Home | History | Annotate | Download | only in Analysis
      1 // NOTE: Use '-fobjc-gc' to test the analysis being run twice, and multiple reports are not issued.
      2 // RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-checker=core,alpha.deadcode.IdempotentOperations,alpha.core,osx.cocoa.AtSync -analyzer-store=region -analyzer-constraints=range -verify -fblocks -Wno-unreachable-code -Wno-null-dereference -Wno-objc-root-class %s
      3 // RUN: %clang_cc1 -triple x86_64-apple-darwin10 -analyze -analyzer-checker=core,alpha.deadcode.IdempotentOperations,alpha.core,osx.cocoa.AtSync -analyzer-store=region -analyzer-constraints=range -verify -fblocks -Wno-unreachable-code -Wno-null-dereference -Wno-objc-root-class %s
      4 
      5 #ifndef __clang_analyzer__
      6 #error __clang_analyzer__ not defined
      7 #endif
      8 
      9 typedef struct objc_ivar *Ivar;
     10 typedef struct objc_selector *SEL;
     11 typedef signed char BOOL;
     12 typedef int NSInteger;
     13 typedef unsigned int NSUInteger;
     14 typedef struct _NSZone NSZone;
     15 @class NSInvocation, NSArray, NSMethodSignature, NSCoder, NSString, NSEnumerator;
     16 @protocol NSObject
     17 - (BOOL)isEqual:(id)object;
     18 - (id)autorelease;
     19 @end
     20 @protocol NSCopying
     21 - (id)copyWithZone:(NSZone *)zone;
     22 @end
     23 @protocol NSMutableCopying  - (id)mutableCopyWithZone:(NSZone *)zone; @end
     24 @protocol NSCoding
     25 - (void)encodeWithCoder:(NSCoder *)aCoder;
     26 @end
     27 @interface NSObject <NSObject> {}
     28 - (id)init;
     29 + (id)allocWithZone:(NSZone *)zone;
     30 @end
     31 extern id NSAllocateObject(Class aClass, NSUInteger extraBytes, NSZone *zone);
     32 @interface NSString : NSObject <NSCopying, NSMutableCopying, NSCoding>
     33 - (NSUInteger)length;
     34 + (id)stringWithUTF8String:(const char *)nullTerminatedCString;
     35 @end extern NSString * const NSBundleDidLoadNotification;
     36 @interface NSValue : NSObject <NSCopying, NSCoding>
     37 - (void)getValue:(void *)value;
     38 @end
     39 @interface NSNumber : NSValue
     40 - (char)charValue;
     41 - (id)initWithBool:(BOOL)value;
     42 @end
     43 @interface NSAssertionHandler : NSObject {}
     44 + (NSAssertionHandler *)currentHandler;
     45 - (void)handleFailureInMethod:(SEL)selector object:(id)object file:(NSString *)fileName lineNumber:(NSInteger)line description:(NSString *)format,...;
     46 @end
     47 extern NSString * const NSConnectionReplyMode;
     48 typedef float CGFloat;
     49 typedef struct _NSPoint {
     50     CGFloat x;
     51     CGFloat y;
     52 } NSPoint;
     53 typedef struct _NSSize {
     54     CGFloat width;
     55     CGFloat height;
     56 } NSSize;
     57 typedef struct _NSRect {
     58     NSPoint origin;
     59     NSSize size;
     60 } NSRect;
     61 
     62 // Reduced test case from crash in <rdar://problem/6253157>
     63 @interface A @end
     64 @implementation A
     65 - (void)foo:(void (^)(NSObject *x))block {
     66   if (!((block != ((void *)0)))) {}
     67 }
     68 @end
     69 
     70 // Reduced test case from crash in PR 2796;
     71 //  http://llvm.org/bugs/show_bug.cgi?id=2796
     72 
     73 unsigned foo(unsigned x) { return __alignof__((x)) + sizeof(x); }
     74 
     75 // Improvement to path-sensitivity involving compound assignments.
     76 //  Addresses false positive in <rdar://problem/6268365>
     77 //
     78 
     79 unsigned r6268365Aux();
     80 
     81 void r6268365() {
     82   unsigned x = 0;
     83   x &= r6268365Aux(); // expected-warning{{The left operand to '&=' is always 0}}
     84   unsigned j = 0;
     85     
     86   if (x == 0) ++j;
     87   if (x == 0) x = x / j; // expected-warning{{Assigned value is always the same as the existing value}} expected-warning{{The right operand to '/' is always 1}}
     88 }
     89 
     90 void divzeroassume(unsigned x, unsigned j) {  
     91   x /= j;  
     92   if (j == 0) x /= 0;     // no static-analyzer warning    expected-warning {{division by zero is undefined}}
     93   if (j == 0) x /= j;     // no static-analyzer warning
     94   if (j == 0) x = x / 0;  // no static-analyzer warning    expected-warning {{division by zero is undefined}}
     95 }
     96 
     97 void divzeroassumeB(unsigned x, unsigned j) {  
     98   x = x / j;  
     99   if (j == 0) x /= 0;     // no static-analyzer warning     expected-warning {{division by zero is undefined}}
    100   if (j == 0) x /= j;     // no static-analyzer warning
    101   if (j == 0) x = x / 0;  // no static-analyzer warning     expected-warning {{division by zero is undefined}}
    102 }
    103 
    104 // InitListExpr processing
    105 
    106 typedef float __m128 __attribute__((__vector_size__(16), __may_alias__));
    107 __m128 return128() {
    108   // This compound literal has a Vector type.  We currently just
    109   // return UnknownVal.
    110   return __extension__(__m128) { 0.0f, 0.0f, 0.0f, 0.0f };
    111 }
    112 
    113 typedef long long __v2di __attribute__ ((__vector_size__ (16)));
    114 typedef long long __m128i __attribute__ ((__vector_size__ (16), __may_alias__));
    115 __m128i vec128i(long long __q1, long long __q0) {
    116   // This compound literal returns true for both isVectorType() and 
    117   // isIntegerType().
    118   return __extension__ (__m128i)(__v2di){ __q0, __q1 };
    119 }
    120 
    121 // Zero-sized VLAs.
