misc-ps.m revision 8b5dec3002bd3e17061a8bf1fc35ba82912ec768
1// NOTE: Use '-fobjc-gc' to test the analysis being run twice, and multiple reports are not issued. 2// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-experimental-internal-checks -analyzer-check-objc-mem -analyzer-store=basic -fobjc-gc -analyzer-constraints=basic -verify -fblocks -Wno-unreachable-code %s 3// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-experimental-internal-checks -analyzer-check-objc-mem -analyzer-store=basic -analyzer-constraints=range -verify -fblocks -Wno-unreachable-code %s 4// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-experimental-internal-checks -analyzer-check-objc-mem -analyzer-store=region -analyzer-constraints=basic -verify -fblocks -Wno-unreachable-code %s 5// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-experimental-internal-checks -analyzer-check-objc-mem -analyzer-store=region -analyzer-constraints=range -verify -fblocks -Wno-unreachable-code %s 6// RUN: %clang_cc1 -triple x86_64-apple-darwin10 -analyze -analyzer-experimental-internal-checks -analyzer-check-objc-mem -analyzer-store=basic -fobjc-gc -analyzer-constraints=basic -verify -fblocks -Wno-unreachable-code %s 7// RUN: %clang_cc1 -triple x86_64-apple-darwin10 -analyze -analyzer-experimental-internal-checks -analyzer-check-objc-mem -analyzer-store=basic -analyzer-constraints=range -verify -fblocks -Wno-unreachable-code %s 8// RUN: %clang_cc1 -triple x86_64-apple-darwin10 -analyze -analyzer-experimental-internal-checks -analyzer-check-objc-mem -analyzer-store=region -analyzer-constraints=basic -verify -fblocks -Wno-unreachable-code %s 9// RUN: %clang_cc1 -triple x86_64-apple-darwin10 -analyze -analyzer-experimental-internal-checks -analyzer-check-objc-mem -analyzer-store=region -analyzer-constraints=range -verify -fblocks -Wno-unreachable-code %s 10 11#ifndef __clang_analyzer__ 12#error __clang__analyzer__ not defined 13#endif 14 15typedef struct objc_ivar *Ivar; 16typedef struct objc_selector *SEL; 17typedef signed char BOOL; 18typedef int NSInteger; 19typedef unsigned int NSUInteger; 20typedef struct _NSZone NSZone; 21@class NSInvocation, NSArray, NSMethodSignature, NSCoder, NSString, NSEnumerator; 22@protocol NSObject 23- (BOOL)isEqual:(id)object; 24- (id)autorelease; 25@end 26@protocol NSCopying 27- (id)copyWithZone:(NSZone *)zone; 28@end 29@protocol NSMutableCopying - (id)mutableCopyWithZone:(NSZone *)zone; @end 30@protocol NSCoding 31- (void)encodeWithCoder:(NSCoder *)aCoder; 32@end 33@interface NSObject <NSObject> {} 34- (id)init; 35+ (id)allocWithZone:(NSZone *)zone; 36@end 37extern id NSAllocateObject(Class aClass, NSUInteger extraBytes, NSZone *zone); 38@interface NSString : NSObject <NSCopying, NSMutableCopying, NSCoding> 39- (NSUInteger)length; 40+ (id)stringWithUTF8String:(const char *)nullTerminatedCString; 41@end extern NSString * const NSBundleDidLoadNotification; 42@interface NSValue : NSObject <NSCopying, NSCoding> 43- (void)getValue:(void *)value; 44@end 45@interface NSNumber : NSValue 46- (char)charValue; 47- (id)initWithBool:(BOOL)value; 48@end 49@interface NSAssertionHandler : NSObject {} 50+ (NSAssertionHandler *)currentHandler; 51- (void)handleFailureInMethod:(SEL)selector object:(id)object file:(NSString *)fileName lineNumber:(NSInteger)line description:(NSString *)format,...; 52@end 53extern NSString * const NSConnectionReplyMode; 54typedef float CGFloat; 55typedef struct _NSPoint { 56 CGFloat x; 57 CGFloat y; 58} NSPoint; 59typedef struct _NSSize { 60 CGFloat width; 61 CGFloat height; 62} NSSize; 63typedef struct _NSRect { 64 NSPoint origin; 65 NSSize size; 66} NSRect; 67 68// Reduced test case from crash in <rdar://problem/6253157> 69@interface A @end 70@implementation A 71- (void)foo:(void (^)(NSObject *x))block { 72 if (!((block != ((void *)0)))) {} 73} 74@end 75 76// Reduced test case from crash in PR 2796; 77// http://llvm.org/bugs/show_bug.cgi?id=2796 78 79unsigned foo(unsigned x) { return __alignof__((x)) + sizeof(x); } 80 81// Improvement to path-sensitivity involving compound assignments. 