misc-ps.m source code [clang_source_code/test/Analysis/misc-ps.m]

1	// NOTE: Use '-fobjc-gc' to test the analysis being run twice, and multiple reports are not issued.
2	// RUN: %clang_analyze_cc1 -triple i386-apple-darwin10 -analyzer-checker=core,alpha.core,osx.cocoa.AtSync -analyzer-store=region -verify -fblocks -Wno-unreachable-code -Wno-null-dereference -Wno-objc-root-class %s
3	// RUN: %clang_analyze_cc1 -triple x86_64-apple-darwin10 -analyzer-checker=core,alpha.core,osx.cocoa.AtSync -analyzer-store=region -verify -fblocks -Wno-unreachable-code -Wno-null-dereference -Wno-objc-root-class %s
4
5	#ifndef __clang_analyzer__
6	#error __clang_analyzer__ not defined
7	#endif
8
9	typedef struct objc_ivar *Ivar;
10	typedef struct objc_selector *SEL;
11	typedef signed char BOOL;
12	typedef int NSInteger;
13	typedef unsigned int NSUInteger;
14	typedef struct _NSZone NSZone;
15	@class NSInvocation, NSArray, NSMethodSignature, NSCoder, NSString, NSEnumerator;
16	@protocol NSObject
17	- (BOOL)isEqual:(id)object;
18	- (id)autorelease;
19	@end
20	@protocol NSCopying
21	- (id)copyWithZone:(NSZone *)zone;
22	@end
23	@protocol NSMutableCopying - (id)mutableCopyWithZone:(NSZone *)zone; @end
24	@protocol NSCoding
25	- (void)encodeWithCoder:(NSCoder *)aCoder;
26	@end
27	@interface NSObject <NSObject> {}
28	- (id)init;
29	+ (id)allocWithZone:(NSZone *)zone;
30	@end
31	extern id NSAllocateObject(Class aClass, NSUInteger extraBytes, NSZone *zone);
32	@interface NSString : NSObject <NSCopying, NSMutableCopying, NSCoding>
33	- (NSUInteger)length;
34	+ (id)stringWithUTF8String:(const char *)nullTerminatedCString;
35	@end extern NSString * const NSBundleDidLoadNotification;
36	@interface NSValue : NSObject <NSCopying, NSCoding>
37	- (void)getValue:(void *)value;
38	@end
39	@interface NSNumber : NSValue
40	- (char)charValue;
41	- (id)initWithBool:(BOOL)value;
42	@end
43	@interface NSAssertionHandler : NSObject {}
44	+ (NSAssertionHandler *)currentHandler;
45	- (void)handleFailureInMethod:(SEL)selector object:(id)object file:(NSString )fileName lineNumber:(NSInteger)line description:(NSString )format,...;
46	@end
47	extern NSString * const NSConnectionReplyMode;
48	typedef float CGFloat;
49	typedef struct _NSPoint {
50	CGFloat x;
51	CGFloat y;
52	} NSPoint;
53	typedef struct _NSSize {
54	CGFloat width;
55	CGFloat height;
56	} NSSize;
57	typedef struct _NSRect {
58	NSPoint origin;
59	NSSize size;
60	} NSRect;
61
62	// Reduced test case from crash in <rdar://problem/6253157>
63	@interface A @end
64	@implementation A
65	- (void)foo:(void (^)(NSObject *x))block {
66	if (!((block != ((void *)0)))) {}
67	}
68	@end
69
70	// Reduced test case from crash in PR 2796;
71	// http://llvm.org/bugs/show_bug.cgi?id=2796
72
73	unsigned foo(unsigned x) { return __alignof__((x)) + sizeof(x); }
74
75	// Improvement to path-sensitivity involving compound assignments.