    122 void check_zero_sized_VLA(int x) {
    123   if (x)
    124     return;
    125 
    126   int vla[x]; // expected-warning{{Declared variable-length array (VLA) has zero size}}
    127 }
    128 
    129 void check_uninit_sized_VLA() {
    130   int x;
    131   int vla[x]; // expected-warning{{Declared variable-length array (VLA) uses a garbage value as its size}}
    132 }
    133 
    134 // sizeof(void)
    135 // - Tests a regression reported in PR 3211: http://llvm.org/bugs/show_bug.cgi?id=3211
    136 void handle_sizeof_void(unsigned flag) {
    137   int* p = 0;
    138 
    139   if (flag) {
    140     if (sizeof(void) == 1)
    141       return;
    142     // Infeasible.
    143     *p = 1; // no-warning
    144   }
    145   
    146   void* q;
    147   
    148   if (!flag) {
    149     if (sizeof(*q) == 1)
    150       return;
    151     // Infeasibe.
    152     *p = 1; // no-warning
    153   }
    154     
    155   // Infeasible.
    156   *p = 1; // no-warning
    157 }
    158 
    159 // check deference of undefined values
    160 void check_deref_undef(void) {
    161   int *p;
    162   *p = 0xDEADBEEF; // expected-warning{{Dereference of undefined pointer value}}
    163 }
    164 
    165 // PR 3422
    166 void pr3422_helper(char *p);
    167 void pr3422() {
    168   char buf[100];
    169   char *q = &buf[10];
    170   pr3422_helper(&q[1]);
    171 }
    172 
    173 // PR 3543 (handle empty statement expressions)
    174 void pr_3543(void) {
    175   ({});
    176 }
    177 
    178 // <rdar://problem/6611677>
    179 // This test case test the use of a vector type within an array subscript
    180 // expression.
    181 typedef long long __a64vector __attribute__((__vector_size__(8)));
    182 typedef long long __a128vector __attribute__((__vector_size__(16)));
    183 static inline __a64vector __attribute__((__always_inline__, __nodebug__))  
    184 my_test_mm_movepi64_pi64(__a128vector a) {
    185   return (__a64vector)a[0];
    186 }
    187 
    188 // Test basic tracking of ivars associated with 'self'.
    189 @interface SelfIvarTest : NSObject {
    190   int flag;
    191 }
    192 - (void)test_self_tracking;
    193 @end
    194 
    195 @implementation SelfIvarTest
    196 - (void)test_self_tracking {
    197   char *p = 0;
    198   char c;
    199 
    200   if (flag)
    201     p = "hello";
    202 
    203   if (flag)
    204     c = *p; // no-warning
    205 }
    206 @end
    207 
    208 // PR 3770
    209 char pr3770(int x) {
    210   int y = x & 0x2;
    211   char *p = 0;
    212   if (y == 1)
    213     p = "hello";
    214 
    215   if (y == 1)
    216     return p[0]; // no-warning
    217     
    218   return 'a';
    219 }
    220 
    221 // PR 3772
    222 // - We just want to test that this doesn't crash the analyzer.
    223 typedef struct st ST;
    224 struct st { char *name; };
    225 extern ST *Cur_Pu;
    226 
    227 void pr3772(void)
    228 {
    229   static ST *last_Cur_Pu;
    230   if (last_Cur_Pu == Cur_Pu) {
    231     return;
    232   } 
    233 }
    234 
    235 // PR 3780 - This tests that StmtIterator isn't broken for VLAs in DeclGroups.
    236 void pr3780(int sz) { typedef double MAT[sz][sz]; }
    237 
    238 // <rdar://problem/6695527> - Test that we don't symbolicate doubles before
    239 // we are ready to do something with them.
    240 int rdar6695527(double x) {
    241   if (!x) { return 0; }
    242   return 1;
    243 }
    244 
    245 // <rdar://problem/6708148> - Test that we properly invalidate structs
    246 //  passed-by-reference to a function.
    247 void pr6708148_invalidate(NSRect *x);
    248 void pr6708148_use(NSRect x);
    249 void pr6708148_test(void) {
    250   NSRect x;
    251   pr6708148_invalidate(&x);
    252   pr6708148_use(x); // no-warning
    253 }
    254 
    255 // Handle both kinds of noreturn attributes for pruning paths.
    256 void rdar_6777003_noret() __attribute__((noreturn));
    257 void rdar_6777003_analyzer_noret() __attribute__((analyzer_noreturn));
    258 
    259 void rdar_6777003(int x) {
    260   int *p = 0;
    261   
    262   if (x == 1) {
    263     rdar_6777003_noret();
    264     *p = 1; // no-warning;    
    265   }
    266   
    267   if (x == 2) {
    268     rdar_6777003_analyzer_noret();
    269     *p = 1; // no-warning;
    270   }
    271   
    272   *p = 1; // expected-warning{{Dereference of null pointer}}  
    273 }
    274 
    275 // Check that the pointer-to-conts arguments do not get invalidated by Obj C 
    276 // interfaces. radar://10595327
    277 int rdar_10595327(char *str) {
    278   char fl = str[0]; 
    279   int *p = 0;
    280   NSString *s = [NSString stringWithUTF8String:str];
    281   if (str[0] != fl)
    282       return *p; // no-warning
    283   return 0;
    284 }
    285 
    286 // For pointer arithmetic, --/++ should be treated as preserving non-nullness,
    287 // regardless of how well the underlying StoreManager reasons about pointer
    288 // arithmetic.
    289 // <rdar://problem/6777209>
    290 void rdar_6777209(char *p) {
    291   if (p == 0)
    292     return;
    293   
    294   ++p;
    295   
    296   // This branch should always be infeasible.
    297   if (p == 0)
    298     *p = 'c'; // no-warning
    299 }
    300 
    301 // PR 4033.  A symbolic 'void *' pointer can be used as the address for a
    302 // computed goto.
    303 typedef void *Opcode;
    304 Opcode pr_4033_getOpcode();
    305 void pr_4033(void) {
    306   void *lbl = &&next_opcode;
    307 next_opcode:
    308   {
    309     Opcode op = pr_4033_getOpcode();
    310     if (op) goto *op;
    311   }
    312 }
    313 
    314 // Test invalidating pointers-to-pointers with slightly different types.  This
    315 // example came from a recent false positive due to a regression where the
    316 // branch condition was falsely reported as being uninitialized.
    317 void invalidate_by_ref(char **x);
    318 int test_invalidate_by_ref() {
    319   unsigned short y;
    320   invalidate_by_ref((char**) &y);
    321   if (y) // no-warning
    322     return 1;
    323   return 0;  
    324 }
    325 
    326 // Test for <rdar://problem/7027684>.  This just tests that the CFG is
    327 // constructed correctly.  Previously, the successor block of the entrance
    328 // was the block containing the merge for '?', which would trigger an
    329 // assertion failure.