82// Addresses false positive in <rdar://problem/6268365> 83// 84 85unsigned r6268365Aux(); 86 87void r6268365() { 88 unsigned x = 0; 89 x &= r6268365Aux(); 90 unsigned j = 0; 91 92 if (x == 0) ++j; 93 if (x == 0) x = x / j; // no-warning 94} 95 96void divzeroassume(unsigned x, unsigned j) { 97 x /= j; 98 if (j == 0) x /= 0; // no static-analyzer warning expected-warning {{division by zero is undefined}} 99 if (j == 0) x /= j; // no static-analyzer warning 100 if (j == 0) x = x / 0; // no static-analyzer warning expected-warning {{division by zero is undefined}} 101} 102 103void divzeroassumeB(unsigned x, unsigned j) { 104 x = x / j; 105 if (j == 0) x /= 0; // no static-analyzer warning expected-warning {{division by zero is undefined}} 106 if (j == 0) x /= j; // no static-analyzer warning 107 if (j == 0) x = x / 0; // no static-analyzer warning expected-warning {{division by zero is undefined}} 108} 109 110// InitListExpr processing 111 112typedef float __m128 __attribute__((__vector_size__(16), __may_alias__)); 113__m128 return128() { 114 // This compound literal has a Vector type. We currently just 115 // return UnknownVal. 116 return __extension__(__m128) { 0.0f, 0.0f, 0.0f, 0.0f }; 117} 118 119typedef long long __v2di __attribute__ ((__vector_size__ (16))); 120typedef long long __m128i __attribute__ ((__vector_size__ (16), __may_alias__)); 121__m128i vec128i(long long __q1, long long __q0) { 122 // This compound literal returns true for both isVectorType() and 123 // isIntegerType(). 124 return __extension__ (__m128i)(__v2di){ __q0, __q1 }; 125} 126 127// Zero-sized VLAs. 128void check_zero_sized_VLA(int x) { 129 if (x) 130 return; 131 132 int vla[x]; // expected-warning{{Declared variable-length array (VLA) has zero size}} 133} 134 135void check_uninit_sized_VLA() { 136 int x; 137 int vla[x]; // expected-warning{{Declared variable-length array (VLA) uses a garbage value as its size}} 138} 139 140// sizeof(void) 141// - Tests a regression reported in PR 3211: http://llvm.org/bugs/show_bug.cgi?id=3211 142void handle_sizeof_void(unsigned flag) { 143 int* p = 0; 144 145 if (flag) { 146 if (sizeof(void) == 1) 147 return; 148 // Infeasible. 149 *p = 1; // no-warning 150 } 151 152 void* q; 153 154 if (!flag) { 155 if (sizeof(*q) == 1) 156 return; 157 // Infeasibe. 158 *p = 1; // no-warning 159 } 160 161 // Infeasible. 162 *p = 1; // no-warning 163} 164 165// check deference of undefined values 166void check_deref_undef(void) { 167 int *p; 168 *p = 0xDEADBEEF; // expected-warning{{Dereference of undefined pointer value}} 169} 170 171// PR 3422 172void pr3422_helper(char *p); 173void pr3422() { 174 char buf[100]; 175 char *q = &buf[10]; 176 pr3422_helper(&q[1]); 177} 178 179// PR 3543 (handle empty statement expressions) 180void pr_3543(void) { 181 ({}); 182} 183 184// <rdar://problem/6611677> 185// This test case test the use of a vector type within an array subscript 186// expression. 187typedef long long __a64vector __attribute__((__vector_size__(8))); 188typedef long long __a128vector __attribute__((__vector_size__(16))); 189static inline __a64vector __attribute__((__always_inline__, __nodebug__)) 190my_test_mm_movepi64_pi64(__a128vector a) { 191 return (__a64vector)a[0]; 192} 193 194// Test basic tracking of ivars associated with 'self'. 195@interface SelfIvarTest : NSObject { 196 int flag; 197} 198- (void)test_self_tracking; 199@end 200 201@implementation SelfIvarTest 202- (void)test_self_tracking { 203 char *p = 0; 204 char c; 205 206 if (flag) 207 p = "hello"; 208 209 if (flag) 210 c = *p; // no-warning 211} 212@end 213 214// PR 3770 215char pr3770(int x) { 216 int y = x & 0x2; 217 char *p = 0; 218 if (y == 1) 219 p = "hello"; 220 221 if (y == 1) 222 return p[0]; // no-warning 223 224 return 'a'; 225} 226 227// PR 3772 228// - We just want to test that this doesn't crash the analyzer. 229typedef struct st ST; 230struct st { char *name; }; 231extern ST *Cur_Pu; 232 233void pr3772(void) 234{ 235 static ST *last_Cur_Pu; 236 if (last_Cur_Pu == Cur_Pu) { 237 return; 238 } 239} 240 241// PR 3780 - This tests that StmtIterator isn't broken for VLAs in DeclGroups. 