misc-ps.m revision c32b24452ebb537934b20b7133a3a0cbce447666
1// NOTE: Use '-fobjc-gc' to test the analysis being run twice, and multiple reports are not issued. 2// RUN: clang-cc -analyze -checker-cfref --analyzer-store=basic -fobjc-gc -analyzer-constraints=basic --verify -fblocks %s && 3// RUN: clang-cc -analyze -checker-cfref --analyzer-store=basic -analyzer-constraints=range --verify -fblocks %s && 4// RUN: clang-cc -analyze -checker-cfref --analyzer-store=region -analyzer-constraints=basic --verify -fblocks %s && 5// RUN: clang-cc -analyze -checker-cfref --analyzer-store=region -analyzer-constraints=range --verify -fblocks %s 6 7typedef struct objc_ivar *Ivar; 8typedef struct objc_selector *SEL; 9typedef signed char BOOL; 10typedef int NSInteger; 11typedef unsigned int NSUInteger; 12typedef struct _NSZone NSZone; 13@class NSInvocation, NSArray, NSMethodSignature, NSCoder, NSString, NSEnumerator; 14@protocol NSObject 15- (BOOL)isEqual:(id)object; 16- (id)autorelease; 17@end 18@protocol NSCopying 19- (id)copyWithZone:(NSZone *)zone; 20@end 21@protocol NSMutableCopying - (id)mutableCopyWithZone:(NSZone *)zone; @end 22@protocol NSCoding 23- (void)encodeWithCoder:(NSCoder *)aCoder; 24@end 25@interface NSObject <NSObject> {} 26- (id)init; 27+ (id)allocWithZone:(NSZone *)zone; 28@end 29extern id NSAllocateObject(Class aClass, NSUInteger extraBytes, NSZone *zone); 30@interface NSString : NSObject <NSCopying, NSMutableCopying, NSCoding> 31- (NSUInteger)length; 32+ (id)stringWithUTF8String:(const char *)nullTerminatedCString; 33@end extern NSString * const NSBundleDidLoadNotification; 34@interface NSValue : NSObject <NSCopying, NSCoding> 35- (void)getValue:(void *)value; 36@end 37@interface NSNumber : NSValue 38- (char)charValue; 39- (id)initWithBool:(BOOL)value; 40@end 41@interface NSAssertionHandler : NSObject {} 42+ (NSAssertionHandler *)currentHandler; 43- (void)handleFailureInMethod:(SEL)selector object:(id)object file:(NSString *)fileName lineNumber:(NSInteger)line description:(NSString *)format,...; 44@end 45extern NSString * const NSConnectionReplyMode; 46typedef float CGFloat; 47typedef struct _NSPoint { 48 CGFloat x; 49 CGFloat y; 50} NSPoint; 51typedef struct _NSSize { 52 CGFloat width; 53 CGFloat height; 54} NSSize; 55typedef struct _NSRect { 56 NSPoint origin; 57 NSSize size; 58} NSRect; 59 60// Reduced test case from crash in <rdar://problem/6253157> 61@interface A @end 62@implementation A 63- (void)foo:(void (^)(NSObject *x))block { 64 if (!((block != ((void *)0)))) {} 65} 66@end 67 68// Reduced test case from crash in PR 2796; 69// http://llvm.org/bugs/show_bug.cgi?id=2796 70 71unsigned foo(unsigned x) { return __alignof__((x)) + sizeof(x); } 72 73// Improvement to path-sensitivity involving compound assignments. 74// Addresses false positive in <rdar://problem/6268365> 75// 76 77unsigned r6268365Aux(); 78 79void r6268365() { 80 unsigned x = 0; 81 x &= r6268365Aux(); 82 unsigned j = 0; 83 84 if (x == 0) ++j; 85 if (x == 0) x = x / j; // no-warning 86} 87 88void divzeroassume(unsigned x, unsigned j) { 89 x /= j; 90 if (j == 0) x /= 0; // no-warning 91 if (j == 0) x /= j; // no-warning 92 if (j == 0) x = x / 0; // no-warning 93} 94 95void divzeroassumeB(unsigned x, unsigned j) { 96 x = x / j; 97 if (j == 0) x /= 0; // no-warning 98 if (j == 0) x /= j; // no-warning 99 if (j == 0) x = x / 0; // no-warning 100} 101 102// InitListExpr processing 103 104typedef float __m128 __attribute__((__vector_size__(16), __may_alias__)); 105__m128 return128() { 106 // This compound literal has a Vector type. We currently just 107 // return UnknownVal. 