misc-ps-region-store.m revision 23ade507cecd24b03f5e4b5ebaea48eb38060262
1// RUN: %clang_cc1 -triple i386-apple-darwin9 -analyze -analyzer-checker=core.experimental.IdempotentOps -analyzer-checker=core.experimental.CastToStruct -analyzer-experimental-internal-checks -analyzer-check-objc-mem -analyzer-store=region -verify -fblocks -analyzer-opt-analyze-nested-blocks %s 2// RUN: %clang_cc1 -triple x86_64-apple-darwin9 -DTEST_64 -analyze -analyzer-checker=core.experimental.IdempotentOps -analyzer-checker=core.experimental.CastToStruct -analyzer-experimental-internal-checks -analyzer-check-objc-mem -analyzer-store=region -verify -fblocks -analyzer-opt-analyze-nested-blocks %s 3 4typedef long unsigned int size_t; 5void *memcpy(void *, const void *, size_t); 6void *alloca(size_t); 7 8typedef struct objc_selector *SEL; 9typedef signed char BOOL; 10typedef int NSInteger; 11typedef unsigned int NSUInteger; 12typedef struct _NSZone NSZone; 13@class NSInvocation, NSMethodSignature, NSCoder, NSString, NSEnumerator; 14@protocol NSObject - (BOOL)isEqual:(id)object; @end 15@protocol NSCopying - (id)copyWithZone:(NSZone *)zone; @end 16@protocol NSMutableCopying - (id)mutableCopyWithZone:(NSZone *)zone; @end 17@protocol NSCoding - (void)encodeWithCoder:(NSCoder *)aCoder; @end 18@interface NSObject <NSObject> {} - (id)init; @end 19extern id NSAllocateObject(Class aClass, NSUInteger extraBytes, NSZone *zone); 20@interface NSString : NSObject <NSCopying, NSMutableCopying, NSCoding> 21- (NSUInteger)length; 22+ (id)stringWithUTF8String:(const char *)nullTerminatedCString; 23@end extern NSString * const NSBundleDidLoadNotification; 24@interface NSAssertionHandler : NSObject {} 25+ (NSAssertionHandler *)currentHandler; 26- (void)handleFailureInMethod:(SEL)selector object:(id)object file:(NSString *)fileName lineNumber:(NSInteger)line description:(NSString *)format,...; 27@end 28extern NSString * const NSConnectionReplyMode; 29 30#ifdef TEST_64 31typedef long long int64_t; 32typedef int64_t intptr_t; 33#else 34typedef int int32_t; 35typedef int32_t intptr_t; 36#endif 37 38//--------------------------------------------------------------------------- 39// Test case 'checkaccess_union' differs for region store and basic store. 40// The basic store doesn't reason about compound literals, so the code 41// below won't fire an "uninitialized value" warning. 42//--------------------------------------------------------------------------- 43 44// PR 2948 (testcase; crash on VisitLValue for union types) 45// http://llvm.org/bugs/show_bug.cgi?id=2948 46void checkaccess_union() { 47 int ret = 0, status; 48 // Since RegionStore doesn't handle unions yet, 49 // this branch condition won't be triggered 50 // as involving an uninitialized value. 51 if (((((__extension__ (((union { // no-warning 52 __typeof (status) __in; int __i;} 53 ) 54 { 55 .__in = (status)} 56 ).__i))) & 0xff00) >> 8) == 1) 57 ret = 1; 58} 59 60// Check our handling of fields being invalidated by function calls. 61struct test2_struct { int x; int y; char* s; }; 62void test2_help(struct test2_struct* p); 63 64char test2() { 65 struct test2_struct s; 66 test2_help(&s); 67 char *p = 0; 68 69 if (s.x > 1) { 70 if (s.s != 0) { 71 p = "hello"; 72 } 73 } 74 75 if (s.x > 1) { 76 if (s.s != 0) { 77 return *p; 78 } 79 } 80 81 return 'a'; 82} 83 84// BasicStore handles this case incorrectly because it doesn't reason about 85// the value pointed to by 'x' and thus creates different symbolic values 86// at the declarations of 'a' and 'b' respectively. RegionStore handles 87// it correctly. See the companion test in 'misc-ps-basic-store.m'. 88void test_trivial_symbolic_comparison_pointer_parameter(int *x) { 89 int a = *x; 90 int b = *x; 91 if (a != b) { 92 int *p = 0; 93 *p = 0xDEADBEEF; // no-warning 94 } 95} 96 97// This is a modified test from 'misc-ps.m'. Here we have the extra 98// NULL dereferences which are pruned out by RegionStore's symbolic reasoning 99// of fields. 100typedef struct _BStruct { void *grue; } BStruct; 101void testB_aux(void *ptr); 102 103void testB(BStruct *b) { 104 { 105 int *__gruep__ = ((int *)&((b)->grue)); 106 int __gruev__ = *__gruep__; 107 int __gruev2__ = *__gruep__; 108 if (__gruev__ != __gruev2__) { 109 int *p = 0; 110 *p = 0xDEADBEEF; // no-warning 111 } 112 113 testB_aux(__gruep__); 114 } 115 { 116 int *__gruep__ = ((int *)&((b)->grue)); 117 int __gruev__ = *__gruep__; 118 int __gruev2__ = *__gruep__; 119 if (__gruev__ != __gruev2__) { 120 int *p = 0; 121 *p = 0xDEADBEEF; // no-warning 122 } 123 124 if (~0 != __gruev__) {} 125 } 126} 127 128void testB_2(BStruct *b) { 129 { 130 int **__gruep__ = ((int **)&((b)->grue)); 131 int *__gruev__ = *__gruep__; 132 testB_aux(__gruep__); 133 } 134 { 135 int **__gruep__ = ((int **)&((b)->grue)); 136 int *__gruev__ = *__gruep__; 137 if ((int*)~0 != __gruev__) {} 138 } 139} 140 141// This test case is a reduced case of a caching bug discovered by an 142// assertion failure in RegionStoreManager::BindArray. Essentially the 143// DeclStmt is evaluated twice, but on the second loop iteration the 144// engine caches out. Previously a false transition would cause UnknownVal 145// to bind to the variable, firing an assertion failure. This bug was fixed 146// in r76262. 