1 // RUN: %clang_cc1 -triple i386-apple-darwin9 -analyze -analyzer-checker=core,alpha.core -analyzer-store=region -verify -fblocks -analyzer-opt-analyze-nested-blocks %s -fexceptions -fcxx-exceptions 2 // RUN: %clang_cc1 -triple x86_64-apple-darwin9 -analyze -analyzer-checker=core,alpha.core -analyzer-store=region -verify -fblocks -analyzer-opt-analyze-nested-blocks %s -fexceptions -fcxx-exceptions 3 4 // Test basic handling of references. 5 char &test1_aux(); 6 char *test1() { 7 return &test1_aux(); 8 } 9 10 // Test test1_aux() evaluates to char &. 11 char test1_as_rvalue() { 12 return test1_aux(); 13 } 14 15 // Test passing a value as a reference. The 'const' in test2_aux() adds 16 // an ImplicitCastExpr, which is evaluated as an lvalue. 17 int test2_aux(const int &n); 18 int test2(int n) { 19 return test2_aux(n); 20 } 21 22 int test2_b_aux(const short &n); 23 int test2_b(int n) { 24 return test2_b_aux(n); 25 } 26 27 // Test getting the lvalue of a derived and converting it to a base. This 28 // previously crashed. 29 class Test3_Base {}; 30 class Test3_Derived : public Test3_Base {}; 31 32 int test3_aux(Test3_Base &x); 33 int test3(Test3_Derived x) { 34 return test3_aux(x); 35 } 36 37 //===---------------------------------------------------------------------===// 38 // Test CFG support for C++ condition variables. 39 //===---------------------------------------------------------------------===// 40 41 int test_init_in_condition_aux(); 42 int test_init_in_condition() { 43 if (int x = test_init_in_condition_aux()) { // no-warning 44 return 1; 45 } 46 return 0; 47 } 48 49 int test_init_in_condition_switch() { 50 switch (int x = test_init_in_condition_aux()) { // no-warning 51 case 1: 52 return 0; 53 case 2: 54 if (x == 2) 55 return 0; 56 else { 57 // Unreachable. 58 int *p = 0; 59 *p = 0xDEADBEEF; // no-warning 60 } 61 default: 62 break; 63 } 64 return 0; 65 } 66 67 int test_init_in_condition_while() { 68 int z = 0; 69 while (int x = ++z) { // no-warning 70 if (x == 2) 71 break; 72 } 73 74 if (z == 2) 75 return 0; 76 77 int *p = 0; 78 *p = 0xDEADBEEF; // no-warning 79 return 0; 80 } 81 82 83 int test_init_in_condition_for() { 84 int z = 0; 85 for (int x = 0; int y = ++z; ++x) { 86 if (x == y) // no-warning 87 break; 88 } 89 if (z == 1) 90 return 0; 91 92 int *p = 0; 93 *p = 0xDEADBEEF; // no-warning 94 return 0; 95 } 96 97 //===---------------------------------------------------------------------===// 98 // Test handling of 'this' pointer. 99 //===---------------------------------------------------------------------===// 100 101 class TestHandleThis { 102 int x; 103 104 TestHandleThis(); 105 int foo(); 106 int null_deref_negative(); 107 int null_deref_positive(); 108 }; 109 110 int TestHandleThis::foo() { 111 // Assume that 'x' is initialized. 112 return x + 1; // no-warning 113 } 114 115 int TestHandleThis::null_deref_negative() { 116 x = 10; 117 if (x == 10) { 118 return 1; 119 } 120 int *p = 0; 121 *p = 0xDEADBEEF; // no-warning 122 return 0; 123 } 124 125 int TestHandleThis::null_deref_positive() { 126 x = 10; 127 if (x == 9) { 128 return 1; 129 } 130 int *p = 0; 131 *p = 0xDEADBEEF; // expected-warning{{null pointer}} 132 return 0; 133 } 134 135 // PR 7675 - passing literals by-reference 136 void pr7675(const double &a); 137 void pr7675(const int &a); 138 void pr7675(const char &a); 139 void pr7675_i(const _Complex double &a); 140 141 void pr7675_test() { 142 pr7675(10.0); 143 pr7675(10); 144 pr7675('c'); 145 pr7675_i(4.0i); 146 // Add null deref to ensure we are analyzing the code up to this point. 