misc-ps.m revision 8a90ac0e85e8c5758b585fe486ee7db01c53fb98
1// NOTE: Use '-fobjc-gc' to test the analysis being run twice, and multiple reports are not issued. 2// RUN: clang-cc -analyze -analyzer-experimental-internal-checks -checker-cfref -analyzer-store=basic -fobjc-gc -analyzer-constraints=basic -verify -fblocks %s 3// RUN: clang-cc -analyze -analyzer-experimental-internal-checks -checker-cfref -analyzer-store=basic -analyzer-constraints=range -verify -fblocks %s 4// RUN: clang-cc -analyze -analyzer-experimental-internal-checks -checker-cfref -analyzer-store=region -analyzer-constraints=basic -verify -fblocks %s 5// RUN: clang-cc -analyze -analyzer-experimental-internal-checks -checker-cfref -analyzer-store=region -analyzer-constraints=range -verify -fblocks %s 6 7typedef struct objc_ivar *Ivar; 8typedef struct objc_selector *SEL; 9typedef signed char BOOL; 10typedef int NSInteger; 11typedef unsigned int NSUInteger; 12typedef struct _NSZone NSZone; 13@class NSInvocation, NSArray, NSMethodSignature, NSCoder, NSString, NSEnumerator; 14@protocol NSObject 15- (BOOL)isEqual:(id)object; 16- (id)autorelease; 17@end 18@protocol NSCopying 19- (id)copyWithZone:(NSZone *)zone; 20@end 21@protocol NSMutableCopying - (id)mutableCopyWithZone:(NSZone *)zone; @end 22@protocol NSCoding 23- (void)encodeWithCoder:(NSCoder *)aCoder; 24@end 25@interface NSObject <NSObject> {} 26- (id)init; 27+ (id)allocWithZone:(NSZone *)zone; 28@end 29extern id NSAllocateObject(Class aClass, NSUInteger extraBytes, NSZone *zone); 30@interface NSString : NSObject <NSCopying, NSMutableCopying, NSCoding> 31- (NSUInteger)length; 32+ (id)stringWithUTF8String:(const char *)nullTerminatedCString; 33@end extern NSString * const NSBundleDidLoadNotification; 34@interface NSValue : NSObject <NSCopying, NSCoding> 35- (void)getValue:(void *)value; 36@end 37@interface NSNumber : NSValue 38- (char)charValue; 39- (id)initWithBool:(BOOL)value; 40@end 41@interface NSAssertionHandler : NSObject {} 42+ (NSAssertionHandler *)currentHandler; 43- (void)handleFailureInMethod:(SEL)selector object:(id)object file:(NSString *)fileName lineNumber:(NSInteger)line description:(NSString *)format,...; 44@end 45extern NSString * const NSConnectionReplyMode; 46typedef float CGFloat; 47typedef struct _NSPoint { 48 CGFloat x; 49 CGFloat y; 50} NSPoint; 51typedef struct _NSSize { 52 CGFloat width; 53 CGFloat height; 54} NSSize; 55typedef struct _NSRect { 56 NSPoint origin; 57 NSSize size; 58} NSRect; 59 60// Reduced test case from crash in <rdar://problem/6253157> 61@interface A @end 62@implementation A 63- (void)foo:(void (^)(NSObject *x))block { 64 if (!((block != ((void *)0)))) {} 65} 66@end 67 68// Reduced test case from crash in PR 2796; 69// http://llvm.org/bugs/show_bug.cgi?id=2796 70 71unsigned foo(unsigned x) { return __alignof__((x)) + sizeof(x); } 72 73// Improvement to path-sensitivity involving compound assignments. 74// Addresses false positive in <rdar://problem/6268365> 75// 76 77unsigned r6268365Aux(); 78 79void r6268365() { 80 unsigned x = 0; 81 x &= r6268365Aux(); 82 unsigned j = 0; 83 84 if (x == 0) ++j; 85 if (x == 0) x = x / j; // no-warning 86} 87 88void divzeroassume(unsigned x, unsigned j) { 89 x /= j; 90 if (j == 0) x /= 0; // no-warning 91 if (j == 0) x /= j; // no-warning 92 if (j == 0) x = x / 0; // no-warning 93} 94 95void divzeroassumeB(unsigned x, unsigned j) { 96 x = x / j; 97 if (j == 0) x /= 0; // no-warning 98 if (j == 0) x /= j; // no-warning 99 if (j == 0) x = x / 0; // no-warning 100} 101 102// InitListExpr processing 103 104typedef float __m128 __attribute__((__vector_size__(16), __may_alias__)); 105__m128 return128() { 106 // This compound literal has a Vector type. We currently just 107 // return UnknownVal. 