1// NOTE: Use '-fobjc-gc' to test the analysis being run twice, and multiple reports are not issued. 2// RUN: %clang_analyze_cc1 -triple i386-apple-darwin10 -analyzer-checker=core,alpha.core,osx.cocoa.AtSync -Wno-strict-prototypes -Wno-pointer-to-int-cast -verify -fblocks -Wno-unreachable-code -Wno-null-dereference -Wno-objc-root-class %s 3// RUN: %clang_analyze_cc1 -triple x86_64-apple-darwin10 -analyzer-checker=core,alpha.core,osx.cocoa.AtSync -Wno-strict-prototypes -Wno-pointer-to-int-cast -verify -fblocks -Wno-unreachable-code -Wno-null-dereference -Wno-objc-root-class %s 4 5#ifndef __clang_analyzer__ 6#error __clang_analyzer__ not defined 7#endif 8 9typedef struct objc_ivar *Ivar; 10typedef struct objc_selector *SEL; 11typedef signed char BOOL; 12typedef int NSInteger; 13typedef unsigned int NSUInteger; 14typedef struct _NSZone NSZone; 15@class NSInvocation, NSArray, NSMethodSignature, NSCoder, NSString, NSEnumerator; 16@protocol NSObject 17- (BOOL)isEqual:(id)object; 18- (id)autorelease; 19@end 20@protocol NSCopying 21- (id)copyWithZone:(NSZone *)zone; 22@end 23@protocol NSMutableCopying - (id)mutableCopyWithZone:(NSZone *)zone; @end 24@protocol NSCoding 25- (void)encodeWithCoder:(NSCoder *)aCoder; 26@end 27@interface NSObject <NSObject> {} 28- (id)init; 29+ (id)allocWithZone:(NSZone *)zone; 30@end 31extern id NSAllocateObject(Class aClass, NSUInteger extraBytes, NSZone *zone); 32@interface NSString : NSObject <NSCopying, NSMutableCopying, NSCoding> 33- (NSUInteger)length; 34+ (id)stringWithUTF8String:(const char *)nullTerminatedCString; 35@end extern NSString * const NSBundleDidLoadNotification; 36@interface NSValue : NSObject <NSCopying, NSCoding> 37- (void)getValue:(void *)value; 38@end 39@interface NSNumber : NSValue 40- (char)charValue; 41- (id)initWithBool:(BOOL)value; 42@end 43@interface NSAssertionHandler : NSObject {} 44+ (NSAssertionHandler *)currentHandler; 45- (void)handleFailureInMethod:(SEL)selector object:(id)object file:(NSString *)fileName lineNumber:(NSInteger)line description:(NSString *)format,...; 46@end 47extern NSString * const NSConnectionReplyMode; 48typedef float CGFloat; 49typedef struct _NSPoint { 50 CGFloat x; 51 CGFloat y; 52} NSPoint; 53typedef struct _NSSize { 54 CGFloat width; 55 CGFloat height; 56} NSSize; 57typedef struct _NSRect { 58 NSPoint origin; 59 NSSize size; 60} NSRect; 61 62@interface A @end 63@implementation A 64- (void)foo:(void (^)(NSObject *x))block { 65 if (!((block != ((void *)0)))) {} 66} 67@end 68 69// Reduced test case from crash in PR 2796; 70// http://llvm.org/bugs/show_bug.cgi?id=2796 71 72unsigned foo(unsigned x) { return __alignof__((x)) + sizeof(x); } 73 74// Improvement to path-sensitivity involving compound assignments. 75unsigned r6268365Aux(void); 76 77void r6268365(void) { 78 unsigned x = 0; 79 x &= r6268365Aux(); 80 unsigned j = 0; 81 82 if (x == 0) ++j; 83 if (x == 0) x = x / j; 84} 85 86void divzeroassume(unsigned x, unsigned j) { 87 x /= j; 88 if (j == 0) x /= 0; // no static-analyzer warning expected-warning {{division by zero is undefined}} 89 if (j == 0) x /= j; // no static-analyzer warning 90 if (j == 0) x = x / 0; // no static-analyzer warning expected-warning {{division by zero is undefined}} 91} 92 93void divzeroassumeB(unsigned x, unsigned j) { 94 x = x / j; 95 if (j == 0) x /= 0; // no static-analyzer warning expected-warning {{division by zero is undefined}} 96 if (j == 0) x /= j; // no static-analyzer warning 97 if (j == 0) x = x / 0; // no static-analyzer warning expected-warning {{division by zero is undefined}} 98} 99 100// InitListExpr processing 101 102typedef float __m128 __attribute__((__vector_size__(16), __may_alias__)); 103__m128 return128(void) { 104 // This compound literal has a Vector type. We currently just 105 // return UnknownVal. 106 return __extension__(__m128) { 0.0f, 0.0f, 0.0f, 0.0f }; 107} 108 109typedef long long __v2di __attribute__ ((__vector_size__ (16))); 110typedef long long __m128i __attribute__ ((__vector_size__ (16), __may_alias__)); 111__m128i vec128i(long long __q1, long long __q0) { 112 // This compound literal returns true for both isVectorType() and 113 // isIntegerType(). 114 return __extension__ (__m128i)(__v2di){ __q0, __q1 }; 115} 116 117// sizeof(void) 118// - Tests a regression reported in PR 3211: http://llvm.org/bugs/show_bug.cgi?id=3211 119void handle_sizeof_void(unsigned flag) { 120 int* p = 0; 121 122 if (flag) { 123 if (sizeof(void) == 1) 124 return; 125 // Infeasible. 126 *p = 1; // no-warning 127 } 128 129 void* q; 130 131 if (!flag) { 132 if (sizeof(*q) == 1) 133 return; 134 // Infeasibe. 135 *p = 1; // no-warning 136 } 137 138 // Infeasible. 139 *p = 1; // no-warning 140} 141 142// check deference of undefined values 143void check_deref_undef(void) { 144 int *p; 145 *p = 0xDEADBEEF; // expected-warning{{Dereference of undefined pointer value}} 146} 147 148// PR 3422 149void pr3422_helper(char *p); 150void pr3422(void) { 151 char buf[100]; 152 char *q = &buf[10]; 153 pr3422_helper(&q[1]); 154} 155 156// PR 3543 (handle empty statement expressions) 157void pr_3543(void) { 158 ({}); 159} 160 161// This test case test the use of a vector type within an array subscript 162// expression. 