misc-ps.m revision e030358cc06e1cbce3c2e00ca67c946f9164b2a8
1// NOTE: Use '-fobjc-gc' to test the analysis being run twice, and multiple reports are not issued. 2// RUN: %clang_cc1 -analyze -analyzer-experimental-internal-checks -checker-cfref -analyzer-store=basic -fobjc-gc -analyzer-constraints=basic -verify -fblocks %s 3// RUN: %clang_cc1 -analyze -analyzer-experimental-internal-checks -checker-cfref -analyzer-store=basic -analyzer-constraints=range -verify -fblocks %s 4// RUN: %clang_cc1 -analyze -analyzer-experimental-internal-checks -checker-cfref -analyzer-store=region -analyzer-constraints=basic -verify -fblocks %s 5// RUN: %clang_cc1 -analyze -analyzer-experimental-internal-checks -checker-cfref -analyzer-store=region -analyzer-constraints=range -verify -fblocks %s 6 7typedef struct objc_ivar *Ivar; 8typedef struct objc_selector *SEL; 9typedef signed char BOOL; 10typedef int NSInteger; 11typedef unsigned int NSUInteger; 12typedef struct _NSZone NSZone; 13@class NSInvocation, NSArray, NSMethodSignature, NSCoder, NSString, NSEnumerator; 14@protocol NSObject 15- (BOOL)isEqual:(id)object; 16- (id)autorelease; 17@end 18@protocol NSCopying 19- (id)copyWithZone:(NSZone *)zone; 20@end 21@protocol NSMutableCopying - (id)mutableCopyWithZone:(NSZone *)zone; @end 22@protocol NSCoding 23- (void)encodeWithCoder:(NSCoder *)aCoder; 24@end 25@interface NSObject <NSObject> {} 26- (id)init; 27+ (id)allocWithZone:(NSZone *)zone; 28@end 29extern id NSAllocateObject(Class aClass, NSUInteger extraBytes, NSZone *zone); 30@interface NSString : NSObject <NSCopying, NSMutableCopying, NSCoding> 31- (NSUInteger)length; 32+ (id)stringWithUTF8String:(const char *)nullTerminatedCString; 33@end extern NSString * const NSBundleDidLoadNotification; 34@interface NSValue : NSObject <NSCopying, NSCoding> 35- (void)getValue:(void *)value; 36@end 37@interface NSNumber : NSValue 38- (char)charValue; 39- (id)initWithBool:(BOOL)value; 40@end 41@interface NSAssertionHandler : NSObject {} 42+ (NSAssertionHandler *)currentHandler; 43- (void)handleFailureInMethod:(SEL)selector object:(id)object file:(NSString *)fileName lineNumber:(NSInteger)line description:(NSString *)format,...; 44@end 45extern NSString * const NSConnectionReplyMode; 46typedef float CGFloat; 47typedef struct _NSPoint { 48 CGFloat x; 49 CGFloat y; 50} NSPoint; 51typedef struct _NSSize { 52 CGFloat width; 53 CGFloat height; 54} NSSize; 55typedef struct _NSRect { 56 NSPoint origin; 57 NSSize size; 58} NSRect; 59 60// Reduced test case from crash in <rdar://problem/6253157> 61@interface A @end 62@implementation A 63- (void)foo:(void (^)(NSObject *x))block { 64 if (!((block != ((void *)0)))) {} 65} 66@end 67 68// Reduced test case from crash in PR 2796; 69// http://llvm.org/bugs/show_bug.cgi?id=2796 70 71unsigned foo(unsigned x) { return __alignof__((x)) + sizeof(x); } 72 73// Improvement to path-sensitivity involving compound assignments. 74// Addresses false positive in <rdar://problem/6268365> 75// 76 77unsigned r6268365Aux(); 78 79void r6268365() { 80 unsigned x = 0; 81 x &= r6268365Aux(); 82 unsigned j = 0; 83 84 if (x == 0) ++j; 85 if (x == 0) x = x / j; // no-warning 86} 87 88void divzeroassume(unsigned x, unsigned j) { 89 x /= j; 90 if (j == 0) x /= 0; // no-warning 91 if (j == 0) x /= j; // no-warning 92 if (j == 0) x = x / 0; // no-warning 93} 94 95void divzeroassumeB(unsigned x, unsigned j) { 96 x = x / j; 97 if (j == 0) x /= 0; // no-warning 98 if (j == 0) x /= j; // no-warning 99 if (j == 0) x = x / 0; // no-warning 100} 101 102// InitListExpr processing 103 104typedef float __m128 __attribute__((__vector_size__(16), __may_alias__)); 105__m128 return128() { 106 // This compound literal has a Vector type. We currently just 107 // return UnknownVal. 