null-deref-ps.c revision 9a126850968b0aa25f7c6f214e7309e33f2d800a
// Regression test for the clang static analyzer's null-pointer dereference
// checker (path-sensitive "ps" variant).  Every null dereference, dead branch
// and uninitialised read below is DELIBERATE: the file is input for the
// analyzer, not production code, so none of these should be "fixed".
//
// The RUN lines drive the analyzer with `-verify`, which checks that each
// diagnostic annotation in a trailing comment is emitted on exactly that line
// and that nothing is reported on lines marked `no-warning`.  Because
// `-verify` parses comments, do not add a comment containing a verify
// directive of your own; keep the annotation comments byte-for-byte.
//
// The four RUN lines cover both constraint managers (basic, range) and both
// store models (basic, region), plus one run with dead-symbol purging disabled.
// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-experimental-internal-checks -std=gnu99 -analyzer-check-objc-mem -verify %s -analyzer-constraints=basic -analyzer-store=basic
// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-experimental-internal-checks -std=gnu99 -analyzer-check-objc-mem -verify %s -analyzer-constraints=range -analyzer-store=basic
// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-experimental-internal-checks -std=gnu99 -analyzer-check-objc-mem -analyzer-store=region -analyzer-constraints=range -analyzer-no-purge-dead -verify %s
// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-experimental-internal-checks -std=gnu99 -analyzer-check-objc-mem -analyzer-store=region -analyzer-constraints=range -verify %s

// Pointer-sized integer for the i386 triple used in the RUN lines (32-bit
// pointers).  This is only correct for that target; on an LP64 host `unsigned`
// is narrower than a pointer and this would also clash with <stdint.h>'s
// uintptr_t.  Used by f4/f4_b to round-trip a pointer through an integer.
typedef unsigned uintptr_t;

// Local stand-in for the libc assert hook, declared noreturn so the analyzer
// can prune the path on which the asserted condition is false (f9/f9b rely
// on this to know the loop body ran at least once).
extern void __assert_fail (__const char *__assertion, __const char *__file,
                           unsigned int __line, __const char *__function)
     __attribute__ ((__noreturn__));

#define assert(expr) \
  ((expr)  ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__))

// Simplest case: the else branch is reached only when p == 0, so the store
// through p is a null dereference.  The annotation matches a substring of
// the message ("ereference") rather than the full text.
void f1(int *p) {
  if (p) *p = 1;
  else *p = 0; // expected-warning{{ereference}}
}

struct foo_struct {
  int x;
};

// Field access variant: the `if (p)` guard covers only the first store; on
// the p == 0 path the unguarded `p->x++` dereferences null, and the message
// should name the variable the null came from.
int f2(struct foo_struct* p) {
  
  if (p)
    p->x = 1;
    
  return p->x++; // expected-warning{{Field access results in a dereference of a null pointer (loaded from variable 'p')}}
}

// Array subscript variant: x[i+1] is only reached when x == 0.  The non-zero
// index must not hide the fact that the base pointer is null.
int f3(char* x) {
  
  int i = 2;
  
  if (x)
    return x[i - 1];
  
  return x[i+1]; // expected-warning{{Dereference of null pointer}}
}

// Same as f3, but the subscript is the operand of a post-increment (an lvalue
// use rather than a plain load).
int f3_b(char* x) {
  
  int i = 2;
  
  if (x)
    return x[i - 1];
  
  return x[i+1]++; // expected-warning{{Dereference of null pointer}}
}

// Nullness must survive a pointer -> integer -> pointer round trip: after
// `if (x) return 1;` the integer x is known to be 0, so q is a null pointer.
int f4(int *p) {
  
  uintptr_t x = (uintptr_t) p;
  
  if (x)
    return 1;
    
  int *q = (int*) x;
  return *q; // expected-warning{{Dereference of null pointer (loaded from variable 'q')}}
}

// Integer <-> pointer conversions without casts (the two compiler
// diagnostics on the first lines are part of the expected output).
// `&array[0]` can never be null, so the first `if` body is infeasible and its
// null store must not be reported.  The genuine defect is the final
// `*p += 10`, reached only after `p = 0` on the `if (p)` path; the bare
// `return;` in a non-void function is a separate Sema diagnostic.
int f4_b() {
  short array[2];
  uintptr_t x = array; // expected-warning{{incompatible pointer to integer conversion}}
  short *p = x; // expected-warning{{incompatible integer to pointer conversion}}

