misc-ps.m revision 81861abe9cd1669ca46e13866f77f7ece8c4c85f
1// NOTE: Use '-fobjc-gc' to test the analysis being run twice, and multiple reports are not issued. 2// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-experimental-internal-checks -analyzer-check-objc-mem -analyzer-store=basic -fobjc-gc -analyzer-constraints=basic -verify -fblocks -Wno-unreachable-code %s 3// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-experimental-internal-checks -analyzer-check-objc-mem -analyzer-store=basic -analyzer-constraints=range -verify -fblocks -Wno-unreachable-code %s 4// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-experimental-internal-checks -analyzer-check-objc-mem -analyzer-store=region -analyzer-constraints=basic -verify -fblocks -Wno-unreachable-code %s 5// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-experimental-internal-checks -analyzer-check-objc-mem -analyzer-store=region -analyzer-constraints=range -verify -fblocks -Wno-unreachable-code %s 6// RUN: %clang_cc1 -triple x86_64-apple-darwin10 -analyze -analyzer-experimental-internal-checks -analyzer-check-objc-mem -analyzer-store=basic -fobjc-gc -analyzer-constraints=basic -verify -fblocks -Wno-unreachable-code %s 7// RUN: %clang_cc1 -triple x86_64-apple-darwin10 -analyze -analyzer-experimental-internal-checks -analyzer-check-objc-mem -analyzer-store=basic -analyzer-constraints=range -verify -fblocks -Wno-unreachable-code %s 8// RUN: %clang_cc1 -triple x86_64-apple-darwin10 -analyze -analyzer-experimental-internal-checks -analyzer-check-objc-mem -analyzer-store=region -analyzer-constraints=basic -verify -fblocks -Wno-unreachable-code %s 9// RUN: %clang_cc1 -triple x86_64-apple-darwin10 -analyze -analyzer-experimental-internal-checks -analyzer-check-objc-mem -analyzer-store=region -analyzer-constraints=range -verify -fblocks -Wno-unreachable-code %s 10 11typedef struct objc_ivar *Ivar; 12typedef struct objc_selector *SEL; 13typedef signed char BOOL; 14typedef int NSInteger; 15typedef unsigned int NSUInteger; 16typedef struct _NSZone NSZone; 17@class NSInvocation, NSArray, NSMethodSignature, NSCoder, NSString, NSEnumerator; 18@protocol NSObject 19- (BOOL)isEqual:(id)object; 20- (id)autorelease; 21@end 22@protocol NSCopying 23- (id)copyWithZone:(NSZone *)zone; 24@end 25@protocol NSMutableCopying - (id)mutableCopyWithZone:(NSZone *)zone; @end 26@protocol NSCoding 27- (void)encodeWithCoder:(NSCoder *)aCoder; 28@end 29@interface NSObject <NSObject> {} 30- (id)init; 31+ (id)allocWithZone:(NSZone *)zone; 32@end 33extern id NSAllocateObject(Class aClass, NSUInteger extraBytes, NSZone *zone); 34@interface NSString : NSObject <NSCopying, NSMutableCopying, NSCoding> 35- (NSUInteger)length; 36+ (id)stringWithUTF8String:(const char *)nullTerminatedCString; 37@end extern NSString * const NSBundleDidLoadNotification; 38@interface NSValue : NSObject <NSCopying, NSCoding> 39- (void)getValue:(void *)value; 40@end 41@interface NSNumber : NSValue 42- (char)charValue; 43- (id)initWithBool:(BOOL)value; 44@end 45@interface NSAssertionHandler : NSObject {} 46+ (NSAssertionHandler *)currentHandler; 47- (void)handleFailureInMethod:(SEL)selector object:(id)object file:(NSString *)fileName lineNumber:(NSInteger)line description:(NSString *)format,...; 48@end 49extern NSString * const NSConnectionReplyMode; 50typedef float CGFloat; 51typedef struct _NSPoint { 52 CGFloat x; 53 CGFloat y; 54} NSPoint; 55typedef struct _NSSize { 56 CGFloat width; 57 CGFloat height; 58} NSSize; 59typedef struct _NSRect { 60 NSPoint origin; 61 NSSize size; 62} NSRect; 63 64// Reduced test case from crash in <rdar://problem/6253157> 65@interface A @end 66@implementation A 67- (void)foo:(void (^)(NSObject *x))block { 68 if (!