1// RUN: %clang_cc1 -triple i386-apple-darwin9 -analyze -analyzer-checker=core,alpha.core -analyzer-store=region -verify -fblocks -analyzer-ipa=inlining -analyzer-opt-analyze-nested-blocks %s -fexceptions -fcxx-exceptions 2// RUN: %clang_cc1 -triple x86_64-apple-darwin9 -analyze -analyzer-checker=core,alpha.core -analyzer-store=region -verify -fblocks -analyzer-ipa=inlining -analyzer-opt-analyze-nested-blocks %s -fexceptions -fcxx-exceptions 3 4// Test basic handling of references. 5char &test1_aux(); 6char *test1() { 7 return &test1_aux(); 8} 9 10// Test test1_aux() evaluates to char &. 11char test1_as_rvalue() { 12 return test1_aux(); 13} 14 15// Test passing a value as a reference. The 'const' in test2_aux() adds 16// an ImplicitCastExpr, which is evaluated as an lvalue. 17int test2_aux(const int &n); 18int test2(int n) { 19 return test2_aux(n); 20} 21 22int test2_b_aux(const short &n); 23int test2_b(int n) { 24 return test2_b_aux(n); 25} 26 27// Test getting the lvalue of a derived and converting it to a base. This 28// previously crashed. 29class Test3_Base {}; 30class Test3_Derived : public Test3_Base {}; 31 32int test3_aux(Test3_Base &x); 33int test3(Test3_Derived x) { 34 return test3_aux(x); 35} 36 37//===---------------------------------------------------------------------===// 38// Test CFG support for C++ condition variables. 39//===---------------------------------------------------------------------===// 40 41int test_init_in_condition_aux(); 42int test_init_in_condition() { 43 if (int x = test_init_in_condition_aux()) { // no-warning 44 return 1; 45 } 46 return 0; 47} 48 49int test_init_in_condition_switch() { 50 switch (int x = test_init_in_condition_aux()) { // no-warning 51 case 1: 52 return 0; 53 case 2: 54 if (x == 2) 55 return 0; 56 else { 57 // Unreachable. 58 int *p = 0; 59 *p = 0xDEADBEEF; // no-warning 60 } 61 default: 62 break; 63 } 64 return 0; 65} 66 67int test_init_in_condition_while() { 68 int z = 0; 69 while (int x = ++z) { // no-warning 70 if (x == 2) 71 break; 72 } 73 74 if (z == 2) 75 return 0; 76 77 int *p = 0; 78 *p = 0xDEADBEEF; // no-warning 79 return 0; 80} 81 82 83int test_init_in_condition_for() { 84 int z = 0; 85 for (int x = 0; int y = ++z; ++x) { 86 if (x == y) // no-warning 87 break; 88 } 89 if (z == 1) 90 return 0; 91 92 int *p = 0; 93 *p = 0xDEADBEEF; // no-warning 94 return 0; 95} 96 97//===---------------------------------------------------------------------===// 98// Test handling of 'this' pointer. 99//===---------------------------------------------------------------------===// 100 101class TestHandleThis { 102 int x; 103 104 TestHandleThis(); 105 int foo(); 106 int null_deref_negative(); 107 int null_deref_positive(); 108}; 109 110int TestHandleThis::foo() { 111 // Assume that 'x' is initialized. 112 return x + 1; // no-warning 113} 114 115int TestHandleThis::null_deref_negative() { 116 x = 10; 117 if (x == 10) { 118 return 1; 119 } 120 int *p = 0; 121 *p = 0xDEADBEEF; // no-warning 122 return 0; 123} 124 125int TestHandleThis::null_deref_positive() { 126 x = 10; 127 if (x == 9) { 128 return 1; 129 } 130 int *p = 0; 131 *p = 0xDEADBEEF; // expected-warning{{null pointer}} 132 return 0; 133} 134 135// PR 7675 - passing literals by-reference 136void pr7675(const double &a); 137void pr7675(const int &a); 138void pr7675(const char &a); 139void pr7675_i(const _Complex double &a); 140 141void pr7675_test() { 142 pr7675(10.0); 143 pr7675(10); 144 pr7675('c'); 145 pr7675_i(4.0i); 146 // Add null deref to ensure we are analyzing the code up to this point. 