108 return __extension__(__m128) { 0.0f, 0.0f, 0.0f, 0.0f }; 109} 110 111typedef long long __v2di __attribute__ ((__vector_size__ (16))); 112typedef long long __m128i __attribute__ ((__vector_size__ (16), __may_alias__)); 113__m128i vec128i(long long __q1, long long __q0) { 114 // This compound literal returns true for both isVectorType() and 115 // isIntegerType(). 116 return __extension__ (__m128i)(__v2di){ __q0, __q1 }; 117} 118 119// Zero-sized VLAs. 120void check_zero_sized_VLA(int x) { 121 if (x) 122 return; 123 124 int vla[x]; // expected-warning{{Declared variable-length array (VLA) has zero size}} 125} 126 127void check_uninit_sized_VLA() { 128 int x; 129 int vla[x]; // expected-warning{{Declared variable-length array (VLA) uses a garbage value as its size}} 130} 131 132// sizeof(void) 133// - Tests a regression reported in PR 3211: http://llvm.org/bugs/show_bug.cgi?id=3211 134void handle_sizeof_void(unsigned flag) { 135 int* p = 0; 136 137 if (flag) { 138 if (sizeof(void) == 1) 139 return; 140 // Infeasible. 141 *p = 1; // no-warning 142 } 143 144 void* q; 145 146 if (!flag) { 147 if (sizeof(*q) == 1) 148 return; 149 // Infeasibe. 150 *p = 1; // no-warning 151 } 152 153 // Infeasible. 154 *p = 1; // no-warning 155} 156 157// check deference of undefined values 158void check_deref_undef(void) { 159 int *p; 160 *p = 0xDEADBEEF; // expected-warning{{Dereference of undefined pointer value}} 161} 162 163// PR 3422 164void pr3422_helper(char *p); 165void pr3422() { 166 char buf[100]; 167 char *q = &buf[10]; 168 pr3422_helper(&q[1]); 169} 170 171// PR 3543 (handle empty statement expressions) 172void pr_3543(void) { 173 ({}); 174} 175 176// <rdar://problem/6611677> 177// This test case test the use of a vector type within an array subscript 178// expression. 179typedef long long __a64vector __attribute__((__vector_size__(8))); 180typedef long long __a128vector __attribute__((__vector_size__(16))); 181static inline __a64vector __attribute__((__always_inline__, __nodebug__)) 182my_test_mm_movepi64_pi64(__a128vector a) { 183 return (__a64vector)a[0]; 184} 185 186// Test basic tracking of ivars associated with 'self'. 187@interface SelfIvarTest : NSObject { 188 int flag; 189} 190- (void)test_self_tracking; 191@end 192 193@implementation SelfIvarTest 194- (void)test_self_tracking { 195 char *p = 0; 196 char c; 197 198 if (flag) 199 p = "hello"; 200 201 if (flag) 202 c = *p; // no-warning 203} 204@end 205 206// PR 3770 207char pr3770(int x) { 208 int y = x & 0x2; 209 char *p = 0; 210 if (y == 1) 211 p = "hello"; 212 213 if (y == 1) 214 return p[0]; // no-warning 215 216 return 'a'; 217} 218 219// PR 3772 220// - We just want to test that this doesn't crash the analyzer. 221typedef struct st ST; 222struct st { char *name; }; 223extern ST *Cur_Pu; 224 225void pr3772(void) 226{ 227 static ST *last_Cur_Pu; 228 if (last_Cur_Pu == Cur_Pu) { 229 return; 230 } 231} 232 233// PR 3780 - This tests that StmtIterator isn't broken for VLAs in DeclGroups. 