File: debug-exprinspection-istainted.c

package info (click to toggle)

llvm-toolchain-11 1%3A11.0.1-2

links: PTS, VCS
area: main
in suites: bullseye
size: 995,808 kB
sloc: cpp: 4,767,656; ansic: 760,916; asm: 477,436; python: 170,940; objc: 69,804; lisp: 29,914; sh: 23,855; f90: 18,173; pascal: 7,551; perl: 7,471; ml: 5,603; awk: 3,489; makefile: 2,573; xml: 915; cs: 573; fortran: 503; javascript: 452

file content (27 lines) | stat: -rw-r--r-- 996 bytes

parent folder | download | duplicates (8)

// RUN: %clang_analyze_cc1 -verify %s \
// RUN:   -analyzer-checker=core \
// RUN:   -analyzer-checker=debug.ExprInspection \
// RUN:   -analyzer-checker=alpha.security.taint

int scanf(const char *restrict format, ...);
void clang_analyzer_isTainted(char);
void clang_analyzer_isTainted_any_suffix(char);
void clang_analyzer_isTainted_many_arguments(char, int, int);

void foo() {
  char buf[32] = "";
  clang_analyzer_isTainted(buf[0]);            // expected-warning {{NO}}
  clang_analyzer_isTainted_any_suffix(buf[0]); // expected-warning {{NO}}
  scanf("%s", buf);
  clang_analyzer_isTainted(buf[0]);            // expected-warning {{YES}}
  clang_analyzer_isTainted_any_suffix(buf[0]); // expected-warning {{YES}}

  int tainted_value = buf[0]; // no-warning
}

void exactly_one_argument_required() {
  char buf[32] = "";
  scanf("%s", buf);
  clang_analyzer_isTainted_many_arguments(buf[0], 42, 42);
  // expected-warning@-1 {{clang_analyzer_isTainted() requires exactly one argument}}
}