147 int *p = 0; 148 *p = 0xDEADBEEF; // expected-warning{{null pointer}} 149} 150 151// <rdar://problem/8375510> - CFGBuilder should handle temporaries. 152struct R8375510 { 153 R8375510(); 154 ~R8375510(); 155 R8375510 operator++(int); 156}; 157 158int r8375510(R8375510 x, R8375510 y) { 159 for (; ; x++) { } 160} 161 162// PR8419 -- this used to crash. 163 164class String8419 { 165 public: 166 char& get(int n); 167 char& operator[](int n); 168}; 169 170char& get8419(); 171 172void Test8419() { 173 String8419 s; 174 ++(s.get(0)); 175 get8419()--; // used to crash 176 --s[0]; // used to crash 177 s[0] &= 1; // used to crash 178 s[0]++; // used to crash 179} 180 181// PR8426 -- this used to crash. 182 183void Use(void* to); 184 185template <class T> class Foo { 186 ~Foo(); 187 struct Bar; 188 Bar* bar_; 189}; 190 191template <class T> Foo<T>::~Foo() { 192 Use(bar_); 193 T::DoSomething(); 194 bar_->Work(); 195} 196 197// PR8427 -- this used to crash. 198 199class Dummy {}; 200 201bool operator==(Dummy, int); 202 203template <typename T> 204class Foo2 { 205 bool Bar(); 206}; 207 208template <typename T> 209bool Foo2<T>::Bar() { 210 return 0 == T(); 211} 212 213// PR8433 -- this used to crash. 214 215template <typename T> 216class Foo3 { 217 public: 218 void Bar(); 219 void Baz(); 220 T value_; 221}; 222 223template <typename T> 224void Foo3<T>::Bar() { 225 Baz(); 226 value_(); 227} 228 229//===---------------------------------------------------------------------===// 230// Handle misc. C++ constructs. 231//===---------------------------------------------------------------------===// 232 233namespace fum { 234 int i = 3; 235}; 236 237void test_namespace() { 238 // Previously triggered a crash. 239 using namespace fum; 240 int x = i; 241} 242 243// Test handling methods that accept references as parameters, and that 244// variables are properly invalidated. 245class RDar9203355 { 246 bool foo(unsigned valA, long long &result) const; 247 bool foo(unsigned valA, int &result) const; 248}; 249bool RDar9203355::foo(unsigned valA, int &result) const { 250 long long val; 251 if (foo(valA, val) || 252 (int)val != val) // no-warning 253 return true; 254 result = val; // no-warning 255 return false; 256} 257 258// Test handling of new[]. 259void rdar9212512() { 260 int *x = new int[10]; 261 for (unsigned i = 0 ; i < 2 ; ++i) { 262 // This previously triggered an uninitialized values warning. 263 x[i] = 1; // no-warning 264 } 265} 266 267// Test basic support for dynamic_cast<>. 268struct Rdar9212495_C { virtual void bar() const; }; 269class Rdar9212495_B : public Rdar9212495_C {}; 270class Rdar9212495_A : public Rdar9212495_B {}; 271const Rdar9212495_A& rdar9212495(const Rdar9212495_C* ptr) { 272 const Rdar9212495_A& val = dynamic_cast<const Rdar9212495_A&>(*ptr); 273 274 // This is not valid C++; dynamic_cast with a reference type will throw an 275 // exception if the pointer does not match the expected type. However, our 276 // implementation of dynamic_cast will pass through a null pointer...or a 277 // "null reference"! So this branch is actually possible. 278 if (&val == 0) { 279 val.bar(); // expected-warning{{Called C++ object pointer is null}} 280 } 281 282 return val; 283} 284 285const Rdar9212495_A* rdar9212495_ptr(const Rdar9212495_C* ptr) { 286 const Rdar9212495_A* val = dynamic_cast<const Rdar9212495_A*>(ptr); 287 288 if (val == 0) { 289 val->bar(); // expected-warning{{Called C++ object pointer is null}} 290 } 291 292 return val; 293} 294 295// Test constructors invalidating arguments. Previously this raised 296// an uninitialized value warning. 