Achillesed · Achillesed · Jan 20, 2026 · Jan 23, 2026 · Jan 24, 2026
diff --git a/SAGA_CheckerCase/ABUSE_COMMA.c b/SAGA_CheckerCase/ABUSE_COMMA.c
@@ -0,0 +1,31 @@
+/**
+    Filename: ABUSE_COMMA.c
+    Vuln: ABUSE_COMMA
+    SourceLine: -1
+    SinkLine: 16
+    Comment: 滥用了逗号运算符
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+
+void ABUSE_COMMA_BAD()
+{
+
+    int a,b;
+    for(a = 0, b = 0; a < 10, b < 10; a++, b++)   // 缺陷点:布尔表达式a < 10, b < 10中，a < 10没有意义
+    {
+        /* do something */
+    }
+
+}
+void ABUSE_COMMA_GOOD()
+{
+
+    int a,b;
+    for(a = 0, b = 0; a < 10 && b < 10; a++, b++)   // 修复点：使用逻辑运算符 && 修正布尔表达式
+    {
+        /* do something */
+    }
+
+}
diff --git a/SAGA_CheckerCase/ARRAY_COMPARE.c b/SAGA_CheckerCase/ARRAY_COMPARE.c
@@ -0,0 +1,32 @@
+/**
+    Filename: ARRAY_COMPARE.c
+    Vuln: ARRAY_COMPARE
+    SourceLine: -1
+    SinkLine: 19
+    Comment: 数组与 0 做了比较
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+
+void ARRAY_COMPARE_BAD() 
+{
+    unsigned int a[3] = {0};
+    unsigned int b[1] = {0};
+    unsigned int c[2] = {0};
+    if(*a == 0) 
+        a[0] = 1;
+    if(b == 0)  //  缺陷点：使用数组首地址与0作比较
+        b[0] = 10;  
+}
+
+void ARRAY_COMPARE_GOOD() 
+{
+    unsigned int a[3] = {0};
+    unsigned int b[1] = {0};
+    unsigned int c[2] = {0};
+    if(*a == 0) 
+        a[0] = 1;
+    if(*b == 0)  //  修复点：使用数组首元素与0作比较
+        b[0] = 10;  
+}
diff --git a/SAGA_CheckerCase/ARRAY_VS_SINGLETON_S.c b/SAGA_CheckerCase/ARRAY_VS_SINGLETON_S.c
@@ -0,0 +1,32 @@
+/**
+    Filename: ARRAY_VS_SINGLETON_S.c
+    Vuln: ARRAY_VS_SINGLETON_S
+    SourceLine: -1
+    SinkLine: 14
+    Comment: 单一对象的指针被错误地当作数组
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+
+void ARRAY_VS_SINGLETON_S_BAD(int *s,int index)
+{
+    s[index] = 123; // 缺陷点：单一对象被当做数组使用
+}
+void ARRAY_VS_SINGLETON_S_BAD_CALL()
+{
+    int c;
+    ARRAY_VS_SINGLETON_S_BAD(&c, 9);
+}
+
+void ARRAY_VS_SINGLETON_S_GOOD(int *s,int index)
+{
+    s[index] = 123; // 修复点：正常使用堆上的数组
+}
+void ARRAY_VS_SINGLETON_S_GOOD_CALL()
+{
+    int *c = malloc(10 * sizeof(int));
+    if(!c) return;
+    ARRAY_VS_SINGLETON_S_GOOD(c, 9);
+    free(c);
+}
diff --git a/SAGA_CheckerCase/ASSERT_EFFECT.c b/SAGA_CheckerCase/ASSERT_EFFECT.c
@@ -0,0 +1,24 @@
+/**
+    Filename: ASSERT_EFFECT.c
+    Vuln: ASSERT_EFFECT
+    SourceLine: -1
+    SinkLine: 16
+    Comment: 断言中的其他作用
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+int getValue();
+void ASSERT_EFFECT_BAD() 
+{
+    int x = getValue();
+    assert(++x);        // 缺陷点：在断言中进行修改操作
+}
+
+void ASSERT_EFFECT_GOOD() 
+{
+    int x = getValue();
+    int temp = x + 1;
+    assert(temp);        // 修复点：在断言前提前修改
+}