242void pr3780(int sz) { typedef double MAT[sz][sz]; } 243 244// <rdar://problem/6695527> - Test that we don't symbolicate doubles before 245// we are ready to do something with them. 246int rdar6695527(double x) { 247 if (!x) { return 0; } 248 return 1; 249} 250 251// <rdar://problem/6708148> - Test that we properly invalidate structs 252// passed-by-reference to a function. 253void pr6708148_invalidate(NSRect *x); 254void pr6708148_use(NSRect x); 255void pr6708148_test(void) { 256 NSRect x; 257 pr6708148_invalidate(&x); 258 pr6708148_use(x); // no-warning 259} 260 261// Handle both kinds of noreturn attributes for pruning paths. 262void rdar_6777003_noret() __attribute__((noreturn)); 263void rdar_6777003_analyzer_noret() __attribute__((analyzer_noreturn)); 264 265void rdar_6777003(int x) { 266 int *p = 0; 267 268 if (x == 1) { 269 rdar_6777003_noret(); 270 *p = 1; // no-warning; 271 } 272 273 if (x == 2) { 274 rdar_6777003_analyzer_noret(); 275 *p = 1; // no-warning; 276 } 277 278 *p = 1; // expected-warning{{Dereference of null pointer}} 279} 280 281// For pointer arithmetic, --/++ should be treated as preserving non-nullness, 282// regardless of how well the underlying StoreManager reasons about pointer 283// arithmetic. 284// <rdar://problem/6777209> 285void rdar_6777209(char *p) { 286 if (p == 0) 287 return; 288 289 ++p; 290 291 // This branch should always be infeasible. 292 if (p == 0) 293 *p = 'c'; // no-warning 294} 295 296// PR 4033. A symbolic 'void *' pointer can be used as the address for a 297// computed goto. 298typedef void *Opcode; 299Opcode pr_4033_getOpcode(); 300void pr_4033(void) { 301next_opcode: 302 { 303 Opcode op = pr_4033_getOpcode(); 304 if (op) goto *op; 305 } 306} 307 308// Test invalidating pointers-to-pointers with slightly different types. This 309// example came from a recent false positive due to a regression where the 310// branch condition was falsely reported as being uninitialized. 311void invalidate_by_ref(char **x); 312int test_invalidate_by_ref() { 313 unsigned short y; 314 invalidate_by_ref((char**) &y); 315 if (y) // no-warning 316 return 1; 317 return 0; 318} 319 320// Test for <rdar://problem/7027684>. This just tests that the CFG is 321// constructed correctly. Previously, the successor block of the entrance 322// was the block containing the merge for '?', which would trigger an 323// assertion failure. 324int rdar_7027684_aux(); 325int rdar_7027684_aux_2() __attribute__((noreturn)); 326void rdar_7027684(int x, int y) { 327 {}; // this empty compound statement is critical. 328 (rdar_7027684_aux() ? rdar_7027684_aux_2() : (void) 0); 329} 330 331// Test that we handle casts of string literals to arbitrary types. 332unsigned const char *string_literal_test1() { 333 return (const unsigned char*) "hello"; 334} 335 336const float *string_literal_test2() { 337 return (const float*) "hello"; 338} 339 340// Test that we handle casts *from* incomplete struct types. 341extern const struct _FooAssertStruct _cmd; 342void test_cast_from_incomplete_struct_aux(volatile const void *x); 343void test_cast_from_incomplete_struct() { 344 test_cast_from_incomplete_struct_aux(&_cmd); 345} 346 347// Test for <rdar://problem/7034511> 348// "ValueManager::makeIntVal(uint64_t X, QualType T) should return a 'Loc' 349// when 'T' is a pointer" 350// 351// Previously this case would crash. 352void test_rdar_7034511(NSArray *y) { 353 NSObject *x; 354 for (x in y) {} 355 if (x == ((void*) 0)) {} 356} 357 358// Handle casts of function pointers (CodeTextRegions) to arbitrary pointer 359// types. This was previously causing a crash in CastRegion. 360void handle_funcptr_voidptr_casts() { 361 void **ptr; 362 typedef void *PVOID; 363 typedef void *PCHAR; 364 typedef long INT_PTR, *PINT_PTR; 365 typedef INT_PTR (*FARPROC)(); 366 FARPROC handle_funcptr_voidptr_casts_aux(); 367 PVOID handle_funcptr_voidptr_casts_aux_2(PVOID volatile *x); 368 PVOID handle_funcptr_voidptr_casts_aux_3(PCHAR volatile *x); 369 370 ptr = (void**) handle_funcptr_voidptr_casts_aux(); 371 handle_funcptr_voidptr_casts_aux_2(ptr); 372 handle_funcptr_voidptr_casts_aux_3(ptr); 373} 374 375// RegionStore::Retrieve previously crashed on this example. This example 376// was previously in the test file 'xfail_regionstore_wine_crash.c'. 