76	// Addresses false positive in <rdar://problem/6268365>
77	//
78
79	unsigned r6268365Aux();
80
81	void r6268365() {
82	unsigned x = 0;
83	x &= r6268365Aux();
84	unsigned j = 0;
85
86	if (x == 0) ++j;
87	if (x == 0) x = x / j;
88	}
89
90	void divzeroassume(unsigned x, unsigned j) {
91	x /= j;
92	if (j == 0) x /= 0; // no static-analyzer warning expected-warning {{division by zero is undefined}}
93	if (j == 0) x /= j; // no static-analyzer warning
94	if (j == 0) x = x / 0; // no static-analyzer warning expected-warning {{division by zero is undefined}}
95	}
96
97	void divzeroassumeB(unsigned x, unsigned j) {
98	x = x / j;
99	if (j == 0) x /= 0; // no static-analyzer warning expected-warning {{division by zero is undefined}}
100	if (j == 0) x /= j; // no static-analyzer warning
101	if (j == 0) x = x / 0; // no static-analyzer warning expected-warning {{division by zero is undefined}}
102	}
103
104	// InitListExpr processing
105
106	typedef float __m128 __attribute__((__vector_size__(16), __may_alias__));
107	__m128 return128() {
108	// This compound literal has a Vector type. We currently just
109	// return UnknownVal.
110	return __extension__(__m128) { 0.0f, 0.0f, 0.0f, 0.0f };
111	}
112
113	typedef long long __v2di __attribute__ ((__vector_size__ (16)));
114	typedef long long __m128i __attribute__ ((__vector_size__ (16), __may_alias__));
115	__m128i vec128i(long long __q1, long long __q0) {
116	// This compound literal returns true for both isVectorType() and
117	// isIntegerType().
118	return __extension__ (__m128i)(__v2di){ __q0, __q1 };
119	}
120
121	// sizeof(void)
122	// - Tests a regression reported in PR 3211: http://llvm.org/bugs/show_bug.cgi?id=3211
123	void handle_sizeof_void(unsigned flag) {
124	int* p = 0;
125
126	if (flag) {
127	if (sizeof(void) == 1)
128	return;
129	// Infeasible.
130	*p = 1; // no-warning
131	}
132
133	void* q;
134
135	if (!flag) {
136	if (sizeof(*q) == 1)
137	return;
138	// Infeasibe.
139	*p = 1; // no-warning
140	}
141
142	// Infeasible.
143	*p = 1; // no-warning
144	}
145
146	// check deference of undefined values
147	void check_deref_undef(void) {
148	int *p;
149	*p = 0xDEADBEEF; // expected-warning{{Dereference of undefined pointer value}}
150	}
151
152	// PR 3422
153	void pr3422_helper(char *p);
154	void pr3422() {
155	char buf[100];
156	char *q = &buf[10];
157	pr3422_helper(&q[1]);
158	}
159
160	// PR 3543 (handle empty statement expressions)
161	void pr_3543(void) {
162	({});
163	}
164
165	// <rdar://problem/6611677>
166	// This test case test the use of a vector type within an array subscript
167	// expression.
168	typedef long long __a64vector __attribute__((__vector_size__(8)));
169	typedef long long __a128vector __attribute__((__vector_size__(16)));
170	static inline __a64vector __attribute__((__always_inline__, __nodebug__))
171	my_test_mm_movepi64_pi64(__a128vector a) {
172	return (__a64vector)a[0];
173	}
174
175	// Test basic tracking of ivars associated with 'self'.
176	@interface SelfIvarTest : NSObject {
177	int flag;
178	}
179	- (void)test_self_tracking;
180	@end
181
182	@implementation SelfIvarTest
183	- (void)test_self_tracking {
184	char *p = 0;
185	char c;
186
187	if (flag)
188	p = "hello";
189
190	if (flag)
191	c = *p; // no-warning
192	}
193	@end
194
195	// PR 3770
196	char pr3770(int x) {
197	int y = x & 0x2;
198	char *p = 0;
199	if (y == 1)
200	p = "hello";
201
202	if (y == 1)
203	return p[0]; // no-warning
204
205	return 'a';
206	}
207
208	// PR 3772
209	// - We just want to test that this doesn't crash the analyzer.
210	typedef struct st ST;
211	struct st { char *name; };
212	extern ST *Cur_Pu;
213
214	void pr3772(void)
215	{
216	static ST *last_Cur_Pu;
217	if (last_Cur_Pu == Cur_Pu) {
218	return;
219	}
220	}
221
222	// PR 3780 - This tests that StmtIterator isn't broken for VLAs in DeclGroups.
223	void pr3780(int sz) { typedef double MAT[sz][sz]; }
224
225	// <rdar://problem/6695527> - Test that we don't symbolicate doubles before
226	// we are ready to do something with them.
227	int rdar6695527(double x) {
228	if (!x) { return 0; }
229	return 1;
230	}
231
232	// <rdar://problem/6708148> - Test that we properly invalidate structs
233	// passed-by-reference to a function.