    330 int rdar_7027684_aux();
    331 int rdar_7027684_aux_2() __attribute__((noreturn));
    332 void rdar_7027684(int x, int y) {
    333   {}; // this empty compound statement is critical.
    334   (rdar_7027684_aux() ? rdar_7027684_aux_2() : (void) 0);
    335 }
    336 
    337 // Test that we handle casts of string literals to arbitrary types.
    338 unsigned const char *string_literal_test1() {
    339   return (const unsigned char*) "hello";
    340 }
    341 
    342 const float *string_literal_test2() {
    343   return (const float*) "hello";
    344 }
    345 
    346 // Test that we handle casts *from* incomplete struct types.
    347 extern const struct _FooAssertStruct _cmd;
    348 void test_cast_from_incomplete_struct_aux(volatile const void *x);
    349 void test_cast_from_incomplete_struct() {
    350   test_cast_from_incomplete_struct_aux(&_cmd);
    351 }
    352 
    353 // Test for <rdar://problem/7034511> 
    354 //  "ValueManager::makeIntVal(uint64_t X, QualType T) should return a 'Loc' 
    355 //   when 'T' is a pointer"
    356 //
    357 // Previously this case would crash.
    358 void test_rdar_7034511(NSArray *y) {
    359   NSObject *x;
    360   for (x in y) {}
    361   if (x == ((void*) 0)) {}
    362 }
    363 
    364 // Handle casts of function pointers (CodeTextRegions) to arbitrary pointer
    365 // types. This was previously causing a crash in CastRegion.
    366 void handle_funcptr_voidptr_casts() {
    367   void **ptr;
    368   typedef void *PVOID;
    369   typedef void *PCHAR;  
    370   typedef long INT_PTR, *PINT_PTR;
    371   typedef INT_PTR (*FARPROC)();
    372   FARPROC handle_funcptr_voidptr_casts_aux();
    373   PVOID handle_funcptr_voidptr_casts_aux_2(PVOID volatile *x);
    374   PVOID handle_funcptr_voidptr_casts_aux_3(PCHAR volatile *x);  
    375   
    376   ptr = (void**) handle_funcptr_voidptr_casts_aux();
    377   handle_funcptr_voidptr_casts_aux_2(ptr);
    378   handle_funcptr_voidptr_casts_aux_3(ptr);
    379 }
    380 
    381 // RegionStore::Retrieve previously crashed on this example.  This example
    382 // was previously in the test file 'xfail_regionstore_wine_crash.c'.
    383 void testA() {
    384   long x = 0;
    385   char *y = (char *) &x;
    386   if (!*y)
    387     return;
    388 }
    389 
    390 // RegionStoreManager previously crashed on this example.  The problem is that
    391 // the value bound to the field of b->grue after the call to testB_aux is
    392 // a symbolic region.  The second '*__gruep__' involves performing a load
    393 // from a 'int*' that really is a 'void**'.  The loaded location must be
    394 // implicitly converted to an integer that wraps a location.  Previosly we would
    395 // get a crash here due to an assertion failure.
    396 typedef struct _BStruct { void *grue; } BStruct;
    397 void testB_aux(void *ptr);
    398 void testB(BStruct *b) {
    399   {
    400     int *__gruep__ = ((int *)&((b)->grue));
    401     int __gruev__ = *__gruep__;
    402     testB_aux(__gruep__);
    403   }
    404   {
    405     int *__gruep__ = ((int *)&((b)->grue));
    406     int __gruev__ = *__gruep__;
    407     if (~0 != __gruev__) {}
    408   }
    409 }
    410 
    411 void test_trivial_symbolic_comparison(int *x) {
    412   int test_trivial_symbolic_comparison_aux();
    413   int a = test_trivial_symbolic_comparison_aux();
    414   int b = a;
    415   if (a != b) { // expected-warning{{Both operands to '!=' always have the same value}}
    416     int *p = 0;
    417     *p = 0xDEADBEEF;     // no-warning
    418   }
    419   
    420   a = a == 1;
    421   b = b == 1;
    422   if (a != b) { // expected-warning{{Both operands to '!=' always have the same value}}
    423     int *p = 0;
    424     *p = 0xDEADBEEF;     // no-warning
    425   }
    426 }
    427 
    428 // Test for:
    429 //  <rdar://problem/7062158> false positive null dereference due to
    430 //   BasicStoreManager not tracking *static* globals
    431 //
    432 // This just tests the proper tracking of symbolic values for globals (both 
    433 // static and non-static).
    434 //
    435 static int* x_rdar_7062158;
    436 void rdar_7062158() {
    437   int *current = x_rdar_7062158;
    438   if (current == x_rdar_7062158)
    439     return;
    440     
    441   int *p = 0;
    442   *p = 0xDEADBEEF; // no-warning  
    443 }
    444 
    445 int* x_rdar_7062158_2;
    446 void rdar_7062158_2() {
    447   int *current = x_rdar_7062158_2;
    448   if (current == x_rdar_7062158_2)
    449     return;
    450     
    451   int *p = 0;
    452   *p = 0xDEADBEEF; // no-warning  
    453 }
    454 
    455 // This test reproduces a case for a crash when analyzing ClamAV using
    456 // RegionStoreManager (the crash doesn't exhibit in BasicStoreManager because
    457 // it isn't doing anything smart about arrays).  The problem is that on the
    458 // second line, 'p = &p[i]', p is assigned an ElementRegion whose index
    459 // is a 16-bit integer.  On the third line, a new ElementRegion is created
    460 // based on the previous region, but there the region uses a 32-bit integer,
    461 // resulting in a clash of values (an assertion failure at best).  We resolve
    462 // this problem by implicitly converting index values to 'int' when the
    463 // ElementRegion is created.
    464 unsigned char test_array_index_bitwidth(const unsigned char *p) {
    465   unsigned short i = 0;
    466   for (i = 0; i < 2; i++) p = &p[i];
    467   return p[i+1];
    468 }
    469 
    470 // This case tests that CastRegion handles casts involving BlockPointerTypes.
    471 // It should not crash.
    472 void test_block_cast() {
    473   id test_block_cast_aux();
    474   (void (^)(void *))test_block_cast_aux(); // expected-warning{{expression result unused}}
    475 }
    476 
    477 int OSAtomicCompareAndSwap32Barrier();
    478 
    479 // Test comparison of 'id' instance variable to a null void* constant after
    480 // performing an OSAtomicCompareAndSwap32Barrier.
    481 // This previously was a crash in RegionStoreManager.
