null-deref-ps.c revision 565e465c6d0093f1bf8414b2cabdc842022385a9 
1// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-experimental-internal-checks -std=gnu99 -analyzer-check-objc-mem -verify %s -analyzer-constraints=basic -analyzer-store=basic
2// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-experimental-internal-checks -std=gnu99 -analyzer-check-objc-mem -verify %s -analyzer-constraints=range -analyzer-store=basic
3// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-experimental-internal-checks -std=gnu99 -analyzer-check-objc-mem -analyzer-store=region -analyzer-constraints=range -analyzer-no-purge-dead -verify %s
4// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-experimental-internal-checks -std=gnu99 -analyzer-check-objc-mem -analyzer-store=region -analyzer-constraints=range -verify %s
5
6typedef unsigned uintptr_t;
7
8extern void __assert_fail (__const char *__assertion, __const char *__file,
9    unsigned int __line, __const char *__function)
10     __attribute__ ((__noreturn__));
11
12#define assert(expr) \
13  ((expr)  ? (void)(0)  : __assert_fail (#expr, __FILE__, __LINE__, __func__))
14
15void f1(int *p) {
16  if (p) *p = 1;
17  else *p = 0; // expected-warning{{ereference}}
18}
19
20struct foo_struct {
21  int x;
22};
23
24int f2(struct foo_struct* p) {
25
26  if (p)
27    p->x = 1;
28
29  return p->x++; // expected-warning{{Dereference of null pointer}}
30}
31
32int f3(char* x) {
33
34  int i = 2;
35
36  if (x)
37    return x[i - 1];
38
39  return x[i+1]; // expected-warning{{Dereference of null pointer}}
40}
41
42int f3_b(char* x) {
43
44  int i = 2;
45
46  if (x)
47    return x[i - 1];
48
49  return x[i+1]++; // expected-warning{{Dereference of null pointer}}
50}
51
52int f4(int *p) {
53
54  uintptr_t x = (uintptr_t) p;
55
56  if (x)
57    return 1;
58
59  int *q = (int*) x;
60  return *q; // expected-warning{{Dereference of null pointer loaded from variable 'q'}}
61}
62
63int f4_b() {
64  short array[2];
65  uintptr_t x = array; // expected-warning{{incompatible pointer to integer conversion initializing}}
66  short *p = x; // expected-warning{{incompatible integer to pointer conversion initializing}}
67
68  // The following branch should be infeasible.
69  if (!(p = &array[0])) {
70    p = 0;
71    *p = 1; // no-warning
72  }
73
74  if (p) {
75    *p = 5; // no-warning
76    p = 0;
77  }
78  else return; // expected-warning {{non-void function 'f4_b' should return a value}}
79
80  *p += 10; // expected-warning{{Dereference of null pointer}}
81  return 0;
82}
83
84
85int f5() {
86
87  char *s = "hello world";
88  return s[0]; // no-warning
89}
90
91int bar(int* p, int q) __attribute__((nonnull));
92
93int f6(int *p) {
94  return !p ? bar(p, 1) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
95         : bar(p, 0);   // no-warning
96}
97
98int bar2(int* p, int q) __attribute__((nonnull(1)));
99
100int f6b(int *p) {
101  return !p ? bar2(p, 1) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
102         : bar2(p, 0);   // no-warning
103}
104
105int bar3(int*p, int q, int *r) __attribute__((nonnull(1,3)));
106
107int f6c(int *p, int *q) {
108   return !p ? bar3(q, 2, p) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
109             : bar3(p, 2, q); // no-warning
110}
111
112void f6d(int *p) {
113  bar(p, 0);
114  // At this point, 'p' cannot be null.