377void testA() { 378 long x = 0; 379 char *y = (char *) &x; 380 if (!*y) 381 return; 382} 383 384// RegionStoreManager previously crashed on this example. The problem is that 385// the value bound to the field of b->grue after the call to testB_aux is 386// a symbolic region. The second '*__gruep__' involves performing a load 387// from a 'int*' that really is a 'void**'. The loaded location must be 388// implicitly converted to an integer that wraps a location. Previosly we would 389// get a crash here due to an assertion failure. 390typedef struct _BStruct { void *grue; } BStruct; 391void testB_aux(void *ptr); 392void testB(BStruct *b) { 393 { 394 int *__gruep__ = ((int *)&((b)->grue)); 395 int __gruev__ = *__gruep__; 396 testB_aux(__gruep__); 397 } 398 { 399 int *__gruep__ = ((int *)&((b)->grue)); 400 int __gruev__ = *__gruep__; 401 if (~0 != __gruev__) {} 402 } 403} 404 405void test_trivial_symbolic_comparison(int *x) { 406 int test_trivial_symbolic_comparison_aux(); 407 int a = test_trivial_symbolic_comparison_aux(); 408 int b = a; 409 if (a != b) { 410 int *p = 0; 411 *p = 0xDEADBEEF; // no-warning 412 } 413 414 a = a == 1; 415 b = b == 1; 416 if (a != b) { 417 int *p = 0; 418 *p = 0xDEADBEEF; // no-warning 419 } 420} 421 422// Test for: 423// <rdar://problem/7062158> false positive null dereference due to 424// BasicStoreManager not tracking *static* globals 425// 426// This just tests the proper tracking of symbolic values for globals (both 427// static and non-static). 428// 429static int* x_rdar_7062158; 430void rdar_7062158() { 431 int *current = x_rdar_7062158; 432 if (current == x_rdar_7062158) 433 return; 434 435 int *p = 0; 436 *p = 0xDEADBEEF; // no-warning 437} 438 439int* x_rdar_7062158_2; 440void rdar_7062158_2() { 441 int *current = x_rdar_7062158_2; 442 if (current == x_rdar_7062158_2) 443 return; 444 445 int *p = 0; 446 *p = 0xDEADBEEF; // no-warning 447} 448 449// This test reproduces a case for a crash when analyzing ClamAV using 450// RegionStoreManager (the crash doesn't exhibit in BasicStoreManager because 451// it isn't doing anything smart about arrays). The problem is that on the 452// second line, 'p = &p[i]', p is assigned an ElementRegion whose index 453// is a 16-bit integer. On the third line, a new ElementRegion is created 454// based on the previous region, but there the region uses a 32-bit integer, 455// resulting in a clash of values (an assertion failure at best). We resolve 456// this problem by implicitly converting index values to 'int' when the 457// ElementRegion is created. 458unsigned char test_array_index_bitwidth(const unsigned char *p) { 459 unsigned short i = 0; 460 for (i = 0; i < 2; i++) p = &p[i]; 461 return p[i+1]; 462} 463 464// This case tests that CastRegion handles casts involving BlockPointerTypes. 465// It should not crash. 466void test_block_cast() { 467 id test_block_cast_aux(); 468 (void (^)(void *))test_block_cast_aux(); // expected-warning{{expression result unused}} 469} 470 471int OSAtomicCompareAndSwap32Barrier(); 472 473// Test comparison of 'id' instance variable to a null void* constant after 474// performing an OSAtomicCompareAndSwap32Barrier. 475// This previously was a crash in RegionStoreManager. 476@interface TestIdNull { 477 id x; 478} 479-(int)foo; 480@end 481@implementation TestIdNull 482-(int)foo { 483 OSAtomicCompareAndSwap32Barrier(0, (signed)2, (signed*)&x); 484 if (x == (void*) 0) { return 0; } 485 return 1; 486} 487@end 488 489// PR 4594 - This was a crash when handling casts in SimpleSValuator. 490void PR4594() { 491 char *buf[1]; 492 char **foo = buf; 493 *foo = "test"; 494} 495 496// Test invalidation logic where an integer is casted to an array with a 497// different sign and then invalidated. 