misc-ps.m revision 6b12da9f89b7863e6fc995312355b94197b75657
1// NOTE: Use '-fobjc-gc' to test the analysis being run twice, and multiple reports are not issued. 2// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-experimental-internal-checks -analyzer-check-objc-mem -analyzer-checker=core.experimental.IdempotentOps -analyzer-checker=core.experimental.CastToStruct -analyzer-checker=cocoa.AtSync -analyzer-store=basic -fobjc-gc -analyzer-constraints=basic -verify -fblocks -Wno-unreachable-code %s 3// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-experimental-internal-checks -analyzer-check-objc-mem -analyzer-checker=core.experimental.IdempotentOps -analyzer-checker=core.experimental.CastToStruct -analyzer-checker=cocoa.AtSync -analyzer-store=basic -analyzer-constraints=range -verify -fblocks -Wno-unreachable-code %s 4// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-experimental-internal-checks -analyzer-check-objc-mem -analyzer-checker=core.experimental.IdempotentOps -analyzer-checker=core.experimental.CastToStruct -analyzer-checker=cocoa.AtSync -analyzer-store=region -analyzer-constraints=basic -verify -fblocks -Wno-unreachable-code %s 5// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-experimental-internal-checks -analyzer-check-objc-mem -analyzer-checker=core.experimental.IdempotentOps -analyzer-checker=core.experimental.CastToStruct -analyzer-checker=cocoa.AtSync -analyzer-store=region -analyzer-constraints=range -verify -fblocks -Wno-unreachable-code %s 6// RUN: %clang_cc1 -triple x86_64-apple-darwin10 -analyze -analyzer-experimental-internal-checks -analyzer-check-objc-mem -analyzer-checker=core.experimental.IdempotentOps -analyzer-checker=core.experimental.CastToStruct -analyzer-checker=cocoa.AtSync -analyzer-store=basic -fobjc-gc -analyzer-constraints=basic -verify -fblocks -Wno-unreachable-code %s 7// RUN: %clang_cc1 -triple x86_64-apple-darwin10 -analyze -analyzer-experimental-internal-checks -analyzer-check-objc-mem -analyzer-checker=core.experimental.IdempotentOps -analyzer-checker=core.experimental.CastToStruct -analyzer-checker=cocoa.AtSync -analyzer-store=basic -analyzer-constraints=range -verify -fblocks -Wno-unreachable-code %s 8// RUN: %clang_cc1 -triple x86_64-apple-darwin10 -analyze -analyzer-experimental-internal-checks -analyzer-check-objc-mem -analyzer-checker=core.experimental.IdempotentOps -analyzer-checker=core.experimental.CastToStruct -analyzer-checker=cocoa.AtSync -analyzer-store=region -analyzer-constraints=basic -verify -fblocks -Wno-unreachable-code %s 9// RUN: %clang_cc1 -triple x86_64-apple-darwin10 -analyze -analyzer-experimental-internal-checks -analyzer-check-objc-mem -analyzer-checker=core.experimental.IdempotentOps -analyzer-checker=core.experimental.CastToStruct -analyzer-checker=cocoa.AtSync -analyzer-store=region -analyzer-constraints=range -verify -fblocks -Wno-unreachable-code %s 10 11#ifndef __clang_analyzer__ 12#error __clang__analyzer__ not defined 13#endif 14 15typedef struct objc_ivar *Ivar; 16typedef struct objc_selector *SEL; 17typedef signed char BOOL; 18typedef int NSInteger; 19typedef unsigned int NSUInteger; 20typedef struct _NSZone NSZone; 21@class NSInvocation, NSArray, NSMethodSignature, NSCoder, NSString, NSEnumerator; 22@protocol NSObject 23- (BOOL)isEqual:(id)object; 24- (id)autorelease; 25@end 26@protocol NSCopying 27- (id)copyWithZone:(NSZone *)zone; 28@end 29@protocol NSMutableCopying - (id)mutableCopyWithZone:(NSZone *)zone; @end 30@protocol NSCoding 31- (void)encodeWithCoder:(NSCoder *)aCoder; 32@end 33@interface NSObject <NSObject> {} 34- (id)init; 35+ (id)allocWithZone:(NSZone *)zone; 36@end 37extern id NSAllocateObject(Class aClass, NSUInteger extraBytes, NSZone *zone); 38@interface NSString : NSObject <NSCopying, NSMutableCopying, NSCoding> 39- (NSUInteger)length; 40+ (id)stringWithUTF8String:(const char *)nullTerminatedCString; 41@end extern NSString * const NSBundleDidLoadNotification; 42@interface NSValue : NSObject <NSCopying, NSCoding> 43- (void)getValue:(void *)value; 44@end 45@interface NSNumber : NSValue 46- (char)charValue; 47- (id)initWithBool:(BOOL)value; 48@end 49@interface NSAssertionHandler : NSObject {} 50+ (NSAssertionHandler *)currentHandler; 51- (void)handleFailureInMethod:(SEL)selector object:(id)object file:(NSString *)fileName lineNumber:(NSInteger)line description:(NSString *)format,...; 52@end 53extern NSString * const NSConnectionReplyMode; 54typedef float CGFloat; 55typedef struct _NSPoint { 56 CGFloat x; 57 CGFloat y; 58} NSPoint; 59typedef struct _NSSize { 60 CGFloat width; 61 CGFloat height; 62} NSSize; 63typedef struct _NSRect { 64 NSPoint origin; 65 NSSize size; 66} NSRect; 67 68// Reduced test case from crash in <rdar://problem/6253157> 69@interface A @end 70@implementation A 71- (void)foo:(void (^)(NSObject *x))block { 72 if (!((block != ((void *)0)))) {} 73} 74@end 75 76// Reduced test case from crash in PR 2796; 77// http://llvm.org/bugs/show_bug.cgi?id=2796 78 79unsigned foo(unsigned x) { return __alignof__((x)) + sizeof(x); } 80 81// Improvement to path-sensitivity involving compound assignments. 