1 // NOTE: Use '-fobjc-gc' to test the analysis being run twice, and multiple reports are not issued. 2 // RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-checker=core,alpha.core,osx.cocoa.AtSync -analyzer-store=region -analyzer-constraints=range -verify -fblocks -Wno-unreachable-code -Wno-null-dereference -Wno-objc-root-class %s 3 // RUN: %clang_cc1 -triple x86_64-apple-darwin10 -analyze -analyzer-checker=core,alpha.core,osx.cocoa.AtSync -analyzer-store=region -analyzer-constraints=range -verify -fblocks -Wno-unreachable-code -Wno-null-dereference -Wno-objc-root-class %s 4 5 #ifndef __clang_analyzer__ 6 #error __clang_analyzer__ not defined 7 #endif 8 9 typedef struct objc_ivar *Ivar; 10 typedef struct objc_selector *SEL; 11 typedef signed char BOOL; 12 typedef int NSInteger; 13 typedef unsigned int NSUInteger; 14 typedef struct _NSZone NSZone; 15 @class NSInvocation, NSArray, NSMethodSignature, NSCoder, NSString, NSEnumerator; 16 @protocol NSObject 17 - (BOOL)isEqual:(id)object; 18 - (id)autorelease; 19 @end 20 @protocol NSCopying 21 - (id)copyWithZone:(NSZone *)zone; 22 @end 23 @protocol NSMutableCopying - (id)mutableCopyWithZone:(NSZone *)zone; @end 24 @protocol NSCoding 25 - (void)encodeWithCoder:(NSCoder *)aCoder; 26 @end 27 @interface NSObject <NSObject> {} 28 - (id)init; 29 + (id)allocWithZone:(NSZone *)zone; 30 @end 31 extern id NSAllocateObject(Class aClass, NSUInteger extraBytes, NSZone *zone); 32 @interface NSString : NSObject <NSCopying, NSMutableCopying, NSCoding> 33 - (NSUInteger)length; 34 + (id)stringWithUTF8String:(const char *)nullTerminatedCString; 35 @end extern NSString * const NSBundleDidLoadNotification; 36 @interface NSValue : NSObject <NSCopying, NSCoding> 37 - (void)getValue:(void *)value; 38 @end 39 @interface NSNumber : NSValue 40 - (char)charValue; 41 - (id)initWithBool:(BOOL)value; 42 @end 43 @interface NSAssertionHandler : NSObject {} 44 + (NSAssertionHandler *)currentHandler; 45 - (void)handleFailureInMethod:(SEL)selector object:(id)object file:(NSString *)fileName lineNumber:(NSInteger)line description:(NSString *)format,...; 46 @end 47 extern NSString * const NSConnectionReplyMode; 48 typedef float CGFloat; 49 typedef struct _NSPoint { 50 CGFloat x; 51 CGFloat y; 52 } NSPoint; 53 typedef struct _NSSize { 54 CGFloat width; 55 CGFloat height; 56 } NSSize; 57 typedef struct _NSRect { 58 NSPoint origin; 59 NSSize size; 60 } NSRect; 61 62 // Reduced test case from crash in <rdar://problem/6253157> 63 @interface A @end 64 @implementation A 65 - (void)foo:(void (^)(NSObject *x))block { 66 if (!((block != ((void *)0)))) {} 67 } 68 @end 69 70 // Reduced test case from crash in PR 2796; 71 // http://llvm.org/bugs/show_bug.cgi?id=2796 72 73 unsigned foo(unsigned x) { return __alignof__((x)) + sizeof(x); } 74 75 // Improvement to path-sensitivity involving compound assignments. 76 // Addresses false positive in <rdar://problem/6268365> 77 // 78 79 unsigned r6268365Aux(); 80 81 void r6268365() { 82 unsigned x = 0; 83 x &= r6268365Aux(); 84 unsigned j = 0; 85 86 if (x == 0) ++j; 87 if (x == 0) x = x / j; 88 } 89 90 void divzeroassume(unsigned x, unsigned j) { 91 x /= j; 92 if (j == 0) x /= 0; // no static-analyzer warning expected-warning {{division by zero is undefined}} 93 if (j == 0) x /= j; // no static-analyzer warning 94 if (j == 0) x = x / 0; // no static-analyzer warning expected-warning {{division by zero is undefined}} 95 } 96 97 void divzeroassumeB(unsigned x, unsigned j) { 98 x = x / j; 99 if (j == 0) x /= 0; // no static-analyzer warning expected-warning {{division by zero is undefined}} 100 if (j == 0) x /= j; // no static-analyzer warning 101 if (j == 0) x = x / 0; // no static-analyzer warning expected-warning {{division by zero is undefined}} 102 } 103 104 // InitListExpr processing 105 106 typedef float __m128 __attribute__((__vector_size__(16), __may_alias__)); 107 __m128 return128() { 108 // This compound literal has a Vector type. We currently just 109 // return UnknownVal. 110 return __extension__(__m128) { 0.0f, 0.0f, 0.0f, 0.0f }; 111 } 112 113 typedef long long __v2di __attribute__ ((__vector_size__ (16))); 114 typedef long long __m128i __attribute__ ((__vector_size__ (16), __may_alias__)); 115 __m128i vec128i(long long __q1, long long __q0) { 116 // This compound literal returns true for both isVectorType() and 117 // isIntegerType(). 118 return __extension__ (__m128i)(__v2di){ __q0, __q1 }; 119 } 120 121 // Zero-sized VLAs. 122 void check_zero_sized_VLA(int x) { 123 if (x) 124 return; 125 126 int vla[x]; // expected-warning{{Declared variable-length array (VLA) has zero size}} 127 } 128 129 void check_uninit_sized_VLA() { 130 int x; 131 int vla[x]; // expected-warning{{Declared variable-length array (VLA) uses a garbage value as its size}} 132 } 133 134 // sizeof(void) 135 // - Tests a regression reported in PR 3211: http://llvm.org/bugs/show_bug.cgi?id=3211 136 void handle_sizeof_void(unsigned flag) { 137 int* p = 0; 138 139 if (flag) { 140 if (sizeof(void) == 1) 141 return; 142 // Infeasible. 143 *p = 1; // no-warning 144 } 145 146 void* q; 147 148 if (!flag) { 149 if (sizeof(*q) == 1) 150 return; 151 // Infeasibe. 152 *p = 1; // no-warning 153 } 154 155 // Infeasible. 