234	void pr6708148_invalidate(NSRect *x);
235	void pr6708148_use(NSRect x);
236	void pr6708148_test(void) {
237	NSRect x;
238	pr6708148_invalidate(&x);
239	pr6708148_use(x); // no-warning
240	}
241
242	// Handle both kinds of noreturn attributes for pruning paths.
243	void rdar_6777003_noret() __attribute__((noreturn));
244	void rdar_6777003_analyzer_noret() __attribute__((analyzer_noreturn));
245
246	void rdar_6777003(int x) {
247	int *p = 0;
248
249	if (x == 1) {
250	rdar_6777003_noret();
251	*p = 1; // no-warning;
252	}
253
254	if (x == 2) {
255	rdar_6777003_analyzer_noret();
256	*p = 1; // no-warning;
257	}
258
259	*p = 1; // expected-warning{{Dereference of null pointer}}
260	}
261
262	// Check that the pointer-to-conts arguments do not get invalidated by Obj C
263	// interfaces. radar://10595327
264	int rdar_10595327(char *str) {
265	char fl = str[0];
266	int *p = 0;
267	NSString *s = [NSString stringWithUTF8String:str];
268	if (str[0] != fl)
269	return *p; // no-warning
270	return 0;
271	}
272
273	// For pointer arithmetic, --/++ should be treated as preserving non-nullness,
274	// regardless of how well the underlying StoreManager reasons about pointer
275	// arithmetic.
276	// <rdar://problem/6777209>
277	void rdar_6777209(char *p) {
278	if (p == 0)
279	return;
280
281	++p;
282
283	// This branch should always be infeasible.
284	if (p == 0)
285	*p = 'c'; // no-warning
286	}
287
288	// PR 4033. A symbolic 'void *' pointer can be used as the address for a
289	// computed goto.
290	typedef void *Opcode;
291	Opcode pr_4033_getOpcode();
292	void pr_4033(void) {
293	void *lbl = &&next_opcode;
294	next_opcode:
295	{
296	Opcode op = pr_4033_getOpcode();
297	if (op) goto *op;
298	}
299	}
300
301	// Test invalidating pointers-to-pointers with slightly different types. This
302	// example came from a recent false positive due to a regression where the
303	// branch condition was falsely reported as being uninitialized.
304	void invalidate_by_ref(char **x);
305	int test_invalidate_by_ref() {
306	unsigned short y;
307	invalidate_by_ref((char**) &y);
308	if (y) // no-warning
309	return 1;
310	return 0;
311	}
312
313	// Test for <rdar://problem/7027684>. This just tests that the CFG is
314	// constructed correctly. Previously, the successor block of the entrance
315	// was the block containing the merge for '?', which would trigger an
316	// assertion failure.
317	int rdar_7027684_aux();
318	int rdar_7027684_aux_2() __attribute__((noreturn));
319	void rdar_7027684(int x, int y) {
320	{}; // this empty compound statement is critical.
321	(rdar_7027684_aux() ? rdar_7027684_aux_2() : (void) 0);
322	}
323
324	// Test that we handle casts of string literals to arbitrary types.
325	unsigned const char *string_literal_test1() {
326	return (const unsigned char*) "hello";
327	}
328
329	const float *string_literal_test2() {
330	return (const float*) "hello";
331	}
332
333	// Test that we handle casts from incomplete struct types.
334	extern const struct _FooAssertStruct _cmd;
335	void test_cast_from_incomplete_struct_aux(volatile const void *x);
336	void test_cast_from_incomplete_struct() {
337	test_cast_from_incomplete_struct_aux(&_cmd);
338	}
339
340	// Test for <rdar://problem/7034511>
341	// "ValueManager::makeIntVal(uint64_t X, QualType T) should return a 'Loc'
342	// when 'T' is a pointer"
343	//
344	// Previously this case would crash.
345	void test_rdar_7034511(NSArray *y) {
346	NSObject *x;
347	for (x in y) {}
348	if (x == ((void*) 0)) {}
349	}
350
351	// Handle casts of function pointers (CodeTextRegions) to arbitrary pointer
352	// types. This was previously causing a crash in CastRegion.