147void test_declstmt_caching() { 148again: 149 { 150 const char a[] = "I like to crash"; 151 goto again; 152 } 153} 154 155//===----------------------------------------------------------------------===// 156// Reduced test case from <rdar://problem/7114618>. 157// Basically a null check is performed on the field value, which is then 158// assigned to a variable and then checked again. 159//===----------------------------------------------------------------------===// 160struct s_7114618 { int *p; }; 161void test_rdar_7114618(struct s_7114618 *s) { 162 if (s->p) { 163 int *p = s->p; 164 if (!p) { 165 // Infeasible 166 int *dead = 0; 167 *dead = 0xDEADBEEF; // no-warning 168 } 169 } 170} 171 172// Test pointers increment correctly. 173void f() { 174 int a[2]; 175 a[1] = 3; 176 int *p = a; 177 p++; 178 if (*p != 3) { 179 int *q = 0; 180 *q = 3; // no-warning 181 } 182} 183 184//===----------------------------------------------------------------------===// 185// <rdar://problem/7185607> 186// Bit-fields of a struct should be invalidated when blasting the entire 187// struct with an integer constant. 188//===----------------------------------------------------------------------===// 189struct test_7185607 { 190 int x : 10; 191 int y : 22; 192}; 193int rdar_test_7185607() { 194 struct test_7185607 s; // Uninitialized. 195 *((unsigned *) &s) = 0U; 196 return s.x; // no-warning 197} 198 199//===----------------------------------------------------------------------===// 200// <rdar://problem/7242006> [RegionStore] compound literal assignment with 201// floats not honored 202// This test case is mirrored in misc-ps.m, but this case is a negative. 203//===----------------------------------------------------------------------===// 204typedef float CGFloat; 205typedef struct _NSSize { 206 CGFloat width; 207 CGFloat height; 208} NSSize; 209 210CGFloat rdar7242006_negative(CGFloat x) { 211 NSSize y; 212 return y.width; // expected-warning{{garbage}} 213} 214 215//===----------------------------------------------------------------------===// 216// <rdar://problem/7249340> - Allow binding of values to symbolic regions. 217// This test case shows how RegionStore tracks the value bound to 'x' 218// after the assignment. 219//===----------------------------------------------------------------------===// 220typedef int* ptr_rdar_7249340; 221void rdar_7249340(ptr_rdar_7249340 x) { 222 *x = 1; 223 if (*x) 224 return; 225 int *p = 0; // This is unreachable. 226 *p = 0xDEADBEEF; // no-warning 227} 228 229//===----------------------------------------------------------------------===// 230// <rdar://problem/7249327> - This test case tests both value tracking of 231// array values and that we handle symbolic values that are casted 232// between different integer types. Note the assignment 'n = *a++'; here 233// 'n' is and 'int' and '*a' is 'unsigned'. Previously we got a false positive 234// at 'x += *b++' (undefined value) because we got a false path. 235//===----------------------------------------------------------------------===// 236int rdar_7249327_aux(void); 237 238void rdar_7249327(unsigned int A[2*32]) { 239 int B[2*32]; 240 int *b; 241 unsigned int *a; 242 int x = 0; 243 244 int n; 245 246 a = A; 247 b = B; 248 249 n = *a++; 250 if (n) 251 *b++ = rdar_7249327_aux(); 252 253 a = A; 254 b = B; 255 256 n = *a++; // expected-warning{{Assigned value is always the same as the existing value}} 257 if (n) 258 x += *b++; // no-warning 259} 260 261//===----------------------------------------------------------------------===// 262// <rdar://problem/6914474> - Check that 'x' is invalidated because its 263// address is passed in as a value to a struct. 264//===----------------------------------------------------------------------===// 265struct doodad_6914474 { int *v; }; 266extern void prod_6914474(struct doodad_6914474 *d); 267int rdar_6914474(void) { 268 int x; 269 struct doodad_6914474 d; 270 d.v = &x; 271 prod_6914474(&d); 272 return x; // no-warning 273} 274 275// Test invalidation of a single field. 276struct s_test_field_invalidate { 277 int x; 278}; 279extern void test_invalidate_field(int *x); 280int test_invalidate_field_test() { 281 struct s_test_field_invalidate y; 282 test_invalidate_field(&y.x); 283 return y.x; // no-warning 284} 285int test_invalidate_field_test_positive() { 286 struct s_test_field_invalidate y; 287 return y.x; // expected-warning{{garbage}} 288} 289 290// This test case illustrates how a typeless array of bytes casted to a 291// struct should be treated as initialized. RemoveDeadBindings previously 292// had a bug that caused 'x' to lose its default symbolic value after the 293// assignment to 'p', thus causing 'p->z' to evaluate to "undefined". 