diff --git a/SAGA_CheckerCase/BAD_ALLOC_ARITHMETIC_S.c b/SAGA_CheckerCase/BAD_ALLOC_ARITHMETIC_S.c
@@ -0,0 +1,22 @@
+/**
+    Filename: BAD_ALLOC_ARITHMETIC_S.c
+    Vuln: BAD_ALLOC_ARITHMETIC_S
+    SourceLine: -1
+    SinkLine: 14
+    Comment: 离散的指针算术运算
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+
+void BAD_ALLOC_ARITHMETIC_S_BAD(int a, int b) 
+{
+  char *p = malloc(a) + b;   // 缺陷点：可能由于圆括号放错位置，导致分配不足或分配过度以及非正常的指针算术运算
+  free(p);
+}
+
+void BAD_ALLOC_ARITHMETIC_S_GOOD(int a, int b) 
+{
+  char *p = malloc(a + b);   // 修复点：避免错误的指针算数运算
+  free(p);
+}
diff --git a/SAGA_CheckerCase/BAD_ALLOC_STRLEN_S.c b/SAGA_CheckerCase/BAD_ALLOC_STRLEN_S.c
@@ -0,0 +1,33 @@
+/**
+    Filename: BAD_ALLOC_STRLEN_S.c
+    Vuln: BAD_ALLOC_STRLEN_S
+    SourceLine: -1
+    SinkLine: 18
+    Comment: 字符串长度计算错误
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+void BAD_ALLOC_STRLEN_S_BAD(char* name)
+{
+  char *new_name = NULL;
+  if (name) 
+  {
+    new_name = (char*)malloc(strlen(name+1));  //缺陷点：分配大小错误，可能导致复制时发生缓冲区溢出
+    //strcpy(new_name, name);
+    free(new_name);
+  }
+}
+
+void BAD_ALLOC_STRLEN_S_GOOD(char* name)
+{
+  char *new_name = NULL;
+  if (name) 
+  {
+    new_name = (char*)malloc(strlen(name) + 1);  //修复点：使用正确的字符串长度计算
+    //strcpy(new_name, name);
+    free(new_name);
+  }
+}
diff --git a/SAGA_CheckerCase/BAD_COMPARE_MEMCMP_S.c b/SAGA_CheckerCase/BAD_COMPARE_MEMCMP_S.c
@@ -0,0 +1,27 @@
+/**
+    Filename: BAD_COMPARE_MEMCMP_S.c
+    Vuln: BAD_COMPARE_MEMCMP_S
+    SourceLine: -1
+    SinkLine: 15
+    Comment: 滥用了 memcmp 风格函数
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+void BAD_COMPARE_MEMCMP_S_BAD(const char *s) 
+{
+    if (strcmp(s, "blah") == 1)     //缺陷点：错误的认为 memcmp 类函数返回值为定值
+    {
+        /* do something */
+    }
+}
+
+void BAD_COMPARE_MEMCMP_S_GOOD(const char *s) 
+{
+    if (strcmp(s, "blah") > 0)      //修复点：memcmp 类函数返回值应为正数情况
+    {
+        /* do something */
+    }
+}
diff --git a/SAGA_CheckerCase/BAD_COMPARE_NOTOP_S.c b/SAGA_CheckerCase/BAD_COMPARE_NOTOP_S.c
@@ -0,0 +1,26 @@
+/**
+    Filename: BAD_COMPARE_NOTOP_S.c
+    Vuln: BAD_COMPARE_NOTOP_S
+    SourceLine: -1
+    SinkLine: 14
+    Comment: 非正常值与逻辑否定运算符做了比较
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+
+void BAD_COMPARE_NOTOP_S_BAD(int x, int y) 
+{
+    if (!x == y)    //缺陷点：运算优先级先进行 !x 在做比较 可能是用户意料之外的
+    {
+        /* do something */
+    }
+}
+
+void BAD_COMPARE_NOTOP_S_GOOD(int x, int y) 
+{
+    if (!(x == y))    //修复点：使用括号明确优先级
+    {
+        /* do something */
+    }
+}
diff --git a/SAGA_CheckerCase/BAD_COMPARE_NULL_S.c b/SAGA_CheckerCase/BAD_COMPARE_NULL_S.c
@@ -0,0 +1,26 @@
+/**
+    Filename: BAD_COMPARE_NULL_S.c
+    Vuln: BAD_COMPARE_NULL_S
+    SourceLine: -1
