1// RUN: %clang_analyze_cc1 -triple i386-apple-darwin9 -analyzer-checker=core,alpha.core.CastToStruct,alpha.security.ReturnPtrRange,alpha.security.ArrayBound -verify -fblocks -Wno-objc-root-class -Wno-strict-prototypes -Wno-error=implicit-function-declaration %s 2// RUN: %clang_analyze_cc1 -triple x86_64-apple-darwin9 -DTEST_64 -analyzer-checker=core,alpha.core.CastToStruct,alpha.security.ReturnPtrRange,alpha.security.ArrayBound -verify -fblocks -Wno-objc-root-class -Wno-strict-prototypes -Wno-error=implicit-function-declaration %s 3 4typedef long unsigned int size_t; 5void *memcpy(void *, const void *, size_t); 6void *alloca(size_t); 7 8typedef struct objc_selector *SEL; 9typedef signed char BOOL; 10typedef int NSInteger; 11typedef unsigned int NSUInteger; 12typedef struct _NSZone NSZone; 13@class NSInvocation, NSMethodSignature, NSCoder, NSString, NSEnumerator; 14@protocol NSObject - (BOOL)isEqual:(id)object; @end 15@protocol NSCopying - (id)copyWithZone:(NSZone *)zone; @end 16@protocol NSMutableCopying - (id)mutableCopyWithZone:(NSZone *)zone; @end 17@protocol NSCoding - (void)encodeWithCoder:(NSCoder *)aCoder; @end 18@interface NSObject <NSObject> {} - (id)init; @end 19extern id NSAllocateObject(Class aClass, NSUInteger extraBytes, NSZone *zone); 20@interface NSString : NSObject <NSCopying, NSMutableCopying, NSCoding> 21- (NSUInteger)length; 22+ (id)stringWithUTF8String:(const char *)nullTerminatedCString; 23@end extern NSString * const NSBundleDidLoadNotification; 24@interface NSAssertionHandler : NSObject {} 25+ (NSAssertionHandler *)currentHandler; 26- (void)handleFailureInMethod:(SEL)selector object:(id)object file:(NSString *)fileName lineNumber:(NSInteger)line description:(NSString *)format,...; 27@end 28extern NSString * const NSConnectionReplyMode; 29 30#ifdef TEST_64 31typedef long long int64_t; 32typedef int64_t intptr_t; 33#else 34typedef int int32_t; 35typedef int32_t intptr_t; 36#endif 37 38//--------------------------------------------------------------------------- 39// Test case 'checkaccess_union' differs for region store and basic store. 40// The basic store doesn't reason about compound literals, so the code 41// below won't fire an "uninitialized value" warning. 42//--------------------------------------------------------------------------- 43 44// PR 2948 (testcase; crash on VisitLValue for union types) 45// http://llvm.org/bugs/show_bug.cgi?id=2948 46void checkaccess_union(void) { 47 int ret = 0, status; 48 // Since RegionStore doesn't handle unions yet, 49 // this branch condition won't be triggered 50 // as involving an uninitialized value. 51 if (((((__extension__ (((union { // no-warning 52 __typeof (status) __in; int __i;} 53 ) 54 { 55 .__in = (status)} 56 ).__i))) & 0xff00) >> 8) == 1) 57 ret = 1; 58} 59 60// Check our handling of fields being invalidated by function calls. 61struct test2_struct { int x; int y; char* s; }; 62void test2_help(struct test2_struct* p); 63 64char test2(void) { 65 struct test2_struct s; 66 test2_help(&s); 67 char *p = 0; 68 69 if (s.x > 1) { 70 if (s.s != 0) { 71 p = "hello"; 72 } 73 } 74 75 if (s.x > 1) { 76 if (s.s != 0) { 77 return *p; 78 } 79 } 80 81 return 'a'; 82} 83 84// BasicStore handles this case incorrectly because it doesn't reason about 85// the value pointed to by 'x' and thus creates different symbolic values 86// at the declarations of 'a' and 'b' respectively. RegionStore handles 87// it correctly. See the companion test in 'misc-ps-basic-store.m'. 88void test_trivial_symbolic_comparison_pointer_parameter(int *x) { 89 int a = *x; 90 int b = *x; 91 if (a != b) { 92 int *p = 0; 93 *p = 0xDEADBEEF; // no-warning 94 } 95} 96 97// This is a modified test from 'misc-ps.m'. Here we have the extra 98// NULL dereferences which are pruned out by RegionStore's symbolic reasoning 99// of fields. 100typedef struct _BStruct { void *grue; } BStruct; 101void testB_aux(void *ptr); 102 103void testB(BStruct *b) { 104 { 105 int *__gruep__ = ((int *)&((b)->grue)); 106 int __gruev__ = *__gruep__; 107 int __gruev2__ = *__gruep__; 108 if (__gruev__ != __gruev2__) { 109 int *p = 0; 110 *p = 0xDEADBEEF; // no-warning 111 } 112 113 testB_aux(__gruep__); 114 } 115 { 116 int *__gruep__ = ((int *)&((b)->grue)); 117 int __gruev__ = *__gruep__; 118 int __gruev2__ = *__gruep__; 119 if (__gruev__ != __gruev2__) { 120 int *p = 0; 121 *p = 0xDEADBEEF; // no-warning 122 } 123 124 if (~0 != __gruev__) {} 125 } 126} 127 128void testB_2(BStruct *b) { 129 { 130 int **__gruep__ = ((int **)&((b)->grue)); 131 int *__gruev__ = *__gruep__; 132 testB_aux(__gruep__); 133 } 134 { 135 int **__gruep__ = ((int **)&((b)->grue)); 136 int *__gruev__ = *__gruep__; 137 if ((int*)~0 != __gruev__) {} 138 } 139} 140 141// This test case is a reduced case of a caching bug discovered by an 142// assertion failure in RegionStoreManager::BindArray. Essentially the 143// DeclStmt is evaluated twice, but on the second loop iteration the 144// engine caches out. Previously a false transition would cause UnknownVal 145// to bind to the variable, firing an assertion failure. This bug was fixed 146// in r76262. 147void test_declstmt_caching(void) { 148again: 149 { 150 const char a[] = "I like to crash"; 151 goto again; 152 } 153} 154 155//===----------------------------------------------------------------------===// 156// Basically a null check is performed on the field value, which is then 157// assigned to a variable and then checked again. 