108 return __extension__(__m128) { 0.0f, 0.0f, 0.0f, 0.0f }; 109} 110 111typedef long long __v2di __attribute__ ((__vector_size__ (16))); 112typedef long long __m128i __attribute__ ((__vector_size__ (16), __may_alias__)); 113__m128i vec128i(long long __q1, long long __q0) { 114 // This compound literal returns true for both isVectorType() and 115 // isIntegerType(). 116 return __extension__ (__m128i)(__v2di){ __q0, __q1 }; 117} 118 119// Zero-sized VLAs. 120void check_zero_sized_VLA(int x) { 121 if (x) 122 return; 123 124 int vla[x]; // expected-warning{{Declared variable-length array (VLA) has zero size}} 125} 126 127void check_uninit_sized_VLA() { 128 int x; 129 int vla[x]; // expected-warning{{Declared variable-length array (VLA) uses a garbage value as its size}} 130} 131 132// sizeof(void) 133// - Tests a regression reported in PR 3211: http://llvm.org/bugs/show_bug.cgi?id=3211 134void handle_sizeof_void(unsigned flag) { 135 int* p = 0; 136 137 if (flag) { 138 if (sizeof(void) == 1) 139 return; 140 // Infeasible. 141 *p = 1; // no-warning 142 } 143 144 void* q; 145 146 if (!flag) { 147 if (sizeof(*q) == 1) 148 return; 149 // Infeasibe. 150 *p = 1; // no-warning 151 } 152 153 // Infeasible. 154 *p = 1; // no-warning 155} 156 157// check deference of undefined values 158void check_deref_undef(void) { 159 int *p; 160 *p = 0xDEADBEEF; // expected-warning{{Dereference of undefined pointer value}} 161} 162 163// PR 3422 164void pr3422_helper(char *p); 165void pr3422() { 166 char buf[100]; 167 char *q = &buf[10]; 168 pr3422_helper(&q[1]); 169} 170 171// PR 3543 (handle empty statement expressions) 172void pr_3543(void) { 173 ({}); 174} 175 176// <rdar://problem/6611677> 177// This test case test the use of a vector type within an array subscript 178// expression. 179typedef long long __a64vector __attribute__((__vector_size__(8))); 180typedef long long __a128vector __attribute__((__vector_size__(16))); 181static inline __a64vector __attribute__((__always_inline__, __nodebug__)) 182my_test_mm_movepi64_pi64(__a128vector a) { 183 return (__a64vector)a[0]; 184} 185 186// Test basic tracking of ivars associated with 'self'. 187@interface SelfIvarTest : NSObject { 188 int flag; 189} 190- (void)test_self_tracking; 191@end 192 193@implementation SelfIvarTest 194- (void)test_self_tracking { 195 char *p = 0; 196 char c; 197 198 if (flag) 199 p = "hello"; 200 201 if (flag) 202 c = *p; // no-warning 203} 204@end 205 206// PR 3770 207char pr3770(int x) { 208 int y = x & 0x2; 209 char *p = 0; 210 if (y == 1) 211 p = "hello"; 212 213 if (y == 1) 214 return p[0]; // no-warning 215 216 return 'a'; 217} 218 219// PR 3772 220// - We just want to test that this doesn't crash the analyzer. 221typedef struct st ST; 222struct st { char *name; }; 223extern ST *Cur_Pu; 224 225void pr3772(void) 226{ 227 static ST *last_Cur_Pu; 228 if (last_Cur_Pu == Cur_Pu) { 229 return; 230 } 231} 232 233// PR 3780 - This tests that StmtIterator isn't broken for VLAs in DeclGroups. 