156 *p = 1; // no-warning 157 } 158 159 // check deference of undefined values 160 void check_deref_undef(void) { 161 int *p; 162 *p = 0xDEADBEEF; // expected-warning{{Dereference of undefined pointer value}} 163 } 164 165 // PR 3422 166 void pr3422_helper(char *p); 167 void pr3422() { 168 char buf[100]; 169 char *q = &buf[10]; 170 pr3422_helper(&q[1]); 171 } 172 173 // PR 3543 (handle empty statement expressions) 174 void pr_3543(void) { 175 ({}); 176 } 177 178 // <rdar://problem/6611677> 179 // This test case test the use of a vector type within an array subscript 180 // expression. 181 typedef long long __a64vector __attribute__((__vector_size__(8))); 182 typedef long long __a128vector __attribute__((__vector_size__(16))); 183 static inline __a64vector __attribute__((__always_inline__, __nodebug__)) 184 my_test_mm_movepi64_pi64(__a128vector a) { 185 return (__a64vector)a[0]; 186 } 187 188 // Test basic tracking of ivars associated with 'self'. 189 @interface SelfIvarTest : NSObject { 190 int flag; 191 } 192 - (void)test_self_tracking; 193 @end 194 195 @implementation SelfIvarTest 196 - (void)test_self_tracking { 197 char *p = 0; 198 char c; 199 200 if (flag) 201 p = "hello"; 202 203 if (flag) 204 c = *p; // no-warning 205 } 206 @end 207 208 // PR 3770 209 char pr3770(int x) { 210 int y = x & 0x2; 211 char *p = 0; 212 if (y == 1) 213 p = "hello"; 214 215 if (y == 1) 216 return p[0]; // no-warning 217 218 return 'a'; 219 } 220 221 // PR 3772 222 // - We just want to test that this doesn't crash the analyzer. 223 typedef struct st ST; 224 struct st { char *name; }; 225 extern ST *Cur_Pu; 226 227 void pr3772(void) 228 { 229 static ST *last_Cur_Pu; 230 if (last_Cur_Pu == Cur_Pu) { 231 return; 232 } 233 } 234 235 // PR 3780 - This tests that StmtIterator isn't broken for VLAs in DeclGroups. 236 void pr3780(int sz) { typedef double MAT[sz][sz]; } 237 238 // <rdar://problem/6695527> - Test that we don't symbolicate doubles before 239 // we are ready to do something with them. 240 int rdar6695527(double x) { 241 if (!x) { return 0; } 242 return 1; 243 } 244 245 // <rdar://problem/6708148> - Test that we properly invalidate structs 246 // passed-by-reference to a function. 247 void pr6708148_invalidate(NSRect *x); 248 void pr6708148_use(NSRect x); 249 void pr6708148_test(void) { 250 NSRect x; 251 pr6708148_invalidate(&x); 252 pr6708148_use(x); // no-warning 253 } 254 255 // Handle both kinds of noreturn attributes for pruning paths. 256 void rdar_6777003_noret() __attribute__((noreturn)); 257 void rdar_6777003_analyzer_noret() __attribute__((analyzer_noreturn)); 258 259 void rdar_6777003(int x) { 260 int *p = 0; 261 262 if (x == 1) { 263 rdar_6777003_noret(); 264 *p = 1; // no-warning; 265 } 266 267 if (x == 2) { 268 rdar_6777003_analyzer_noret(); 269 *p = 1; // no-warning; 270 } 271 272 *p = 1; // expected-warning{{Dereference of null pointer}} 273 } 274 275 // Check that the pointer-to-conts arguments do not get invalidated by Obj C 276 // interfaces. radar://10595327 277 int rdar_10595327(char *str) { 278 char fl = str[0]; 279 int *p = 0; 280 NSString *s = [NSString stringWithUTF8String:str]; 281 if (str[0] != fl) 282 return *p; // no-warning 283 return 0; 284 } 285 286 // For pointer arithmetic, --/++ should be treated as preserving non-nullness, 287 // regardless of how well the underlying StoreManager reasons about pointer 288 // arithmetic. 289 // <rdar://problem/6777209> 290 void rdar_6777209(char *p) { 291 if (p == 0) 292 return; 293 294 ++p; 295 296 // This branch should always be infeasible. 297 if (p == 0) 298 *p = 'c'; // no-warning 299 } 300 301 // PR 4033. A symbolic 'void *' pointer can be used as the address for a 302 // computed goto. 303 typedef void *Opcode; 304 Opcode pr_4033_getOpcode(); 305 void pr_4033(void) { 306 void *lbl = &&next_opcode; 307 next_opcode: 308 { 309 Opcode op = pr_4033_getOpcode(); 310 if (op) goto *op; 311 } 312 } 313 314 // Test invalidating pointers-to-pointers with slightly different types. This 315 // example came from a recent false positive due to a regression where the 316 // branch condition was falsely reported as being uninitialized. 317 void invalidate_by_ref(char **x); 318 int test_invalidate_by_ref() { 319 unsigned short y; 320 invalidate_by_ref((char**) &y); 321 if (y) // no-warning 322 return 1; 323 return 0; 324 } 325 326 // Test for <rdar://problem/7027684>. This just tests that the CFG is 327 // constructed correctly. Previously, the successor block of the entrance 328 // was the block containing the merge for '?', which would trigger an 329 // assertion failure. 330 int rdar_7027684_aux(); 331 int rdar_7027684_aux_2() __attribute__((noreturn)); 332 void rdar_7027684(int x, int y) { 333 {}; // this empty compound statement is critical. 334 (rdar_7027684_aux() ? rdar_7027684_aux_2() : (void) 0); 335 } 336 337 // Test that we handle casts of string literals to arbitrary types. 338 unsigned const char *string_literal_test1() { 339 return (const unsigned char*) "hello"; 340 } 341 342 const float *string_literal_test2() { 343 return (const float*) "hello"; 344 } 345 346 // Test that we handle casts *from* incomplete struct types. 