misc-ps-region-store.cpp source code [clang_source_code/test/Analysis/misc-ps-region-store.cpp]

1	// RUN: %clang_analyze_cc1 -triple i386-apple-darwin9 -analyzer-checker=core,alpha.core,debug.ExprInspection -analyzer-store=region -verify -fblocks -analyzer-opt-analyze-nested-blocks %s -fexceptions -fcxx-exceptions -Wno-tautological-undefined-compare
2	// RUN: %clang_analyze_cc1 -triple x86_64-apple-darwin9 -analyzer-checker=core,alpha.core,debug.ExprInspection -analyzer-store=region -verify -fblocks -analyzer-opt-analyze-nested-blocks %s -fexceptions -fcxx-exceptions -Wno-tautological-undefined-compare
3
4	void clang_analyzer_warnIfReached();
5
6	// Test basic handling of references.
7	char &test1_aux();
8	char *test1() {
9	return &test1_aux();
10	}
11
12	// Test test1_aux() evaluates to char &.
13	char test1_as_rvalue() {
14	return test1_aux();
15	}
16
17	// Test passing a value as a reference. The 'const' in test2_aux() adds
18	// an ImplicitCastExpr, which is evaluated as an lvalue.
19	int test2_aux(const int &n);
20	int test2(int n) {
21	return test2_aux(n);
22	}
23
24	int test2_b_aux(const short &n);
25	int test2_b(int n) {
26	return test2_b_aux(n);
27	}
28
29	// Test getting the lvalue of a derived and converting it to a base. This
30	// previously crashed.
31	class Test3_Base {};
32	class Test3_Derived : public Test3_Base {};
33
34	int test3_aux(Test3_Base &x);
35	int test3(Test3_Derived x) {
36	return test3_aux(x);
37	}
38
39	//===---------------------------------------------------------------------===//
40	// Test CFG support for C++ condition variables.
41	//===---------------------------------------------------------------------===//
42
43	int test_init_in_condition_aux();
44	int test_init_in_condition() {
45	if (int x = test_init_in_condition_aux()) { // no-warning
46	return 1;
47	}
48	return 0;
49	}
50
51	int test_init_in_condition_switch() {
52	switch (int x = test_init_in_condition_aux()) { // no-warning
53	case 1:
54	return 0;
55	case 2:
56	if (x == 2)
57	return 0;
58	else {
59	clang_analyzer_warnIfReached(); // unreachable
60	}
61	default:
62	break;
63	}
64	return 0;
65	}
66
67	int test_init_in_condition_while() {
68	int z = 0;
69	while (int x = ++z) { // no-warning
70	if (x == 2)
71	break;
72	}
73
74	if (z == 2)
75	return 0;
76
77	clang_analyzer_warnIfReached(); // unreachable
78	return 0;
79	}
80
81
82	int test_init_in_condition_for() {
83	int z = 0;
84	for (int x = 0; int y = ++z; ++x) {
85	if (x == y) // no-warning
86	break;
87	}
88	if (z == 1)
89	return 0;
90
91	clang_analyzer_warnIfReached(); // unreachable
92	return 0;
93	}
94
95	//===---------------------------------------------------------------------===//
96	// Test handling of 'this' pointer.
97	//===---------------------------------------------------------------------===//
98
99	class TestHandleThis {
100	int x;
101
102	TestHandleThis();
103	int foo();
104	int null_deref_negative();
105	int null_deref_positive();
106	};
107
108	int TestHandleThis::foo() {
109	// Assume that 'x' is initialized.
110	return x + 1; // no-warning
111	}
112
113	int TestHandleThis::null_deref_negative() {
114	x = 10;
115	if (x == 10) {
116	return 1;
117	}
118	clang_analyzer_warnIfReached(); // unreachable
119	return 0;
120	}
121
122	int TestHandleThis::null_deref_positive() {
123	x = 10;
124	if (x == 9) {
125	return 1;
126	}
127	clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
128	return 0;
129	}
130
131	// PR 7675 - passing literals by-reference
132	void pr7675(const double &a);
133	void pr7675(const int &a);
134	void pr7675(const char &a);
135	void pr7675_i(const _Complex double &a);
136
137	void pr7675_test() {
138	pr7675(10.0);
139	pr7675(10);
140	pr7675('c');
141	pr7675_i(4.0j);
142
143	// Add check to ensure we are analyzing the code up to this point.