82// Addresses false positive in <rdar://problem/6268365> 83// 84 85unsigned r6268365Aux(); 86 87void r6268365() { 88 unsigned x = 0; 89 x &= r6268365Aux(); // expected-warning{{The left operand to '&=' is always 0}} 90 unsigned j = 0; 91 92 if (x == 0) ++j; 93 if (x == 0) x = x / j; // expected-warning{{Assigned value is always the same as the existing value}} expected-warning{{The right operand to '/' is always 1}} 94} 95 96void divzeroassume(unsigned x, unsigned j) { 97 x /= j; 98 if (j == 0) x /= 0; // no static-analyzer warning expected-warning {{division by zero is undefined}} 99 if (j == 0) x /= j; // no static-analyzer warning 100 if (j == 0) x = x / 0; // no static-analyzer warning expected-warning {{division by zero is undefined}} 101} 102 103void divzeroassumeB(unsigned x, unsigned j) { 104 x = x / j; 105 if (j == 0) x /= 0; // no static-analyzer warning expected-warning {{division by zero is undefined}} 106 if (j == 0) x /= j; // no static-analyzer warning 107 if (j == 0) x = x / 0; // no static-analyzer warning expected-warning {{division by zero is undefined}} 108} 109 110// InitListExpr processing 111 112typedef float __m128 __attribute__((__vector_size__(16), __may_alias__)); 113__m128 return128() { 114 // This compound literal has a Vector type. We currently just 115 // return UnknownVal. 116 return __extension__(__m128) { 0.0f, 0.0f, 0.0f, 0.0f }; 117} 118 119typedef long long __v2di __attribute__ ((__vector_size__ (16))); 120typedef long long __m128i __attribute__ ((__vector_size__ (16), __may_alias__)); 121__m128i vec128i(long long __q1, long long __q0) { 122 // This compound literal returns true for both isVectorType() and 123 // isIntegerType(). 124 return __extension__ (__m128i)(__v2di){ __q0, __q1 }; 125} 126 127// Zero-sized VLAs. 128void check_zero_sized_VLA(int x) { 129 if (x) 130 return; 131 132 int vla[x]; // expected-warning{{Declared variable-length array (VLA) has zero size}} 133} 134 135void check_uninit_sized_VLA() { 136 int x; 137 int vla[x]; // expected-warning{{Declared variable-length array (VLA) uses a garbage value as its size}} 138} 139 140// sizeof(void) 141// - Tests a regression reported in PR 3211: http://llvm.org/bugs/show_bug.cgi?id=3211 142void handle_sizeof_void(unsigned flag) { 143 int* p = 0; 144 145 if (flag) { 146 if (sizeof(void) == 1) 147 return; 148 // Infeasible. 149 *p = 1; // no-warning 150 } 151 152 void* q; 153 154 if (!flag) { 155 if (sizeof(*q) == 1) 156 return; 157 // Infeasibe. 158 *p = 1; // no-warning 159 } 160 161 // Infeasible. 162 *p = 1; // no-warning 163} 164 165// check deference of undefined values 166void check_deref_undef(void) { 167 int *p; 168 *p = 0xDEADBEEF; // expected-warning{{Dereference of undefined pointer value}} 169} 170 171// PR 3422 172void pr3422_helper(char *p); 173void pr3422() { 174 char buf[100]; 175 char *q = &buf[10]; 176 pr3422_helper(&q[1]); 177} 178 179// PR 3543 (handle empty statement expressions) 180void pr_3543(void) { 181 ({}); 182} 183 184// <rdar://problem/6611677> 185// This test case test the use of a vector type within an array subscript 186// expression. 187typedef long long __a64vector __attribute__((__vector_size__(8))); 188typedef long long __a128vector __attribute__((__vector_size__(16))); 189static inline __a64vector __attribute__((__always_inline__, __nodebug__)) 190my_test_mm_movepi64_pi64(__a128vector a) { 191 return (__a64vector)a[0]; 192} 193 194// Test basic tracking of ivars associated with 'self'. 195@interface SelfIvarTest : NSObject { 196 int flag; 197} 198- (void)test_self_tracking; 199@end 200 201@implementation SelfIvarTest 202- (void)test_self_tracking { 203 char *p = 0; 204 char c; 205 206 if (flag) 207 p = "hello"; 208 209 if (flag) 210 c = *p; // no-warning 211} 212@end 213 214// PR 3770 215char pr3770(int x) { 216 int y = x & 0x2; 217 char *p = 0; 218 if (y == 1) 219 p = "hello"; 220 221 if (y == 1) 222 return p[0]; // no-warning 223 224 return 'a'; 225} 226 227// PR 3772 228// - We just want to test that this doesn't crash the analyzer. 229typedef struct st ST; 230struct st { char *name; }; 231extern ST *Cur_Pu; 232 233void pr3772(void) 234{ 235 static ST *last_Cur_Pu; 236 if (last_Cur_Pu == Cur_Pu) { 237 return; 238 } 239} 240 241// PR 3780 - This tests that StmtIterator isn't broken for VLAs in DeclGroups. 242void pr3780(int sz) { typedef double MAT[sz][sz]; } 243 244// <rdar://problem/6695527> - Test that we don't symbolicate doubles before 245// we are ready to do something with them. 246int rdar6695527(double x) { 247 if (!x) { return 0; } 248 return 1; 249} 250 251// <rdar://problem/6708148> - Test that we properly invalidate structs 252// passed-by-reference to a function. 253void pr6708148_invalidate(NSRect *x); 254void pr6708148_use(NSRect x); 255void pr6708148_test(void) { 256 NSRect x; 257 pr6708148_invalidate(&x); 258 pr6708148_use(x); // no-warning 259} 260 261// Handle both kinds of noreturn attributes for pruning paths. 