[NFC][analyzer] OOB test consolidation I: no-outofbounds.c (llvm#126539)

NagyDonat · web-flow · commit 73913275c414 · 2025-02-11T14:25:42.000+01:00
Before commit 6e17ed9 the test file `no-outofbounds.c` tested the behavior of the old alpha checker `alpha.security.ArrayBound` (V1); then that commit converted it into a test for the checker `security.ArrayBound` which was previously called `alpha.security.ArrayBoundV2`. This commit removes this small separate test file and adds some tests to the "native" test files of `security.ArrayBound` to ensure that the same functionality is still tested. This is intended as the first commit in a series that reorganizes the tests of `security.ArrayBound` to system that's easier to understand and maintain.
diff --git a/clang/test/Analysis/no-outofbounds.c b/clang/test/Analysis/no-outofbounds.c
diff --git a/clang/test/Analysis/out-of-bounds-diagnostics.c b/clang/test/Analysis/out-of-bounds-diagnostics.c
@@ -231,7 +231,16 @@ int arrayOfStructsArrow(void) {
   // expected-note@-2 {{Access of 'itemArray' at index 35, while it holds only 20 'struct item' elements}}
 }
 
+char convertedScalar(long long var) {
+  char *p = ((char*)&var);
+  (void) p[3]; // no-warning
+  return p[13];
+  // expected-warning@-1 {{Out of bound access to memory after the end of 'var'}}
+  // expected-note@-2 {{Access of 'var' at index 13, while it holds only 8 'char' elements}}
+}
+
 short convertedArray(void) {
+  (void) ((short*)TenElements)[17]; // no-warning
   return ((short*)TenElements)[47];
   // expected-warning@-1 {{Out of bound access to memory after the end of 'TenElements'}}
   // expected-note@-2 {{Access of 'TenElements' at index 47, while it holds only 20 'short' elements}}
@@ -268,23 +277,41 @@ int intFromStringDivisible(void) {
 
 typedef __typeof(sizeof(int)) size_t;
 void *malloc(size_t size);
+void free(void *mem);
 
 int *mallocRegion(void) {
   int *mem = (int*)malloc(2*sizeof(int));
 
+  mem[1] = 48; // no-warning
+
   mem[3] = -2;
   // expected-warning@-1 {{Out of bound access to memory after the end of the heap area}}
   // expected-note@-2 {{Access of the heap area at index 3, while it holds only 2 'int' elements}}
   return mem;
 }
 
+typedef struct { size_t len; int data[0]; } vec_t;
+
+void mallocFlexibleArray(void) {
+  vec_t *v = malloc(sizeof(vec_t) + 10 * sizeof(int));
+  v->len = 10;
+  v->data[1] = 5; // no-warning
+  v->data[11] = 99;
+  // TODO: Here ideally we would expect
+  //     {{Out of bound access to memory after the end of the heap area}}
+  //     {{Access of the heap area at index 11, while it holds only 10 'int' elements}}
+  // but the analyzer cannot (yet) deduce the size of the flexible array member
+  // from the size of the whole allocated area.
+  free(v);
+}
+
 int *custom_calloc(size_t a, size_t b) {
   size_t res;
 
   return __builtin_mul_overflow(a, b, &res) ? 0 : malloc(res);
 }
 
-int *mallocRegionOverflow(void) {
+int *mallocMulOverflow(void) {
   int *mem = (int*)custom_calloc(10, sizeof(int));
 
   mem[20] = 10;
diff --git a/clang/test/Analysis/out-of-bounds.c b/clang/test/Analysis/out-of-bounds.c
@@ -153,7 +153,7 @@ void test_assume_after_access(unsigned long x) {
 int *get_symbolic(void);
 void test_underflow_symbolic(void) {
   int *buf = get_symbolic();
-  buf[-1] = 0; // no-warning;
+  buf[-1] = 0; // no-warning
 }
 
 // But warn if we understand the internal memory layout of a symbolic region.

Original file line number	Diff line number	Diff line change
`@@ -153,7 +153,7 @@ void test_assume_after_access(unsigned long x) {`
`153`	`153`	`int *get_symbolic(void);`
`154`	`154`	`void test_underflow_symbolic(void) {`
`155`	`155`	`int *buf = get_symbolic();`
`156`		`- buf[-1] = 0; // no-warning;`
	`156`	`+ buf[-1] = 0; // no-warning`
`157`	`157`	`}`
`158`	`158`
`159`	`159`	`// But warn if we understand the internal memory layout of a symbolic region.`