294struct ArrayWrapper { unsigned char y[16]; }; 295struct WrappedStruct { unsigned z; }; 296 297int test_handle_array_wrapper() { 298 struct ArrayWrapper x; 299 test_handle_array_wrapper(&x); 300 struct WrappedStruct *p = (struct WrappedStruct*) x.y; // expected-warning{{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption.}} 301 return p->z; // no-warning 302} 303 304//===----------------------------------------------------------------------===// 305// <rdar://problem/7261075> [RegionStore] crash when 306// handling load: '*((unsigned int *)"????")' 307//===----------------------------------------------------------------------===// 308 309int rdar_7261075(void) { 310 unsigned int var = 0; 311 if (var == *((unsigned int *)"????")) 312 return 1; 313 return 0; 314} 315 316//===----------------------------------------------------------------------===// 317// <rdar://problem/7275774> false path due to limited pointer 318// arithmetic constraints 319//===----------------------------------------------------------------------===// 320 321void rdar_7275774(void *data, unsigned n) { 322 if (!(data || n == 0)) 323 return; 324 325 unsigned short *p = (unsigned short*) data; 326 unsigned short *q = p + (n / 2); 327 328 if (p < q) { 329 // If we reach here, 'p' cannot be null. If 'p' is null, then 'n' must 330 // be '0', meaning that this branch is not feasible. 331 *p = *q; // no-warning 332 } 333} 334 335//===----------------------------------------------------------------------===// 336// <rdar://problem/7312221> 337// 338// Test that Objective-C instance variables aren't prematurely pruned 339// from the analysis state. 340//===----------------------------------------------------------------------===// 341 342struct rdar_7312221_value { int x; }; 343 344@interface RDar7312221 345{ 346 struct rdar_7312221_value *y; 347} 348- (void) doSomething_7312221; 349@end 350 351extern struct rdar_7312221_value *rdar_7312221_helper(); 352extern int rdar_7312221_helper_2(id o); 353extern void rdar_7312221_helper_3(int z); 354 355@implementation RDar7312221 356- (void) doSomething_7312221 { 357 if (y == 0) { 358 y = rdar_7312221_helper(); 359 if (y != 0) { 360 y->x = rdar_7312221_helper_2(self); 361 // The following use of 'y->x' previously triggered a null dereference, as the value of 'y' 362 // before 'y = rdar_7312221_helper()' would be used. 363 rdar_7312221_helper_3(y->x); // no-warning 364 } 365 } 366} 367@end 368 369struct rdar_7312221_container { 370 struct rdar_7312221_value *y; 371}; 372 373extern int rdar_7312221_helper_4(struct rdar_7312221_container *s); 374 375// This test case essentially matches the one in [RDar7312221 doSomething_7312221]. 376void doSomething_7312221_with_struct(struct rdar_7312221_container *Self) { 377 if (Self->y == 0) { 378 Self->y = rdar_7312221_helper(); 379 if (Self->y != 0) { 380 Self->y->x = rdar_7312221_helper_4(Self); 381 rdar_7312221_helper_3(Self->y->x); // no-warning 382 } 383 } 384} 385 386//===----------------------------------------------------------------------===// 387// <rdar://problem/7332673> - Just more tests cases for regions 388//===----------------------------------------------------------------------===// 389 390void rdar_7332673_test1() { 391 char value[1]; 392 if ( *(value) != 1 ) {} // expected-warning{{The left operand of '!=' is a garbage value}} 393} 394int rdar_7332673_test2_aux(char *x); 395void rdar_7332673_test2() { 396 char *value; 397 if ( rdar_7332673_test2_aux(value) != 1 ) {} // expected-warning{{Function call argument is an uninitialized value}} 398} 399 400//===----------------------------------------------------------------------===// 401// <rdar://problem/7347252>: Because of a bug in 402// RegionStoreManager::RemoveDeadBindings(), the symbol for s->session->p 403// would incorrectly be pruned from the state after the call to 404// rdar7347252_malloc1(), and would incorrectly result in a warning about 405// passing a null pointer to rdar7347252_memcpy(). 406//===----------------------------------------------------------------------===// 407 408struct rdar7347252_AA { char *p;}; 409typedef struct { 410 struct rdar7347252_AA *session; 411 int t; 412 char *q; 413} rdar7347252_SSL1; 414 415int rdar7347252_f(rdar7347252_SSL1 *s); 416char *rdar7347252_malloc1(int); 417char *rdar7347252_memcpy1(char *d, char *s, int n) __attribute__((nonnull (1,2))); 418 419int rdar7347252(rdar7347252_SSL1 *s) { 420 rdar7347252_f(s); // the SymbolicRegion of 's' is set a default binding of conjured symbol 421 if (s->session->p == ((void*)0)) { 422 if ((s->session->p = rdar7347252_malloc1(10)) == ((void*)0)) { 423 return 0; 424 } 425 rdar7347252_memcpy1(s->session->p, "aa", 2); // no-warning 426 } 427 return 0; 428} 429 430//===----------------------------------------------------------------------===// 431// PR 5316 - "crash when accessing field of lazy compound value" 432// Previously this caused a crash at the MemberExpr '.chr' when loading 433// a field value from a LazyCompoundVal 434//===----------------------------------------------------------------------===// 435 436typedef unsigned int pr5316_wint_t; 437typedef pr5316_wint_t pr5316_REFRESH_CHAR; 438typedef struct { 439 pr5316_REFRESH_CHAR chr; 440} 441pr5316_REFRESH_ELEMENT; 442static void pr5316(pr5316_REFRESH_ELEMENT *dst, const pr5316_REFRESH_ELEMENT *src) { 443 while ((*dst++ = *src++).chr != L'\0') ; 444} 445 446//===----------------------------------------------------------------------===// 447// Exercise creating ElementRegion with symbolic super region. 