Fixed #3933 (Negative array index issue (because sizeof struct is assumed to be 100))
This commit is contained in:
Daniel Marjamäki
parent
3368514e7e
commit
a99515ca91
|
|
@ -3035,14 +3035,6 @@ void Tokenizer::createLinks2()
|
|||
|
||||
bool Tokenizer::simplifySizeof()
|
||||
{
|
||||
for (Token *tok = list.front(); tok; tok = tok->next()) {
|
||||
if (Token::Match(tok, "class|struct %var%")) {
|
||||
// we assume that the size of structs and classes are always
|
||||
// 100 bytes.
|
||||
_typeSize[tok->next()->str()] = 100;
|
||||
}
|
||||
}
|
||||
|
||||
// Locate variable declarations and calculate the size
|
||||
std::map<unsigned int, std::string> sizeOfVar;
|
||||
for (Token *tok = list.front(); tok; tok = tok->next()) {
|
||||
|
|
@ -3060,10 +3052,6 @@ bool Tokenizer::simplifySizeof()
|
|||
sizeOfVar[varId] = MathLib::longToString(size);
|
||||
}
|
||||
|
||||
else if (Token::Match(tok->tokAt(-3), "[;{}(,] struct %type% %var% [;,)]")) {
|
||||
sizeOfVar[varId] = "100";
|
||||
}
|
||||
|
||||
else if (Token::Match(tok->previous(), "%type% %var% [ %num% ] [;=]") ||
|
||||
Token::Match(tok->tokAt(-2), "%type% * %var% [ %num% ] [;=]")) {
|
||||
const unsigned int size = sizeOfType(tok->previous());
|
||||
|
|
|
|||
|
|
@ -563,7 +563,7 @@ private:
|
|||
"}\n");
|
||||
TODO_ASSERT_EQUALS("[test.cpp:9]: (error) Array 'str[1]' accessed at index 11, which is out of bounds.\n", "", errout.str());
|
||||
|
||||
// This is out of bounds because it is outside the memory allocated.
|
||||
// This is out of bounds if 'sizeof(ABC)' is 1 (No padding)
|
||||
check("struct ABC\n"
|
||||
"{\n"
|
||||
" char str[1];\n"
|
||||
|
|
@ -574,7 +574,7 @@ private:
|
|||
" struct ABC* x = (struct ABC *)malloc(sizeof(ABC) + 10);\n"
|
||||
" x->str[11] = 0;"
|
||||
"}\n");
|
||||
ASSERT_EQUALS("[test.cpp:9]: (error) Array 'x.str[11]' accessed at index 11, which is out of bounds.\n", errout.str());
|
||||
TODO_ASSERT_EQUALS("error", "", errout.str());
|
||||
|
||||
// This is out of bounds because it is outside the memory allocated
|
||||
/** @todo this doesn't work because of a bug in sizeof(struct) */
|
||||
|
|
@ -591,6 +591,7 @@ private:
|
|||
TODO_ASSERT_EQUALS("[test.cpp:9]: (error) Array 'str[1]' accessed at index 1, which is out of bounds.\n", "", errout.str());
|
||||
|
||||
// This is out of bounds because it is outside the memory allocated
|
||||
// But only if 'sizeof(ABC)' is 1 (No padding)
|
||||
check("struct ABC\n"
|
||||
"{\n"
|
||||
" char str[1];\n"
|
||||
|
|
@ -601,7 +602,7 @@ private:
|
|||
" struct ABC* x = (struct ABC *)malloc(sizeof(ABC));\n"
|
||||
" x->str[1] = 0;"
|
||||
"}\n");
|
||||
ASSERT_EQUALS("[test.cpp:9]: (error) Array 'x.str[1]' accessed at index 1, which is out of bounds.\n", errout.str());
|
||||
TODO_ASSERT_EQUALS("error", "", errout.str());
|
||||
|
||||
// This is out of bounds because it is not a variable array
|
||||
check("struct ABC\n"
|
