null-deref-ps.c revision 72afb3739da0da02158242ae41a50cfe0bea78b4
// RUN: clang -std=gnu99 -checker-simple -verify %s &&
// RUN: clang -std=gnu99 -checker-simple -analyzer-store-region -analyzer-purge-dead=false -verify %s

// Regression tests for the static analyzer's null-pointer-dereference
// checker (the CWE-476 bug class).  Every function below is intentionally
// unsafe or intentionally subtle: the test oracle is which dereferences the
// analyzer reports and which it correctly proves unreachable.  The per-line
// "{{...}}" markers are consumed by -verify, so the dereferences must stay
// exactly as written; "fixing" them would remove the thing under test.

#include<stdint.h>
#include <assert.h>

// Direct dereference on the null branch: the else arm only runs when p == 0.
void f1(int *p) {
  if (p) *p = 1;
  else *p = 0; // expected-warning{{ereference}}
}

struct foo_struct {
  int x;
};

// Check-then-use: the guard tells the analyzer p may be null, so the
// unguarded p->x++ after it must be reported.
int f2(struct foo_struct* p) {

  if (p)
    p->x = 1;

  return p->x++; // expected-warning{{Dereference of null pointer.}}
}

// Same pattern through an array subscript; the second subscript is only
// reached when x == 0.
int f3(char* x) {

  int i = 2;

  if (x)
    return x[i - 1];

  return x[i+1]; // expected-warning{{Dereference of null pointer.}}
}

// As f3, but the null subscript is a post-incremented lvalue.
int f3_b(char* x) {

  int i = 2;

  if (x)
    return x[i - 1];

  return x[i+1]++; // expected-warning{{Dereference of null pointer.}}
}

// Null-ness must survive a pointer -> uintptr_t -> pointer round trip:
// reaching the cast below means x == 0, i.e. the original p was null.
int f4(int *p) {

  uintptr_t x = (uintptr_t) p;

  if (x)
    return 1;

  int *q = (int*) x;
  return *q; // expected-warning{{Dereference of null pointer.}}
}

// The two initializations are deliberately ill-typed (pointer <-> integer
// with no cast) and carry their own diagnostics.  The first branch is
// infeasible because p was just assigned the address of a local array, so
// the null store inside it must not be reported; after the second block p
// is known to be 0, so the final store must be.  The bare `return;` in an
// int-returning function is presumably accepted (warning at most) under the
// gnu99 mode the RUN lines use -- it is part of the test, not a slip to fix.
int f4_b() {
  short array[2];
  uintptr_t x = array; // expected-warning{{incompatible pointer to integer conversion initializing}}
  short *p = x; // expected-warning{{incompatible integer to pointer conversion initializing}}

  // The following branch should be infeasible.
  if (!(p = &array[0])) {
    p = 0;
    *p = 1; // no-warning
  }

  if (p) {
    *p = 5; // no-warning
    p = 0;
  }
  else return;

  *p += 10; // expected-warning{{Dereference of null pointer}}
}


// A string literal is never null, so indexing it is not reported.
int f5() {

  char *s = "hello world";
  return s[0]; // no-warning
}

// nonnull with no index list covers every pointer parameter.
int bar(int* p, int q) __attribute__((nonnull));

// Passing a pointer that is known null on this path (the !p arm) to a
// nonnull parameter is reported; the other arm has p proven non-null.
int f6(int *p) {
  return !p ? bar(p, 1) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
            : bar(p, 0); // no-warning
}

// nonnull(1) restricts the check to the first parameter only.
int bar2(int* p, int q) __attribute__((nonnull(1)));

int f6b(int *p) {
  return !p ? bar2(p, 1) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
            : bar2(p, 0); // no-warning
}

// nonnull(1,3): positions 1 and 3 are checked, position 2 is a plain int.
int bar3(int*p, int q, int *r) __attribute__((nonnull(1,3)));