158//===----------------------------------------------------------------------===// 159struct s_7114618 { int *p; }; 160void test_rdar_7114618(struct s_7114618 *s) { 161 if (s->p) { 162 int *p = s->p; 163 if (!p) { 164 // Infeasible 165 int *dead = 0; 166 *dead = 0xDEADBEEF; // no-warning 167 } 168 } 169} 170 171// Test pointers increment correctly. 172void f(void) { 173 int a[2]; 174 a[1] = 3; 175 int *p = a; 176 p++; 177 if (*p != 3) { 178 int *q = 0; 179 *q = 3; // no-warning 180 } 181} 182 183//===----------------------------------------------------------------------===// 184// Bit-fields of a struct should be invalidated when blasting the entire 185// struct with an integer constant. 186//===----------------------------------------------------------------------===// 187struct test_7185607 { 188 int x : 10; 189 int y : 22; 190}; 191int rdar_test_7185607(void) { 192 struct test_7185607 s; // Uninitialized. 193 *((unsigned *) &s) = 0U; 194 return s.x; // no-warning 195} 196 197//===----------------------------------------------------------------------===// 198// [RegionStore] compound literal assignment with floats not honored 199// This test case is mirrored in misc-ps.m, but this case is a negative. 200//===----------------------------------------------------------------------===// 201typedef float CGFloat; 202typedef struct _NSSize { 203 CGFloat width; 204 CGFloat height; 205} NSSize; 206 207CGFloat rdar7242006_negative(CGFloat x) { 208 NSSize y; 209 return y.width; // expected-warning{{garbage}} 210} 211 212//===----------------------------------------------------------------------===// 213// Allow binding of values to symbolic regions. This test case shows how 214// RegionStore tracks the value bound to 'x' after the assignment. 215//===----------------------------------------------------------------------===// 216typedef int* ptr_rdar_7249340; 217void rdar_7249340(ptr_rdar_7249340 x) { 218 *x = 1; 219 if (*x) 220 return; 221 int *p = 0; // This is unreachable. 222 *p = 0xDEADBEEF; // no-warning 223} 224 225//===----------------------------------------------------------------------===// 226// This test case tests both value tracking of array values and that we handle 227// symbolic values that are casted between different integer types. Note the 228// assignment 'n = *a++'; here 'n' is and 'int' and '*a' is 'unsigned'. 229// Previously we got a false positive at 'x += *b++' (undefined value) because 230// we got a false path. 231//===----------------------------------------------------------------------===// 232int rdar_7249327_aux(void); 233 234void rdar_7249327(unsigned int A[2*32]) { 235 int B[2*32]; 236 int *b; 237 unsigned int *a; 238 int x = 0; 239 240 int n; 241 242 a = A; 243 b = B; 244 245 n = *a++; 246 if (n) 247 *b++ = rdar_7249327_aux(); 248 249 a = A; 250 b = B; 251 252 n = *a++; 253 if (n) 254 x += *b++; // no-warning 255} 256 257//===----------------------------------------------------------------------===// 258// Check that 'x' is invalidated because its address is passed in as a value to 259// a struct. 260//===----------------------------------------------------------------------===// 261struct doodad_6914474 { int *v; }; 262extern void prod_6914474(struct doodad_6914474 *d); 263int rdar_6914474(void) { 264 int x; 265 struct doodad_6914474 d; 266 d.v = &x; 267 prod_6914474(&d); 268 return x; // no-warning 269} 270 271// Test invalidation of a single field. 272struct s_test_field_invalidate { 273 int x; 274}; 275extern void test_invalidate_field(int *x); 276int test_invalidate_field_test(void) { 277 struct s_test_field_invalidate y; 278 test_invalidate_field(&y.x); 279 return y.x; // no-warning 280} 281int test_invalidate_field_test_positive(void) { 282 struct s_test_field_invalidate y; 283 return y.x; // expected-warning{{garbage}} 284} 285 286// This test case illustrates how a typeless array of bytes casted to a 287// struct should be treated as initialized. RemoveDeadBindings previously 288// had a bug that caused 'x' to lose its default symbolic value after the 289// assignment to 'p', thus causing 'p->z' to evaluate to "undefined". 290struct ArrayWrapper { unsigned char y[16]; }; 291struct WrappedStruct { unsigned z; }; 292 293void test_handle_array_wrapper_helper(); 294 295int test_handle_array_wrapper(void) { 296 struct ArrayWrapper x; 297 test_handle_array_wrapper_helper(&x); 298 struct WrappedStruct *p = (struct WrappedStruct*) x.y; // expected-warning{{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption}} 299 return p->z; // no-warning 300} 301 302//===----------------------------------------------------------------------===// 303// [RegionStore] crash when handling load: '*((unsigned int *)"????")' 304//===----------------------------------------------------------------------===// 305 306int rdar_7261075(void) { 307 unsigned int var = 0; 308 if (var == *((unsigned int *)"????")) 309 return 1; 310 return 0; 311} 312 313//===----------------------------------------------------------------------===// 314// False path due to limited pointer arithmetic constraints. 315//===----------------------------------------------------------------------===// 316 317void rdar_7275774(void *data, unsigned n) { 318 if (!(data || n == 0)) 319 return; 320 321 unsigned short *p = (unsigned short*) data; 322 unsigned short *q = p + (n / 2); 323 324 if (p < q) { 325 // If we reach here, 'p' cannot be null. If 'p' is null, then 'n' must 326 // be '0', meaning that this branch is not feasible. 