262void rdar_6777003_noret() __attribute__((noreturn)); 263void rdar_6777003_analyzer_noret() __attribute__((analyzer_noreturn)); 264 265void rdar_6777003(int x) { 266 int *p = 0; 267 268 if (x == 1) { 269 rdar_6777003_noret(); 270 *p = 1; // no-warning; 271 } 272 273 if (x == 2) { 274 rdar_6777003_analyzer_noret(); 275 *p = 1; // no-warning; 276 } 277 278 *p = 1; // expected-warning{{Dereference of null pointer}} 279} 280 281// For pointer arithmetic, --/++ should be treated as preserving non-nullness, 282// regardless of how well the underlying StoreManager reasons about pointer 283// arithmetic. 284// <rdar://problem/6777209> 285void rdar_6777209(char *p) { 286 if (p == 0) 287 return; 288 289 ++p; 290 291 // This branch should always be infeasible. 292 if (p == 0) 293 *p = 'c'; // no-warning 294} 295 296// PR 4033. A symbolic 'void *' pointer can be used as the address for a 297// computed goto. 298typedef void *Opcode; 299Opcode pr_4033_getOpcode(); 300void pr_4033(void) { 301 void *lbl = &&next_opcode; 302next_opcode: 303 { 304 Opcode op = pr_4033_getOpcode(); 305 if (op) goto *op; 306 } 307} 308 309// Test invalidating pointers-to-pointers with slightly different types. This 310// example came from a recent false positive due to a regression where the 311// branch condition was falsely reported as being uninitialized. 312void invalidate_by_ref(char **x); 313int test_invalidate_by_ref() { 314 unsigned short y; 315 invalidate_by_ref((char**) &y); 316 if (y) // no-warning 317 return 1; 318 return 0; 319} 320 321// Test for <rdar://problem/7027684>. This just tests that the CFG is 322// constructed correctly. Previously, the successor block of the entrance 323// was the block containing the merge for '?', which would trigger an 324// assertion failure. 325int rdar_7027684_aux(); 326int rdar_7027684_aux_2() __attribute__((noreturn)); 327void rdar_7027684(int x, int y) { 328 {}; // this empty compound statement is critical. 329 (rdar_7027684_aux() ? rdar_7027684_aux_2() : (void) 0); 330} 331 332// Test that we handle casts of string literals to arbitrary types. 333unsigned const char *string_literal_test1() { 334 return (const unsigned char*) "hello"; 335} 336 337const float *string_literal_test2() { 338 return (const float*) "hello"; 339} 340 341// Test that we handle casts *from* incomplete struct types. 342extern const struct _FooAssertStruct _cmd; 343void test_cast_from_incomplete_struct_aux(volatile const void *x); 344void test_cast_from_incomplete_struct() { 345 test_cast_from_incomplete_struct_aux(&_cmd); 346} 347 348// Test for <rdar://problem/7034511> 349// "ValueManager::makeIntVal(uint64_t X, QualType T) should return a 'Loc' 350// when 'T' is a pointer" 351// 352// Previously this case would crash. 353void test_rdar_7034511(NSArray *y) { 354 NSObject *x; 355 for (x in y) {} 356 if (x == ((void*) 0)) {} 357} 358 359// Handle casts of function pointers (CodeTextRegions) to arbitrary pointer 360// types. This was previously causing a crash in CastRegion. 361void handle_funcptr_voidptr_casts() { 362 void **ptr; 363 typedef void *PVOID; 364 typedef void *PCHAR; 365 typedef long INT_PTR, *PINT_PTR; 366 typedef INT_PTR (*FARPROC)(); 367 FARPROC handle_funcptr_voidptr_casts_aux(); 368 PVOID handle_funcptr_voidptr_casts_aux_2(PVOID volatile *x); 369 PVOID handle_funcptr_voidptr_casts_aux_3(PCHAR volatile *x); 370 371 ptr = (void**) handle_funcptr_voidptr_casts_aux(); 372 handle_funcptr_voidptr_casts_aux_2(ptr); 373 handle_funcptr_voidptr_casts_aux_3(ptr); 374} 375 376// RegionStore::Retrieve previously crashed on this example. This example 377// was previously in the test file 'xfail_regionstore_wine_crash.c'. 378void testA() { 379 long x = 0; 380 char *y = (char *) &x; 381 if (!*y) 382 return; 383} 384 385// RegionStoreManager previously crashed on this example. The problem is that 386// the value bound to the field of b->grue after the call to testB_aux is 387// a symbolic region. The second '*__gruep__' involves performing a load 388// from a 'int*' that really is a 'void**'. The loaded location must be 389// implicitly converted to an integer that wraps a location. Previosly we would 390// get a crash here due to an assertion failure. 391typedef struct _BStruct { void *grue; } BStruct; 392void testB_aux(void *ptr); 393void testB(BStruct *b) { 394 { 395 int *__gruep__ = ((int *)&((b)->grue)); 396 int __gruev__ = *__gruep__; 397 testB_aux(__gruep__); 398 } 399 { 400 int *__gruep__ = ((int *)&((b)->grue)); 401 int __gruev__ = *__gruep__; 402 if (~0 != __gruev__) {} 403 } 404} 405 406void test_trivial_symbolic_comparison(int *x) { 407 int test_trivial_symbolic_comparison_aux(); 408 int a = test_trivial_symbolic_comparison_aux(); 409 int b = a; 410 if (a != b) { // expected-warning{{Both operands to '!=' always have the same value}} 411 int *p = 0; 412 *p = 0xDEADBEEF; // no-warning 413 } 414 415 a = a == 1; 416 b = b == 1; 417 if (a != b) { // expected-warning{{Both operands to '!=' always have the same value}} 418 int *p = 0; 419 *p = 0xDEADBEEF; // no-warning 420 } 421} 422 423// Test for: 424// <rdar://problem/7062158> false positive null dereference due to 425// BasicStoreManager not tracking *static* globals 426// 427// This just tests the proper tracking of symbolic values for globals (both 428// static and non-static). 