353	void handle_funcptr_voidptr_casts() {
354	void **ptr;
355	typedef void *PVOID;
356	typedef void *PCHAR;
357	typedef long INT_PTR, *PINT_PTR;
358	typedef INT_PTR (*FARPROC)();
359	FARPROC handle_funcptr_voidptr_casts_aux();
360	PVOID handle_funcptr_voidptr_casts_aux_2(PVOID volatile *x);
361	PVOID handle_funcptr_voidptr_casts_aux_3(PCHAR volatile *x);
362
363	ptr = (void**) handle_funcptr_voidptr_casts_aux();
364	handle_funcptr_voidptr_casts_aux_2(ptr);
365	handle_funcptr_voidptr_casts_aux_3(ptr);
366	}
367
368	// RegionStore::Retrieve previously crashed on this example. This example
369	// was previously in the test file 'xfail_regionstore_wine_crash.c'.
370	void testA() {
371	long x = 0;
372	char y = (char ) &x;
373	if (!*y)
374	return;
375	}
376
377	// RegionStoreManager previously crashed on this example. The problem is that
378	// the value bound to the field of b->grue after the call to testB_aux is
379	// a symbolic region. The second '*__gruep__' involves performing a load
380	// from a 'int' that really is a 'void*'. The loaded location must be
381	// implicitly converted to an integer that wraps a location. Previosly we would
382	// get a crash here due to an assertion failure.
383	typedef struct _BStruct { void *grue; } BStruct;
384	void testB_aux(void *ptr);
385	void testB(BStruct *b) {
386	{
387	int __gruep__ = ((int )&((b)->grue));
388	int __gruev__ = *__gruep__;
389	testB_aux(__gruep__);
390	}
391	{
392	int __gruep__ = ((int )&((b)->grue));
393	int __gruev__ = *__gruep__;
394	if (~0 != __gruev__) {}
395	}
396	}
397
398	void test_trivial_symbolic_comparison(int *x) {
399	int test_trivial_symbolic_comparison_aux();
400	int a = test_trivial_symbolic_comparison_aux();
401	int b = a;
402	if (a != b) {
403	int *p = 0;
404	*p = 0xDEADBEEF; // no-warning
405	}
406
407	a = a == 1;
408	b = b == 1;
409	if (a != b) {
410	int *p = 0;
411	*p = 0xDEADBEEF; // no-warning
412	}
413	}
414
415	// Test for:
416	// <rdar://problem/7062158> false positive null dereference due to
417	// BasicStoreManager not tracking static globals
418	//
419	// This just tests the proper tracking of symbolic values for globals (both
420	// static and non-static).
421	//
422	static int* x_rdar_7062158;
423	void rdar_7062158() {
424	int *current = x_rdar_7062158;
425	if (current == x_rdar_7062158)
426	return;
427
428	int *p = 0;
429	*p = 0xDEADBEEF; // no-warning
430	}
431
432	int* x_rdar_7062158_2;
433	void rdar_7062158_2() {
434	int *current = x_rdar_7062158_2;
435	if (current == x_rdar_7062158_2)
436	return;
437
438	int *p = 0;
439	*p = 0xDEADBEEF; // no-warning
440	}
441
442	// This test reproduces a case for a crash when analyzing ClamAV using
443	// RegionStoreManager (the crash doesn't exhibit in BasicStoreManager because
444	// it isn't doing anything smart about arrays). The problem is that on the
445	// second line, 'p = &p[i]', p is assigned an ElementRegion whose index
446	// is a 16-bit integer. On the third line, a new ElementRegion is created
447	// based on the previous region, but there the region uses a 32-bit integer,
448	// resulting in a clash of values (an assertion failure at best). We resolve
449	// this problem by implicitly converting index values to 'int' when the
450	// ElementRegion is created.
451	unsigned char test_array_index_bitwidth(const unsigned char *p) {
452	unsigned short i = 0;
453	for (i = 0; i < 2; i++) p = &p[i];
454	return p[i+1];
455	}
456
457	// This case tests that CastRegion handles casts involving BlockPointerTypes.
458	// It should not crash.
459	void test_block_cast() {
460	id test_block_cast_aux();
461	(void (^)(void *))test_block_cast_aux(); // expected-warning{{expression result unused}}
462	}
463
464	int OSAtomicCompareAndSwap32Barrier();
465
466	// Test comparison of 'id' instance variable to a null void* constant after
467	// performing an OSAtomicCompareAndSwap32Barrier.
468	// This previously was a crash in RegionStoreManager.