498void test_invalidate_cast_int() { 499 void test_invalidate_cast_int_aux(unsigned *i); 500 signed i; 501 test_invalidate_cast_int_aux((unsigned*) &i); 502 if (i < 0) 503 return; 504} 505 506int ivar_getOffset(); 507 508// Reduced from a crash involving the cast of an Objective-C symbolic region to 509// 'char *' 510static NSNumber *test_ivar_offset(id self, SEL _cmd, Ivar inIvar) { 511 return [[[NSNumber allocWithZone:((void*)0)] initWithBool:*(_Bool *)((char *)self + ivar_getOffset(inIvar))] autorelease]; 512} 513 514// Reduced from a crash in StoreManager::CastRegion involving a divide-by-zero. 515// This resulted from not properly handling region casts to 'const void*'. 516void test_cast_const_voidptr() { 517 char x[10]; 518 char *p = &x[1]; 519 const void* q = p; 520} 521 522// Reduced from a crash when analyzing Wine. This test handles loads from 523// function addresses. 524typedef long (*FARPROC)(); 525FARPROC test_load_func(FARPROC origfun) { 526 if (!*(unsigned char*) origfun) 527 return origfun; 528 return 0; 529} 530 531// Test passing-by-value an initialized struct variable. 532struct test_pass_val { 533 int x; 534 int y; 535}; 536void test_pass_val_aux(struct test_pass_val s); 537void test_pass_val() { 538 struct test_pass_val s; 539 s.x = 1; 540 s.y = 2; 541 test_pass_val_aux(s); 542} 543 544// This is a reduced test case of a false positive that previously appeared 545// in RegionStoreManager. Previously the array access resulted in dereferencing 546// an undefined value. 547int test_array_compound(int *q, int *r, int *z) { 548 int *array[] = { q, r, z }; 549 int j = 0; 550 for (unsigned i = 0; i < 3 ; ++i) 551 if (*array[i]) ++j; // no-warning 552 return j; 553} 554 555// This test case previously crashed with -analyzer-store=basic because the 556// symbolic value stored in 'x' wouldn't be implicitly casted to a signed value 557// during the comparison. 558int rdar_7124210(unsigned int x) { 559 enum { SOME_CONSTANT = 123 }; 560 int compare = ((signed) SOME_CONSTANT) == *((signed *) &x); 561 return compare ? 0 : 1; // Forces the evaluation of the symbolic constraint. 562} 563 564void pr4781(unsigned long *raw1) { 565 unsigned long *cook, *raw0; 566 unsigned long dough[32]; 567 int i; 568 cook = dough; 569 for( i = 0; i < 16; i++, raw1++ ) { 570 raw0 = raw1++; 571 *cook = (*raw0 & 0x00fc0000L) << 6; 572 *cook |= (*raw0 & 0x00000fc0L) << 10; 573 } 574} 575 576// <rdar://problem/7185647> - 'self' should be treated as being non-null 577// upon entry to an objective-c method. 578@interface RDar7185647 579- (id)foo; 580@end 581@implementation RDar7185647 582- (id) foo { 583 if (self) 584 return self; 585 *((volatile int *) 0x0) = 0xDEADBEEF; // no-warning 586 return self; 587} 588@end 589 590// Test reasoning of __builtin_offsetof; 591struct test_offsetof_A { 592 int x; 593 int y; 594}; 595struct test_offsetof_B { 596 int w; 597 int z; 598}; 599void test_offsetof_1() { 600 if (__builtin_offsetof(struct test_offsetof_A, x) == 601 __builtin_offsetof(struct test_offsetof_B, w)) 602 return; 603 int *p = 0; 604 *p = 0xDEADBEEF; // no-warning 605} 606void test_offsetof_2() { 607 if (__builtin_offsetof(struct test_offsetof_A, y) == 608 __builtin_offsetof(struct test_offsetof_B, z)) 609 return; 610 int *p = 0; 611 *p = 0xDEADBEEF; // no-warning 612} 613void test_offsetof_3() { 614 if (__builtin_offsetof(struct test_offsetof_A, y) - 615 __builtin_offsetof(struct test_offsetof_A, x) 616 == 617 __builtin_offsetof(struct test_offsetof_B, z) - 618 __builtin_offsetof(struct test_offsetof_B, w)) 619 return; 620 int *p = 0; 621 *p = 0xDEADBEEF; // no-warning 622} 623void test_offsetof_4() { 624 if (__builtin_offsetof(struct test_offsetof_A, y) == 625 __builtin_offsetof(struct test_offsetof_B, w)) 626 return; 627 int *p = 0; 628 *p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}} 629} 630 631// <rdar://problem/6829164> "nil receiver" false positive: make tracking 632// of the MemRegion for 'self' path-sensitive 633@interface RDar6829164 : NSObject { 634 double x; int y; 635} 636- (id) init; 637@end 638 639id rdar_6829164_1(); 640double rdar_6829164_2(); 641 642@implementation RDar6829164 643- (id) init { 644 if((self = [super init]) != 0) { 645 id z = rdar_6829164_1(); 646 y = (z != 0); 647 if (y) 648 x = rdar_6829164_2(); 649 } 650 return self; 651} 652@end 653 654// <rdar://problem/7242015> - Invalidate values passed-by-reference 655// to functions when the pointer to the value is passed as an integer. 