded NUL at index 2, but comparison
// stops at the terminator, so the differing trailing bytes are ignored.
void strncasecmp_embedded_null () {
  clang_analyzer_eval(strncasecmp("ab\0zz", "ab\0yy", 4) == 0); // expected-warning{{TRUE}}
}
1093*67e74705SXin Li
1094*67e74705SXin Li //===----------------------------------------------------------------------===
1095*67e74705SXin Li // strsep()
1096*67e74705SXin Li //===----------------------------------------------------------------------===
1097*67e74705SXin Li
1098*67e74705SXin Li char *strsep(char **stringp, const char *delim);
1099*67e74705SXin Li
// A null delimiter set must be reported at the call.
void strsep_null_delim(char *s) {
  strsep(&s, NULL); // expected-warning{{Null pointer argument in call to strsep()}}
}
1103*67e74705SXin Li
// A null stringp (the pointer-to-pointer itself, not the string it refers to)
// must be reported at the call.
void strsep_null_search() {
  strsep(NULL, ""); // expected-warning{{Null pointer argument in call to strsep()}}
}
1107*67e74705SXin Li
// The token returned by strsep is the value *stringp had before the call,
// so it must compare equal to a copy of s taken beforehand.
void strsep_return_original_pointer(char *s) {
  char *before = s;
  char *token = strsep(&s, ""); // no-warning
  clang_analyzer_eval(before == token); // expected-warning{{TRUE}}
}
1113*67e74705SXin Li
// A null *stringp is valid input (unlike a null stringp): the call is not
// reported and the returned token is known to be NULL.
void strsep_null_string() {
  char *cursor = NULL;
  char *token = strsep(&cursor, ""); // no-warning
  clang_analyzer_eval(token == NULL); // expected-warning{{TRUE}}
}
1119*67e74705SXin Li
// strsep writes through stringp, so after the call nothing may be assumed
// about s: it is neither known to equal its old value nor known to be NULL.
void strsep_changes_input_pointer(char *s) {
  char *before = s;
  strsep(&s, ""); // no-warning
  clang_analyzer_eval(s == before); // expected-warning{{UNKNOWN}}
  clang_analyzer_eval(s == NULL); // expected-warning{{UNKNOWN}}

  // Check that the value is symbolic: once a branch constrains it, the same
  // comparison becomes decidable.
  if (s == NULL) {
    clang_analyzer_eval(s == NULL); // expected-warning{{TRUE}}
  }
}
1131*67e74705SXin Li
// strsep modifies the buffer it scans, so knowledge about its contents must
// be dropped after the call.
void strsep_changes_input_string() {
  char text[] = "abc";

  // Before the call the initializer is fully known.
  clang_analyzer_eval(text[1] == 'b'); // expected-warning{{TRUE}}

  char *cursor = text;
  strsep(&cursor, "b"); // no-warning

  // The real strsep will change the first delimiter it finds into a NUL
  // character. For now, we just model the invalidation.
  clang_analyzer_eval(text[1] == 'b'); // expected-warning{{UNKNOWN}}
}
1144*67e74705SXin Li
1145*67e74705SXin Li //===----------------------------------------------------------------------===
1146*67e74705SXin Li // FIXMEs
1147*67e74705SXin Li //===----------------------------------------------------------------------===
1148*67e74705SXin Li
// The analyzer_eval call below should evaluate to true. We are being too
// aggressive in marking the (length of) src symbol dead. The length of dst
// depends on src. This could be explicitly specified in the checker or the
// logic for handling MetadataSymbol in SymbolManager needs to change.
// Known limitation pinned as a test: after appending a source of symbolic
// length to "1234", the length should be provably >= 4, but the analyzer
// currently answers UNKNOWN. No overflow diagnostic is attached to the
// unbounded strcat into the 8-byte buffer either.
void strcat_symbolic_src_length(char *src) {
  char out[8] = "1234";
  strcat(out, src);
  clang_analyzer_eval(strlen(out) >= 4); // expected-warning{{UNKNOWN}}
}
1158*67e74705SXin Li
1159*67e74705SXin Li // The analyzer_eval call below should evaluate to true. Most likely the same
1160*67e74705SXin Li // issue as the test above.
// Known limitation pinned as a test: y is constrained to fewer than 4
// characters, so a 4-byte strncpy copies it with its terminator and the
// result length should be provably <= 3. The analyzer currently answers
// UNKNOWN.
void strncpy_exactly_matching_buffer2(char *y) {
  if (strlen(y) >= 4) {
    return;
  }

  char copy[4];
  strncpy(copy, y, 4); // no-warning

  // This time, we know that y fits in the destination anyway.
  clang_analyzer_eval(strlen(copy) <= 3); // expected-warning{{UNKNOWN}}
}