2020-06-19 13:38:56 +02:00
/*
* Cppcheck - A tool for static C / C + + code analysis
* Copyright ( C ) 2007 - 2020 Cppcheck team .
*
* This program is free software : you can redistribute it and / or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation , either version 3 of the License , or
* ( at your option ) any later version .
*
* This program is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
* GNU General Public License for more details .
*
* You should have received a copy of the GNU General Public License
* along with this program . If not , see < http : //www.gnu.org/licenses/>.
*/
# include "config.h"
# include "exprengine.h"
# include "settings.h"
# include "tokenize.h"
# include "testsuite.h"
class TestBughuntingChecks : public TestFixture {
public :
TestBughuntingChecks ( ) : TestFixture ( " TestBughuntingChecks " ) {
2020-06-28 21:20:59 +02:00
settings . platform ( cppcheck : : Platform : : Unix64 ) ;
2020-06-19 13:38:56 +02:00
}
private :
2020-06-28 21:20:59 +02:00
Settings settings ;
2020-06-19 13:38:56 +02:00
void run ( ) OVERRIDE {
# ifdef USE_Z3
2021-02-24 22:20:11 +01:00
settings . certainty . setEnabled ( Certainty : : inconclusive , true ) ;
2020-06-28 21:20:59 +02:00
LOAD_LIB_2 ( settings . library , " std.cfg " ) ;
2020-08-22 11:37:44 +02:00
TEST_CASE ( checkAssignment ) ;
2020-12-05 11:46:07 +01:00
TEST_CASE ( arrayIndexOutOfBounds1 ) ;
2020-12-05 20:39:54 +01:00
TEST_CASE ( arrayIndexOutOfBounds2 ) ;
2020-12-06 17:44:07 +01:00
TEST_CASE ( arrayIndexOutOfBounds3 ) ;
2020-12-07 06:27:14 +01:00
TEST_CASE ( arrayIndexOutOfBounds4 ) ;
2020-12-07 19:58:19 +01:00
TEST_CASE ( arrayIndexOutOfBounds5 ) ;
2021-01-01 08:57:35 +01:00
TEST_CASE ( arrayIndexOutOfBounds6 ) ;
2020-12-18 21:32:23 +01:00
TEST_CASE ( arrayIndexOutOfBoundsDim1 ) ;
2020-12-05 11:47:57 +01:00
TEST_CASE ( bufferOverflowMemCmp1 ) ;
TEST_CASE ( bufferOverflowMemCmp2 ) ;
TEST_CASE ( bufferOverflowStrcpy1 ) ;
TEST_CASE ( bufferOverflowStrcpy2 ) ;
2020-12-28 19:59:51 +01:00
TEST_CASE ( divisionByZeroNoReturn ) ;
2020-06-19 13:38:56 +02:00
TEST_CASE ( uninit ) ;
2020-06-27 18:09:43 +02:00
TEST_CASE ( uninit_array ) ;
2020-06-27 12:17:11 +02:00
TEST_CASE ( uninit_function_par ) ;
2020-06-28 21:20:59 +02:00
TEST_CASE ( uninit_malloc ) ;
2020-07-18 18:54:21 +02:00
TEST_CASE ( uninit_struct ) ;
2020-07-19 16:54:44 +02:00
TEST_CASE ( uninit_bailout ) ;
2020-09-07 21:19:07 +02:00
TEST_CASE ( uninit_fp_smartptr ) ;
TEST_CASE ( uninit_fp_struct ) ;
2020-09-09 18:26:04 +02:00
TEST_CASE ( uninit_fp_struct_member_init_2 ) ;
2020-09-07 16:25:37 +02:00
TEST_CASE ( uninit_fp_template_var ) ;
2020-06-20 23:00:39 +02:00
TEST_CASE ( ctu ) ;
2020-06-19 13:38:56 +02:00
# endif
}
void check ( const char code [ ] ) {
2020-12-28 19:59:51 +01:00
settings . bugHunting = settings . library . bugHunting = true ;
2020-06-19 13:38:56 +02:00
Tokenizer tokenizer ( & settings , this ) ;
std : : istringstream istr ( code ) ;