163typedef long long __a64vector __attribute__((__vector_size__(8))); 164typedef long long __a128vector __attribute__((__vector_size__(16))); 165static inline __a64vector __attribute__((__always_inline__, __nodebug__)) 166my_test_mm_movepi64_pi64(__a128vector a) { 167 return (__a64vector)a[0]; 168} 169 170// Test basic tracking of ivars associated with 'self'. 171@interface SelfIvarTest : NSObject { 172 int flag; 173} 174- (void)test_self_tracking; 175@end 176 177@implementation SelfIvarTest 178- (void)test_self_tracking { 179 char *p = 0; 180 char c; 181 182 if (flag) 183 p = "hello"; 184 185 if (flag) 186 c = *p; // no-warning 187} 188@end 189 190// PR 3770 191char pr3770(int x) { 192 int y = x & 0x2; 193 char *p = 0; 194 if (y == 1) 195 p = "hello"; 196 197 if (y == 1) 198 return p[0]; // no-warning 199 200 return 'a'; 201} 202 203// PR 3772 204// - We just want to test that this doesn't crash the analyzer. 205typedef struct st ST; 206struct st { char *name; }; 207extern ST *Cur_Pu; 208 209void pr3772(void) 210{ 211 static ST *last_Cur_Pu; 212 if (last_Cur_Pu == Cur_Pu) { 213 return; 214 } 215} 216 217// PR 3780 - This tests that StmtIterator isn't broken for VLAs in DeclGroups. 218void pr3780(int sz) { typedef double MAT[sz][sz]; } 219 220// Test that we don't symbolicate doubles before we are ready to do something 221// with them. 222int rdar6695527(double x) { 223 if (!x) { return 0; } 224 return 1; 225} 226 227// Test that we properly invalidate structs passed-by-reference to a function. 228void pr6708148_invalidate(NSRect *x); 229void pr6708148_use(NSRect x); 230void pr6708148_test(void) { 231 NSRect x; 232 pr6708148_invalidate(&x); 233 pr6708148_use(x); // no-warning 234} 235 236// Handle both kinds of noreturn attributes for pruning paths. 237void rdar_6777003_noret(void) __attribute__((noreturn)); 238void rdar_6777003_analyzer_noret(void) __attribute__((analyzer_noreturn)); 239 240void rdar_6777003(int x) { 241 int *p = 0; 242 243 if (x == 1) { 244 rdar_6777003_noret(); 245 *p = 1; // no-warning; 246 } 247 248 if (x == 2) { 249 rdar_6777003_analyzer_noret(); 250 *p = 1; // no-warning; 251 } 252 253 *p = 1; // expected-warning{{Dereference of null pointer}} 254} 255 256// Check that the pointer-to-conts arguments do not get invalidated by Obj C 257// interfaces. 258int rdar_10595327(char *str) { 259 char fl = str[0]; 260 int *p = 0; 261 NSString *s = [NSString stringWithUTF8String:str]; 262 if (str[0] != fl) 263 return *p; // no-warning 264 return 0; 265} 266 267// For pointer arithmetic, --/++ should be treated as preserving non-nullness, 268// regardless of how well the underlying StoreManager reasons about pointer 269// arithmetic. 270void rdar_6777209(char *p) { 271 if (p == 0) 272 return; 273 274 ++p; 275 276 // This branch should always be infeasible. 277 if (p == 0) 278 *p = 'c'; // no-warning 279} 280 281// PR 4033. A symbolic 'void *' pointer can be used as the address for a 282// computed goto. 283typedef void *Opcode; 284Opcode pr_4033_getOpcode(void); 285void pr_4033(void) { 286 void *lbl = &&next_opcode; 287next_opcode: 288 { 289 Opcode op = pr_4033_getOpcode(); 290 if (op) goto *op; 291 } 292} 293 294// Test invalidating pointers-to-pointers with slightly different types. This 295// example came from a recent false positive due to a regression where the 296// branch condition was falsely reported as being uninitialized. 297void invalidate_by_ref(char **x); 298int test_invalidate_by_ref(void) { 299 unsigned short y; 300 invalidate_by_ref((char**) &y); 301 if (y) // no-warning 302 return 1; 303 return 0; 304} 305 306// This just tests that the CFG is constructed correctly. Previously, the 307// successor block of the entrance was the block containing the merge for '?', 308// which would trigger an assertion failure. 309int rdar_7027684_aux(void); 310int rdar_7027684_aux_2(void) __attribute__((noreturn)); 311void rdar_7027684(int x, int y) { 312 {}; // this empty compound statement is critical. 313 (rdar_7027684_aux() ? rdar_7027684_aux_2() : (void) 0); 314} 315 316// Test that we handle casts of string literals to arbitrary types. 317unsigned const char *string_literal_test1(void) { 318 return (const unsigned char*) "hello"; 319} 320 321const float *string_literal_test2(void) { 322 return (const float*) "hello"; 323} 324 325// Test that we handle casts *from* incomplete struct types. 326extern const struct _FooAssertStruct _cmd; 327void test_cast_from_incomplete_struct_aux(volatile const void *x); 328void test_cast_from_incomplete_struct(void) { 329 test_cast_from_incomplete_struct_aux(&_cmd); 330} 331 332// "ValueManager::makeIntVal(uint64_t X, QualType T) should return a 'Loc' 333// when 'T' is a pointer" 334// 335// Previously this case would crash. 