null-deref-ps.c revision 935022a9aebb32459fd56ccfb1e1cfb9c0a5176c
// RUN: clang-cc -analyze -std=gnu99 -checker-simple -verify %s &&
// RUN: clang-cc -analyze -std=gnu99 -checker-simple -verify %s -analyzer-constraints=range &&
// RUN: clang-cc -analyze -std=gnu99 -checker-simple -analyzer-store=region -analyzer-purge-dead=false -verify %s &&
// RUN: clang-cc -analyze -std=gnu99 -checker-cfref -analyzer-store=region -verify %s

// Regression tests for the static analyzer's null-pointer-dereference
// diagnostics. Each case pairs a dereference either with the diagnostic
// the analyzer must report on that line, or with a "no-warning" marker
// when the analyzer must prove the path infeasible (false-positive checks).
// The file is driven under several store / constraint-manager
// configurations (the four command lines above), so every case must hold
// in all of them. The {{...}} text is matched as a substring of the
// diagnostic, which is why f1's pattern is just "ereference".

#include<stdint.h>
#include <assert.h>

// Plain if/else on the pointer: the else arm is reached only when p is null.
void f1(int *p) {
  if (p) *p = 1;
  else *p = 0; // expected-warning{{ereference}}
}

struct foo_struct {
  int x;
};

// Guarded store followed by an unguarded member access: the p == 0 path
// skips the if and reaches p->x++ directly.
int f2(struct foo_struct* p) {

  if (p)
    p->x = 1;

  return p->x++; // expected-warning{{Dereference of null pointer.}}
}

// Subscripting a null char* with a computed index; the base pointer, not
// the index, is what is null.
int f3(char* x) {

  int i = 2;

  if (x)
    return x[i - 1];

  return x[i+1]; // expected-warning{{Dereference of null pointer.}}
}

// Same as f3, but the subscript is used as an lvalue (post-increment).
int f3_b(char* x) {

  int i = 2;

  if (x)
    return x[i - 1];

  return x[i+1]++; // expected-warning{{Dereference of null pointer.}}
}

// Null pointer laundered through an integer: after the early return x is
// known to be zero, so q, cast back from x, is null.
int f4(int *p) {

  uintptr_t x = (uintptr_t) p;

  if (x)
    return 1;

  int *q = (int*) x;
  return *q; // expected-warning{{Dereference of null pointer.}}
}

// Pointer <-> integer conversions without casts (hence the two conversion
// diagnostics, which come from Sema). The first branch is infeasible
// because &array[0] is never null. The only feasible path through the
// second if sets p to 0, so the trailing compound assignment is a genuine
// null dereference. The bare `return;` in a non-void function is also a
// Sema diagnostic, not an analyzer one.
int f4_b() {
  short array[2];
  uintptr_t x = array; // expected-warning{{incompatible pointer to integer conversion initializing}}
  short *p = x; // expected-warning{{incompatible integer to pointer conversion initializing}}

  // The following branch should be infeasible.
  if (!(p = &array[0])) {
    p = 0;
    *p = 1; // no-warning
  }

  if (p) {
    *p = 5; // no-warning
    p = 0;
  }
  else return; // expected-warning {{non-void function 'f4_b' should return a value}}

  *p += 10; // expected-warning{{Dereference of null pointer}}
}


// Reading through a string literal is never a null dereference.
int f5() {

  char *s = "hello world";
  return s[0]; // no-warning
}

// __attribute__((nonnull)) with no index list covers every pointer
// parameter; passing a null p must be reported at the call site.
int bar(int* p, int q) __attribute__((nonnull));

int f6(int *p) {
  return !p ? bar(p, 1) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
            : bar(p, 0); // no-warning
}

// nonnull restricted to parameter 1.
int bar2(int* p, int q) __attribute__((nonnull(1)));

int f6b(int *p) {
  return !p ? bar2(p, 1) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
            : bar2(p, 0); // no-warning
}

// nonnull on parameters 1 and 3: in the !p arm the null pointer is passed
// in position 3 (q, unknown, goes in position 1), which must still be
// reported.
int bar3(int*p, int q, int *r) __attribute__((nonnull(1,3)));

int f6c(int *p, int *q) {
  return !p ? bar3(q, 2, p) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
            : bar3(p, 2, q); // no-warning
}

// Declared without a prototype; its return value is an unknown pointer.
int* qux();