((block != ((void *)0)))) {} 69} 70@end 71 72// Reduced test case from crash in PR 2796; 73// http://llvm.org/bugs/show_bug.cgi?id=2796 74 75unsigned foo(unsigned x) { return __alignof__((x)) + sizeof(x); } 76 77// Improvement to path-sensitivity involving compound assignments. 78// Addresses false positive in <rdar://problem/6268365> 79// 80 81unsigned r6268365Aux(); 82 83void r6268365() { 84 unsigned x = 0; 85 x &= r6268365Aux(); 86 unsigned j = 0; 87 88 if (x == 0) ++j; 89 if (x == 0) x = x / j; // no-warning 90} 91 92void divzeroassume(unsigned x, unsigned j) { 93 x /= j; 94 if (j == 0) x /= 0; // no static-analyzer warning expected-warning {{division by zero is undefined}} 95 if (j == 0) x /= j; // no static-analyzer warning 96 if (j == 0) x = x / 0; // no static-analyzer warning expected-warning {{division by zero is undefined}} 97} 98 99void divzeroassumeB(unsigned x, unsigned j) { 100 x = x / j; 101 if (j == 0) x /= 0; // no static-analyzer warning expected-warning {{division by zero is undefined}} 102 if (j == 0) x /= j; // no static-analyzer warning 103 if (j == 0) x = x / 0; // no static-analyzer warning expected-warning {{division by zero is undefined}} 104} 105 106// InitListExpr processing 107 108typedef float __m128 __attribute__((__vector_size__(16), __may_alias__)); 109__m128 return128() { 110 // This compound literal has a Vector type. We currently just 111 // return UnknownVal. 112 return __extension__(__m128) { 0.0f, 0.0f, 0.0f, 0.0f }; 113} 114 115typedef long long __v2di __attribute__ ((__vector_size__ (16))); 116typedef long long __m128i __attribute__ ((__vector_size__ (16), __may_alias__)); 117__m128i vec128i(long long __q1, long long __q0) { 118 // This compound literal returns true for both isVectorType() and 119 // isIntegerType(). 120 return __extension__ (__m128i)(__v2di){ __q0, __q1 }; 121} 122 123// Zero-sized VLAs. 124void check_zero_sized_VLA(int x) { 125 if (x) 126 return; 127 128 int vla[x]; // expected-warning{{Declared variable-length array (VLA) has zero size}} 129} 130 131void check_uninit_sized_VLA() { 132 int x; 133 int vla[x]; // expected-warning{{Declared variable-length array (VLA) uses a garbage value as its size}} 134} 135 136// sizeof(void) 137// - Tests a regression reported in PR 3211: http://llvm.org/bugs/show_bug.cgi?id=3211 138void handle_sizeof_void(unsigned flag) { 139 int* p = 0; 140 141 if (flag) { 142 if (sizeof(void) == 1) 143 return; 144 // Infeasible. 145 *p = 1; // no-warning 146 } 147 148 void* q; 149 150 if (!flag) { 151 if (sizeof(*q) == 1) 152 return; 153 // Infeasibe. 154 *p = 1; // no-warning 155 } 156 157 // Infeasible. 158 *p = 1; // no-warning 159} 160 161// check deference of undefined values 162void check_deref_undef(void) { 163 int *p; 164 *p = 0xDEADBEEF; // expected-warning{{Dereference of undefined pointer value}} 165} 166 167// PR 3422 168void pr3422_helper(char *p); 169void pr3422() { 170 char buf[100]; 171 char *q = &buf[10]; 172 pr3422_helper(&q[1]); 173} 174 175// PR 3543 (handle empty statement expressions) 176void pr_3543(void) { 177 ({}); 178} 179 180// <rdar://problem/6611677> 181// This test case test the use of a vector type within an array subscript 182// expression. 183typedef long long __a64vector __attribute__((__vector_size__(8))); 184typedef long long __a128vector __attribute__((__vector_size__(16))); 185static inline __a64vector __attribute__((__always_inline__, __nodebug__)) 186my_test_mm_movepi64_pi64(__a128vector a) { 187 return (__a64vector)a[0]; 188} 189 190// Test basic tracking of ivars associated with 'self'. 