+    SinkLine: 14
+    Comment: 与 NULL 做了不相等比较
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+
+void BAD_COMPARE_NULL_S_BAD(int *x) 
+{
+    if (x >= NULL)     //缺陷点：与 NULL 做了不相等比较
+    {
+        /* do something */
+    }
+}
+
+void BAD_COMPARE_NULL_S_GOOD(int *x) 
+{
+    if (x == NULL)     //修复点：与 NULL 做相等和不相等比较
+    {
+        /* do something */
+    }
+}
diff --git a/SAGA_CheckerCase/BAD_COMPARE_STR_S.c b/SAGA_CheckerCase/BAD_COMPARE_STR_S.c
@@ -0,0 +1,27 @@
+/**
+    Filename: BAD_COMPARE_STR_S.c
+    Vuln: BAD_COMPARE_STR_S
+    SourceLine: -1
+    SinkLine: 15
+    Comment: 指针与字符串常量做了比较
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+void BAD_COMPARE_STR_S_GOOD(const char *other) 
+{
+    if(other == "expected")     //缺陷点：指针（地址）与字符串常量作比较
+    {
+        /* do something */
+    }
+}
+
+void BAD_COMPARE_STR_S_BAD(const char *other) 
+{
+    if(strcmp(other, "expected") == 0)     //修复点：使用 strcmp 函数比较字符串内容
+    {
+        /* do something */
+    }
+}
diff --git a/SAGA_CheckerCase/BAD_FILE_OPEN_S.c b/SAGA_CheckerCase/BAD_FILE_OPEN_S.c
@@ -0,0 +1,27 @@
+/**
+    Filename: BAD_FILE_OPEN_S.c
+    Vuln: BAD_FILE_OPEN_S
+    SourceLine: -1
+    SinkLine: 17
+    Comment: 关闭打开失败的文件
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+
+void BAD_FILE_OPEN_S_BAD()
+{
+  FILE *fd;
+  fd = fopen("/proc/stat", "r");
+   /* do something */
+  fclose(fd);       //缺陷点：关闭的文件符 fd 可能打开失败
+}
+
+void BAD_FILE_OPEN_S_GOOD()
+{
+  FILE *fd;
+  fd = fopen("/proc/stat", "r");
+  if(fd == NULL) return;
+   /* do something */
+  fclose(fd);      //修复点：关闭前检查了 fopen 返回值，防止打开失败
+}
diff --git a/SAGA_CheckerCase/BAD_FLOAT_RET.c b/SAGA_CheckerCase/BAD_FLOAT_RET.c
@@ -0,0 +1,20 @@
+/**
+    Filename: BAD_FLOAT_RET.c
+    Vuln: BAD_FLOAT_RET
+    SourceLine: -1
+    SinkLine: 14
+    Comment: 结果不是浮点型
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+
+int BAD_FLOAT_RET_BAD(int a, int b) 
+{
+    return (int)(0.5 + ((a + b) / 2)); // 缺陷点：除数和被除数都不为浮点型，结果被截断为整数，可能会丢失精度
+}
+
+int BAD_FLOAT_RET_GOOD(int a, int b) 
+{
+    return (int)(0.5 + ((double)a + b) / 2); // 修复点：被除数为浮点型
+}
diff --git a/SAGA_CheckerCase/BAD_FREE_S.c b/SAGA_CheckerCase/BAD_FREE_S.c
@@ -0,0 +1,28 @@
+/**
+    Filename: BAD_FREE_S.c
+    Vuln: BAD_FREE_S
+    SourceLine: -1
+    SinkLine: 20
+    Comment: 释放非堆上的内存
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#define MAX_SIZE 16
+
+struct S { int a[4]; };
+
+void BAD_FREE_S_BAD(struct S *s) 
+{
+    int stackarray[3];
+    int *p = stackarray;  
+    free(p);              // 缺陷点：释放了栈上的内存
+}
+
+void BAD_FREE_S_GOOD(struct S *s) 
+{
+    int *stackarray = malloc(sizeof(int)*4);
+    int *p = stackarray;  
+    free(p);              // 修复点：释放堆上内存
+}