336void test_rdar_7034511(NSArray *y) { 337 NSObject *x; 338 for (x in y) {} 339 if (x == ((void*) 0)) {} 340} 341 342// Handle casts of function pointers (CodeTextRegions) to arbitrary pointer 343// types. This was previously causing a crash in CastRegion. 344void handle_funcptr_voidptr_casts(void) { 345 void **ptr; 346 typedef void *PVOID; 347 typedef void *PCHAR; 348 typedef long INT_PTR, *PINT_PTR; 349 typedef INT_PTR (*FARPROC)(void); 350 FARPROC handle_funcptr_voidptr_casts_aux(void); 351 PVOID handle_funcptr_voidptr_casts_aux_2(PVOID volatile *x); 352 PVOID handle_funcptr_voidptr_casts_aux_3(PCHAR volatile *x); 353 354 ptr = (void**) handle_funcptr_voidptr_casts_aux(); 355 handle_funcptr_voidptr_casts_aux_2(ptr); 356 handle_funcptr_voidptr_casts_aux_3(ptr); 357} 358 359// RegionStore::Retrieve previously crashed on this example. This example 360// was previously in the test file 'xfail_regionstore_wine_crash.c'. 361void testA(void) { 362 long x = 0; 363 char *y = (char *) &x; 364 if (!*y) 365 return; 366} 367 368// RegionStoreManager previously crashed on this example. The problem is that 369// the value bound to the field of b->grue after the call to testB_aux is 370// a symbolic region. The second '*__gruep__' involves performing a load 371// from a 'int*' that really is a 'void**'. The loaded location must be 372// implicitly converted to an integer that wraps a location. Previosly we would 373// get a crash here due to an assertion failure. 374typedef struct _BStruct { void *grue; } BStruct; 375void testB_aux(void *ptr); 376void testB(BStruct *b) { 377 { 378 int *__gruep__ = ((int *)&((b)->grue)); 379 int __gruev__ = *__gruep__; 380 testB_aux(__gruep__); 381 } 382 { 383 int *__gruep__ = ((int *)&((b)->grue)); 384 int __gruev__ = *__gruep__; 385 if (~0 != __gruev__) {} 386 } 387} 388 389void test_trivial_symbolic_comparison(int *x) { 390 int test_trivial_symbolic_comparison_aux(void); 391 int a = test_trivial_symbolic_comparison_aux(); 392 int b = a; 393 if (a != b) { 394 int *p = 0; 395 *p = 0xDEADBEEF; // no-warning 396 } 397 398 a = a == 1; 399 b = b == 1; 400 if (a != b) { 401 int *p = 0; 402 *p = 0xDEADBEEF; // no-warning 403 } 404} 405 406// Test for: 407// false positive null dereference due to BasicStoreManager not tracking 408// *static* globals 409// 410// This just tests the proper tracking of symbolic values for globals (both 411// static and non-static). 412// 413static int* x_rdar_7062158; 414void rdar_7062158(void) { 415 int *current = x_rdar_7062158; 416 if (current == x_rdar_7062158) 417 return; 418 419 int *p = 0; 420 *p = 0xDEADBEEF; // no-warning 421} 422 423int* x_rdar_7062158_2; 424void rdar_7062158_2(void) { 425 int *current = x_rdar_7062158_2; 426 if (current == x_rdar_7062158_2) 427 return; 428 429 int *p = 0; 430 *p = 0xDEADBEEF; // no-warning 431} 432 433// This test reproduces a case for a crash when analyzing ClamAV using 434// RegionStoreManager (the crash doesn't exhibit in BasicStoreManager because 435// it isn't doing anything smart about arrays). The problem is that on the 436// second line, 'p = &p[i]', p is assigned an ElementRegion whose index 437// is a 16-bit integer. On the third line, a new ElementRegion is created 438// based on the previous region, but there the region uses a 32-bit integer, 439// resulting in a clash of values (an assertion failure at best). We resolve 440// this problem by implicitly converting index values to 'int' when the 441// ElementRegion is created. 442unsigned char test_array_index_bitwidth(const unsigned char *p) { 443 unsigned short i = 0; 444 for (i = 0; i < 2; i++) p = &p[i]; 445 return p[i+1]; 446} 447 448// This case tests that CastRegion handles casts involving BlockPointerTypes. 449// It should not crash. 450void test_block_cast(void) { 451 id test_block_cast_aux(void); 452 (void (^)(void *))test_block_cast_aux(); // expected-warning{{expression result unused}} 453} 454 455int OSAtomicCompareAndSwap32Barrier(); 456 457// Test comparison of 'id' instance variable to a null void* constant after 458// performing an OSAtomicCompareAndSwap32Barrier. 459// This previously was a crash in RegionStoreManager. 460@interface TestIdNull { 461 id x; 462} 463-(int)foo; 464@end 465@implementation TestIdNull 466-(int)foo { 467 OSAtomicCompareAndSwap32Barrier(0, (signed)2, (signed*)&x); 468 if (x == (void*) 0) { return 0; } 469 return 1; 470} 471@end 472 473// Do not crash when performing compare and swap on symbolic values. 474typedef int int32_t; 475typedef int int32; 476typedef int32 Atomic32; 477int OSAtomicCompareAndSwap32( int32_t __oldValue, int32_t __newValue, volatile int32_t *__theValue); 478void radar11390991_NoBarrier_CompareAndSwap(volatile Atomic32 *ptr, 479 Atomic32 old_value, 480 Atomic32 new_value) { 481 OSAtomicCompareAndSwap32(old_value, new_value, ptr); 482} 483 484// PR 4594 - This was a crash when handling casts in SimpleSValuator. 485void PR4594(void) { 486 char *buf[1]; 487 char **foo = buf; 488 *foo = "test"; 489} 490 491// Test invalidation logic where an integer is casted to an array with a 492// different sign and then invalidated. 