Enhance the array bounds checking to work for several other constructs,

especially C++ code, and generally expand the test coverage. Logic adapted from a patch by Kaelyn Uhrain <rikka@google.com> and another Googler. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@125775 91177308-0d34-0410-b5e6-96231b3b80d8
2011-02-17 21:10:52 +00:00 · 2011-02-17 21:10:52 +00:00 · 35001ca261
--- a/lib/Sema/SemaChecking.cpp
+++ b/lib/Sema/SemaChecking.cpp
@ -3095,17 +3095,12 @@ void Sema::CheckCastAlign(Expr *Op, QualType T, SourceRange TRange) {
 }

 void Sema::CheckArrayAccess(const clang::ArraySubscriptExpr *E) {
-  const DeclRefExpr *DRE =
-    dyn_cast<DeclRefExpr>(E->getBase()->IgnoreParenImpCasts());
-  if (!DRE)
-    return;
-  const VarDecl *Variable = dyn_cast<VarDecl>(DRE->getDecl());
-  if (!Variable)
-    return;
+  const Expr *BaseExpr = E->getBase()->IgnoreParenImpCasts();
  const ConstantArrayType *ArrayTy =
-    Context.getAsConstantArrayType(Variable->getType());
+    Context.getAsConstantArrayType(BaseExpr->getType());
  if (!ArrayTy)
    return;
+
  const Expr *IndexExpr = E->getIdx();
  if (IndexExpr->isValueDependent())
    return;
@ -3115,6 +3110,8 @@ void Sema::CheckArrayAccess(const clang::ArraySubscriptExpr *E) {

  if (!index.isNegative()) {
    const llvm::APInt &size = ArrayTy->getSize();
+    if (!size.isStrictlyPositive())
+      return;
    if (size.getBitWidth() > index.getBitWidth())
      index = index.sext(size.getBitWidth());
    if (index.slt(size))
@ -3127,7 +3124,14 @@ void Sema::CheckArrayAccess(const clang::ArraySubscriptExpr *E) {
    Diag(E->getBase()->getLocStart(), diag::warn_array_index_precedes_bounds)
      << index.toString(10, true) << IndexExpr->getSourceRange();
  }
-  Diag(Variable->getLocStart(), diag::note_array_index_out_of_bounds)
-    << Variable->getDeclName();
+
+  const NamedDecl *ND = NULL;
+  if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr))
+    ND = dyn_cast<NamedDecl>(DRE->getDecl());
+  if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr))
+    ND = dyn_cast<NamedDecl>(ME->getMemberDecl());
+  if (ND)
+    Diag(ND->getLocStart(), diag::note_array_index_out_of_bounds)
+      << ND->getDeclName();
 }

--- a/lib/Sema/SemaExprCXX.cpp
+++ b/lib/Sema/SemaExprCXX.cpp
@ -2005,6 +2005,10 @@ Sema::PerformImplicitConversion(Expr *&From, QualType ToType,
      if (!From->isGLValue()) break;
    }

+    // Check for trivial buffer overflows.
+    if (const ArraySubscriptExpr *AE = dyn_cast<ArraySubscriptExpr>(From))
+      CheckArrayAccess(AE);
+
    FromType = FromType.getUnqualifiedType();
    From = ImplicitCastExpr::Create(Context, FromType, CK_LValueToRValue,
                                    From, 0, VK_RValue);
--- a/test/Analysis/outofbound.c
+++ b/test/Analysis/outofbound.c
@ -1,4 +1,4 @@
-// RUN: %clang_cc1 -analyze -analyzer-experimental-internal-checks -analyzer-experimental-checks -analyzer-check-objc-mem -analyzer-store=region -verify %s
+// RUN: %clang_cc1 -Wno-array-bounds -analyze -analyzer-experimental-internal-checks -analyzer-experimental-checks -analyzer-check-objc-mem -analyzer-store=region -verify %s

 typedef __typeof(sizeof(int)) size_t;
 void *malloc(size_t);
--- a/test/Parser/encode.m
+++ b/test/Parser/encode.m
@ -1,8 +1,8 @@
 // RUN: %clang_cc1 -fsyntax-only -verify %s

 int main(void) {
-  const char ch = @encode(char *)[2];
-  char c = @encode(char *)[2] + 4;
+  const char ch = @encode(char *)[0];
+  char c = @encode(char *)[0] + 4;
  return c;
 }