234void pr3780(int sz) { typedef double MAT[sz][sz]; } 235 236// <rdar://problem/6695527> - Test that we don't symbolicate doubles before 237// we are ready to do something with them. 238int rdar6695527(double x) { 239 if (!x) { return 0; } 240 return 1; 241} 242 243// <rdar://problem/6708148> - Test that we properly invalidate structs 244// passed-by-reference to a function. 245void pr6708148_invalidate(NSRect *x); 246void pr6708148_use(NSRect x); 247void pr6708148_test(void) { 248 NSRect x; 249 pr6708148_invalidate(&x); 250 pr6708148_use(x); // no-warning 251} 252 253// Handle both kinds of noreturn attributes for pruning paths. 254void rdar_6777003_noret() __attribute__((noreturn)); 255void rdar_6777003_analyzer_noret() __attribute__((analyzer_noreturn)); 256 257void rdar_6777003(int x) { 258 int *p = 0; 259 260 if (x == 1) { 261 rdar_6777003_noret(); 262 *p = 1; // no-warning; 263 } 264 265 if (x == 2) { 266 rdar_6777003_analyzer_noret(); 267 *p = 1; // no-warning; 268 } 269 270 *p = 1; // expected-warning{{Dereference of null pointer}} 271} 272 273// For pointer arithmetic, --/++ should be treated as preserving non-nullness, 274// regardless of how well the underlying StoreManager reasons about pointer 275// arithmetic. 276// <rdar://problem/6777209> 277void rdar_6777209(char *p) { 278 if (p == 0) 279 return; 280 281 ++p; 282 283 // This branch should always be infeasible. 284 if (p == 0) 285 *p = 'c'; // no-warning 286} 287 288// PR 4033. A symbolic 'void *' pointer can be used as the address for a 289// computed goto. 290typedef void *Opcode; 291Opcode pr_4033_getOpcode(); 292void pr_4033(void) { 293next_opcode: 294 { 295 Opcode op = pr_4033_getOpcode(); 296 if (op) goto *op; 297 } 298} 299 300// Test invalidating pointers-to-pointers with slightly different types. This 301// example came from a recent false positive due to a regression where the 302// branch condition was falsely reported as being uninitialized. 303void invalidate_by_ref(char **x); 304int test_invalidate_by_ref() { 305 unsigned short y; 306 invalidate_by_ref((char**) &y); 307 if (y) // no-warning 308 return 1; 309 return 0; 310} 311 312// Test for <rdar://problem/7027684>. This just tests that the CFG is 313// constructed correctly. Previously, the successor block of the entrance 314// was the block containing the merge for '?', which would trigger an 315// assertion failure. 316int rdar_7027684_aux(); 317int rdar_7027684_aux_2() __attribute__((noreturn)); 318void rdar_7027684(int x, int y) { 319 {}; // this empty compound statement is critical. 320 (rdar_7027684_aux() ? rdar_7027684_aux_2() : (void) 0); 321} 322 323// Test that we handle casts of string literals to arbitrary types. 324unsigned const char *string_literal_test1() { 325 return (const unsigned char*) "hello"; 326} 327 328const float *string_literal_test2() { 329 return (const float*) "hello"; 330} 331 332// Test that we handle casts *from* incomplete struct types. 333extern const struct _FooAssertStruct _cmd; 334void test_cast_from_incomplete_struct_aux(volatile const void *x); 335void test_cast_from_incomplete_struct() { 336 test_cast_from_incomplete_struct_aux(&_cmd); 337} 338 339// Test for <rdar://problem/7034511> 340// "ValueManager::makeIntVal(uint64_t X, QualType T) should return a 'Loc' 341// when 'T' is a pointer" 342// 343// Previously this case would crash. 344void test_rdar_7034511(NSArray *y) { 345 NSObject *x; 346 for (x in y) {} 347 if (x == ((void*) 0)) {} 348} 349 350// Handle casts of function pointers (CodeTextRegions) to arbitrary pointer 351// types. This was previously causing a crash in CastRegion. 