448//===----------------------------------------------------------------------===// 449void element_region_with_symbolic_superregion(int* p) { 450 int *x; 451 int a; 452 if (p[0] == 1) 453 x = &a; 454 if (p[0] == 1) 455 (void)*x; // no-warning 456} 457 458//===----------------------------------------------------------------------===// 459// Test returning an out-of-bounds pointer (CWE-466) 460//===----------------------------------------------------------------------===// 461 462static int test_cwe466_return_outofbounds_pointer_a[10]; 463int *test_cwe466_return_outofbounds_pointer() { 464 int *p = test_cwe466_return_outofbounds_pointer_a+10; 465 return p; // expected-warning{{Returned pointer value points outside the original object}} 466} 467 468//===----------------------------------------------------------------------===// 469// PR 3135 - Test case that shows that a variable may get invalidated when its 470// address is included in a structure that is passed-by-value to an unknown function. 471//===----------------------------------------------------------------------===// 472 473typedef struct { int *a; } pr3135_structure; 474int pr3135_bar(pr3135_structure *x); 475int pr3135() { 476 int x; 477 pr3135_structure y = { &x }; 478 // the call to pr3135_bar may initialize x 479 if (pr3135_bar(&y) && x) // no-warning 480 return 1; 481 return 0; 482} 483 484//===----------------------------------------------------------------------===// 485// <rdar://problem/7403269> - Test that we handle compound initializers with 486// partially unspecified array values. Previously this caused a crash. 487//===----------------------------------------------------------------------===// 488 489typedef struct RDar7403269 { 490 unsigned x[10]; 491 unsigned y; 492} RDar7403269; 493 494void rdar7403269() { 495 RDar7403269 z = { .y = 0 }; 496 if (z.x[4] == 0) 497 return; 498 int *p = 0; 499 *p = 0xDEADBEEF; // no-warning 500} 501 502typedef struct RDar7403269_b { 503 struct zorg { int w; int k; } x[10]; 504 unsigned y; 505} RDar7403269_b; 506 507void rdar7403269_b() { 508 RDar7403269_b z = { .y = 0 }; 509 if (z.x[5].w == 0) 510 return; 511 int *p = 0; 512 *p = 0xDEADBEEF; // no-warning 513} 514 515void rdar7403269_b_pos() { 516 RDar7403269_b z = { .y = 0 }; 517 if (z.x[5].w == 1) 518 return; 519 int *p = 0; 520 *p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}} 521} 522 523 524//===----------------------------------------------------------------------===// 525// Test that incrementing a non-null pointer results in a non-null pointer. 526// (<rdar://problem/7191542>) 527//===----------------------------------------------------------------------===// 528 529void test_increment_nonnull_rdar_7191542(const char *path) { 530 const char *alf = 0; 531 532 for (;;) { 533 // When using basic-store, we get a null dereference here because we lose information 534 // about path after the pointer increment. 535 char c = *path++; // no-warning 536 if (c == 'a') { 537 alf = path; 538 } 539 540 if (alf) 541 return; 542 } 543} 544 545//===----------------------------------------------------------------------===// 546// Test that the store (implicitly) tracks values for doubles/floats that are 547// uninitialized (<rdar://problem/6811085>) 548//===----------------------------------------------------------------------===// 549 550double rdar_6811085(void) { 551 double u; 552 return u + 10; // expected-warning{{The left operand of '+' is a garbage value}} 553} 554 555//===----------------------------------------------------------------------===// 556// Path-sensitive tests for blocks. 557//===----------------------------------------------------------------------===// 558 559void indirect_block_call(void (^f)()); 560 561int blocks_1(int *p, int z) { 562 __block int *q = 0; 563 void (^bar)() = ^{ q = p; }; 564 565 if (z == 1) { 566 // The call to 'bar' might cause 'q' to be invalidated. 567 bar(); 568 *q = 0x1; // no-warning 569 } 570 else if (z == 2) { 571 // The function 'indirect_block_call' might invoke bar, thus causing 572 // 'q' to possibly be invalidated. 573 indirect_block_call(bar); 574 *q = 0x1; // no-warning 575 } 576 else { 577 *q = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}} 578 } 579 return z; 580} 581 582int blocks_2(int *p, int z) { 583 int *q = 0; 584 void (^bar)(int **) = ^(int **r){ *r = p; }; 585 586 if (z) { 587 // The call to 'bar' might cause 'q' to be invalidated. 588 bar(&q); 589 *q = 0x1; // no-warning 590 } 591 else { 592 *q = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}} 593 } 594 return z; 595} 596 597// Test that the value of 'x' is considered invalidated after the block 598// is passed as an argument to the message expression. 