--- a/test/SemaCXX/array-bounds.cpp
+++ b/test/SemaCXX/array-bounds.cpp
@ -5,17 +5,72 @@ int foo() {
  int y[2]; // expected-note 2 {{array 'y' declared here}}
  int *p = &y[2]; // no-warning
  (void) sizeof(x[2]); // no-warning
-  y[2] = 2; // expected-warning{{array index of '2' indexes past the end of an array (that contains 2 elements)}}
-  return x[2] +  // expected-warning{{array index of '2' indexes past the end of an array (that contains 2 elements)}}
-         y[-1] + // expected-warning{{array index of '-1' indexes before the beginning of the array}}
-         x[sizeof(x)] +  // expected-warning{{array index of '8' indexes past the end of an array (that contains 2 elements)}}
-         x[sizeof(x) / sizeof(x[0])] +  // expected-warning{{array index of '2' indexes past the end of an array (that contains 2 elements)}}
+  y[2] = 2; // expected-warning {{array index of '2' indexes past the end of an array (that contains 2 elements)}}
+  return x[2] +  // expected-warning {{array index of '2' indexes past the end of an array (that contains 2 elements)}}
+         y[-1] + // expected-warning {{array index of '-1' indexes before the beginning of the array}}
+         x[sizeof(x)] +  // expected-warning {{array index of '8' indexes past the end of an array (that contains 2 elements)}}
+         x[sizeof(x) / sizeof(x[0])] +  // expected-warning {{array index of '2' indexes past the end of an array (that contains 2 elements)}}
         x[sizeof(x) / sizeof(x[0]) - 1] + // no-warning
-         x[sizeof(x[2])]; // expected-warning{{array index of '4' indexes past the end of an array (that contains 2 elements)}}
+         x[sizeof(x[2])]; // expected-warning {{array index of '4' indexes past the end of an array (that contains 2 elements)}}
 }

 // This code example tests that -Warray-bounds works with arrays that
 // are template parameters.
 template <char *sz> class Qux {
  bool test() { return sz[0] == 'a'; }
-};
+};
+
+void f1(int a[1]) {
+  int val = a[3]; // no warning for function argumnet
+}
+
+void f2(const int (&a)[1]) { // expected-note {{declared here}}
+  int val = a[3];  // expected-warning {{array index of '3' indexes past the end of an array (that contains 1 elements)}}
+}
+
+void test() {
+  struct {
+    int a[0];
+  } s2;
+  s2.a[3] = 0; // no warning for 0-sized array
+
+  union {
+    short a[2]; // expected-note {{declared here}}
+    char c[4];
+  } u;
+  u.a[3] = 1; // expected-warning {{array index of '3' indexes past the end of an array (that contains 2 elements)}}
+  u.c[3] = 1; // no warning
+
+  const int const_subscript = 3;
+  int array[1]; // expected-note {{declared here}}
+  array[const_subscript] = 0;  // expected-warning {{array index of '3' indexes past the end of an array (that contains 1 elements)}}
+
+  int *ptr;
+  ptr[3] = 0; // no warning for pointer references
+  int array2[] = { 0, 1, 2 }; // expected-note 2 {{declared here}}
+
+  array2[3] = 0; // expected-warning {{array index of '3' indexes past the end of an array (that contains 3 elements)}}
+  array2[2+2] = 0; // expected-warning {{array index of '4' indexes past the end of an array (that contains 3 elements)}}
+
+  const char *str1 = "foo";
+  char c1 = str1[5]; // no warning for pointers
+
+  const char str2[] = "foo"; // expected-note {{declared here}}
+  char c2 = str2[5]; // expected-warning {{array index of '5' indexes past the end of an array (that contains 4 elements)}}
+
+  int (*array_ptr)[1];
+  (*array_ptr)[3] = 1; // expected-warning {{array index of '3' indexes past the end of an array (that contains 1 elements)}}
+}
+
+template <int I> struct S {
+  char arr[I]; // expected-note 3 {{declared here}}
+};
+template <int I> void f() {
+  S<3> s;
+  s.arr[4] = 0; // expected-warning 2 {{array index of '4' indexes past the end of an array (that contains 3 elements)}}
+  s.arr[I] = 0; // expected-warning {{array index of '5' indexes past the end of an array (that contains 3 elements)}}
+}
+
+void test_templates() {
+  f<5>(); // expected-note {{in instantiation}}
+}