1 // RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-checker=core,deadcode,alpha.deadcode.IdempotentOperations,alpha.core -std=gnu99 -analyzer-store=region -analyzer-constraints=range -analyzer-purge=none -verify %s -Wno-error=return-type 2 // RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-checker=core,deadcode,alpha.deadcode.IdempotentOperations,alpha.core -std=gnu99 -analyzer-store=region -analyzer-constraints=range -verify %s -Wno-error=return-type 3 4 typedef unsigned uintptr_t; 5 6 extern void __assert_fail (__const char *__assertion, __const char *__file, 7 unsigned int __line, __const char *__function) 8 __attribute__ ((__noreturn__)); 9 10 #define assert(expr) \ 11 ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__)) 12 13 void f1(int *p) { 14 if (p) *p = 1; 15 else *p = 0; // expected-warning{{ereference}} 16 } 17 18 struct foo_struct { 19 int x; 20 }; 21 22 int f2(struct foo_struct* p) { 23 24 if (p) 25 p->x = 1; 26 27 return p->x++; // expected-warning{{Access to field 'x' results in a dereference of a null pointer (loaded from variable 'p')}} 28 } 29 30 int f3(char* x) { 31 32 int i = 2; 33 34 if (x) 35 return x[i - 1]; 36 37 return x[i+1]; // expected-warning{{Array access (from variable 'x') results in a null pointer dereference}} 38 } 39 40 int f3_b(char* x) { 41 42 int i = 2; 43 44 if (x) 45 return x[i - 1]; 46 47 return x[i+1]++; // expected-warning{{Array access (from variable 'x') results in a null pointer dereference}} 48 } 49 50 int f4(int *p) { 51 52 uintptr_t x = (uintptr_t) p; 53 54 if (x) 55 return 1; 56 57 int *q = (int*) x; 58 return *q; // expected-warning{{Dereference of null pointer (loaded from variable 'q')}} 59 } 60 61 int f4_b() { 62 short array[2]; 63 uintptr_t x = array; // expected-warning{{incompatible pointer to integer conversion}} 64 short *p = x; // expected-warning{{incompatible integer to pointer conversion}} 65 66 // The following branch should be infeasible. 67 if (!(p == &array[0])) { // expected-warning{{Both operands to '==' always have the same value}} 68 p = 0; 69 *p = 1; // no-warning 70 } 71 72 if (p) { 73 *p = 5; // no-warning 74 p = 0; 75 } 76 else return; // expected-warning {{non-void function 'f4_b' should return a value}} 77 78 *p += 10; // expected-warning{{Dereference of null pointer}} 79 return 0; 80 } 81 82 int f5() { 83 84 char *s = "hello world"; 85 return s[0]; // no-warning 86 } 87 88 int bar(int* p, int q) __attribute__((nonnull)); 89 90 int f6(int *p) { 91 return !p ? bar(p, 1) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}} 92 : bar(p, 0); // no-warning 93 } 94 95 int bar2(int* p, int q) __attribute__((nonnull(1))); 96 97 int f6b(int *p) { 98 return !p ? bar2(p, 1) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}} 99 : bar2(p, 0); // no-warning 100 } 101 102 int bar3(int*p, int q, int *r) __attribute__((nonnull(1,3))); 103 104 int f6c(int *p, int *q) { 105 return !p ? bar3(q, 2, p) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}} 106 : bar3(p, 2, q); // no-warning 107 } 108 109 void f6d(int *p) { 110 bar(p, 0); 111 // At this point, 'p' cannot be null. 112 if (!p) { 113 int *q = 0; 114 *q = 0xDEADBEEF; // no-warning 115 } 116 } 117 118 void f6e(int *p, int offset) { 119 // PR7406 - crash from treating an UnknownVal as defined, to see if it's 0. 