147 int *p = 0; 148 *p = 0xDEADBEEF; // expected-warning{{null pointer}} 149 } 150 151 // <rdar://problem/8375510> - CFGBuilder should handle temporaries. 152 struct R8375510 { 153 R8375510(); 154 ~R8375510(); 155 R8375510 operator++(int); 156 }; 157 158 int r8375510(R8375510 x, R8375510 y) { 159 for (; ; x++) { } 160 } 161 162 // PR8419 -- this used to crash. 163 164 class String8419 { 165 public: 166 char& get(int n); 167 char& operator[](int n); 168 }; 169 170 char& get8419(); 171 172 void Test8419() { 173 String8419 s; 174 ++(s.get(0)); 175 get8419()--; // used to crash 176 --s[0]; // used to crash 177 s[0] &= 1; // used to crash 178 s[0]++; // used to crash 179 } 180 181 // PR8426 -- this used to crash. 182 183 void Use(void* to); 184 185 template <class T> class Foo { 186 ~Foo(); 187 struct Bar; 188 Bar* bar_; 189 }; 190 191 template <class T> Foo<T>::~Foo() { 192 Use(bar_); 193 T::DoSomething(); 194 bar_->Work(); 195 } 196 197 // PR8427 -- this used to crash. 198 199 class Dummy {}; 200 201 bool operator==(Dummy, int); 202 203 template <typename T> 204 class Foo2 { 205 bool Bar(); 206 }; 207 208 template <typename T> 209 bool Foo2<T>::Bar() { 210 return 0 == T(); 211 } 212 213 // PR8433 -- this used to crash. 214 215 template <typename T> 216 class Foo3 { 217 public: 218 void Bar(); 219 void Baz(); 220 T value_; 221 }; 222 223 template <typename T> 224 void Foo3<T>::Bar() { 225 Baz(); 226 value_(); 227 } 228 229 //===---------------------------------------------------------------------===// 230 // Handle misc. C++ constructs. 231 //===---------------------------------------------------------------------===// 232 233 namespace fum { 234 int i = 3; 235 }; 236 237 void test_namespace() { 238 // Previously triggered a crash. 239 using namespace fum; 240 int x = i; 241 } 242 243 // Test handling methods that accept references as parameters, and that 244 // variables are properly invalidated. 245 class RDar9203355 { 246 bool foo(unsigned valA, long long &result) const; 247 bool foo(unsigned valA, int &result) const; 248 }; 249 bool RDar9203355::foo(unsigned valA, int &result) const { 250 long long val; 251 if (foo(valA, val) || 252 (int)val != val) // no-warning 253 return true; 254 result = val; // no-warning 255 return false; 256 } 257 258 // Test handling of new[]. 259 void rdar9212512() { 260 int *x = new int[10]; 261 for (unsigned i = 0 ; i < 2 ; ++i) { 262 // This previously triggered an uninitialized values warning. 263 x[i] = 1; // no-warning 264 } 265 } 266 267 // Test basic support for dynamic_cast<>. 268 struct Rdar9212495_C { virtual void bar() const; }; 269 class Rdar9212495_B : public Rdar9212495_C {}; 270 class Rdar9212495_A : public Rdar9212495_B {}; 271 const Rdar9212495_A& rdar9212495(const Rdar9212495_C* ptr) { 272 const Rdar9212495_A& val = dynamic_cast<const Rdar9212495_A&>(*ptr); 273 274 // This is not valid C++; dynamic_cast with a reference type will throw an 275 // exception if the pointer does not match the expected type. However, our 276 // implementation of dynamic_cast will pass through a null pointer...or a 277 // "null reference"! So this branch is actually possible. 278 if (&val == 0) { 279 val.bar(); // expected-warning{{Called C++ object pointer is null}} 280 } 281 282 return val; 283 } 284 285 const Rdar9212495_A* rdar9212495_ptr(const Rdar9212495_C* ptr) { 286 const Rdar9212495_A* val = dynamic_cast<const Rdar9212495_A*>(ptr); 287 288 if (val == 0) { 289 val->bar(); // expected-warning{{Called C++ object pointer is null}} 290 } 291 292 return val; 293 } 294 295 // Test constructors invalidating arguments. Previously this raised 296 // an uninitialized value warning. 