656void test_7242015_aux(unsigned long); 657int rdar_7242015() { 658 int x; 659 test_7242015_aux((unsigned long) &x); // no-warning 660 return x; // Previously we return and uninitialized value when 661 // using RegionStore. 662} 663 664// <rdar://problem/7242006> [RegionStore] compound literal assignment with 665// floats not honored 666CGFloat rdar7242006(CGFloat x) { 667 NSSize y = (NSSize){x, 10}; 668 return y.width; // no-warning 669} 670 671// PR 4988 - This test exhibits a case where a function can be referenced 672// when not explicitly used in an "lvalue" context (as far as the analyzer is 673// concerned). This previously triggered a crash due to an invalid assertion. 674void pr_4988(void) { 675 pr_4988; // expected-warning{{expression result unused}} 676} 677 678// <rdar://problem/7152418> - A 'signed char' is used as a flag, which is 679// implicitly converted to an int. 680void *rdar7152418_bar(); 681@interface RDar7152418 { 682 signed char x; 683} 684-(char)foo; 685@end; 686@implementation RDar7152418 687-(char)foo { 688 char *p = 0; 689 void *result = 0; 690 if (x) { 691 result = rdar7152418_bar(); 692 p = "hello"; 693 } 694 if (!result) { 695 result = rdar7152418_bar(); 696 if (result && x) 697 return *p; // no-warning 698 } 699 return 1; 700} 701 702//===----------------------------------------------------------------------===// 703// Test constant-folding of symbolic values, automatically handling type 704// conversions of the symbol as necessary. 705//===----------------------------------------------------------------------===// 706 707// Previously this would crash once we started eagerly evaluating symbols whose 708// values were constrained to a single value. 709void test_symbol_fold_1(signed char x) { 710 while (1) { 711 if (x == ((signed char) 0)) {} 712 } 713} 714 715// This previously caused a crash because it triggered an assertion in APSInt. 716void test_symbol_fold_2(unsigned int * p, unsigned int n, 717 const unsigned int * grumpkin, unsigned int dn) { 718 unsigned int i; 719 unsigned int tempsub[8]; 720 unsigned int *solgrumpkin = tempsub + n; 721 for (i = 0; i < n; i++) 722 solgrumpkin[i] = (i < dn) ? ~grumpkin[i] : 0xFFFFFFFF; 723 for (i <<= 5; i < (n << 5); i++) {} 724} 725 726// This previously caused a crash because it triggered an assertion in APSInt. 727// 'x' would evaluate to a 8-bit constant (because of the return value of 728// test_symbol_fold_3_aux()) which would not get properly promoted to an 729// integer. 730char test_symbol_fold_3_aux(void); 731unsigned test_symbol_fold_3(void) { 732 unsigned x = test_symbol_fold_3_aux(); 733 if (x == 54) 734 return (x << 8) | 0x5; 735 return 0; 736} 737 738//===----------------------------------------------------------------------===// 739// Tests for the warning of casting a non-struct type to a struct type 740//===----------------------------------------------------------------------===// 741 742typedef struct {unsigned int v;} NSSwappedFloat; 743 744NSSwappedFloat test_cast_nonstruct_to_struct(float x) { 745 struct hodor { 746 float number; 747 NSSwappedFloat sf; 748 }; 749 return ((struct hodor *)&x)->sf; // expected-warning{{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption}} 750} 751 752NSSwappedFloat test_cast_nonstruct_to_union(float x) { 753 union bran { 754 float number; 755 NSSwappedFloat sf; 756 }; 757 return ((union bran *)&x)->sf; // no-warning 758} 759 760void test_undefined_array_subscript() { 761 int i, a[10]; 762 int *p = &a[i]; // expected-warning{{Array subscript is undefined}} 763} 764@end 765 766//===----------------------------------------------------------------------===// 767// Test using an uninitialized value as a branch condition. 