347 extern const struct _FooAssertStruct _cmd; 348 void test_cast_from_incomplete_struct_aux(volatile const void *x); 349 void test_cast_from_incomplete_struct() { 350 test_cast_from_incomplete_struct_aux(&_cmd); 351 } 352 353 // Test for <rdar://problem/7034511> 354 // "ValueManager::makeIntVal(uint64_t X, QualType T) should return a 'Loc' 355 // when 'T' is a pointer" 356 // 357 // Previously this case would crash. 358 void test_rdar_7034511(NSArray *y) { 359 NSObject *x; 360 for (x in y) {} 361 if (x == ((void*) 0)) {} 362 } 363 364 // Handle casts of function pointers (CodeTextRegions) to arbitrary pointer 365 // types. This was previously causing a crash in CastRegion. 366 void handle_funcptr_voidptr_casts() { 367 void **ptr; 368 typedef void *PVOID; 369 typedef void *PCHAR; 370 typedef long INT_PTR, *PINT_PTR; 371 typedef INT_PTR (*FARPROC)(); 372 FARPROC handle_funcptr_voidptr_casts_aux(); 373 PVOID handle_funcptr_voidptr_casts_aux_2(PVOID volatile *x); 374 PVOID handle_funcptr_voidptr_casts_aux_3(PCHAR volatile *x); 375 376 ptr = (void**) handle_funcptr_voidptr_casts_aux(); 377 handle_funcptr_voidptr_casts_aux_2(ptr); 378 handle_funcptr_voidptr_casts_aux_3(ptr); 379 } 380 381 // RegionStore::Retrieve previously crashed on this example. This example 382 // was previously in the test file 'xfail_regionstore_wine_crash.c'. 383 void testA() { 384 long x = 0; 385 char *y = (char *) &x; 386 if (!*y) 387 return; 388 } 389 390 // RegionStoreManager previously crashed on this example. The problem is that 391 // the value bound to the field of b->grue after the call to testB_aux is 392 // a symbolic region. The second '*__gruep__' involves performing a load 393 // from a 'int*' that really is a 'void**'. The loaded location must be 394 // implicitly converted to an integer that wraps a location. Previosly we would 395 // get a crash here due to an assertion failure. 396 typedef struct _BStruct { void *grue; } BStruct; 397 void testB_aux(void *ptr); 398 void testB(BStruct *b) { 399 { 400 int *__gruep__ = ((int *)&((b)->grue)); 401 int __gruev__ = *__gruep__; 402 testB_aux(__gruep__); 403 } 404 { 405 int *__gruep__ = ((int *)&((b)->grue)); 406 int __gruev__ = *__gruep__; 407 if (~0 != __gruev__) {} 408 } 409 } 410 411 void test_trivial_symbolic_comparison(int *x) { 412 int test_trivial_symbolic_comparison_aux(); 413 int a = test_trivial_symbolic_comparison_aux(); 414 int b = a; 415 if (a != b) { 416 int *p = 0; 417 *p = 0xDEADBEEF; // no-warning 418 } 419 420 a = a == 1; 421 b = b == 1; 422 if (a != b) { 423 int *p = 0; 424 *p = 0xDEADBEEF; // no-warning 425 } 426 } 427 428 // Test for: 429 // <rdar://problem/7062158> false positive null dereference due to 430 // BasicStoreManager not tracking *static* globals 431 // 432 // This just tests the proper tracking of symbolic values for globals (both 433 // static and non-static). 434 // 435 static int* x_rdar_7062158; 436 void rdar_7062158() { 437 int *current = x_rdar_7062158; 438 if (current == x_rdar_7062158) 439 return; 440 441 int *p = 0; 442 *p = 0xDEADBEEF; // no-warning 443 } 444 445 int* x_rdar_7062158_2; 446 void rdar_7062158_2() { 447 int *current = x_rdar_7062158_2; 448 if (current == x_rdar_7062158_2) 449 return; 450 451 int *p = 0; 452 *p = 0xDEADBEEF; // no-warning 453 } 454 455 // This test reproduces a case for a crash when analyzing ClamAV using 456 // RegionStoreManager (the crash doesn't exhibit in BasicStoreManager because 457 // it isn't doing anything smart about arrays). The problem is that on the 458 // second line, 'p = &p[i]', p is assigned an ElementRegion whose index 459 // is a 16-bit integer. On the third line, a new ElementRegion is created 460 // based on the previous region, but there the region uses a 32-bit integer, 461 // resulting in a clash of values (an assertion failure at best). We resolve 462 // this problem by implicitly converting index values to 'int' when the 463 // ElementRegion is created. 464 unsigned char test_array_index_bitwidth(const unsigned char *p) { 465 unsigned short i = 0; 466 for (i = 0; i < 2; i++) p = &p[i]; 467 return p[i+1]; 468 } 469 470 // This case tests that CastRegion handles casts involving BlockPointerTypes. 471 // It should not crash. 472 void test_block_cast() { 473 id test_block_cast_aux(); 474 (void (^)(void *))test_block_cast_aux(); // expected-warning{{expression result unused}} 475 } 476 477 int OSAtomicCompareAndSwap32Barrier(); 478 479 // Test comparison of 'id' instance variable to a null void* constant after 480 // performing an OSAtomicCompareAndSwap32Barrier. 481 // This previously was a crash in RegionStoreManager. 482 @interface TestIdNull { 483 id x; 484 } 485 -(int)foo; 486 @end 487 @implementation TestIdNull 488 -(int)foo { 489 OSAtomicCompareAndSwap32Barrier(0, (signed)2, (signed*)&x); 490 if (x == (void*) 0) { return 0; } 491 return 1; 492 } 493 @end 494 495 // Do not crash when performing compare and swap on symbolic values. 496 typedef int int32_t; 497 typedef int int32; 498 typedef int32 Atomic32; 499 int OSAtomicCompareAndSwap32( int32_t __oldValue, int32_t __newValue, volatile int32_t *__theValue); 500 void radar11390991_NoBarrier_CompareAndSwap(volatile Atomic32 *ptr, 501 Atomic32 old_value, 502 Atomic32 new_value) { 503 OSAtomicCompareAndSwap32(old_value, new_value, ptr); 504 } 505 506 // PR 4594 - This was a crash when handling casts in SimpleSValuator. 