/*
* Cppcheck - A tool for static C/C++ code analysis
* Copyright (C) 2007-2022 Cppcheck team.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "errortypes.h"
#include "exprengine.h"
#include "library.h"
#include "platform.h"
#include "settings.h"
#include "tokenize.h"
#include "testsuite.h"
#include <iosfwd>
class TestBughuntingChecks : public TestFixture {
public:
TestBughuntingChecks() : TestFixture("TestBughuntingChecks") {
settings.platform(cppcheck::Platform::Unix64);
}
private:
Settings settings;
void run() override {
#ifdef USE_Z3
settings.certainty.setEnabled(Certainty::inconclusive, true);
LOAD_LIB_2(settings.library, "std.cfg");
TEST_CASE(checkAssignment);
TEST_CASE(arrayIndexOutOfBounds1);
TEST_CASE(arrayIndexOutOfBounds2);
TEST_CASE(arrayIndexOutOfBounds3);
TEST_CASE(arrayIndexOutOfBounds4);
TEST_CASE(arrayIndexOutOfBounds5);
TEST_CASE(arrayIndexOutOfBounds6);
TEST_CASE(arrayIndexOutOfBoundsDim1);
TEST_CASE(bufferOverflowMemCmp1);
TEST_CASE(bufferOverflowMemCmp2);
TEST_CASE(bufferOverflowStrcpy1);
TEST_CASE(bufferOverflowStrcpy2);
TEST_CASE(divisionByZeroNoReturn);
TEST_CASE(uninit);
TEST_CASE(uninit_array);
TEST_CASE(uninit_function_par);
TEST_CASE(uninit_malloc);
TEST_CASE(uninit_struct);
TEST_CASE(uninit_bailout);
TEST_CASE(uninit_fp_smartptr);
TEST_CASE(uninit_fp_struct);
TEST_CASE(uninit_fp_struct_member_init_2);
TEST_CASE(uninit_fp_template_var);
TEST_CASE(ctu);
#endif
}
void check(const char code[]) {
settings.bugHunting = settings.library.bugHunting = true;
Tokenizer tokenizer(&settings, this);
std::istringstream istr(code);
tokenizer.tokenize(istr, "test.cpp");
errout.str("");
ExprEngine::runChecks(this, &tokenizer, &settings);
}
void checkAssignment() {
check("void foo(int any) { __cppcheck_low__(0) int x; x = any; }");
ASSERT_EQUALS("[test.cpp:1]: (error) There is assignment, cannot determine that value is greater or equal with 0\n", errout.str());
check("struct S { __cppcheck_low__(0) int x; };\n"
"void foo(S *s, int any) { s->x = any; }");
ASSERT_EQUALS("[test.cpp:2]: (error) There is assignment, cannot determine that value is greater or equal with 0\n", errout.str());
}
void arrayIndexOutOfBounds1() {
check("void foo(int x) {\n"
" int p[8];"
" p[x] = 0;\n"
"}");
ASSERT_EQUALS("[test.cpp:2]: (error) Array index out of bounds, cannot determine that x is less than 8\n"
"[test.cpp:2]: (error) Array index out of bounds, cannot determine that x is not negative\n",
errout.str());
}
void arrayIndexOutOfBounds2() { // loop
check("void foo(int n) {\n"
" int p[8];\n"
" for (int i = 0; i < n; i++)\n"
" p[i] = 0;\n"
"}");
ASSERT_EQUALS("[test.cpp:4]: (error) Array index out of bounds, cannot determine that i is less than 8\n"
"[test.cpp:4]: (error) Array index out of bounds, cannot determine that i is not negative\n",
errout.str());
// .. with unknown expression
check("void foo(int n) {\n"
" int p[8];\n"
" crx_data_header_t *d =\n"
" &libraw_internal_data.unpacker_data.crx_header[framei];\n"
" for (int i = 0; i < n; i++)\n"
" p[i] = 0;\n"
"}");
ASSERT_EQUALS("[test.cpp:6]: (error) Array index out of bounds, cannot determine that i is less than 8\n"
"[test.cpp:6]: (error) Array index out of bounds, cannot determine that i is not negative\n",