  // The following branch should be infeasible.
  if (!(p = &array[0])) {
    p = 0;
    *p = 1; // no-warning
  }
  
  if (p) {
    *p = 5; // no-warning
    p = 0;
  }
  else return; // expected-warning {{non-void function 'f4_b' should return a value}}
  
  *p += 10; // expected-warning{{Dereference of null pointer}}
  return 0;
}


// A string literal is a non-null array object; indexing it must not be
// reported.
int f5() {
  
  char *s = "hello world";
  return s[0]; // no-warning
}

// `nonnull` with no index list applies to every pointer parameter.
int bar(int* p, int q) __attribute__((nonnull));

// Passing a pointer known to be null to a nonnull parameter is reported at
// the call; the other arm is only reached when p != 0.
int f6(int *p) { 
  return !p ? bar(p, 1) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
         : bar(p, 0);   // no-warning
}

// Same check with an explicit parameter index.
int bar2(int* p, int q) __attribute__((nonnull(1)));

int f6b(int *p) { 
  return !p ? bar2(p, 1) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
         : bar2(p, 0);   // no-warning
}

// Multiple indices: parameters 1 and 3 are nonnull, 2 is an int.
int bar3(int*p, int q, int *r) __attribute__((nonnull(1,3)));

// On the `!p` arm the null pointer is passed in position 3 (q, of unknown
// nullness, goes in position 1); the checker must map the attribute indices
// to the right argument.
int f6c(int *p, int *q) {
   return !p ? bar3(q, 2, p) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
             : bar3(p, 2, q); // no-warning
}

// After a call through a nonnull parameter the analyzer treats p as non-null
// (a null p would already have been reported at the call), so the `!p` body
// is dead and its deliberate null store must stay silent.
void f6d(int *p) {
  bar(p, 0);
  // At this point, 'p' cannot be null.
  if (!p) {
    int *q = 0;
    *q = 0xDEADBEEF; // no-warning    
  }
}

// Crash regression: the argument's value is unknown (symbolic pointer
// arithmetic), and the nonnull check must not treat an UnknownVal as a
// concrete value when asking whether it is 0.
void f6e(int *p, int offset) {
  // PR7406 - crash from treating an UnknownVal as defined, to see if it's 0.
  bar((p+offset)+1, 0); // not crash
}

// Opaque producer of pointers; its result has unknown nullness.
int* qux();

// Correlated branches on the same condition: if the second `if` is taken
// the first was too, so p holds qux()'s result rather than 0.
int f7(int x) {
  
  int* p = 0;
  
  if (0 == x)
    p = qux();
  
  if (0 == x)
    *p = 1; // no-warning
    
  return x;
}

// As f7, but the condition is a pointer compared against a null constant
// written as `((void*)0)`.
int* f7b(int *x) {
  
  int* p = 0;
  
  if (((void*)0) == x)
    p = qux();
  
  if (((void*)0) == x)
    *p = 1; // no-warning
    
  return x;
}

// Early return on the complementary condition: the fall-through path is
// exactly the x == null path, on which p was assigned from qux().
int* f7c(int *x) {
  
  int* p = 0;
  
  if (((void*)0) == x)
    p = qux();
  
  if (((void*)0) != x)
    return x;
    
  // If we reach here then 'p' is not null.
  *p = 1; // no-warning
  return x;
}

// Inverse of f7c: the early return removes the x == null path, so the
// surviving path never assigned p and the store is a real null dereference.
int* f7c2(int *x) {
  
  int* p = 0;
  
  if (((void*)0) == x)
    p = qux();
  
  if (((void*)0) == x)
    return x;
    
  *p = 1; // expected-warning{{null}}
  return x;
}


// Contradictory nested conditions: both inner bodies are unreachable and
// must not be reported even though p is null inside the first one.
void f8(int *p, int *q) {
  if (!p)
    if (p)
      *p = 1; // no-warning
  
  if (q)
    if (!q)
      *q = 1; // no-warning
}

// Redundant redeclaration (already declared above); harmless in C.
int* qux();