    482 @interface TestIdNull {
    483   id x;
    484 }
    485 -(int)foo;
    486 @end
    487 @implementation TestIdNull
    488 -(int)foo {
    489   OSAtomicCompareAndSwap32Barrier(0, (signed)2, (signed*)&x);  
    490   if (x == (void*) 0) { return 0; }
    491   return 1;
    492 }
    493 @end
    494 
    495 // Do not crash when performing compare and swap on symbolic values.
    496 typedef int int32_t;
    497 typedef int int32;
    498 typedef int32 Atomic32;
    499 int OSAtomicCompareAndSwap32( int32_t __oldValue, int32_t __newValue, volatile int32_t *__theValue);
    500 void radar11390991_NoBarrier_CompareAndSwap(volatile Atomic32 *ptr,
    501                               Atomic32 old_value,
    502                               Atomic32 new_value) {
    503   OSAtomicCompareAndSwap32(old_value, new_value, ptr);
    504 }
    505 
    506 // PR 4594 - This was a crash when handling casts in SimpleSValuator.
    507 void PR4594() {
    508   char *buf[1];
    509   char **foo = buf;
    510   *foo = "test";
    511 }
    512 
    513 // Test invalidation logic where an integer is casted to an array with a
    514 // different sign and then invalidated.
    515 void test_invalidate_cast_int() {
    516   void test_invalidate_cast_int_aux(unsigned *i);
    517   signed i;  
    518   test_invalidate_cast_int_aux((unsigned*) &i);
    519   if (i < 0)
    520     return;
    521 }
    522 
    523 int ivar_getOffset();
    524 
    525 // Reduced from a crash involving the cast of an Objective-C symbolic region to
    526 // 'char *'
    527 static NSNumber *test_ivar_offset(id self, SEL _cmd, Ivar inIvar) {
    528   return [[[NSNumber allocWithZone:((void*)0)] initWithBool:*(_Bool *)((char *)self + ivar_getOffset(inIvar))] autorelease];
    529 }
    530 
    531 // Reduced from a crash in StoreManager::CastRegion involving a divide-by-zero.
    532 // This resulted from not properly handling region casts to 'const void*'.
    533 void test_cast_const_voidptr() {
    534   char x[10];
    535   char *p = &x[1];
    536   const void* q = p;
    537 }
    538 
    539 // Reduced from a crash when analyzing Wine.  This test handles loads from
    540 // function addresses.
    541 typedef long (*FARPROC)();
    542 FARPROC test_load_func(FARPROC origfun) {
    543   if (!*(unsigned char*) origfun)
    544     return origfun;
    545   return 0;
    546 }
    547 
    548 // Test passing-by-value an initialized struct variable.
    549 struct test_pass_val {
    550   int x;
    551   int y;
    552 };
    553 void test_pass_val_aux(struct test_pass_val s);
    554 void test_pass_val() {
    555   struct test_pass_val s;
    556   s.x = 1;
    557   s.y = 2;
    558   test_pass_val_aux(s);
    559 }
    560 
    561 // This is a reduced test case of a false positive that previously appeared
    562 // in RegionStoreManager.  Previously the array access resulted in dereferencing
    563 // an undefined value.
    564 int test_array_compound(int *q, int *r, int *z) {
    565   int *array[] = { q, r, z };
    566   int j = 0;
    567   for (unsigned i = 0; i < 3 ; ++i)
    568     if (*array[i]) ++j; // no-warning
    569   return j;
    570 }
    571 
    572 // symbolic value stored in 'x' wouldn't be implicitly casted to a signed value
    573 // during the comparison.
    574 int rdar_7124210(unsigned int x) {
    575   enum { SOME_CONSTANT = 123 };
    576   int compare = ((signed) SOME_CONSTANT) == *((signed *) &x);
    577   return compare ? 0 : 1; // Forces the evaluation of the symbolic constraint.
    578 }
    579 
    580 void pr4781(unsigned long *raw1) {
    581   unsigned long *cook, *raw0;
    582   unsigned long dough[32];
    583   int i;
    584   cook = dough;
    585   for( i = 0; i < 16; i++, raw1++ ) {
    586     raw0 = raw1++;
    587     *cook = (*raw0 & 0x00fc0000L) << 6;
    588     *cook |= (*raw0 & 0x00000fc0L) << 10;
    589   }
    590 }
    591 
    592 // <rdar://problem/7185647> - 'self' should be treated as being non-null
    593 // upon entry to an objective-c method.
    594 @interface RDar7185647
    595 - (id)foo;
    596 @end
    597 @implementation RDar7185647
    598 - (id) foo {
    599   if (self)
    600     return self;
    601   *((volatile int *) 0x0) = 0xDEADBEEF; // no-warning
    602   return self;
    603 }
    604 @end
    605 
    606 // Test reasoning of __builtin_offsetof;
    607 struct test_offsetof_A {
    608   int x;
    609   int y;
    610 };
    611 struct test_offsetof_B {
    612   int w;
    613   int z;
    614 };
    615 void test_offsetof_1() {
    616   if (__builtin_offsetof(struct test_offsetof_A, x) ==
    617       __builtin_offsetof(struct test_offsetof_B, w))
    618     return;
    619   int *p = 0;
    620   *p = 0xDEADBEEF; // no-warning
    621 }
    622 void test_offsetof_2() {
    623   if (__builtin_offsetof(struct test_offsetof_A, y) ==
    624       __builtin_offsetof(struct test_offsetof_B, z))
    625     return;
    626   int *p = 0;
    627   *p = 0xDEADBEEF; // no-warning
    628 }
    629 void test_offsetof_3() {
    630   if (__builtin_offsetof(struct test_offsetof_A, y) -
    631       __builtin_offsetof(struct test_offsetof_A, x)
    632       ==
    633       __builtin_offsetof(struct test_offsetof_B, z) -
    634       __builtin_offsetof(struct test_offsetof_B, w))
    635     return;
    636   int *p = 0;
    637   *p = 0xDEADBEEF; // no-warning
    638 }
    639 void test_offsetof_4() {
    640   if (__builtin_offsetof(struct test_offsetof_A, y) ==
    641       __builtin_offsetof(struct test_offsetof_B, w))
    642     return;
    643   int *p = 0;
    644   *p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}}
    645 }
    646 
    647 // <rdar://problem/6829164> "nil receiver" false positive: make tracking 
    648 // of the MemRegion for 'self' path-sensitive
    649 @interface RDar6829164 : NSObject {
    650   double x; int y;
    651 }
    652 - (id) init;
    653 @end
    654 
    655 id rdar_6829164_1();
    656 double rdar_6829164_2();
    657 
    658 @implementation RDar6829164
    659 - (id) init {
    660   if((self = [super init]) != 0) {
    661     id z = rdar_6829164_1();
    662     y = (z != 0);
    663     if (y)
    664       x = rdar_6829164_2();
    665   }
    666   return self;
    667 }
    668 @end
    669 
    670 // <rdar://problem/7242015> - Invalidate values passed-by-reference
    671 // to functions when the pointer to the value is passed as an integer.