352void handle_funcptr_voidptr_casts() { 353 void **ptr; 354 typedef void *PVOID; 355 typedef void *PCHAR; 356 typedef long INT_PTR, *PINT_PTR; 357 typedef INT_PTR (*FARPROC)(); 358 FARPROC handle_funcptr_voidptr_casts_aux(); 359 PVOID handle_funcptr_voidptr_casts_aux_2(PVOID volatile *x); 360 PVOID handle_funcptr_voidptr_casts_aux_3(PCHAR volatile *x); 361 362 ptr = (void**) handle_funcptr_voidptr_casts_aux(); 363 handle_funcptr_voidptr_casts_aux_2(ptr); 364 handle_funcptr_voidptr_casts_aux_3(ptr); 365} 366 367// RegionStore::Retrieve previously crashed on this example. This example 368// was previously in the test file 'xfail_regionstore_wine_crash.c'. 369void testA() { 370 long x = 0; 371 char *y = (char *) &x; 372 if (!*y) 373 return; 374} 375 376// RegionStoreManager previously crashed on this example. The problem is that 377// the value bound to the field of b->grue after the call to testB_aux is 378// a symbolic region. The second '*__gruep__' involves performing a load 379// from a 'int*' that really is a 'void**'. The loaded location must be 380// implicitly converted to an integer that wraps a location. Previosly we would 381// get a crash here due to an assertion failure. 382typedef struct _BStruct { void *grue; } BStruct; 383void testB_aux(void *ptr); 384void testB(BStruct *b) { 385 { 386 int *__gruep__ = ((int *)&((b)->grue)); 387 int __gruev__ = *__gruep__; 388 testB_aux(__gruep__); 389 } 390 { 391 int *__gruep__ = ((int *)&((b)->grue)); 392 int __gruev__ = *__gruep__; 393 if (~0 != __gruev__) {} 394 } 395} 396 397void test_trivial_symbolic_comparison(int *x) { 398 int test_trivial_symbolic_comparison_aux(); 399 int a = test_trivial_symbolic_comparison_aux(); 400 int b = a; 401 if (a != b) { 402 int *p = 0; 403 *p = 0xDEADBEEF; // no-warning 404 } 405 406 a = a == 1; 407 b = b == 1; 408 if (a != b) { 409 int *p = 0; 410 *p = 0xDEADBEEF; // no-warning 411 } 412} 413 414// Test for: 415// <rdar://problem/7062158> false positive null dereference due to 416// BasicStoreManager not tracking *static* globals 417// 418// This just tests the proper tracking of symbolic values for globals (both 419// static and non-static). 420// 421static int* x_rdar_7062158; 422void rdar_7062158() { 423 int *current = x_rdar_7062158; 424 if (current == x_rdar_7062158) 425 return; 426 427 int *p = 0; 428 *p = 0xDEADBEEF; // no-warning 429} 430 431int* x_rdar_7062158_2; 432void rdar_7062158_2() { 433 int *current = x_rdar_7062158_2; 434 if (current == x_rdar_7062158_2) 435 return; 436 437 int *p = 0; 438 *p = 0xDEADBEEF; // no-warning 439} 440 441// This test reproduces a case for a crash when analyzing ClamAV using 442// RegionStoreManager (the crash doesn't exhibit in BasicStoreManager because 443// it isn't doing anything smart about arrays). The problem is that on the 444// second line, 'p = &p[i]', p is assigned an ElementRegion whose index 445// is a 16-bit integer. On the third line, a new ElementRegion is created 446// based on the previous region, but there the region uses a 32-bit integer, 447// resulting in a clash of values (an assertion failure at best). We resolve 448// this problem by implicitly converting index values to 'int' when the 449// ElementRegion is created. 450unsigned char test_array_index_bitwidth(const unsigned char *p) { 451 unsigned short i = 0; 452 for (i = 0; i < 2; i++) p = &p[i]; 453 return p[i+1]; 454} 455 456// This case tests that CastRegion handles casts involving BlockPointerTypes. 