493void test_invalidate_cast_int(void) { 494 void test_invalidate_cast_int_aux(unsigned *i); 495 signed i; 496 test_invalidate_cast_int_aux((unsigned*) &i); 497 if (i < 0) 498 return; 499} 500 501int ivar_getOffset(); 502 503// Reduced from a crash involving the cast of an Objective-C symbolic region to 504// 'char *' 505static NSNumber *test_ivar_offset(id self, SEL _cmd, Ivar inIvar) { 506 return [[[NSNumber allocWithZone:((void*)0)] initWithBool:*(_Bool *)((char *)self + ivar_getOffset(inIvar))] autorelease]; 507} 508 509// Reduced from a crash in StoreManager::CastRegion involving a divide-by-zero. 510// This resulted from not properly handling region casts to 'const void*'. 511void test_cast_const_voidptr(void) { 512 char x[10]; 513 char *p = &x[1]; 514 const void* q = p; 515} 516 517// Reduced from a crash when analyzing Wine. This test handles loads from 518// function addresses. 519typedef long (*FARPROC)(void); 520FARPROC test_load_func(FARPROC origfun) { 521 if (!*(unsigned char*) origfun) 522 return origfun; 523 return 0; 524} 525 526// Test passing-by-value an initialized struct variable. 527struct test_pass_val { 528 int x; 529 int y; 530}; 531void test_pass_val_aux(struct test_pass_val s); 532void test_pass_val(void) { 533 struct test_pass_val s; 534 s.x = 1; 535 s.y = 2; 536 test_pass_val_aux(s); 537} 538 539// This is a reduced test case of a false positive that previously appeared 540// in RegionStoreManager. Previously the array access resulted in dereferencing 541// an undefined value. 542int test_array_compound(int *q, int *r, int *z) { 543 int *array[] = { q, r, z }; 544 int j = 0; 545 for (unsigned i = 0; i < 3 ; ++i) 546 if (*array[i]) ++j; // no-warning 547 return j; 548} 549 550// symbolic value stored in 'x' wouldn't be implicitly casted to a signed value 551// during the comparison. 552int rdar_7124210(unsigned int x) { 553 enum { SOME_CONSTANT = 123 }; 554 int compare = ((signed) SOME_CONSTANT) == *((signed *) &x); 555 return compare ? 0 : 1; // Forces the evaluation of the symbolic constraint. 556} 557 558void pr4781(unsigned long *raw1) { 559 unsigned long *cook, *raw0; 560 unsigned long dough[32]; 561 int i; 562 cook = dough; 563 for( i = 0; i < 16; i++, raw1++ ) { 564 raw0 = raw1++; 565 *cook = (*raw0 & 0x00fc0000L) << 6; 566 *cook |= (*raw0 & 0x00000fc0L) << 10; 567 } 568} 569 570// 'self' should be treated as being non-null upon entry to an objective-c 571// method. 572@interface RDar7185647 573- (id)foo; 574@end 575@implementation RDar7185647 576- (id) foo { 577 if (self) 578 return self; 579 *((volatile int *) 0x0) = 0xDEADBEEF; // no-warning 580 return self; 581} 582@end 583 584// Test reasoning of __builtin_offsetof; 585struct test_offsetof_A { 586 int x; 587 int y; 588}; 589struct test_offsetof_B { 590 int w; 591 int z; 592}; 593void test_offsetof_1(void) { 594 if (__builtin_offsetof(struct test_offsetof_A, x) == 595 __builtin_offsetof(struct test_offsetof_B, w)) 596 return; 597 int *p = 0; 598 *p = 0xDEADBEEF; // no-warning 599} 600void test_offsetof_2(void) { 601 if (__builtin_offsetof(struct test_offsetof_A, y) == 602 __builtin_offsetof(struct test_offsetof_B, z)) 603 return; 604 int *p = 0; 605 *p = 0xDEADBEEF; // no-warning 606} 607void test_offsetof_3(void) { 608 if (__builtin_offsetof(struct test_offsetof_A, y) - 609 __builtin_offsetof(struct test_offsetof_A, x) 610 == 611 __builtin_offsetof(struct test_offsetof_B, z) - 612 __builtin_offsetof(struct test_offsetof_B, w)) 613 return; 614 int *p = 0; 615 *p = 0xDEADBEEF; // no-warning 616} 617void test_offsetof_4(void) { 618 if (__builtin_offsetof(struct test_offsetof_A, y) == 619 __builtin_offsetof(struct test_offsetof_B, w)) 620 return; 621 int *p = 0; 622 *p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}} 623} 624 625// "nil receiver" false positive: make tracking of the MemRegion for 'self' 626// path-sensitive 627@interface RDar6829164 : NSObject { 628 double x; int y; 629} 630- (id) init; 631@end 632 633id rdar_6829164_1(void); 634double rdar_6829164_2(void); 635 636@implementation RDar6829164 637- (id) init { 638 if((self = [super init]) != 0) { 639 id z = rdar_6829164_1(); 640 y = (z != 0); 641 if (y) 642 x = rdar_6829164_2(); 643 } 644 return self; 645} 646@end 647 648// Invalidate values passed-by-reference to functions when the pointer to the 649// value is passed as an integer. 650void test_7242015_aux(unsigned long); 651int rdar_7242015(void) { 652 int x; 653 test_7242015_aux((unsigned long) &x); // no-warning 654 return x; // Previously we return and uninitialized value when 655 // using RegionStore. 656} 657 658// [RegionStore] compound literal assignment with floats not honored 659CGFloat rdar7242006(CGFloat x) { 660 NSSize y = (NSSize){x, 10}; 661 return y.width; // no-warning 662} 663 664// PR 4988 - This test exhibits a case where a function can be referenced 665// when not explicitly used in an "lvalue" context (as far as the analyzer is 666// concerned). This previously triggered a crash due to an invalid assertion. 