    672 void test_7242015_aux(unsigned long);
    673 int rdar_7242015() {
    674   int x;
    675   test_7242015_aux((unsigned long) &x); // no-warning
    676   return x; // Previously we return and uninitialized value when
    677             // using RegionStore.
    678 }
    679 
    680 // <rdar://problem/7242006> [RegionStore] compound literal assignment with
    681 //  floats not honored
    682 CGFloat rdar7242006(CGFloat x) {
    683   NSSize y = (NSSize){x, 10};
    684   return y.width; // no-warning
    685 }
    686 
    687 // PR 4988 - This test exhibits a case where a function can be referenced
    688 //  when not explicitly used in an "lvalue" context (as far as the analyzer is
    689 //  concerned). This previously triggered a crash due to an invalid assertion.
    690 void pr_4988(void) {
    691   pr_4988; // expected-warning{{expression result unused}}
    692 }
    693 
    694 // <rdar://problem/7152418> - A 'signed char' is used as a flag, which is
    695 //  implicitly converted to an int.
    696 void *rdar7152418_bar();
    697 @interface RDar7152418 {
    698   signed char x;
    699 }
    700 -(char)foo;
    701 @end;
    702 @implementation RDar7152418
    703 -(char)foo {
    704   char *p = 0;
    705   void *result = 0;
    706   if (x) {
    707     result = rdar7152418_bar();
    708     p = "hello";
    709   }
    710   if (!result) {
    711     result = rdar7152418_bar();
    712     if (result && x)
    713       return *p; // no-warning
    714   }
    715   return 1;
    716 }
    717 
    718 //===----------------------------------------------------------------------===//
    719 // Test constant-folding of symbolic values, automatically handling type
    720 // conversions of the symbol as necessary.
    721 //===----------------------------------------------------------------------===//
    722 
    723 // Previously this would crash once we started eagerly evaluating symbols whose 
    724 // values were constrained to a single value.
    725 void test_symbol_fold_1(signed char x) {
    726   while (1) {
    727     if (x == ((signed char) 0)) {}
    728   }
    729 }
    730 
    731 // This previously caused a crash because it triggered an assertion in APSInt.
    732 void test_symbol_fold_2(unsigned int * p, unsigned int n,
    733                         const unsigned int * grumpkin, unsigned int dn) {
    734   unsigned int i;
    735   unsigned int tempsub[8];
    736   unsigned int *solgrumpkin = tempsub + n;
    737   for (i = 0; i < n; i++)
    738     solgrumpkin[i] = (i < dn) ? ~grumpkin[i] : 0xFFFFFFFF;
    739   for (i <<= 5; i < (n << 5); i++) {}
    740 }
    741 
    742 // This previously caused a crash because it triggered an assertion in APSInt.
    743 // 'x' would evaluate to a 8-bit constant (because of the return value of
    744 // test_symbol_fold_3_aux()) which would not get properly promoted to an
    745 // integer.
    746 char test_symbol_fold_3_aux(void);
    747 unsigned test_symbol_fold_3(void) {
    748   unsigned x = test_symbol_fold_3_aux();
    749   if (x == 54)
    750     return (x << 8) | 0x5;
    751   return 0;
    752 } 
    753 
    754 //===----------------------------------------------------------------------===//
    755 // Tests for the warning of casting a non-struct type to a struct type
    756 //===----------------------------------------------------------------------===//
    757 
    758 typedef struct {unsigned int v;} NSSwappedFloat;
    759 
    760 NSSwappedFloat test_cast_nonstruct_to_struct(float x) {
    761   struct hodor {
    762     float number;
    763     NSSwappedFloat sf;
    764   };
    765   return ((struct hodor *)&x)->sf; // expected-warning{{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption}}
    766 }
    767 
    768 NSSwappedFloat test_cast_nonstruct_to_union(float x) {
    769   union bran {
    770     float number;
    771     NSSwappedFloat sf;
    772   };
    773   return ((union bran *)&x)->sf; // no-warning
    774 }
    775 
    776 void test_undefined_array_subscript() {
    777   int i, a[10];
    778   int *p = &a[i]; // expected-warning{{Array subscript is undefined}}
    779 }
    780 @end
    781 
    782 //===----------------------------------------------------------------------===//
    783 // Test using an uninitialized value as a branch condition.
    784 //===----------------------------------------------------------------------===//
    785 
    786 int test_uninit_branch(void) {
    787   int x;
    788   if (x) // expected-warning{{Branch condition evaluates to a garbage value}}
    789     return 1;
    790   return 0; 
    791 }
    792 
    793 int test_uninit_branch_b(void) {
    794   int x;
    795   return x ? 1 : 0; // expected-warning{{Branch condition evaluates to a garbage value}}
    796 }
    797 
    798 int test_uninit_branch_c(void) {
    799   int x;
    800   if ((short)x) // expected-warning{{Branch condition evaluates to a garbage value}}
    801     return 1;
    802   return 0; 
    803 }
    804 
    805 //===----------------------------------------------------------------------===//
    806 // Test passing an undefined value in a message or function call.
    807 //===----------------------------------------------------------------------===//
    808 
    809 void test_bad_call_aux(int x);
    810 void test_bad_call(void) {
    811   int y;
    812   test_bad_call_aux(y); // expected-warning{{Function call argument is an uninitialized value}}
    813 }
    814 
    815 @interface TestBadArg {}
    816 - (void) testBadArg:(int) x;
    817 @end
    818 
    819 void test_bad_msg(TestBadArg *p) {
    820   int y;
    821   [p testBadArg:y]; // expected-warning{{Argument in message expression is an uninitialized value}}
    822 }
    823 
    824 //===----------------------------------------------------------------------===//
    825 // PR 6033 - Test emitting the correct output in a warning where we use '%'
    826 //  with operands that are undefined.