// p stays null only if the loop body never runs, i.e. len == 0, and that path
// is pruned by the noreturn assert.  Calling qux(i) against an empty-parameter
// prototype is what the original test does; it is not a declaration mismatch
// in C89/C99 terms.
int f9(unsigned len) {
  assert (len != 0);
  int *p = 0;
  unsigned i;
  
  for (i = 0; i < len; ++i)
   p = qux(i);
  
  return *p++; // no-warning
}

// Same as f9 with the assertion spelled `len > 0`; for an unsigned value this
// is equivalent to `len != 0`, and the constraint manager is expected to
// derive that so the loop is known to execute.
int f9b(unsigned len) {
  assert (len > 0);  // note use of '>'
  int *p = 0;
  unsigned i;
  
  for (i = 0; i < len; ++i)
   p = qux(i);
  
  return *p++; // no-warning
}

// Mixed-width compound assignment: x is 8 bits, y is 32.  Both `if (!x)`
// tests must agree, so on the path where the second is taken the first was
// too and p was not cleared (the `else p = 0` arm is the x != 0 path).
// The bare `return;` is a Sema diagnostic, not an analyzer one.
int* f10(int* p, signed char x, int y) {
  // This line tests symbolication with compound assignments where the
  // LHS and RHS have different bitwidths.  The new symbolic value
  // for 'x' should have a bitwidth of 8.
  x &= y;
  
  // This tests that our symbolication worked, and that we correctly test
  // x against 0 (with the same bitwidth).
  if (!x) {
    if (!p) return; // expected-warning {{non-void function 'f10' should return a value}}
    *p = 10;
  }
  else p = 0;
  
  if (!x)
    *p = 5; // no-warning
    
  return p;
}

// `i >= 0` is a tautology for unsigned i, so the else branch (and its null
// store) is unreachable and must not be reported.
// Test case from <rdar://problem/6407949>
void f11(unsigned i) {
  int *x = 0;
  if (i >= 0) {
    // always true
  } else {
    *x = 42; // no-warning
  }
}

// Upper-bound form of the same tautology: ~(unsigned)0 is UINT_MAX, so
// `i <= UINT_MAX` always holds.
void f11b(unsigned i) {
  int *x = 0;
  if (i <= ~(unsigned)0) {
    // always true
  } else {
    *x = 42; // no-warning
  }
}

// Test case for switch statements with weird case arms.
// Win32-style typedefs; only DWORD_PTR and HF12ITEM are used by f12.
typedef int BOOL, *PBOOL, *LPBOOL;
typedef long LONG_PTR, *PLONG_PTR;
typedef unsigned long ULONG_PTR, *PULONG_PTR;
typedef ULONG_PTR DWORD_PTR, *PDWORD_PTR;
typedef LONG_PTR LRESULT;
typedef struct _F12ITEM *HF12ITEM;

// The switch uses a GNU case range (`0 ... 10`) and a case label built by
// casting a negative constant to a pointer and back to an integer.  p is
// assigned only in the range arm; every other arm returns, so the final store
// is reachable only with p == q and must not be reported as null.
void f12(HF12ITEM i, char *q) {
  char *p = 0;
  switch ((DWORD_PTR) i) {
  case 0 ... 10:
    p = q;
    break;
  case (DWORD_PTR) ((HF12ITEM) - 65535):
    return;
  default:
    return;
  }
  
  *p = 1; // no-warning
}

// Test handling of translating between integer "pointers" and back.
// With x == 0 the condition evaluates to ((0 << 2) + 1) >> 1 == 0, so the
// store is never executed; the analyzer must fold the arithmetic rather than
// treat the converted null pointer as unknown.
void f13() {
  int *x = 0;
  if (((((int) x) << 2) + 1) >> 1) *x = 1; // no-warning
}

// PR 4759 - Attribute non-null checking by the analyzer was not correctly
// handling pointer values that were undefined.
void pr4759_aux(int *p) __attribute__((nonnull));

// p is never initialised, so its value is undefined rather than null; the
// nonnull checker must report the uninitialised argument (and not crash)
// instead of trying to compare an undefined value with 0.
void pr4759() {
  int *p;
  pr4759_aux(p); // expected-warning{{undefined}}
}