191@interface SelfIvarTest : NSObject { 192 int flag; 193} 194- (void)test_self_tracking; 195@end 196 197@implementation SelfIvarTest 198- (void)test_self_tracking { 199 char *p = 0; 200 char c; 201 202 if (flag) 203 p = "hello"; 204 205 if (flag) 206 c = *p; // no-warning 207} 208@end 209 210// PR 3770 211char pr3770(int x) { 212 int y = x & 0x2; 213 char *p = 0; 214 if (y == 1) 215 p = "hello"; 216 217 if (y == 1) 218 return p[0]; // no-warning 219 220 return 'a'; 221} 222 223// PR 3772 224// - We just want to test that this doesn't crash the analyzer. 225typedef struct st ST; 226struct st { char *name; }; 227extern ST *Cur_Pu; 228 229void pr3772(void) 230{ 231 static ST *last_Cur_Pu; 232 if (last_Cur_Pu == Cur_Pu) { 233 return; 234 } 235} 236 237// PR 3780 - This tests that StmtIterator isn't broken for VLAs in DeclGroups. 238void pr3780(int sz) { typedef double MAT[sz][sz]; } 239 240// <rdar://problem/6695527> - Test that we don't symbolicate doubles before 241// we are ready to do something with them. 242int rdar6695527(double x) { 243 if (!x) { return 0; } 244 return 1; 245} 246 247// <rdar://problem/6708148> - Test that we properly invalidate structs 248// passed-by-reference to a function. 249void pr6708148_invalidate(NSRect *x); 250void pr6708148_use(NSRect x); 251void pr6708148_test(void) { 252 NSRect x; 253 pr6708148_invalidate(&x); 254 pr6708148_use(x); // no-warning 255} 256 257// Handle both kinds of noreturn attributes for pruning paths. 258void rdar_6777003_noret() __attribute__((noreturn)); 259void rdar_6777003_analyzer_noret() __attribute__((analyzer_noreturn)); 260 261void rdar_6777003(int x) { 262 int *p = 0; 263 264 if (x == 1) { 265 rdar_6777003_noret(); 266 *p = 1; // no-warning; 267 } 268 269 if (x == 2) { 270 rdar_6777003_analyzer_noret(); 271 *p = 1; // no-warning; 272 } 273 274 *p = 1; // expected-warning{{Dereference of null pointer}} 275} 276 277// For pointer arithmetic, --/++ should be treated as preserving non-nullness, 278// regardless of how well the underlying StoreManager reasons about pointer 279// arithmetic. 280// <rdar://problem/6777209> 281void rdar_6777209(char *p) { 282 if (p == 0) 283 return; 284 285 ++p; 286 287 // This branch should always be infeasible. 288 if (p == 0) 289 *p = 'c'; // no-warning 290} 291 292// PR 4033. A symbolic 'void *' pointer can be used as the address for a 293// computed goto. 294typedef void *Opcode; 295Opcode pr_4033_getOpcode(); 296void pr_4033(void) { 297next_opcode: 298 { 299 Opcode op = pr_4033_getOpcode(); 300 if (op) goto *op; 301 } 302} 303 304// Test invalidating pointers-to-pointers with slightly different types. This 305// example came from a recent false positive due to a regression where the 306// branch condition was falsely reported as being uninitialized. 307void invalidate_by_ref(char **x); 308int test_invalidate_by_ref() { 309 unsigned short y; 310 invalidate_by_ref((char**) &y); 311 if (y) // no-warning 312 return 1; 313 return 0; 314} 315 316// Test for <rdar://problem/7027684>. This just tests that the CFG is 317// constructed correctly. Previously, the successor block of the entrance 318// was the block containing the merge for '?', which would trigger an 319// assertion failure. 320int rdar_7027684_aux(); 321int rdar_7027684_aux_2() __attribute__((noreturn)); 322void rdar_7027684(int x, int y) { 323 {}; // this empty compound statement is critical. 324 (rdar_7027684_aux() ? rdar_7027684_aux_2() : (void) 0); 325} 326 327// Test that we handle casts of string literals to arbitrary types. 328unsigned const char *string_literal_test1() { 329 return (const unsigned char*) "hello"; 330} 331 332const float *string_literal_test2() { 333 return (const float*) "hello"; 334} 335 336// Test that we handle casts *from* incomplete struct types. 