667void pr_4988(void) { 668 pr_4988; // expected-warning{{expression result unused}} 669} 670 671// A 'signed char' is used as a flag, which is implicitly converted to an int. 672void *rdar7152418_bar(void); 673@interface RDar7152418 { 674 signed char x; 675} 676-(char)foo; 677@end; 678@implementation RDar7152418 679-(char)foo { 680 char *p = 0; 681 void *result = 0; 682 if (x) { 683 result = rdar7152418_bar(); 684 p = "hello"; 685 } 686 if (!result) { 687 result = rdar7152418_bar(); 688 if (result && x) 689 return *p; // no-warning 690 } 691 return 1; 692} 693 694//===----------------------------------------------------------------------===// 695// Test constant-folding of symbolic values, automatically handling type 696// conversions of the symbol as necessary. 697//===----------------------------------------------------------------------===// 698 699// Previously this would crash once we started eagerly evaluating symbols whose 700// values were constrained to a single value. 701void test_symbol_fold_1(signed char x) { 702 while (1) { 703 if (x == ((signed char) 0)) {} 704 } 705} 706 707// This previously caused a crash because it triggered an assertion in APSInt. 708void test_symbol_fold_2(unsigned int * p, unsigned int n, 709 const unsigned int * grumpkin, unsigned int dn) { 710 unsigned int i; 711 unsigned int tempsub[8]; 712 unsigned int *solgrumpkin = tempsub + n; 713 for (i = 0; i < n; i++) 714 solgrumpkin[i] = (i < dn) ? ~grumpkin[i] : 0xFFFFFFFF; 715 for (i <<= 5; i < (n << 5); i++) {} 716} 717 718// This previously caused a crash because it triggered an assertion in APSInt. 719// 'x' would evaluate to a 8-bit constant (because of the return value of 720// test_symbol_fold_3_aux()) which would not get properly promoted to an 721// integer. 722char test_symbol_fold_3_aux(void); 723unsigned test_symbol_fold_3(void) { 724 unsigned x = test_symbol_fold_3_aux(); 725 if (x == 54) 726 return (x << 8) | 0x5; 727 return 0; 728} 729 730//===----------------------------------------------------------------------===// 731// Tests for the warning of casting a non-struct type to a struct type 732//===----------------------------------------------------------------------===// 733 734typedef struct {unsigned int v;} NSSwappedFloat; 735 736NSSwappedFloat test_cast_nonstruct_to_struct(float x) { 737 struct hodor { 738 float number; 739 NSSwappedFloat sf; 740 }; 741 return ((struct hodor *)&x)->sf; // expected-warning{{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption}} 742} 743 744NSSwappedFloat test_cast_nonstruct_to_union(float x) { 745 union bran { 746 float number; 747 NSSwappedFloat sf; 748 }; 749 return ((union bran *)&x)->sf; // no-warning 750} 751 752void test_undefined_array_subscript(void) { 753 int i, a[10]; 754 int *p = &a[i]; // expected-warning{{Array subscript is undefined}} 755} 756@end 757 758//===----------------------------------------------------------------------===// 759// Test using an uninitialized value as a branch condition. 760//===----------------------------------------------------------------------===// 761 762int test_uninit_branch(void) { 763 int x; 764 if (x) // expected-warning{{Branch condition evaluates to a garbage value}} 765 return 1; 766 return 0; 767} 768 769int test_uninit_branch_b(void) { 770 int x; 771 return x ? 1 : 0; // expected-warning{{Branch condition evaluates to a garbage value}} 772} 773 774int test_uninit_branch_c(void) { 775 int x; 776 if ((short)x) // expected-warning{{Branch condition evaluates to a garbage value}} 777 return 1; 778 return 0; 779} 780 781//===----------------------------------------------------------------------===// 782// Test passing an undefined value in a message or function call. 783//===----------------------------------------------------------------------===// 784 785void test_bad_call_aux(int x); 786void test_bad_call(void) { 787 int y; 788 test_bad_call_aux(y); // expected-warning{{1st function call argument is an uninitialized value}} 789} 790 791@interface TestBadArg {} 792- (void) testBadArg:(int) x; 793@end 794 795void test_bad_msg(TestBadArg *p) { 796 int y; 797 [p testBadArg:y]; // expected-warning{{1st argument in message expression is an uninitialized value}} 798} 799 800//===----------------------------------------------------------------------===// 801// PR 6033 - Test emitting the correct output in a warning where we use '%' 802// with operands that are undefined. 803//===----------------------------------------------------------------------===// 804 805int pr6033(int x) { 806 int y; 807 return x % y; // expected-warning{{The right operand of '%' is a garbage value}} 808} 809 810struct trie { 811 struct trie* next; 812}; 813 814struct kwset { 815 struct trie *trie; 816 unsigned char y[10]; 817 struct trie* next[10]; 818 int d; 819}; 820 821typedef struct trie trie_t; 822typedef struct kwset kwset_t; 823 824void f(kwset_t *kws, char const *p, char const *q) { 825 struct trie const *trie; 826 struct trie * const *next = kws->next; 827 register unsigned char c; 828 register char const *end = p; 829 register char const *lim = q; 830 register int d = 1; 831 register unsigned char const *y = kws->y; 832 833 d = y[c = (end+=d)[-1]]; // no-warning 834 trie = next[c]; 835} 836 837//===----------------------------------------------------------------------===// 838// When handling sizeof(VLA) it leads to a hole in the ExplodedGraph (causing a 839// false positive). 