null-deref-ps.c revision c26a8b06e255bc7a8eb3f5df22e32b62a3dbf4c0
// RUN: clang-cc -analyze -std=gnu99 -checker-cfref -verify %s -analyzer-constraints=basic -analyzer-store=basic &&
// RUN: clang-cc -analyze -std=gnu99 -checker-cfref -verify %s -analyzer-constraints=basic -analyzer-store=basic-old-cast &&
// RUN: clang-cc -analyze -std=gnu99 -checker-cfref -verify %s -analyzer-constraints=range -analyzer-store=basic &&
// RUN: clang-cc -analyze -std=gnu99 -checker-cfref -verify %s -analyzer-constraints=range -analyzer-store=basic-old-cast &&
// RUN: clang-cc -analyze -std=gnu99 -checker-cfref -analyzer-store=region -analyzer-constraints=range -analyzer-purge-dead=false -verify %s &&
// RUN: clang-cc -analyze -std=gnu99 -checker-cfref -analyzer-store=region -analyzer-constraints=range -verify %s

#include<stdint.h>
#include <assert.h>

// Static-analyzer regression tests for null-pointer dereference reporting,
// run under each store/constraint-manager combination listed above.
// Every function either dereferences a pointer the analyzer can prove null
// (annotated with the diagnostic text -verify must see) or dereferences on a
// path the analyzer should recognise as infeasible (annotated "no-warning",
// where any report would be a false positive). The code is deliberately
// wrong: it is input for the analyzer, not code to be fixed.

// The else branch runs only when p is null, so the store there is a
// definite null dereference.
void f1(int *p) {
  if (p) *p = 1;
  else *p = 0; // expected-warning{{ereference}}
}

struct foo_struct {
  int x;
};

// The guarded store says nothing about p on the else path; the unguarded
// p->x++ after the join is reachable with p == 0.
int f2(struct foo_struct* p) {

  if (p)
    p->x = 1;

  return p->x++; // expected-warning{{Dereference of null pointer.}}
}

// Indexing through a null base: the non-null case has already returned, so
// x is null on the fall-through path.
int f3(char* x) {

  int i = 2;

  if (x)
    return x[i - 1];

  return x[i+1]; // expected-warning{{Dereference of null pointer.}}
}

// As f3, but the null element is used as an lvalue (post-increment).
int f3_b(char* x) {

  int i = 2;

  if (x)
    return x[i - 1];

  return x[i+1]++; // expected-warning{{Dereference of null pointer.}}
}

// Null-ness must survive a pointer -> uintptr_t -> pointer round trip:
// x is known to be zero after the early return, so q is a null pointer.
int f4(int *p) {

  uintptr_t x = (uintptr_t) p;

  if (x)
    return 1;

  int *q = (int*) x;
  return *q; // expected-warning{{Dereference of null pointer.}}
}

// Integer/pointer round trips plus address-of on an array element. The two
// conversion diagnostics on the initialisers are frontend (Sema) warnings,
// not analyzer reports, and are part of the expected output.
int f4_b() {
  short array[2];
  uintptr_t x = array; // expected-warning{{incompatible pointer to integer conversion initializing}}
  short *p = x; // expected-warning{{incompatible integer to pointer conversion initializing}}

  // The following branch should be infeasible.
  // &array[0] can never be null, so the null store inside is dead code.
  if (!(p = &array[0])) {
    p = 0;
    *p = 1; // no-warning
  }

  if (p) {
    *p = 5; // no-warning
    p = 0;
  }
  else return; // expected-warning {{non-void function 'f4_b' should return a value}}

  // Only the then-branch reaches this point, and it set p to 0.
  *p += 10; // expected-warning{{Dereference of null pointer}}
  return 0;
}


// The address of a string literal is never null.
int f5() {

  char *s = "hello world";
  return s[0]; // no-warning
}

// nonnull with no index list covers every pointer parameter.
int bar(int* p, int q) __attribute__((nonnull));

// On the !p arm the null p is passed to a nonnull parameter.
int f6(int *p) {
  return !p ? bar(p, 1) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
            : bar(p, 0); // no-warning
}

// nonnull restricted to parameter 1 only.
int bar2(int* p, int q) __attribute__((nonnull(1)));

int f6b(int *p) {
  return !p ? bar2(p, 1) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
            : bar2(p, 0); // no-warning
}

// nonnull on parameters 1 and 3; parameter 2 is an int and unconstrained.
int bar3(int*p, int q, int *r) __attribute__((nonnull(1,3)));

// On the !p arm the null p lands in position 3 (covered); on the other arm
// the non-null p is in position 1 and q is unconstrained, so no report.
int f6c(int *p, int *q) {
  return !p ? bar3(q, 2, p) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
            : bar3(p, 2, q); // no-warning
}

// Passing p to a nonnull parameter lets the analyzer assume p != 0 afterwards,
// so the !p block (and the deliberate null store in it) is unreachable.
// NOTE(review): f6d is declared int but never returns a value and no
// diagnostic is expected for that here — presumably matches the frontend's
// behaviour for these RUN lines; confirm if the flags change.
int f6d(int *p) {
  bar(p, 0);
  // At this point, 'p' cannot be null.
  if (!p) {
    int *q = 0;
    *q = 0xDEADBEEF; // no-warning
  }
}

