1// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-checker=core,deadcode,alpha.core -std=gnu99 -analyzer-store=region -analyzer-constraints=range -analyzer-purge=none -verify %s -Wno-error=return-type 2// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-checker=core,deadcode,alpha.core -std=gnu99 -analyzer-store=region -analyzer-constraints=range -verify %s -Wno-error=return-type 3 4typedef unsigned uintptr_t; 5 6extern void __assert_fail (__const char *__assertion, __const char *__file, 7 unsigned int __line, __const char *__function) 8 __attribute__ ((__noreturn__)); 9 10#define assert(expr) \ 11 ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__)) 12 13void f1(int *p) { 14 if (p) *p = 1; 15 else *p = 0; // expected-warning{{ereference}} 16} 17 18struct foo_struct { 19 int x; 20}; 21 22int f2(struct foo_struct* p) { 23 24 if (p) 25 p->x = 1; 26 27 return p->x++; // expected-warning{{Access to field 'x' results in a dereference of a null pointer (loaded from variable 'p')}} 28} 29 30int f3(char* x) { 31 32 int i = 2; 33 34 if (x) 35 return x[i - 1]; 36 37 return x[i+1]; // expected-warning{{Array access (from variable 'x') results in a null pointer dereference}} 38} 39 40int f3_b(char* x) { 41 42 int i = 2; 43 44 if (x) 45 return x[i - 1]; 46 47 return x[i+1]++; // expected-warning{{Array access (from variable 'x') results in a null pointer dereference}} 48} 49 50int f4(int *p) { 51 52 uintptr_t x = (uintptr_t) p; 53 54 if (x) 55 return 1; 56 57 int *q = (int*) x; 58 return *q; // expected-warning{{Dereference of null pointer (loaded from variable 'q')}} 59} 60 61int f4_b() { 62 short array[2]; 63 uintptr_t x = array; // expected-warning{{incompatible pointer to integer conversion}} 64 short *p = x; // expected-warning{{incompatible integer to pointer conversion}} 65 66 // The following branch should be infeasible. 67 if (!(p == &array[0])) { 68 p = 0; 69 *p = 1; // no-warning 70 } 71 72 if (p) { 73 *p = 5; // no-warning 74 p = 0; 75 } 76 else return; // expected-warning {{non-void function 'f4_b' should return a value}} 77 78 *p += 10; // expected-warning{{Dereference of null pointer}} 79 return 0; 80} 81 82int f5() { 83 84 char *s = "hello world"; 85 return s[0]; // no-warning 86} 87 88int bar(int* p, int q) __attribute__((nonnull)); 89 90int f6(int *p) { 91 return !p ? bar(p, 1) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}} 92 : bar(p, 0); // no-warning 93} 94 95int bar2(int* p, int q) __attribute__((nonnull(1))); 96 97int f6b(int *p) { 98 return !p ? bar2(p, 1) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}} 99 : bar2(p, 0); // no-warning 100} 101 102int bar3(int*p, int q, int *r) __attribute__((nonnull(1,3))); 103 104int f6c(int *p, int *q) { 105 return !p ? bar3(q, 2, p) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}} 106 : bar3(p, 2, q); // no-warning 107} 108 109void f6d(int *p) { 110 bar(p, 0); 111 // At this point, 'p' cannot be null. 112 if (!p) { 113 int *q = 0; 114 *q = 0xDEADBEEF; // no-warning 115 } 116} 117 118void f6e(int *p, int offset) { 119 // PR7406 - crash from treating an UnknownVal as defined, to see if it's 0. 120 bar((p+offset)+1, 0); // not crash 121} 122 123int* qux(); 124 125int f7(int x) { 126 127 int* p = 0; 128 129 if (0 == x) 130 p = qux(); 131 132 if (0 == x) 133 *p = 1; // no-warning 134 135 return x; 136} 137 138int* f7b(int *x) { 139 140 int* p = 0; 141 142 if (((void*)0) == x) 143 p = qux(); 144 145 if (((void*)0) == x) 146 *p = 1; // no-warning 147 148 return x; 149} 150 151int* f7c(int *x) { 152 153 int* p = 0; 154 155 if (((void*)0) == x) 156 p = qux(); 157 158 if (((void*)0) != x) 159 return x; 160 161 // If we reach here then 'p' is not null. 162 *p = 1; // no-warning 163 return x; 164} 165 166int* f7c2(int *x) { 167 168 int* p = 0; 169 170 if (((void*)0) == x) 