297 extern "C" void __attribute__((noreturn)) PR9645_exit(int i); 298 299 class PR9645_SideEffect 300 { 301 public: 302 PR9645_SideEffect(int *pi); // caches pi in i_ 303 void Read(int *pi); // copies *pi into *i_ 304 private: 305 int *i_; 306 }; 307 308 void PR9645() { 309 int i; 310 311 PR9645_SideEffect se(&i); 312 int j = 1; 313 se.Read(&j); // this has a side-effect of initializing i. 314 315 PR9645_exit(i); // no-warning 316 } 317 318 PR9645_SideEffect::PR9645_SideEffect(int *pi) : i_(pi) {} 319 void PR9645_SideEffect::Read(int *pi) { *i_ = *pi; } 320 321 // Invalidate fields during C++ method calls. 322 class RDar9267815 { 323 int x; 324 void test(); 325 void test_pos(); 326 void test2(); 327 void invalidate(); 328 }; 329 330 void RDar9267815::test_pos() { 331 int *p = 0; 332 if (x == 42) 333 return; 334 *p = 0xDEADBEEF; // expected-warning {{null}} 335 } 336 void RDar9267815::test() { 337 int *p = 0; 338 if (x == 42) 339 return; 340 if (x == 42) 341 *p = 0xDEADBEEF; // no-warning 342 } 343 344 void RDar9267815::test2() { 345 int *p = 0; 346 if (x == 42) 347 return; 348 invalidate(); 349 if (x == 42) 350 *p = 0xDEADBEEF; // expected-warning {{null}} 351 } 352 353 // Test reference parameters. 354 void test_ref_double_aux(double &Value); 355 float test_ref_double() { 356 double dVal; 357 test_ref_double_aux(dVal); 358 // This previously warned because 'dVal' was thought to be uninitialized. 359 float Val = (float)dVal; // no-warning 360 return Val; 361 } 362 363 // Test invalidation of class fields. 364 class TestInvalidateClass { 365 public: 366 int x; 367 }; 368 369 void test_invalidate_class_aux(TestInvalidateClass &x); 370 371 int test_invalidate_class() { 372 TestInvalidateClass y; 373 test_invalidate_class_aux(y); 374 return y.x; // no-warning 375 } 376 377 // Test correct pointer arithmetic using 'p--'. This is to warn that we 378 // were loading beyond the written characters in buf. 379 char *RDar9269695(char *dst, unsigned int n) 380 { 381 char buff[40], *p; 382 383 p = buff; 384 do 385 *p++ = '0' + n % 10; 386 while (n /= 10); 387 388 do 389 *dst++ = *--p; // no-warning 390 while (p != buff); 391 392 return dst; 393 } 394 395 // Test that we invalidate byref arguments passed to constructors. 396 class TestInvalidateInCtor { 397 public: 398 TestInvalidateInCtor(unsigned &x); 399 }; 400 401 unsigned test_invalidate_in_ctor() { 402 unsigned x; 403 TestInvalidateInCtor foo(x); 404 return x; // no-warning 405 } 406 unsigned test_invalidate_in_ctor_new() { 407 unsigned x; 408 delete (new TestInvalidateInCtor(x)); 409 return x; // no-warning 410 } 411 412 // Test assigning into a symbolic offset. 413 struct TestAssignIntoSymbolicOffset { 414 int **stuff[100]; 415 void test(int x, int y); 416 }; 417 418 void TestAssignIntoSymbolicOffset::test(int x, int y) { 419 x--; 420 if (x > 8 || x < 0) 421 return; 422 if (stuff[x]) 423 return; 424 if (!stuff[x]) { 425 stuff[x] = new int*[y+1]; 426 // Previously triggered a null dereference. 427 stuff[x][y] = 0; // no-warning 428 } 429 } 430 431 // Test loads from static fields. This previously triggered an uninitialized 432 // value warning. 433 class ClassWithStatic { 434 public: 435 static const unsigned value = 1; 436 }; 437 438 int rdar9948787_negative() { 439 ClassWithStatic classWithStatic; 440 unsigned value = classWithStatic.value; 441 if (value == 1) 442 return 1; 443 int *p = 0; 444 *p = 0xDEADBEEF; // no-warning 445 return 0; 446 } 447 448 int rdar9948787_positive() { 449 ClassWithStatic classWithStatic; 450 unsigned value = classWithStatic.value; 451 if (value == 0) 452 return 1; 453 int *p = 0; 454 *p = 0xDEADBEEF; // expected-warning {{null}} 455 return 0; 456 } 457 458 // Regression test against global constants and switches. 