errout.str());
}
void arrayIndexOutOfBounds3() { // struct
check("struct S { int x; };\n"
"void foo(short i) {\n"
" S s[8];\n"
" if (s[i].x == 0) {}\n"
"}");
ASSERT_EQUALS("[test.cpp:4]: (error) Array index out of bounds, cannot determine that i is less than 8\n"
"[test.cpp:4]: (error) Array index out of bounds, cannot determine that i is not negative\n"
"[test.cpp:4]: (error) Cannot determine that 's[i]' is initialized\n",
errout.str());
}
void arrayIndexOutOfBounds4() { // ensure there are warnings for bailout value
check("void foo(short i) {\n"
" int buf[8];\n"
"\n"
" data *d = x;\n"
" switch (d->layout) { case 0: break; }\n"
"\n"
" if (buf[i] > 0) {}\n"
"}");
ASSERT_EQUALS("[test.cpp:7]: (error) Array index out of bounds, cannot determine that i is less than 8\n"
"[test.cpp:7]: (error) Array index out of bounds, cannot determine that i is not negative\n"
"[test.cpp:7]: (error) Cannot determine that 'buf[i]' is initialized\n",
errout.str());
}
void arrayIndexOutOfBounds5() {
check("struct {\n"
" struct { int z; } y;\n"
"} x;\n"
"\n"
"void foo(int i) {\n"
" for (int c = 0; c <= i; c++)\n"
" x.y.z = 13;\n"
" int buf[10];\n"
" if (buf[i] > 0) { }\n"
"}");
ASSERT_EQUALS("[test.cpp:9]: (error) Array index out of bounds, cannot determine that i is less than 10\n"
"[test.cpp:9]: (error) Array index out of bounds, cannot determine that i is not negative\n"
"[test.cpp:9]: (error) Cannot determine that 'buf[i]' is initialized\n",
errout.str());
}
void arrayIndexOutOfBounds6() {
check("int buf[5];\n"
"uint16_t foo(size_t offset) {\n"
" uint8_t c = (offset & 0xc0) >> 6;\n"
" return 2 * buf[c];\n"
"}");
ASSERT_EQUALS("[test.cpp:4]: (error) Array index out of bounds, cannot determine that c is less than 5\n", errout.str());
}
void arrayIndexOutOfBoundsDim1() { // itc test case
check("void overrun_st_008 () {\n"
" int buf[5][6];\n"
" buf[5][5] = 1;\n"
"}");
ASSERT_EQUALS("[test.cpp:3]: (error) Array index out of bounds, cannot determine that 5 is less than 5\n", errout.str());
}
void bufferOverflowMemCmp1() {
// CVE-2020-24265
check("void foo(const char *pktdata, int datalen) {\n"
" if (memcmp(pktdata, \"MGC\", 3)) {}\n"
"}");
ASSERT_EQUALS("[test.cpp:2]: (error) Buffer read/write, when calling 'memcmp' it cannot be determined that 1st argument is not overflowed\n", errout.str());
}
void bufferOverflowMemCmp2() {
check("void foo(const char *pktdata, unsigned int datalen) {\n"
" if (memcmp(pktdata, \"MGC\", datalen)) {}\n"
"}");
ASSERT_EQUALS("[test.cpp:2]: (error) Buffer read/write, when calling 'memcmp' it cannot be determined that 1st argument is not overflowed\n", errout.str());
}
void bufferOverflowStrcpy1() {
check("void foo(char *p) {\n"
" strcpy(p, \"hello\");\n"
"}");
ASSERT_EQUALS("[test.cpp:2]: (error) Buffer read/write, when calling 'strcpy' it cannot be determined that 1st argument is not overflowed\n", errout.str());
}
void bufferOverflowStrcpy2() {
check("void foo(char *p, const char *q) {\n"
" strcpy(p, q);\n"
"}");
ASSERT_EQUALS("[test.cpp:2]: (error) Buffer read/write, when calling 'strcpy' it cannot be determined that 1st argument is not overflowed\n", errout.str());
}
void divisionByZeroNoReturn() {
// Don't know if function is noreturn or not..