327 *p = *q; // no-warning 328 } 329} 330 331//===----------------------------------------------------------------------===// 332// Test that Objective-C instance variables aren't prematurely pruned 333// from the analysis state. 334//===----------------------------------------------------------------------===// 335 336struct rdar_7312221_value { int x; }; 337 338@interface RDar7312221 339{ 340 struct rdar_7312221_value *y; 341} 342- (void) doSomething_7312221; 343@end 344 345extern struct rdar_7312221_value *rdar_7312221_helper(void); 346extern int rdar_7312221_helper_2(id o); 347extern void rdar_7312221_helper_3(int z); 348 349@implementation RDar7312221 350- (void) doSomething_7312221 { 351 if (y == 0) { 352 y = rdar_7312221_helper(); 353 if (y != 0) { 354 y->x = rdar_7312221_helper_2(self); 355 // The following use of 'y->x' previously triggered a null dereference, as the value of 'y' 356 // before 'y = rdar_7312221_helper()' would be used. 357 rdar_7312221_helper_3(y->x); // no-warning 358 } 359 } 360} 361@end 362 363struct rdar_7312221_container { 364 struct rdar_7312221_value *y; 365}; 366 367extern int rdar_7312221_helper_4(struct rdar_7312221_container *s); 368 369// This test case essentially matches the one in [RDar7312221 doSomething_7312221]. 370void doSomething_7312221_with_struct(struct rdar_7312221_container *Self) { 371 if (Self->y == 0) { 372 Self->y = rdar_7312221_helper(); 373 if (Self->y != 0) { 374 Self->y->x = rdar_7312221_helper_4(Self); 375 rdar_7312221_helper_3(Self->y->x); // no-warning 376 } 377 } 378} 379 380//===----------------------------------------------------------------------===// 381// Just more tests cases for regions 382//===----------------------------------------------------------------------===// 383 384void rdar_7332673_test1(void) { 385 char value[1]; 386 if ( *(value) != 1 ) {} // expected-warning{{The left operand of '!=' is a garbage value}} 387} 388int rdar_7332673_test2_aux(char *x); 389void rdar_7332673_test2(void) { 390 char *value; 391 if ( rdar_7332673_test2_aux(value) != 1 ) {} // expected-warning{{1st function call argument is an uninitialized value}} 392} 393 394//===----------------------------------------------------------------------===// 395// Because of a bug in RegionStoreManager::RemoveDeadBindings(), the symbol for 396// s->session->p would incorrectly be pruned from the state after the call to 397// rdar7347252_malloc1(), and would incorrectly result in a warning about 398// passing a null pointer to rdar7347252_memcpy(). 399//===----------------------------------------------------------------------===// 400 401struct rdar7347252_AA { char *p;}; 402typedef struct { 403 struct rdar7347252_AA *session; 404 int t; 405 char *q; 406} rdar7347252_SSL1; 407 408int rdar7347252_f(rdar7347252_SSL1 *s); 409char *rdar7347252_malloc1(int); 410char *rdar7347252_memcpy1(char *d, char *s, int n) __attribute__((nonnull (1,2))); 411 412int rdar7347252(rdar7347252_SSL1 *s) { 413 rdar7347252_f(s); // the SymbolicRegion of 's' is set a default binding of conjured symbol 414 if (s->session->p == ((void*)0)) { 415 if ((s->session->p = rdar7347252_malloc1(10)) == ((void*)0)) { 416 return 0; 417 } 418 rdar7347252_memcpy1(s->session->p, "aa", 2); // no-warning 419 } 420 return 0; 421} 422 423//===----------------------------------------------------------------------===// 424// PR 5316 - "crash when accessing field of lazy compound value" 425// Previously this caused a crash at the MemberExpr '.chr' when loading 426// a field value from a LazyCompoundVal 427//===----------------------------------------------------------------------===// 428 429typedef unsigned int pr5316_wint_t; 430typedef pr5316_wint_t pr5316_REFRESH_CHAR; 431typedef struct { 432 pr5316_REFRESH_CHAR chr; 433} 434pr5316_REFRESH_ELEMENT; 435static void pr5316(pr5316_REFRESH_ELEMENT *dst, const pr5316_REFRESH_ELEMENT *src) { 436 while ((*dst++ = *src++).chr != L'\0') ; 437} 438 439//===----------------------------------------------------------------------===// 440// Exercise creating ElementRegion with symbolic super region. 441//===----------------------------------------------------------------------===// 442void element_region_with_symbolic_superregion(int* p) { 443 int *x; 444 int a; 445 if (p[0] == 1) 446 x = &a; 447 if (p[0] == 1) 448 (void)*x; // no-warning 449} 450 451//===----------------------------------------------------------------------===// 452// Test returning an out-of-bounds pointer (CWE-466) 453//===----------------------------------------------------------------------===// 454 455static int test_cwe466_return_outofbounds_pointer_a[10]; // expected-note{{Original object declared here}} 456int *test_cwe466_return_outofbounds_pointer(void) { 457 int *p = test_cwe466_return_outofbounds_pointer_a+11; 458 return p; // expected-warning{{Returned pointer value points outside the original object}} 459 // expected-note@-1{{Original object 'test_cwe466_return_outofbounds_pointer_a' is an array of 10 'int' objects, returned pointer points at index 11}} 460} 461 462//===----------------------------------------------------------------------===// 463// PR 3135 - Test case that shows that a variable may get invalidated when its 464// address is included in a structure that is passed-by-value to an unknown function. 