507 void PR4594() { 508 char *buf[1]; 509 char **foo = buf; 510 *foo = "test"; 511 } 512 513 // Test invalidation logic where an integer is casted to an array with a 514 // different sign and then invalidated. 515 void test_invalidate_cast_int() { 516 void test_invalidate_cast_int_aux(unsigned *i); 517 signed i; 518 test_invalidate_cast_int_aux((unsigned*) &i); 519 if (i < 0) 520 return; 521 } 522 523 int ivar_getOffset(); 524 525 // Reduced from a crash involving the cast of an Objective-C symbolic region to 526 // 'char *' 527 static NSNumber *test_ivar_offset(id self, SEL _cmd, Ivar inIvar) { 528 return [[[NSNumber allocWithZone:((void*)0)] initWithBool:*(_Bool *)((char *)self + ivar_getOffset(inIvar))] autorelease]; 529 } 530 531 // Reduced from a crash in StoreManager::CastRegion involving a divide-by-zero. 532 // This resulted from not properly handling region casts to 'const void*'. 533 void test_cast_const_voidptr() { 534 char x[10]; 535 char *p = &x[1]; 536 const void* q = p; 537 } 538 539 // Reduced from a crash when analyzing Wine. This test handles loads from 540 // function addresses. 541 typedef long (*FARPROC)(); 542 FARPROC test_load_func(FARPROC origfun) { 543 if (!*(unsigned char*) origfun) 544 return origfun; 545 return 0; 546 } 547 548 // Test passing-by-value an initialized struct variable. 549 struct test_pass_val { 550 int x; 551 int y; 552 }; 553 void test_pass_val_aux(struct test_pass_val s); 554 void test_pass_val() { 555 struct test_pass_val s; 556 s.x = 1; 557 s.y = 2; 558 test_pass_val_aux(s); 559 } 560 561 // This is a reduced test case of a false positive that previously appeared 562 // in RegionStoreManager. Previously the array access resulted in dereferencing 563 // an undefined value. 564 int test_array_compound(int *q, int *r, int *z) { 565 int *array[] = { q, r, z }; 566 int j = 0; 567 for (unsigned i = 0; i < 3 ; ++i) 568 if (*array[i]) ++j; // no-warning 569 return j; 570 } 571 572 // symbolic value stored in 'x' wouldn't be implicitly casted to a signed value 573 // during the comparison. 574 int rdar_7124210(unsigned int x) { 575 enum { SOME_CONSTANT = 123 }; 576 int compare = ((signed) SOME_CONSTANT) == *((signed *) &x); 577 return compare ? 0 : 1; // Forces the evaluation of the symbolic constraint. 578 } 579 580 void pr4781(unsigned long *raw1) { 581 unsigned long *cook, *raw0; 582 unsigned long dough[32]; 583 int i; 584 cook = dough; 585 for( i = 0; i < 16; i++, raw1++ ) { 586 raw0 = raw1++; 587 *cook = (*raw0 & 0x00fc0000L) << 6; 588 *cook |= (*raw0 & 0x00000fc0L) << 10; 589 } 590 } 591 592 // <rdar://problem/7185647> - 'self' should be treated as being non-null 593 // upon entry to an objective-c method. 594 @interface RDar7185647 595 - (id)foo; 596 @end 597 @implementation RDar7185647 598 - (id) foo { 599 if (self) 600 return self; 601 *((volatile int *) 0x0) = 0xDEADBEEF; // no-warning 602 return self; 603 } 604 @end 605 606 // Test reasoning of __builtin_offsetof; 607 struct test_offsetof_A { 608 int x; 609 int y; 610 }; 611 struct test_offsetof_B { 612 int w; 613 int z; 614 }; 615 void test_offsetof_1() { 616 if (__builtin_offsetof(struct test_offsetof_A, x) == 617 __builtin_offsetof(struct test_offsetof_B, w)) 618 return; 619 int *p = 0; 620 *p = 0xDEADBEEF; // no-warning 621 } 622 void test_offsetof_2() { 623 if (__builtin_offsetof(struct test_offsetof_A, y) == 624 __builtin_offsetof(struct test_offsetof_B, z)) 625 return; 626 int *p = 0; 627 *p = 0xDEADBEEF; // no-warning 628 } 629 void test_offsetof_3() { 630 if (__builtin_offsetof(struct test_offsetof_A, y) - 631 __builtin_offsetof(struct test_offsetof_A, x) 632 == 633 __builtin_offsetof(struct test_offsetof_B, z) - 634 __builtin_offsetof(struct test_offsetof_B, w)) 635 return; 636 int *p = 0; 637 *p = 0xDEADBEEF; // no-warning 638 } 639 void test_offsetof_4() { 640 if (__builtin_offsetof(struct test_offsetof_A, y) == 641 __builtin_offsetof(struct test_offsetof_B, w)) 642 return; 643 int *p = 0; 644 *p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}} 645 } 646 647 // <rdar://problem/6829164> "nil receiver" false positive: make tracking 648 // of the MemRegion for 'self' path-sensitive 649 @interface RDar6829164 : NSObject { 650 double x; int y; 651 } 652 - (id) init; 653 @end 654 655 id rdar_6829164_1(); 656 double rdar_6829164_2(); 657 658 @implementation RDar6829164 659 - (id) init { 660 if((self = [super init]) != 0) { 661 id z = rdar_6829164_1(); 662 y = (z != 0); 663 if (y) 664 x = rdar_6829164_2(); 665 } 666 return self; 667 } 668 @end 669 670 // <rdar://problem/7242015> - Invalidate values passed-by-reference 671 // to functions when the pointer to the value is passed as an integer. 672 void test_7242015_aux(unsigned long); 673 int rdar_7242015() { 674 int x; 675 test_7242015_aux((unsigned long) &x); // no-warning 676 return x; // Previously we return and uninitialized value when 677 // using RegionStore. 678 } 679 680 // <rdar://problem/7242006> [RegionStore] compound literal assignment with 681 // floats not honored 682 CGFloat rdar7242006(CGFloat x) { 683 NSSize y = (NSSize){x, 10}; 684 return y.width; // no-warning 685 } 686 687 // PR 4988 - This test exhibits a case where a function can be referenced 688 // when not explicitly used in an "lvalue" context (as far as the analyzer is 689 // concerned). This previously triggered a crash due to an invalid assertion. 