469	@interface TestIdNull {
470	id x;
471	}
472	-(int)foo;
473	@end
474	@implementation TestIdNull
475	-(int)foo {
476	OSAtomicCompareAndSwap32Barrier(0, (signed)2, (signed*)&x);
477	if (x == (void*) 0) { return 0; }
478	return 1;
479	}
480	@end
481
482	// Do not crash when performing compare and swap on symbolic values.
483	typedef int int32_t;
484	typedef int int32;
485	typedef int32 Atomic32;
486	int OSAtomicCompareAndSwap32( int32_t __oldValue, int32_t __newValue, volatile int32_t *__theValue);
487	void radar11390991_NoBarrier_CompareAndSwap(volatile Atomic32 *ptr,
488	Atomic32 old_value,
489	Atomic32 new_value) {
490	OSAtomicCompareAndSwap32(old_value, new_value, ptr);
491	}
492
493	// PR 4594 - This was a crash when handling casts in SimpleSValuator.
494	void PR4594() {
495	char *buf[1];
496	char **foo = buf;
497	*foo = "test";
498	}
499
500	// Test invalidation logic where an integer is casted to an array with a
501	// different sign and then invalidated.
502	void test_invalidate_cast_int() {
503	void test_invalidate_cast_int_aux(unsigned *i);
504	signed i;
505	test_invalidate_cast_int_aux((unsigned*) &i);
506	if (i < 0)
507	return;
508	}
509
510	int ivar_getOffset();
511
512	// Reduced from a crash involving the cast of an Objective-C symbolic region to
513	// 'char *'
514	static NSNumber *test_ivar_offset(id self, SEL _cmd, Ivar inIvar) {
515	return [[[NSNumber allocWithZone:((void)0)] initWithBool:(_Bool )((char )self + ivar_getOffset(inIvar))] autorelease];
516	}
517
518	// Reduced from a crash in StoreManager::CastRegion involving a divide-by-zero.
519	// This resulted from not properly handling region casts to 'const void*'.
520	void test_cast_const_voidptr() {
521	char x[10];
522	char *p = &x[1];
523	const void* q = p;
524	}
525
526	// Reduced from a crash when analyzing Wine. This test handles loads from
527	// function addresses.
528	typedef long (*FARPROC)();
529	FARPROC test_load_func(FARPROC origfun) {
530	if (!(unsigned char) origfun)
531	return origfun;
532	return 0;
533	}
534
535	// Test passing-by-value an initialized struct variable.
536	struct test_pass_val {
537	int x;
538	int y;
539	};
540	void test_pass_val_aux(struct test_pass_val s);
541	void test_pass_val() {
542	struct test_pass_val s;
543	s.x = 1;
544	s.y = 2;
545	test_pass_val_aux(s);
546	}
547
548	// This is a reduced test case of a false positive that previously appeared
549	// in RegionStoreManager. Previously the array access resulted in dereferencing
550	// an undefined value.
551	int test_array_compound(int q, int r, int *z) {
552	int *array[] = { q, r, z };
553	int j = 0;
554	for (unsigned i = 0; i < 3 ; ++i)
555	if (*array[i]) ++j; // no-warning
556	return j;
557	}
558
559	// symbolic value stored in 'x' wouldn't be implicitly casted to a signed value
560	// during the comparison.
561	int rdar_7124210(unsigned int x) {
562	enum { SOME_CONSTANT = 123 };
563	int compare = ((signed) SOME_CONSTANT) == ((signed ) &x);
564	return compare ? 0 : 1; // Forces the evaluation of the symbolic constraint.
565	}
566
567	void pr4781(unsigned long *raw1) {
568	unsigned long cook, raw0;
569	unsigned long dough[32];
570	int i;
571	cook = dough;
572	for( i = 0; i < 16; i++, raw1++ ) {
573	raw0 = raw1++;
574	cook = (raw0 & 0x00fc0000L) << 6;
575	cook \|= (raw0 & 0x00000fc0L) << 10;
576	}
577	}
578
579	// <rdar://problem/7185647> - 'self' should be treated as being non-null
580	// upon entry to an objective-c method.
