null-deref-ps.c revision a48f7378a05095595d0f6a9c11fc8141e7a5ea61
// RUN: clang -analyze -std=gnu99 -checker-simple -verify %s &&
// RUN: clang -analyze -std=gnu99 -checker-simple -analyzer-store-region -analyzer-purge-dead=false -verify %s &&
// RUN: clang -analyze -std=gnu99 -checker-cfref -analyzer-store-region -verify %s

// Regression test for the clang static analyzer's null-dereference reporting.
// The three RUN lines run this file under three analyzer configurations;
// '-verify' checks that every diagnostic emitted is matched by an
// 'expected-warning{{...}}' comment on the same source line and that lines
// marked 'no-warning' stay silent.
//
// Each 'expected-warning' below marks an intentional defect (a null pointer
// dereference, CWE-476, or a null argument to a 'nonnull' parameter) that the
// checker must report. Each 'no-warning' marks a dereference that is either
// provably safe or on an infeasible path, guarding against false positives.
// Do not "fix" the defects: the bugs are the test. Keep every annotation on
// the same line as the statement it describes, since '-verify' matches by line.

#include<stdint.h>
#include <assert.h>

// The else branch is reached only when p is null, so the store is a
// guaranteed null dereference.
void f1(int *p) {
  if (p) *p = 1;
  else *p = 0; // expected-warning{{ereference}}
}

struct foo_struct {
  int x;
};

// The guard covers only the first store; the unconditional 'p->x++' is still
// evaluated on the path where p is null.
int f2(struct foo_struct* p) {

  if (p)
    p->x = 1;

  return p->x++; // expected-warning{{Dereference of null pointer.}}
}

// Same pattern on an array subscript: the second index is reached only when
// x is null.
int f3(char* x) {

  int i = 2;

  if (x)
    return x[i - 1];

  return x[i+1]; // expected-warning{{Dereference of null pointer.}}
}

// As f3, but the null subscript is used as an lvalue (post-increment).
int f3_b(char* x) {

  int i = 2;

  if (x)
    return x[i - 1];

  return x[i+1]++; // expected-warning{{Dereference of null pointer.}}
}

// The pointer is round-tripped through uintptr_t; the only path past the
// 'if (x)' is x == 0, so q is null when dereferenced.
int f4(int *p) {

  uintptr_t x = (uintptr_t) p;

  if (x)
    return 1;

  int *q = (int*) x;
  return *q; // expected-warning{{Dereference of null pointer.}}
}

// Pointer/integer round-trip through plain (non-cast) initializers; the two
// conversion diagnostics are frontend warnings, not analyzer reports. The
// first block is infeasible (p is assigned the address of a real array); the
// second block nulls p before the final '*p += 10'.
// NOTE(review): 'return;' carries no value although f4_b returns int; kept as
// written because the analyzer test depends on this exact shape.
int f4_b() {
  short array[2];
  uintptr_t x = array; // expected-warning{{incompatible pointer to integer conversion initializing}}
  short *p = x; // expected-warning{{incompatible integer to pointer conversion initializing}}

  // The following branch should be infeasible.
  if (!(p = &array[0])) {
    p = 0;
    *p = 1; // no-warning
  }

  if (p) {
    *p = 5; // no-warning
    p = 0;
  }
  else return;

  *p += 10; // expected-warning{{Dereference of null pointer}}
}


// A string literal is a known non-null object; indexing it must not be
// reported.
int f5() {

  char *s = "hello world";
  return s[0]; // no-warning
}

int bar(int* p, int q) __attribute__((nonnull));

// Only the true arm of the conditional passes a null p to the 'nonnull'
// parameter; the false arm passes a pointer known to be non-null.
int f6(int *p) {
  return !p ? bar(p, 1) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
            : bar(p, 0); // no-warning
}

int bar2(int* p, int q) __attribute__((nonnull(1)));

// As f6, with the attribute naming parameter 1 explicitly.
int f6b(int *p) {
  return !p ? bar2(p, 1) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
            : bar2(p, 0); // no-warning
}

int bar3(int*p, int q, int *r) __attribute__((nonnull(1,3)));