599typedef void (^RDar7582031CB)(void); 600@interface RDar7582031 601- rdar7582031:RDar7582031CB; 602- rdar7582031_b:RDar7582031CB; 603@end 604 605// Test with one block. 606unsigned rdar7582031(RDar7582031 *o) { 607 __block unsigned x; 608 [o rdar7582031:^{ x = 1; }]; 609 return x; // no-warning 610} 611 612// Test with two blocks. 613unsigned long rdar7582031_b(RDar7582031 *o) { 614 __block unsigned y; 615 __block unsigned long x; 616 [o rdar7582031:^{ y = 1; }]; 617 [o rdar7582031_b:^{ x = 1LL; }]; 618 return x + (unsigned long) y; // no-warning 619} 620 621// Show we get an error when 'o' is null because the message 622// expression has no effect. 623unsigned long rdar7582031_b2(RDar7582031 *o) { 624 __block unsigned y; 625 __block unsigned long x; 626 if (o) 627 return 1; 628 [o rdar7582031:^{ y = 1; }]; 629 [o rdar7582031_b:^{ x = 1LL; }]; 630 return x + (unsigned long) y; // expected-warning{{The left operand of '+' is a garbage value}} 631} 632 633// Show that we handle static variables also getting invalidated. 634void rdar7582031_aux(void (^)(void)); 635RDar7582031 *rdar7582031_aux_2(); 636 637unsigned rdar7582031_static() { 638 static RDar7582031 *o = 0; 639 rdar7582031_aux(^{ o = rdar7582031_aux_2(); }); 640 641 __block unsigned x; 642 [o rdar7582031:^{ x = 1; }]; 643 return x; // no-warning 644} 645 646//===----------------------------------------------------------------------===// 647// <rdar://problem/7462324> - Test that variables passed using __blocks 648// are not treated as being uninitialized. 649//===----------------------------------------------------------------------===// 650 651typedef void (^RDar_7462324_Callback)(id obj); 652 653@interface RDar7462324 654- (void) foo:(id)target; 655- (void) foo_positive:(id)target; 656 657@end 658 659@implementation RDar7462324 660- (void) foo:(id)target { 661 __block RDar_7462324_Callback builder = ((void*) 0); 662 builder = ^(id object) { 663 if (object) { 664 builder(self); // no-warning 665 } 666 }; 667 builder(target); 668} 669- (void) foo_positive:(id)target { 670 __block RDar_7462324_Callback builder = ((void*) 0); 671 builder = ^(id object) { 672 id x; 673 if (object) { 674 builder(x); // expected-warning{{Function call argument is an uninitialized value}} 675 } 676 }; 677 builder(target); 678} 679@end 680 681//===----------------------------------------------------------------------===// 682// <rdar://problem/7468209> - Scanning for live variables within a block should 683// not crash on variables passed by reference via __block. 684//===----------------------------------------------------------------------===// 685 686int rdar7468209_aux(); 687void rdar7468209_aux_2(); 688 689void rdar7468209() { 690 __block int x = 0; 691 ^{ 692 x = rdar7468209_aux(); 693 // We need a second statement so that 'x' would be removed from the store if it wasn't 694 // passed by reference. 695 rdar7468209_aux_2(); 696 }(); 697} 698 699//===----------------------------------------------------------------------===// 700// PR 5857 - Test loading an integer from a byte array that has also been 701// reinterpreted to be loaded as a field. 702//===----------------------------------------------------------------------===// 703 704typedef struct { int x; } TestFieldLoad; 705int pr5857(char *src) { 706 TestFieldLoad *tfl = (TestFieldLoad *) (intptr_t) src; 707 int y = tfl->x; 708 long long *z = (long long *) (intptr_t) src; 709 long long w = 0; 710 int n = 0; 711 for (n = 0; n < y; ++n) { 712 // Previously we crashed analyzing this statement. 713 w = *z++; 714 } 715 return 1; 716} 717 718//===----------------------------------------------------------------------===// 719// PR 4358 - Without field-sensitivity, this code previously triggered 720// a false positive that 'uninit' could be uninitialized at the call 721// to pr4358_aux(). 722//===----------------------------------------------------------------------===// 723 724struct pr4358 { 725 int bar; 726 int baz; 727}; 728void pr4358_aux(int x); 729void pr4358(struct pr4358 *pnt) { 730 int uninit; 731 if (pnt->bar < 3) { 732 uninit = 1; 733 } else if (pnt->baz > 2) { 734 uninit = 3; 735 } else if (pnt->baz <= 2) { 736 uninit = 2; 737 } 738 pr4358_aux(uninit); // no-warning 739} 740 741//===----------------------------------------------------------------------===// 742// <rdar://problem/7526777> 743// Test handling fields of values returned from function calls or 744// message expressions. 