457// It should not crash. 458void test_block_cast() { 459 id test_block_cast_aux(); 460 (void (^)(void *))test_block_cast_aux(); // expected-warning{{expression result unused}} 461} 462 463// Test comparison of 'id' instance variable to a null void* constant after 464// performing an OSAtomicCompareAndSwap32Barrier. 465// This previously was a crash in RegionStoreManager. 466@interface TestIdNull { 467 id x; 468} 469-(int)foo; 470@end 471@implementation TestIdNull 472-(int)foo { 473 OSAtomicCompareAndSwap32Barrier(0, (signed)2, (signed*)&x); 474 if (x == (void*) 0) { return 0; } 475 return 1; 476} 477@end 478 479// PR 4594 - This was a crash when handling casts in SimpleSValuator. 480void PR4594() { 481 char *buf[1]; 482 char **foo = buf; 483 *foo = "test"; 484} 485 486// Test invalidation logic where an integer is casted to an array with a 487// different sign and then invalidated. 488void test_invalidate_cast_int() { 489 void test_invalidate_cast_int_aux(unsigned *i); 490 signed i; 491 test_invalidate_cast_int_aux((unsigned*) &i); 492 if (i < 0) 493 return; 494} 495 496// Reduced from a crash involving the cast of an Objective-C symbolic region to 497// 'char *' 498static NSNumber *test_ivar_offset(id self, SEL _cmd, Ivar inIvar) { 499 return [[[NSNumber allocWithZone:((void*)0)] initWithBool:*(_Bool *)((char *)self + ivar_getOffset(inIvar))] autorelease]; 500} 501 502// Reduced from a crash in StoreManager::CastRegion involving a divide-by-zero. 503// This resulted from not properly handling region casts to 'const void*'. 504void test_cast_const_voidptr() { 505 char x[10]; 506 char *p = &x[1]; 507 const void* q = p; 508} 509 510// Reduced from a crash when analyzing Wine. This test handles loads from 511// function addresses. 512typedef long (*FARPROC)(); 513FARPROC test_load_func(FARPROC origfun) { 514 if (!*(unsigned char*) origfun) 515 return origfun; 516 return 0; 517} 518 519// Test passing-by-value an initialized struct variable. 520struct test_pass_val { 521 int x; 522 int y; 523}; 524void test_pass_val_aux(struct test_pass_val s); 525void test_pass_val() { 526 struct test_pass_val s; 527 s.x = 1; 528 s.y = 2; 529 test_pass_val_aux(s); 530} 531 532// This is a reduced test case of a false positive that previously appeared 533// in RegionStoreManager. Previously the array access resulted in dereferencing 534// an undefined value. 535int test_array_compound(int *q, int *r, int *z) { 536 int *array[] = { q, r, z }; 537 int j = 0; 538 for (unsigned i = 0; i < 3 ; ++i) 539 if (*array[i]) ++j; // no-warning 540 return j; 541} 542 543// This test case previously crashed with -analyzer-store=basic because the 544// symbolic value stored in 'x' wouldn't be implicitly casted to a signed value 545// during the comparison. 546int rdar_7124210(unsigned int x) { 547 enum { SOME_CONSTANT = 123 }; 548 int compare = ((signed) SOME_CONSTANT) == *((signed *) &x); 549 return compare ? 0 : 1; // Forces the evaluation of the symbolic constraint. 550} 551 552void pr4781(unsigned long *raw1) { 553 unsigned long *cook, *raw0; 554 unsigned long dough[32]; 555 int i; 556 cook = dough; 557 for( i = 0; i < 16; i++, raw1++ ) { 558 raw0 = raw1++; 559 *cook = (*raw0 & 0x00fc0000L) << 6; 560 *cook |= (*raw0 & 0x00000fc0L) << 10; 561 } 562} 563 564// <rdar://problem/7185647> - 'self' should be treated as being non-null 565// upon entry to an objective-c method. 