tokenizer . tokenize ( istr , " test.cpp " ) ;
errout . str ( " " ) ;
ExprEngine : : runChecks ( this , & tokenizer , & settings ) ;
}
2020-08-22 11:37:44 +02:00
void checkAssignment ( ) {
check ( " void foo(int any) { __cppcheck_low__(0) int x; x = any; } " ) ;
ASSERT_EQUALS ( " [test.cpp:1]: (error) There is assignment, cannot determine that value is greater or equal with 0 \n " , errout . str ( ) ) ;
check ( " struct S { __cppcheck_low__(0) int x; }; \n "
" void foo(S *s, int any) { s->x = any; } " ) ;
ASSERT_EQUALS ( " [test.cpp:2]: (error) There is assignment, cannot determine that value is greater or equal with 0 \n " , errout . str ( ) ) ;
}
2020-12-05 11:46:07 +01:00
void arrayIndexOutOfBounds1 ( ) {
check ( " void foo(int x) { \n "
" int p[8]; "
" p[x] = 0; \n "
" } " ) ;
ASSERT_EQUALS ( " [test.cpp:2]: (error) Array index out of bounds, cannot determine that x is less than 8 \n "
" [test.cpp:2]: (error) Array index out of bounds, cannot determine that x is not negative \n " ,
errout . str ( ) ) ;
}
2020-12-06 17:44:07 +01:00
void arrayIndexOutOfBounds2 ( ) { // loop
2020-12-05 20:39:54 +01:00
check ( " void foo(int n) { \n "
2020-12-06 10:13:10 +01:00
" int p[8]; \n "
" for (int i = 0; i < n; i++) \n "
" p[i] = 0; \n "
" } " ) ;
ASSERT_EQUALS ( " [test.cpp:4]: (error) Array index out of bounds, cannot determine that i is less than 8 \n "
" [test.cpp:4]: (error) Array index out of bounds, cannot determine that i is not negative \n " ,
errout . str ( ) ) ;
// .. with unknown expression
check ( " void foo(int n) { \n "
" int p[8]; \n "
" crx_data_header_t *d = \n "
" &libraw_internal_data.unpacker_data.crx_header[framei]; \n "
" for (int i = 0; i < n; i++) \n "
2020-12-05 20:39:54 +01:00
" p[i] = 0; \n "
" } " ) ;
2020-12-06 10:13:10 +01:00
ASSERT_EQUALS ( " [test.cpp:6]: (error) Array index out of bounds, cannot determine that i is less than 8 \n "
" [test.cpp:6]: (error) Array index out of bounds, cannot determine that i is not negative \n " ,
2020-12-05 20:39:54 +01:00
errout . str ( ) ) ;
}
2020-12-06 17:44:07 +01:00
void arrayIndexOutOfBounds3 ( ) { // struct
check ( " struct S { int x; }; \n "
" void foo(short i) { \n "
" S s[8]; \n "
" if (s[i].x == 0) {} \n "
" } " ) ;
ASSERT_EQUALS ( " [test.cpp:4]: (error) Array index out of bounds, cannot determine that i is less than 8 \n "
" [test.cpp:4]: (error) Array index out of bounds, cannot determine that i is not negative \n "
" [test.cpp:4]: (error) Cannot determine that 's[i]' is initialized \n " ,
errout . str ( ) ) ;
}
2020-12-07 06:27:14 +01:00
void arrayIndexOutOfBounds4 ( ) { // ensure there are warnings for bailout value
check ( " void foo(short i) { \n "
" int buf[8]; \n "
" \n "
" data *d = x; \n "
" switch (d->layout) { case 0: break; } \n "
" \n "
" if (buf[i] > 0) {} \n "
" } " ) ;
ASSERT_EQUALS ( " [test.cpp:7]: (error) Array index out of bounds, cannot determine that i is less than 8 \n "