745//===----------------------------------------------------------------------===// 746 747typedef struct testReturn_rdar_7526777 { 748 int x; 749 int y; 750} testReturn_rdar_7526777; 751 752@interface TestReturnStruct_rdar_7526777 753- (testReturn_rdar_7526777) foo; 754@end 755 756int test_return_struct(TestReturnStruct_rdar_7526777 *x) { 757 return [x foo].x; 758} 759 760testReturn_rdar_7526777 test_return_struct_2_aux_rdar_7526777(); 761 762int test_return_struct_2_rdar_7526777() { 763 return test_return_struct_2_aux_rdar_7526777().x; 764} 765 766//===----------------------------------------------------------------------===// 767// <rdar://problem/7527292> Assertion failed: (Op == BinaryOperator::Add || 768// Op == BinaryOperator::Sub) 769// This test case previously triggered an assertion failure due to a discrepancy 770// been the loaded/stored value in the array 771//===----------------------------------------------------------------------===// 772 773_Bool OSAtomicCompareAndSwapPtrBarrier( void *__oldValue, void *__newValue, void * volatile *__theValue ); 774 775void rdar_7527292() { 776 static id Cache7527292[32]; 777 for (signed long idx = 0; 778 idx < 32; 779 idx++) { 780 id v = Cache7527292[idx]; 781 if (v && OSAtomicCompareAndSwapPtrBarrier(v, ((void*)0), (void * volatile *)(Cache7527292 + idx))) { 782 } 783 } 784} 785 786//===----------------------------------------------------------------------===// 787// <rdar://problem/7515938> - Handle initialization of incomplete arrays 788// in structures using a compound value. Previously this crashed. 789//===----------------------------------------------------------------------===// 790 791struct rdar_7515938 { 792 int x; 793 int y[]; 794}; 795 796const struct rdar_7515938 *rdar_7515938() { 797 static const struct rdar_7515938 z = { 0, { 1, 2 } }; 798 if (z.y[0] != 1) { 799 int *p = 0; 800 *p = 0xDEADBEEF; // no-warning 801 } 802 return &z; 803} 804 805struct rdar_7515938_str { 806 int x; 807 char y[]; 808}; 809 810const struct rdar_7515938_str *rdar_7515938_str() { 811 static const struct rdar_7515938_str z = { 0, "hello" }; 812 return &z; 813} 814 815//===----------------------------------------------------------------------===// 816// Assorted test cases from PR 4172. 817//===----------------------------------------------------------------------===// 818 819struct PR4172A_s { int *a; }; 820 821void PR4172A_f2(struct PR4172A_s *p); 822 823int PR4172A_f1(void) { 824 struct PR4172A_s m; 825 int b[4]; 826 m.a = b; 827 PR4172A_f2(&m); 828 return b[3]; // no-warning 829} 830 831struct PR4172B_s { int *a; }; 832 833void PR4172B_f2(struct PR4172B_s *p); 834 835int PR4172B_f1(void) { 836 struct PR4172B_s m; 837 int x; 838 m.a = &x; 839 PR4172B_f2(&m); 840 return x; // no-warning 841} 842 843//===----------------------------------------------------------------------===// 844// Test invalidation of values in struct literals. 845//===----------------------------------------------------------------------===// 846 847struct s_rev96062 { int *x; int *y; }; 848struct s_rev96062_nested { struct s_rev96062 z; }; 849 850void test_a_rev96062_aux(struct s_rev96062 *s); 851void test_a_rev96062_aux2(struct s_rev96062_nested *s); 852 853int test_a_rev96062() { 854 int a, b; 855 struct s_rev96062 x = { &a, &b }; 856 test_a_rev96062_aux(&x); 857 return a + b; // no-warning 858} 859int test_b_rev96062() { 860 int a, b; 861 struct s_rev96062 x = { &a, &b }; 862 struct s_rev96062 z = x; 863 test_a_rev96062_aux(&z); 864 return a + b; // no-warning 865} 866int test_c_rev96062() { 867 int a, b; 868 struct s_rev96062 x = { &a, &b }; 869 struct s_rev96062_nested w = { x }; 870 struct s_rev96062_nested z = w; 871 test_a_rev96062_aux2(&z); 872 return a + b; // no-warning 873} 874 875//===----------------------------------------------------------------------===// 876// <rdar://problem/7242010> - The access to y[0] at the bottom previously 877// was reported as an uninitialized value. 878//===----------------------------------------------------------------------===// 879 880char *rdar_7242010(int count, char **y) { 881 char **x = alloca((count + 4) * sizeof(*x)); 882 x[0] = "hi"; 883 x[1] = "there"; 884 x[2] = "every"; 885 x[3] = "body"; 886 memcpy(x + 4, y, count * sizeof(*x)); 887 y = x; 888 return y[0]; // no-warning 889} 890 891//===----------------------------------------------------------------------===// 892// <rdar://problem/7770737> 893//===----------------------------------------------------------------------===// 894 895struct rdar_7770737_s { intptr_t p; }; 896void rdar_7770737_aux(struct rdar_7770737_s *p); 897int rdar_7770737(void) 898{ 899 int x; 900 901 // Previously 'f' was not properly invalidated, causing the use of 902 // an uninitailized value below. 903 struct rdar_7770737_s f = { .p = (intptr_t)&x }; 904 rdar_7770737_aux(&f); 905 return x; // no-warning 906} 907int rdar_7770737_pos(void) 908{ 909 int x; 910 struct rdar_7770737_s f = { .p = (intptr_t)&x }; 911 return x; // expected-warning{{Undefined or garbage value returned to caller}} 912} 913 914//===----------------------------------------------------------------------===// 915// Test handling of the implicit 'isa' field. For now we don't do anything 916// interesting. 917//===----------------------------------------------------------------------===// 918 919void pr6302(id x, Class y) { 920 // This previously crashed the analyzer (reported in PR 6302) 921 x->isa = y; 922} 923 924//===----------------------------------------------------------------------===// 925// Specially handle global variables that are declared constant. In the 926// example below, this forces the loop to take exactly 2 iterations. 