566@interface RDar7185647 567- (id)foo; 568@end 569@implementation RDar7185647 570- (id) foo { 571 if (self) 572 return self; 573 *((int *) 0x0) = 0xDEADBEEF; // no-warning 574 return self; 575} 576@end 577 578// Test reasoning of __builtin_offsetof; 579struct test_offsetof_A { 580 int x; 581 int y; 582}; 583struct test_offsetof_B { 584 int w; 585 int z; 586}; 587void test_offsetof_1() { 588 if (__builtin_offsetof(struct test_offsetof_A, x) == 589 __builtin_offsetof(struct test_offsetof_B, w)) 590 return; 591 int *p = 0; 592 *p = 0xDEADBEEF; // no-warning 593} 594void test_offsetof_2() { 595 if (__builtin_offsetof(struct test_offsetof_A, y) == 596 __builtin_offsetof(struct test_offsetof_B, z)) 597 return; 598 int *p = 0; 599 *p = 0xDEADBEEF; // no-warning 600} 601void test_offsetof_3() { 602 if (__builtin_offsetof(struct test_offsetof_A, y) - 603 __builtin_offsetof(struct test_offsetof_A, x) 604 == 605 __builtin_offsetof(struct test_offsetof_B, z) - 606 __builtin_offsetof(struct test_offsetof_B, w)) 607 return; 608 int *p = 0; 609 *p = 0xDEADBEEF; // no-warning 610} 611void test_offsetof_4() { 612 if (__builtin_offsetof(struct test_offsetof_A, y) == 613 __builtin_offsetof(struct test_offsetof_B, w)) 614 return; 615 int *p = 0; 616 *p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}} 617} 618 619// <rdar://problem/6829164> "nil receiver" false positive: make tracking 620// of the MemRegion for 'self' path-sensitive 621@interface RDar6829164 : NSObject { 622 double x; int y; 623} 624- (id) init; 625@end 626 627id rdar_6829164_1(); 628double rdar_6829164_2(); 629 630@implementation RDar6829164 631- (id) init { 632 if((self = [super init]) != 0) { 633 id z = rdar_6829164_1(); 634 y = (z != 0); 635 if (y) 636 x = rdar_6829164_2(); 637 } 638 return self; 639} 640@end 641 642// <rdar://problem/7242015> - Invalidate values passed-by-reference 643// to functions when the pointer to the value is passed as an integer. 644void test_7242015_aux(unsigned long); 645int rdar_7242015() { 646 int x; 647 test_7242015_aux((unsigned long) &x); // no-warning 648 return x; // Previously we return and uninitialized value when 649 // using RegionStore. 650} 651 652// <rdar://problem/7242006> [RegionStore] compound literal assignment with 653// floats not honored 654CGFloat rdar7242006(CGFloat x) { 655 NSSize y = (NSSize){x, 10}; 656 return y.width; // no-warning 657} 658 659// PR 4988 - This test exhibits a case where a function can be referenced 660// when not explicitly used in an "lvalue" context (as far as the analyzer is 661// concerned). This previously triggered a crash due to an invalid assertion. 662void pr_4988(void) { 663 pr_4988; // expected-warning{{expression result unused}} 664} 665 666// <rdar://problem/7152418> - A 'signed char' is used as a flag, which is 667// implicitly converted to an int. 668void *rdar7152418_bar(); 669@interface RDar7152418 { 670 signed char x; 671} 672-(char)foo; 673@end; 674@implementation RDar7152418 675-(char)foo { 676 char *p = 0; 677 void *result = 0; 678 if (x) { 679 result = rdar7152418_bar(); 680 p = "hello"; 681 } 682 if (!result) { 683 result = rdar7152418_bar(); 684 if (result && x) 685 return *p; // no-warning 686 } 687 return 1; 688} 689 690//===----------------------------------------------------------------------===// 691// Test constant-folding of symbolic values, automatically handling type 692// conversions of the symbol as necessary. 