108 return __extension__(__m128) { 0.0f, 0.0f, 0.0f, 0.0f }; 109} 110 111typedef long long __v2di __attribute__ ((__vector_size__ (16))); 112typedef long long __m128i __attribute__ ((__vector_size__ (16), __may_alias__)); 113__m128i vec128i(long long __q1, long long __q0) { 114 // This compound literal returns true for both isVectorType() and 115 // isIntegerType(). 116 return __extension__ (__m128i)(__v2di){ __q0, __q1 }; 117} 118 119// Zero-sized VLAs. 120void check_zero_sized_VLA(int x) { 121 if (x) 122 return; 123 124 int vla[x]; // expected-warning{{Variable-length array 'vla' has zero elements (undefined behavior)}} 125} 126 127void check_uninit_sized_VLA() { 128 int x; 129 int vla[x]; // expected-warning{{Variable-length array 'vla' garbage value for array size}} 130} 131 132// sizeof(void) 133// - Tests a regression reported in PR 3211: http://llvm.org/bugs/show_bug.cgi?id=3211 134void handle_sizeof_void(unsigned flag) { 135 int* p = 0; 136 137 if (flag) { 138 if (sizeof(void) == 1) 139 return; 140 // Infeasible. 141 *p = 1; // no-warning 142 } 143 144 void* q; 145 146 if (!flag) { 147 if (sizeof(*q) == 1) 148 return; 149 // Infeasibe. 150 *p = 1; // no-warning 151 } 152 153 // Infeasible. 154 *p = 1; // no-warning 155} 156 157// PR 3422 158void pr3422_helper(char *p); 159void pr3422() { 160 char buf[100]; 161 char *q = &buf[10]; 162 pr3422_helper(&q[1]); 163} 164 165// PR 3543 (handle empty statement expressions) 166void pr_3543(void) { 167 ({}); 168} 169 170// <rdar://problem/6611677> 171// This test case test the use of a vector type within an array subscript 172// expression. 173typedef long long __a64vector __attribute__((__vector_size__(8))); 174typedef long long __a128vector __attribute__((__vector_size__(16))); 175static inline __a64vector __attribute__((__always_inline__, __nodebug__)) 176my_test_mm_movepi64_pi64(__a128vector a) { 177 return (__a64vector)a[0]; 178} 179 180// Test basic tracking of ivars associated with 'self'. 181@interface SelfIvarTest : NSObject { 182 int flag; 183} 184- (void)test_self_tracking; 185@end 186 187@implementation SelfIvarTest 188- (void)test_self_tracking { 189 char *p = 0; 190 char c; 191 192 if (flag) 193 p = "hello"; 194 195 if (flag) 196 c = *p; // no-warning 197} 198@end 199 200// PR 3770 201char pr3770(int x) { 202 int y = x & 0x2; 203 char *p = 0; 204 if (y == 1) 205 p = "hello"; 206 207 if (y == 1) 208 return p[0]; // no-warning 209 210 return 'a'; 211} 212 213// PR 3772 214// - We just want to test that this doesn't crash the analyzer. 215typedef struct st ST; 216struct st { char *name; }; 217extern ST *Cur_Pu; 218 219void pr3772(void) 220{ 221 static ST *last_Cur_Pu; 222 if (last_Cur_Pu == Cur_Pu) { 223 return; 224 } 225} 226 227// PR 3780 - This tests that StmtIterator isn't broken for VLAs in DeclGroups. 228void pr3780(int sz) { typedef double MAT[sz][sz]; } 229 230// <rdar://problem/6695527> - Test that we don't symbolicate doubles before 231// we are ready to do something with them. 232int rdar6695527(double x) { 233 if (!x) { return 0; } 234 return 1; 235} 236 237// <rdar://problem/6708148> - Test that we properly invalidate structs 238// passed-by-reference to a function. 239void pr6708148_invalidate(NSRect *x); 240void pr6708148_use(NSRect x); 241void pr6708148_test(void) { 242 NSRect x; 243 pr6708148_invalidate(&x); 244 pr6708148_use(x); // no-warning 245} 246 247// Handle both kinds of noreturn attributes for pruning paths. 248void rdar_6777003_noret() __attribute__((noreturn)); 249void rdar_6777003_analyzer_noret() __attribute__((analyzer_noreturn)); 250 251void rdar_6777003(int x) { 252 int *p = 0; 253 254 if (x == 1) { 255 rdar_6777003_noret(); 256 *p = 1; // no-warning; 257 } 258 259 if (x == 2) { 260 rdar_6777003_analyzer_noret(); 261 *p = 1; // no-warning; 262 } 263 264 *p = 1; // expected-warning{{Dereference of null pointer}} 265} 266 267// For pointer arithmetic, --/++ should be treated as preserving non-nullness, 268// regardless of how well the underlying StoreManager reasons about pointer 269// arithmetic. 