840//===----------------------------------------------------------------------===// 841 842int rdar_7593875_aux(int x); 843int rdar_7593875(int n) { 844 int z[n > 10 ? 10 : n]; // VLA. 845 int v; 846 v = rdar_7593875_aux(sizeof(z)); 847 // Previously we got a false positive about 'v' being uninitialized. 848 return v; // no-warning 849} 850 851//===----------------------------------------------------------------------===// 852// Handle casts from symbolic regions (packaged as integers) to doubles. 853// Previously this caused an assertion failure. 854//===----------------------------------------------------------------------===// 855 856void *foo_rev95119(void); 857void baz_rev95119(double x); 858void bar_rev95119(void) { 859 // foo_rev95119() returns a symbolic pointer. It is then 860 // cast to an int which is then cast to a double. 861 int value = (int) foo_rev95119(); 862 baz_rev95119((double)value); 863} 864 865//===----------------------------------------------------------------------===// 866// Handle loading a symbolic pointer from a symbolic region that was 867// invalidated by a call to an unknown function. 868//===----------------------------------------------------------------------===// 869 870void bar_rev95192(int **x); 871void foo_rev95192(int **x) { 872 *x = 0; 873 bar_rev95192(x); 874 // Not a null dereference. 875 **x = 1; // no-warning 876} 877 878//===----------------------------------------------------------------------===// 879// Handle casts of a function to a function pointer with a different return 880// value. We don't yet emit an error for such cases, but we now we at least 881// don't crash when the return value gets interpreted in a way that 882// violates our invariants. 883//===----------------------------------------------------------------------===// 884 885void *foo_rev95267(void); 886int bar_rev95267(void) { 887 char (*Callback_rev95267)(void) = (char (*)(void)) foo_rev95267; 888 if ((*Callback_rev95267)() == (char) 0) 889 return 1; 890 return 0; 891} 892 893// Same as previous case, but handle casts to 'void'. 894int bar_rev95274(void) { 895 void (*Callback_rev95274)(void) = (void (*)(void)) foo_rev95267; 896 (*Callback_rev95274)(); 897 return 0; 898} 899 900void rdar7582031_test_static_init_zero(void) { 901 static unsigned x; 902 if (x == 0) 903 return; 904 int *p = 0; 905 *p = 0xDEADBEEF; 906} 907void rdar7582031_test_static_init_zero_b(void) { 908 static void* x; 909 if (x == 0) 910 return; 911 int *p = 0; 912 *p = 0xDEADBEEF; 913} 914 915//===----------------------------------------------------------------------===// 916// Test handling of parameters that are structs that contain floats and // 917// nested fields. // 918//===----------------------------------------------------------------------===// 919 920struct s_rev95547_nested { float x, y; }; 921struct s_rev95547 { 922 struct s_rev95547_nested z1; 923 struct s_rev95547_nested z2; 924}; 925float foo_rev95547(struct s_rev95547 w) { 926 return w.z1.x + 20.0; // no-warning 927} 928void foo_rev95547_b(struct s_rev95547 w) { 929 struct s_rev95547 w2 = w; 930 w2.z1.x += 20.0; // no-warning 931} 932 933//===----------------------------------------------------------------------===// 934// Test handling statement expressions that don't populate a CFG block that 935// is used to represent the computation of the RHS of a logical operator. 936// This previously triggered a crash. 937//===----------------------------------------------------------------------===// 938 939void pr6938(void) { 940 if (1 && ({ 941 while (0); 942 0; 943 }) == 0) { 944 } 945} 946 947void pr6938_b(void) { 948 if (1 && *({ // expected-warning{{Dereference of null pointer}} 949 while (0) {} 950 ({ 951 (int *) 0; 952 }); 953 }) == 0) { 954 } 955} 956 957//===----------------------------------------------------------------------===// 958// The CFG for code containing an empty @synchronized block was previously 959// broken (and would crash the analyzer). 960//===----------------------------------------------------------------------===// 961 962void r7979430(id x) { 963 @synchronized(x) {} 964} 965 966//===----------------------------------------------------------------------=== 967// PR 7361 - Test that functions wrapped in macro instantiations are analyzed. 968//===----------------------------------------------------------------------=== 969#define MAKE_TEST_FN() \ 970 void test_pr7361 (char a) {\ 971 char* b = 0x0; *b = a;\ 972 } 973 974MAKE_TEST_FN() // expected-warning{{null pointer}} 975 976//===----------------------------------------------------------------------=== 977// PR 7491 - Test that symbolic expressions can be used as conditions. 