    827 //===----------------------------------------------------------------------===//
    828 
    829 int pr6033(int x) {
    830   int y;
    831   return x % y; // expected-warning{{The right operand of '%' is a garbage value}}
    832 }
    833 
    834 struct trie {
    835   struct trie* next;
    836 };
    837 
    838 struct kwset {
    839   struct trie *trie;
    840   unsigned char y[10];
    841   struct trie* next[10];
    842   int d;
    843 };
    844 
    845 typedef struct trie trie_t;
    846 typedef struct kwset kwset_t;
    847 
    848 void f(kwset_t *kws, char const *p, char const *q) {
    849   struct trie const *trie;
    850   struct trie * const *next = kws->next;
    851   register unsigned char c;
    852   register char const *end = p;
    853   register char const *lim = q;
    854   register int d = 1;
    855   register unsigned char const *y = kws->y;
    856 
    857   d = y[c = (end+=d)[-1]]; // no-warning
    858   trie = next[c];
    859 }
    860 
    861 //===----------------------------------------------------------------------===//
    862 // <rdar://problem/7593875> When handling sizeof(VLA) it leads to a hole in
    863 // the ExplodedGraph (causing a false positive)
    864 //===----------------------------------------------------------------------===//
    865 
    866 int rdar_7593875_aux(int x);
    867 int rdar_7593875(int n) {
    868   int z[n > 10 ? 10 : n]; // VLA.
    869   int v;
    870   v = rdar_7593875_aux(sizeof(z));
    871   // Previously we got a false positive about 'v' being uninitialized.
    872   return v; // no-warning
    873 }
    874 
    875 //===----------------------------------------------------------------------===//
    876 // Handle casts from symbolic regions (packaged as integers) to doubles.
    877 // Previously this caused an assertion failure.
    878 //===----------------------------------------------------------------------===//
    879 
    880 void *foo_rev95119();
    881 void baz_rev95119(double x);
    882 void bar_rev95119() {
    883   // foo_rev95119() returns a symbolic pointer.  It is then 
    884   // cast to an int which is then cast to a double.
    885   int value = (int) foo_rev95119();
    886   baz_rev95119((double)value);
    887 }
    888 
    889 //===----------------------------------------------------------------------===//
    890 // Handle loading a symbolic pointer from a symbolic region that was
    891 // invalidated by a call to an unknown function.
    892 //===----------------------------------------------------------------------===//
    893 
    894 void bar_rev95192(int **x);
    895 void foo_rev95192(int **x) {
    896   *x = 0;
    897   bar_rev95192(x);
    898   // Not a null dereference.
    899   **x = 1; // no-warning
    900 }
    901 
    902 //===----------------------------------------------------------------------===//
    903 // Handle casts of a function to a function pointer with a different return
    904 // value.  We don't yet emit an error for such cases, but we now we at least
    905 // don't crash when the return value gets interpreted in a way that
    906 // violates our invariants.
    907 //===----------------------------------------------------------------------===//
    908 
    909 void *foo_rev95267();
    910 int bar_rev95267() {
    911   char (*Callback_rev95267)(void) = (char (*)(void)) foo_rev95267;
    912   if ((*Callback_rev95267)() == (char) 0)
    913     return 1;
    914   return 0;
    915 }
    916 
    917 // Same as previous case, but handle casts to 'void'.
    918 int bar_rev95274() {
    919   void (*Callback_rev95274)(void) = (void (*)(void)) foo_rev95267;
    920   (*Callback_rev95274)();
    921   return 0;
    922 }
    923 
    924 void rdar7582031_test_static_init_zero() {
    925   static unsigned x;
    926   if (x == 0)
    927     return;
    928   int *p = 0;
    929   *p = 0xDEADBEEF;
    930 }
    931 void rdar7582031_test_static_init_zero_b() {
    932   static void* x;
    933   if (x == 0)
    934     return;
    935   int *p = 0;
    936   *p = 0xDEADBEEF;
    937 }
    938 
    939 //===----------------------------------------------------------------------===//
    940 // Test handling of parameters that are structs that contain floats and       //
    941 // nested fields.                                                             //
    942 //===----------------------------------------------------------------------===//
    943 
    944 struct s_rev95547_nested { float x, y; };
    945 struct s_rev95547 {
    946   struct s_rev95547_nested z1;
    947   struct s_rev95547_nested z2;
    948 };
    949 float foo_rev95547(struct s_rev95547 w) {
    950   return w.z1.x + 20.0; // no-warning
    951 }
    952 void foo_rev95547_b(struct s_rev95547 w) {
    953   struct s_rev95547 w2 = w;
    954   w2.z1.x += 20.0; // no-warning
    955 }
    956 
    957 //===----------------------------------------------------------------------===//
    958 // Test handling statement expressions that don't populate a CFG block that
    959 // is used to represent the computation of the RHS of a logical operator.
    960 // This previously triggered a crash.
    961 //===----------------------------------------------------------------------===//
    962 
    963 void pr6938() {
    964   if (1 && ({
    965     while (0);
    966     0;
    967   }) == 0) {
    968   }
    969 }
    970 
    971 void pr6938_b() {
    972   if (1 && *({ // expected-warning{{Dereference of null pointer}}
    973     while (0) {}
    974     ({
    975       (int *) 0;
    976     });
    977   }) == 0) {
    978   }
    979 }
    980 
    981 //===----------------------------------------------------------------------===//
    982 // <rdar://problem/7979430> - The CFG for code containing an empty
    983 //  @synchronized block was previously broken (and would crash the analyzer).
    984 //===----------------------------------------------------------------------===//
    985 
    986 void r7979430(id x) {
    987   @synchronized(x) {}
    988 }
    989 
    990 //===----------------------------------------------------------------------===
    991 // PR 7361 - Test that functions wrapped in macro instantiations are analyzed.
    992 //===----------------------------------------------------------------------===
    993 #define MAKE_TEST_FN() \
    994   void test_pr7361 (char a) {\
    995     char* b = 0x0;  *b = a;\
    996   }
    997 
    998 MAKE_TEST_FN() // expected-warning{{null pointer}}
    999 
   1000 //===----------------------------------------------------------------------===
   1001 // PR 7491 - Test that symbolic expressions can be used as conditions.
   1002 //===----------------------------------------------------------------------===
   1003 
   1004 void pr7491 () {
   1005   extern int getint();
   1006   int a = getint()-1;
   1007   if (a) {
   1008     return;
   1009   }
   1010   if (!a) {
   1011     return;
   1012   } else {
   1013     // Should be unreachable
   1014     (void)*(char*)0; // no-warning
   1015   }
   1016 }
   1017 
   1018 //===----------------------------------------------------------------------===
   1019 // PR 7475 - Test that assumptions about global variables are reset after
   1020 //  calling a global function.