234void pr3780(int sz) { typedef double MAT[sz][sz]; } 235 236// <rdar://problem/6695527> - Test that we don't symbolicate doubles before 237// we are ready to do something with them. 238int rdar6695527(double x) { 239 if (!x) { return 0; } 240 return 1; 241} 242 243// <rdar://problem/6708148> - Test that we properly invalidate structs 244// passed-by-reference to a function. 245void pr6708148_invalidate(NSRect *x); 246void pr6708148_use(NSRect x); 247void pr6708148_test(void) { 248 NSRect x; 249 pr6708148_invalidate(&x); 250 pr6708148_use(x); // no-warning 251} 252 253// Handle both kinds of noreturn attributes for pruning paths. 254void rdar_6777003_noret() __attribute__((noreturn)); 255void rdar_6777003_analyzer_noret() __attribute__((analyzer_noreturn)); 256 257void rdar_6777003(int x) { 258 int *p = 0; 259 260 if (x == 1) { 261 rdar_6777003_noret(); 262 *p = 1; // no-warning; 263 } 264 265 if (x == 2) { 266 rdar_6777003_analyzer_noret(); 267 *p = 1; // no-warning; 268 } 269 270 *p = 1; // expected-warning{{Dereference of null pointer}} 271} 272 273// For pointer arithmetic, --/++ should be treated as preserving non-nullness, 274// regardless of how well the underlying StoreManager reasons about pointer 275// arithmetic. 276// <rdar://problem/6777209> 277void rdar_6777209(char *p) { 278 if (p == 0) 279 return; 280 281 ++p; 282 283 // This branch should always be infeasible. 284 if (p == 0) 285 *p = 'c'; // no-warning 286} 287 288// PR 4033. A symbolic 'void *' pointer can be used as the address for a 289// computed goto. 290typedef void *Opcode; 291Opcode pr_4033_getOpcode(); 292void pr_4033(void) { 293next_opcode: 294 { 295 Opcode op = pr_4033_getOpcode(); 296 if (op) goto *op; 297 } 298} 299 300// Test invalidating pointers-to-pointers with slightly different types. This 301// example came from a recent false positive due to a regression where the 302// branch condition was falsely reported as being uninitialized. 303void invalidate_by_ref(char **x); 304int test_invalidate_by_ref() { 305 unsigned short y; 306 invalidate_by_ref((char**) &y); 307 if (y) // no-warning 308 return 1; 309 return 0; 310} 311 312// Test for <rdar://problem/7027684>. This just tests that the CFG is 313// constructed correctly. Previously, the successor block of the entrance 314// was the block containing the merge for '?', which would trigger an 315// assertion failure. 316int rdar_7027684_aux(); 317int rdar_7027684_aux_2() __attribute__((noreturn)); 318void rdar_7027684(int x, int y) { 319 {}; // this empty compound statement is critical. 320 (rdar_7027684_aux() ? rdar_7027684_aux_2() : (void) 0); 321} 322 323// Test that we handle casts of string literals to arbitrary types. 324unsigned const char *string_literal_test1() { 325 return (const unsigned char*) "hello"; 326} 327 328const float *string_literal_test2() { 329 return (const float*) "hello"; 330} 331 332// Test that we handle casts *from* incomplete struct types. 333extern const struct _FooAssertStruct _cmd; 334void test_cast_from_incomplete_struct_aux(volatile const void *x); 335void test_cast_from_incomplete_struct() { 336 test_cast_from_incomplete_struct_aux(&_cmd); 337} 338 339// Test for <rdar://problem/7034511> 340// "ValueManager::makeIntVal(uint64_t X, QualType T) should return a 'Loc' 341// when 'T' is a pointer" 342// 343// Previously this case would crash. 344void test_rdar_7034511(NSArray *y) { 345 NSObject *x; 346 for (x in y) {} 347 if (x == ((void*) 0)) {} 348} 349 350// Handle casts of function pointers (CodeTextRegions) to arbitrary pointer 351// types. This was previously causing a crash in CastRegion. 