115  if (!p) {
116    int *q = 0;
117    *q = 0xDEADBEEF; // no-warning
118  }
119}
120
121int* qux();
122
123int f7(int x) {
124
125  int* p = 0;
126
127  if (0 == x)
128    p = qux();
129
130  if (0 == x)
131    *p = 1; // no-warning
132
133  return x;
134}
135
136int* f7b(int *x) {
137
138  int* p = 0;
139
140  if (((void*)0) == x)
141    p = qux();
142
143  if (((void*)0) == x)
144    *p = 1; // no-warning
145
146  return x;
147}
148
149int* f7c(int *x) {
150
151  int* p = 0;
152
153  if (((void*)0) == x)
154    p = qux();
155
156  if (((void*)0) != x)
157    return x;
158
159  // If we reach here then 'p' is not null.
160  *p = 1; // no-warning
161  return x;
162}
163
164int* f7c2(int *x) {
165
166  int* p = 0;
167
168  if (((void*)0) == x)
169    p = qux();
170
171  if (((void*)0) == x)
172    return x;
173
174  *p = 1; // expected-warning{{null}}
175  return x;
176}
177
178
179void f8(int *p, int *q) {
180  if (!p)
181    if (p)
182      *p = 1; // no-warning
183
184  if (q)
185    if (!q)
186      *q = 1; // no-warning
187}
188
189int* qux();
190
191int f9(unsigned len) {
192  assert (len != 0);
193  int *p = 0;
194  unsigned i;
195
196  for (i = 0; i < len; ++i)
197   p = qux(i);
198
199  return *p++; // no-warning
200}
201
202int f9b(unsigned len) {
203  assert (len > 0);  // note use of '>'
204  int *p = 0;
205  unsigned i;
206
207  for (i = 0; i < len; ++i)
208   p = qux(i);
209
210  return *p++; // no-warning
211}
212
213int* f10(int* p, signed char x, int y) {
214  // This line tests symbolication with compound assignments where the
215  // LHS and RHS have different bitwidths.  The new symbolic value
216  // for 'x' should have a bitwidth of 8.
217  x &= y;
218
219  // This tests that our symbolication worked, and that we correctly test
220  // x against 0 (with the same bitwidth).
221  if (!x) {
222    if (!p) return; // expected-warning {{non-void function 'f10' should return a value}}
223    *p = 10;
224  }
225  else p = 0;
226
227  if (!x)
228    *p = 5; // no-warning
229
230  return p;
231}
232
233// Test case from <rdar://problem/6407949>
234void f11(unsigned i) {
235  int *x = 0;
236  if (i >= 0) {
237    // always true
238  } else {
239    *x = 42; // no-warning
240  }
241}
242
243void f11b(unsigned i) {
244  int *x = 0;
245  if (i <= ~(unsigned)0) {
246    // always true
247  } else {
248    *x = 42; // no-warning
249  }
250}
251
252// Test case for switch statements with weird case arms.
253typedef int     BOOL, *PBOOL, *LPBOOL;
254typedef long    LONG_PTR, *PLONG_PTR;
255typedef unsigned long ULONG_PTR, *PULONG_PTR;
256typedef ULONG_PTR DWORD_PTR, *PDWORD_PTR;
257typedef LONG_PTR LRESULT;
258typedef struct _F12ITEM *HF12ITEM;
259
260void f12(HF12ITEM i, char *q) {
261  char *p = 0;
262  switch ((DWORD_PTR) i) {
263  case 0 ... 10:
264    p = q;
265    break;
266  case (DWORD_PTR) ((HF12ITEM) - 65535):
267    return;
268  default:
269    return;
270  }
271
272  *p = 1; // no-warning
273}
274
275// Test handling of translating between integer "pointers" and back.
276void f13() {
277  int *x = 0;
278  if (((((int) x) << 2) + 1) >> 1) *x = 1; // no-warning
279}
280
281// PR 4759 - Attribute non-null checking by the analyzer was not correctly
282// handling pointer values that were undefined.
283void pr4759_aux(int *p) __attribute__((nonnull));
284
285void pr4759() {
286  int *p;
287  pr4759_aux(p); // expected-warning{{undefined}}
288}
289
290
291