144	clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
145	}
146
147	// <rdar://problem/8375510> - CFGBuilder should handle temporaries.
148	struct R8375510 {
149	R8375510();
150	~R8375510();
151	R8375510 operator++(int);
152	};
153
154	int r8375510(R8375510 x, R8375510 y) {
155	for (; ; x++) { }
156	}
157
158	// PR8419 -- this used to crash.
159
160	class String8419 {
161	public:
162	char& get(int n);
163	char& operator[](int n);
164	};
165
166	char& get8419();
167
168	void Test8419() {
169	String8419 s;
170	++(s.get(0));
171	get8419()--; // used to crash
172	--s[0]; // used to crash
173	s[0] &= 1; // used to crash
174	s[0]++; // used to crash
175	}
176
177	// PR8426 -- this used to crash.
178
179	void Use(void* to);
180
181	template <class T> class Foo {
182	~Foo();
183	struct Bar;
184	Bar* bar_;
185	};
186
187	template <class T> Foo<T>::~Foo() {
188	Use(bar_);
189	T::DoSomething();
190	bar_->Work();
191	}
192
193	// PR8427 -- this used to crash.
194
195	class Dummy {};
196
197	bool operator==(Dummy, int);
198
199	template <typename T>
200	class Foo2 {
201	bool Bar();
202	};
203
204	template <typename T>
205	bool Foo2<T>::Bar() {
206	return 0 == T();
207	}
208
209	// PR8433 -- this used to crash.
210
211	template <typename T>
212	class Foo3 {
213	public:
214	void Bar();
215	void Baz();
216	T value_;
217	};
218
219	template <typename T>
220	void Foo3<T>::Bar() {
221	Baz();
222	value_();
223	}
224
225	//===---------------------------------------------------------------------===//
226	// Handle misc. C++ constructs.
227	//===---------------------------------------------------------------------===//
228
229	namespace fum {
230	int i = 3;
231	};
232
233	void test_namespace() {
234	// Previously triggered a crash.
235	using namespace fum;
236	int x = i;
237	}
238
239	// Test handling methods that accept references as parameters, and that
240	// variables are properly invalidated.
241	class RDar9203355 {
242	bool foo(unsigned valA, long long &result) const;
243	bool foo(unsigned valA, int &result) const;
244	};
245	bool RDar9203355::foo(unsigned valA, int &result) const {
246	long long val;
247	if (foo(valA, val) \|\|
248	(int)val != val) // no-warning
249	return true;
250	result = val; // no-warning
251	return false;
252	}
253
254	// Test handling of new[].
255	void rdar9212512() {
256	int *x = new int[10];
257	for (unsigned i = 0 ; i < 2 ; ++i) {
258	// This previously triggered an uninitialized values warning.
259	x[i] = 1; // no-warning
260	}
261	}
262
263	// Test basic support for dynamic_cast<>.
264	struct Rdar9212495_C { virtual void bar() const; };
265	class Rdar9212495_B : public Rdar9212495_C {};
266	class Rdar9212495_A : public Rdar9212495_B {};
267	const Rdar9212495_A& rdar9212495(const Rdar9212495_C* ptr) {
268	const Rdar9212495_A& val = dynamic_cast<const Rdar9212495_A&>(*ptr);
269
270	// This is not valid C++; dynamic_cast with a reference type will throw an
271	// exception if the pointer does not match the expected type. However, our
272	// implementation of dynamic_cast will pass through a null pointer...or a
273	// "null reference"! So this branch is actually possible.
274	if (&val == 0) {
275	val.bar(); // expected-warning{{Called C++ object pointer is null}}
276	}
277
278	return val;
279	}
280
281	const Rdar9212495_A* rdar9212495_ptr(const Rdar9212495_C* ptr) {
282	const Rdar9212495_A* val = dynamic_cast<const Rdar9212495_A*>(ptr);
283
284	if (val == 0) {
285	val->bar(); // expected-warning{{Called C++ object pointer is null}}
286	}
287
288	return val;
289	}
290
291	// Test constructors invalidating arguments. Previously this raised
292	// an uninitialized value warning.