429// 430static int* x_rdar_7062158; 431void rdar_7062158() { 432 int *current = x_rdar_7062158; 433 if (current == x_rdar_7062158) 434 return; 435 436 int *p = 0; 437 *p = 0xDEADBEEF; // no-warning 438} 439 440int* x_rdar_7062158_2; 441void rdar_7062158_2() { 442 int *current = x_rdar_7062158_2; 443 if (current == x_rdar_7062158_2) 444 return; 445 446 int *p = 0; 447 *p = 0xDEADBEEF; // no-warning 448} 449 450// This test reproduces a case for a crash when analyzing ClamAV using 451// RegionStoreManager (the crash doesn't exhibit in BasicStoreManager because 452// it isn't doing anything smart about arrays). The problem is that on the 453// second line, 'p = &p[i]', p is assigned an ElementRegion whose index 454// is a 16-bit integer. On the third line, a new ElementRegion is created 455// based on the previous region, but there the region uses a 32-bit integer, 456// resulting in a clash of values (an assertion failure at best). We resolve 457// this problem by implicitly converting index values to 'int' when the 458// ElementRegion is created. 459unsigned char test_array_index_bitwidth(const unsigned char *p) { 460 unsigned short i = 0; 461 for (i = 0; i < 2; i++) p = &p[i]; 462 return p[i+1]; 463} 464 465// This case tests that CastRegion handles casts involving BlockPointerTypes. 466// It should not crash. 467void test_block_cast() { 468 id test_block_cast_aux(); 469 (void (^)(void *))test_block_cast_aux(); // expected-warning{{expression result unused}} 470} 471 472int OSAtomicCompareAndSwap32Barrier(); 473 474// Test comparison of 'id' instance variable to a null void* constant after 475// performing an OSAtomicCompareAndSwap32Barrier. 476// This previously was a crash in RegionStoreManager. 477@interface TestIdNull { 478 id x; 479} 480-(int)foo; 481@end 482@implementation TestIdNull 483-(int)foo { 484 OSAtomicCompareAndSwap32Barrier(0, (signed)2, (signed*)&x); 485 if (x == (void*) 0) { return 0; } 486 return 1; 487} 488@end 489 490// PR 4594 - This was a crash when handling casts in SimpleSValuator. 491void PR4594() { 492 char *buf[1]; 493 char **foo = buf; 494 *foo = "test"; 495} 496 497// Test invalidation logic where an integer is casted to an array with a 498// different sign and then invalidated. 499void test_invalidate_cast_int() { 500 void test_invalidate_cast_int_aux(unsigned *i); 501 signed i; 502 test_invalidate_cast_int_aux((unsigned*) &i); 503 if (i < 0) 504 return; 505} 506 507int ivar_getOffset(); 508 509// Reduced from a crash involving the cast of an Objective-C symbolic region to 510// 'char *' 511static NSNumber *test_ivar_offset(id self, SEL _cmd, Ivar inIvar) { 512 return [[[NSNumber allocWithZone:((void*)0)] initWithBool:*(_Bool *)((char *)self + ivar_getOffset(inIvar))] autorelease]; 513} 514 515// Reduced from a crash in StoreManager::CastRegion involving a divide-by-zero. 516// This resulted from not properly handling region casts to 'const void*'. 517void test_cast_const_voidptr() { 518 char x[10]; 519 char *p = &x[1]; 520 const void* q = p; 521} 522 523// Reduced from a crash when analyzing Wine. This test handles loads from 524// function addresses. 525typedef long (*FARPROC)(); 526FARPROC test_load_func(FARPROC origfun) { 527 if (!*(unsigned char*) origfun) 528 return origfun; 529 return 0; 530} 531 532// Test passing-by-value an initialized struct variable. 533struct test_pass_val { 534 int x; 535 int y; 536}; 537void test_pass_val_aux(struct test_pass_val s); 538void test_pass_val() { 539 struct test_pass_val s; 540 s.x = 1; 541 s.y = 2; 542 test_pass_val_aux(s); 543} 544 545// This is a reduced test case of a false positive that previously appeared 546// in RegionStoreManager. Previously the array access resulted in dereferencing 547// an undefined value. 548int test_array_compound(int *q, int *r, int *z) { 549 int *array[] = { q, r, z }; 550 int j = 0; 551 for (unsigned i = 0; i < 3 ; ++i) 552 if (*array[i]) ++j; // no-warning 553 return j; 554} 555 556// This test case previously crashed with -analyzer-store=basic because the 557// symbolic value stored in 'x' wouldn't be implicitly casted to a signed value 558// during the comparison. 559int rdar_7124210(unsigned int x) { 560 enum { SOME_CONSTANT = 123 }; 561 int compare = ((signed) SOME_CONSTANT) == *((signed *) &x); 562 return compare ? 0 : 1; // Forces the evaluation of the symbolic constraint. 563} 564 565void pr4781(unsigned long *raw1) { 566 unsigned long *cook, *raw0; 567 unsigned long dough[32]; 568 int i; 569 cook = dough; 570 for( i = 0; i < 16; i++, raw1++ ) { 571 raw0 = raw1++; 572 *cook = (*raw0 & 0x00fc0000L) << 6; 573 *cook |= (*raw0 & 0x00000fc0L) << 10; 574 } 575} 576 577// <rdar://problem/7185647> - 'self' should be treated as being non-null 578// upon entry to an objective-c method. 