927//===----------------------------------------------------------------------===// 928 929const int pr6288_L_N = 2; 930void pr6288_(void) { 931 int x[2]; 932 int *px[2]; 933 int i; 934 for (i = 0; i < pr6288_L_N; i++) 935 px[i] = &x[i]; 936 *(px[0]) = 0; // no-warning 937} 938 939void pr6288_pos(int z) { 940 int x[2]; 941 int *px[2]; 942 int i; 943 for (i = 0; i < z; i++) 944 px[i] = &x[i]; // expected-warning{{Access out-of-bound array element (buffer overflow)}} 945 *(px[0]) = 0; // expected-warning{{Dereference of undefined pointer value}} 946} 947 948void pr6288_b(void) { 949 const int L_N = 2; 950 int x[2]; 951 int *px[2]; 952 int i; 953 for (i = 0; i < L_N; i++) 954 px[i] = &x[i]; 955 *(px[0]) = 0; // no-warning 956} 957 958// <rdar://problem/7817800> - A bug in RemoveDeadBindings was causing instance variable bindings 959// to get prematurely pruned from the state. 960@interface Rdar7817800 { 961 char *x; 962} 963- (void) rdar7817800_baz; 964@end 965 966char *rdar7817800_foobar(); 967void rdar7817800_qux(void*); 968 969@implementation Rdar7817800 970- (void) rdar7817800_baz { 971 if (x) 972 rdar7817800_qux(x); 973 x = rdar7817800_foobar(); 974 // Previously this triggered a bogus null dereference warning. 975 x[1] = 'a'; // no-warning 976} 977@end 978 979// PR 6036 - This test case triggered a crash inside StoreManager::CastRegion because the size 980// of 'unsigned long (*)[0]' is 0. 981struct pr6036_a { int pr6036_b; }; 982struct pr6036_c; 983void u132monitk (struct pr6036_c *pr6036_d) { 984 (void) ((struct pr6036_a *) (unsigned long (*)[0]) ((char *) pr6036_d - 1))->pr6036_b; // expected-warning{{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption}} 985} 986 987// <rdar://problem/7813989> - ?-expressions used as a base of a member expression should be treated as an lvalue 988typedef struct rdar7813989_NestedVal { int w; } rdar7813989_NestedVal; 989typedef struct rdar7813989_Val { rdar7813989_NestedVal nv; } rdar7813989_Val; 990 991int rdar7813989(int x, rdar7813989_Val *a, rdar7813989_Val *b) { 992 // This previously crashed with an assertion failure. 993 int z = (x ? a->nv : b->nv).w; 994 return z + 1; 995} 996 997// PR 6844 - Don't crash on vaarg expression. 998typedef __builtin_va_list va_list; 999void map(int srcID, ...) { 1000 va_list ap; 1001 int i; 1002 for (i = 0; i < srcID; i++) { 1003 int v = __builtin_va_arg(ap, int); 1004 } 1005} 1006 1007// PR 6854 - crash when casting symbolic memory address to a float 1008// Handle casting from a symbolic region to a 'float'. This isn't 1009// really all that intelligent, but previously this caused a crash 1010// in SimpleSValuator. 1011void pr6854(void * arg) { 1012 void * a = arg; 1013 *(void**)a = arg; 1014 float f = *(float*) a; 1015} 1016 1017// <rdar://problem/8032791> False positive due to symbolic store not find 1018// value because of 'const' qualifier 1019double rdar_8032791_2(); 1020double rdar_8032791_1() { 1021 struct R8032791 { double x[2]; double y; } 1022 data[3] = { 1023 {{1.0, 3.0}, 3.0}, // 1 2 3 1024 {{1.0, 1.0}, 0.0}, // 1 1 2 2 3 3 1025 {{1.0, 3.0}, 1.0} // 1 2 3 1026 }; 1027 1028 double x = 0.0; 1029 for (unsigned i = 0 ; i < 3; i++) { 1030 const struct R8032791 *p = &data[i]; 1031 x += p->y + rdar_8032791_2(); // no-warning 1032 } 1033 return x; 1034} 1035 1036// PR 7450 - Handle pointer arithmetic with __builtin_alloca 1037void pr_7450_aux(void *x); 1038void pr_7450() { 1039 void *p = __builtin_alloca(10); 1040 // Don't crash when analyzing the following statement. 1041 pr_7450_aux(p + 8); 1042} 1043 1044// <rdar://problem/8243408> - Symbolicate struct values returned by value. 1045struct s_rdar_8243408 { int x; }; 1046extern struct s_rdar_8243408 rdar_8243408_aux(void); 1047void rdar_8243408(void) { 1048 struct s_rdar_8243408 a = { 1 }, *b = 0; 1049 while (a.x && !b) 1050 a = rdar_8243408_aux(); 1051 1052 // Previously there was a false error here with 'b' being null. 1053 (void) (a.x && b->x); // no-warning 1054 1055 // Introduce a null deref to ensure we are checking this path. 1056 int *p = 0; 1057 *p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}} 1058} 1059 1060// <rdar://problem/8258814> 1061int r8258814() 1062{ 1063 int foo; 1064 int * a = &foo; 1065 a[0] = 10; 1066 // Do not warn that the value of 'foo' is uninitialized. 1067 return foo; // no-warning 1068} 1069 1070// PR 8052 - Don't crash when reasoning about loads from a function address.