reference.cpp revision 5699f62df144545702b91e91836a63db4e5f2627
// RUN: %clang_cc1 -analyze -analyzer-checker=core,alpha.core,debug.ExprInspection -analyzer-store=region -analyzer-constraints=range -verify -Wno-null-dereference %s

// Static-analyzer regression test for how C++ references are modelled,
// mainly around null-pointer dereference reporting. The command above uses
// -verify, so the warning annotations in trailing comments are part of the
// test: keep each one on the line it describes, and add no new code line
// that would produce an unannotated diagnostic.
// NOTE(review): -Wno-null-dereference presumably keeps the compiler's own
// null-dereference warning from interfering with the annotations -- confirm.

// Inspection hook used with the debug.ExprInspection checker enabled above;
// in this file the analyzer's verdict on the argument shows up as a
// TRUE or UNKNOWN warning.
void clang_analyzer_eval(bool);

typedef typeof(sizeof(int)) size_t;
// NOTE(review): declared with a void return type and not referenced in the
// code shown here.
void malloc (size_t);

// A const reference bound to the literal 3 is read back into b. The null
// store is reachable only when b != 3, so "no-warning" documents that the
// analyzer must not report a dereference on that branch.
void f1() {
  int const &i = 3;
  int b = i;

  int *p = 0;

  if (b != 3)
    *p = 1; // no-warning
}

// Opaque sources of a pointer and a reference; only declared here, so the
// analyzer sees no body for them.
char* ptr();
char& ref();

// These next two tests just shouldn't crash.
char t1 () {
  ref() = 'c';
  return '0';
}

// just a sanity test, the same behavior as t1()
char t2 () {
  *ptr() = 'c';
  return '0';
}

// Each of the tests below is repeated with pointers as well as references.
// This is mostly a sanity check, but then again, both should work!
//
// Shared shape of t3..t6: 'c' is stored through the reference/pointer, the
// stored value is tested, and the literal null dereference sits on the path
// where that value would be zero. The "no-warning" markers document that
// neither the store nor the null dereference may be reported.
char t3 () {
  char& r = ref();
  r = 'c'; // no-warning
  if (r) return r;
  return *(char*)0; // no-warning
}

char t4 () {
  char* p = ptr();
  *p = 'c'; // no-warning
  if (*p) return *p;
  return *(char*)0; // no-warning
}

// Same checks as t3/t4, with the reference and pointer supplied by the caller.
char t5 (char& r) {
  r = 'c'; // no-warning
  if (r) return r;
  return *(char*)0; // no-warning
}

char t6 (char* p) {
  *p = 'c'; // no-warning
  if (*p) return *p;
  return *(char*)0; // no-warning
}


// PR13440 / <rdar://problem/11977113>
// Test that the array-to-pointer decay works for array references as well.
// More generally, when we want an lvalue for a reference field, we still need
// to do one level of load.
namespace PR13440 {
  typedef int T[1];
  // S names the array type through the typedef; S2 spells the
  // reference-to-array type directly. Both are exercised the same way below.
  struct S {
    T &x;

    int *m() { return x; }
  };

  struct S2 {
    int (&x)[1];

    int *m() { return x; }
  };

  void test() {
    int a[1];
    S s = { a };
    S2 s2 = { a };

    // Continue only on paths where each reference field decays to the same
    // address as a.
    if (s.x != a) return;
    if (s2.x != a) return;

    // A write through a must be visible when read through either field.
    a[0] = 42;
    clang_analyzer_eval(s.x[0] == 42); // expected-warning{{TRUE}}
    clang_analyzer_eval(s2.x[0] == 42); // expected-warning{{TRUE}}
  }
}

// Binding a reference to *x with x a literal null: the warning is annotated
// on the binding itself, and the later store through y carries none.
void testNullReference() {
  int *x = 0;
  int &y = *x; // expected-warning{{Dereference of null pointer}}
  y = 5;
}

// Check-after-use shape: the reference is bound before x is compared with
// null. Only the store on the x == 0 path is annotated; the binding line
// carries no annotation.
void testRetroactiveNullReference(int *x) {
  // According to the C++ standard, there is no such thing as a
  // "null reference". So the 'if' statement ought to be dead code.
  // However, Clang (and other compilers) don't actually check that a pointer
  // value is non-null in the implementation of references, so it is possible
  // to produce a supposed "null reference" at runtime. The analyzer should
  // still warn when it can prove such errors.
  int &y = *x;
  if (x != 0)
    return;
  y = 5; // expected-warning{{Dereference of null pointer}}
}

// The address of a reference parameter, of a reference returned from a call,
// and of a reference field reached through a pointer are each evaluated as
// non-null.
void testReferenceAddress(int &x) {
  clang_analyzer_eval(&x != 0); // expected-warning{{TRUE}}
  clang_analyzer_eval(&ref() != 0); // expected-warning{{TRUE}}

  struct S { int &x; };

  extern S *getS();
  clang_analyzer_eval(&getS()->x != 0); // expected-warning{{TRUE}}
}


// Calls a reference-returning function through a pointer cast from void*,
// then checks that a value stored through the result is read back.
void testFunctionPointerReturn(void *opaque) {
  typedef int &(*RefFn)();

  RefFn getRef = (RefFn)opaque;

  // Don't crash writing to or reading from this reference.
  int &x = getRef();
  x = 42;
  clang_analyzer_eval(x == 42); // expected-warning{{TRUE}}
}


// ------------------------------------
// False negatives
// ------------------------------------
// The cases below record known gaps, not desired behavior: the lines marked
// "should warn here!" carry no warning annotation, so under -verify this file
// passes only while the analyzer stays silent on them. A clean run is
// therefore not evidence that returning *x for a null x is detected.

namespace rdar11212286 {
  class B{};

  // Null pointer dereferenced to produce a by-value return.
  B test() {
    B *x = 0;
    return *x; // should warn here!
  }

  // Null pointer dereferenced to produce a returned reference.
  B &testRef() {
    B *x = 0;
    return *x; // should warn here!
  }
}

// Contrast with testReferenceAddress: here S is returned by value, and the
// address of its reference field evaluates to UNKNOWN instead of TRUE.
void testReferenceFieldAddress() {
  struct S { int &x; };

  extern S getS();
  clang_analyzer_eval(&getS().x != 0); // expected-warning{{UNKNOWN}}
}