" [test.cpp:7]: (error) Array index out of bounds, cannot determine that i is not negative \n "
" [test.cpp:7]: (error) Cannot determine that 'buf[i]' is initialized \n " ,
errout . str ( ) ) ;
}
2020-12-07 19:58:19 +01:00
void arrayIndexOutOfBounds5 ( ) {
check ( " struct { \n "
" struct { int z; } y; \n "
" } x; \n "
" \n "
" void foo(int i) { \n "
" for (int c = 0; c <= i; c++) \n "
" x.y.z = 13; \n "
" int buf[10]; \n "
" if (buf[i] > 0) { } \n "
" } " ) ;
ASSERT_EQUALS ( " [test.cpp:9]: (error) Array index out of bounds, cannot determine that i is less than 10 \n "
" [test.cpp:9]: (error) Array index out of bounds, cannot determine that i is not negative \n "
" [test.cpp:9]: (error) Cannot determine that 'buf[i]' is initialized \n " ,
errout . str ( ) ) ;
}
2021-01-01 08:58:54 +01:00
2021-01-01 08:57:35 +01:00
void arrayIndexOutOfBounds6 ( ) {
check ( " int buf[5]; \n "
" uint16_t foo(size_t offset) { \n "
" uint8_t c = (offset & 0xc0) >> 6; \n "
" return 2 * buf[c]; \n "
" } " ) ;
2021-01-01 08:58:54 +01:00
ASSERT_EQUALS ( " [test.cpp:4]: (error) Array index out of bounds, cannot determine that c is less than 5 \n " , errout . str ( ) ) ;
2021-01-01 08:57:35 +01:00
}
2020-12-07 19:58:19 +01:00
2020-12-18 21:32:23 +01:00
void arrayIndexOutOfBoundsDim1 ( ) { // itc test case
check ( " void overrun_st_008 () { \n "
" int buf[5][6]; \n "
" buf[5][5] = 1; \n "
" } " ) ;
ASSERT_EQUALS ( " [test.cpp:3]: (error) Array index out of bounds, cannot determine that 5 is less than 5 \n " , errout . str ( ) ) ;
}
2020-12-05 11:47:57 +01:00
void bufferOverflowMemCmp1 ( ) {
// CVE-2020-24265
check ( " void foo(const char *pktdata, int datalen) { \n "
" if (memcmp(pktdata, \" MGC \" , 3)) {} \n "
" } " ) ;
ASSERT_EQUALS ( " [test.cpp:2]: (error) Buffer read/write, when calling 'memcmp' it cannot be determined that 1st argument is not overflowed \n " , errout . str ( ) ) ;
}
void bufferOverflowMemCmp2 ( ) {
check ( " void foo(const char *pktdata, unsigned int datalen) { \n "
" if (memcmp(pktdata, \" MGC \" , datalen)) {} \n "
" } " ) ;
ASSERT_EQUALS ( " [test.cpp:2]: (error) Buffer read/write, when calling 'memcmp' it cannot be determined that 1st argument is not overflowed \n " , errout . str ( ) ) ;
}
void bufferOverflowStrcpy1 ( ) {
check ( " void foo(char *p) { \n "
" strcpy(p, \" hello \" ); \n "
" } " ) ;
ASSERT_EQUALS ( " [test.cpp:2]: (error) Buffer read/write, when calling 'strcpy' it cannot be determined that 1st argument is not overflowed \n " , errout . str ( ) ) ;
}
void bufferOverflowStrcpy2 ( ) {
check ( " void foo(char *p, const char *q) { \n "
" strcpy(p, q); \n "
" } " ) ;
ASSERT_EQUALS ( " [test.cpp:2]: (error) Buffer read/write, when calling 'strcpy' it cannot be determined that 1st argument is not overflowed \n " , errout . str ( ) ) ;
}
2020-12-28 19:59:51 +01:00
void divisionByZeroNoReturn ( ) {
// Don't know if function is noreturn or not..