465//===----------------------------------------------------------------------===// 466 467typedef struct { int *a; } pr3135_structure; 468int pr3135_bar(pr3135_structure *x); 469int pr3135(void) { 470 int x; 471 pr3135_structure y = { &x }; 472 // the call to pr3135_bar may initialize x 473 if (pr3135_bar(&y) && x) // no-warning 474 return 1; 475 return 0; 476} 477 478//===----------------------------------------------------------------------===// 479// Test that we handle compound initializers with partially unspecified array 480// values. Previously this caused a crash. 481//===----------------------------------------------------------------------===// 482 483typedef struct RDar7403269 { 484 unsigned x[10]; 485 unsigned y; 486} RDar7403269; 487 488void rdar7403269(void) { 489 RDar7403269 z = { .y = 0 }; 490 if (z.x[4] == 0) 491 return; 492 int *p = 0; 493 *p = 0xDEADBEEF; // no-warning 494} 495 496typedef struct RDar7403269_b { 497 struct zorg { int w; int k; } x[10]; 498 unsigned y; 499} RDar7403269_b; 500 501void rdar7403269_b(void) { 502 RDar7403269_b z = { .y = 0 }; 503 if (z.x[5].w == 0) 504 return; 505 int *p = 0; 506 *p = 0xDEADBEEF; // no-warning 507} 508 509void rdar7403269_b_pos(void) { 510 RDar7403269_b z = { .y = 0 }; 511 if (z.x[5].w == 1) 512 return; 513 int *p = 0; 514 *p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}} 515} 516 517 518//===----------------------------------------------------------------------===// 519// Test that incrementing a non-null pointer results in a non-null pointer. 520//===----------------------------------------------------------------------===// 521 522void test_increment_nonnull_rdar_7191542(const char *path) { 523 const char *alf = 0; 524 525 for (;;) { 526 // When using basic-store, we get a null dereference here because we lose information 527 // about path after the pointer increment. 528 char c = *path++; // no-warning 529 if (c == 'a') { 530 alf = path; 531 } 532 533 if (alf) 534 return; 535 } 536} 537 538//===----------------------------------------------------------------------===// 539// Test that the store (implicitly) tracks values for doubles/floats that are 540// uninitialized. 541//===----------------------------------------------------------------------===// 542 543double rdar_6811085(void) { 544 double u; 545 return u + 10; // expected-warning{{The left operand of '+' is a garbage value}} 546} 547 548//===----------------------------------------------------------------------===// 549// Path-sensitive tests for blocks. 550//===----------------------------------------------------------------------===// 551 552void indirect_block_call(void (^f)(void)); 553 554int blocks_1(int *p, int z) { 555 __block int *q = 0; 556 void (^bar)(void) = ^{ q = p; }; 557 558 if (z == 1) { 559 // The call to 'bar' might cause 'q' to be invalidated. 560 bar(); 561 *q = 0x1; // no-warning 562 } 563 else if (z == 2) { 564 // The function 'indirect_block_call' might invoke bar, thus causing 565 // 'q' to possibly be invalidated. 566 indirect_block_call(bar); 567 *q = 0x1; // no-warning 568 } 569 else { 570 *q = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}} 571 } 572 return z; 573} 574 575int blocks_2(int *p, int z) { 576 int *q = 0; 577 void (^bar)(int **) = ^(int **r){ *r = p; }; 578 579 if (z) { 580 // The call to 'bar' might cause 'q' to be invalidated. 581 bar(&q); 582 *q = 0x1; // no-warning 583 } 584 else { 585 *q = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}} 586 } 587 return z; 588} 589 590// Test that the value of 'x' is considered invalidated after the block 591// is passed as an argument to the message expression. 592typedef void (^RDar7582031CB)(void); 593@interface RDar7582031 594- rdar7582031:RDar7582031CB; 595- rdar7582031_b:RDar7582031CB; 596@end 597 598// Test with one block. 599unsigned rdar7582031(RDar7582031 *o) { 600 __block unsigned x; 601 [o rdar7582031:^{ x = 1; }]; 602 return x; // no-warning 603} 604 605// Test with two blocks. 606unsigned long rdar7582031_b(RDar7582031 *o) { 607 __block unsigned y; 608 __block unsigned long x; 609 [o rdar7582031:^{ y = 1; }]; 610 [o rdar7582031_b:^{ x = 1LL; }]; 611 return x + (unsigned long) y; // no-warning 612} 613 614// Show we get an error when 'o' is null because the message 615// expression has no effect. 616unsigned long rdar7582031_b2(RDar7582031 *o) { 617 __block unsigned y; 618 __block unsigned long x; 619 if (o) 620 return 1; 621 [o rdar7582031:^{ y = 1; }]; 622 [o rdar7582031_b:^{ x = 1LL; }]; 623 return x + (unsigned long) y; // expected-warning{{The left operand of '+' is a garbage value}} 624} 625 626// Show that we handle static variables also getting invalidated. 627void rdar7582031_aux(void (^)(void)); 628RDar7582031 *rdar7582031_aux_2(void); 629 630unsigned rdar7582031_static(void) { 631 static RDar7582031 *o = 0; 632 rdar7582031_aux(^{ o = rdar7582031_aux_2(); }); 633 634 __block unsigned x; 635 [o rdar7582031:^{ x = 1; }]; 636 return x; // no-warning 637} 638 639//===----------------------------------------------------------------------===// 640// Test that variables passed using __blocks are not treated as being 641// uninitialized. 642//===----------------------------------------------------------------------===// 643 644typedef void (^RDar_7462324_Callback)(id obj); 645 646@interface RDar7462324 647- (void) foo:(id)target; 648- (void) foo_positive:(id)target; 649 650@end 651 652@implementation RDar7462324 653- (void) foo:(id)target { 654 __block RDar_7462324_Callback builder = ((void*) 0); 655 builder = ^(id object) { 656 if (object) { 657 builder(self); // no-warning 658 } 659 }; 660 builder(target); 661} 662- (void) foo_positive:(id)target { 663 __block RDar_7462324_Callback builder = ((void*) 0); 664 builder = ^(id object) { 665 id x; 666 if (object) { 667 builder(x); // expected-warning{{1st block call argument is an uninitialized value}} 668 } 669 }; 670 builder(target); 671} 672@end 673 674//===----------------------------------------------------------------------===// 675// Scanning for live variables within a block should not crash on variables 676// passed by reference via __block. 