293	extern "C" void __attribute__((noreturn)) PR9645_exit(int i);
294
295	class PR9645_SideEffect
296	{
297	public:
298	PR9645_SideEffect(int *pi); // caches pi in i_
299	void Read(int pi); // copies pi into *i_
300	private:
301	int *i_;
302	};
303
304	void PR9645() {
305	int i;
306
307	PR9645_SideEffect se(&i);
308	int j = 1;
309	se.Read(&j); // this has a side-effect of initializing i.
310
311	PR9645_exit(i); // no-warning
312	}
313
314	PR9645_SideEffect::PR9645_SideEffect(int *pi) : i_(pi) {}
315	void PR9645_SideEffect::Read(int pi) { i_ = *pi; }
316
317	// Invalidate fields during C++ method calls.
318	class RDar9267815 {
319	int x;
320	void test();
321	void test_pos();
322	void test2();
323	void invalidate();
324	};
325
326	void RDar9267815::test_pos() {
327	if (x == 42)
328	return;
329	clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
330	}
331	void RDar9267815::test() {
332	if (x == 42)
333	return;
334	if (x == 42)
335	clang_analyzer_warnIfReached(); // no-warning
336	}
337
338	void RDar9267815::test2() {
339	if (x == 42)
340	return;
341	invalidate();
342	if (x == 42)
343	clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
344	}
345
346	// Test reference parameters.
347	void test_ref_double_aux(double &Value);
348	float test_ref_double() {
349	double dVal;
350	test_ref_double_aux(dVal);
351	// This previously warned because 'dVal' was thought to be uninitialized.
352	float Val = (float)dVal; // no-warning
353	return Val;
354	}
355
356	// Test invalidation of class fields.
357	class TestInvalidateClass {
358	public:
359	int x;
360	};
361
362	void test_invalidate_class_aux(TestInvalidateClass &x);
363
364	int test_invalidate_class() {
365	TestInvalidateClass y;
366	test_invalidate_class_aux(y);
367	return y.x; // no-warning
368	}
369
370	// Test correct pointer arithmetic using 'p--'. This is to warn that we
371	// were loading beyond the written characters in buf.
372	char RDar9269695(char dst, unsigned int n)
373	{
374	char buff[40], *p;
375
376	p = buff;
377	do
378	*p++ = '0' + n % 10;
379	while (n /= 10);
380
381	do
382	dst++ = --p; // no-warning
383	while (p != buff);
384
385	return dst;
386	}
387
388	// Test that we invalidate byref arguments passed to constructors.
389	class TestInvalidateInCtor {
390	public:
391	TestInvalidateInCtor(unsigned &x);
392	};
393
394	unsigned test_invalidate_in_ctor() {
395	unsigned x;
396	TestInvalidateInCtor foo(x);
397	return x; // no-warning
398	}
399	unsigned test_invalidate_in_ctor_new() {
400	unsigned x;
401	delete (new TestInvalidateInCtor(x));
402	return x; // no-warning
403	}
404
405	// Test assigning into a symbolic offset.
406	struct TestAssignIntoSymbolicOffset {
407	int **stuff[100];
408	void test(int x, int y);
409	};
410
411	void TestAssignIntoSymbolicOffset::test(int x, int y) {
412	x--;
413	if (x > 8 \|\| x < 0)
414	return;
415	if (stuff[x])
416	return;
417	if (!stuff[x]) {
418	stuff[x] = new int*[y+1];
419	// Previously triggered a null dereference.
420	stuff[x][y] = 0; // no-warning
421	}
422	}
423
424	// Test loads from static fields. This previously triggered an uninitialized
425	// value warning.
426	class ClassWithStatic {
427	public:
428	static const unsigned value = 1;
429	};
430
431	int rdar9948787_negative() {
432	ClassWithStatic classWithStatic;
433	unsigned value = classWithStatic.value;
434	if (value == 1)
435	return 1;
436	clang_analyzer_warnIfReached(); // no-warning
437	return 0;
438	}
439
440	int rdar9948787_positive() {
441	ClassWithStatic classWithStatic;
442	unsigned value = classWithStatic.value;
443	if (value == 0)
444	return 1;
445	clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
446	return 0;
447	}
448
449	// Regression test against global constants and switches.