   1021 //===----------------------------------------------------------------------===
   1022 
   1023 int *pr7475_someGlobal;
   1024 void pr7475_setUpGlobal();
   1025 
   1026 void pr7475() {
   1027   if (pr7475_someGlobal == 0)
   1028     pr7475_setUpGlobal();
   1029   *pr7475_someGlobal = 0; // no-warning
   1030 }
   1031 
   1032 void pr7475_warn() {
   1033   static int *someStatic = 0;
   1034   if (someStatic == 0)
   1035     pr7475_setUpGlobal();
   1036   *someStatic = 0; // expected-warning{{null pointer}}
   1037 }
   1038 
   1039 // <rdar://problem/8202272> - __imag passed non-complex should not crash
   1040 float f0(_Complex float x) {
   1041   float l0 = __real x;
   1042   return  __real l0 + __imag l0;
   1043 }
   1044 
   1045 
   1046 //===----------------------------------------------------------------------===
   1047 // Test that we can reduce symbols to constants whether they are on the left
   1048 //  or right side of an expression.
   1049 //===----------------------------------------------------------------------===
   1050 
   1051 void reduce_to_constant(int x, int y) {
   1052   if (x != 20)
   1053     return;
   1054 
   1055   int a = x + y;
   1056   int b = y + x;
   1057 
   1058   if (y == -20 && a != 0)
   1059     (void)*(char*)0; // no-warning
   1060   if (y == -20 && b != 0)
   1061     (void)*(char*)0; // no-warning
   1062 }
   1063 
   1064 // <rdar://problem/8360854> - Test that code after a switch statement with no 
   1065 // 'case:' labels is correctly evaluated.
   1066 void r8360854(int n) {
   1067   switch (n) {
   1068    default: ;
   1069   }
   1070   int *p = 0;
   1071   *p = 0xDEADBEEF; // expected-warning{{null pointer}}
   1072 }
   1073 
   1074 // PR 8050 - crash in CastSizeChecker when pointee is an incomplete type
   1075 typedef long unsigned int __darwin_size_t;
   1076 typedef __darwin_size_t size_t;
   1077 void *malloc(size_t);
   1078 
   1079 struct PR8050;
   1080 
   1081 void pr8050(struct PR8050 **arg)
   1082 {
   1083     *arg = malloc(1);
   1084 }
   1085 
   1086 // <rdar://problem/5880430> Switch on enum should not consider default case live
   1087 //  if all enum values are covered
   1088 enum Cases { C1, C2, C3, C4 };
   1089 void test_enum_cases(enum Cases C) {
   1090   switch (C) {
   1091   case C1:
   1092   case C2:
   1093   case C4:
   1094   case C3:
   1095     return;
   1096   }
   1097   int *p = 0;
   1098   *p = 0xDEADBEEF; // no-warning
   1099 }
   1100 
   1101 void test_enum_cases_positive(enum Cases C) {
   1102   switch (C) { // expected-warning{{enumeration value 'C4' not handled in switch}}
   1103   case C1:
   1104   case C2:
   1105   case C3:
   1106     return;
   1107   }
   1108   int *p = 0;
   1109   *p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}}
   1110 }
   1111 
   1112 // <rdar://problem/6351970> rule request: warn if synchronization mutex can be nil
   1113 void rdar6351970() {
   1114   id x = 0;
   1115   @synchronized(x) {} // expected-warning{{Nil value used as mutex for @synchronized() (no synchronization will occur)}}
   1116 }
   1117 
   1118 void rdar6351970_b(id x) {
   1119   if (!x)
   1120     @synchronized(x) {} // expected-warning{{Nil value used as mutex for @synchronized() (no synchronization will occur)}}
   1121 }
   1122 
   1123 void rdar6351970_c() {
   1124   id x;
   1125   @synchronized(x) {} // expected-warning{{Uninitialized value used as mutex for @synchronized}}
   1126 }
   1127 
   1128 @interface Rdar8578650
   1129 - (id) foo8578650;
   1130 @end
   1131 
   1132 void rdar8578650(id x) {
   1133   @synchronized (x) {
   1134     [x foo8578650];
   1135   }
   1136   // At this point we should assume that 'x' is not nil, not
   1137   // the inverse.
   1138   @synchronized (x) { // no-warning
   1139   }
   1140 }
   1141 
   1142 // <rdar://problem/6352035> rule request: direct structure member access null pointer dereference
   1143 @interface RDar6352035 {
   1144   int c;
   1145 }
   1146 - (void)foo;
   1147 - (void)bar;
   1148 @end
   1149 
   1150 @implementation RDar6352035
   1151 - (void)foo {
   1152   RDar6352035 *friend = 0;
   1153   friend->c = 7; // expected-warning{{Access to instance variable 'c' results in a dereference of a null pointer (loaded from variable 'friend')}}
   1154 }
   1155 - (void)bar {
   1156   self = 0;
   1157   c = 7; // expected-warning{{Access to instance variable 'c' results in a dereference of a null pointer (loaded from variable 'self')}}
   1158 }
   1159 @end
   1160 
   1161 // PR 8149 - GNU statement expression in condition of ForStmt.
   1162 // This previously triggered an assertion failure in CFGBuilder.
   1163 void pr8149(void) {
   1164   for (; ({ do { } while (0); 0; });) { }
   1165 }
   1166 
   1167 // PR 8458 - Make sure @synchronized doesn't crash with properties.
   1168 @interface PR8458 {}
   1169 @property(readonly) id lock;
   1170 @end
   1171 
   1172 static
   1173 void __PR8458(PR8458 *x) {
   1174   @synchronized(x.lock) {} // no-warning
   1175 }
   1176 
   1177 // PR 8440 - False null dereference during store to array-in-field-in-global.
   1178 // This test case previously resulted in a bogus null deref warning from
   1179 // incorrect lazy symbolication logic in RegionStore.