677//===----------------------------------------------------------------------===// 678 679int rdar7468209_aux(void); 680void rdar7468209_aux_2(void); 681 682void rdar7468209(void) { 683 __block int x = 0; 684 ^{ 685 x = rdar7468209_aux(); 686 // We need a second statement so that 'x' would be removed from the store if it wasn't 687 // passed by reference. 688 rdar7468209_aux_2(); 689 }(); 690} 691 692//===----------------------------------------------------------------------===// 693// PR 5857 - Test loading an integer from a byte array that has also been 694// reinterpreted to be loaded as a field. 695//===----------------------------------------------------------------------===// 696 697typedef struct { int x; } TestFieldLoad; 698int pr5857(char *src) { 699 TestFieldLoad *tfl = (TestFieldLoad *) (intptr_t) src; 700 int y = tfl->x; 701 long long *z = (long long *) (intptr_t) src; 702 long long w = 0; 703 int n = 0; 704 for (n = 0; n < y; ++n) { 705 // Previously we crashed analyzing this statement. 706 w = *z++; 707 } 708 return 1; 709} 710 711//===----------------------------------------------------------------------===// 712// PR 4358 - Without field-sensitivity, this code previously triggered 713// a false positive that 'uninit' could be uninitialized at the call 714// to pr4358_aux(). 715//===----------------------------------------------------------------------===// 716 717struct pr4358 { 718 int bar; 719 int baz; 720}; 721void pr4358_aux(int x); 722void pr4358(struct pr4358 *pnt) { 723 int uninit; 724 if (pnt->bar < 3) { 725 uninit = 1; 726 } else if (pnt->baz > 2) { 727 uninit = 3; 728 } else if (pnt->baz <= 2) { 729 uninit = 2; 730 } 731 pr4358_aux(uninit); // no-warning 732} 733 734//===----------------------------------------------------------------------===// 735// Test handling fields of values returned from function calls or 736// message expressions. 737//===----------------------------------------------------------------------===// 738 739typedef struct testReturn_rdar_7526777 { 740 int x; 741 int y; 742} testReturn_rdar_7526777; 743 744@interface TestReturnStruct_rdar_7526777 745- (testReturn_rdar_7526777) foo; 746@end 747 748int test_return_struct(TestReturnStruct_rdar_7526777 *x) { 749 return [x foo].x; 750} 751 752testReturn_rdar_7526777 test_return_struct_2_aux_rdar_7526777(void); 753 754int test_return_struct_2_rdar_7526777(void) { 755 return test_return_struct_2_aux_rdar_7526777().x; 756} 757 758//===----------------------------------------------------------------------===// 759// Assertion failed: (Op == BinaryOperator::Add || Op == BinaryOperator::Sub) 760// This test case previously triggered an assertion failure due to a discrepancy 761// been the loaded/stored value in the array 762//===----------------------------------------------------------------------===// 763 764_Bool OSAtomicCompareAndSwapPtrBarrier( void *__oldValue, void *__newValue, void * volatile *__theValue ); 765 766void rdar_7527292(void) { 767 static id Cache7527292[32]; 768 for (signed long idx = 0; 769 idx < 32; 770 idx++) { 771 id v = Cache7527292[idx]; 772 if (v && OSAtomicCompareAndSwapPtrBarrier(v, ((void*)0), (void * volatile *)(Cache7527292 + idx))) { 773 } 774 } 775} 776 777//===----------------------------------------------------------------------===// 778// Handle initialization of incomplete arrays in structures using a compound 779// value. Previously this crashed. 780//===----------------------------------------------------------------------===// 781 782struct rdar_7515938 { 783 int x; 784 int y[]; 785}; 786 787const struct rdar_7515938 *rdar_7515938(void) { 788 static const struct rdar_7515938 z = { 0, { 1, 2 } }; 789 if (z.y[0] != 1) { 790 int *p = 0; 791 *p = 0xDEADBEEF; // no-warning 792 } 793 return &z; 794} 795 796struct rdar_7515938_str { 797 int x; 798 char y[]; 799}; 800 801const struct rdar_7515938_str *rdar_7515938_str(void) { 802 static const struct rdar_7515938_str z = { 0, "hello" }; 803 return &z; 804} 805 806//===----------------------------------------------------------------------===// 807// Assorted test cases from PR 4172. 808//===----------------------------------------------------------------------===// 809 810struct PR4172A_s { int *a; }; 811 812void PR4172A_f2(struct PR4172A_s *p); 813 814int PR4172A_f1(void) { 815 struct PR4172A_s m; 816 int b[4]; 817 m.a = b; 818 PR4172A_f2(&m); 819 return b[3]; // no-warning 820} 821 822struct PR4172B_s { int *a; }; 823 824void PR4172B_f2(struct PR4172B_s *p); 825 826int PR4172B_f1(void) { 827 struct PR4172B_s m; 828 int x; 829 m.a = &x; 830 PR4172B_f2(&m); 831 return x; // no-warning 832} 833 834//===----------------------------------------------------------------------===// 835// Test invalidation of values in struct literals. 