171 p = qux(); 172 173 if (((void*)0) == x) 174 return x; 175 176 *p = 1; // expected-warning{{null}} 177 return x; 178} 179 180 181void f8(int *p, int *q) { 182 if (!p) 183 if (p) 184 *p = 1; // no-warning 185 186 if (q) 187 if (!q) 188 *q = 1; // no-warning 189} 190 191int* qux(); 192 193int f9(unsigned len) { 194 assert (len != 0); 195 int *p = 0; 196 unsigned i; 197 198 for (i = 0; i < len; ++i) 199 p = qux(i); 200 201 return *p++; // no-warning 202} 203 204int f9b(unsigned len) { 205 assert (len > 0); // note use of '>' 206 int *p = 0; 207 unsigned i; 208 209 for (i = 0; i < len; ++i) 210 p = qux(i); 211 212 return *p++; // no-warning 213} 214 215int* f10(int* p, signed char x, int y) { 216 // This line tests symbolication with compound assignments where the 217 // LHS and RHS have different bitwidths. The new symbolic value 218 // for 'x' should have a bitwidth of 8. 219 x &= y; 220 221 // This tests that our symbolication worked, and that we correctly test 222 // x against 0 (with the same bitwidth). 223 if (!x) { 224 if (!p) return 0; 225 *p = 10; 226 } 227 else p = 0; 228 229 if (!x) 230 *p = 5; // no-warning 231 232 return p; 233} 234 235// Test case from <rdar://problem/6407949> 236void f11(unsigned i) { 237 int *x = 0; 238 if (i >= 0) { // expected-warning{{always true}} 239 // always true 240 } else { 241 *x = 42; // no-warning 242 } 243} 244 245void f11b(unsigned i) { 246 int *x = 0; 247 if (i <= ~(unsigned)0) { 248 // always true 249 } else { 250 *x = 42; // no-warning 251 } 252} 253 254// Test case for switch statements with weird case arms. 255typedef int BOOL, *PBOOL, *LPBOOL; 256typedef long LONG_PTR, *PLONG_PTR; 257typedef unsigned long ULONG_PTR, *PULONG_PTR; 258typedef ULONG_PTR DWORD_PTR, *PDWORD_PTR; 259typedef LONG_PTR LRESULT; 260typedef struct _F12ITEM *HF12ITEM; 261 262void f12(HF12ITEM i, char *q) { 263 char *p = 0; 264 switch ((DWORD_PTR) i) { 265 case 0 ... 10: 266 p = q; 267 break; 268 case (DWORD_PTR) ((HF12ITEM) - 65535): 269 return; 270 default: 271 return; 272 } 273 274 *p = 1; // no-warning 275} 276 277// Test handling of translating between integer "pointers" and back. 278void f13() { 279 int *x = 0; 280 if (((((int) x) << 2) + 1) >> 1) *x = 1; 281} 282 283// PR 4759 - Attribute non-null checking by the analyzer was not correctly 284// handling pointer values that were undefined. 285void pr4759_aux(int *p) __attribute__((nonnull)); 286 287void pr4759() { 288 int *p; 289 pr4759_aux(p); // expected-warning{{Function call argument is an uninitialized value}} 290} 291 292// Relax function call arguments invalidation to be aware of const 293// arguments. Test with function pointers. radar://10595327 294void ttt(const int *nptr); 295void ttt2(const int *nptr); 296typedef void (*NoConstType)(int*); 297int foo10595327(int b) { 298 void (*fp)(int *); 299 // We use path sensitivity to get the function declaration. Even when the 300 // function pointer is cast to non-pointer-to-const parameter type, we can 301 // find the right function declaration. 302 if (b > 5) 303 fp = (NoConstType)ttt2; 304 else 305 fp = (NoConstType)ttt; 306 int x = 3; 307 int y = x + 1; 308 int *p = 0; 309 fp(&y); 310 if (x == y) 311 return *p; // no-warning 312 return 0; 313} 314 315#define AS_ATTRIBUTE volatile __attribute__((address_space(256))) 316#define _get_base() ((void * AS_ATTRIBUTE *)0) 317void* test_address_space_array(unsigned long slot) { 318 return _get_base()[slot]; // no-warning 319} 320void test_address_space_condition(int AS_ATTRIBUTE *cpu_data) { 321 if (cpu_data == 0) { 322 *cpu_data = 3; // no-warning 323 } 324} 325struct X { int member; }; 326int test_address_space_member() { 327 struct X AS_ATTRIBUTE *data = (struct X AS_ATTRIBUTE *)0UL; 328 int ret; 329 ret = data->member; // no-warning 330 return ret; 331} 332