297extern "C" void __attribute__((noreturn)) PR9645_exit(int i); 298 299class PR9645_SideEffect 300{ 301public: 302 PR9645_SideEffect(int *pi); // caches pi in i_ 303 void Read(int *pi); // copies *pi into *i_ 304private: 305 int *i_; 306}; 307 308void PR9645() { 309 int i; 310 311 PR9645_SideEffect se(&i); 312 int j = 1; 313 se.Read(&j); // this has a side-effect of initializing i. 314 315 PR9645_exit(i); // no-warning 316} 317 318PR9645_SideEffect::PR9645_SideEffect(int *pi) : i_(pi) {} 319void PR9645_SideEffect::Read(int *pi) { *i_ = *pi; } 320 321// Invalidate fields during C++ method calls. 322class RDar9267815 { 323 int x; 324 void test(); 325 void test_pos(); 326 void test2(); 327 void invalidate(); 328}; 329 330void RDar9267815::test_pos() { 331 int *p = 0; 332 if (x == 42) 333 return; 334 *p = 0xDEADBEEF; // expected-warning {{null}} 335} 336void RDar9267815::test() { 337 int *p = 0; 338 if (x == 42) 339 return; 340 if (x == 42) 341 *p = 0xDEADBEEF; // no-warning 342} 343 344void RDar9267815::test2() { 345 int *p = 0; 346 if (x == 42) 347 return; 348 invalidate(); 349 if (x == 42) 350 *p = 0xDEADBEEF; // expected-warning {{null}} 351} 352 353// Test reference parameters. 354void test_ref_double_aux(double &Value); 355float test_ref_double() { 356 double dVal; 357 test_ref_double_aux(dVal); 358 // This previously warned because 'dVal' was thought to be uninitialized. 359 float Val = (float)dVal; // no-warning 360 return Val; 361} 362 363// Test invalidation of class fields. 364class TestInvalidateClass { 365public: 366 int x; 367}; 368 369void test_invalidate_class_aux(TestInvalidateClass &x); 370 371int test_invalidate_class() { 372 TestInvalidateClass y; 373 test_invalidate_class_aux(y); 374 return y.x; // no-warning 375} 376 377// Test correct pointer arithmetic using 'p--'. This is to warn that we 378// were loading beyond the written characters in buf. 379char *RDar9269695(char *dst, unsigned int n) 380{ 381 char buff[40], *p; 382 383 p = buff; 384 do 385 *p++ = '0' + n % 10; 386 while (n /= 10); 387 388 do 389 *dst++ = *--p; // no-warning 390 while (p != buff); 391 392 return dst; 393} 394 395// Test that we invalidate byref arguments passed to constructors. 396class TestInvalidateInCtor { 397public: 398 TestInvalidateInCtor(unsigned &x); 399}; 400 401unsigned test_invalidate_in_ctor() { 402 unsigned x; 403 TestInvalidateInCtor foo(x); 404 return x; // no-warning 405} 406unsigned test_invalidate_in_ctor_new() { 407 unsigned x; 408 delete (new TestInvalidateInCtor(x)); 409 return x; // no-warning 410} 411 412// Test assigning into a symbolic offset. 413struct TestAssignIntoSymbolicOffset { 414 int **stuff[100]; 415 void test(int x, int y); 416}; 417 418void TestAssignIntoSymbolicOffset::test(int x, int y) { 419 x--; 420 if (x > 8 || x < 0) 421 return; 422 if (stuff[x]) 423 return; 424 if (!stuff[x]) { 425 stuff[x] = new int*[y+1]; 426 // Previously triggered a null dereference. 427 stuff[x][y] = 0; // no-warning 428 } 429} 430 431// Test loads from static fields. This previously triggered an uninitialized 432// value warning. 433class ClassWithStatic { 434public: 435 static const unsigned value = 1; 436}; 437 438int rdar9948787_negative() { 439 ClassWithStatic classWithStatic; 440 unsigned value = classWithStatic.value; 441 if (value == 1) 442 return 1; 443 int *p = 0; 444 *p = 0xDEADBEEF; // no-warning 445 return 0; 446} 447 448int rdar9948787_positive() { 449 ClassWithStatic classWithStatic; 450 unsigned value = classWithStatic.value; 451 if (value == 0) 452 return 1; 453 int *p = 0; 454 *p = 0xDEADBEEF; // expected-warning {{null}} 455 return 0; 456} 457 458// Regression test against global constants and switches. 