978//===----------------------------------------------------------------------=== 979 980void pr7491 (void) { 981 extern int getint(void); 982 int a = getint()-1; 983 if (a) { 984 return; 985 } 986 if (!a) { 987 return; 988 } else { 989 // Should be unreachable 990 (void)*(char*)0; // no-warning 991 } 992} 993 994//===----------------------------------------------------------------------=== 995// PR 7475 - Test that assumptions about global variables are reset after 996// calling a global function. 997//===----------------------------------------------------------------------=== 998 999int *pr7475_someGlobal; 1000void pr7475_setUpGlobal(void); 1001 1002void pr7475(void) { 1003 if (pr7475_someGlobal == 0) 1004 pr7475_setUpGlobal(); 1005 *pr7475_someGlobal = 0; // no-warning 1006} 1007 1008void pr7475_warn(void) { 1009 static int *someStatic = 0; 1010 if (someStatic == 0) 1011 pr7475_setUpGlobal(); 1012 *someStatic = 0; // expected-warning{{null pointer}} 1013} 1014 1015// __imag passed non-complex should not crash 1016float f0(_Complex float x) { 1017 float l0 = __real x; 1018 return __real l0 + __imag l0; 1019} 1020 1021 1022//===----------------------------------------------------------------------=== 1023// Test that we can reduce symbols to constants whether they are on the left 1024// or right side of an expression. 1025//===----------------------------------------------------------------------=== 1026 1027void reduce_to_constant(int x, int y) { 1028 if (x != 20) 1029 return; 1030 1031 int a = x + y; 1032 int b = y + x; 1033 1034 if (y == -20 && a != 0) 1035 (void)*(char*)0; // no-warning 1036 if (y == -20 && b != 0) 1037 (void)*(char*)0; // no-warning 1038} 1039 1040// Test that code after a switch statement with no 'case:' labels is correctly 1041// evaluated. 1042void r8360854(int n) { 1043 switch (n) { 1044 default: ; 1045 } 1046 int *p = 0; 1047 *p = 0xDEADBEEF; // expected-warning{{null pointer}} 1048} 1049 1050// PR 8050 - crash in CastSizeChecker when pointee is an incomplete type 1051typedef long unsigned int __darwin_size_t; 1052typedef __darwin_size_t size_t; 1053void *malloc(size_t); 1054 1055struct PR8050; 1056 1057void pr8050(struct PR8050 **arg) 1058{ 1059 *arg = malloc(1); 1060} 1061 1062// Switch on enum should not consider default case live if all enum values are 1063// covered. 1064enum Cases { C1, C2, C3, C4 }; 1065void test_enum_cases(enum Cases C) { 1066 switch (C) { 1067 case C1: 1068 case C2: 1069 case C4: 1070 case C3: 1071 return; 1072 } 1073 int *p = 0; 1074 *p = 0xDEADBEEF; // no-warning 1075} 1076 1077void test_enum_cases_positive(enum Cases C) { 1078 switch (C) { // expected-warning{{enumeration value 'C4' not handled in switch}} 1079 case C1: 1080 case C2: 1081 case C3: 1082 return; 1083 } 1084 int *p = 0; 1085 *p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}} 1086} 1087 1088// Warn if synchronization mutex can be nil 1089void rdar6351970(void) { 1090 id x = 0; 1091 @synchronized(x) {} // expected-warning{{Nil value used as mutex for @synchronized() (no synchronization will occur)}} 1092} 1093 1094void rdar6351970_b(id x) { 1095 if (!x) 1096 @synchronized(x) {} // expected-warning{{Nil value used as mutex for @synchronized() (no synchronization will occur)}} 1097} 1098 1099void rdar6351970_c(void) { 1100 id x; 1101 @synchronized(x) {} // expected-warning{{Uninitialized value used as mutex for @synchronized}} 1102} 1103 1104@interface Rdar8578650 1105- (id) foo8578650; 1106@end 1107 1108void rdar8578650(id x) { 1109 @synchronized (x) { 1110 [x foo8578650]; 1111 } 1112 // At this point we should assume that 'x' is not nil, not 1113 // the inverse. 1114 @synchronized (x) { // no-warning 1115 } 1116} 1117 1118// Direct structure member access null pointer dereference 1119@interface RDar6352035 { 1120 int c; 1121} 1122- (void)foo; 1123- (void)bar; 1124@end 1125 1126@implementation RDar6352035 1127- (void)foo { 1128 RDar6352035 *friend = 0; 1129 friend->c = 7; // expected-warning{{Access to instance variable 'c' results in a dereference of a null pointer (loaded from variable 'friend')}} 1130} 1131- (void)bar { 1132 self = 0; 1133 c = 7; // expected-warning{{Access to instance variable 'c' results in a dereference of a null pointer (loaded from variable 'self')}} 1134} 1135@end 1136 1137// PR 8149 - GNU statement expression in condition of ForStmt. 1138// This previously triggered an assertion failure in CFGBuilder. 1139void pr8149(void) { 1140 for (; ({ do { } while (0); 0; });) { } 1141} 1142 1143// PR 8458 - Make sure @synchronized doesn't crash with properties. 1144@interface PR8458 {} 1145@property(readonly) id lock; 1146@end 1147 1148static 1149void __PR8458(PR8458 *x) { 1150 @synchronized(x.lock) {} // no-warning 1151} 1152 1153// PR 8440 - False null dereference during store to array-in-field-in-global. 1154// This test case previously resulted in a bogus null deref warning from 1155// incorrect lazy symbolication logic in RegionStore. 