null-deref-ps.c revision 2c0ccd045514ae4dc951fb45b7c29216ba109bf7
// RUN: clang-cc -analyze -std=gnu99 -checker-simple -verify %s &&
// RUN: clang-cc -analyze -std=gnu99 -checker-simple -verify %s -analyzer-constraints=range &&
// RUN: clang-cc -analyze -std=gnu99 -checker-simple -analyzer-store=region -analyzer-purge-dead=false -verify %s &&
// RUN: clang-cc -analyze -std=gnu99 -checker-cfref -analyzer-store=region -verify %s

// Regression tests for the static analyzer's null-dereference checking.
// Each function below is a small path-sensitive scenario.  The trailing
// annotation on a line states whether `-verify` must see a diagnostic
// there; a "no-warning" line is a false-positive guard -- any report on
// it fails the test.  The RUN lines repeat the analysis under several
// configurations (basic and region store, range constraints, dead-symbol
// purging disabled) so that every store/constraint manager must agree.
// The annotation text is matched as a substring of the diagnostic, which
// is why a fragment such as "ereference" is enough.  Several functions
// deliberately `return;` from, or fall off the end of, a non-void body;
// that is part of what is being tested, not a mistake to fix.

#include<stdint.h>
#include <assert.h>

// True positive: on the else-branch 'p' is known to be null, so the store
// through it is a guaranteed null dereference.
void f1(int *p) {
  if (p) *p = 1;
  else *p = 0; // expected-warning{{ereference}}
}

struct foo_struct {
  int x;
};

// The null check guards only the first store; the post-increment after it
// dereferences 'p' on the path where the check failed.
int f2(struct foo_struct* p) {

  if (p)
    p->x = 1;

  return p->x++; // expected-warning{{Dereference of null pointer.}}
}

// Subscripting a null char pointer with a computed index.  Only the
// fall-through path (x == 0) is reported; the guarded read is fine.
int f3(char* x) {

  int i = 2;

  if (x)
    return x[i - 1];

  return x[i+1]; // expected-warning{{Dereference of null pointer.}}
}

// Same as f3, but the element is used as an lvalue (post-increment) so the
// dereference happens on a store rather than a load.
int f3_b(char* x) {

  int i = 2;

  if (x)
    return x[i - 1];

  return x[i+1]++; // expected-warning{{Dereference of null pointer.}}
}

// Pointer laundered through uintptr_t: once 'x' is constrained to zero,
// the pointer rebuilt from it is null, and the analyzer must carry that
// constraint across the integer round-trip.
int f4(int *p) {

  uintptr_t x = (uintptr_t) p;

  if (x)
    return 1;

  int *q = (int*) x;
  return *q; // expected-warning{{Dereference of null pointer.}}
}

// Ill-typed pointer/integer conversions (the two initializers carry their
// own front-end diagnostics).  Assigning the address of a stack array
// inside the condition makes the first branch infeasible, so the store
// there must not be reported; the final '*p += 10' is reached only after
// 'p' was explicitly reset to 0 and must be.
int f4_b() {
  short array[2];
  uintptr_t x = array; // expected-warning{{incompatible pointer to integer conversion initializing}}
  short *p = x; // expected-warning{{incompatible integer to pointer conversion initializing}}

  // The following branch should be infeasible.
  if (!(p = &array[0])) {
    p = 0;
    *p = 1; // no-warning
  }

  if (p) {
    *p = 5; // no-warning
    p = 0;
  }
  else return; // expected-warning {{non-void function 'f4_b' should return a value}}

  *p += 10; // expected-warning{{Dereference of null pointer}}
}


// Indexing a string literal is a valid, in-bounds read.
int f5() {

  char *s = "hello world";
  return s[0]; // no-warning
}

// nonnull with no argument list: every pointer parameter must be non-null.
int bar(int* p, int q) __attribute__((nonnull));

// Passing a pointer known to be null to a nonnull parameter is reported on
// the '!p' branch only; the other branch passes a non-null 'p'.
int f6(int *p) {
  return !p ? bar(p, 1) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
            : bar(p, 0); // no-warning
}

// nonnull restricted to parameter 1.
int bar2(int* p, int q) __attribute__((nonnull(1)));

int f6b(int *p) {
  return !p ? bar2(p, 1) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
            : bar2(p, 0); // no-warning
}

// nonnull on parameters 1 and 3.
int bar3(int*p, int q, int *r) __attribute__((nonnull(1,3)));

