null-deref-ps.c revision 40bfbbc8a56bb1cff136c8cd44ced7e673f21a5e
1// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-experimental-internal-checks -std=gnu99 -analyzer-check-objc-mem -verify %s -analyzer-constraints=basic -analyzer-store=basic -Wreturn-type 2// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-experimental-internal-checks -std=gnu99 -analyzer-check-objc-mem -verify %s -analyzer-constraints=range -analyzer-store=basic -Wreturn-type 3// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-experimental-internal-checks -std=gnu99 -analyzer-check-objc-mem -analyzer-store=region -analyzer-constraints=range -analyzer-no-purge-dead -verify %s -Wreturn-type 4// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-experimental-internal-checks -std=gnu99 -analyzer-check-objc-mem -analyzer-store=region -analyzer-constraints=range -verify %s -Wreturn-type 5 6typedef unsigned uintptr_t; 7 8extern void __assert_fail (__const char *__assertion, __const char *__file, 9 unsigned int __line, __const char *__function) 10 __attribute__ ((__noreturn__)); 11 12#define assert(expr) \ 13 ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__)) 14 15void f1(int *p) { 16 if (p) *p = 1; 17 else *p = 0; // expected-warning{{ereference}} 18} 19 20struct foo_struct { 21 int x; 22}; 23 24int f2(struct foo_struct* p) { 25 26 if (p) 27 p->x = 1; 28 29 return p->x++; // expected-warning{{Field access results in a dereference of a null pointer (loaded from variable 'p')}} 30} 31 32int f3(char* x) { 33 34 int i = 2; 35 36 if (x) 37 return x[i - 1]; 38 39 return x[i+1]; // expected-warning{{Dereference of null pointer}} 40} 41 42int f3_b(char* x) { 43 44 int i = 2; 45 46 if (x) 47 return x[i - 1]; 48 49 return x[i+1]++; // expected-warning{{Dereference of null pointer}} 50} 51 52int f4(int *p) { 53 54 uintptr_t x = (uintptr_t) p; 55 56 if (x) 57 return 1; 58 59 int *q = (int*) x; 60 return *q; // expected-warning{{Dereference of null pointer (loaded from variable 'q')}} 61} 62 63int f4_b() { 64 short array[2]; 65 uintptr_t x = array; // expected-warning{{incompatible pointer to integer conversion}} 66 short *p = x; // expected-warning{{incompatible integer to pointer conversion}} 67 68 // The following branch should be infeasible. 69 if (!(p == &array[0])) { // expected-warning{{Both operands to '==' always have the same value}} 70 p = 0; 71 *p = 1; // no-warning 72 } 73 74 if (p) { 75 *p = 5; // no-warning 76 p = 0; 77 } 78 else return; // expected-warning {{non-void function 'f4_b' should return a value}} 79 80 *p += 10; // expected-warning{{Dereference of null pointer}} 81 return 0; 82} 83 84int f5() { 85 86 char *s = "hello world"; 87 return s[0]; // no-warning 88} 89 90int bar(int* p, int q) __attribute__((nonnull)); 91 92int f6(int *p) { 93 return !p ? bar(p, 1) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}} 94 : bar(p, 0); // no-warning 95} 96 97int bar2(int* p, int q) __attribute__((nonnull(1))); 98 99int f6b(int *p) { 100 return !p ? bar2(p, 1) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}} 101 : bar2(p, 0); // no-warning 102} 103 104int bar3(int*p, int q, int *r) __attribute__((nonnull(1,3))); 105 106int f6c(int *p, int *q) { 107 return !p ? bar3(q, 2, p) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}} 108 : bar3(p, 2, q); // no-warning 109} 110 111void f6d(int *p) { 112 bar(p, 0); 113 // At this point, 'p' cannot be null. 114 if (!p) { 115 int *q = 0; 116 *q = 0xDEADBEEF; // no-warning 117 } 118} 119 120void f6e(int *p, int offset) { 121 // PR7406 - crash from treating an UnknownVal as defined, to see if it's 0. 