test program for integer bugs

0c9babe8 · an7s · f9036d29 · 0c9babe8 · 0c9babe8 · 0c9babe8
Commit 0c9babe8 authored 13 years ago by an7s
--- a/.gitattributes
+++ b/.gitattributes
@@ -144,6 +144,7 @@ beaengine/obj/Linux.gnu.Debug/beaengineSources/CMakeFiles/progress.marks -text
 examples/Makefile -text
 examples/dumbledore.c -text
 examples/dumbledore_cmd.c -text
+examples/integerbug.c -text
 examples/overflow1.c -text
 examples/test1.c -text
 libIRDB/Makefile -text

--- a/examples/Makefile
+++ b/examples/Makefile
@@ -6,8 +6,9 @@ LD=DO_NOT_USE
 .SUFFIXES: .o .c .cpp .exe

 #exes=dumbledore_cmd.exe test1.exe
-exes=overflow1.exe #overflow2.exe
+#exes=overflow1.exe #overflow2.exe
 #exes=dumbledore_cmd.exe
+exes=integerbug.exe


 all: env_check  ${exes}
@@ -15,8 +16,8 @@ all: env_check  ${exes}
 .PHONY: env_check 

 .o.exe:
-	${PEASOUP_HOME}/tools/ps_link.sh $< -o $@ 
-#	gcc $< -o $@ 
+#	${PEASOUP_HOME}/tools/ps_link.sh $< -o $@ 
+	gcc $< -o $@ 
 	${PEASOUP_HOME}/tools/ps_analyze.sh  $@ $@

 .c.o:

--- a/examples/integerbug.c
+++ b/examples/integerbug.c
+int int_fussy_overflow(int x, int y)
+{
+  printf("int_fussy_overflow: %d %d\n", x, y);
+  int result = x + 10000 - y;
+  return result;
+}
+
+unsigned uint_fussy_overflow(unsigned x, unsigned y)
+{
+  printf("uint_fussy_overflow: %u %u\n", x, y);
+  unsigned result = x + 10000 - y;
+  return result;
+}
+
+int signed_overflow(int x, int y)
+{
+  printf("signed_overflow: %d %d\n", x, y);
+  int sum = x + y;  
+  return sum;
+}
+
+unsigned unsigned_overflow(unsigned x, unsigned y)
+{
+  printf("unsigned_overflow: %u %u\n", x, y);
+  unsigned sum = x + y;  
+  return sum;
+}
+
+char* integer_overflow_into_malloc_1(unsigned numElements)
+{
+  printf("integer_overflow_into_malloc_1: %u\n", numElements);
+  unsigned int size = numElements * 4; // compiler may use shifting here
+  char *buf = malloc(size);
+  return buf;
+}
+
+char* integer_overflow_into_malloc_2(unsigned numElements, unsigned sizePerElement)
+{
+  printf("integer_overflow_into_malloc_2: %u %u\n", numElements, sizePerElement);
+  unsigned int size = numElements * sizePerElement; 
+  char *buf = malloc(size);
+  return buf;
+}
+
+char* integer_underflow(unsigned len, char *src)
+{
+  printf("integer_underflow: %d\n", len);
+  unsigned int size;
+  size = len - 2; // len = 0, size = -2
+  char *comm = (char*) malloc(size + 1); // -1 (MAX_UNSIGNED_INT) passed to malloc
+  memcpy(comm, src, size);
+  return comm;
+}
+
+char* signed_error(int size)
+{
+  printf("signed_error: %d\n", size);
+  return malloc(size);
+}
+
+int signed_error_bypass_check(unsigned value)
+{
+  printf("signed_error_bypass_check: %u\n", value);
+  int x = value;
+  if ( x > 1024 ) 
+  {
+    printf("too big\n");
+    return 1;
+  }
+  else
+  {
+    printf("passed upper bound check\n");
+    return 0;
+  }
+}
+
+char* trunc_error(unsigned size, int numElements)
+{
+  printf("trunc_error: %u %d\n", size, numElements);
+  short len = size;
+  return malloc(len * numElements);
+}
+
+int main(int argc, char **argv)
+{
+  int selector = 0;
+  int myint;
+  int result;
+  char *bufptr;
+  char buf[16] = "hello";
+
+  if (argc == 2)
+    selector = atoi(argv[1]);
+
+  switch(selector)
+  {
+    case 0:
+      bufptr = integer_overflow_into_malloc_2(4, 4);
+    break;
+    case 1:
+      bufptr = integer_overflow_into_malloc_2(2000000000, 4);
+    break;
+    case 2:
+      bufptr = integer_overflow_into_malloc_1(4);
+    break;
+    case 3:
+      bufptr = integer_overflow_into_malloc_1(4000000000);
+    break;
+    case 4:
+      bufptr = integer_underflow(10, buf);
+    break;
+    case 5:
+      result = signed_error_bypass_check(2048);
+    break;
+    case 6:
+      result = signed_error_bypass_check(4000000000);
+    break;
+  }
+}