// On the true arm the null p is passed in position 3, which nonnull(1,3)
// covers; on the false arm p is non-null in position 1 and q is
// unconstrained, so nothing is reported.
int f6c(int *p, int *q) {
  return !p ? bar3(q, 2, p) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
            : bar3(p, 2, q); // no-warning
}

int* qux();

// p is assigned from qux() and dereferenced under the same condition, so the
// store is never reached with the initial null value.
int f7(int x) {

  int* p = 0;

  if (0 == x)
    p = qux();

  if (0 == x)
    *p = 1; // no-warning

  return x;
}

// Each inner condition contradicts its enclosing one, so neither store is
// reachable.
// NOTE(review): f8 is declared int but returns no value; kept as written.
int f8(int *p, int *q) {
  if (!p)
    if (p)
      *p = 1; // no-warning

  if (q)
    if (!q)
      *q = 1; // no-warning
}

// Redeclaration of qux (already declared above); harmless.
int* qux();

// The assert rules out len == 0, so the loop body runs at least once and p
// is assigned from qux() before the dereference.
int f9(unsigned len) {
  assert (len != 0);
  int *p = 0;
  unsigned i;

  for (i = 0; i < len; ++i)
    p = qux(i);

  return *p++; // no-warning
}

// As f9, with the precondition written as 'len > 0' instead of '!= 0'.
int f9b(unsigned len) {
  assert (len > 0); // note use of '>'
  int *p = 0;
  unsigned i;

  for (i = 0; i < len; ++i)
    p = qux(i);

  return *p++; // no-warning
}

// NOTE(review): 'return;' without a value in a function returning int*;
// kept as written.
int* f10(int* p, signed char x, int y) {
  // This line tests symbolication with compound assignments where the
  // LHS and RHS have different bitwidths. The new symbolic value
  // for 'x' should have a bitwidth of 8.
  x &= y;

  // This tests that our symbolication worked, and that we correctly test
  // x against 0 (with the same bitwidth).
  if (!x) {
    if (!p) return;
    *p = 10;
  }
  else p = 0;

  if (!x)
    *p = 5; // no-warning

  return p;
}

// Test case from <rdar://problem/6407949>
// i is unsigned, so 'i >= 0' always holds and the else branch (the only
// place the null x is dereferenced) is dead.
void f11(unsigned i) {
  int *x = 0;
  if (i >= 0) {
    // always true
  } else {
    *x = 42; // no-warning
  }
}

// Likewise 'i <= ~(unsigned)0' (all bits set, i.e. UINT_MAX) always holds
// for an unsigned i, so the else branch is dead.
void f11b(unsigned i) {
  int *x = 0;
  if (i <= ~(unsigned)0) {
    // always true
  } else {
    *x = 42; // no-warning
  }
}

// Test case for switch statements with weird case arms.
// Windows-style typedefs; only DWORD_PTR and HF12ITEM are used by f12.
typedef int BOOL, *PBOOL, *LPBOOL;
typedef long LONG_PTR, *PLONG_PTR;
typedef unsigned long ULONG_PTR, *PULONG_PTR;
typedef ULONG_PTR DWORD_PTR, *PDWORD_PTR;
typedef LONG_PTR LRESULT;
typedef struct _F12ITEM *HF12ITEM;

// Switch with a GNU case range and a pointer-cast case label. The only arm
// that falls through to the store assigns 'p = q'; the other arms return,
// so p is never null at '*p = 1'.
void f12(HF12ITEM i, char *q) {
  char *p = 0;
  switch ((DWORD_PTR) i) {
  case 0 ... 10:
    p = q;
    break;
  case (DWORD_PTR) ((HF12ITEM) - 65535):
    return;
  default:
    return;
  }

  *p = 1; // no-warning
}

// Exercise ElementRegion with SymbolicRegion as super region.
// x is assigned under the same condition that guards its use, so the load
// through x (whose value is discarded) is never reached uninitialized.
void foo(int* p) {
  int *x;
  int a;
  if (p[0] == 1)
    x = &a;
  if (p[0] == 1)
    *x; // no-warning
}