270// <rdar://problem/6777209> 271void rdar_6777209(char *p) { 272 if (p == 0) 273 return; 274 275 ++p; 276 277 // This branch should always be infeasible. 278 if (p == 0) 279 *p = 'c'; // no-warning 280} 281 282// PR 4033. A symbolic 'void *' pointer can be used as the address for a 283// computed goto. 284typedef void *Opcode; 285Opcode pr_4033_getOpcode(); 286void pr_4033(void) { 287next_opcode: 288 { 289 Opcode op = pr_4033_getOpcode(); 290 if (op) goto *op; 291 } 292} 293 294// Test invalidating pointers-to-pointers with slightly different types. This 295// example came from a recent false positive due to a regression where the 296// branch condition was falsely reported as being uninitialized. 297void invalidate_by_ref(char **x); 298int test_invalidate_by_ref() { 299 unsigned short y; 300 invalidate_by_ref((char**) &y); 301 if (y) // no-warning 302 return 1; 303 return 0; 304} 305 306// Test for <rdar://problem/7027684>. This just tests that the CFG is 307// constructed correctly. Previously, the successor block of the entrance 308// was the block containing the merge for '?', which would trigger an 309// assertion failure. 310int rdar_7027684_aux(); 311int rdar_7027684_aux_2() __attribute__((noreturn)); 312void rdar_7027684(int x, int y) { 313 {}; // this empty compound statement is critical. 314 (rdar_7027684_aux() ? rdar_7027684_aux_2() : (void) 0); 315} 316 317// Test that we handle casts of string literals to arbitrary types. 318unsigned const char *string_literal_test1() { 319 return (const unsigned char*) "hello"; 320} 321 322const float *string_literal_test2() { 323 return (const float*) "hello"; 324} 325 326// Test that we handle casts *from* incomplete struct types. 327extern const struct _FooAssertStruct _cmd; 328void test_cast_from_incomplete_struct_aux(volatile const void *x); 329void test_cast_from_incomplete_struct() { 330 test_cast_from_incomplete_struct_aux(&_cmd); 331} 332 333// Test for <rdar://problem/7034511> 334// "ValueManager::makeIntVal(uint64_t X, QualType T) should return a 'Loc' 335// when 'T' is a pointer" 336// 337// Previously this case would crash. 338void test_rdar_7034511(NSArray *y) { 339 NSObject *x; 340 for (x in y) {} 341 if (x == ((void*) 0)) {} 342} 343 344// Handle casts of function pointers (CodeTextRegions) to arbitrary pointer 345// types. This was previously causing a crash in CastRegion. 346void handle_funcptr_voidptr_casts() { 347 void **ptr; 348 typedef void *PVOID; 349 typedef void *PCHAR; 350 typedef long INT_PTR, *PINT_PTR; 351 typedef INT_PTR (*FARPROC)(); 352 FARPROC handle_funcptr_voidptr_casts_aux(); 353 PVOID handle_funcptr_voidptr_casts_aux_2(PVOID volatile *x); 354 PVOID handle_funcptr_voidptr_casts_aux_3(PCHAR volatile *x); 355 356 ptr = (void**) handle_funcptr_voidptr_casts_aux(); 357 handle_funcptr_voidptr_casts_aux_2(ptr); 358 handle_funcptr_voidptr_casts_aux_3(ptr); 359} 360 361// RegionStore::Retrieve previously crashed on this example. This example 362// was previously in the test file 'xfail_regionstore_wine_crash.c'. 363void testA() { 364 long x = 0; 365 char *y = (char *) &x; 366 if (!*y) 367 return; 368} 369 370// RegionStoreManager previously crashed on this example. The problem is that 371// the value bound to the field of b->grue after the call to testB_aux is 372// a symbolic region. The second '*__gruep__' involves performing a load 373// from a 'int*' that really is a 'void**'. The loaded location must be 374// implicitly converted to an integer that wraps a location. Previosly we would 375// get a crash here due to an assertion failure. 