836//===----------------------------------------------------------------------===// 837 838struct s_rev96062 { int *x; int *y; }; 839struct s_rev96062_nested { struct s_rev96062 z; }; 840 841void test_a_rev96062_aux(struct s_rev96062 *s); 842void test_a_rev96062_aux2(struct s_rev96062_nested *s); 843 844int test_a_rev96062(void) { 845 int a, b; 846 struct s_rev96062 x = { &a, &b }; 847 test_a_rev96062_aux(&x); 848 return a + b; // no-warning 849} 850int test_b_rev96062(void) { 851 int a, b; 852 struct s_rev96062 x = { &a, &b }; 853 struct s_rev96062 z = x; 854 test_a_rev96062_aux(&z); 855 return a + b; // no-warning 856} 857int test_c_rev96062(void) { 858 int a, b; 859 struct s_rev96062 x = { &a, &b }; 860 struct s_rev96062_nested w = { x }; 861 struct s_rev96062_nested z = w; 862 test_a_rev96062_aux2(&z); 863 return a + b; // no-warning 864} 865 866//===----------------------------------------------------------------------===// 867// The access to y[0] at the bottom previously was reported as an uninitialized 868// value. 869//===----------------------------------------------------------------------===// 870 871char *rdar_7242010(int count, char **y) { 872 char **x = alloca((count + 4) * sizeof(*x)); 873 x[0] = "hi"; 874 x[1] = "there"; 875 x[2] = "every"; 876 x[3] = "body"; 877 memcpy(x + 4, y, count * sizeof(*x)); 878 y = x; 879 return y[0]; // no-warning 880} 881 882struct rdar_7770737_s { intptr_t p; }; 883void rdar_7770737_aux(struct rdar_7770737_s *p); 884int rdar_7770737(void) 885{ 886 int x; 887 888 // Previously 'f' was not properly invalidated, causing the use of 889 // an uninitailized value below. 890 struct rdar_7770737_s f = { .p = (intptr_t)&x }; 891 rdar_7770737_aux(&f); 892 return x; // no-warning 893} 894int rdar_7770737_pos(void) 895{ 896 int x; 897 struct rdar_7770737_s f = { .p = (intptr_t)&x }; 898 return x; // expected-warning{{Undefined or garbage value returned to caller}} 899} 900 901//===----------------------------------------------------------------------===// 902// Test handling of the implicit 'isa' field. For now we don't do anything 903// interesting. 904//===----------------------------------------------------------------------===// 905 906void pr6302(id x, Class y) { 907 // This previously crashed the analyzer (reported in PR 6302) 908 x->isa = y; // expected-warning {{assignment to Objective-C's isa is deprecated in favor of object_setClass()}} 909} 910 911//===----------------------------------------------------------------------===// 912// Specially handle global variables that are declared constant. In the 913// example below, this forces the loop to take exactly 1 iteration. 914//===----------------------------------------------------------------------===// 915 916const int pr6288_L_N = 1; 917void pr6288_(void) { 918 int x[1]; 919 int *px[1]; 920 int i; 921 for (i = 0; i < pr6288_L_N; i++) 922 px[i] = &x[i]; 923 *(px[0]) = 0; // no-warning 924} 925 926void pr6288_pos(int z) { 927 int x[1]; 928 int *px[1]; 929 int i; 930 for (i = 0; i < z; i++) 931 px[i] = &x[i]; // expected-warning{{Access out-of-bound array element (buffer overflow)}} 932 *(px[0]) = 0; // expected-warning{{Dereference of undefined pointer value}} 933} 934 935void pr6288_b(void) { 936 const int L_N = 1; 937 int x[1]; 938 int *px[1]; 939 int i; 940 for (i = 0; i < L_N; i++) 941 px[i] = &x[i]; 942 *(px[0]) = 0; // no-warning 943} 944 945void pr6288_no_third_iter(int z) { 946 int x[2]; 947 int *px[2]; 948 int i; 949 // If the loop condition is opaque, we assume that there may be two 950 // iterations (becasuse otherwise the loop could be replaced by an if); but 951 // we do not assume that there may be a third iteration. Therefore, 952 // unlike 'pr6288_pos', this testcase does not produce an out-of-bounds error. 953 for (i = 0; i < z; i++) 954 px[i] = &x[i]; 955 *(px[0]) = 0; // expected-warning{{Dereference of undefined pointer value}} 956} 957 958// A bug in RemoveDeadBindings was causing instance variable bindings to get 959// prematurely pruned from the state. 960@interface Rdar7817800 { 961 char *x; 962} 963- (void) rdar7817800_baz; 964@end 965 966char *rdar7817800_foobar(void); 967void rdar7817800_qux(void*); 968 969@implementation Rdar7817800 970- (void) rdar7817800_baz { 971 if (x) 972 rdar7817800_qux(x); 973 x = rdar7817800_foobar(); 974 // Previously this triggered a bogus null dereference warning. 975 x[1] = 'a'; // no-warning 976} 977@end 978 979// PR 6036 - This test case triggered a crash inside StoreManager::CastRegion because the size 980// of 'unsigned long (*)[0]' is 0. 981struct pr6036_a { int pr6036_b; }; 982struct pr6036_c; 983void u132monitk (struct pr6036_c *pr6036_d) { 984 (void) ((struct pr6036_a *) (unsigned long (*)[0]) ((char *) pr6036_d - 1))->pr6036_b; // expected-warning{{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption}} 985} 986 987// ?-expressions used as a base of a member expression should be treated as an lvalue 988typedef struct rdar7813989_NestedVal { int w; } rdar7813989_NestedVal; 989typedef struct rdar7813989_Val { rdar7813989_NestedVal nv; } rdar7813989_Val; 990 991int rdar7813989(int x, rdar7813989_Val *a, rdar7813989_Val *b) { 992 // This previously crashed with an assertion failure. 993 int z = (x ? a->nv : b->nv).w; 994 return z + 1; 995} 996 997// PR 6844 - Don't crash on vaarg expression. 998typedef __builtin_va_list va_list; 999void map(int srcID, ...) { 1000 va_list ap; 1001 int i; 1002 for (i = 0; i < srcID; i++) { 1003 int v = __builtin_va_arg(ap, int); 1004 } 1005} 1006 1007// PR 6854 - crash when casting symbolic memory address to a float 1008// Handle casting from a symbolic region to a 'float'. This isn't 1009// really all that intelligent, but previously this caused a crash 1010// in SimpleSValuator. 