check("int f(int leftarg, int rightarg) {\n"
" if (rightarg == 0)\n"
" raise (SIGFPE);\n" // <- maybe noreturn
" return leftarg / rightarg;\n"
"}");
ASSERT_EQUALS("[test.cpp:4]: (error) There is division, cannot determine that there can't be a division by zero.\n", errout.str());
}
void uninit() {
check("void foo() { int x; x = x + 1; }");
ASSERT_EQUALS("[test.cpp:1]: (error) Cannot determine that 'x' is initialized\n", errout.str());
check("void foo() { int x; int y = x + 1; }");
ASSERT_EQUALS("[test.cpp:1]: (error) Cannot determine that 'x' is initialized\n", errout.str());
check("void foo() { int x; x++; }");
ASSERT_EQUALS("[test.cpp:1]: (error) Cannot determine that 'x' is initialized\n", errout.str());
}
void uninit_array() {
check("void foo(int x) {\n"
" int a[10];\n"
" if (x > 0) a[0] = 32;\n"
" return a[0];\n"
"}");
ASSERT_EQUALS("[test.cpp:4]: (error) Cannot determine that 'a[0]' is initialized\n", errout.str());
}
void uninit_function_par() {
// non constant parameters may point at uninitialized data
// constant parameters should point at initialized data
check("char foo(char id[]) { return id[0]; }");
ASSERT_EQUALS("[test.cpp:1]: (error) Cannot determine that 'id[0]' is initialized (you can use 'const' to say data must be initialized)\n", errout.str());
check("char foo(const char id[]) { return id[0]; }");
ASSERT_EQUALS("", errout.str());
check("char foo(const char id[]);\n"
"void bar() { char data[10]; foo(data); }");
ASSERT_EQUALS("[test.cpp:2]: (error) Cannot determine that 'data[0]' is initialized\n", errout.str());
check("char foo(char id[]);\n"
"void bar() { char data[10]; foo(data); }");
ASSERT_EQUALS("[test.cpp:2]: (error, inconclusive) Cannot determine that 'data[0]' is initialized. It is inconclusive if there would be a problem in the function call.\n", errout.str());
check("void foo(int *p) { if (p) *p=0; }");
ASSERT_EQUALS("", errout.str());
check("class C {\n"
"public:\n"
" C();\n"
" int x;\n"
"};\n"
"\n"
"void foo(const C &c) { int x = c.x; }");
ASSERT_EQUALS("", errout.str());
}
void uninit_malloc() {
check("void foo() { char *p = malloc(10); return *p; }");
ASSERT_EQUALS("[test.cpp:1]: (error) Cannot determine that '*p' is initialized\n", errout.str());
}
void uninit_struct() {
// Assume that constructors initialize all members
// TODO whole program analysis
check("struct Data { Data(); int x; }\n"
"void foo() {\n"
" Data data;\n"
" x = data.x;\n"
"}");
ASSERT_EQUALS("", errout.str());
}
void uninit_bailout() {
check("void foo() {\n"
" __CPPCHECK_BAILOUT__;\n"
" int values[5];\n"
" values[i] = 123;\n"
"}");
ASSERT_EQUALS("", errout.str());
check("void foo() {\n"
" __CPPCHECK_BAILOUT__;\n"
" std::ostringstream comm;\n"
" comm << 123;\n"
"}");
ASSERT_EQUALS("", errout.str());
}
void ctu() {
check("void init(int &x) {\n"
" x = 1;\n"
"}\n"
"\n"
"void foo() {\n"
" int x;\n"
" init(x);\n"
" x++;\n"
"}");
ASSERT_EQUALS("", errout.str());
check("void init(int a, int &x) {\n"
" if (a < 10)\n"
" x = 1;\n"
"}\n"
"\n"
"void foo(int a) {\n"
" int x;\n"
" init(a, x);\n"
" x++;\n"
"}");
ASSERT_EQUALS("[test.cpp:9]: (error) Cannot determine that 'x' is initialized\n", errout.str());
check("void init(int a, int &x) {\n"
" if (a < 10)\n"
" x = 1;\n"
" else\n"
" x = 3;\n"
"}\n"
"\n"
"void foo(int a) {\n"
" int x;\n"
" init(a, x);\n"
" x++;\n"
"}");
ASSERT_EQUALS("", errout.str());
}
void uninit_fp_smartptr() {
check("void foo() {\n"
" std::unique_ptr<std::string> buffer;\n"
" try { } catch (std::exception& e) { }\n"
" doneCallback(std::move(buffer));\n"
"}");
ASSERT_EQUALS("", errout.str());
}
void uninit_fp_struct() {
check("struct Pos {\n"
" int x {0};\n"
" int y {0};\n"
"};\n"
"\n"
"void dostuff() {\n"
" auto obj = C {};\n"
" Pos xy;\n"
" foo(xy);\n"
"}");
ASSERT_EQUALS("", errout.str());
}
void uninit_fp_struct_member_init_2() {
check("struct A {\n"
" int x {0}; int y {0};\n"
"};\n"
"void foo(const A& a) {\n"
" bar(a);\n"
"}");
ASSERT_EQUALS("", errout.str());
}
void uninit_fp_template_var() {
check("void foo() {\n"
" X*x = DYNAMIC_CAST(X, p);\n"
" C<int> c;\n"
" f(c);\n"
"}");
ASSERT_EQUALS("", errout.str());
}
};
REGISTER_TEST(TestBughuntingChecks)