690 void pr_4988(void) { 691 pr_4988; // expected-warning{{expression result unused}} 692 } 693 694 // <rdar://problem/7152418> - A 'signed char' is used as a flag, which is 695 // implicitly converted to an int. 696 void *rdar7152418_bar(); 697 @interface RDar7152418 { 698 signed char x; 699 } 700 -(char)foo; 701 @end; 702 @implementation RDar7152418 703 -(char)foo { 704 char *p = 0; 705 void *result = 0; 706 if (x) { 707 result = rdar7152418_bar(); 708 p = "hello"; 709 } 710 if (!result) { 711 result = rdar7152418_bar(); 712 if (result && x) 713 return *p; // no-warning 714 } 715 return 1; 716 } 717 718 //===----------------------------------------------------------------------===// 719 // Test constant-folding of symbolic values, automatically handling type 720 // conversions of the symbol as necessary. 721 //===----------------------------------------------------------------------===// 722 723 // Previously this would crash once we started eagerly evaluating symbols whose 724 // values were constrained to a single value. 725 void test_symbol_fold_1(signed char x) { 726 while (1) { 727 if (x == ((signed char) 0)) {} 728 } 729 } 730 731 // This previously caused a crash because it triggered an assertion in APSInt. 732 void test_symbol_fold_2(unsigned int * p, unsigned int n, 733 const unsigned int * grumpkin, unsigned int dn) { 734 unsigned int i; 735 unsigned int tempsub[8]; 736 unsigned int *solgrumpkin = tempsub + n; 737 for (i = 0; i < n; i++) 738 solgrumpkin[i] = (i < dn) ? ~grumpkin[i] : 0xFFFFFFFF; 739 for (i <<= 5; i < (n << 5); i++) {} 740 } 741 742 // This previously caused a crash because it triggered an assertion in APSInt. 743 // 'x' would evaluate to a 8-bit constant (because of the return value of 744 // test_symbol_fold_3_aux()) which would not get properly promoted to an 745 // integer. 746 char test_symbol_fold_3_aux(void); 747 unsigned test_symbol_fold_3(void) { 748 unsigned x = test_symbol_fold_3_aux(); 749 if (x == 54) 750 return (x << 8) | 0x5; 751 return 0; 752 } 753 754 //===----------------------------------------------------------------------===// 755 // Tests for the warning of casting a non-struct type to a struct type 756 //===----------------------------------------------------------------------===// 757 758 typedef struct {unsigned int v;} NSSwappedFloat; 759 760 NSSwappedFloat test_cast_nonstruct_to_struct(float x) { 761 struct hodor { 762 float number; 763 NSSwappedFloat sf; 764 }; 765 return ((struct hodor *)&x)->sf; // expected-warning{{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption}} 766 } 767 768 NSSwappedFloat test_cast_nonstruct_to_union(float x) { 769 union bran { 770 float number; 771 NSSwappedFloat sf; 772 }; 773 return ((union bran *)&x)->sf; // no-warning 774 } 775 776 void test_undefined_array_subscript() { 777 int i, a[10]; 778 int *p = &a[i]; // expected-warning{{Array subscript is undefined}} 779 } 780 @end 781 782 //===----------------------------------------------------------------------===// 783 // Test using an uninitialized value as a branch condition. 784 //===----------------------------------------------------------------------===// 785 786 int test_uninit_branch(void) { 787 int x; 788 if (x) // expected-warning{{Branch condition evaluates to a garbage value}} 789 return 1; 790 return 0; 791 } 792 793 int test_uninit_branch_b(void) { 794 int x; 795 return x ? 1 : 0; // expected-warning{{Branch condition evaluates to a garbage value}} 796 } 797 798 int test_uninit_branch_c(void) { 799 int x; 800 if ((short)x) // expected-warning{{Branch condition evaluates to a garbage value}} 801 return 1; 802 return 0; 803 } 804 805 //===----------------------------------------------------------------------===// 806 // Test passing an undefined value in a message or function call. 807 //===----------------------------------------------------------------------===// 808 809 void test_bad_call_aux(int x); 810 void test_bad_call(void) { 811 int y; 812 test_bad_call_aux(y); // expected-warning{{Function call argument is an uninitialized value}} 813 } 814 815 @interface TestBadArg {} 816 - (void) testBadArg:(int) x; 817 @end 818 819 void test_bad_msg(TestBadArg *p) { 820 int y; 821 [p testBadArg:y]; // expected-warning{{Argument in message expression is an uninitialized value}} 822 } 823 824 //===----------------------------------------------------------------------===// 825 // PR 6033 - Test emitting the correct output in a warning where we use '%' 826 // with operands that are undefined. 