[committed] analyzer: add test coverage for string ops

public inbox for gcc-patches@gcc.gnu.org
 help / color / mirror / Atom feed

From: David Malcolm <dmalcolm@redhat.com>
To: gcc-patches@gcc.gnu.org
Cc: David Malcolm <dmalcolm@redhat.com>
Subject: [committed] analyzer: add test coverage for string ops
Date: Thu,  1 Dec 2022 21:35:41 -0500	[thread overview]
Message-ID: <20221202023541.3778122-1-dmalcolm@redhat.com> (raw)

Tested on x86_64-pc-linux-gnu.
Pushed to trunk as r13-4455-g5cb7d28dcfb11a.

gcc/testsuite/ChangeLog:
	* gcc.dg/analyzer/string-ops-concat-pair.c: New test.
	* gcc.dg/analyzer/string-ops-dup.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
---
 .../gcc.dg/analyzer/string-ops-concat-pair.c  | 67 +++++++++++++++++++
 .../gcc.dg/analyzer/string-ops-dup.c          | 61 +++++++++++++++++
 2 files changed, 128 insertions(+)
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/string-ops-concat-pair.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/string-ops-dup.c

diff --git a/gcc/testsuite/gcc.dg/analyzer/string-ops-concat-pair.c b/gcc/testsuite/gcc.dg/analyzer/string-ops-concat-pair.c
new file mode 100644
index 00000000000..f5bcd67594f
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/string-ops-concat-pair.c
@@ -0,0 +1,67 @@
+typedef __SIZE_TYPE__ size_t;
+#define NULL ((void *)0)
+
+/* Concatenating a pair of strings.  */
+
+/* Correct but poor implementation with repeated __builtin_strlen calls.  */
+
+char *
+alloc_dup_of_concatenated_pair_1_correct (const char *x, const char *y)
+{
+  size_t sz = __builtin_strlen (x) + __builtin_strlen (y) + 1;
+  char *result = __builtin_malloc (sz);
+  if (!result)
+    return NULL;
+  __builtin_memcpy (result, x, __builtin_strlen (x));
+  __builtin_memcpy (result + __builtin_strlen (x), y, __builtin_strlen (y));
+  result[__builtin_strlen(x) + __builtin_strlen (y)] = '\0';
+  return result;
+}
+
+/* Incorrect version: forgetting to add space for terminator.  */
+
+char *
+alloc_dup_of_concatenated_pair_1_incorrect (const char *x, const char *y)
+{
+  /* Forgetting to add space for the terminator here.  */
+  size_t sz = __builtin_strlen (x) + __builtin_strlen (y);
+  char *result = __builtin_malloc (sz);
+  if (!result)
+    return NULL;
+  __builtin_memcpy (result, x, __builtin_strlen (x));
+  __builtin_memcpy (result + __builtin_strlen (x), y, __builtin_strlen (y));
+  result[__builtin_strlen(x) + __builtin_strlen (y)] = '\0'; /* { dg-warning "heap-based buffer overflow" "PR analyzer/105899" { xfail *-*-* } } */
+  return result;
+}
+
+/* As above, but only calling __builtin_strlen once on each input.  */
+
+char *
+alloc_dup_of_concatenated_pair_2_correct (const char *x, const char *y)
+{
+  size_t len_x = __builtin_strlen (x);
+  size_t len_y = __builtin_strlen (y);
+  size_t sz = len_x + len_y + 1;
+  char *result = __builtin_malloc (sz);
+  if (!result)
+    return NULL;
+  __builtin_memcpy (result, x, len_x);
+  __builtin_memcpy (result + len_x, y, len_y);
+  result[len_x + len_y] = '\0';
+  return result;
+}
+
+char *
+alloc_dup_of_concatenated_pair_2_incorrect (const char *x, const char *y)
+{
+  size_t len_x = __builtin_strlen (x);
+  size_t len_y = __builtin_strlen (y);
+  size_t sz = len_x + len_y; /* Forgetting to add space for the terminator.  */
+  char *result = __builtin_malloc (sz); /* { dg-message "capacity: 'len_x \\+ len_y' bytes" } */
+  if (!result)
+    return NULL;
+  __builtin_memcpy (result, x, len_x);
+  __builtin_memcpy (result + len_x, y, len_y);
+  result[len_x + len_y] = '\0'; /* { dg-warning "heap-based buffer overflow" } */
+  return result;
+}
diff --git a/gcc/testsuite/gcc.dg/analyzer/string-ops-dup.c b/gcc/testsuite/gcc.dg/analyzer/string-ops-dup.c
new file mode 100644
index 00000000000..44c4e9dc67e
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/string-ops-dup.c
@@ -0,0 +1,61 @@
+typedef __SIZE_TYPE__ size_t;
+#define NULL ((void *)0)
+
+/* Duplicating a string.  */
+
+/* Correct but poor implementation with repeated __builtin_strlen calls.  */
+
+char *
+alloc_dup_1_correct (const char *x)
+{
+  size_t sz = __builtin_strlen (x) + 1;
+  char *result = __builtin_malloc (sz);
+  if (!result)
+    return NULL;
+  __builtin_memcpy (result, x, __builtin_strlen (x));
+  result[__builtin_strlen(x)] = '\0';
+  return result;
+}
+
+/* Incorrect version: forgetting to add space for terminator.  */
+
+char *
+alloc_dup_1_incorrect (const char *x, const char *y)
+{
+  /* Forgetting to add space for the terminator here.  */
+  size_t sz = __builtin_strlen (x) + 1;
+  char *result = __builtin_malloc (sz);
+  if (!result)
+    return NULL;
+  __builtin_memcpy (result, x, __builtin_strlen (x));
+  result[__builtin_strlen(x)] = '\0'; /* { dg-warning "heap-based buffer overflow" "PR analyzer/105899" { xfail *-*-* } } */
+  return result;
+}
+
+/* As above, but only calling __builtin_strlen once.  */
+
+char *
+alloc_dup_2_correct (const char *x)
+{
+  size_t len_x = __builtin_strlen (x);
+  size_t sz = len_x + 1;
+  char *result = __builtin_malloc (sz);
+  if (!result)
+    return NULL;
+  __builtin_memcpy (result, x, len_x);
+  result[len_x] = '\0';
+  return result;
+}
+
+char *
+alloc_dup_of_concatenated_pair_2_incorrect (const char *x, const char *y)
+{
+  size_t len_x = __builtin_strlen (x);
+  size_t sz = len_x; /* Forgetting to add space for the terminator.  */
+  char *result = __builtin_malloc (sz); /* { dg-message "capacity: 'len_x' bytes" } */
+  if (!result)
+    return NULL;
+  __builtin_memcpy (result, x, len_x);
+  result[len_x] = '\0'; /* { dg-warning "heap-based buffer overflow" } */
+  return result;
+}
-- 
2.26.3

                 reply	other threads:[~2022-12-02  2:35 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20221202023541.3778122-1-dmalcolm@redhat.com \
    --to=dmalcolm@redhat.com \
    --cc=gcc-patches@gcc.gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).