null-deref-ps.c revision a317e90f4c4aeb871359c3b8c3420f1ddab97d5c
1// RUN: clang -std=gnu99 -checker-simple -verify %s && 2// RUN: clang -std=gnu99 -checker-simple -analyzer-store-region -verify %s 3 4#include<stdint.h> 5#include <assert.h> 6 7void f1(int *p) { 8 if (p) *p = 1; 9 else *p = 0; // expected-warning{{ereference}} 10} 11 12struct foo_struct { 13 int x; 14}; 15 16int f2(struct foo_struct* p) { 17 18 if (p) 19 p->x = 1; 20 21 return p->x++; // expected-warning{{Dereference of null pointer.}} 22} 23 24int f3(char* x) { 25 26 int i = 2; 27 28 if (x) 29 return x[i - 1]; 30 31 return x[i+1]; // expected-warning{{Dereference of null pointer.}} 32} 33 34int f3_b(char* x) { 35 36 int i = 2; 37 38 if (x) 39 return x[i - 1]; 40 41 return x[i+1]++; // expected-warning{{Dereference of null pointer.}} 42} 43 44int f4(int *p) { 45 46 uintptr_t x = (uintptr_t) p; 47 48 if (x) 49 return 1; 50 51 int *q = (int*) x; 52 return *q; // expected-warning{{Dereference of null pointer.}} 53} 54 55int f5() { 56 57 char *s = "hello world"; 58 return s[0]; // no-warning 59} 60 61int bar(int* p, int q) __attribute__((nonnull)); 62 63int f6(int *p) { 64 return !p ? bar(p, 1) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}} 65 : bar(p, 0); // no-warning 66} 67 68int bar2(int* p, int q) __attribute__((nonnull(1))); 69 70int f6b(int *p) { 71 return !p ? bar2(p, 1) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}} 72 : bar2(p, 0); // no-warning 73} 74 75int bar3(int*p, int q, int *r) __attribute__((nonnull(1,3))); 76 77int f6c(int *p, int *q) { 78 return !p ? bar3(q, 2, p) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}} 79 : bar3(p, 2, q); // no-warning 80} 81 82int* qux(); 83 84int f7(int x) { 85 86 int* p = 0; 87 88 if (0 == x) 89 p = qux(); 90 91 if (0 == x) 92 *p = 1; // no-warning 93 94 return x; 95} 96 97int f8(int *p, int *q) { 98 if (!p) 99 if (p) 100 *p = 1; // no-warning 101 102 if (q) 103 if (!q) 104 *q = 1; // no-warning 105} 106 107int* qux(); 108 109int f9(unsigned len) { 110 assert (len != 0); 111 int *p = 0; 112 unsigned i; 113 114 for (i = 0; i < len; ++i) 115 p = qux(i); 116 117 return *p++; // no-warning 118} 119 120int f9b(unsigned len) { 121 assert (len > 0); // note use of '>' 122 int *p = 0; 123 unsigned i; 124 125 for (i = 0; i < len; ++i) 126 p = qux(i); 127 128 return *p++; // no-warning 129} 130 131int* f10(int* p, signed char x, int y) { 132 // This line tests symbolication with compound assignments where the 133 // LHS and RHS have different bitwidths. The new symbolic value 134 // for 'x' should have a bitwidth of 8. 135 x &= y; 136 137 // This tests that our symbolication worked, and that we correctly test 138 // x against 0 (with the same bitwidth). 139 if (!x) { 140 if (!p) return; 141 *p = 10; 142 } 143 else p = 0; 144 145 if (!x) 146 *p = 5; // no-warning 147 148 return p; 149} 150 151// Test case from <rdar://problem/6407949> 152void f11(unsigned i) { 153 int *x = 0; 154 if (i >= 0) { 155 // always true 156 } else { 157 *x = 42; // no-warning 158 } 159} 160 161void f11b(unsigned i) { 162 int *x = 0; 163 if (i <= ~(unsigned)0) { 164 // always true 165 } else { 166 *x = 42; // no-warning 167 } 168} 169 170