827 //===----------------------------------------------------------------------===// 828 829 int pr6033(int x) { 830 int y; 831 return x % y; // expected-warning{{The right operand of '%' is a garbage value}} 832 } 833 834 struct trie { 835 struct trie* next; 836 }; 837 838 struct kwset { 839 struct trie *trie; 840 unsigned char y[10]; 841 struct trie* next[10]; 842 int d; 843 }; 844 845 typedef struct trie trie_t; 846 typedef struct kwset kwset_t; 847 848 void f(kwset_t *kws, char const *p, char const *q) { 849 struct trie const *trie; 850 struct trie * const *next = kws->next; 851 register unsigned char c; 852 register char const *end = p; 853 register char const *lim = q; 854 register int d = 1; 855 register unsigned char const *y = kws->y; 856 857 d = y[c = (end+=d)[-1]]; // no-warning 858 trie = next[c]; 859 } 860 861 //===----------------------------------------------------------------------===// 862 // <rdar://problem/7593875> When handling sizeof(VLA) it leads to a hole in 863 // the ExplodedGraph (causing a false positive) 864 //===----------------------------------------------------------------------===// 865 866 int rdar_7593875_aux(int x); 867 int rdar_7593875(int n) { 868 int z[n > 10 ? 10 : n]; // VLA. 869 int v; 870 v = rdar_7593875_aux(sizeof(z)); 871 // Previously we got a false positive about 'v' being uninitialized. 872 return v; // no-warning 873 } 874 875 //===----------------------------------------------------------------------===// 876 // Handle casts from symbolic regions (packaged as integers) to doubles. 877 // Previously this caused an assertion failure. 878 //===----------------------------------------------------------------------===// 879 880 void *foo_rev95119(); 881 void baz_rev95119(double x); 882 void bar_rev95119() { 883 // foo_rev95119() returns a symbolic pointer. It is then 884 // cast to an int which is then cast to a double. 885 int value = (int) foo_rev95119(); 886 baz_rev95119((double)value); 887 } 888 889 //===----------------------------------------------------------------------===// 890 // Handle loading a symbolic pointer from a symbolic region that was 891 // invalidated by a call to an unknown function. 892 //===----------------------------------------------------------------------===// 893 894 void bar_rev95192(int **x); 895 void foo_rev95192(int **x) { 896 *x = 0; 897 bar_rev95192(x); 898 // Not a null dereference. 899 **x = 1; // no-warning 900 } 901 902 //===----------------------------------------------------------------------===// 903 // Handle casts of a function to a function pointer with a different return 904 // value. We don't yet emit an error for such cases, but we now we at least 905 // don't crash when the return value gets interpreted in a way that 906 // violates our invariants. 907 //===----------------------------------------------------------------------===// 908 909 void *foo_rev95267(); 910 int bar_rev95267() { 911 char (*Callback_rev95267)(void) = (char (*)(void)) foo_rev95267; 912 if ((*Callback_rev95267)() == (char) 0) 913 return 1; 914 return 0; 915 } 916 917 // Same as previous case, but handle casts to 'void'. 918 int bar_rev95274() { 919 void (*Callback_rev95274)(void) = (void (*)(void)) foo_rev95267; 920 (*Callback_rev95274)(); 921 return 0; 922 } 923 924 void rdar7582031_test_static_init_zero() { 925 static unsigned x; 926 if (x == 0) 927 return; 928 int *p = 0; 929 *p = 0xDEADBEEF; 930 } 931 void rdar7582031_test_static_init_zero_b() { 932 static void* x; 933 if (x == 0) 934 return; 935 int *p = 0; 936 *p = 0xDEADBEEF; 937 } 938 939 //===----------------------------------------------------------------------===// 940 // Test handling of parameters that are structs that contain floats and // 941 // nested fields. // 942 //===----------------------------------------------------------------------===// 943 944 struct s_rev95547_nested { float x, y; }; 945 struct s_rev95547 { 946 struct s_rev95547_nested z1; 947 struct s_rev95547_nested z2; 948 }; 949 float foo_rev95547(struct s_rev95547 w) { 950 return w.z1.x + 20.0; // no-warning 951 } 952 void foo_rev95547_b(struct s_rev95547 w) { 953 struct s_rev95547 w2 = w; 954 w2.z1.x += 20.0; // no-warning 955 } 956 957 //===----------------------------------------------------------------------===// 958 // Test handling statement expressions that don't populate a CFG block that 959 // is used to represent the computation of the RHS of a logical operator. 960 // This previously triggered a crash. 961 //===----------------------------------------------------------------------===// 962 963 void pr6938() { 964 if (1 && ({ 965 while (0); 966 0; 967 }) == 0) { 968 } 969 } 970 971 void pr6938_b() { 972 if (1 && *({ // expected-warning{{Dereference of null pointer}} 973 while (0) {} 974 ({ 975 (int *) 0; 976 }); 977 }) == 0) { 978 } 979 } 980 981 //===----------------------------------------------------------------------===// 982 // <rdar://problem/7979430> - The CFG for code containing an empty 983 // @synchronized block was previously broken (and would crash the analyzer). 984 //===----------------------------------------------------------------------===// 985 986 void r7979430(id x) { 987 @synchronized(x) {} 988 } 989 990 //===----------------------------------------------------------------------=== 991 // PR 7361 - Test that functions wrapped in macro instantiations are analyzed. 992 //===----------------------------------------------------------------------=== 993 #define MAKE_TEST_FN() \ 994 void test_pr7361 (char a) {\ 995 char* b = 0x0; *b = a;\ 996 } 997 998 MAKE_TEST_FN() // expected-warning{{null pointer}} 999 1000 //===----------------------------------------------------------------------=== 1001 // PR 7491 - Test that symbolic expressions can be used as conditions. 