768//===----------------------------------------------------------------------===// 769 770int test_uninit_branch(void) { 771 int x; 772 if (x) // expected-warning{{Branch condition evaluates to a garbage value}} 773 return 1; 774 return 0; 775} 776 777int test_uninit_branch_b(void) { 778 int x; 779 return x ? 1 : 0; // expected-warning{{Branch condition evaluates to a garbage value}} 780} 781 782int test_uninit_branch_c(void) { 783 int x; 784 if ((short)x) // expected-warning{{Branch condition evaluates to a garbage value}} 785 return 1; 786 return 0; 787} 788 789//===----------------------------------------------------------------------===// 790// Test passing an undefined value in a message or function call. 791//===----------------------------------------------------------------------===// 792 793void test_bad_call_aux(int x); 794void test_bad_call(void) { 795 int y; 796 test_bad_call_aux(y); // expected-warning{{Pass-by-value argument in function call is undefined}} 797} 798 799@interface TestBadArg {} 800- (void) testBadArg:(int) x; 801@end 802 803void test_bad_msg(TestBadArg *p) { 804 int y; 805 [p testBadArg:y]; // expected-warning{{Pass-by-value argument in message expression is undefined}} 806} 807 808//===----------------------------------------------------------------------===// 809// PR 6033 - Test emitting the correct output in a warning where we use '%' 810// with operands that are undefined. 811//===----------------------------------------------------------------------===// 812 813int pr6033(int x) { 814 int y; 815 return x % y; // expected-warning{{The right operand of '%' is a garbage value}} 816} 817 818struct trie { 819 struct trie* next; 820}; 821 822struct kwset { 823 struct trie *trie; 824 unsigned char delta[10]; 825 struct trie* next[10]; 826 int d; 827}; 828 829typedef struct trie trie_t; 830typedef struct kwset kwset_t; 831 832void f(kwset_t *kws, char const *p, char const *q) { 833 struct trie const *trie; 834 struct trie * const *next = kws->next; 835 register unsigned char c; 836 register char const *end = p; 837 register char const *lim = q; 838 register int d = 1; 839 register unsigned char const *delta = kws->delta; 840 841 d = delta[c = (end+=d)[-1]]; // no-warning 842 trie = next[c]; 843} 844 845//===----------------------------------------------------------------------===// 846// <rdar://problem/7593875> When handling sizeof(VLA) it leads to a hole in 847// the ExplodedGraph (causing a false positive) 848//===----------------------------------------------------------------------===// 849 850int rdar_7593875_aux(int x); 851int rdar_7593875(int n) { 852 int z[n > 10 ? 10 : n]; // VLA. 853 int v; 854 v = rdar_7593875_aux(sizeof(z)); 855 // Previously we got a false positive about 'v' being uninitialized. 856 return v; // no-warning 857} 858 859//===----------------------------------------------------------------------===// 860// Handle casts from symbolic regions (packaged as integers) to doubles. 861// Previously this caused an assertion failure. 862//===----------------------------------------------------------------------===// 863 864void *foo_rev95119(); 865void baz_rev95119(double x); 866void bar_rev95119() { 867 // foo_rev95119() returns a symbolic pointer. It is then 868 // cast to an int which is then cast to a double. 869 int value = (int) foo_rev95119(); 870 baz_rev95119((double)value); 871} 872 873//===----------------------------------------------------------------------===// 874// Handle loading a symbolic pointer from a symbolic region that was 875// invalidated by a call to an unknown function. 876//===----------------------------------------------------------------------===// 877 878void bar_rev95192(int **x); 879void foo_rev95192(int **x) { 880 *x = 0; 881 bar_rev95192(x); 882 // Not a null dereference. 883 **x = 1; // no-warning 884} 885 886//===----------------------------------------------------------------------===// 887// Handle casts of a function to a function pointer with a different return 888// value. We don't yet emit an error for such cases, but we now we at least 889// don't crash when the return value gets interpreted in a way that 890// violates our invariants. 