// In the !p arm the null p travels in position 3, which is covered; q has no
// null constraint in either arm, so only the first call is reported.
int f6c(int *p, int *q) {
  return !p ? bar3(q, 2, p) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
            : bar3(p, 2, q); // no-warning
}

// Declared without a prototype on purpose: f7 calls qux() and f9/f9b call
// qux(i).  Its result is an unconstrained pointer from the analyzer's point
// of view.  (It is redeclared identically further down; that is harmless.)
int* qux();

// Path sensitivity: p is overwritten from qux() on exactly the paths
// (0 == x) on which it is later dereferenced, so the store is not reported.
int f7(int x) {

  int* p = 0;

  if (0 == x)
    p = qux();

  if (0 == x)
    *p = 1; // no-warning

  return x;
}

// Contradictory nested conditions make both stores unreachable.  The
// function falls off its end without a return value; the test only looks
// at the dereferences.
int f8(int *p, int *q) {
  if (!p)
    if (p)
      *p = 1; // no-warning

  if (q)
    if (!q)
      *q = 1; // no-warning
}

int* qux();

// The assert guarantees at least one loop iteration, so p has been replaced
// by qux(i) before the dereference.  This relies on assert() being active
// (NDEBUG not defined).
int f9(unsigned len) {
  assert (len != 0);
  int *p = 0;
  unsigned i;

  for (i = 0; i < len; ++i)
    p = qux(i);

  return *p++; // no-warning
}

// Identical to f9 except the precondition is spelled with '>' instead of
// '!='; both must let the analyzer conclude the loop body runs.
int f9b(unsigned len) {
  assert (len > 0); // note use of '>'
  int *p = 0;
  unsigned i;

  for (i = 0; i < len; ++i)
    p = qux(i);

  return *p++; // no-warning
}

// Whenever the second `if (!x)` is taken, the first one was too, and that
// block either returned on a null p or stored through it -- so p is non-null
// at `*p = 5`.  The bare `return;` in a pointer-returning function is part of
// the original test.
int* f10(int* p, signed char x, int y) {
  // This line tests symbolication with compound assignments where the
  // LHS and RHS have different bitwidths. The new symbolic value
  // for 'x' should have a bitwidth of 8.
  x &= y;

  // This tests that our symbolication worked, and that we correctly test
  // x against 0 (with the same bitwidth).
  if (!x) {
    if (!p) return;
    *p = 10;
  }
  else p = 0;

  if (!x)
    *p = 5; // no-warning

  return p;
}

// Test case from <rdar://problem/6407949>
// An unsigned value is never below 0, so the else arm is dead and the null
// store in it must not be reported.
void f11(unsigned i) {
  int *x = 0;
  if (i >= 0) {
    // always true
  } else {
    *x = 42; // no-warning
  }
}

// Same idea from the other end of the range: nothing exceeds ~0u.
void f11b(unsigned i) {
  int *x = 0;
  if (i <= ~(unsigned)0) {
    // always true
  } else {
    *x = 42; // no-warning
  }
}

// Test case for switch statements with weird case arms.
// Windows-style typedefs used by the switch test below.  Only DWORD_PTR and
// HF12ITEM are referenced by f12; the others are unused here.
typedef int BOOL, *PBOOL, *LPBOOL;
typedef long LONG_PTR, *PLONG_PTR;
typedef unsigned long ULONG_PTR, *PULONG_PTR;
typedef ULONG_PTR DWORD_PTR, *PDWORD_PTR;
typedef LONG_PTR LRESULT;
typedef struct _F12ITEM *HF12ITEM;

// A GNU case range next to a pointer-valued case constant.  Only the
// `0 ... 10` arm continues past the switch, and on that arm p was set to
// the parameter q (which carries no null constraint), so the store is not
// reported.  The other two arms return before reaching it.
void f12(HF12ITEM i, char *q) {
  char *p = 0;
  switch ((DWORD_PTR) i) {
  case 0 ... 10:
    p = q;
    break;
  case (DWORD_PTR) ((HF12ITEM) - 65535):
    return;
  default:
    return;
  }

  *p = 1; // no-warning
}