1002 //===----------------------------------------------------------------------=== 1003 1004 void pr7491 () { 1005 extern int getint(); 1006 int a = getint()-1; 1007 if (a) { 1008 return; 1009 } 1010 if (!a) { 1011 return; 1012 } else { 1013 // Should be unreachable 1014 (void)*(char*)0; // no-warning 1015 } 1016 } 1017 1018 //===----------------------------------------------------------------------=== 1019 // PR 7475 - Test that assumptions about global variables are reset after 1020 // calling a global function. 1021 //===----------------------------------------------------------------------=== 1022 1023 int *pr7475_someGlobal; 1024 void pr7475_setUpGlobal(); 1025 1026 void pr7475() { 1027 if (pr7475_someGlobal == 0) 1028 pr7475_setUpGlobal(); 1029 *pr7475_someGlobal = 0; // no-warning 1030 } 1031 1032 void pr7475_warn() { 1033 static int *someStatic = 0; 1034 if (someStatic == 0) 1035 pr7475_setUpGlobal(); 1036 *someStatic = 0; // expected-warning{{null pointer}} 1037 } 1038 1039 // <rdar://problem/8202272> - __imag passed non-complex should not crash 1040 float f0(_Complex float x) { 1041 float l0 = __real x; 1042 return __real l0 + __imag l0; 1043 } 1044 1045 1046 //===----------------------------------------------------------------------=== 1047 // Test that we can reduce symbols to constants whether they are on the left 1048 // or right side of an expression. 1049 //===----------------------------------------------------------------------=== 1050 1051 void reduce_to_constant(int x, int y) { 1052 if (x != 20) 1053 return; 1054 1055 int a = x + y; 1056 int b = y + x; 1057 1058 if (y == -20 && a != 0) 1059 (void)*(char*)0; // no-warning 1060 if (y == -20 && b != 0) 1061 (void)*(char*)0; // no-warning 1062 } 1063 1064 // <rdar://problem/8360854> - Test that code after a switch statement with no 1065 // 'case:' labels is correctly evaluated. 1066 void r8360854(int n) { 1067 switch (n) { 1068 default: ; 1069 } 1070 int *p = 0; 1071 *p = 0xDEADBEEF; // expected-warning{{null pointer}} 1072 } 1073 1074 // PR 8050 - crash in CastSizeChecker when pointee is an incomplete type 1075 typedef long unsigned int __darwin_size_t; 1076 typedef __darwin_size_t size_t; 1077 void *malloc(size_t); 1078 1079 struct PR8050; 1080 1081 void pr8050(struct PR8050 **arg) 1082 { 1083 *arg = malloc(1); 1084 } 1085 1086 // <rdar://problem/5880430> Switch on enum should not consider default case live 1087 // if all enum values are covered 1088 enum Cases { C1, C2, C3, C4 }; 1089 void test_enum_cases(enum Cases C) { 1090 switch (C) { 1091 case C1: 1092 case C2: 1093 case C4: 1094 case C3: 1095 return; 1096 } 1097 int *p = 0; 1098 *p = 0xDEADBEEF; // no-warning 1099 } 1100 1101 void test_enum_cases_positive(enum Cases C) { 1102 switch (C) { // expected-warning{{enumeration value 'C4' not handled in switch}} 1103 case C1: 1104 case C2: 1105 case C3: 1106 return; 1107 } 1108 int *p = 0; 1109 *p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}} 1110 } 1111 1112 // <rdar://problem/6351970> rule request: warn if synchronization mutex can be nil 1113 void rdar6351970() { 1114 id x = 0; 1115 @synchronized(x) {} // expected-warning{{Nil value used as mutex for @synchronized() (no synchronization will occur)}} 1116 } 1117 1118 void rdar6351970_b(id x) { 1119 if (!x) 1120 @synchronized(x) {} // expected-warning{{Nil value used as mutex for @synchronized() (no synchronization will occur)}} 1121 } 1122 1123 void rdar6351970_c() { 1124 id x; 1125 @synchronized(x) {} // expected-warning{{Uninitialized value used as mutex for @synchronized}} 1126 } 1127 1128 @interface Rdar8578650 1129 - (id) foo8578650; 1130 @end 1131 1132 void rdar8578650(id x) { 1133 @synchronized (x) { 1134 [x foo8578650]; 1135 } 1136 // At this point we should assume that 'x' is not nil, not 1137 // the inverse. 1138 @synchronized (x) { // no-warning 1139 } 1140 } 1141 1142 // <rdar://problem/6352035> rule request: direct structure member access null pointer dereference 1143 @interface RDar6352035 { 1144 int c; 1145 } 1146 - (void)foo; 1147 - (void)bar; 1148 @end 1149 1150 @implementation RDar6352035 1151 - (void)foo { 1152 RDar6352035 *friend = 0; 1153 friend->c = 7; // expected-warning{{Access to instance variable 'c' results in a dereference of a null pointer (loaded from variable 'friend')}} 1154 } 1155 - (void)bar { 1156 self = 0; 1157 c = 7; // expected-warning{{Access to instance variable 'c' results in a dereference of a null pointer (loaded from variable 'self')}} 1158 } 1159 @end 1160 1161 // PR 8149 - GNU statement expression in condition of ForStmt. 1162 // This previously triggered an assertion failure in CFGBuilder. 1163 void pr8149(void) { 1164 for (; ({ do { } while (0); 0; });) { } 1165 } 1166 1167 // PR 8458 - Make sure @synchronized doesn't crash with properties. 1168 @interface PR8458 {} 1169 @property(readonly) id lock; 1170 @end 1171 1172 static 1173 void __PR8458(PR8458 *x) { 1174 @synchronized(x.lock) {} // no-warning 1175 } 1176 1177 // PR 8440 - False null dereference during store to array-in-field-in-global. 1178 // This test case previously resulted in a bogus null deref warning from 1179 // incorrect lazy symbolication logic in RegionStore. 