450	enum rdar10202899_ValT { rdar10202899_ValTA, rdar10202899_ValTB, rdar10202899_ValTC };
451	const rdar10202899_ValT val = rdar10202899_ValTA;
452	void rdar10202899_test1() {
453	switch (val) {
454	case rdar10202899_ValTA: {}
455	};
456	}
457
458	void rdar10202899_test2() {
459	if (val == rdar10202899_ValTA)
460	return;
461	clang_analyzer_warnIfReached(); // no-warning
462	}
463
464	void rdar10202899_test3() {
465	switch (val) {
466	case rdar10202899_ValTA: return;
467	default: ;
468	};
469	clang_analyzer_warnIfReached(); // no-warning
470	}
471
472	// This used to crash the analyzer because of the unnamed bitfield.
473	void PR11249()
474	{
475	struct {
476	char f1:4;
477	char :4;
478	char f2[1];
479	char f3;
480	} V = { 1, {2}, 3 };
481	if (V.f1 != 1)
482	clang_analyzer_warnIfReached(); // no-warning
483	if (V.f2[0] != 2)
484	clang_analyzer_warnIfReached(); // no-warning
485	if (V.f3 != 3)
486	clang_analyzer_warnIfReached(); // no-warning
487	}
488
489	// Handle doing a load from the memory associated with the code for
490	// a function.
491	extern double nan( const char * );
492	double PR11450() {
493	double NaN = (double) nan;
494	return NaN;
495	}
496
497	// Test that 'this' is assumed non-null upon analyzing the entry to a "top-level"
498	// function (i.e., when not analyzing from a specific caller).
499	struct TestNullThis {
500	int field;
501	void test();
502	};
503
504	void TestNullThis::test() {
505	int *p = &field;
506	if (p)
507	return;
508	field = 2; // no-warning
509	}
510
511	// Test handling of 'catch' exception variables, and not warning
512	// about uninitialized values.
513	enum MyEnum { MyEnumValue };
514	MyEnum rdar10892489() {
515	try {
516	throw MyEnumValue;
517	} catch (MyEnum e) {
518	return e; // no-warning
519	}
520	return MyEnumValue;
521	}
522
523	MyEnum rdar10892489_positive() {
524	try {
525	throw MyEnumValue;
526	} catch (MyEnum e) {
527	int *p = 0;
528	// FALSE NEGATIVE
529	*p = 0xDEADBEEF; // {{null}}
530	return e;
531	}
532	return MyEnumValue;
533	}
534
535	// Test handling of catch with no condition variable.
536	void PR11545() {
537	try
538	{
539	throw;
540	}
541	catch (...)
542	{
543	}
544	}
545
546	void PR11545_positive() {
547	try
548	{
549	throw;
550	}
551	catch (...)
552	{
553	int *p = 0;
554	// FALSE NEGATIVE
555	*p = 0xDEADBEEF; // {{null}}
556	}
557	}
558
559	// Test handling taking the address of a field. While the analyzer
560	// currently doesn't do anything intelligent here, this previously
561	// resulted in a crash.
562	class PR11146 {
563	public:
564	struct Entry;
565	void baz();
566	};
567
568	struct PR11146::Entry {
569	int x;
570	};
571
572	void PR11146::baz() {
573	(void) &Entry::x;
574	}
575
576	// Test symbolicating a reference. In this example, the
577	// analyzer (originally) didn't know how to handle x[index - index2],
578	// returning an UnknownVal. The conjured symbol wasn't a location,
579	// and would result in a crash.
580	void rdar10924675(unsigned short x[], int index, int index2) {
581	unsigned short &y = x[index - index2];
582	if (y == 0)
583	return;
584	}
585
586	// Test handling CXXScalarValueInitExprs.