376typedef struct _BStruct { void *grue; } BStruct; 377void testB_aux(void *ptr); 378void testB(BStruct *b) { 379 { 380 int *__gruep__ = ((int *)&((b)->grue)); 381 int __gruev__ = *__gruep__; 382 testB_aux(__gruep__); 383 } 384 { 385 int *__gruep__ = ((int *)&((b)->grue)); 386 int __gruev__ = *__gruep__; 387 if (~0 != __gruev__) {} 388 } 389} 390 391void test_trivial_symbolic_comparison(int *x) { 392 int test_trivial_symbolic_comparison_aux(); 393 int a = test_trivial_symbolic_comparison_aux(); 394 int b = a; 395 if (a != b) { 396 int *p = 0; 397 *p = 0xDEADBEEF; // no-warning 398 } 399 400 a = a == 1; 401 b = b == 1; 402 if (a != b) { 403 int *p = 0; 404 *p = 0xDEADBEEF; // no-warning 405 } 406} 407 408// Test for: 409// <rdar://problem/7062158> false positive null dereference due to 410// BasicStoreManager not tracking *static* globals 411// 412// This just tests the proper tracking of symbolic values for globals (both 413// static and non-static). 414// 415static int* x_rdar_7062158; 416void rdar_7062158() { 417 int *current = x_rdar_7062158; 418 if (current == x_rdar_7062158) 419 return; 420 421 int *p = 0; 422 *p = 0xDEADBEEF; // no-warning 423} 424 425int* x_rdar_7062158_2; 426void rdar_7062158_2() { 427 int *current = x_rdar_7062158_2; 428 if (current == x_rdar_7062158_2) 429 return; 430 431 int *p = 0; 432 *p = 0xDEADBEEF; // no-warning 433} 434 435// This test reproduces a case for a crash when analyzing ClamAV using 436// RegionStoreManager (the crash doesn't exhibit in BasicStoreManager because 437// it isn't doing anything smart about arrays). The problem is that on the 438// second line, 'p = &p[i]', p is assigned an ElementRegion whose index 439// is a 16-bit integer. On the third line, a new ElementRegion is created 440// based on the previous region, but there the region uses a 32-bit integer, 441// resulting in a clash of values (an assertion failure at best). We resolve 442// this problem by implicitly converting index values to 'int' when the 443// ElementRegion is created. 444unsigned char test_array_index_bitwidth(const unsigned char *p) { 445 unsigned short i = 0; 446 for (i = 0; i < 2; i++) p = &p[i]; 447 return p[i+1]; 448} 449 450// This case tests that CastRegion handles casts involving BlockPointerTypes. 451// It should not crash. 452void test_block_cast() { 453 id test_block_cast_aux(); 454 (void (^)(void *))test_block_cast_aux(); // expected-warning{{expression result unused}} 455} 456 457// Test comparison of 'id' instance variable to a null void* constant after 458// performing an OSAtomicCompareAndSwap32Barrier. 459// This previously was a crash in RegionStoreManager. 460@interface TestIdNull { 461 id x; 462} 463-(int)foo; 464@end 465@implementation TestIdNull 466-(int)foo { 467 OSAtomicCompareAndSwap32Barrier(0, (signed)2, (signed*)&x); 468 if (x == (void*) 0) { return 0; } 469 return 1; 470} 471@end 472 473// PR 4594 - This was a crash when handling casts in SimpleSValuator. 474void PR4594() { 475 char *buf[1]; 476 char **foo = buf; 477 *foo = "test"; 478} 479 480// Test invalidation logic where an integer is casted to an array with a 481// different sign and then invalidated. 482void test_invalidate_cast_int() { 483 void test_invalidate_cast_int_aux(unsigned *i); 484 signed i; 485 test_invalidate_cast_int_aux((unsigned*) &i); 486 if (i < 0) 487 return; 488} 489 490// Reduced from a crash involving the cast of an Objective-C symbolic region to 491// 'char *' 492static NSNumber *test_ivar_offset(id self, SEL _cmd, Ivar inIvar) { 493 return [[[NSNumber allocWithZone:((void*)0)] initWithBool:*(_Bool *)((char *)self + ivar_getOffset(inIvar))] autorelease]; 494} 495 496// Reduced from a crash in StoreManager::CastRegion involving a divide-by-zero. 497// This resulted from not properly handling region casts to 'const void*'. 