// On the '!p' branch the null 'p' sits in position 3 (checked) and the
// unconstrained 'q' in position 1, so the call is reported.  On the other
// branch 'p' is non-null and 'q' is merely unknown, so nothing is reported.
int f6c(int *p, int *q) {
  return !p ? bar3(q, 2, p) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
            : bar3(p, 2, q); // no-warning
}

// Declared without a prototype (empty parentheses) on purpose: f9/f9b call
// it with an argument, which gnu99 still permits.  Its return value is
// opaque to the analyzer.  It is redeclared (identically) further down.
int* qux();

// Correlated conditions: both 'if's test the same '0 == x', so the store is
// reached only on the path where 'p' was assigned from qux().
int f7(int x) {

  int* p = 0;

  if (0 == x)
    p = qux();

  if (0 == x)
    *p = 1; // no-warning

  return x;
}

// Contradictory nested conditions ('!p' then 'p', 'q' then '!q') make both
// inner stores unreachable; the analyzer must prune those paths.  The
// function is declared int but has no return statement; no diagnostic is
// annotated for that, so none may be emitted under these RUN lines.
int f8(int *p, int *q) {
  if (!p)
    if (p)
      *p = 1; // no-warning

  if (q)
    if (!q)
      *q = 1; // no-warning
}

int* qux();

// assert() constrains 'len' away from zero, so the loop body runs at least
// once and 'p' is assigned before the dereference.
int f9(unsigned len) {
  assert (len != 0);
  int *p = 0;
  unsigned i;

  for (i = 0; i < len; ++i)
    p = qux(i);

  return *p++; // no-warning
}

// Same as f9 but the assert is relational ('>') rather than an equality
// test, exercising the constraint manager on a range constraint.
int f9b(unsigned len) {
  assert (len > 0); // note use of '>'
  int *p = 0;
  unsigned i;

  for (i = 0; i < len; ++i)
    p = qux(i);

  return *p++; // no-warning
}

// Pointer state correlated with an 8-bit symbol: the second '!x' test must
// take the same branch as the first, so 'p' is non-null (and was already
// stored through) whenever the final '*p = 5' is reached.
int* f10(int* p, signed char x, int y) {
  // This line tests symbolication with compound assignments where the
  // LHS and RHS have different bitwidths. The new symbolic value
  // for 'x' should have a bitwidth of 8.
  x &= y;

  // This tests that our symbolication worked, and that we correctly test
  // x against 0 (with the same bitwidth).
  if (!x) {
    if (!p) return; // expected-warning {{non-void function 'f10' should return a value}}
    *p = 10;
  }
  else p = 0;

  if (!x)
    *p = 5; // no-warning

  return p;
}

// Test case from <rdar://problem/6407949>
// 'i' is unsigned, so 'i >= 0' is tautologically true and the else branch,
// where the null 'x' is written, is dead.
void f11(unsigned i) {
  int *x = 0;
  if (i >= 0) {
    // always true
  } else {
    *x = 42; // no-warning
  }
}

// Same idea with the upper bound: ~(unsigned)0 is the largest unsigned
// value, so 'i <= ~(unsigned)0' always holds.
void f11b(unsigned i) {
  int *x = 0;
  if (i <= ~(unsigned)0) {
    // always true
  } else {
    *x = 42; // no-warning
  }
}

// Test case for switch statements with weird case arms.
// The typedef chain mirrors Windows-SDK-style integer/pointer names so that
// the case label below can cast a pointer to DWORD_PTR.
typedef int BOOL, *PBOOL, *LPBOOL;
typedef long LONG_PTR, *PLONG_PTR;
typedef unsigned long ULONG_PTR, *PULONG_PTR;
typedef ULONG_PTR DWORD_PTR, *PDWORD_PTR;
typedef LONG_PTR LRESULT;
typedef struct _F12ITEM *HF12ITEM;

// GNU case range plus a pointer-cast case label.  Every path that reaches
// the final store went through the 'case 0 ... 10' arm that assigns p = q;
// the other arms return, so 'p' is never the initial null there.
void f12(HF12ITEM i, char *q) {
  char *p = 0;
  switch ((DWORD_PTR) i) {
  case 0 ... 10:
    p = q;
    break;
  case (DWORD_PTR) ((HF12ITEM) - 65535):
    return;
  default:
    return;
  }

  *p = 1; // no-warning
}

// Test handling of translating between integer "pointers" and back.
// With x == 0 the condition evaluates ((0 << 2) + 1) >> 1 == 0, so the
// store is never executed and must not be reported.
void f13() {
  int *x = 0;
  if (((((int) x) << 2) + 1) >> 1) *x = 1; // no-warning
}