459enum rdar10202899_ValT { rdar10202899_ValTA, rdar10202899_ValTB, rdar10202899_ValTC }; 460const rdar10202899_ValT val = rdar10202899_ValTA; 461void rdar10202899_test1() { 462 switch (val) { 463 case rdar10202899_ValTA: {} 464 }; 465} 466 467void rdar10202899_test2() { 468 if (val == rdar10202899_ValTA) 469 return; 470 int *p = 0; 471 *p = 0xDEADBEEF; 472} 473 474void rdar10202899_test3() { 475 switch (val) { 476 case rdar10202899_ValTA: return; 477 default: ; 478 }; 479 int *p = 0; 480 *p = 0xDEADBEEF; 481} 482 483// This used to crash the analyzer because of the unnamed bitfield. 484void PR11249() 485{ 486 struct { 487 char f1:4; 488 char :4; 489 char f2[1]; 490 char f3; 491 } V = { 1, {2}, 3 }; 492 int *p = 0; 493 if (V.f1 != 1) 494 *p = 0xDEADBEEF; // no-warning 495 if (V.f2[0] != 2) 496 *p = 0xDEADBEEF; // no-warning 497 if (V.f3 != 3) 498 *p = 0xDEADBEEF; // no-warning 499} 500 501// Handle doing a load from the memory associated with the code for 502// a function. 503extern double nan( const char * ); 504double PR11450() { 505 double NaN = *(double*) nan; 506 return NaN; 507} 508 509// Test that 'this' is assumed non-null upon analyzing the entry to a "top-level" 510// function (i.e., when not analyzing from a specific caller). 511struct TestNullThis { 512 int field; 513 void test(); 514}; 515 516void TestNullThis::test() { 517 int *p = &field; 518 if (p) 519 return; 520 field = 2; // no-warning 521} 522 523// Test handling of 'catch' exception variables, and not warning 524// about uninitialized values. 525enum MyEnum { MyEnumValue }; 526MyEnum rdar10892489() { 527 try { 528 throw MyEnumValue; 529 } catch (MyEnum e) { 530 return e; // no-warning 531 } 532 return MyEnumValue; 533} 534 535MyEnum rdar10892489_positive() { 536 try { 537 throw MyEnumValue; 538 } catch (MyEnum e) { 539 int *p = 0; 540 // FALSE NEGATIVE 541 *p = 0xDEADBEEF; // {{null}} 542 return e; 543 } 544 return MyEnumValue; 545} 546 547// Test handling of catch with no condition variable. 548void PR11545() { 549 try 550 { 551 throw; 552 } 553 catch (...) 554 { 555 } 556} 557 558void PR11545_positive() { 559 try 560 { 561 throw; 562 } 563 catch (...) 564 { 565 int *p = 0; 566 // FALSE NEGATIVE 567 *p = 0xDEADBEEF; // {{null}} 568 } 569} 570 571// Test handling taking the address of a field. While the analyzer 572// currently doesn't do anything intelligent here, this previously 573// resulted in a crash. 574class PR11146 { 575public: 576 struct Entry; 577 void baz(); 578}; 579 580struct PR11146::Entry { 581 int x; 582}; 583 584void PR11146::baz() { 585 (void) &Entry::x; 586} 587 588// Test symbolicating a reference. In this example, the 589// analyzer (originally) didn't know how to handle x[index - index2], 590// returning an UnknownVal. The conjured symbol wasn't a location, 591// and would result in a crash. 592void rdar10924675(unsigned short x[], int index, int index2) { 593 unsigned short &y = x[index - index2]; 594 if (y == 0) 595 return; 596} 597 598// Test handling CXXScalarValueInitExprs. 599void rdar11401827() { 600 int x = int(); 601 if (!x) { 602 int *p = 0; 603 *p = 0xDEADBEEF; // expected-warning {{null pointer}} 604 } 605 else { 606 int *p = 0; 607 *p = 0xDEADBEEF; 608 } 609} 610 611//===---------------------------------------------------------------------===// 612// Handle inlining of C++ method calls. 613//===---------------------------------------------------------------------===// 614 615struct A { 616 int *p; 617 void foo(int *q) { 618 p = q; 619 } 620 void bar() { 621 *p = 0; // expected-warning {{null pointer}} 622 } 623}; 624 625void test_inline() { 626 A a; 627 a.foo(0); 628 a.bar(); 629} 630 631