// Path sensitivity: the second `0 == x` test is true only on the path where
// p was already assigned from qux(), so at the store p is qux()'s unknown
// result rather than the literal 0.
int f7(int x) {

  int* p = 0;

  if (0 == x)
    p = qux();

  if (0 == x)
    *p = 1; // no-warning

  return x;
}

// As f7, with the null constant spelled ((void*)0) and compared against a
// pointer instead of an int.
int* f7b(int *x) {

  int* p = 0;

  if (((void*)0) == x)
    p = qux();

  if (((void*)0) == x)
    *p = 1; // no-warning

  return x;
}


// Contradictory nested conditions: both inner stores are unreachable, so
// neither may be reported. (f8 also falls off the end without returning a
// value; that is not what is under test here.)
int f8(int *p, int *q) {
  if (!p)
    if (p)
      *p = 1; // no-warning

  if (q)
    if (!q)
      *q = 1; // no-warning
}

// Redeclaration of qux, in the same unprototyped form.
int* qux();

// With len != 0 asserted, the loop body runs at least once and overwrites
// p, so the dereference after the loop is not of the initial 0. qux is
// called with an argument despite its empty parameter list, which is legal
// for an unprototyped declaration.
int f9(unsigned len) {
  assert (len != 0);
  int *p = 0;
  unsigned i;

  for (i = 0; i < len; ++i)
    p = qux(i);

  return *p++; // no-warning
}

// Same as f9 with the precondition written as a range (len > 0) instead of
// an inequality; presumably aimed at the -analyzer-constraints=range
// configuration, where the two forms are recorded differently.
int f9b(unsigned len) {
  assert (len > 0); // note use of '>'
  int *p = 0;
  unsigned i;

  for (i = 0; i < len; ++i)
    p = qux(i);

  return *p++; // no-warning
}

int* f10(int* p, signed char x, int y) {
  // This line tests symbolication with compound assignments where the
  // LHS and RHS have different bitwidths. The new symbolic value
  // for 'x' should have a bitwidth of 8.
  x &= y;

  // This tests that our symbolication worked, and that we correctly test
  // x against 0 (with the same bitwidth).
  if (!x) {
    // Bare return in a non-void function: a Sema diagnostic, not the analyzer's.
    if (!p) return; // expected-warning {{non-void function 'f10' should return a value}}
    *p = 10;
  }
  else p = 0;

  // On the !x path p was null-checked above; on the x path p is 0 but this
  // test is false. Either way the store cannot dereference null.
  if (!x)
    *p = 5; // no-warning

  return p;
}

// Test case from <rdar://problem/6407949>
// `i >= 0` is a tautology for unsigned i, so the else branch is infeasible.
void f11(unsigned i) {
  int *x = 0;
  if (i >= 0) {
    // always true
  } else {
    *x = 42; // no-warning
  }
}

// `i <= ~(unsigned)0` compares against the maximum unsigned value: likewise
// always true.
void f11b(unsigned i) {
  int *x = 0;
  if (i <= ~(unsigned)0) {
    // always true
  } else {
    *x = 42; // no-warning
  }
}

// Test case for switch statements with weird case arms.
// Typedef names resembling the Win32 SDK, reproduced for the case below.
typedef int BOOL, *PBOOL, *LPBOOL;
typedef long LONG_PTR, *PLONG_PTR;
typedef unsigned long ULONG_PTR, *PULONG_PTR;
typedef ULONG_PTR DWORD_PTR, *PDWORD_PTR;
typedef LONG_PTR LRESULT;
typedef struct _F12ITEM *HF12ITEM;

// GNU case range (0 ... 10) plus a case label computed from a pointer cast.
// Every arm except the range one returns, so at the final store p holds q,
// an unknown (not known-null) pointer.
void f12(HF12ITEM i, char *q) {
  char *p = 0;
  switch ((DWORD_PTR) i) {
  case 0 ... 10:
    p = q;
    break;
  case (DWORD_PTR) ((HF12ITEM) - 65535):
    return;
  default:
    return;
  }

  *p = 1; // no-warning
}

// Test handling of translating between integer "pointers" and back.
// x is 0, so ((0 << 2) + 1) >> 1 == 0: the condition is false and the
// dereference is never executed.
void f13() {
  int *x = 0;
  if (((((int) x) << 2) + 1) >> 1) *x = 1; // no-warning
}