459 enum rdar10202899_ValT { rdar10202899_ValTA, rdar10202899_ValTB, rdar10202899_ValTC }; 460 const rdar10202899_ValT val = rdar10202899_ValTA; 461 void rdar10202899_test1() { 462 switch (val) { 463 case rdar10202899_ValTA: {} 464 }; 465 } 466 467 void rdar10202899_test2() { 468 if (val == rdar10202899_ValTA) 469 return; 470 int *p = 0; 471 *p = 0xDEADBEEF; 472 } 473 474 void rdar10202899_test3() { 475 switch (val) { 476 case rdar10202899_ValTA: return; 477 default: ; 478 }; 479 int *p = 0; 480 *p = 0xDEADBEEF; 481 } 482 483 // This used to crash the analyzer because of the unnamed bitfield. 484 void PR11249() 485 { 486 struct { 487 char f1:4; 488 char :4; 489 char f2[1]; 490 char f3; 491 } V = { 1, {2}, 3 }; 492 int *p = 0; 493 if (V.f1 != 1) 494 *p = 0xDEADBEEF; // no-warning 495 if (V.f2[0] != 2) 496 *p = 0xDEADBEEF; // no-warning 497 if (V.f3 != 3) 498 *p = 0xDEADBEEF; // no-warning 499 } 500 501 // Handle doing a load from the memory associated with the code for 502 // a function. 503 extern double nan( const char * ); 504 double PR11450() { 505 double NaN = *(double*) nan; 506 return NaN; 507 } 508 509 // Test that 'this' is assumed non-null upon analyzing the entry to a "top-level" 510 // function (i.e., when not analyzing from a specific caller). 511 struct TestNullThis { 512 int field; 513 void test(); 514 }; 515 516 void TestNullThis::test() { 517 int *p = &field; 518 if (p) 519 return; 520 field = 2; // no-warning 521 } 522 523 // Test handling of 'catch' exception variables, and not warning 524 // about uninitialized values. 525 enum MyEnum { MyEnumValue }; 526 MyEnum rdar10892489() { 527 try { 528 throw MyEnumValue; 529 } catch (MyEnum e) { 530 return e; // no-warning 531 } 532 return MyEnumValue; 533 } 534 535 MyEnum rdar10892489_positive() { 536 try { 537 throw MyEnumValue; 538 } catch (MyEnum e) { 539 int *p = 0; 540 // FALSE NEGATIVE 541 *p = 0xDEADBEEF; // {{null}} 542 return e; 543 } 544 return MyEnumValue; 545 } 546 547 // Test handling of catch with no condition variable. 548 void PR11545() { 549 try 550 { 551 throw; 552 } 553 catch (...) 554 { 555 } 556 } 557 558 void PR11545_positive() { 559 try 560 { 561 throw; 562 } 563 catch (...) 564 { 565 int *p = 0; 566 // FALSE NEGATIVE 567 *p = 0xDEADBEEF; // {{null}} 568 } 569 } 570 571 // Test handling taking the address of a field. While the analyzer 572 // currently doesn't do anything intelligent here, this previously 573 // resulted in a crash. 574 class PR11146 { 575 public: 576 struct Entry; 577 void baz(); 578 }; 579 580 struct PR11146::Entry { 581 int x; 582 }; 583 584 void PR11146::baz() { 585 (void) &Entry::x; 586 } 587 588 // Test symbolicating a reference. In this example, the 589 // analyzer (originally) didn't know how to handle x[index - index2], 590 // returning an UnknownVal. The conjured symbol wasn't a location, 591 // and would result in a crash. 592 void rdar10924675(unsigned short x[], int index, int index2) { 593 unsigned short &y = x[index - index2]; 594 if (y == 0) 595 return; 596 } 597 598 // Test handling CXXScalarValueInitExprs. 599 void rdar11401827() { 600 int x = int(); 601 if (!x) { 602 int *p = 0; 603 *p = 0xDEADBEEF; // expected-warning {{null pointer}} 604 } 605 else { 606 int *p = 0; 607 *p = 0xDEADBEEF; 608 } 609 } 610 611 //===---------------------------------------------------------------------===// 612 // Handle inlining of C++ method calls. 