check ( " int f(int leftarg, int rightarg) { \n "
" if (rightarg == 0) \n "
" raise (SIGFPE); \n " // <- maybe noreturn
" return leftarg / rightarg; \n "
" } " ) ;
ASSERT_EQUALS ( " [test.cpp:4]: (error) There is division, cannot determine that there can't be a division by zero. \n " , errout . str ( ) ) ;
}
2020-06-19 13:38:56 +02:00
void uninit ( ) {
check ( " void foo() { int x; x = x + 1; } " ) ;
2020-06-19 14:05:19 +02:00
ASSERT_EQUALS ( " [test.cpp:1]: (error) Cannot determine that 'x' is initialized \n " , errout . str ( ) ) ;
2020-06-19 13:38:56 +02:00
check ( " void foo() { int x; int y = x + 1; } " ) ;
ASSERT_EQUALS ( " [test.cpp:1]: (error) Cannot determine that 'x' is initialized \n " , errout . str ( ) ) ;
check ( " void foo() { int x; x++; } " ) ;
2020-06-19 17:35:35 +02:00
ASSERT_EQUALS ( " [test.cpp:1]: (error) Cannot determine that 'x' is initialized \n " , errout . str ( ) ) ;
2020-06-19 13:38:56 +02:00
}
2020-06-27 18:09:43 +02:00
void uninit_array ( ) {
check ( " void foo(int x) { \n "
" int a[10]; \n "
" if (x > 0) a[0] = 32; \n "
" return a[0]; \n "
" } " ) ;
ASSERT_EQUALS ( " [test.cpp:4]: (error) Cannot determine that 'a[0]' is initialized \n " , errout . str ( ) ) ;
}
2020-06-20 23:00:39 +02:00
2020-06-27 12:17:11 +02:00
void uninit_function_par ( ) {
// non constant parameters may point at uninitialized data
// constant parameters should point at initialized data
check ( " char foo(char id[]) { return id[0]; } " ) ;
2020-12-08 11:16:26 +01:00
ASSERT_EQUALS ( " [test.cpp:1]: (error) Cannot determine that 'id[0]' is initialized (you can use 'const' to say data must be initialized) \n " , errout . str ( ) ) ;
2020-06-27 12:17:11 +02:00
check ( " char foo(const char id[]) { return id[0]; } " ) ;
ASSERT_EQUALS ( " " , errout . str ( ) ) ;
check ( " char foo(const char id[]); \n "
" void bar() { char data[10]; foo(data); } " ) ;
2020-06-27 14:59:02 +02:00
ASSERT_EQUALS ( " [test.cpp:2]: (error) Cannot determine that 'data[0]' is initialized \n " , errout . str ( ) ) ;
2020-06-27 12:17:11 +02:00
check ( " char foo(char id[]); \n "
" void bar() { char data[10]; foo(data); } " ) ;
2020-07-13 11:43:11 +02:00
ASSERT_EQUALS ( " [test.cpp:2]: (error, inconclusive) Cannot determine that 'data[0]' is initialized. It is inconclusive if there would be a problem in the function call. \n " , errout . str ( ) ) ;
2020-06-27 14:59:02 +02:00
check ( " void foo(int *p) { if (p) *p=0; } " ) ;
ASSERT_EQUALS ( " " , errout . str ( ) ) ;
2020-12-08 13:34:46 +01:00
check ( " class C { \n "
" public: \n "
" C(); \n "
" int x; \n "
" }; \n "
" \n "
" void foo(const C &c) { int x = c.x; } " ) ;
ASSERT_EQUALS ( " " , errout . str ( ) ) ;
2020-06-27 12:17:11 +02:00
}
2020-06-28 21:20:59 +02:00