337extern const struct _FooAssertStruct _cmd; 338void test_cast_from_incomplete_struct_aux(volatile const void *x); 339void test_cast_from_incomplete_struct() { 340 test_cast_from_incomplete_struct_aux(&_cmd); 341} 342 343// Test for <rdar://problem/7034511> 344// "ValueManager::makeIntVal(uint64_t X, QualType T) should return a 'Loc' 345// when 'T' is a pointer" 346// 347// Previously this case would crash. 348void test_rdar_7034511(NSArray *y) { 349 NSObject *x; 350 for (x in y) {} 351 if (x == ((void*) 0)) {} 352} 353 354// Handle casts of function pointers (CodeTextRegions) to arbitrary pointer 355// types. This was previously causing a crash in CastRegion. 356void handle_funcptr_voidptr_casts() { 357 void **ptr; 358 typedef void *PVOID; 359 typedef void *PCHAR; 360 typedef long INT_PTR, *PINT_PTR; 361 typedef INT_PTR (*FARPROC)(); 362 FARPROC handle_funcptr_voidptr_casts_aux(); 363 PVOID handle_funcptr_voidptr_casts_aux_2(PVOID volatile *x); 364 PVOID handle_funcptr_voidptr_casts_aux_3(PCHAR volatile *x); 365 366 ptr = (void**) handle_funcptr_voidptr_casts_aux(); 367 handle_funcptr_voidptr_casts_aux_2(ptr); 368 handle_funcptr_voidptr_casts_aux_3(ptr); 369} 370 371// RegionStore::Retrieve previously crashed on this example. This example 372// was previously in the test file 'xfail_regionstore_wine_crash.c'. 373void testA() { 374 long x = 0; 375 char *y = (char *) &x; 376 if (!*y) 377 return; 378} 379 380// RegionStoreManager previously crashed on this example. The problem is that 381// the value bound to the field of b->grue after the call to testB_aux is 382// a symbolic region. The second '*__gruep__' involves performing a load 383// from a 'int*' that really is a 'void**'. The loaded location must be 384// implicitly converted to an integer that wraps a location. Previosly we would 385// get a crash here due to an assertion failure. 386typedef struct _BStruct { void *grue; } BStruct; 387void testB_aux(void *ptr); 388void testB(BStruct *b) { 389 { 390 int *__gruep__ = ((int *)&((b)->grue)); 391 int __gruev__ = *__gruep__; 392 testB_aux(__gruep__); 393 } 394 { 395 int *__gruep__ = ((int *)&((b)->grue)); 396 int __gruev__ = *__gruep__; 397 if (~0 != __gruev__) {} 398 } 399} 400 401void test_trivial_symbolic_comparison(int *x) { 402 int test_trivial_symbolic_comparison_aux(); 403 int a = test_trivial_symbolic_comparison_aux(); 404 int b = a; 405 if (a != b) { 406 int *p = 0; 407 *p = 0xDEADBEEF; // no-warning 408 } 409 410 a = a == 1; 411 b = b == 1; 412 if (a != b) { 413 int *p = 0; 414 *p = 0xDEADBEEF; // no-warning 415 } 416} 417 418// Test for: 419// <rdar://problem/7062158> false positive null dereference due to 420// BasicStoreManager not tracking *static* globals 421// 422// This just tests the proper tracking of symbolic values for globals (both 423// static and non-static). 424// 425static int* x_rdar_7062158; 426void rdar_7062158() { 427 int *current = x_rdar_7062158; 428 if (current == x_rdar_7062158) 429 return; 430 431 int *p = 0; 432 *p = 0xDEADBEEF; // no-warning 433} 434 435int* x_rdar_7062158_2; 436void rdar_7062158_2() { 437 int *current = x_rdar_7062158_2; 438 if (current == x_rdar_7062158_2) 439 return; 440 441 int *p = 0; 442 *p = 0xDEADBEEF; // no-warning 443} 444 445// This test reproduces a case for a crash when analyzing ClamAV using 446// RegionStoreManager (the crash doesn't exhibit in BasicStoreManager because 447// it isn't doing anything smart about arrays). The problem is that on the 448// second line, 'p = &p[i]', p is assigned an ElementRegion whose index 449// is a 16-bit integer. On the third line, a new ElementRegion is created 450// based on the previous region, but there the region uses a 32-bit integer, 451// resulting in a clash of values (an assertion failure at best). We resolve 452// this problem by implicitly converting index values to 'int' when the 453// ElementRegion is created. 