581	@interface RDar7185647
582	- (id)foo;
583	@end
584	@implementation RDar7185647
585	- (id) foo {
586	if (self)
587	return self;
588	((volatile int ) 0x0) = 0xDEADBEEF; // no-warning
589	return self;
590	}
591	@end
592
593	// Test reasoning of __builtin_offsetof;
594	struct test_offsetof_A {
595	int x;
596	int y;
597	};
598	struct test_offsetof_B {
599	int w;
600	int z;
601	};
602	void test_offsetof_1() {
603	if (__builtin_offsetof(struct test_offsetof_A, x) ==
604	__builtin_offsetof(struct test_offsetof_B, w))
605	return;
606	int *p = 0;
607	*p = 0xDEADBEEF; // no-warning
608	}
609	void test_offsetof_2() {
610	if (__builtin_offsetof(struct test_offsetof_A, y) ==
611	__builtin_offsetof(struct test_offsetof_B, z))
612	return;
613	int *p = 0;
614	*p = 0xDEADBEEF; // no-warning
615	}
616	void test_offsetof_3() {
617	if (__builtin_offsetof(struct test_offsetof_A, y) -
618	__builtin_offsetof(struct test_offsetof_A, x)
619	==
620	__builtin_offsetof(struct test_offsetof_B, z) -
621	__builtin_offsetof(struct test_offsetof_B, w))
622	return;
623	int *p = 0;
624	*p = 0xDEADBEEF; // no-warning
625	}
626	void test_offsetof_4() {
627	if (__builtin_offsetof(struct test_offsetof_A, y) ==
628	__builtin_offsetof(struct test_offsetof_B, w))
629	return;
630	int *p = 0;
631	*p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}}
632	}
633
634	// <rdar://problem/6829164> "nil receiver" false positive: make tracking
635	// of the MemRegion for 'self' path-sensitive
636	@interface RDar6829164 : NSObject {
637	double x; int y;
638	}
639	- (id) init;
640	@end
641
642	id rdar_6829164_1();
643	double rdar_6829164_2();
644
645	@implementation RDar6829164
646	- (id) init {
647	if((self = [super init]) != 0) {
648	id z = rdar_6829164_1();
649	y = (z != 0);
650	if (y)
651	x = rdar_6829164_2();
652	}
653	return self;
654	}
655	@end
656
657	// <rdar://problem/7242015> - Invalidate values passed-by-reference
658	// to functions when the pointer to the value is passed as an integer.
659	void test_7242015_aux(unsigned long);
660	int rdar_7242015() {
661	int x;
662	test_7242015_aux((unsigned long) &x); // no-warning
663	return x; // Previously we return and uninitialized value when
664	// using RegionStore.
665	}
666
667	// <rdar://problem/7242006> [RegionStore] compound literal assignment with
668	// floats not honored
669	CGFloat rdar7242006(CGFloat x) {
670	NSSize y = (NSSize){x, 10};
671	return y.width; // no-warning
672	}
673
674	// PR 4988 - This test exhibits a case where a function can be referenced
675	// when not explicitly used in an "lvalue" context (as far as the analyzer is
676	// concerned). This previously triggered a crash due to an invalid assertion.
677	void pr_4988(void) {
678	pr_4988; // expected-warning{{expression result unused}}
679	}
680
681	// <rdar://problem/7152418> - A 'signed char' is used as a flag, which is
682	// implicitly converted to an int.
683	void *rdar7152418_bar();
684	@interface RDar7152418 {
685	signed char x;
686	}
687	-(char)foo;
688	@end;
689	@implementation RDar7152418
690	-(char)foo {
691	char *p = 0;
692	void *result = 0;
693	if (x) {
694	result = rdar7152418_bar();
695	p = "hello";
696	}
697	if (!result) {
698	result = rdar7152418_bar();
699	if (result && x)
700	return *p; // no-warning
701	}
702	return 1;
703	}
704
705	//===----------------------------------------------------------------------===//
706	// Test constant-folding of symbolic values, automatically handling type
707	// conversions of the symbol as necessary.
708	//===----------------------------------------------------------------------===//
709
710	// Previously this would crash once we started eagerly evaluating symbols whose
711	// values were constrained to a single value.
712	void test_symbol_fold_1(signed char x) {
713	while (1) {
714	if (x == ((signed char) 0)) {}
715	}
716	}
717
718	// This previously caused a crash because it triggered an assertion in APSInt.
719	void test_symbol_fold_2(unsigned int * p, unsigned int n,
720	const unsigned int * grumpkin, unsigned int dn) {
721	unsigned int i;
722	unsigned int tempsub[8];
723	unsigned int *solgrumpkin = tempsub + n;
724	for (i = 0; i < n; i++)
725	solgrumpkin[i] = (i < dn) ? ~grumpkin[i] : 0xFFFFFFFF;
726	for (i <<= 5; i < (n << 5); i++) {}
727	}
728
729	// This previously caused a crash because it triggered an assertion in APSInt.