587	void rdar11401827() {
588	int x = int();
589	if (!x) {
590	clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
591	; // Suppress warning that both branches are identical
592	}
593	else {
594	clang_analyzer_warnIfReached(); // no-warning
595	}
596	}
597
598	//===---------------------------------------------------------------------===//
599	// Handle inlining of C++ method calls.
600	//===---------------------------------------------------------------------===//
601
602	struct A {
603	int *p;
604	void foo(int *q) {
605	p = q;
606	}
607	void bar() {
608	*p = 0; // expected-warning {{null pointer}}
609	}
610	};
611
612	void test_inline() {
613	A a;
614	a.foo(0);
615	a.bar();
616	}
617
618	void test_alloca_in_a_recursive_function(int p1) {
619	__builtin_alloca (p1);
620	test_alloca_in_a_recursive_function(1);
621	test_alloca_in_a_recursive_function(2);
622	}
623
624	//===---------------------------------------------------------------------===//
625	// Random tests.
626	//===---------------------------------------------------------------------===//
627
628	// Tests assigning using a C-style initializer to a struct
629	// variable whose sub-field is also a struct. This currently
630	// results in a CXXTempObjectRegion being created, but not
631	// properly handled. For now, we just ignore that value
632	// to avoid a crash (<rdar://problem/12753384>).
633	struct RDar12753384_ClassA {
634	unsigned z;
635	};
636	struct RDar12753384_ClassB {
637	unsigned x;
638	RDar12753384_ClassA y[ 8 ] ;
639	};
640	unsigned RDar12753384() {
641	RDar12753384_ClassB w = { 0x00 };
642	RDar12753384_ClassA y[8];
643	return w.x;
644	}
645
646	// This testcase tests whether we treat the anonymous union and union
647	// the same way. This previously resulted in a "return of stack address"
648	// warning because the anonymous union resulting in a temporary object
649	// getting put into the initializer. We still aren't handling this correctly,
650	// but now if a temporary object appears in an initializer we just ignore it.
651	// Fixes <rdar://problem/12755044>.
652
653	struct Rdar12755044_foo
654	{
655	struct Rdar12755044_bar
656	{
657	union baz
658	{
659	int i;
660	};
661	} aBar;
662	};
663
664	struct Rdar12755044_foo_anon
665	{
666	struct Rdar12755044_bar
667	{
668	union
669	{
670	int i;
671	};
672	} aBar;
673	};
674
675	const Rdar12755044_foo_anon *radar12755044_anon() {
676	static const Rdar12755044_foo_anon Rdar12755044_foo_list[] = { { { } } };
677	return Rdar12755044_foo_list; // no-warning
678	}
679
680	const Rdar12755044_foo *radar12755044() {
681	static const Rdar12755044_foo Rdar12755044_foo_list[] = { { { } } };
682	return Rdar12755044_foo_list; // no-warning
683	}
684
685	// Test the correct handling of integer to bool conversions. Previously
686	// this resulted in a false positive because integers were being truncated
687	// and not tested for non-zero.
688	void rdar12759044() {
689	int flag = 512;
690	if (!(flag & 512)) {
691	clang_analyzer_warnIfReached(); // no-warning
692	}
693	}
694
695	// The analyzer currently does not model complex types. Test that the load
696	// from 'x' is not flagged as being uninitialized.
697	typedef __complex__ float _ComplexT;
698	void rdar12964481(_ComplexT *y) {
699	_ComplexT x;
700	__real__ x = 1.0;
701	__imag__ x = 1.0;
702	y = x; // no-warning
703	}
704	void rdar12964481_b(_ComplexT *y) {
705	_ComplexT x;
706	// Eventually this should be a warning.
707	y = x; // no-warning
708	}
709
710	// Test case for PR 12921. This previously produced
711	// a bogus warning.
712	static const int pr12921_arr[] = { 0, 1 };
713	static const int pr12921_arrcount = sizeof(pr12921_arr)/sizeof(int);
714
715	int pr12921(int argc, char **argv) {
716	int i, retval;
717	for (i = 0; i < pr12921_arrcount; i++) {
718	if (argc == i) {
719	retval = i;
720	break;
721	}
722	}
723
724	// No match
725	if (i == pr12921_arrcount) return 66;
726	return pr12921_arr[retval];
727	}
728
729

Clang Project