579@interface RDar7185647 580- (id)foo; 581@end 582@implementation RDar7185647 583- (id) foo { 584 if (self) 585 return self; 586 *((volatile int *) 0x0) = 0xDEADBEEF; // no-warning 587 return self; 588} 589@end 590 591// Test reasoning of __builtin_offsetof; 592struct test_offsetof_A { 593 int x; 594 int y; 595}; 596struct test_offsetof_B { 597 int w; 598 int z; 599}; 600void test_offsetof_1() { 601 if (__builtin_offsetof(struct test_offsetof_A, x) == 602 __builtin_offsetof(struct test_offsetof_B, w)) 603 return; 604 int *p = 0; 605 *p = 0xDEADBEEF; // no-warning 606} 607void test_offsetof_2() { 608 if (__builtin_offsetof(struct test_offsetof_A, y) == 609 __builtin_offsetof(struct test_offsetof_B, z)) 610 return; 611 int *p = 0; 612 *p = 0xDEADBEEF; // no-warning 613} 614void test_offsetof_3() { 615 if (__builtin_offsetof(struct test_offsetof_A, y) - 616 __builtin_offsetof(struct test_offsetof_A, x) 617 == 618 __builtin_offsetof(struct test_offsetof_B, z) - 619 __builtin_offsetof(struct test_offsetof_B, w)) 620 return; 621 int *p = 0; 622 *p = 0xDEADBEEF; // no-warning 623} 624void test_offsetof_4() { 625 if (__builtin_offsetof(struct test_offsetof_A, y) == 626 __builtin_offsetof(struct test_offsetof_B, w)) 627 return; 628 int *p = 0; 629 *p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}} 630} 631 632// <rdar://problem/6829164> "nil receiver" false positive: make tracking 633// of the MemRegion for 'self' path-sensitive 634@interface RDar6829164 : NSObject { 635 double x; int y; 636} 637- (id) init; 638@end 639 640id rdar_6829164_1(); 641double rdar_6829164_2(); 642 643@implementation RDar6829164 644- (id) init { 645 if((self = [super init]) != 0) { 646 id z = rdar_6829164_1(); 647 y = (z != 0); 648 if (y) 649 x = rdar_6829164_2(); 650 } 651 return self; 652} 653@end 654 655// <rdar://problem/7242015> - Invalidate values passed-by-reference 656// to functions when the pointer to the value is passed as an integer. 657void test_7242015_aux(unsigned long); 658int rdar_7242015() { 659 int x; 660 test_7242015_aux((unsigned long) &x); // no-warning 661 return x; // Previously we return and uninitialized value when 662 // using RegionStore. 663} 664 665// <rdar://problem/7242006> [RegionStore] compound literal assignment with 666// floats not honored 667CGFloat rdar7242006(CGFloat x) { 668 NSSize y = (NSSize){x, 10}; 669 return y.width; // no-warning 670} 671 672// PR 4988 - This test exhibits a case where a function can be referenced 673// when not explicitly used in an "lvalue" context (as far as the analyzer is 674// concerned). This previously triggered a crash due to an invalid assertion. 675void pr_4988(void) { 676 pr_4988; // expected-warning{{expression result unused}} 677} 678 679// <rdar://problem/7152418> - A 'signed char' is used as a flag, which is 680// implicitly converted to an int. 681void *rdar7152418_bar(); 682@interface RDar7152418 { 683 signed char x; 684} 685-(char)foo; 686@end; 687@implementation RDar7152418 688-(char)foo { 689 char *p = 0; 690 void *result = 0; 691 if (x) { 692 result = rdar7152418_bar(); 693 p = "hello"; 694 } 695 if (!result) { 696 result = rdar7152418_bar(); 697 if (result && x) 698 return *p; // no-warning 699 } 700 return 1; 701} 702 703//===----------------------------------------------------------------------===// 704// Test constant-folding of symbolic values, automatically handling type 705// conversions of the symbol as necessary. 706//===----------------------------------------------------------------------===// 707 708// Previously this would crash once we started eagerly evaluating symbols whose 709// values were constrained to a single value. 710void test_symbol_fold_1(signed char x) { 711 while (1) { 712 if (x == ((signed char) 0)) {} 713 } 714} 715 716// This previously caused a crash because it triggered an assertion in APSInt. 717void test_symbol_fold_2(unsigned int * p, unsigned int n, 718 const unsigned int * grumpkin, unsigned int dn) { 719 unsigned int i; 720 unsigned int tempsub[8]; 721 unsigned int *solgrumpkin = tempsub + n; 722 for (i = 0; i < n; i++) 723 solgrumpkin[i] = (i < dn) ? ~grumpkin[i] : 0xFFFFFFFF; 724 for (i <<= 5; i < (n << 5); i++) {} 725} 726 727// This previously caused a crash because it triggered an assertion in APSInt. 728// 'x' would evaluate to a 8-bit constant (because of the return value of 729// test_symbol_fold_3_aux()) which would not get properly promoted to an 730// integer. 731char test_symbol_fold_3_aux(void); 732unsigned test_symbol_fold_3(void) { 733 unsigned x = test_symbol_fold_3_aux(); 734 if (x == 54) 735 return (x << 8) | 0x5; 736 return 0; 737} 738 739//===----------------------------------------------------------------------===// 740// Tests for the warning of casting a non-struct type to a struct type 741//===----------------------------------------------------------------------===// 742 743typedef struct {unsigned int v;} NSSwappedFloat; 744 745NSSwappedFloat test_cast_nonstruct_to_struct(float x) { 746 struct hodor { 747 float number; 748 NSSwappedFloat sf; 749 }; 750 return ((struct hodor *)&x)->sf; // expected-warning{{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption}} 751} 752 753NSSwappedFloat test_cast_nonstruct_to_union(float x) { 754 union bran { 755 float number; 756 NSSwappedFloat sf; 757 }; 758 return ((union bran *)&x)->sf; // no-warning 759} 760 761void test_undefined_array_subscript() { 762 int i, a[10]; 763 int *p = &a[i]; // expected-warning{{Array subscript is undefined}} 764} 765@end 766 767//===----------------------------------------------------------------------===// 768// Test using an uninitialized value as a branch condition. 