   1180 static struct {
   1181   int num;
   1182   char **data;
   1183 } saved_pr8440;
   1184 
   1185 char *foo_pr8440();
   1186 char **bar_pr8440();
   1187 void baz_pr8440(int n)
   1188 {
   1189    saved_pr8440.num = n;
   1190    if (saved_pr8440.data) 
   1191      return;
   1192    saved_pr8440.data = bar_pr8440();
   1193    for (int i = 0 ; i < n ; i ++)
   1194      saved_pr8440.data[i] = foo_pr8440(); // no-warning
   1195 }
   1196 
   1197 // Support direct accesses to non-null memory.  Reported in:
   1198 //  PR 5272
   1199 //  <rdar://problem/6839683>
   1200 int test_direct_address_load() {
   1201   int *p = (int*) 0x4000;
   1202   return *p; // no-warning
   1203 }
   1204 
   1205 void pr5272_test() {
   1206   struct pr5272 { int var2; };
   1207   (*(struct pr5272*)0xBC000000).var2 = 0; // no-warning
   1208   (*(struct pr5272*)0xBC000000).var2 += 2; // no-warning
   1209 }
   1210 
   1211 // Support casting the return value of function to another different type
   1212 // This previously caused a crash, although we likely need more precise
   1213 // reasoning here. <rdar://problem/8663544>
   1214 void* rdar8663544();
   1215 typedef struct {} Val8663544;
   1216 Val8663544 bazR8663544() {
   1217   Val8663544(*func) () = (Val8663544(*) ()) rdar8663544;
   1218   return func();
   1219 }
   1220 
   1221 // PR 8619 - Handle ternary expressions with a call to a noreturn function.
   1222 // This previously resulted in a crash.
   1223 void pr8619_noreturn(int x) __attribute__((noreturn));
   1224 
   1225 void pr8619(int a, int b, int c) {
   1226   a ?: pr8619_noreturn(b || c);
   1227 }
   1228 
   1229 
   1230 // PR 8646 - crash in the analyzer when handling unions.
   1231 union pr8648_union {
   1232         signed long long pr8648_union_field;
   1233 };
   1234 void pr8648() {
   1235   long long y;
   1236   union pr8648_union x = { .pr8648_union_field = 0LL };
   1237   y = x.pr8648_union_field;
   1238   
   1239   union pr8648_union z;
   1240   z = (union pr8648_union) { .pr8648_union_field = 0LL };
   1241 
   1242   union pr8648_union w;
   1243   w = ({ (union pr8648_union) { .pr8648_union_field = 0LL }; }); 
   1244 
   1245   // crash, no assignment
   1246   (void) ({ (union pr8648_union) { .pr8648_union_field = 0LL }; }).pr8648_union_field;
   1247 
   1248   // crash with assignment
   1249   y = ({ (union pr8648_union) { .pr8648_union_field = 0LL }; }).pr8648_union_field;
   1250 }
   1251 
   1252 // PR 9269 - don't assert when building the following CFG.  The for statement
   1253 // contains a condition with multiple basic blocks, and the value of the
   1254 // statement expression is then indexed as part of a bigger condition expression.
   1255 // This example exposed a bug in child traversal in the CFGBuilder.
   1256 void pr9269() {
   1257   struct s { char *bar[10]; } baz[2] = { 0 };
   1258   unsigned i = 0;
   1259   for (i = 0;
   1260   (* ({ while(0); ({ &baz[0]; }); })).bar[0] != 0; // expected-warning {{while loop has empty body}} expected-note {{put the semicolon on a separate line to silence this warning}}
   1261        ++i) {}
   1262 }
   1263 
   1264 // Test evaluation of GNU-style ?:.
   1265 int pr9287(int type) { return type ? : 0; } // no-warning
   1266 
   1267 void pr9287_b(int type, int *p) { 
   1268   int x = type ? : 0;
   1269   if (x) {
   1270     p = 0;
   1271   }
   1272   if (type) {
   1273     *p = 0xDEADBEEF; // expected-warning {{null pointer}}
   1274   }
   1275 }
   1276 
   1277 void pr9287_c(int type, int *p) { 
   1278   int x = type ? : 0;
   1279   if (x) {
   1280     p = 0;
   1281   }
   1282   if (!type) {
   1283     *p = 0xDEADBEEF; // no-warning
   1284   }
   1285 }
   1286 
   1287 void test_switch() {
   1288   switch (4) {
   1289     case 1: {
   1290       int *p = 0;
   1291       *p = 0xDEADBEEF; // no-warning
   1292       break;
   1293     }
   1294     case 4: {
   1295       int *p = 0;
   1296       *p = 0xDEADBEEF; // expected-warning {{null}}
   1297       break;
   1298     }
   1299     default: {
   1300       int *p = 0;
   1301       *p = 0xDEADBEEF; // no-warning
   1302       break;
   1303     }
   1304   }
   1305 }
   1306 
   1307 // PR 9467.  Tests various CFG optimizations.  This previously crashed.
   1308 static void test(unsigned int bit_mask)
   1309 {
   1310   unsigned int bit_index;
   1311   for (bit_index = 0;
   1312        bit_index < 24;
   1313        bit_index++) {
   1314     switch ((0x01 << bit_index) & bit_mask) {
   1315     case 0x100000: ;
   1316     }
   1317   }
   1318 }
   1319 
   1320 // Don't crash on code containing __label__.
   1321 int radar9414427_aux();
   1322 void radar9414427() {
   1323   __label__ mylabel;
   1324   if (radar9414427_aux()) {
   1325   mylabel: do {}
   1326   while (0);
   1327   }
   1328 }
   1329 
   1330 // Analyze methods in @implementation (category)
   1331 @interface RDar9465344
   1332 @end
   1333 
   1334 @implementation RDar9465344 (MyCategory)
   1335 - (void) testcategoryImpl {
   1336   int *p = 0x0;
   1337   *p = 0xDEADBEEF; // expected-warning {{null}}
   1338 }
   1339 @end
   1340 
   1341 @implementation RDar9465344
   1342 @end
   1343 
   1344 // Don't crash when analyzing access to 'self' within a block.
   1345 @interface Rdar10380300Base 
   1346 - (void) foo;
   1347 @end
   1348 @interface Rdar10380300 : Rdar10380300Base @end
   1349 @implementation Rdar10380300
   1350 - (void)foo {
   1351   ^{
   1352     [super foo];
   1353   }();
   1354 }
   1355 @end
   1356 
   1357 // Don't crash when a ?: is only preceded by a statement (not an expression)
   1358 // in the CFG.
   1359 void __assert_fail();
   1360 
   1361 enum rdar1196620_e { E_A, E_B, E_C, E_D };
   1362 struct rdar1196620_s { int ints[E_D+1]; };
   1363 
   1364 static void rdar1196620_call_assert(struct rdar1196620_s* s) {
   1365   int i = 0;
   1366   s?(void)0:__assert_fail();
   1367 }
   1368 
   1369 static void rdar1196620(struct rdar1196620_s* s) {
   1370   rdar1196620_call_assert(s);
   1371 }
   1372 
   1373 
   1374