// Declared without a prototype: returns an unknown (unconstrained) pointer.
int* qux();

// Correlated branches on x: p is reassigned from qux() exactly when x == 0,
// and dereferenced only when x == 0, so on every path to the store p holds
// qux()'s result rather than the initial 0.
int f7(int x) {

  int* p = 0;

  if (0 == x)
    p = qux();

  if (0 == x)
    *p = 1; // no-warning

  return x;
}

// As f7, with the null pointer constant spelled as a cast void* and the
// comparison made against a pointer parameter.
int* f7b(int *x) {

  int* p = 0;

  if (((void*)0) == x)
    p = qux();

  if (((void*)0) == x)
    *p = 1; // no-warning

  return x;
}

// The second test is the negation of the first: the x != 0 paths return, so
// the fall-through is exactly the x == 0 path on which p was reassigned.
int* f7c(int *x) {

  int* p = 0;

  if (((void*)0) == x)
    p = qux();

  if (((void*)0) != x)
    return x;

  // If we reach here then 'p' is not null.
  *p = 1; // no-warning
  return x;
}

// Counterpart of f7c: the second test repeats the first, so the x == 0 paths
// return and the fall-through keeps the initial p == 0.
int* f7c2(int *x) {

  int* p = 0;

  if (((void*)0) == x)
    p = qux();

  if (((void*)0) == x)
    return x;

  *p = 1; // expected-warning{{null}}
  return x;
}


// Contradictory nested conditions: both inner bodies are dead code.
void f8(int *p, int *q) {
  if (!p)
    if (p)
      *p = 1; // no-warning

  if (q)
    if (!q)
      *q = 1; // no-warning
}

int* qux();

// The assert constrains len >= 1, so the loop body runs at least once and p
// is reassigned from qux() before the dereference; the analyzer must pick up
// that precondition rather than report the initial p == 0.
int f9(unsigned len) {
  assert (len != 0);
  int *p = 0;
  unsigned i;

  for (i = 0; i < len; ++i)
    p = qux(i);

  return *p++; // no-warning
}

// Same as f9 with the precondition spelled as a relational comparison.
int f9b(unsigned len) {
  assert (len > 0); // note use of '>'
  int *p = 0;
  unsigned i;

  for (i = 0; i < len; ++i)
    p = qux(i);

  return *p++; // no-warning
}

// Compound assignment with mixed operand widths followed by a null test on
// the narrow result. The bare 'return;' diagnostic is a Sema warning.
int* f10(int* p, signed char x, int y) {
  // This line tests symbolication with compound assignments where the
  // LHS and RHS have different bitwidths.  The new symbolic value
  // for 'x' should have a bitwidth of 8.
  x &= y;

  // This tests that our symbolication worked, and that we correctly test
  // x against 0 (with the same bitwidth).
  if (!x) {
    if (!p) return; // expected-warning {{non-void function 'f10' should return a value}}
    *p = 10;
  }
  else p = 0;

  // On the !x path p was either found non-null above or the function already
  // returned; on the x != 0 path p is 0 but this store is not reached.
  if (!x)
    *p = 5; // no-warning

  return p;
}

// Test case from <rdar://problem/6407949>
// An unsigned value is never negative, so the else branch is infeasible.
void f11(unsigned i) {
  int *x = 0;
  if (i >= 0) {
    // always true
  } else {
    *x = 42; // no-warning
  }
}

// ~(unsigned)0 is the largest unsigned value, so i <= it always holds.
void f11b(unsigned i) {
  int *x = 0;
  if (i <= ~(unsigned)0) {
    // always true
  } else {
    *x = 42; // no-warning
  }
}

// Test case for switch statements with weird case arms.
// Windows-style integer/pointer typedefs used to build the case labels below.
typedef int BOOL, *PBOOL, *LPBOOL;
typedef long LONG_PTR, *PLONG_PTR;
typedef unsigned long ULONG_PTR, *PULONG_PTR;
typedef ULONG_PTR DWORD_PTR, *PDWORD_PTR;
typedef LONG_PTR LRESULT;
typedef struct _F12ITEM *HF12ITEM;

// Switch on a pointer cast to an integer, with a GNU case range and a label
// built by casting an integer through a pointer type and back. Only the
// 0 ... 10 arm falls out of the switch, and it sets p to q; q is an
// unconstrained parameter, so the final store must not be reported.
void f12(HF12ITEM i, char *q) {
  char *p = 0;
  switch ((DWORD_PTR) i) {
    case 0 ... 10:
      p = q;
      break;
    case (DWORD_PTR) ((HF12ITEM) - 65535):
      return;
    default:
      return;
  }

  *p = 1; // no-warning
}

// Test handling of translating between integer "pointers" and back.
// (int)x is 0, so ((0 << 2) + 1) >> 1 evaluates to 0 and the null store is
// unreachable.
void f13() {
  int *x = 0;
  if (((((int) x) << 2) + 1) >> 1) *x = 1; // no-warning
}