769//===----------------------------------------------------------------------===// 770 771int test_uninit_branch(void) { 772 int x; 773 if (x) // expected-warning{{Branch condition evaluates to a garbage value}} 774 return 1; 775 return 0; 776} 777 778int test_uninit_branch_b(void) { 779 int x; 780 return x ? 1 : 0; // expected-warning{{Branch condition evaluates to a garbage value}} 781} 782 783int test_uninit_branch_c(void) { 784 int x; 785 if ((short)x) // expected-warning{{Branch condition evaluates to a garbage value}} 786 return 1; 787 return 0; 788} 789 790//===----------------------------------------------------------------------===// 791// Test passing an undefined value in a message or function call. 792//===----------------------------------------------------------------------===// 793 794void test_bad_call_aux(int x); 795void test_bad_call(void) { 796 int y; 797 test_bad_call_aux(y); // expected-warning{{Function call argument is an uninitialized value}} 798} 799 800@interface TestBadArg {} 801- (void) testBadArg:(int) x; 802@end 803 804void test_bad_msg(TestBadArg *p) { 805 int y; 806 [p testBadArg:y]; // expected-warning{{Argument in message expression is an uninitialized value}} 807} 808 809//===----------------------------------------------------------------------===// 810// PR 6033 - Test emitting the correct output in a warning where we use '%' 811// with operands that are undefined. 812//===----------------------------------------------------------------------===// 813 814int pr6033(int x) { 815 int y; 816 return x % y; // expected-warning{{The right operand of '%' is a garbage value}} 817} 818 819struct trie { 820 struct trie* next; 821}; 822 823struct kwset { 824 struct trie *trie; 825 unsigned char y[10]; 826 struct trie* next[10]; 827 int d; 828}; 829 830typedef struct trie trie_t; 831typedef struct kwset kwset_t; 832 833void f(kwset_t *kws, char const *p, char const *q) { 834 struct trie const *trie; 835 struct trie * const *next = kws->next; 836 register unsigned char c; 837 register char const *end = p; 838 register char const *lim = q; 839 register int d = 1; 840 register unsigned char const *y = kws->y; 841 842 d = y[c = (end+=d)[-1]]; // no-warning 843 trie = next[c]; 844} 845 846//===----------------------------------------------------------------------===// 847// <rdar://problem/7593875> When handling sizeof(VLA) it leads to a hole in 848// the ExplodedGraph (causing a false positive) 849//===----------------------------------------------------------------------===// 850 851int rdar_7593875_aux(int x); 852int rdar_7593875(int n) { 853 int z[n > 10 ? 10 : n]; // VLA. 854 int v; 855 v = rdar_7593875_aux(sizeof(z)); 856 // Previously we got a false positive about 'v' being uninitialized. 857 return v; // no-warning 858} 859 860//===----------------------------------------------------------------------===// 861// Handle casts from symbolic regions (packaged as integers) to doubles. 862// Previously this caused an assertion failure. 863//===----------------------------------------------------------------------===// 864 865void *foo_rev95119(); 866void baz_rev95119(double x); 867void bar_rev95119() { 868 // foo_rev95119() returns a symbolic pointer. It is then 869 // cast to an int which is then cast to a double. 870 int value = (int) foo_rev95119(); 871 baz_rev95119((double)value); 872} 873 874//===----------------------------------------------------------------------===// 875// Handle loading a symbolic pointer from a symbolic region that was 876// invalidated by a call to an unknown function. 877//===----------------------------------------------------------------------===// 878 879void bar_rev95192(int **x); 880void foo_rev95192(int **x) { 881 *x = 0; 882 bar_rev95192(x); 883 // Not a null dereference. 884 **x = 1; // no-warning 885} 886 887//===----------------------------------------------------------------------===// 888// Handle casts of a function to a function pointer with a different return 889// value. We don't yet emit an error for such cases, but we now we at least 890// don't crash when the return value gets interpreted in a way that 891// violates our invariants. 892//===----------------------------------------------------------------------===// 893 894void *foo_rev95267(); 895int bar_rev95267() { 896 char (*Callback_rev95267)(void) = (char (*)(void)) foo_rev95267; 897 if ((*Callback_rev95267)() == (char) 0) 898 return 1; 899 return 0; 900} 901 902// Same as previous case, but handle casts to 'void'. 