null-deref-ps.c revision a96ac060debe3b83caa5c4ddba0c44a44b4499fe
1// RUN: clang -std=gnu99 -checker-simple -verify %s &&
2// RUN: clang -std=gnu99 -checker-simple -analyzer-store-region -verify %s
3
4#include<stdint.h>
5#include <assert.h>
6
// f1: positive case. The else branch is only taken when p compared equal to
// null, so the store there dereferences a pointer known to be null.
// The directive matches on the substring "ereference" rather than the full
// message text.
7void f1(int *p) {
8  if (p) *p = 1;
9  else *p = 0; // expected-warning{{ereference}}
10}
11
// Minimal aggregate used by f2 to exercise member access through a pointer.
12struct foo_struct {
13  int x;
14};
15
// f2: positive case. The null check guards only the first store; the return
// statement reads and increments p->x on every path, including the one where
// the check established that p is null. This is the classic "checked once,
// used unconditionally afterwards" shape.
16int f2(struct foo_struct* p) {
17
18  if (p)
19    p->x = 1;
20
21  return p->x++; // expected-warning{{Dereference of null pointer.}}
22}
23
// f3: positive case using array subscripting. The non-null path returns
// early, so the final subscript is reached only when x is null. The index is
// non-zero (i + 1 == 3), so the access is at an offset from null and must
// still be reported as a null dereference.
24int f3(char* x) {
25
26  int i = 2;
27
28  if (x)
29    return x[i - 1];
30
31  return x[i+1]; // expected-warning{{Dereference of null pointer.}}
32}
33
// f3_b: same shape as f3, but the element reached through the null base is
// post-incremented, so the flagged access is a read-modify-write instead of a
// plain read.
34int f3_b(char* x) {
35
36  int i = 2;
37
38  if (x)
39    return x[i - 1];
40
41  return x[i+1]++; // expected-warning{{Dereference of null pointer.}}
42}
43
// f4: positive case where null-ness has to survive a pointer -> integer ->
// pointer round trip. p is cast to uintptr_t, the integer is tested, and on
// the zero path it is cast back to int* and dereferenced. A checker that
// loses track of the value at either cast would miss this report.
44int f4(int *p) {
45
46  uintptr_t x = (uintptr_t) p;
47
48  if (x)
49    return 1;
50
51  int *q = (int*) x;
52  return *q; // expected-warning{{Dereference of null pointer.}}
53}
54
// f5: negative case. s is initialised from a string literal, so reading s[0]
// must not be reported.
55int f5() {
56
57  char *s = "hello world";
58  return s[0]; // no-warning
59}
60
// Callee for f6. The nonnull attribute is given without an index list, which
// makes it apply to every pointer parameter (here only p).
61int bar(int* p, int q) __attribute__((nonnull));
62
// f6: checks enforcement of the nonnull attribute at call sites. In the first
// arm of the conditional p is known to be null and is passed to bar, which
// must be reported; in the second arm p is known to be non-null and the call
// must stay silent.
63int f6(int *p) {
64  return !p ? bar(p, 1) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
65         : bar(p, 0);   // no-warning
66}
67
// Callee for f6b. Same as bar, but the attribute names parameter 1 explicitly
// (attribute parameter indices are 1-based, so this is p).
68int bar2(int* p, int q) __attribute__((nonnull(1)));
69
// f6b: same check as f6, against the indexed form of the nonnull attribute
// declared on bar2.
70int f6b(int *p) {
71  return !p ? bar2(p, 1) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
72         : bar2(p, 0);   // no-warning
73}
74
75
76
// Opaque pointer source for f7, f9 and f9b. It is declared with an empty
// parameter list (no prototype) and no definition is visible in this listing.
// NOTE(review): presumably the analyzer treats the result as an unknown,
// possibly non-null pointer - confirm.
77int* qux();
78
// f7: negative case for path sensitivity. p starts as null and is replaced by
// the result of qux() only when x == 0. The dereference is guarded by the
// same condition, so it is reached only on the path where p was reassigned.
// A path-insensitive check would see "p may be 0" at the store and report a
// false positive.
79int f7(int x) {
80
81  int* p = 0;
82
83  if (0 == x)
84    p = qux();
85
86  if (0 == x)
87    *p = 1; // no-warning
88
89  return x;
90}
91
// f8: negative case for infeasible paths. Each inner condition contradicts
// the enclosing one (!p then p; q then !q), so neither store can execute and
// neither may be reported.
// NOTE(review): the function is declared to return int but has no return
// statement; that is harmless only while no caller uses the result.
92int f8(int *p, int *q) {
93  if (!p)
94    if (p)
95      *p = 1; // no-warning
96
97  if (q)
98    if (!q)
99      *q = 1; // no-warning
100}
101
// Redeclaration of qux; an identical declaration appears earlier in this file.
102int* qux();
103
// f9: negative case combining an assertion with a loop. assert(len != 0)
// rules out the zero-iteration path, so the loop body runs at least once and
// p no longer holds its initial null value when it is dereferenced.
// `*p++` reads through p and then advances the local pointer.
// qux is called with an argument here; its declaration has no prototype, so
// the call is accepted.
104int f9(unsigned len) {
105  assert (len != 0);
106  int *p = 0;
107  unsigned i;
108
109  for (i = 0; i < len; ++i)
110   p = qux(i);
111
112  return *p++; // no-warning
113}
114
// f9b: same as f9, but the precondition is written as `len > 0` instead of
// `len != 0`. For an unsigned value the two are equivalent, and the
// constraint reasoning must reach the same conclusion for both spellings.
115int f9b(unsigned len) {
116  assert (len > 0);  // note use of '>'
117  int *p = 0;
118  unsigned i;
119
120  for (i = 0; i < len; ++i)
121   p = qux(i);
122
123  return *p++; // no-warning
124}
125
// f10: negative case that depends on the two `if (!x)` tests being evaluated
// consistently after the compound assignment. On the !x path p is checked
// (a null p returns early) and then written through, so the later store is
// safe. On the other path p is set to null, but the second `if (!x)` is not
// taken. No report is wanted at the final store.
// NOTE(review): `if (!p) return;` is a bare return in a function declared to
// return int*; newer compilers may diagnose it - confirm the test tolerates
// that.
126int* f10(int* p, signed char x, int y) {
127  // This line tests symbolication with compound assignments where the
128  // LHS and RHS have different bitwidths.  The new symbolic value
129  // for 'x' should have a bitwidth of 8.
130  x &= y;
131
132  // This tests that our symbolication worked, and that we correctly test
133  // x against 0 (with the same bitwidth).
134  if (!x) {
135    if (!p) return;
136    *p = 10;
137  }
138  else p = 0;
139
140  if (!x)
141    *p = 5; // no-warning
142
143  return p;
144}
145
146// Test case from <rdar://problem/6407949>
// f11: negative case for a tautological unsigned comparison. i is unsigned,
// so `i >= 0` holds for every value and the else branch, which stores through
// a null pointer, is unreachable and must not be reported.
147void f11(unsigned i) {
148  int *x = 0;
149  if (i >= 0) {
150    // always true
151  } else {
152    *x = 42; // no-warning
153  }
154}
155
// f11b: companion to f11 at the upper bound. ~(unsigned)0 is the largest
// unsigned value, so `i <= ~(unsigned)0` is always true and the null store in
// the else branch is again unreachable.
156void f11b(unsigned i) {
157  int *x = 0;
158  if (i <= ~(unsigned)0) {
159    // always true
160  } else {
161    *x = 42; // no-warning
162  }
163}
164
165