352void handle_funcptr_voidptr_casts() { 353 void **ptr; 354 typedef void *PVOID; 355 typedef void *PCHAR; 356 typedef long INT_PTR, *PINT_PTR; 357 typedef INT_PTR (*FARPROC)(); 358 FARPROC handle_funcptr_voidptr_casts_aux(); 359 PVOID handle_funcptr_voidptr_casts_aux_2(PVOID volatile *x); 360 PVOID handle_funcptr_voidptr_casts_aux_3(PCHAR volatile *x); 361 362 ptr = (void**) handle_funcptr_voidptr_casts_aux(); 363 handle_funcptr_voidptr_casts_aux_2(ptr); 364 handle_funcptr_voidptr_casts_aux_3(ptr); 365} 366 367// RegionStore::Retrieve previously crashed on this example. This example 368// was previously in the test file 'xfail_regionstore_wine_crash.c'. 369void testA() { 370 long x = 0; 371 char *y = (char *) &x; 372 if (!*y) 373 return; 374} 375 376// RegionStoreManager previously crashed on this example. The problem is that 377// the value bound to the field of b->grue after the call to testB_aux is 378// a symbolic region. The second '*__gruep__' involves performing a load 379// from a 'int*' that really is a 'void**'. The loaded location must be 380// implicitly converted to an integer that wraps a location. Previosly we would 381// get a crash here due to an assertion failure. 382typedef struct _BStruct { void *grue; } BStruct; 383void testB_aux(void *ptr); 384void testB(BStruct *b) { 385 { 386 int *__gruep__ = ((int *)&((b)->grue)); 387 int __gruev__ = *__gruep__; 388 testB_aux(__gruep__); 389 } 390 { 391 int *__gruep__ = ((int *)&((b)->grue)); 392 int __gruev__ = *__gruep__; 393 if (~0 != __gruev__) {} 394 } 395} 396 397void test_trivial_symbolic_comparison(int *x) { 398 int test_trivial_symbolic_comparison_aux(); 399 int a = test_trivial_symbolic_comparison_aux(); 400 int b = a; 401 if (a != b) { 402 int *p = 0; 403 *p = 0xDEADBEEF; // no-warning 404 } 405 406 a = a == 1; 407 b = b == 1; 408 if (a != b) { 409 int *p = 0; 410 *p = 0xDEADBEEF; // no-warning 411 } 412} 413 414// Test for: 415// <rdar://problem/7062158> false positive null dereference due to 416// BasicStoreManager not tracking *static* globals 417// 418// This just tests the proper tracking of symbolic values for globals (both 419// static and non-static). 420// 421static int* x_rdar_7062158; 422void rdar_7062158() { 423 int *current = x_rdar_7062158; 424 if (current == x_rdar_7062158) 425 return; 426 427 int *p = 0; 428 *p = 0xDEADBEEF; // no-warning 429} 430 431int* x_rdar_7062158_2; 432void rdar_7062158_2() { 433 int *current = x_rdar_7062158_2; 434 if (current == x_rdar_7062158_2) 435 return; 436 437 int *p = 0; 438 *p = 0xDEADBEEF; // no-warning 439} 440 441// This test reproduces a case for a crash when analyzing ClamAV using 442// RegionStoreManager (the crash doesn't exhibit in BasicStoreManager because 443// it isn't doing anything smart about arrays). The problem is that on the 444// second line, 'p = &p[i]', p is assigned an ElementRegion whose index 445// is a 16-bit integer. On the third line, a new ElementRegion is created 446// based on the previous region, but there the region uses a 32-bit integer, 447// resulting in a clash of values (an assertion failure at best). We resolve 448// this problem by implicitly converting index values to 'int' when the 449// ElementRegion is created. 450unsigned char test_array_index_bitwidth(const unsigned char *p) { 451 unsigned short i = 0; 452 for (i = 0; i < 2; i++) p = &p[i]; 453 return p[i+1]; 454} 455 456// This case tests that CastRegion handles casts involving BlockPointerTypes. 