903int bar_rev95274() { 904 void (*Callback_rev95274)(void) = (void (*)(void)) foo_rev95267; 905 (*Callback_rev95274)(); 906 return 0; 907} 908 909void rdar7582031_test_static_init_zero() { 910 static unsigned x; 911 if (x == 0) 912 return; 913 int *p = 0; 914 *p = 0xDEADBEEF; 915} 916void rdar7582031_test_static_init_zero_b() { 917 static void* x; 918 if (x == 0) 919 return; 920 int *p = 0; 921 *p = 0xDEADBEEF; 922} 923 924//===----------------------------------------------------------------------===// 925// Test handling of parameters that are structs that contain floats and // 926// nested fields. // 927//===----------------------------------------------------------------------===// 928 929struct s_rev95547_nested { float x, y; }; 930struct s_rev95547 { 931 struct s_rev95547_nested z1; 932 struct s_rev95547_nested z2; 933}; 934float foo_rev95547(struct s_rev95547 w) { 935 return w.z1.x + 20.0; // no-warning 936} 937void foo_rev95547_b(struct s_rev95547 w) { 938 struct s_rev95547 w2 = w; 939 w2.z1.x += 20.0; // no-warning 940} 941 942//===----------------------------------------------------------------------===// 943// Test handling statement expressions that don't populate a CFG block that 944// is used to represent the computation of the RHS of a logical operator. 945// This previously triggered a crash. 946//===----------------------------------------------------------------------===// 947 948void pr6938() { 949 if (1 && ({ 950 while (0); 951 0; 952 }) == 0) { 953 } 954} 955 956void pr6938_b() { 957 if (1 && *({ // expected-warning{{Dereference of null pointer}} 958 while (0) {} 959 ({ 960 (int *) 0; 961 }); 962 }) == 0) { 963 } 964} 965 966//===----------------------------------------------------------------------===// 967// <rdar://problem/7979430> - The CFG for code containing an empty 968// @synchronized block was previously broken (and would crash the analyzer). 969//===----------------------------------------------------------------------===// 970 971void r7979430(id x) { 972 @synchronized(x) {} 973} 974 975//===----------------------------------------------------------------------=== 976// PR 7361 - Test that functions wrapped in macro instantiations are analyzed. 977//===----------------------------------------------------------------------=== 978#define MAKE_TEST_FN() \ 979 void test_pr7361 (char a) {\ 980 char* b = 0x0; *b = a;\ 981 } 982 983MAKE_TEST_FN() // expected-warning{{null pointer}} 984 985//===----------------------------------------------------------------------=== 986// PR 7491 - Test that symbolic expressions can be used as conditions. 987//===----------------------------------------------------------------------=== 988 989void pr7491 () { 990 extern int getint(); 991 int a = getint()-1; 992 if (a) { 993 return; 994 } 995 if (!a) { 996 return; 997 } else { 998 // Should be unreachable 999 (void)*(char*)0; // no-warning 1000 } 1001} 1002 1003//===----------------------------------------------------------------------=== 1004// PR 7475 - Test that assumptions about global variables are reset after 1005// calling a global function. 1006//===----------------------------------------------------------------------=== 1007 1008int *pr7475_someGlobal; 1009void pr7475_setUpGlobal(); 1010 1011void pr7475() { 1012 if (pr7475_someGlobal == 0) 1013 pr7475_setUpGlobal(); 1014 *pr7475_someGlobal = 0; // no-warning 1015} 1016 1017void pr7475_warn() { 1018 static int *someStatic = 0; 1019 if (someStatic == 0) 1020 pr7475_setUpGlobal(); 1021 *someStatic = 0; // expected-warning{{null pointer}} 1022} 1023 1024// <rdar://problem/8202272> - __imag passed non-complex should not crash 1025float f0(_Complex float x) { 1026 float l0 = __real x; 1027 return __real l0 + __imag l0; 1028} 1029 1030 1031//===----------------------------------------------------------------------=== 1032// Test that we can reduce symbols to constants whether they are on the left 1033// or right side of an expression. 1034//===----------------------------------------------------------------------=== 1035 1036void reduce_to_constant(int x, int y) { 1037 if (x != 20) 1038 return; 1039 1040 int a = x + y; 1041 int b = y + x; 1042 1043 if (y == -20 && a != 0) 1044 (void)*(char*)0; // no-warning 1045 if (y == -20 && b != 0) 1046 (void)*(char*)0; // no-warning 1047} 1048 1049// <rdar://problem/8360854> - Test that code after a switch statement with no 1050// 'case:' labels is correctly evaluated. 1051void r8360854(int n) { 1052 switch (n) { 1053 default: ; 1054 } 1055 int *p = 0; 1056 *p = 0xDEADBEEF; // expected-warning{{null pointer}} 1057} 1058 1059// PR 8050 - crash in CastSizeChecker when pointee is an incomplete type 1060typedef long unsigned int __darwin_size_t; 1061typedef __darwin_size_t size_t; 1062void *malloc(size_t); 1063 1064struct PR8050; 1065 1066void pr8050(struct PR8050 **arg) 1067{ 1068 *arg = malloc(1); 1069} 1070 1071// <rdar://problem/5880430> Switch on enum should not consider default case live 1072// if all enum values are covered 1073enum Cases { C1, C2, C3, C4 }; 1074void test_enum_cases(enum Cases C) { 1075 switch (C) { 1076 case C1: 1077 case C2: 1078 case C4: 1079 case C3: 1080 return; 1081 } 1082 int *p = 0; 1083 *p = 