613 //===---------------------------------------------------------------------===// 614 615 struct A { 616 int *p; 617 void foo(int *q) { 618 p = q; 619 } 620 void bar() { 621 *p = 0; // expected-warning {{null pointer}} 622 } 623 }; 624 625 void test_inline() { 626 A a; 627 a.foo(0); 628 a.bar(); 629 } 630 631 void test_alloca_in_a_recursive_function(int p1) { 632 __builtin_alloca (p1); 633 test_alloca_in_a_recursive_function(1); 634 test_alloca_in_a_recursive_function(2); 635 } 636 637 //===---------------------------------------------------------------------===// 638 // Random tests. 639 //===---------------------------------------------------------------------===// 640 641 // Tests assigning using a C-style initializer to a struct 642 // variable whose sub-field is also a struct. This currently 643 // results in a CXXTempObjectRegion being created, but not 644 // properly handled. For now, we just ignore that value 645 // to avoid a crash (<rdar://problem/12753384>). 646 struct RDar12753384_ClassA { 647 unsigned z; 648 }; 649 struct RDar12753384_ClassB { 650 unsigned x; 651 RDar12753384_ClassA y[ 8 ] ; 652 }; 653 unsigned RDar12753384() { 654 RDar12753384_ClassB w = { 0x00 }; 655 RDar12753384_ClassA y[8]; 656 return w.x; 657 } 658 659 // This testcase tests whether we treat the anonymous union and union 660 // the same way. This previously resulted in a "return of stack address" 661 // warning because the anonymous union resulting in a temporary object 662 // getting put into the initializer. We still aren't handling this correctly, 663 // but now if a temporary object appears in an initializer we just ignore it. 664 // Fixes <rdar://problem/12755044>. 665 666 struct Rdar12755044_foo 667 { 668 struct Rdar12755044_bar 669 { 670 union baz 671 { 672 int i; 673 }; 674 } aBar; 675 }; 676 677 struct Rdar12755044_foo_anon 678 { 679 struct Rdar12755044_bar 680 { 681 union 682 { 683 int i; 684 }; 685 } aBar; 686 }; 687 688 const Rdar12755044_foo_anon *radar12755044_anon() { 689 static const Rdar12755044_foo_anon Rdar12755044_foo_list[] = { { { } } }; 690 return Rdar12755044_foo_list; // no-warning 691 } 692 693 const Rdar12755044_foo *radar12755044() { 694 static const Rdar12755044_foo Rdar12755044_foo_list[] = { { { } } }; 695 return Rdar12755044_foo_list; // no-warning 696 } 697 698 // Test the correct handling of integer to bool conversions. Previously 699 // this resulted in a false positive because integers were being truncated 700 // and not tested for non-zero. 701 void rdar12759044() { 702 int flag = 512; 703 if (!(flag & 512)) { 704 int *p = 0; 705 *p = 0xDEADBEEF; // no-warning 706 } 707 } 708 709 // The analyzer currently does not model complex types. Test that the load 710 // from 'x' is not flagged as being uninitialized. 711 typedef __complex__ float _ComplexT; 712 void rdar12964481(_ComplexT *y) { 713 _ComplexT x; 714 __real__ x = 1.0; 715 __imag__ x = 1.0; 716 *y *= x; // no-warning 717 } 718 void rdar12964481_b(_ComplexT *y) { 719 _ComplexT x; 720 // Eventually this should be a warning. 721 *y *= x; // no-warning 722 } 723 724 // Test case for PR 12921. This previously produced 725 // a bogus warning. 726 static const int pr12921_arr[] = { 0, 1 }; 727 static const int pr12921_arrcount = sizeof(pr12921_arr)/sizeof(int); 728 729 int pr12921(int argc, char **argv) { 730 int i, retval; 731 for (i = 0; i < pr12921_arrcount; i++) { 732 if (argc == i) { 733 retval = i; 734 break; 735 } 736 } 737 738 // No match 739 if (i == pr12921_arrcount) return 66; 740 return pr12921_arr[retval]; 741 } 742 743