||||
|
|
@ -2791,6 +2792,7 @@ private:
|
|||
"}\n");
|
||||
ASSERT_EQUALS("[test.cpp:5]: (error) Buffer is accessed out of bounds.\n", errout.str());
|
||||
|
||||
// This is out of bounds if 'sizeof(ABC)' is 1 (No padding)
|
||||
check("struct Foo { char a[1]; };\n"
|
||||
"void f()\n"
|
||||
"{\n"
|
||||
|
|
@ -2798,7 +2800,7 @@ private:
|
|||
" sprintf(x.a, \"aa\");\n"
|
||||
" free(x);\n"
|
||||
"}\n");
|
||||
ASSERT_EQUALS("[test.cpp:5]: (error) Buffer is accessed out of bounds.\n", errout.str());
|
||||
TODO_ASSERT_EQUALS("error", "", errout.str());
|
||||
|
||||
check("struct Foo { char a[1]; };\n"
|
||||
"void f()\n"
|
||||
|
|
@ -2883,6 +2885,7 @@ private:
|
|||
"}\n");
|
||||
ASSERT_EQUALS("[test.cpp:5]: (error) snprintf size is out of bounds: Supplied size 2 is larger than actual size 1.\n", errout.str());
|
||||
|
||||
// This is out of bounds if 'sizeof(ABC)' is 1 (No padding)
|
||||
check("struct Foo { char a[1]; };\n"
|
||||
"void f()\n"
|
||||
"{\n"
|
||||
|
|
@ -2890,7 +2893,7 @@ private:
|
|||
" snprintf(x.a, 2, \"aa\");\n"
|
||||
" free(x);\n"
|
||||
"}\n");
|
||||
ASSERT_EQUALS("[test.cpp:5]: (error) snprintf size is out of bounds: Supplied size 2 is larger than actual size 1.\n", errout.str());
|
||||
TODO_ASSERT_EQUALS("error", "", errout.str());
|
||||
|
||||
check("struct Foo { char a[1]; };\n"
|
||||
"void f()\n"
|
||||
|
|
|
|||
|
|
@ -65,7 +65,6 @@ private:
|
|||
TEST_CASE(elseif1);
|
||||
TEST_CASE(ifa_ifa); // "if (a) { if (a) .." => "if (a) { if (1) .."
|
||||
|
||||
TEST_CASE(sizeof1);
|
||||
TEST_CASE(sizeof2);
|
||||
TEST_CASE(sizeof3);
|
||||
TEST_CASE(sizeof4);
|
||||
|
|
@ -88,7 +87,6 @@ private:
|
|||
TEST_CASE(sizeof21); // #2232 - sizeof...(Args)
|
||||
TEST_CASE(sizeof22); // #2599
|
||||
TEST_CASE(sizeof23); // #2604
|
||||
TEST_CASE(sizeof24); // struct variable
|
||||
TEST_CASE(sizeofsizeof);
|
||||
TEST_CASE(casting);
|
||||
|
||||
|
|
@ -973,10 +971,6 @@ private:
|
|||
return tokenizer.sizeOfType(&tok1);
|
||||
}
|
||||
|
||||
void sizeof1() {
|
||||
ASSERT_EQUALS("struct ABC * abc ; abc = malloc ( 100 ) ;", tok("struct ABC *abc = malloc(sizeof(*abc));"));
|
||||
ASSERT_EQUALS("struct ABC * abc ; abc = malloc ( 100 ) ;", tok("struct ABC *abc = malloc(sizeof *abc );"));
|
||||
}
|
||||
|
||||
|
||||
void sizeof2() {
|
||||
|
|
@ -1505,7 +1499,7 @@ private:
|
|||
ASSERT_EQUALS("struct struct_a { char a [ 20 ] ; } ; "
|
||||
"void foo ( ) {"
|
||||
" struct_a a ;"
|
||||
" append ( 100 ) . append ( ) ; "
|
||||
" append ( sizeof ( a ) ) . append ( ) ; "
|
||||
"}", tok(code));
|
||||
}
|
||||
|
||||
|
|
@ -1544,11 +1538,6 @@ private:
|
|||
tok(code);
|
||||
}
|
||||
|
||||
void sizeof24() {
|
||||
const char code[] = "; struct AB ab; sizeof(ab)";
|
||||
ASSERT_EQUALS("; struct AB ab ; 100", tok(code));
|
||||
}
|
||||
|
||||
|
||||
void sizeofsizeof() {
|
||||
// ticket #1682
|
||||
|
|
|
|||
Loading…
Reference in New Issue