454unsigned char test_array_index_bitwidth(const unsigned char *p) { 455 unsigned short i = 0; 456 for (i = 0; i < 2; i++) p = &p[i]; 457 return p[i+1]; 458} 459 460// This case tests that CastRegion handles casts involving BlockPointerTypes. 461// It should not crash. 462void test_block_cast() { 463 id test_block_cast_aux(); 464 (void (^)(void *))test_block_cast_aux(); // expected-warning{{expression result unused}} 465} 466 467int OSAtomicCompareAndSwap32Barrier(); 468 469// Test comparison of 'id' instance variable to a null void* constant after 470// performing an OSAtomicCompareAndSwap32Barrier. 471// This previously was a crash in RegionStoreManager. 472@interface TestIdNull { 473 id x; 474} 475-(int)foo; 476@end 477@implementation TestIdNull 478-(int)foo { 479 OSAtomicCompareAndSwap32Barrier(0, (signed)2, (signed*)&x); 480 if (x == (void*) 0) { return 0; } 481 return 1; 482} 483@end 484 485// PR 4594 - This was a crash when handling casts in SimpleSValuator. 486void PR4594() { 487 char *buf[1]; 488 char **foo = buf; 489 *foo = "test"; 490} 491 492// Test invalidation logic where an integer is casted to an array with a 493// different sign and then invalidated. 494void test_invalidate_cast_int() { 495 void test_invalidate_cast_int_aux(unsigned *i); 496 signed i; 497 test_invalidate_cast_int_aux((unsigned*) &i); 498 if (i < 0) 499 return; 500} 501 502int ivar_getOffset(); 503 504// Reduced from a crash involving the cast of an Objective-C symbolic region to 505// 'char *' 506static NSNumber *test_ivar_offset(id self, SEL _cmd, Ivar inIvar) { 507 return [[[NSNumber allocWithZone:((void*)0)] initWithBool:*(_Bool *)((char *)self + ivar_getOffset(inIvar))] autorelease]; 508} 509 510// Reduced from a crash in StoreManager::CastRegion involving a divide-by-zero. 511// This resulted from not properly handling region casts to 'const void*'. 512void test_cast_const_voidptr() { 513 char x[10]; 514 char *p = &x[1]; 515 const void* q = p; 516} 517 518// Reduced from a crash when analyzing Wine. This test handles loads from 519// function addresses. 520typedef long (*FARPROC)(); 521FARPROC test_load_func(FARPROC origfun) { 522 if (!*(unsigned char*) origfun) 523 return origfun; 524 return 0; 525} 526 527// Test passing-by-value an initialized struct variable. 528struct test_pass_val { 529 int x; 530 int y; 531}; 532void test_pass_val_aux(struct test_pass_val s); 533void test_pass_val() { 534 struct test_pass_val s; 535 s.x = 1; 536 s.y = 2; 537 test_pass_val_aux(s); 538} 539 540// This is a reduced test case of a false positive that previously appeared 541// in RegionStoreManager. Previously the array access resulted in dereferencing 542// an undefined value. 543int test_array_compound(int *q, int *r, int *z) { 544 int *array[] = { q, r, z }; 545 int j = 0; 546 for (unsigned i = 0; i < 3 ; ++i) 547 if (*array[i]) ++j; // no-warning 548 return j; 549} 550 551// This test case previously crashed with -analyzer-store=basic because the 552// symbolic value stored in 'x' wouldn't be implicitly casted to a signed value 553// during the comparison. 554int rdar_7124210(unsigned int x) { 555 enum { SOME_CONSTANT = 123 }; 556 int compare = ((signed) SOME_CONSTANT) == *((signed *) &x); 557 return compare ? 0 : 1; // Forces the evaluation of the symbolic constraint. 