1156static struct { 1157 int num; 1158 char **data; 1159} saved_pr8440; 1160 1161char *foo_pr8440(void); 1162char **bar_pr8440(void); 1163void baz_pr8440(int n) 1164{ 1165 saved_pr8440.num = n; 1166 if (saved_pr8440.data) 1167 return; 1168 saved_pr8440.data = bar_pr8440(); 1169 for (int i = 0 ; i < n ; i ++) 1170 saved_pr8440.data[i] = foo_pr8440(); // no-warning 1171} 1172 1173// Support direct accesses to non-null memory. Reported in: 1174// PR 5272 1175int test_direct_address_load(void) { 1176 int *p = (int*) 0x4000; 1177 return *p; // no-warning 1178} 1179 1180void pr5272_test(void) { 1181 struct pr5272 { int var2; }; 1182 (*(struct pr5272*)0xBC000000).var2 = 0; // no-warning 1183 (*(struct pr5272*)0xBC000000).var2 += 2; // no-warning 1184} 1185 1186// Support casting the return value of function to another different type 1187// This previously caused a crash, although we likely need more precise 1188// reasoning here. 1189void* rdar8663544(void); 1190typedef struct {} Val8663544; 1191Val8663544 bazR8663544(void) { 1192 Val8663544(*func) (void) = (Val8663544(*) (void)) rdar8663544; 1193 return func(); 1194} 1195 1196// PR 8619 - Handle ternary expressions with a call to a noreturn function. 1197// This previously resulted in a crash. 1198void pr8619_noreturn(int x) __attribute__((noreturn)); 1199 1200void pr8619(int a, int b, int c) { 1201 a ?: pr8619_noreturn(b || c); 1202} 1203 1204 1205// PR 8646 - crash in the analyzer when handling unions. 1206union pr8648_union { 1207 signed long long pr8648_union_field; 1208}; 1209void pr8648(void) { 1210 long long y; 1211 union pr8648_union x = { .pr8648_union_field = 0LL }; 1212 y = x.pr8648_union_field; 1213 1214 union pr8648_union z; 1215 z = (union pr8648_union) { .pr8648_union_field = 0LL }; 1216 1217 union pr8648_union w; 1218 w = ({ (union pr8648_union) { .pr8648_union_field = 0LL }; }); 1219 1220 // crash, no assignment 1221 (void) ({ (union pr8648_union) { .pr8648_union_field = 0LL }; }).pr8648_union_field; 1222 1223 // crash with assignment 1224 y = ({ (union pr8648_union) { .pr8648_union_field = 0LL }; }).pr8648_union_field; 1225} 1226 1227// PR 9269 - don't assert when building the following CFG. The for statement 1228// contains a condition with multiple basic blocks, and the value of the 1229// statement expression is then indexed as part of a bigger condition expression. 1230// This example exposed a bug in child traversal in the CFGBuilder. 1231void pr9269(void) { 1232 struct s { char *bar[10]; } baz[2] = { 0 }; 1233 unsigned i = 0; 1234 for (i = 0; 1235 (* ({ while(0); ({ &baz[0]; }); })).bar[0] != 0; // expected-warning {{while loop has empty body}} expected-note {{put the semicolon on a separate line to silence this warning}} 1236 ++i) {} 1237} 1238 1239// Test evaluation of GNU-style ?:. 1240int pr9287(int type) { return type ? : 0; } // no-warning 1241 1242void pr9287_b(int type, int *p) { 1243 int x = type ? : 0; 1244 if (x) { 1245 p = 0; 1246 } 1247 if (type) { 1248 *p = 0xDEADBEEF; // expected-warning {{null pointer}} 1249 } 1250} 1251 1252void pr9287_c(int type, int *p) { 1253 int x = type ? : 0; 1254 if (x) { 1255 p = 0; 1256 } 1257 if (!type) { 1258 *p = 0xDEADBEEF; // no-warning 1259 } 1260} 1261 1262void test_switch(void) { 1263 switch (4) { 1264 case 1: { 1265 int *p = 0; 1266 *p = 0xDEADBEEF; // no-warning 1267 break; 1268 } 1269 case 4: { 1270 int *p = 0; 1271 *p = 0xDEADBEEF; // expected-warning {{null}} 1272 break; 1273 } 1274 default: { 1275 int *p = 0; 1276 *p = 0xDEADBEEF; // no-warning 1277 break; 1278 } 1279 } 1280} 1281 1282// PR 9467. Tests various CFG optimizations. This previously crashed. 1283static void test(unsigned int bit_mask) 1284{ 1285 unsigned int bit_index; 1286 for (bit_index = 0; 1287 bit_index < 24; 1288 bit_index++) { 1289 switch ((0x01 << bit_index) & bit_mask) { 1290 case 0x100000: ; 1291 } 1292 } 1293} 1294 1295// Don't crash on code containing __label__. 1296int radar9414427_aux(void); 1297void radar9414427(void) { 1298 __label__ mylabel; 1299 if (radar9414427_aux()) { 1300 mylabel: do {} 1301 while (0); 1302 } 1303} 1304 1305// Analyze methods in @implementation (category) 1306@interface RDar9465344 1307@end 1308 1309@implementation RDar9465344 (MyCategory) 1310- (void) testcategoryImpl { 1311 int *p = 0x0; 1312 *p = 0xDEADBEEF; // expected-warning {{null}} 1313} 1314@end 1315 1316@implementation RDar9465344 1317@end 1318 1319// Don't crash when analyzing access to 'self' within a block. 1320@interface Rdar10380300Base 1321- (void) foo; 1322@end 1323@interface Rdar10380300 : Rdar10380300Base @end 1324@implementation Rdar10380300 1325- (void)foo { 1326 ^{ 1327 [super foo]; 1328 }(); 1329} 1330@end 1331 1332// Don't crash when a ?: is only preceded by a statement (not an expression) 1333// in the CFG. 1334void __assert_fail(void); 1335 1336enum rdar1196620_e { E_A, E_B, E_C, E_D }; 1337struct rdar1196620_s { int ints[E_D+1]; }; 1338 1339static void rdar1196620_call_assert(struct rdar1196620_s* s) { 1340 int i = 0; 1341 s?(void)0:__assert_fail(); 1342} 1343 1344static void rdar1196620(struct rdar1196620_s* s) { 1345 rdar1196620_call_assert(s); 1346} 1347 1348 1349