693//===----------------------------------------------------------------------===// 694 695// Previously this would crash once we started eagerly evaluating symbols whose 696// values were constrained to a single value. 697void test_symbol_fold_1(signed char x) { 698 while (1) { 699 if (x == ((signed char) 0)) {} 700 } 701} 702 703// This previously caused a crash because it triggered an assertion in APSInt. 704void test_symbol_fold_2(unsigned int * p, unsigned int n, 705 const unsigned int * grumpkin, unsigned int dn) { 706 unsigned int i; 707 unsigned int tempsub[8]; 708 unsigned int *solgrumpkin = tempsub + n; 709 for (i = 0; i < n; i++) 710 solgrumpkin[i] = (i < dn) ? ~grumpkin[i] : 0xFFFFFFFF; 711 for (i <<= 5; i < (n << 5); i++) {} 712} 713 714// This previously caused a crash because it triggered an assertion in APSInt. 715// 'x' would evaluate to a 8-bit constant (because of the return value of 716// test_symbol_fold_3_aux()) which would not get properly promoted to an 717// integer. 718char test_symbol_fold_3_aux(void); 719unsigned test_symbol_fold_3(void) { 720 unsigned x = test_symbol_fold_3_aux(); 721 if (x == 54) 722 return (x << 8) | 0x5; 723 return 0; 724} 725 726//===----------------------------------------------------------------------===// 727// Tests for the warning of casting a non-struct type to a struct type 728//===----------------------------------------------------------------------===// 729 730typedef struct {unsigned int v;} NSSwappedFloat; 731 732NSSwappedFloat test_cast_nonstruct_to_struct(float x) { 733 struct hodor { 734 float number; 735 NSSwappedFloat sf; 736 }; 737 return ((struct hodor *)&x)->sf; // expected-warning{{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption}} 738} 739 740NSSwappedFloat test_cast_nonstruct_to_union(float x) { 741 union bran { 742 float number; 743 NSSwappedFloat sf; 744 }; 745 return ((union bran *)&x)->sf; // no-warning 746} 747 748void test_undefined_array_subscript() { 749 int i, a[10]; 750 int *p = &a[i]; // expected-warning{{Array subscript is undefined}} 751} 752@end 753 754//===----------------------------------------------------------------------===// 755// Test using an uninitialized value as a branch condition. 756//===----------------------------------------------------------------------===// 757 758int test_uninit_branch(void) { 759 int x; 760 if (x) // expected-warning{{Branch condition evaluates to a garbage value}} 761 return 1; 762 return 0; 763} 764 765int test_uninit_branch_b(void) { 766 int x; 767 return x ? 1 : 0; // expected-warning{{Branch condition evaluates to a garbage value}} 768} 769 770int test_uninit_branch_c(void) { 771 int x; 772 if ((short)x) // expected-warning{{Branch condition evaluates to a garbage value}} 773 return 1; 774 return 0; 775} 776 777//===----------------------------------------------------------------------===// 778// Test passing an undefined value in a message or function call. 779//===----------------------------------------------------------------------===// 780 781void test_bad_call_aux(int x); 782void test_bad_call(void) { 783 int y; 784 test_bad_call_aux(y); // expected-warning{{Pass-by-value argument in function call is undefined}} 785} 786 787@interface TestBadArg {} 788- (void) testBadArg:(int) x; 789@end 790 791void test_bad_msg(TestBadArg *p) { 792 int y; 793 [p testBadArg:y]; // expected-warning{{Pass-by-value argument in message expression is undefined}} 794} 795 796