void uninit_malloc ( ) {
check ( " void foo() { char *p = malloc(10); return *p; } " ) ;
ASSERT_EQUALS ( " [test.cpp:1]: (error) Cannot determine that '*p' is initialized \n " , errout . str ( ) ) ;
}
2020-07-18 18:54:21 +02:00
void uninit_struct ( ) {
// Assume that constructors initialize all members
// TODO whole program analysis
check ( " struct Data { Data(); int x; } \n "
" void foo() { \n "
" Data data; \n "
" x = data.x; \n "
" } " ) ;
ASSERT_EQUALS ( " " , errout . str ( ) ) ;
}
2020-07-19 16:54:44 +02:00
void uninit_bailout ( ) {
check ( " void foo() { \n "
" __CPPCHECK_BAILOUT__; \n "
" int values[5]; \n "
" values[i] = 123; \n "
" } " ) ;
ASSERT_EQUALS ( " " , errout . str ( ) ) ;
check ( " void foo() { \n "
" __CPPCHECK_BAILOUT__; \n "
" std::ostringstream comm; \n "
" comm << 123; \n "
" } " ) ;
ASSERT_EQUALS ( " " , errout . str ( ) ) ;
}
2020-06-20 23:00:39 +02:00
void ctu ( ) {
check ( " void init(int &x) { \n "
" x = 1; \n "
" } \n "
" \n "
" void foo() { \n "
" int x; \n "
" init(x); \n "
" x++; \n "
" } " ) ;
ASSERT_EQUALS ( " " , errout . str ( ) ) ;
check ( " void init(int a, int &x) { \n "
" if (a < 10) \n "
" x = 1; \n "
" } \n "
" \n "
" void foo(int a) { \n "
" int x; \n "
" init(a, x); \n "
" x++; \n "
" } " ) ;
ASSERT_EQUALS ( " [test.cpp:9]: (error) Cannot determine that 'x' is initialized \n " , errout . str ( ) ) ;
check ( " void init(int a, int &x) { \n "
" if (a < 10) \n "
" x = 1; \n "
" else \n "
" x = 3; \n "
" } \n "
" \n "
" void foo(int a) { \n "
" int x; \n "
" init(a, x); \n "
" x++; \n "
" } " ) ;
ASSERT_EQUALS ( " " , errout . str ( ) ) ;
}
2020-09-07 09:13:31 +02:00
2020-09-07 21:19:07 +02:00
void uninit_fp_smartptr ( ) {
2020-09-07 09:13:31 +02:00
check ( " void foo() { \n "
" std::unique_ptr<std::string> buffer; \n "
" try { } catch (std::exception& e) { } \n "
" doneCallback(std::move(buffer)); \n "
" } " ) ;
ASSERT_EQUALS ( " " , errout . str ( ) ) ;
}
2020-09-07 16:25:37 +02:00
2020-09-07 21:19:07 +02:00
void uninit_fp_struct ( ) {
check ( " struct Pos { \n "
" int x {0}; \n "
" int y {0}; \n "
" }; \n "
" \n "
" void dostuff() { \n "
" auto obj = C {}; \n "
" Pos xy; \n "
" foo(xy); \n "
" } " ) ;
ASSERT_EQUALS ( " " , errout . str ( ) ) ;
}
2020-09-09 18:26:04 +02:00
void uninit_fp_struct_member_init_2 ( ) {
check ( " struct A { \n "
" int x {0}; int y {0}; \n "
" }; \n "
" void foo(const A& a) { \n "
" bar(a); \n "
" } " ) ;
ASSERT_EQUALS ( " " , errout . str ( ) ) ;
}
2020-09-07 16:25:37 +02:00
void uninit_fp_template_var ( ) {
check ( " void foo() { \n "
" X*x = DYNAMIC_CAST(X, p); \n "
" C<int> c; \n "
" f(c); \n "
" } " ) ;
ASSERT_EQUALS ( " " , errout . str ( ) ) ;
}
2020-06-19 13:38:56 +02:00
} ;
REGISTER_TEST ( TestBughuntingChecks )