730	// 'x' would evaluate to a 8-bit constant (because of the return value of
731	// test_symbol_fold_3_aux()) which would not get properly promoted to an
732	// integer.
733	char test_symbol_fold_3_aux(void);
734	unsigned test_symbol_fold_3(void) {
735	unsigned x = test_symbol_fold_3_aux();
736	if (x == 54)
737	return (x << 8) \| 0x5;
738	return 0;
739	}
740
741	//===----------------------------------------------------------------------===//
742	// Tests for the warning of casting a non-struct type to a struct type
743	//===----------------------------------------------------------------------===//
744
745	typedef struct {unsigned int v;} NSSwappedFloat;
746
747	NSSwappedFloat test_cast_nonstruct_to_struct(float x) {
748	struct hodor {
749	float number;
750	NSSwappedFloat sf;
751	};
752	return ((struct hodor *)&x)->sf; // expected-warning{{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption}}
753	}
754
755	NSSwappedFloat test_cast_nonstruct_to_union(float x) {
756	union bran {
757	float number;
758	NSSwappedFloat sf;
759	};
760	return ((union bran *)&x)->sf; // no-warning
761	}
762
763	void test_undefined_array_subscript() {
764	int i, a[10];
765	int *p = &a[i]; // expected-warning{{Array subscript is undefined}}
766	}
767	@end
768
769	//===----------------------------------------------------------------------===//
770	// Test using an uninitialized value as a branch condition.
771	//===----------------------------------------------------------------------===//
772
773	int test_uninit_branch(void) {
774	int x;
775	if (x) // expected-warning{{Branch condition evaluates to a garbage value}}
776	return 1;
777	return 0;
778	}
779
780	int test_uninit_branch_b(void) {
781	int x;
782	return x ? 1 : 0; // expected-warning{{Branch condition evaluates to a garbage value}}
783	}
784
785	int test_uninit_branch_c(void) {
786	int x;
787	if ((short)x) // expected-warning{{Branch condition evaluates to a garbage value}}
788	return 1;
789	return 0;
790	}
791
792	//===----------------------------------------------------------------------===//
793	// Test passing an undefined value in a message or function call.
794	//===----------------------------------------------------------------------===//
795
796	void test_bad_call_aux(int x);
797	void test_bad_call(void) {
798	int y;
799	test_bad_call_aux(y); // expected-warning{{1st function call argument is an uninitialized value}}
800	}
801
802	@interface TestBadArg {}
803	- (void) testBadArg:(int) x;
804	@end
805
806	void test_bad_msg(TestBadArg *p) {
807	int y;
808	[p testBadArg:y]; // expected-warning{{1st argument in message expression is an uninitialized value}}
809	}
810
811	//===----------------------------------------------------------------------===//
812	// PR 6033 - Test emitting the correct output in a warning where we use '%'
813	// with operands that are undefined.
814	//===----------------------------------------------------------------------===//
815
816	int pr6033(int x) {
817	int y;
818	return x % y; // expected-warning{{The right operand of '%' is a garbage value}}
819	}
820
821	struct trie {
822	struct trie* next;
823	};
824
825	struct kwset {
826	struct trie *trie;
827	unsigned char y[10];
828	struct trie* next[10];
829	int d;
830	};
831
832	typedef struct trie trie_t;
833	typedef struct kwset kwset_t;
834
835	void f(kwset_t kws, char const p, char const *q) {
836	struct trie const *trie;
837	struct trie * const *next = kws->next;
838	register unsigned char c;
839	register char const *end = p;
840	register char const *lim = q;
841	register int d = 1;
842	register unsigned char const *y = kws->y;
843
844	d = y[c = (end+=d)[-1]]; // no-warning
845	trie = next[c];
846	}
847
848	//===----------------------------------------------------------------------===//
849	// <rdar://problem/7593875> When handling sizeof(VLA) it leads to a hole in
850	// the ExplodedGraph (causing a false positive)
851	//===----------------------------------------------------------------------===//
852
853	int rdar_7593875_aux(int x);
854	int rdar_7593875(int n) {
855	int z[n > 10 ? 10 : n]; // VLA.