122 bar((p+offset)+1, 0); // not crash 123} 124 125int* qux(); 126 127int f7(int x) { 128 129 int* p = 0; 130 131 if (0 == x) 132 p = qux(); 133 134 if (0 == x) 135 *p = 1; // no-warning 136 137 return x; 138} 139 140int* f7b(int *x) { 141 142 int* p = 0; 143 144 if (((void*)0) == x) 145 p = qux(); 146 147 if (((void*)0) == x) 148 *p = 1; // no-warning 149 150 return x; 151} 152 153int* f7c(int *x) { 154 155 int* p = 0; 156 157 if (((void*)0) == x) 158 p = qux(); 159 160 if (((void*)0) != x) 161 return x; 162 163 // If we reach here then 'p' is not null. 164 *p = 1; // no-warning 165 return x; 166} 167 168int* f7c2(int *x) { 169 170 int* p = 0; 171 172 if (((void*)0) == x) 173 p = qux(); 174 175 if (((void*)0) == x) 176 return x; 177 178 *p = 1; // expected-warning{{null}} 179 return x; 180} 181 182 183void f8(int *p, int *q) { 184 if (!p) 185 if (p) 186 *p = 1; // no-warning 187 188 if (q) 189 if (!q) 190 *q = 1; // no-warning 191} 192 193int* qux(); 194 195int f9(unsigned len) { 196 assert (len != 0); 197 int *p = 0; 198 unsigned i; 199 200 for (i = 0; i < len; ++i) 201 p = qux(i); 202 203 return *p++; // no-warning 204} 205 206int f9b(unsigned len) { 207 assert (len > 0); // note use of '>' 208 int *p = 0; 209 unsigned i; 210 211 for (i = 0; i < len; ++i) 212 p = qux(i); 213 214 return *p++; // no-warning 215} 216 217int* f10(int* p, signed char x, int y) { 218 // This line tests symbolication with compound assignments where the 219 // LHS and RHS have different bitwidths. The new symbolic value 220 // for 'x' should have a bitwidth of 8. 221 x &= y; 222 223 // This tests that our symbolication worked, and that we correctly test 224 // x against 0 (with the same bitwidth). 225 if (!x) { 226 if (!p) return; // expected-warning {{non-void function 'f10' should return a value}} 227 *p = 10; 228 } 229 else p = 0; 230 231 if (!x) 232 *p = 5; // no-warning 233 234 return p; 235} 236 237// Test case from <rdar://problem/6407949> 238void f11(unsigned i) { 239 int *x = 0; 240 if (i >= 0) { 241 // always true 242 } else { 243 *x = 42; // no-warning 244 } 245} 246 247void f11b(unsigned i) { 248 int *x = 0; 249 if (i <= ~(unsigned)0) { 250 // always true 251 } else { 252 *x = 42; // no-warning 253 } 254} 255 256// Test case for switch statements with weird case arms. 257typedef int BOOL, *PBOOL, *LPBOOL; 258typedef long LONG_PTR, *PLONG_PTR; 259typedef unsigned long ULONG_PTR, *PULONG_PTR; 260typedef ULONG_PTR DWORD_PTR, *PDWORD_PTR; 261typedef LONG_PTR LRESULT; 262typedef struct _F12ITEM *HF12ITEM; 263 264void f12(HF12ITEM i, char *q) { 265 char *p = 0; 266 switch ((DWORD_PTR) i) { 267 case 0 ... 10: 268 p = q; 269 break; 270 case (DWORD_PTR) ((HF12ITEM) - 65535): 271 return; 272 default: 273 return; 274 } 275 276 *p = 1; // no-warning 277} 278 279// Test handling of translating between integer "pointers" and back. 280void f13() { 281 int *x = 0; 282 if (((((int) x) << 2) + 1) >> 1) *x = 1; 283} 284 285// PR 4759 - Attribute non-null checking by the analyzer was not correctly 286// handling pointer values that were undefined. 287void pr4759_aux(int *p) __attribute__((nonnull)); 288 289void pr4759() { 290 int *p; 291 pr4759_aux(p); // expected-warning{{undefined}} 292} 293 294 295