558} 559 560void pr4781(unsigned long *raw1) { 561 unsigned long *cook, *raw0; 562 unsigned long dough[32]; 563 int i; 564 cook = dough; 565 for( i = 0; i < 16; i++, raw1++ ) { 566 raw0 = raw1++; 567 *cook = (*raw0 & 0x00fc0000L) << 6; 568 *cook |= (*raw0 & 0x00000fc0L) << 10; 569 } 570} 571 572// <rdar://problem/7185647> - 'self' should be treated as being non-null 573// upon entry to an objective-c method. 574@interface RDar7185647 575- (id)foo; 576@end 577@implementation RDar7185647 578- (id) foo { 579 if (self) 580 return self; 581 *((int *) 0x0) = 0xDEADBEEF; // no-warning 582 return self; 583} 584@end 585 586// Test reasoning of __builtin_offsetof; 587struct test_offsetof_A { 588 int x; 589 int y; 590}; 591struct test_offsetof_B { 592 int w; 593 int z; 594}; 595void test_offsetof_1() { 596 if (__builtin_offsetof(struct test_offsetof_A, x) == 597 __builtin_offsetof(struct test_offsetof_B, w)) 598 return; 599 int *p = 0; 600 *p = 0xDEADBEEF; // no-warning 601} 602void test_offsetof_2() { 603 if (__builtin_offsetof(struct test_offsetof_A, y) == 604 __builtin_offsetof(struct test_offsetof_B, z)) 605 return; 606 int *p = 0; 607 *p = 0xDEADBEEF; // no-warning 608} 609void test_offsetof_3() { 610 if (__builtin_offsetof(struct test_offsetof_A, y) - 611 __builtin_offsetof(struct test_offsetof_A, x) 612 == 613 __builtin_offsetof(struct test_offsetof_B, z) - 614 __builtin_offsetof(struct test_offsetof_B, w)) 615 return; 616 int *p = 0; 617 *p = 0xDEADBEEF; // no-warning 618} 619void test_offsetof_4() { 620 if (__builtin_offsetof(struct test_offsetof_A, y) == 621 __builtin_offsetof(struct test_offsetof_B, w)) 622 return; 623 int *p = 0; 624 *p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}} 625} 626 627// <rdar://problem/6829164> "nil receiver" false positive: make tracking 628// of the MemRegion for 'self' path-sensitive 629@interface RDar6829164 : NSObject { 630 double x; int y; 631} 632- (id) init; 633@end 634 635id rdar_6829164_1(); 636double rdar_6829164_2(); 637 638@implementation RDar6829164 639- (id) init { 640 if((self = [super init]) != 0) { 641 id z = rdar_6829164_1(); 642 y = (z != 0); 643 if (y) 644 x = rdar_6829164_2(); 645 } 646 return self; 647} 648@end 649 650// <rdar://problem/7242015> - Invalidate values passed-by-reference 651// to functions when the pointer to the value is passed as an integer. 652void test_7242015_aux(unsigned long); 653int rdar_7242015() { 654 int x; 655 test_7242015_aux((unsigned long) &x); // no-warning 656 return x; // Previously we return and uninitialized value when 657 // using RegionStore. 658} 659 660// <rdar://problem/7242006> [RegionStore] compound literal assignment with 661// floats not honored 662CGFloat rdar7242006(CGFloat x) { 663 NSSize y = (NSSize){x, 10}; 664 return y.width; // no-warning 665} 666 667// PR 4988 - This test exhibits a case where a function can be referenced 668// when not explicitly used in an "lvalue" context (as far as the analyzer is 669// concerned). This previously triggered a crash due to an invalid assertion. 670void pr_4988(void) { 671 pr_4988; // expected-warning{{expression result unused}} 672} 673 674// <rdar://problem/7152418> - A 'signed char' is used as a flag, which is 675// implicitly converted to an int. 676void *rdar7152418_bar(); 677@interface RDar7152418 { 678 signed char x; 679} 680-(char)foo; 681@end; 682@implementation RDar7152418 683-(char)foo { 684 char *p = 0; 685 void *result = 0; 686 if (x) { 687 result = rdar7152418_bar(); 688 p = "hello"; 689 } 690 if (!result) { 691 result = rdar7152418_bar(); 692 if (result && x) 693 return *p; // no-warning 694 } 695 return 1; 696} 697 698//===----------------------------------------------------------------------===// 699// Test constant-folding of symbolic values, automatically handling type 700// conversions of the symbol as necessary. 