457// It should not crash. 458void test_block_cast() { 459 id test_block_cast_aux(); 460 (void (^)(void *))test_block_cast_aux(); // expected-warning{{expression result unused}} 461} 462 463int OSAtomicCompareAndSwap32Barrier(); 464 465// Test comparison of 'id' instance variable to a null void* constant after 466// performing an OSAtomicCompareAndSwap32Barrier. 467// This previously was a crash in RegionStoreManager. 468@interface TestIdNull { 469 id x; 470} 471-(int)foo; 472@end 473@implementation TestIdNull 474-(int)foo { 475 OSAtomicCompareAndSwap32Barrier(0, (signed)2, (signed*)&x); 476 if (x == (void*) 0) { return 0; } 477 return 1; 478} 479@end 480 481// PR 4594 - This was a crash when handling casts in SimpleSValuator. 482void PR4594() { 483 char *buf[1]; 484 char **foo = buf; 485 *foo = "test"; 486} 487 488// Test invalidation logic where an integer is casted to an array with a 489// different sign and then invalidated. 490void test_invalidate_cast_int() { 491 void test_invalidate_cast_int_aux(unsigned *i); 492 signed i; 493 test_invalidate_cast_int_aux((unsigned*) &i); 494 if (i < 0) 495 return; 496} 497 498int ivar_getOffset(); 499 500// Reduced from a crash involving the cast of an Objective-C symbolic region to 501// 'char *' 502static NSNumber *test_ivar_offset(id self, SEL _cmd, Ivar inIvar) { 503 return [[[NSNumber allocWithZone:((void*)0)] initWithBool:*(_Bool *)((char *)self + ivar_getOffset(inIvar))] autorelease]; 504} 505 506// Reduced from a crash in StoreManager::CastRegion involving a divide-by-zero. 507// This resulted from not properly handling region casts to 'const void*'. 508void test_cast_const_voidptr() { 509 char x[10]; 510 char *p = &x[1]; 511 const void* q = p; 512} 513 514// Reduced from a crash when analyzing Wine. This test handles loads from 515// function addresses. 516typedef long (*FARPROC)(); 517FARPROC test_load_func(FARPROC origfun) { 518 if (!*(unsigned char*) origfun) 519 return origfun; 520 return 0; 521} 522 523// Test passing-by-value an initialized struct variable. 524struct test_pass_val { 525 int x; 526 int y; 527}; 528void test_pass_val_aux(struct test_pass_val s); 529void test_pass_val() { 530 struct test_pass_val s; 531 s.x = 1; 532 s.y = 2; 533 test_pass_val_aux(s); 534} 535 536// This is a reduced test case of a false positive that previously appeared 537// in RegionStoreManager. Previously the array access resulted in dereferencing 538// an undefined value. 539int test_array_compound(int *q, int *r, int *z) { 540 int *array[] = { q, r, z }; 541 int j = 0; 542 for (unsigned i = 0; i < 3 ; ++i) 543 if (*array[i]) ++j; // no-warning 544 return j; 545} 546 547// This test case previously crashed with -analyzer-store=basic because the 548// symbolic value stored in 'x' wouldn't be implicitly casted to a signed value 549// during the comparison. 550int rdar_7124210(unsigned int x) { 551 enum { SOME_CONSTANT = 123 }; 552 int compare = ((signed) SOME_CONSTANT) == *((signed *) &x); 553 return compare ? 0 : 1; // Forces the evaluation of the symbolic constraint. 554} 555 556void pr4781(unsigned long *raw1) { 557 unsigned long *cook, *raw0; 558 unsigned long dough[32]; 559 int i; 560 cook = dough; 561 for( i = 0; i < 16; i++, raw1++ ) { 562 raw0 = raw1++; 563 *cook = (*raw0 & 0x00fc0000L) << 6; 564 *cook |= (*raw0 & 0x00000fc0L) << 10; 565 } 566} 567 568// <rdar://problem/7185647> - 'self' should be treated as being non-null 569// upon entry to an objective-c method. 