null-deref-ps.c revision 818b433a943653b329df56bdaa1b18385603d2bd 
1// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-experimental-internal-checks -std=gnu99 -analyzer-check-objc-mem -verify %s -analyzer-constraints=basic -analyzer-store=basic -Wreturn-type
2// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-experimental-internal-checks -std=gnu99 -analyzer-check-objc-mem -verify %s -analyzer-constraints=range -analyzer-store=basic -Wreturn-type
3// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-experimental-internal-checks -std=gnu99 -analyzer-check-objc-mem -analyzer-store=region -analyzer-constraints=range -analyzer-no-purge-dead -verify %s -Wreturn-type
4// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-experimental-internal-checks -std=gnu99 -analyzer-check-objc-mem -analyzer-store=region -analyzer-constraints=range -verify %s -Wreturn-type
5
6typedef unsigned uintptr_t;
7
8extern void __assert_fail (__const char *__assertion, __const char *__file,
9    unsigned int __line, __const char *__function)
10     __attribute__ ((__noreturn__));
11
12#define assert(expr) \
13  ((expr)  ? (void)(0)  : __assert_fail (#expr, __FILE__, __LINE__, __func__))
14
15void f1(int *p) {
16  if (p) *p = 1;
17  else *p = 0; // expected-warning{{ereference}}
18}
19
20struct foo_struct {
21  int x;
22};
23
24int f2(struct foo_struct* p) {
25
26  if (p)
27    p->x = 1;
28
29  return p->x++; // expected-warning{{Field access results in a dereference of a null pointer (loaded from variable 'p')}}
30}
31
32int f3(char* x) {
33
34  int i = 2;
35
36  if (x)
37    return x[i - 1];
38
39  return x[i+1]; // expected-warning{{Dereference of null pointer}}
40}
41
42int f3_b(char* x) {
43
44  int i = 2;
45
46  if (x)
47    return x[i - 1];
48
49  return x[i+1]++; // expected-warning{{Dereference of null pointer}}
50}
51
52int f4(int *p) {
53
54  uintptr_t x = (uintptr_t) p;
55
56  if (x)
57    return 1;
58
59  int *q = (int*) x;
60  return *q; // expected-warning{{Dereference of null pointer (loaded from variable 'q')}}
61}
62
63int f4_b() {
64  short array[2];
65  uintptr_t x = array; // expected-warning{{incompatible pointer to integer conversion}}
66  short *p = x; // expected-warning{{incompatible integer to pointer conversion}}
67
68  // The following branch should be infeasible.
69  if (!(p == &array[0])) { // expected-warning{{Both operands to '==' always have the same value}}
70    p = 0;
71    *p = 1; // no-warning
72  }
73
74  if (p) {
75    *p = 5; // no-warning
76    p = 0;
77  }
78  else return; // expected-warning {{non-void function 'f4_b' should return a value}}
79
80  *p += 10; // expected-warning{{Dereference of null pointer}}
81  return 0;
82}
83
84int f5() {
85
86  char *s = "hello world";
87  return s[0]; // no-warning
88}
89
90int bar(int* p, int q) __attribute__((nonnull));
91
92int f6(int *p) {
93  return !p ? bar(p, 1) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
94         : bar(p, 0);   // no-warning
95}
96
97int bar2(int* p, int q) __attribute__((nonnull(1)));
98
99int f6b(int *p) {
100  return !p ? bar2(p, 1) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
101         : bar2(p, 0);   // no-warning
102}
103
104int bar3(int*p, int q, int *r) __attribute__((nonnull(1,3)));
105
106int f6c(int *p, int *q) {
107   return !p ? bar3(q, 2, p) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
108             : bar3(p, 2, q); // no-warning
109}
110
111void f6d(int *p) {
112  bar(p, 0);
113  // At this point, 'p' cannot be null.
114  if (!p) {
115    int *q = 0;
116    *q = 0xDEADBEEF; // no-warning
117  }
118}
119
120void f6e(int *p, int offset) {
121  // PR7406 - crash from treating an UnknownVal as defined, to see if it's 0.