120 bar((p+offset)+1, 0); // not crash 121 } 122 123 int* qux(); 124 125 int f7(int x) { 126 127 int* p = 0; 128 129 if (0 == x) 130 p = qux(); 131 132 if (0 == x) 133 *p = 1; // no-warning 134 135 return x; 136 } 137 138 int* f7b(int *x) { 139 140 int* p = 0; 141 142 if (((void*)0) == x) 143 p = qux(); 144 145 if (((void*)0) == x) 146 *p = 1; // no-warning 147 148 return x; 149 } 150 151 int* f7c(int *x) { 152 153 int* p = 0; 154 155 if (((void*)0) == x) 156 p = qux(); 157 158 if (((void*)0) != x) 159 return x; 160 161 // If we reach here then 'p' is not null. 162 *p = 1; // no-warning 163 return x; 164 } 165 166 int* f7c2(int *x) { 167 168 int* p = 0; 169 170 if (((void*)0) == x) 171 p = qux(); 172 173 if (((void*)0) == x) 174 return x; 175 176 *p = 1; // expected-warning{{null}} 177 return x; 178 } 179 180 181 void f8(int *p, int *q) { 182 if (!p) 183 if (p) 184 *p = 1; // no-warning 185 186 if (q) 187 if (!q) 188 *q = 1; // no-warning 189 } 190 191 int* qux(); 192 193 int f9(unsigned len) { 194 assert (len != 0); 195 int *p = 0; 196 unsigned i; 197 198 for (i = 0; i < len; ++i) 199 p = qux(i); 200 201 return *p++; // no-warning 202 } 203 204 int f9b(unsigned len) { 205 assert (len > 0); // note use of '>' 206 int *p = 0; 207 unsigned i; 208 209 for (i = 0; i < len; ++i) 210 p = qux(i); 211 212 return *p++; // no-warning 213 } 214 215 int* f10(int* p, signed char x, int y) { 216 // This line tests symbolication with compound assignments where the 217 // LHS and RHS have different bitwidths. The new symbolic value 218 // for 'x' should have a bitwidth of 8. 219 x &= y; 220 221 // This tests that our symbolication worked, and that we correctly test 222 // x against 0 (with the same bitwidth). 223 if (!x) { 224 if (!p) return 0; 225 *p = 10; 226 } 227 else p = 0; 228 229 if (!x) 230 *p = 5; // no-warning 231 232 return p; 233 } 234 235 // Test case from <rdar://problem/6407949> 236 void f11(unsigned i) { 237 int *x = 0; 238 if (i >= 0) { // expected-warning{{always true}} 239 // always true 240 } else { 241 *x = 42; // no-warning 242 } 243 } 244 245 void f11b(unsigned i) { 246 int *x = 0; 247 if (i <= ~(unsigned)0) { 248 // always true 249 } else { 250 *x = 42; // no-warning 251 } 252 } 253 254 // Test case for switch statements with weird case arms. 255 typedef int BOOL, *PBOOL, *LPBOOL; 256 typedef long LONG_PTR, *PLONG_PTR; 257 typedef unsigned long ULONG_PTR, *PULONG_PTR; 258 typedef ULONG_PTR DWORD_PTR, *PDWORD_PTR; 259 typedef LONG_PTR LRESULT; 260 typedef struct _F12ITEM *HF12ITEM; 261 262 void f12(HF12ITEM i, char *q) { 263 char *p = 0; 264 switch ((DWORD_PTR) i) { 265 case 0 ... 10: 266 p = q; 267 break; 268 case (DWORD_PTR) ((HF12ITEM) - 65535): 269 return; 270 default: 271 return; 272 } 273 274 *p = 1; // no-warning 275 } 276 277 // Test handling of translating between integer "pointers" and back. 278 void f13() { 279 int *x = 0; 280 if (((((int) x) << 2) + 1) >> 1) *x = 1; 281 } 282 283 // PR 4759 - Attribute non-null checking by the analyzer was not correctly 284 // handling pointer values that were undefined. 285 void pr4759_aux(int *p) __attribute__((nonnull)); 286 287 void pr4759() { 288 int *p; 289 pr4759_aux(p); // expected-warning{{Function call argument is an uninitialized value}} 290 } 291 292 // Relax function call arguments invalidation to be aware of const 293 // arguments. Test with function pointers. radar://10595327 294 void ttt(const int *nptr); 295 void ttt2(const int *nptr); 296 typedef void (*NoConstType)(int*); 297 int foo10595327(int b) { 298 void (*fp)(int *); 299 // We use path sensitivity to get the function declaration. Even when the 300 // function pointer is cast to non pointer-to-const parameter type, we can 301 // find the right function declaration. 302 if (b > 5) 303 fp = (NoConstType)ttt2; 304 else 305 fp = (NoConstType)ttt; 306 int x = 3; 307 int y = x + 1; 308 int *p = 0; 309 fp(&y); 310 if (x == y) 311 return *p; // no-warning 312 return 0; 313 } 314