701//===----------------------------------------------------------------------===// 702 703// Previously this would crash once we started eagerly evaluating symbols whose 704// values were constrained to a single value. 705void test_symbol_fold_1(signed char x) { 706 while (1) { 707 if (x == ((signed char) 0)) {} 708 } 709} 710 711// This previously caused a crash because it triggered an assertion in APSInt. 712void test_symbol_fold_2(unsigned int * p, unsigned int n, 713 const unsigned int * grumpkin, unsigned int dn) { 714 unsigned int i; 715 unsigned int tempsub[8]; 716 unsigned int *solgrumpkin = tempsub + n; 717 for (i = 0; i < n; i++) 718 solgrumpkin[i] = (i < dn) ? ~grumpkin[i] : 0xFFFFFFFF; 719 for (i <<= 5; i < (n << 5); i++) {} 720} 721 722// This previously caused a crash because it triggered an assertion in APSInt. 723// 'x' would evaluate to a 8-bit constant (because of the return value of 724// test_symbol_fold_3_aux()) which would not get properly promoted to an 725// integer. 726char test_symbol_fold_3_aux(void); 727unsigned test_symbol_fold_3(void) { 728 unsigned x = test_symbol_fold_3_aux(); 729 if (x == 54) 730 return (x << 8) | 0x5; 731 return 0; 732} 733 734//===----------------------------------------------------------------------===// 735// Tests for the warning of casting a non-struct type to a struct type 736//===----------------------------------------------------------------------===// 737 738typedef struct {unsigned int v;} NSSwappedFloat; 739 740NSSwappedFloat test_cast_nonstruct_to_struct(float x) { 741 struct hodor { 742 float number; 743 NSSwappedFloat sf; 744 }; 745 return ((struct hodor *)&x)->sf; // expected-warning{{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption}} 746} 747 748NSSwappedFloat test_cast_nonstruct_to_union(float x) { 749 union bran { 750 float number; 751 NSSwappedFloat sf; 752 }; 753 return ((union bran *)&x)->sf; // no-warning 754} 755 756void test_undefined_array_subscript() { 757 int i, a[10]; 758 int *p = &a[i]; // expected-warning{{Array subscript is undefined}} 759} 760@end 761 762//===----------------------------------------------------------------------===// 763// Test using an uninitialized value as a branch condition. 764//===----------------------------------------------------------------------===// 765 766int test_uninit_branch(void) { 767 int x; 768 if (x) // expected-warning{{Branch condition evaluates to a garbage value}} 769 return 1; 770 return 0; 771} 772 773int test_uninit_branch_b(void) { 774 int x; 775 return x ? 1 : 0; // expected-warning{{Branch condition evaluates to a garbage value}} 776} 777 778int test_uninit_branch_c(void) { 779 int x; 780 if ((short)x) // expected-warning{{Branch condition evaluates to a garbage value}} 781 return 1; 782 return 0; 783} 784 785//===----------------------------------------------------------------------===// 786// Test passing an undefined value in a message or function call. 787//===----------------------------------------------------------------------===// 788 789void test_bad_call_aux(int x); 790void test_bad_call(void) { 791 int y; 792 test_bad_call_aux(y); // expected-warning{{Pass-by-value argument in function call is undefined}} 793} 794 795@interface TestBadArg {} 796- (void) testBadArg:(int) x; 797@end 798 799void test_bad_msg(TestBadArg *p) { 800 int y; 801 [p testBadArg:y]; // expected-warning{{Pass-by-value argument in message expression is undefined}} 802} 803 804//===----------------------------------------------------------------------===// 805// PR 6033 - Test emitting the correct output in a warning where we use '%' 806// with operands that are undefined. 