Home | History | Annotate | Download | only in Analysis
      1 // RUN: %clang_cc1 -analyze -analyzer-checker=core,alpha.core,debug.ExprInspection -analyzer-store=region -analyzer-constraints=range -verify -Wno-null-dereference %s
      2 
      3 void clang_analyzer_eval(bool);
      4 
      5 typedef typeof(sizeof(int)) size_t;
      6 void malloc (size_t);
      7 
      8 void f1() {
      9   int const &i = 3;
     10   int b = i;
     11 
     12   int *p = 0;
     13 
     14   if (b != 3)
     15     *p = 1; // no-warning
     16 }
     17 
     18 char* ptr();
     19 char& ref();
     20 
     21 // These next two tests just shouldn't crash.
     22 char t1 () {
     23   ref() = 'c';
     24   return '0';
     25 }
     26 
     27 // just a sanity test, the same behavior as t1()
     28 char t2 () {
     29   *ptr() = 'c';
     30   return '0';
     31 }
     32 
     33 // Each of the tests below is repeated with pointers as well as references.
     34 // This is mostly a sanity check, but then again, both should work!
     35 char t3 () {
     36   char& r = ref();
     37   r = 'c'; // no-warning
     38   if (r) return r;
     39   return *(char*)0; // no-warning
     40 }
     41 
     42 char t4 () {
     43   char* p = ptr();
     44   *p = 'c'; // no-warning
     45   if (*p) return *p;
     46   return *(char*)0; // no-warning
     47 }
     48 
     49 char t5 (char& r) {
     50   r = 'c'; // no-warning
     51   if (r) return r;
     52   return *(char*)0; // no-warning
     53 }
     54 
     55 char t6 (char* p) {
     56   *p = 'c'; // no-warning
     57   if (*p) return *p;
     58   return *(char*)0; // no-warning
     59 }
     60 
     61 
     62 // PR13440 / <rdar://problem/11977113>
     63 // Test that the array-to-pointer decay works for array references as well.
     64 // More generally, when we want an lvalue for a reference field, we still need
     65 // to do one level of load.
     66 namespace PR13440 {
     67   typedef int T[1];
     68   struct S {
     69     T &x;
     70 
     71     int *m() { return x; }
     72   };
     73 
     74   struct S2 {
     75     int (&x)[1];
     76 
     77     int *m() { return x; }
     78 
     79     void testArrayToPointerDecayWithNonTypedValueRegion() {
     80       int *p = x;
     81       int *q = x;
     82       clang_analyzer_eval(p[0] == q[0]); // expected-warning{{TRUE}}
     83     }
     84 
     85   };
     86 
     87   void test() {
     88     int a[1];
     89     S s = { a };
     90     S2 s2 = { a };
     91 
     92     if (s.x != a) return;
     93     if (s2.x != a) return;
     94 
     95     a[0] = 42;
     96     clang_analyzer_eval(s.x[0] == 42); // expected-warning{{TRUE}}
     97     clang_analyzer_eval(s2.x[0] == 42); // expected-warning{{TRUE}}
     98   }
     99 }
    100 
    101 void testNullReference() {
    102   int *x = 0;
    103   int &y = *x; // expected-warning{{Dereference of null pointer}}
    104   y = 5;
    105 }
    106 
    107 void testRetroactiveNullReference(int *x) {
    108   // According to the C++ standard, there is no such thing as a
    109   // "null reference". So the 'if' statement ought to be dead code.
    110   // However, Clang (and other compilers) don't actually check that a pointer
    111   // value is non-null in the implementation of references, so it is possible
    112   // to produce a supposed "null reference" at runtime. The analyzer should
    113   // still warn when it can prove such errors.
    114   int &y = *x;
    115   if (x != 0)
    116     return;
    117   y = 5; // expected-warning{{Dereference of null pointer}}
    118 }
    119 
    120 void testReferenceAddress(int &x) {
    121   clang_analyzer_eval(&x != 0); // expected-warning{{TRUE}}
    122   clang_analyzer_eval(&ref() != 0); // expected-warning{{TRUE}}
    123 
    124   struct S { int &x; };
    125 
    126   extern S getS();
    127   clang_analyzer_eval(&getS().x != 0); // expected-warning{{TRUE}}
    128 
    129   extern S *getSP();
    130   clang_analyzer_eval(&getSP()->x != 0); // expected-warning{{TRUE}}
    131 }
    132 
    133 
    134 void testFunctionPointerReturn(void *opaque) {
    135   typedef int &(*RefFn)();
    136 
    137   RefFn getRef = (RefFn)opaque;
    138 
    139   // Don't crash writing to or reading from this reference.
    140   int &x = getRef();
    141   x = 42;
    142   clang_analyzer_eval(x == 42); // expected-warning{{TRUE}}
    143 }
    144 
    145 int &testReturnNullReference() {
    146   int *x = 0;
    147   return *x; // expected-warning{{Returning null reference}}
    148 }
    149 
    150 char &refFromPointer() {
    151   return *ptr();
    152 }
    153 
    154 void testReturnReference() {
    155   clang_analyzer_eval(ptr() == 0); // expected-warning{{UNKNOWN}}
    156   clang_analyzer_eval(&refFromPointer() == 0); // expected-warning{{FALSE}}
    157 }
    158 
    159 void intRefParam(int &r) {
    160 	;
    161 }
    162 
    163 void test(int *ptr) {
    164 	clang_analyzer_eval(ptr == 0); // expected-warning{{UNKNOWN}}
    165 
    166 	extern void use(int &ref);
    167 	use(*ptr);
    168 
    169 	clang_analyzer_eval(ptr == 0); // expected-warning{{FALSE}}
    170 }
    171 
    172 void testIntRefParam() {
    173 	int i = 0;
    174 	intRefParam(i); // no-warning
    175 }
    176 
    177 int refParam(int &byteIndex) {
    178 	return byteIndex;
    179 }
    180 
    181 void testRefParam(int *p) {
    182 	if (p)
    183 		;
    184 	refParam(*p); // expected-warning {{Forming reference to null pointer}}
    185 }
    186 
    187 int ptrRefParam(int *&byteIndex) {
    188 	return *byteIndex;  // expected-warning {{Dereference of null pointer}}
    189 }
    190 void testRefParam2() {
    191 	int *p = 0;
    192 	int *&rp = p;
    193 	ptrRefParam(rp);
    194 }
    195 
    196 int *maybeNull() {
    197 	extern bool coin();
    198 	static int x;
    199 	return coin() ? &x : 0;
    200 }
    201 
    202 void use(int &x) {
    203 	x = 1; // no-warning
    204 }
    205 
    206 void testSuppression() {
    207 	use(*maybeNull());
    208 }
    209 
    210 namespace rdar11212286 {
    211   class B{};
    212 
    213   B test() {
    214     B *x = 0;
    215     return *x; // expected-warning {{Forming reference to null pointer}}
    216   }
    217 
    218   B testif(B *x) {
    219     if (x)
    220       ;
    221     return *x; // expected-warning {{Forming reference to null pointer}}
    222   }
    223 
    224   void idc(B *x) {
    225     if (x)
    226       ;
    227   }
    228 
    229   B testidc(B *x) {
    230     idc(x);
    231     return *x; // no-warning
    232   }
    233 }
    234 
    235 namespace PR15694 {
    236   class C {
    237     bool bit : 1;
    238     template <class T> void bar(const T &obj) {}
    239     void foo() {
    240       bar(bit); // don't crash
    241     }
    242   };
    243 }
    244