570@interface RDar7185647 571- (id)foo; 572@end 573@implementation RDar7185647 574- (id) foo { 575 if (self) 576 return self; 577 *((int *) 0x0) = 0xDEADBEEF; // no-warning 578 return self; 579} 580@end 581 582// Test reasoning of __builtin_offsetof; 583struct test_offsetof_A { 584 int x; 585 int y; 586}; 587struct test_offsetof_B { 588 int w; 589 int z; 590}; 591void test_offsetof_1() { 592 if (__builtin_offsetof(struct test_offsetof_A, x) == 593 __builtin_offsetof(struct test_offsetof_B, w)) 594 return; 595 int *p = 0; 596 *p = 0xDEADBEEF; // no-warning 597} 598void test_offsetof_2() { 599 if (__builtin_offsetof(struct test_offsetof_A, y) == 600 __builtin_offsetof(struct test_offsetof_B, z)) 601 return; 602 int *p = 0; 603 *p = 0xDEADBEEF; // no-warning 604} 605void test_offsetof_3() { 606 if (__builtin_offsetof(struct test_offsetof_A, y) - 607 __builtin_offsetof(struct test_offsetof_A, x) 608 == 609 __builtin_offsetof(struct test_offsetof_B, z) - 610 __builtin_offsetof(struct test_offsetof_B, w)) 611 return; 612 int *p = 0; 613 *p = 0xDEADBEEF; // no-warning 614} 615void test_offsetof_4() { 616 if (__builtin_offsetof(struct test_offsetof_A, y) == 617 __builtin_offsetof(struct test_offsetof_B, w)) 618 return; 619 int *p = 0; 620 *p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}} 621} 622 623// <rdar://problem/6829164> "nil receiver" false positive: make tracking 624// of the MemRegion for 'self' path-sensitive 625@interface RDar6829164 : NSObject { 626 double x; int y; 627} 628- (id) init; 629@end 630 631id rdar_6829164_1(); 632double rdar_6829164_2(); 633 634@implementation RDar6829164 635- (id) init { 636 if((self = [super init]) != 0) { 637 id z = rdar_6829164_1(); 638 y = (z != 0); 639 if (y) 640 x = rdar_6829164_2(); 641 } 642 return self; 643} 644@end 645 646// <rdar://problem/7242015> - Invalidate values passed-by-reference 647// to functions when the pointer to the value is passed as an integer. 648void test_7242015_aux(unsigned long); 649int rdar_7242015() { 650 int x; 651 test_7242015_aux((unsigned long) &x); // no-warning 652 return x; // Previously we return and uninitialized value when 653 // using RegionStore. 654} 655 656// <rdar://problem/7242006> [RegionStore] compound literal assignment with 657// floats not honored 658CGFloat rdar7242006(CGFloat x) { 659 NSSize y = (NSSize){x, 10}; 660 return y.width; // no-warning 661} 662 663// PR 4988 - This test exhibits a case where a function can be referenced 664// when not explicitly used in an "lvalue" context (as far as the analyzer is 665// concerned). This previously triggered a crash due to an invalid assertion. 666void pr_4988(void) { 667 pr_4988; // expected-warning{{expression result unused}} 668} 669 670// <rdar://problem/7152418> - A 'signed char' is used as a flag, which is 671// implicitly converted to an int. 672void *rdar7152418_bar(); 673@interface RDar7152418 { 674 signed char x; 675} 676-(char)foo; 677@end; 678@implementation RDar7152418 679-(char)foo { 680 char *p = 0; 681 void *result = 0; 682 if (x) { 683 result = rdar7152418_bar(); 684 p = "hello"; 685 } 686 if (!result) { 687 result = rdar7152418_bar(); 688 if (result && x) 689 return *p; // no-warning 690 } 691 return 1; 692} 693 694//===----------------------------------------------------------------------===// 695// Test constant-folding of symbolic values, automatically handling type 696// conversions of the symbol as necessary. 