807//===----------------------------------------------------------------------===// 808 809int pr6033(int x) { 810 int y; 811 return x % y; // expected-warning{{The right operand of '%' is a garbage value}} 812} 813 814struct trie { 815 struct trie* next; 816}; 817 818struct kwset { 819 struct trie *trie; 820 unsigned char delta[10]; 821 struct trie* next[10]; 822 int d; 823}; 824 825typedef struct trie trie_t; 826typedef struct kwset kwset_t; 827 828void f(kwset_t *kws, char const *p, char const *q) { 829 struct trie const *trie; 830 struct trie * const *next = kws->next; 831 register unsigned char c; 832 register char const *end = p; 833 register char const *lim = q; 834 register int d = 1; 835 register unsigned char const *delta = kws->delta; 836 837 d = delta[c = (end+=d)[-1]]; // no-warning 838 trie = next[c]; 839} 840 841//===----------------------------------------------------------------------===// 842// <rdar://problem/7593875> When handling sizeof(VLA) it leads to a hole in 843// the ExplodedGraph (causing a false positive) 844//===----------------------------------------------------------------------===// 845 846int rdar_7593875_aux(int x); 847int rdar_7593875(int n) { 848 int z[n > 10 ? 10 : n]; // VLA. 849 int v; 850 v = rdar_7593875_aux(sizeof(z)); 851 // Previously we got a false positive about 'v' being uninitialized. 852 return v; // no-warning 853} 854 855//===----------------------------------------------------------------------===// 856// Handle casts from symbolic regions (packaged as integers) to doubles. 857// Previously this caused an assertion failure. 858//===----------------------------------------------------------------------===// 859 860void *foo_rev95119(); 861void baz_rev95119(double x); 862void bar_rev95119() { 863 // foo_rev95119() returns a symbolic pointer. It is then 864 // cast to an int which is then cast to a double. 865 int value = (int) foo_rev95119(); 866 baz_rev95119((double)value); 867} 868 869//===----------------------------------------------------------------------===// 870// Handle loading a symbolic pointer from a symbolic region that was 871// invalidated by a call to an unknown function. 872//===----------------------------------------------------------------------===// 873 874void bar_rev95192(int **x); 875void foo_rev95192(int **x) { 876 *x = 0; 877 bar_rev95192(x); 878 // Not a null dereference. 879 **x = 1; // no-warning 880} 881 882//===----------------------------------------------------------------------===// 883// Handle casts of a function to a function pointer with a different return 884// value. We don't yet emit an error for such cases, but we now we at least 885// don't crash when the return value gets interpreted in a way that 886// violates our invariants. 887//===----------------------------------------------------------------------===// 888 889void *foo_rev95267(); 890int bar_rev95267() { 891 char (*Callback_rev95267)(void) = (char (*)(void)) foo_rev95267; 892 if ((*Callback_rev95267)() == (char) 0) 893 return 1; 894 return 0; 895} 896 897// Same as previous case, but handle casts to 'void'. 898int bar_rev95274() { 899 void (*Callback_rev95274)(void) = (void (*)(void)) foo_rev95267; 900 (*Callback_rev95274)(); 901 return 0; 902} 903 904void rdar7582031_test_static_init_zero() { 905 static unsigned x; 906 if (x == 0) 907 return; 908 int *p = 0; 909 *p = 0xDEADBEEF; 910} 911void rdar7582031_test_static_init_zero_b() { 912 static void* x; 913 if (x == 0) 914 return; 915 int *p = 0; 916 *p = 0xDEADBEEF; 917} 918