891//===----------------------------------------------------------------------===// 892 893void *foo_rev95267(); 894int bar_rev95267() { 895 char (*Callback_rev95267)(void) = (char (*)(void)) foo_rev95267; 896 if ((*Callback_rev95267)() == (char) 0) 897 return 1; 898 return 0; 899} 900 901// Same as previous case, but handle casts to 'void'. 902int bar_rev95274() { 903 void (*Callback_rev95274)(void) = (void (*)(void)) foo_rev95267; 904 (*Callback_rev95274)(); 905 return 0; 906} 907 908void rdar7582031_test_static_init_zero() { 909 static unsigned x; 910 if (x == 0) 911 return; 912 int *p = 0; 913 *p = 0xDEADBEEF; 914} 915void rdar7582031_test_static_init_zero_b() { 916 static void* x; 917 if (x == 0) 918 return; 919 int *p = 0; 920 *p = 0xDEADBEEF; 921} 922 923//===----------------------------------------------------------------------===// 924// Test handling of parameters that are structs that contain floats and // 925// nested fields. // 926//===----------------------------------------------------------------------===// 927 928struct s_rev95547_nested { float x, y; }; 929struct s_rev95547 { 930 struct s_rev95547_nested z1; 931 struct s_rev95547_nested z2; 932}; 933float foo_rev95547(struct s_rev95547 w) { 934 return w.z1.x + 20.0; // no-warning 935} 936void foo_rev95547_b(struct s_rev95547 w) { 937 struct s_rev95547 w2 = w; 938 w2.z1.x += 20.0; // no-warning 939} 940 941//===----------------------------------------------------------------------===// 942// Test handling statement expressions that don't populate a CFG block that 943// is used to represent the computation of the RHS of a logical operator. 944// This previously triggered a crash. 945//===----------------------------------------------------------------------===// 946 947void pr6938() { 948 if (1 && ({ 949 while (0); 950 0; 951 }) == 0) { 952 } 953} 954 955void pr6938_b() { 956 if (1 && *({ // expected-warning{{Dereference of null pointer}} 957 while (0) {} 958 ({ 959 (int *) 0; 960 }); 961 }) == 0) { 962 } 963} 964 965//===----------------------------------------------------------------------===// 966// <rdar://problem/7979430> - The CFG for code containing an empty 967// @synchronized block was previously broken (and would crash the analyzer). 968//===----------------------------------------------------------------------===// 969 970void r7979430(id x) { 971 @synchronized(x) {} 972} 973 974//===----------------------------------------------------------------------=== 975// PR 7361 - Test that functions wrapped in macro instantiations are analyzed. 976//===----------------------------------------------------------------------=== 977#define MAKE_TEST_FN() \ 978 void test_pr7361 (char a) {\ 979 char* b = 0x0; *b = a;\ 980 } 981 982MAKE_TEST_FN() // expected-warning{{null pointer}} 983 984//===----------------------------------------------------------------------=== 985// PR 7491 - Test that symbolic expressions can be used as conditions. 986//===----------------------------------------------------------------------=== 987 988void pr7491 () { 989 extern int getint(); 990 int a = getint()-1; 991 if (a) { 992 return; 993 } 994 if (!a) { 995 return; 996 } else { 997 // Should be unreachable 998 (void)*(char*)0; // no-warning 999 } 1000} 1001 1002//===----------------------------------------------------------------------=== 1003// PR 7475 - Test that assumptions about global variables are reset after 1004// calling a global function. 1005//===----------------------------------------------------------------------=== 1006 1007int *pr7475_someGlobal; 1008void pr7475_setUpGlobal(); 1009 1010void pr7475() { 1011 if (pr7475_someGlobal == 0) 1012 pr7475_setUpGlobal(); 1013 *pr7475_someGlobal = 0; // no-warning 1014} 1015 1016void pr7475_warn() { 1017 static int *someStatic = 0; 1018 if (someStatic == 0) 1019 pr7475_setUpGlobal(); 1020 *someStatic = 0; // expected-warning{{null pointer}} 1021} 1022 1023