From: Ted Kremenek Date: Wed, 16 Feb 2011 01:57:07 +0000 (+0000) Subject: Add trivial buffer overflow checking in Sema. X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a0125d8520f65aca581378c235384e7affefa1fc;p=clang Add trivial buffer overflow checking in Sema. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@125640 91177308-0d34-0410-b5e6-96231b3b80d8
---
diff --git a/include/clang/Basic/DiagnosticSemaKinds.td b/include/clang/Basic/DiagnosticSemaKinds.td
index 84f87f423a..2c82dcb5fd 100644
--- a/include/clang/Basic/DiagnosticSemaKinds.td
+++ b/include/clang/Basic/DiagnosticSemaKinds.td
@@ -3379,6 +3379,10 @@ def warn_not_compound_assign : Warning<
 def warn_explicit_conversion_functions : Warning<
 "explicit conversion functions are a C++0x extension">, InGroup;
+def warn_array_index_out_of_bounds : Warning<
+ "array index %select{precedes first|excedes last}0 array element">,
+ InGroup>;
+
 def warn_printf_write_back : Warning<
 "use of '%%n' in format string discouraged (potentially insecure)">, InGroup;
diff --git a/include/clang/Sema/Sema.h b/include/clang/Sema/Sema.h
index e76bd67a3c..23bcb94976 100644
--- a/include/clang/Sema/Sema.h
+++ b/include/clang/Sema/Sema.h
@@ -5056,7 +5056,8 @@ public:
 SourceLocation getLocationOfStringLiteralByte(const StringLiteral *SL, unsigned ByteNo) const;
-private:
+private:
+ void CheckArrayAccess(const ArraySubscriptExpr *ae);
 bool CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall);
 bool CheckBlockCall(NamedDecl *NDecl, CallExpr *TheCall);
diff --git a/lib/Sema/SemaChecking.cpp b/lib/Sema/SemaChecking.cpp
index 03ce7f3708..ea1f07d783 100644
--- a/lib/Sema/SemaChecking.cpp
+++ b/lib/Sema/SemaChecking.cpp
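Review bot: The new diagnostic text in `warn_array_index_out_of_bounds` misspells "exceeds" as "excedes", and because this is the format string it is user-visible in every warning the check emits. Change it to `"array index %select{precedes first|exceeds last}0 array element">,`; the expected-warning strings in test/Sema/array-bounds.c in this same commit quote the misspelt form and would need the same change. The group template argument appears to have been lost in this rendering of the diff (`InGroup>;`), so I cannot confirm from here which group the warning lands in or that the `-Wno-array-bounds` added to the out-of-bounds.c RUN line matches it.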
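Review bot: The new `CheckArrayAccess` declaration in Sema.h carries no comment, although it is called from two places in SemaExpr.cpp in this commit and its scope (constant-size array variables, integer-constant index only) is narrower than the name suggests. I would add `/// Warn when a subscript into a variable of constant array type uses an integer-constant index outside [0, size).` above the declaration. The lower-case `ae` parameter name also differs from the `FDecl`/`TheCall` style of the neighbouring declarations, but that is cosmetic.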
@@ -3080,3 +3080,33 @@ void Sema::CheckCastAlign(Expr *Op, QualType T, SourceRange TRange) {
 << TRange << Op->getSourceRange();
 }
+void Sema::CheckArrayAccess(const clang::ArraySubscriptExpr *ae) {
+ const DeclRefExpr *dr =
+ dyn_cast(ae->getBase()->IgnoreParenImpCasts());
+ if (!dr)
+ return;
+ const VarDecl *vd = cast(dr->getDecl());
+ const ConstantArrayType *cat = Context.getAsConstantArrayType(vd->getType());
+ if (!cat)
+ return;
+ const Expr *idx = ae->getIdx();
+ if (idx->isValueDependent())
+ return;
+ llvm::APSInt result;
+ if (!idx->isIntegerConstantExpr(result, Context))
+ return;
+ unsigned kind = 2;
+ if (result.slt(0))
+ kind = /* precedes */ 0;
+ else {
+ const llvm::APInt &size = cat->getSize();
+ if (size.getBitWidth() > result.getBitWidth())
+ result = result.sext(size.getBitWidth());
+ if (result.sge(size))
+ kind = /* excedes */ 1;
+ }
+ if (kind < 2)
+ Diag(ae->getBase()->getLocEnd(), diag::warn_array_index_out_of_bounds)
+ << kind << idx->getSourceRange();
+}
+
diff --git a/lib/Sema/SemaExpr.cpp b/lib/Sema/SemaExpr.cpp
index b0c337149d..760d5d58bc 100644
--- a/lib/Sema/SemaExpr.cpp
+++ b/lib/Sema/SemaExpr.cpp
@@ -294,6 +294,9 @@ void Sema::DefaultLvalueConversion(Expr *&E) {
 if (T.hasQualifiers())
 T = T.getUnqualifiedType();
+ if (const ArraySubscriptExpr *ae = dyn_cast(E))
+ CheckArrayAccess(ae);
+
 E = ImplicitCastExpr::Create(Context, T, CK_LValueToRValue, E, 0, VK_RValue);
 }
@@ -7242,6 +7245,11 @@ QualType Sema::CheckAssignmentOperands(Expr *LHS, Expr *&RHS,
 Diag(UO->getOperatorLoc(), diag::note_indirection_through_null);
 }
+ // Check for trivial buffer overflows.
+ if (const ArraySubscriptExpr *ae
+ = dyn_cast(LHS->IgnoreParenCasts()))
+ CheckArrayAccess(ae);
+
 // C99 6.5.16p3: The type of an assignment expression is the type of the
 // left operand unless the left operand has qualified type, in which case
 // it is the unqualified version of the type of the left operand.
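Review bot: `result.slt(0)` and `result.sext(...)` in the new `CheckArrayAccess` ignore the APSInt's signedness, so an unsigned constant index with its top bit set (say `x[~0u]`) is classified as negative and reported as "precedes first" rather than as exceeding the array, and an unsigned index narrower than `size` is sign-extended instead of zero-extended. The opposite width case is not handled either: when the index type is wider than `cat->getSize()` (presumably a 128-bit index on a 64-bit target), `result.sge(size)` compares APInts of different widths, which APInt asserts on. `cast(dr->getDecl())` likewise assumes the DeclRefExpr names a VarDecl; a `dyn_cast` with an early return would be safer if a non-type template parameter can reach this path. The rewrite below uses the signedness-aware `isNegative()`/`extend()`, brings both operands to a common width, and, since `result` is known non-negative at that point, compares unsigned.
```cpp
  // … unchanged: base/decl lookup, constant-index evaluation …
  unsigned kind = 2;
  // APSInt::isNegative() is signedness-aware; slt(0) would misclassify an
  // unsigned index with its top bit set as "precedes first".
  if (result.isNegative())
    kind = /* precedes */ 0;
  else {
    llvm::APInt size = cat->getSize();
    // APInt comparisons require equal widths; APSInt::extend() zero- or
    // sign-extends according to the index's own type.
    if (size.getBitWidth() > result.getBitWidth())
      result = result.extend(size.getBitWidth());
    else if (result.getBitWidth() > size.getBitWidth())
      size = size.zext(result.getBitWidth());
    // result is non-negative here, so an unsigned compare is correct
    // whatever the index's signedness.
    if (result.uge(size))
      kind = /* exceeds */ 1;
  }
  // … unchanged: Diag emission …
```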
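Review bot: The read-side hook added to `DefaultLvalueConversion` does `dyn_cast(E)` on the raw expression, while the write-side hook in `CheckAssignmentOperands` in this same commit uses `LHS->IgnoreParenCasts()`, so a parenthesised read such as `return (x[2]);` is presumably missed here unless parens are stripped before this point. `dyn_cast(E->IgnoreParens())` would make the two call sites consistent. DefaultLvalueConversion starts before this hunk.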
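Review bot: The guard added to `CheckAssignmentOperands` only reaches subscripts that are assignment targets, so writes through increment and decrement (`x[2]++`, `--y[-1]`) are not covered by either hook this commit adds, as far as I can tell the operand of `++`/`--` does not pass through DefaultLvalueConversion. If that is not intended, the same three-line guard belongs wherever increment/decrement operands are checked. A comment saying which access forms are deliberately out of scope (the test treats `&y[2]` as no-warning) would help the next reader. The enclosing function starts and ends outside the hunk.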
diff --git a/test/Analysis/out-of-bounds.c b/test/Analysis/out-of-bounds.c
index d8e4ad915a..b8d6e442ff 100644
--- a/test/Analysis/out-of-bounds.c
+++ b/test/Analysis/out-of-bounds.c
@@ -1,4 +1,4 @@
-// RUN: %clang_cc1 -analyze -analyzer-check-objc-mem -analyzer-check-buffer-overflows -verify %s
+// RUN: %clang_cc1 -Wno-array-bounds -analyze -analyzer-check-objc-mem -analyzer-check-buffer-overflows -verify %s
 // Tests doing an out-of-bounds access after the end of an array using:
 // - constant integer index
diff --git a/test/Sema/array-bounds.c b/test/Sema/array-bounds.c
new file mode 100644
index 0000000000..b540885547
--- /dev/null
+++ b/test/Sema/array-bounds.c
@@ -0,0 +1,16 @@
+// RUN: %clang_cc1 -verify %s
+
+int foo() {
+ int x[2];
+ int y[2];
+ int *p = &y[2]; // no-warning
+ (void) sizeof(x[2]); // no-warning
+ y[2] = 2; // expected-warning{{array index excedes last array element}}
+ return x[2] + // expected-warning{{array index excedes last array element}}
+ y[-1] + // expected-warning{{array index precedes first array element}}
+ x[sizeof(x)] + // expected-warning{{array index excedes last array element}}
+ x[sizeof(x) / sizeof(x[0])] + // expected-warning{{array index excedes last array element}}
+ x[sizeof(x) / sizeof(x[0]) - 1] + // no-warning
+ x[sizeof(x[2])]; // expected-warning{{array index excedes last array element}}
+}
+
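Review bot: The new test exercises only the happy path of the check: there is no unsigned or wide index, no parenthesised or increment access, and no subscript of a pointer variable to show the constant-array guard rejects it. Adding `x[~0u] + // currently reported as "precedes first"`, `(x[2]) +` and a separate `x[2]++;` statement to the function would document what each form should emit and would expose the signedness handling in CheckArrayAccess. The expected-warning strings here repeat the "excedes" spelling of the diagnostic, so they need updating together with the .td text if that is corrected.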