0xDEADBEEF; // no-warning 1084} 1085 1086void test_enum_cases_positive(enum Cases C) { 1087 switch (C) { // expected-warning{{enumeration value 'C4' not handled in switch}} 1088 case C1: 1089 case C2: 1090 case C3: 1091 return; 1092 } 1093 int *p = 0; 1094 *p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}} 1095} 1096 1097// <rdar://problem/6351970> rule request: warn if synchronization mutex can be nil 1098void rdar6351970() { 1099 id x = 0; 1100 @synchronized(x) {} // expected-warning{{Nil value used as mutex for @synchronized() (no synchronization will occur)}} 1101} 1102 1103void rdar6351970_b(id x) { 1104 if (!x) 1105 @synchronized(x) {} // expected-warning{{Nil value used as mutex for @synchronized() (no synchronization will occur)}} 1106} 1107 1108void rdar6351970_c() { 1109 id x; 1110 @synchronized(x) {} // expected-warning{{Uninitialized value used as mutex for @synchronized}} 1111} 1112 1113@interface Rdar8578650 1114- (id) foo8578650; 1115@end 1116 1117void rdar8578650(id x) { 1118 @synchronized (x) { 1119 [x foo8578650]; 1120 } 1121 // At this point we should assume that 'x' is not nil, not 1122 // the inverse. 1123 @synchronized (x) { // no-warning 1124 } 1125} 1126 1127// <rdar://problem/6352035> rule request: direct structure member access null pointer dereference 1128@interface RDar6352035 { 1129 int c; 1130} 1131- (void)foo; 1132- (void)bar; 1133@end 1134 1135@implementation RDar6352035 1136- (void)foo { 1137 RDar6352035 *friend = 0; 1138 friend->c = 7; // expected-warning{{Instance variable access (via 'friend') results in a null pointer dereference}} 1139} 1140- (void)bar { 1141 self = 0; 1142 c = 7; // expected-warning{{Instance variable access (via 'self') results in a null pointer dereference}} 1143} 1144@end 1145 1146// PR 8149 - GNU statement expression in condition of ForStmt. 1147// This previously triggered an assertion failure in CFGBuilder. 1148void pr8149(void) { 1149 for (; ({ do { } while (0); 0; });) { } 1150} 1151 1152// PR 8458 - Make sure @synchronized doesn't crash with properties. 1153@interface PR8458 {} 1154@property(readonly) id lock; 1155@end 1156 1157static 1158void __PR8458(PR8458 *x) { 1159 @synchronized(x.lock) {} // no-warning 1160} 1161 1162// PR 8440 - False null dereference during store to array-in-field-in-global. 1163// This test case previously resulted in a bogus null deref warning from 1164// incorrect lazy symbolication logic in RegionStore. 1165static struct { 1166 int num; 1167 char **data; 1168} saved_pr8440; 1169 1170char *foo_pr8440(); 1171char **bar_pr8440(); 1172void baz_pr8440(int n) 1173{ 1174 saved_pr8440.num = n; 1175 if (saved_pr8440.data) 1176 return; 1177 saved_pr8440.data = bar_pr8440(); 1178 for (int i = 0 ; i < n ; i ++) 1179 saved_pr8440.data[i] = foo_pr8440(); // no-warning 1180} 1181 1182// Support direct accesses to non-null memory. Reported in: 1183// PR 5272 1184// <rdar://problem/6839683> 1185int test_direct_address_load() { 1186 int *p = (int*) 0x4000; 1187 return *p; // no-warning 1188} 1189 1190void pr5272_test() { 1191 struct pr5272 { int var2; }; 1192 (*(struct pr5272*)0xBC000000).var2 = 0; // no-warning 1193 (*(struct pr5272*)0xBC000000).var2 += 2; // no-warning 1194} 1195 1196// Support casting the return value of function to another different type 1197// This previously caused a crash, although we likely need more precise 1198// reasoning here. <rdar://problem/8663544> 1199void* rdar8663544(); 1200typedef struct {} Val8663544; 1201Val8663544 bazR8663544() { 1202 Val8663544(*func) () = (Val8663544(*) ()) rdar8663544; 1203 return func(); 1204} 1205 1206// PR 8619 - Handle ternary expressions with a call to a noreturn function. 1207// This previously resulted in a crash. 1208void pr8619_noreturn(int x) __attribute__((noreturn)); 1209 1210void pr8619(int a, int b, int c) { 1211 a ?: pr8619_noreturn(b || c); 1212} 1213 1214 1215// PR 8646 - crash in the analyzer when handling unions. 1216union pr8648_union { 1217 signed long long pr8648_union_field; 1218}; 1219void pr8648() { 1220 long long y; 1221 union pr8648_union x = { .pr8648_union_field = 0LL }; 1222 y = x.pr8648_union_field; 1223 1224 union pr8648_union z; 1225 z = (union pr8648_union) { .pr8648_union_field = 0LL }; 1226 1227 union pr8648_union w; 1228 w = ({ (union pr8648_union) { .pr8648_union_field = 0LL }; }); 1229 1230 // crash, no assignment 1231 (void) ({ (union pr8648_union) { .pr8648_union_field = 0LL }; }).pr8648_union_field; 1232 1233 // crash with assignment 1234 y = ({ (union pr8648_union) { .pr8648_union_field = 0LL }; }).pr8648_union_field; 1235} 1236 1237// PR 9269 - don't assert when building the following CFG. The for statement 1238// contains a condition with multiple basic blocks, and the value of the 1239// statement expression is then indexed as part of a bigger condition expression. 1240// This example exposed a bug in child traversal in the CFGBuilder. 1241void pr9269() { 1242 struct s { char *bar[10]; } baz[2] = { 0 }; 1243 unsigned i = 0; 1244 for (i = 0; 1245 (* ({ while(0); ({ &baz[0]; }); })).bar[0] != 0; 1246 ++i) {} 1247} 1248 1249