1011void pr6854(void * arg) { 1012 void * a = arg; 1013 *(void**)a = arg; 1014 float f = *(float*) a; 1015} 1016 1017// False positive due to symbolic store not find value because of 'const' 1018// qualifier 1019double rdar_8032791_2(void); 1020double rdar_8032791_1(void) { 1021 struct R8032791 { double x[2]; double y; } 1022 data[3] = { 1023 {{1.0, 3.0}, 3.0}, // 1 2 3 1024 {{1.0, 1.0}, 0.0}, // 1 1 2 2 3 3 1025 {{1.0, 3.0}, 1.0} // 1 2 3 1026 }; 1027 1028 double x = 0.0; 1029 for (unsigned i = 0 ; i < 3; i++) { 1030 const struct R8032791 *p = &data[i]; 1031 x += p->y + rdar_8032791_2(); // no-warning 1032 } 1033 return x; 1034} 1035 1036// PR 7450 - Handle pointer arithmetic with __builtin_alloca 1037void pr_7450_aux(void *x); 1038void pr_7450(void) { 1039 void *p = __builtin_alloca(10); 1040 // Don't crash when analyzing the following statement. 1041 pr_7450_aux(p + 8); 1042} 1043 1044// Symbolicate struct values returned by value. 1045struct s_rdar_8243408 { int x; }; 1046extern struct s_rdar_8243408 rdar_8243408_aux(void); 1047void rdar_8243408(void) { 1048 struct s_rdar_8243408 a = { 1 }, *b = 0; 1049 while (a.x && !b) 1050 a = rdar_8243408_aux(); 1051 1052 // Previously there was a false error here with 'b' being null. 1053 (void) (a.x && b->x); // no-warning 1054 1055 // Introduce a null deref to ensure we are checking this path. 1056 int *p = 0; 1057 *p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}} 1058} 1059 1060int r8258814(void) 1061{ 1062 int foo; 1063 int * a = &foo; 1064 a[0] = 10; 1065 // Do not warn that the value of 'foo' is uninitialized. 1066 return foo; // no-warning 1067} 1068 1069// PR 8052 - Don't crash when reasoning about loads from a function address.\n 1070typedef unsigned int __uint32_t; 1071typedef unsigned long vm_offset_t; 1072typedef __uint32_t pd_entry_t; 1073typedef unsigned char u_char; 1074typedef unsigned int u_int; 1075typedef unsigned long u_long; 1076extern int bootMP_size; 1077void bootMP(void); 1078static void 1079pr8052(u_int boot_addr) 1080{ 1081 int x; 1082 int size = *(int *) ((u_long) & bootMP_size); 1083 u_char *src = (u_char *) ((u_long) bootMP); 1084 u_char *dst = (u_char *) boot_addr + ((vm_offset_t) ((((((((1 << 108512) / (sizeof(pd_entry_t))) - 1) - 1) - (260 - 2))) << 22) | ((0) << 12))); 1086#ifdef TEST_64 1087// expected-warning@-3 {{cast to 'u_char *' (aka 'unsigned char *') from smaller integer type 'u_int' (aka 'unsigned int')}} 1088#endif 1089 for (x = 0; 1090 x < size; 1091 ++x) 1092 *dst++ = *src++; 1093} 1094 1095// PR 8015 - don't return undefined values for arrays when using a valid 1096// symbolic index 1097int pr8015_A(void); 1098void pr8015_B(const char *); 1099 1100void pr8015_C(void) { 1101 int number = pr8015_A(); 1102 const char *numbers[] = { "zero" }; 1103 if (number == 0) { 1104 pr8015_B(numbers[number]); // no-warning 1105 } 1106} 1107 1108// Tests that we correctly handle that 'number' is perfectly constrained 1109// after 'if (number == 0)', allowing us to resolve that 1110// numbers[number] == numbers[0]. 1111void pr8015_D_FIXME(void) { 1112 int number = pr8015_A(); 1113 const char *numbers[] = { "zero" }; 1114 if (number == 0) { 1115 if (numbers[number] == numbers[0]) 1116 return; 1117 // Unreachable. 1118 int *p = 0; 1119 *p = 0xDEADBEEF; // no-warnng 1120 } 1121} 1122 1123void pr8015_E(void) { 1124 // Similar to pr8015_C, but number is allowed to be a valid range. 1125 unsigned number = pr8015_A(); 1126 const char *numbers[] = { "zero", "one", "two" }; 1127 if (number < 3) { 1128 pr8015_B(numbers[number]); // no-warning 1129 } 1130} 1131 1132void pr8015_F_FIXME(void) { 1133 // Similar to pr8015_E, but like pr8015_D we check if the pointer 1134 // is the same as one of the string literals. The null dereference 1135 // here is not feasible in practice, so this is a false positive. 1136 int number = pr8015_A(); 1137 const char *numbers[] = { "zero", "one", "two" }; 1138 if (number < 3) { 1139 const char *p = numbers[number]; 1140 if (p == numbers[0] || p == numbers[1] || p == numbers[2]) 1141 return; 1142 int *q = 0; 1143 *q = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}} 1144 } 1145} 1146 1147// PR 8141. Previously the statement expression in the for loop caused 1148// the CFG builder to crash. 1149struct list_pr8141 1150{ 1151 struct list_pr8141 *tail; 1152}; 1153 1154struct list_pr8141 * 1155pr8141 (void) { 1156 struct list_pr8141 *items; 1157 for (;; items = ({ do { } while (0); items->tail; })) // expected-warning{{dereference of an undefined pointer value}} 1158 { 1159 } 1160} 1161 1162// Don't crash when building the CFG. 1163void do_not_crash(int x) { 1164 while (x - ({do {} while (0); x; })) { 1165 } 1166} 1167 1168// Handle looking at the size of a VLA in ArrayBoundChecker. Nothing 1169// intelligent (yet); just don't crash. 1170typedef struct RDar8424269_A { 1171 int RDar8424269_C; 1172} RDar8424269_A; 1173static void RDar8424269_B(RDar8424269_A *p, unsigned char *RDar8424269_D, 1174 const unsigned char *RDar8424269_E, int RDar8424269_F, 1175 int b_w, int b_h, int dx, int dy) { 1176 int x, y, b, r, l; 1177 unsigned char tmp2t[3][RDar8424269_F * (32 + 8)]; 1178 unsigned char *tmp2 = tmp2t[0]; 1179 if (p && !p->RDar8424269_C) 1180 b = 15; 1181 tmp2 = tmp2t[1]; 1182 if (b & 2) { // expected-warning{{The left operand of '&' is a garbage value}} 1183 for (y = 0; y < b_h; y++) { 1184 for (x = 0; x < b_w + 1; x++) { 1185 int am = 0; 1186 tmp2[x] = am; 1187 } 1188 } 1189 } 1190 tmp2 = tmp2t[2]; 1191} 1192 1193// Handle transparent unions with the NonNullParamChecker. 