\n 1071typedef unsigned int __uint32_t; 1072typedef unsigned long vm_offset_t; 1073typedef __uint32_t pd_entry_t; 1074typedef unsigned char u_char; 1075typedef unsigned int u_int; 1076typedef unsigned long u_long; 1077extern int bootMP_size; 1078void bootMP(void); 1079static void 1080pr8052(u_int boot_addr) 1081{ 1082 int x; 1083 int size = *(int *) ((u_long) & bootMP_size); 1084 u_char *src = (u_char *) ((u_long) bootMP); 1085 u_char *dst = (u_char *) boot_addr + ((vm_offset_t) ((((((((1 << 108612) / (sizeof(pd_entry_t))) - 1) - 1) - (260 - 2))) << 22) | ((0) << 12))); 1087 for (x = 0; 1088 x < size; 1089 ++x) 1090 *dst++ = *src++; 1091} 1092 1093// PR 8015 - don't return undefined values for arrays when using a valid 1094// symbolic index 1095int pr8015_A(); 1096void pr8015_B(const char *); 1097 1098void pr8015_C() { 1099 int number = pr8015_A(); 1100 const char *numbers[] = { "zero" }; 1101 if (number == 0) { 1102 pr8015_B(numbers[number]); // no-warning 1103 } 1104} 1105 1106// Tests that we correctly handle that 'number' is perfectly constrained 1107// after 'if (nunber == 0)', allowing us to resolve that 1108// numbers[number] == numbers[0]. 1109void pr8015_D_FIXME() { 1110 int number = pr8015_A(); 1111 const char *numbers[] = { "zero" }; 1112 if (number == 0) { 1113 if (numbers[number] == numbers[0]) // expected-warning{{Both operands to '==' always have the same value}} 1114 return; 1115 // Unreachable. 1116 int *p = 0; 1117 *p = 0xDEADBEEF; // no-warnng 1118 } 1119} 1120 1121void pr8015_E() { 1122 // Similar to pr8015_C, but number is allowed to be a valid range. 1123 unsigned number = pr8015_A(); 1124 const char *numbers[] = { "zero", "one", "two" }; 1125 if (number < 3) { 1126 pr8015_B(numbers[number]); // no-warning 1127 } 1128} 1129 1130void pr8015_F_FIXME() { 1131 // Similar to pr8015_E, but like pr8015_D we check if the pointer 1132 // is the same as one of the string literals. The null dereference 1133 // here is not feasible in practice, so this is a false positive. 1134 int number = pr8015_A(); 1135 const char *numbers[] = { "zero", "one", "two" }; 1136 if (number < 3) { 1137 const char *p = numbers[number]; 1138 if (p == numbers[0] || p == numbers[1] || p == numbers[2]) 1139 return; 1140 int *q = 0; 1141 *q = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}} 1142 } 1143} 1144 1145// PR 8141. Previously the statement expression in the for loop caused 1146// the CFG builder to crash. 1147struct list_pr8141 1148{ 1149 struct list_pr8141 *tail; 1150}; 1151 1152struct list_pr8141 * 1153pr8141 (void) { 1154 struct list_pr8141 *items; 1155 for (;; items = ({ do { } while (0); items->tail; })) // expected-warning{{Dereference of undefined pointer value}} 1156 { 1157 } 1158} 1159 1160// Don't crash when building the CFG. 1161void do_not_crash(int x) { 1162 while (x - ({do {} while (0); x; })) { 1163 } 1164} 1165 1166// <rdar://problem/8424269> - Handle looking at the size of a VLA in 1167// ArrayBoundChecker. Nothing intelligent (yet); just don't crash. 1168typedef struct RDar8424269_A { 1169 int RDar8424269_C; 1170} RDar8424269_A; 1171static void RDar8424269_B(RDar8424269_A *p, unsigned char *RDar8424269_D, 1172 const unsigned char *RDar8424269_E, int RDar8424269_F, 1173 int b_w, int b_h, int dx, int dy) { 1174 int x, y, b, r, l; 1175 unsigned char tmp2t[3][RDar8424269_F * (32 + 8)]; 1176 unsigned char *tmp2 = tmp2t[0]; 1177 if (p && !p->RDar8424269_C) 1178 b = 15; 1179 tmp2 = tmp2t[1]; 1180 if (b & 2) { // expected-warning{{The left operand of '&' is a garbage value}} 1181 for (y = 0; y < b_h; y++) { 1182 for (x = 0; x < b_w + 1; x++) { 1183 int am = 0; 1184 tmp2[x] = am; 1185 } 1186 } 1187 } 1188 tmp2 = tmp2t[2]; 1189} 1190 1191// <rdar://problem/8642434> - Handle transparent unions with the AttrNonNullChecker. 1192typedef union { 1193 struct rdar_8642434_typeA *_dq; 1194} 1195rdar_8642434_typeB __attribute__((transparent_union)); 1196 1197__attribute__((visibility("default"))) __attribute__((__nonnull__)) __attribute__((__nothrow__)) 1198void rdar_8642434_funcA(rdar_8642434_typeB object); 1199 1200void rdar_8642434_funcB(struct rdar_8642434_typeA *x, struct rdar_8642434_typeA *y) { 1201 rdar_8642434_funcA(x); 1202 if (!y) 1203 rdar_8642434_funcA(y); // expected-warning{{Null pointer passed as an argument to a 'nonnull' parameter}} 1204} 1205 1206// <rdar://problem/8848957> - Handle loads and stores from a symbolic index 1207// into array without warning about an uninitialized value being returned. 1208// While RegionStore can't fully reason about this example, it shouldn't 1209// warn here either. 1210typedef struct s_test_rdar8848957 { 1211 int x, y, z; 1212} s_test_rdar8848957; 1213 1214s_test_rdar8848957 foo_rdar8848957(); 1215int rdar8848957(int index) { 1216 s_test_rdar8848957 vals[10]; 1217 vals[index] = foo_rdar8848957(); 1218 return vals[index].x; // no-warning 1219} 1220 1221// PR 9049 - crash on symbolicating unions. This test exists solely to 1222// test that the analyzer doesn't crash. 1223typedef struct pr9048_cdev *pr9048_cdev_t; 1224typedef union pr9048_abstracted_disklabel { void *opaque; } pr9048_disklabel_t; 1225struct pr9048_diskslice { pr9048_disklabel_t ds_label; }; 1226struct pr9048_diskslices { 1227 int dss_secmult; 1228 struct pr9048_diskslice dss_slices[16]; 1229}; 1230void pr9048(pr9048_cdev_t dev, struct pr9048_diskslices * ssp, unsigned int slice) 1231{ 1232 pr9048_disklabel_t lp; 1233 struct pr9048_diskslice *sp; 1234 sp = &ssp->dss_slices[slice]; 1235 if (ssp->dss_secmult == 1) { 1236 } else if ((lp = sp->ds_label).opaque != ((void *) 0)) { 1237 } 1238} 1239 1240