498void test_cast_const_voidptr() { 499 char x[10]; 500 char *p = &x[1]; 501 const void* q = p; 502} 503 504// Reduced from a crash when analyzing Wine. This test handles loads from 505// function addresses. 506typedef long (*FARPROC)(); 507FARPROC test_load_func(FARPROC origfun) { 508 if (!*(unsigned char*) origfun) 509 return origfun; 510 return 0; 511} 512 513// Test passing-by-value an initialized struct variable. 514struct test_pass_val { 515 int x; 516 int y; 517}; 518void test_pass_val_aux(struct test_pass_val s); 519void test_pass_val() { 520 struct test_pass_val s; 521 s.x = 1; 522 s.y = 2; 523 test_pass_val_aux(s); 524} 525 526// This is a reduced test case of a false positive that previously appeared 527// in RegionStoreManager. Previously the array access resulted in dereferencing 528// an undefined value. 529int test_array_compound(int *q, int *r, int *z) { 530 int *array[] = { q, r, z }; 531 int j = 0; 532 for (unsigned i = 0; i < 3 ; ++i) 533 if (*array[i]) ++j; // no-warning 534 return j; 535} 536 537// This test case previously crashed with -analyzer-store=basic because the 538// symbolic value stored in 'x' wouldn't be implicitly casted to a signed value 539// during the comparison. 540int rdar_7124210(unsigned int x) { 541 enum { SOME_CONSTANT = 123 }; 542 int compare = ((signed) SOME_CONSTANT) == *((signed *) &x); 543 return compare ? 0 : 1; // Forces the evaluation of the symbolic constraint. 544} 545 546void pr4781(unsigned long *raw1) { 547 unsigned long *cook, *raw0; 548 unsigned long dough[32]; 549 int i; 550 cook = dough; 551 for( i = 0; i < 16; i++, raw1++ ) { 552 raw0 = raw1++; 553 *cook = (*raw0 & 0x00fc0000L) << 6; 554 *cook |= (*raw0 & 0x00000fc0L) << 10; 555 } 556} 557 558// <rdar://problem/7185647> - 'self' should be treated as being non-null 559// upon entry to an objective-c method. 560@interface RDar7185647 561- (id)foo; 562@end 563@implementation RDar7185647 564- (id) foo { 565 if (self) 566 return self; 567 *((int *) 0x0) = 0xDEADBEEF; // no-warning 568 return self; 569} 570@end 571 572// Test reasoning of __builtin_offsetof; 573struct test_offsetof_A { 574 int x; 575 int y; 576}; 577struct test_offsetof_B { 578 int w; 579 int z; 580}; 581void test_offsetof_1() { 582 if (__builtin_offsetof(struct test_offsetof_A, x) == 583 __builtin_offsetof(struct test_offsetof_B, w)) 584 return; 585 int *p = 0; 586 *p = 0xDEADBEEF; // no-warning 587} 588void test_offsetof_2() { 589 if (__builtin_offsetof(struct test_offsetof_A, y) == 590 __builtin_offsetof(struct test_offsetof_B, z)) 591 return; 592 int *p = 0; 593 *p = 0xDEADBEEF; // no-warning 594} 595void test_offsetof_3() { 596 if (__builtin_offsetof(struct test_offsetof_A, y) - 597 __builtin_offsetof(struct test_offsetof_A, x) 598 == 599 __builtin_offsetof(struct test_offsetof_B, z) - 600 __builtin_offsetof(struct test_offsetof_B, w)) 601 return; 602 int *p = 0; 603 *p = 0xDEADBEEF; // no-warning 604} 605void test_offsetof_4() { 606 if (__builtin_offsetof(struct test_offsetof_A, y) == 607 __builtin_offsetof(struct test_offsetof_B, w)) 608 return; 609 int *p = 0; 610 *p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}} 611} 612 613// <rdar://problem/6829164> "nil receiver" false positive: make tracking 614// of the MemRegion for 'self' path-sensitive 615@interface RDar6829164 : NSObject { 616 double x; int y; 617} 618- (id) init; 619@end 620 621id rdar_6829164_1(); 622double rdar_6829164_2(); 623 624@implementation RDar6829164 625- (id) init { 626 if((self = [super init]) != 0) { 627 id z = rdar_6829164_1(); 628 y = (z != 0); 629 if (y) 630 x = rdar_6829164_2(); 631 } 632 return self; 633} 634@end 635