analyzer: add test coverage for flexible array members [PR98247]

gcc/testsuite/ChangeLog:
	PR analyzer/98247
	* gcc.dg/analyzer/flexible-array-member-1.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>

diff --git a/gcc/testsuite/gcc.dg/analyzer/flexible-array-member-1.c b/gcc/testsuite/gcc.dg/analyzer/flexible-array-member-1.c
new file mode 100644 (file)
index 0000000..2df085a
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/flexible-array-member-1.c
@@ -0,0 +1,100 @@
+#include <stdlib.h>
+#include <string.h>
+
+struct str {
+  size_t len;
+  char data[];
+};
+
+struct str *
+test_const_size (void)
+{
+  struct str *str = malloc(sizeof(str) + 10);
+  if (str) {
+    str->len = 10;
+    memset(str->data, 'x', 10);
+    return str;
+  }
+  return NULL;
+}
+
+struct str *
+test_const_size_oob_1 (void)
+{
+  /* Forgetting to add space for the trailing array.  */
+  struct str *str = malloc(sizeof(str));
+  if (str) {
+    str->len = 10;
+    memset(str->data, 'x', 10); /* { dg-warning "heap-based buffer overflow" "Wanalyzer-out-of-bounds" } */
+    /* { dg-warning "'memset' writing 10 bytes into a region of size 0 overflows the destination" "Wstringop-overflow" { target *-*-* } .-1 } */
+    return str;
+  }
+  return NULL;
+}
+
+struct str *
+test_const_size_oob_2 (void)
+{
+  struct str *str = malloc(sizeof(str) + 10);
+  if (str) {
+    str->len = 10;
+    /* Using the wrong size here.  */
+    memset(str->data, 'x', 11); /* { dg-warning "heap-based buffer overflow" "Wanalyzer-out-of-bounds" } */
+    /* { dg-warning "'memset' writing 11 bytes into a region of size 10 overflows the destination" "Wstringop-overflow" { target *-*-* } .-1 } */
+    return str;
+  }
+  return NULL;
+}
+
+struct str *
+test_symbolic_size (size_t len)
+{
+  struct str *str = malloc(sizeof(str) + len);
+  if (str) {
+    str->len = len;
+    memset(str->data, 'x', len);
+    return str;
+  }
+  return NULL;
+}
+
+struct str *
+test_symbolic_size_oob (size_t len)
+{
+  /* Forgetting to add space for the trailing array.  */
+  struct str *str = malloc(sizeof(str));
+  if (str) {
+    str->len = len;
+    memset(str->data, 'x', len); /* { dg-warning "heap-based buffer overflow" "PR analyzer/98247" { xfail *-*-* } } */
+    // TODO(xfail): we don't yet complain about this case, which occurs when len > 0
+    return str;
+  }
+  return NULL;
+}
+
+struct str *
+test_symbolic_size_with_terminator (size_t len)
+{
+  struct str *str = malloc(sizeof(str) + len + 1);
+  if (str) {
+    str->len = len;
+    memset(str->data, 'x', len);
+    str->data[len] = '\0';
+    return str;
+  }
+  return NULL;
+}
+
+struct str *
+test_symbolic_size_with_terminator_oob (size_t len)
+{
+  /* Forgetting to add 1 for the terminator.  */
+  struct str *str = malloc(sizeof(str) + len);
+  if (str) {
+    str->len = len;
+    memset(str->data, 'x', len);
+    str->data[len] = '\0'; /* { dg-warning "heap-based buffer overflow" } */
+    return str;
+  }
+  return NULL;
+}