697//===----------------------------------------------------------------------===// 698 699// Previously this would crash once we started eagerly evaluating symbols whose 700// values were constrained to a single value. 701void test_symbol_fold_1(signed char x) { 702 while (1) { 703 if (x == ((signed char) 0)) {} 704 } 705} 706 707// This previously caused a crash because it triggered an assertion in APSInt. 708void test_symbol_fold_2(unsigned int * p, unsigned int n, 709 const unsigned int * grumpkin, unsigned int dn) { 710 unsigned int i; 711 unsigned int tempsub[8]; 712 unsigned int *solgrumpkin = tempsub + n; 713 for (i = 0; i < n; i++) 714 solgrumpkin[i] = (i < dn) ? ~grumpkin[i] : 0xFFFFFFFF; 715 for (i <<= 5; i < (n << 5); i++) {} 716} 717 718// This previously caused a crash because it triggered an assertion in APSInt. 719// 'x' would evaluate to a 8-bit constant (because of the return value of 720// test_symbol_fold_3_aux()) which would not get properly promoted to an 721// integer. 722char test_symbol_fold_3_aux(void); 723unsigned test_symbol_fold_3(void) { 724 unsigned x = test_symbol_fold_3_aux(); 725 if (x == 54) 726 return (x << 8) | 0x5; 727 return 0; 728} 729 730//===----------------------------------------------------------------------===// 731// Tests for the warning of casting a non-struct type to a struct type 732//===----------------------------------------------------------------------===// 733 734typedef struct {unsigned int v;} NSSwappedFloat; 735 736NSSwappedFloat test_cast_nonstruct_to_struct(float x) { 737 struct hodor { 738 float number; 739 NSSwappedFloat sf; 740 }; 741 return ((struct hodor *)&x)->sf; // expected-warning{{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption}} 742} 743 744NSSwappedFloat test_cast_nonstruct_to_union(float x) { 745 union bran { 746 float number; 747 NSSwappedFloat sf; 748 }; 749 return ((union bran *)&x)->sf; // no-warning 750} 751 752void test_undefined_array_subscript() { 753 int i, a[10]; 754 int *p = &a[i]; // expected-warning{{Array subscript is undefined}} 755} 756@end 757 758//===----------------------------------------------------------------------===// 759// Test using an uninitialized value as a branch condition. 760//===----------------------------------------------------------------------===// 761 762int test_uninit_branch(void) { 763 int x; 764 if (x) // expected-warning{{Branch condition evaluates to a garbage value}} 765 return 1; 766 return 0; 767} 768 769int test_uninit_branch_b(void) { 770 int x; 771 return x ? 1 : 0; // expected-warning{{Branch condition evaluates to a garbage value}} 772} 773 774int test_uninit_branch_c(void) { 775 int x; 776 if ((short)x) // expected-warning{{Branch condition evaluates to a garbage value}} 777 return 1; 778 return 0; 779} 780 781//===----------------------------------------------------------------------===// 782// Test passing an undefined value in a message or function call. 783//===----------------------------------------------------------------------===// 784 785void test_bad_call_aux(int x); 786void test_bad_call(void) { 787 int y; 788 test_bad_call_aux(y); // expected-warning{{Pass-by-value argument in function call is undefined}} 789} 790 791@interface TestBadArg {} 792- (void) testBadArg:(int) x; 793@end 794 795void test_bad_msg(TestBadArg *p) { 796 int y; 797 [p testBadArg:y]; // expected-warning{{Pass-by-value argument in message expression is undefined}} 798} 799 800