1194typedef union { 1195 struct rdar_8642434_typeA *_dq; 1196} 1197rdar_8642434_typeB __attribute__((transparent_union)); 1198 1199__attribute__((visibility("default"))) __attribute__((__nonnull__)) __attribute__((__nothrow__)) 1200void rdar_8642434_funcA(rdar_8642434_typeB object); 1201 1202void rdar_8642434_funcB(struct rdar_8642434_typeA *x, struct rdar_8642434_typeA *y) { 1203 rdar_8642434_funcA(x); 1204 if (!y) 1205 rdar_8642434_funcA(y); // expected-warning{{Null pointer passed to 1st parameter expecting 'nonnull'}} 1206} 1207 1208// Handle loads and stores from a symbolic index into array without warning 1209// about an uninitialized value being returned. While RegionStore can't fully 1210// reason about this example, it shouldn't warn here either. 1211typedef struct s_test_rdar8848957 { 1212 int x, y, z; 1213} s_test_rdar8848957; 1214 1215s_test_rdar8848957 foo_rdar8848957(void); 1216int rdar8848957(int index) { 1217 s_test_rdar8848957 vals[10]; 1218 vals[index] = foo_rdar8848957(); 1219 return vals[index].x; // no-warning 1220} 1221 1222// PR 9049 - crash on symbolicating unions. This test exists solely to 1223// test that the analyzer doesn't crash. 1224typedef struct pr9048_cdev *pr9048_cdev_t; 1225typedef union pr9048_abstracted_disklabel { void *opaque; } pr9048_disklabel_t; 1226struct pr9048_diskslice { pr9048_disklabel_t ds_label; }; 1227struct pr9048_diskslices { 1228 int dss_secmult; 1229 struct pr9048_diskslice dss_slices[16]; 1230}; 1231void pr9048(pr9048_cdev_t dev, struct pr9048_diskslices * ssp, unsigned int slice) 1232{ 1233 pr9048_disklabel_t lp; 1234 struct pr9048_diskslice *sp; 1235 sp = &ssp->dss_slices[slice]; 1236 if (ssp->dss_secmult == 1) { 1237 } else if ((lp = sp->ds_label).opaque != ((void *) 0)) { 1238 } 1239} 1240 1241// Test Store reference counting in the presence of Lazy compound values. 1242// This previously caused an infinite recursion. 1243typedef struct {} Rdar_9103310_A; 1244typedef struct Rdar_9103310_B Rdar_9103310_B_t; 1245struct Rdar_9103310_B { 1246 unsigned char Rdar_9103310_C[101]; 1247}; 1248void Rdar_9103310_E(Rdar_9103310_A * x, struct Rdar_9103310_C * b) { // expected-warning {{declaration of 'struct Rdar_9103310_C' will not be visible outside of this function}} 1249 char Rdar_9103310_D[4][4] = { "a", "b", "c", "d"}; 1250 int i; 1251 Rdar_9103310_B_t *y = (Rdar_9103310_B_t *) x; 1252 for (i = 0; i < 101; i++) { 1253 Rdar_9103310_F(b, "%2d%s ", (y->Rdar_9103310_C[i]) / 4, Rdar_9103310_D[(y->Rdar_9103310_C[i]) % 4]); // expected-warning {{call to undeclared function 'Rdar_9103310_F'; ISO C99 and later do not support implicit function declarations}} 1254 } 1255} 1256 1257// Test handling binding lazy compound values to a region and then have 1258// specific elements have other bindings. 1259int PR9455(void) { 1260 char arr[4] = "000"; 1261 arr[0] = '1'; 1262 if (arr[1] == '0') 1263 return 1; 1264 int *p = 0; 1265 *p = 0xDEADBEEF; // no-warning 1266 return 1; 1267} 1268int PR9455_2(void) { 1269 char arr[4] = "000"; 1270 arr[0] = '1'; 1271 if (arr[1] == '0') { 1272 int *p = 0; 1273 *p = 0xDEADBEEF; // expected-warning {{null}} 1274 } 1275 return 1; 1276} 1277 1278// Test initialization of substructs via lazy compound values. 1279typedef float RDar9163742_Float; 1280 1281typedef struct { 1282 RDar9163742_Float x, y; 1283} RDar9163742_Point; 1284typedef struct { 1285 RDar9163742_Float width, height; 1286} RDar9163742_Size; 1287typedef struct { 1288 RDar9163742_Point origin; 1289 RDar9163742_Size size; 1290} RDar9163742_Rect; 1291 1292extern RDar9163742_Rect RDar9163742_RectIntegral(RDar9163742_Rect); 1293 1294RDar9163742_Rect RDar9163742_IntegralRect(RDar9163742_Rect frame) 1295{ 1296 RDar9163742_Rect integralFrame; 1297 integralFrame.origin.x = frame.origin.x; 1298 integralFrame.origin.y = frame.origin.y; 1299 integralFrame.size = frame.size; 1300 return RDar9163742_RectIntegral(integralFrame); // no-warning; all fields initialized 1301} 1302 1303// Test correct handling of prefix '--' operator. 1304void rdar9444714(void) { 1305 int x; 1306 char str[ 32 ]; 1307 char buf[ 32 ]; 1308 char * dst; 1309 char * ptr; 1310 1311 x = 1234; 1312 dst = str; 1313 ptr = buf; 1314 do 1315 { 1316 *ptr++ = (char)( '0' + ( x % 10 ) ); 1317 x /= 10; 1318 } while( x > 0 ); 1319 1320 while( ptr > buf ) 1321 { 1322 *dst++ = *( --( ptr ) ); // no-warning 1323 } 1324 *dst = '\0'; 1325} 1326 1327// Test handling symbolic elements with field accesses. 1328typedef struct { 1329 unsigned value; 1330} RDar11127008; 1331 1332signed rdar_11127008_index(void); 1333 1334static unsigned rdar_11127008(void) { 1335 RDar11127008 values[] = {{.value = 0}, {.value = 1}}; 1336 signed index = rdar_11127008_index(); 1337 if (index < 0) return 0; 1338 if (index >= 2) return 0; 1339 return values[index].value; 1340} 1341 1342// Test handling invalidating arrays passed to a block via captured 1343// pointer value (not a __block variable). 1344typedef void (^radar11125868_cb)(int *, unsigned); 1345 1346void rdar11125868_aux(radar11125868_cb cb); 1347 1348int rdar11125868(void) { 1349 int integersStackArray[1]; 1350 int *integers = integersStackArray; 1351 rdar11125868_aux(^(int *integerValue, unsigned index) { 1352 integers[index] = integerValue[index]; 1353 }); 1354 return integers[0] == 0; // no-warning 1355} 1356 1357int rdar11125868_positive(void) { 1358 int integersStackArray[1]; 1359 int *integers = integersStackArray; 1360 return integers[0] == 0; // expected-warning {{The left operand of '==' is a}} 1361} 1362