122  bar((p+offset)+1, 0); // not crash
123}
124
125int* qux();
126
127int f7(int x) {
128
129  int* p = 0;
130
131  if (0 == x)
132    p = qux();
133
134  if (0 == x)
135    *p = 1; // no-warning
136
137  return x;
138}
139
140int* f7b(int *x) {
141
142  int* p = 0;
143
144  if (((void*)0) == x)
145    p = qux();
146
147  if (((void*)0) == x)
148    *p = 1; // no-warning
149
150  return x;
151}
152
153int* f7c(int *x) {
154
155  int* p = 0;
156
157  if (((void*)0) == x)
158    p = qux();
159
160  if (((void*)0) != x)
161    return x;
162
163  // If we reach here then 'p' is not null.
164  *p = 1; // no-warning
165  return x;
166}
167
168int* f7c2(int *x) {
169
170  int* p = 0;
171
172  if (((void*)0) == x)
173    p = qux();
174
175  if (((void*)0) == x)
176    return x;
177
178  *p = 1; // expected-warning{{null}}
179  return x;
180}
181
182
183void f8(int *p, int *q) {
184  if (!p)
185    if (p)
186      *p = 1; // no-warning
187
188  if (q)
189    if (!q)
190      *q = 1; // no-warning
191}
192
193int* qux();
194
195int f9(unsigned len) {
196  assert (len != 0);
197  int *p = 0;
198  unsigned i;
199
200  for (i = 0; i < len; ++i)
201   p = qux(i);
202
203  return *p++; // no-warning
204}
205
206int f9b(unsigned len) {
207  assert (len > 0);  // note use of '>'
208  int *p = 0;
209  unsigned i;
210
211  for (i = 0; i < len; ++i)
212   p = qux(i);
213
214  return *p++; // no-warning
215}
216
217int* f10(int* p, signed char x, int y) {
218  // This line tests symbolication with compound assignments where the
219  // LHS and RHS have different bitwidths.  The new symbolic value
220  // for 'x' should have a bitwidth of 8.
221  x &= y;
222
223  // This tests that our symbolication worked, and that we correctly test
224  // x against 0 (with the same bitwidth).
225  if (!x) {
226    if (!p) return; // expected-warning {{non-void function 'f10' should return a value}}
227    *p = 10;
228  }
229  else p = 0;
230
231  if (!x)
232    *p = 5; // no-warning
233
234  return p;
235}
236
237// Test case from <rdar://problem/6407949>
238void f11(unsigned i) {
239  int *x = 0;
240  if (i >= 0) { // expected-warning{{always true}}
241    // always true
242  } else {
243    *x = 42; // no-warning
244  }
245}
246
247void f11b(unsigned i) {
248  int *x = 0;
249  if (i <= ~(unsigned)0) {
250    // always true
251  } else {
252    *x = 42; // no-warning
253  }
254}
255
256// Test case for switch statements with weird case arms.
257typedef int     BOOL, *PBOOL, *LPBOOL;
258typedef long    LONG_PTR, *PLONG_PTR;
259typedef unsigned long ULONG_PTR, *PULONG_PTR;
260typedef ULONG_PTR DWORD_PTR, *PDWORD_PTR;
261typedef LONG_PTR LRESULT;
262typedef struct _F12ITEM *HF12ITEM;
263
264void f12(HF12ITEM i, char *q) {
265  char *p = 0;
266  switch ((DWORD_PTR) i) {
267  case 0 ... 10:
268    p = q;
269    break;
270  case (DWORD_PTR) ((HF12ITEM) - 65535):
271    return;
272  default:
273    return;
274  }
275
276  *p = 1; // no-warning
277}
278
279// Test handling of translating between integer "pointers" and back.
280void f13() {
281  int *x = 0;
282  if (((((int) x) << 2) + 1) >> 1) *x = 1;
283}
284
285// PR 4759 - Attribute non-null checking by the analyzer was not correctly
286// handling pointer values that were undefined.
287void pr4759_aux(int *p) __attribute__((nonnull));
288
289void pr4759() {
290  int *p;
291  pr4759_aux(p); // expected-warning{{Function call argument is an uninitialized value}}
292}
293
294
295