1180 static struct { 1181 int num; 1182 char **data; 1183 } saved_pr8440; 1184 1185 char *foo_pr8440(); 1186 char **bar_pr8440(); 1187 void baz_pr8440(int n) 1188 { 1189 saved_pr8440.num = n; 1190 if (saved_pr8440.data) 1191 return; 1192 saved_pr8440.data = bar_pr8440(); 1193 for (int i = 0 ; i < n ; i ++) 1194 saved_pr8440.data[i] = foo_pr8440(); // no-warning 1195 } 1196 1197 // Support direct accesses to non-null memory. Reported in: 1198 // PR 5272 1199 // <rdar://problem/6839683> 1200 int test_direct_address_load() { 1201 int *p = (int*) 0x4000; 1202 return *p; // no-warning 1203 } 1204 1205 void pr5272_test() { 1206 struct pr5272 { int var2; }; 1207 (*(struct pr5272*)0xBC000000).var2 = 0; // no-warning 1208 (*(struct pr5272*)0xBC000000).var2 += 2; // no-warning 1209 } 1210 1211 // Support casting the return value of function to another different type 1212 // This previously caused a crash, although we likely need more precise 1213 // reasoning here. <rdar://problem/8663544> 1214 void* rdar8663544(); 1215 typedef struct {} Val8663544; 1216 Val8663544 bazR8663544() { 1217 Val8663544(*func) () = (Val8663544(*) ()) rdar8663544; 1218 return func(); 1219 } 1220 1221 // PR 8619 - Handle ternary expressions with a call to a noreturn function. 1222 // This previously resulted in a crash. 1223 void pr8619_noreturn(int x) __attribute__((noreturn)); 1224 1225 void pr8619(int a, int b, int c) { 1226 a ?: pr8619_noreturn(b || c); 1227 } 1228 1229 1230 // PR 8646 - crash in the analyzer when handling unions. 1231 union pr8648_union { 1232 signed long long pr8648_union_field; 1233 }; 1234 void pr8648() { 1235 long long y; 1236 union pr8648_union x = { .pr8648_union_field = 0LL }; 1237 y = x.pr8648_union_field; 1238 1239 union pr8648_union z; 1240 z = (union pr8648_union) { .pr8648_union_field = 0LL }; 1241 1242 union pr8648_union w; 1243 w = ({ (union pr8648_union) { .pr8648_union_field = 0LL }; }); 1244 1245 // crash, no assignment 1246 (void) ({ (union pr8648_union) { .pr8648_union_field = 0LL }; }).pr8648_union_field; 1247 1248 // crash with assignment 1249 y = ({ (union pr8648_union) { .pr8648_union_field = 0LL }; }).pr8648_union_field; 1250 } 1251 1252 // PR 9269 - don't assert when building the following CFG. The for statement 1253 // contains a condition with multiple basic blocks, and the value of the 1254 // statement expression is then indexed as part of a bigger condition expression. 1255 // This example exposed a bug in child traversal in the CFGBuilder. 1256 void pr9269() { 1257 struct s { char *bar[10]; } baz[2] = { 0 }; 1258 unsigned i = 0; 1259 for (i = 0; 1260 (* ({ while(0); ({ &baz[0]; }); })).bar[0] != 0; // expected-warning {{while loop has empty body}} expected-note {{put the semicolon on a separate line to silence this warning}} 1261 ++i) {} 1262 } 1263 1264 // Test evaluation of GNU-style ?:. 1265 int pr9287(int type) { return type ? : 0; } // no-warning 1266 1267 void pr9287_b(int type, int *p) { 1268 int x = type ? : 0; 1269 if (x) { 1270 p = 0; 1271 } 1272 if (type) { 1273 *p = 0xDEADBEEF; // expected-warning {{null pointer}} 1274 } 1275 } 1276 1277 void pr9287_c(int type, int *p) { 1278 int x = type ? : 0; 1279 if (x) { 1280 p = 0; 1281 } 1282 if (!type) { 1283 *p = 0xDEADBEEF; // no-warning 1284 } 1285 } 1286 1287 void test_switch() { 1288 switch (4) { 1289 case 1: { 1290 int *p = 0; 1291 *p = 0xDEADBEEF; // no-warning 1292 break; 1293 } 1294 case 4: { 1295 int *p = 0; 1296 *p = 0xDEADBEEF; // expected-warning {{null}} 1297 break; 1298 } 1299 default: { 1300 int *p = 0; 1301 *p = 0xDEADBEEF; // no-warning 1302 break; 1303 } 1304 } 1305 } 1306 1307 // PR 9467. Tests various CFG optimizations. This previously crashed. 1308 static void test(unsigned int bit_mask) 1309 { 1310 unsigned int bit_index; 1311 for (bit_index = 0; 1312 bit_index < 24; 1313 bit_index++) { 1314 switch ((0x01 << bit_index) & bit_mask) { 1315 case 0x100000: ; 1316 } 1317 } 1318 } 1319 1320 // Don't crash on code containing __label__. 1321 int radar9414427_aux(); 1322 void radar9414427() { 1323 __label__ mylabel; 1324 if (radar9414427_aux()) { 1325 mylabel: do {} 1326 while (0); 1327 } 1328 } 1329 1330 // Analyze methods in @implementation (category) 1331 @interface RDar9465344 1332 @end 1333 1334 @implementation RDar9465344 (MyCategory) 1335 - (void) testcategoryImpl { 1336 int *p = 0x0; 1337 *p = 0xDEADBEEF; // expected-warning {{null}} 1338 } 1339 @end 1340 1341 @implementation RDar9465344 1342 @end 1343 1344 // Don't crash when analyzing access to 'self' within a block. 1345 @interface Rdar10380300Base 1346 - (void) foo; 1347 @end 1348 @interface Rdar10380300 : Rdar10380300Base @end 1349 @implementation Rdar10380300 1350 - (void)foo { 1351 ^{ 1352 [super foo]; 1353 }(); 1354 } 1355 @end 1356 1357 // Don't crash when a ?: is only preceded by a statement (not an expression) 1358 // in the CFG. 1359 void __assert_fail(); 1360 1361 enum rdar1196620_e { E_A, E_B, E_C, E_D }; 1362 struct rdar1196620_s { int ints[E_D+1]; }; 1363 1364 static void rdar1196620_call_assert(struct rdar1196620_s* s) { 1365 int i = 0; 1366 s?(void)0:__assert_fail(); 1367 } 1368 1369 static void rdar1196620(struct rdar1196620_s* s) { 1370 rdar1196620_call_assert(s); 1371 } 1372 1373 1374
