From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dmalcolm@sourceware.org>
Received: by sourceware.org (Postfix, from userid 2209)
	id E8B793858429; Fri,  9 Sep 2022 21:11:01 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org E8B793858429
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org;
	s=default; t=1662757861;
	bh=9yQ2c6ZYNQYeXg80lU2EMMpjK+MjaMPrt7cxKozuuzw=;
	h=From:To:Subject:Date:From;
	b=WtPlXjX9v8xG8rF1vq7ESvVaRE809TT6xKS6G56pFLK5SbR74AItIjCBUVwJ6JIjJ
	 W7X3ru9EX6teb/IwoFky9xckNg65USQv3zigxVDC3UdJFyMwUVyDFTAvdqC0VlZk2Z
	 o/xSXFIGNisK0L+hS8PWn7Kak+p4NQY5BrrP8EJk=
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="utf-8"
From: David Malcolm <dmalcolm@gcc.gnu.org>
To: gcc-cvs@gcc.gnu.org
Subject: [gcc r13-2571] analyzer: add test coverage for flexible array members
 [PR98247]
X-Act-Checkin: gcc
X-Git-Author: David Malcolm <dmalcolm@redhat.com>
X-Git-Refname: refs/heads/master
X-Git-Oldrev: 007680f946eaffa3c6321624129e1ec18e673091
X-Git-Newrev: 084dc9a0c6cec14596093ad077fc3e25c6b99bc3
Message-Id: <20220909211101.E8B793858429@sourceware.org>
Date: Fri,  9 Sep 2022 21:11:01 +0000 (GMT)
List-Id: <gcc-cvs.sourceware.org>

https://gcc.gnu.org/g:084dc9a0c6cec14596093ad077fc3e25c6b99bc3

commit r13-2571-g084dc9a0c6cec14596093ad077fc3e25c6b99bc3
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Fri Sep 9 17:10:08 2022 -0400

    analyzer: add test coverage for flexible array members [PR98247]
    
    gcc/testsuite/ChangeLog:
            PR analyzer/98247
            * gcc.dg/analyzer/flexible-array-member-1.c: New test.
    
    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

Diff:
---
 .../gcc.dg/analyzer/flexible-array-member-1.c      | 100 +++++++++++++++++++++
 1 file changed, 100 insertions(+)

diff --git a/gcc/testsuite/gcc.dg/analyzer/flexible-array-member-1.c b/gcc/testsuite/gcc.dg/analyzer/flexible-array-member-1.c
new file mode 100644
index 00000000000..2df085a43f2
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/flexible-array-member-1.c
@@ -0,0 +1,100 @@
+#include <stdlib.h>
+#include <string.h>
+
+struct str {
+  size_t len;
+  char data[];
+};
+
+struct str *
+test_const_size (void)
+{
+  struct str *str = malloc(sizeof(str) + 10);
+  if (str) {
+    str->len = 10;
+    memset(str->data, 'x', 10);
+    return str;
+  }
+  return NULL;
+}
+
+struct str *
+test_const_size_oob_1 (void)
+{
+  /* Forgetting to add space for the trailing array.  */
+  struct str *str = malloc(sizeof(str));
+  if (str) {
+    str->len = 10;
+    memset(str->data, 'x', 10); /* { dg-warning "heap-based buffer overflow" "Wanalyzer-out-of-bounds" } */
+    /* { dg-warning "'memset' writing 10 bytes into a region of size 0 overflows the destination" "Wstringop-overflow" { target *-*-* } .-1 } */
+    return str;
+  }
+  return NULL;
+}
+
+struct str *
+test_const_size_oob_2 (void)
+{
+  struct str *str = malloc(sizeof(str) + 10);
+  if (str) {
+    str->len = 10;
+    /* Using the wrong size here.  */
+    memset(str->data, 'x', 11); /* { dg-warning "heap-based buffer overflow" "Wanalyzer-out-of-bounds" } */
+    /* { dg-warning "'memset' writing 11 bytes into a region of size 10 overflows the destination" "Wstringop-overflow" { target *-*-* } .-1 } */
+    return str;
+  }
+  return NULL;
+}
+
+struct str *
+test_symbolic_size (size_t len)
+{
+  struct str *str = malloc(sizeof(str) + len);
+  if (str) {
+    str->len = len;
+    memset(str->data, 'x', len);
+    return str;
+  }
+  return NULL;
+}
+
+struct str *
+test_symbolic_size_oob (size_t len)
+{
+  /* Forgetting to add space for the trailing array.  */
+  struct str *str = malloc(sizeof(str));
+  if (str) {
+    str->len = len;
+    memset(str->data, 'x', len); /* { dg-warning "heap-based buffer overflow" "PR analyzer/98247" { xfail *-*-* } } */
+    // TODO(xfail): we don't yet complain about this case, which occurs when len > 0
+    return str;
+  }
+  return NULL;
+}
+
+struct str *
+test_symbolic_size_with_terminator (size_t len)
+{
+  struct str *str = malloc(sizeof(str) + len + 1);
+  if (str) {
+    str->len = len;
+    memset(str->data, 'x', len);
+    str->data[len] = '\0';
+    return str;
+  }
+  return NULL;
+}
+
+struct str *
+test_symbolic_size_with_terminator_oob (size_t len)
+{
+  /* Forgetting to add 1 for the terminator.  */
+  struct str *str = malloc(sizeof(str) + len);
+  if (str) {
+    str->len = len;
+    memset(str->data, 'x', len);
+    str->data[len] = '\0'; /* { dg-warning "heap-based buffer overflow" } */
+    return str;
+  }
+  return NULL;
+}