856	int v;
857	v = rdar_7593875_aux(sizeof(z));
858	// Previously we got a false positive about 'v' being uninitialized.
859	return v; // no-warning
860	}
861
862	//===----------------------------------------------------------------------===//
863	// Handle casts from symbolic regions (packaged as integers) to doubles.
864	// Previously this caused an assertion failure.
865	//===----------------------------------------------------------------------===//
866
867	void *foo_rev95119();
868	void baz_rev95119(double x);
869	void bar_rev95119() {
870	// foo_rev95119() returns a symbolic pointer. It is then
871	// cast to an int which is then cast to a double.
872	int value = (int) foo_rev95119();
873	baz_rev95119((double)value);
874	}
875
876	//===----------------------------------------------------------------------===//
877	// Handle loading a symbolic pointer from a symbolic region that was
878	// invalidated by a call to an unknown function.
879	//===----------------------------------------------------------------------===//
880
881	void bar_rev95192(int **x);
882	void foo_rev95192(int **x) {
883	*x = 0;
884	bar_rev95192(x);
885	// Not a null dereference.
886	**x = 1; // no-warning
887	}
888
889	//===----------------------------------------------------------------------===//
890	// Handle casts of a function to a function pointer with a different return
891	// value. We don't yet emit an error for such cases, but we now we at least
892	// don't crash when the return value gets interpreted in a way that
893	// violates our invariants.
894	//===----------------------------------------------------------------------===//
895
896	void *foo_rev95267();
897	int bar_rev95267() {
898	char (Callback_rev95267)(void) = (char ()(void)) foo_rev95267;
899	if ((*Callback_rev95267)() == (char) 0)
900	return 1;
901	return 0;
902	}
903
904	// Same as previous case, but handle casts to 'void'.
905	int bar_rev95274() {
906	void (Callback_rev95274)(void) = (void ()(void)) foo_rev95267;
907	(*Callback_rev95274)();
908	return 0;
909	}
910
911	void rdar7582031_test_static_init_zero() {
912	static unsigned x;
913	if (x == 0)
914	return;
915	int *p = 0;
916	*p = 0xDEADBEEF;
917	}
918	void rdar7582031_test_static_init_zero_b() {
919	static void* x;
920	if (x == 0)
921	return;
922	int *p = 0;
923	*p = 0xDEADBEEF;
924	}
925
926	//===----------------------------------------------------------------------===//
927	// Test handling of parameters that are structs that contain floats and //
928	// nested fields. //
929	//===----------------------------------------------------------------------===//
930
931	struct s_rev95547_nested { float x, y; };
932	struct s_rev95547 {
933	struct s_rev95547_nested z1;
934	struct s_rev95547_nested z2;
935	};
936	float foo_rev95547(struct s_rev95547 w) {
937	return w.z1.x + 20.0; // no-warning
938	}
939	void foo_rev95547_b(struct s_rev95547 w) {
940	struct s_rev95547 w2 = w;
941	w2.z1.x += 20.0; // no-warning
942	}
943
944	//===----------------------------------------------------------------------===//
945	// Test handling statement expressions that don't populate a CFG block that
946	// is used to represent the computation of the RHS of a logical operator.
947	// This previously triggered a crash.
948	//===----------------------------------------------------------------------===//
949
950	void pr6938() {
951	if (1 && ({
952	while (0);
953	0;
954	}) == 0) {
955	}
956	}
957
958	void pr6938_b() {
959	if (1 && *({ // expected-warning{{Dereference of null pointer}}
960	while (0) {}
961	({
962	(int *) 0;
963	});
964	}) == 0) {
965	}
966	}
967
968	//===----------------------------------------------------------------------===//
969	// <rdar://problem/7979430> - The CFG for code containing an empty
970	// @synchronized block was previously broken (and would crash the analyzer).
971	//===----------------------------------------------------------------------===//
972
973	void r7979430(id x) {
974	@synchronized(x) {}
975	}
976
977	//===----------------------------------------------------------------------===
978	// PR 7361 - Test that functions wrapped in macro instantiations are analyzed.
979	//===----------------------------------------------------------------------===
980	#define MAKE_TEST_FN() \
981	void test_pr7361 (char a) {\
982	char* b = 0x0; *b = a;\
983	}
984
985	MAKE_TEST_FN() // expected-warning{{null pointer}}
986
987	//===----------------------------------------------------------------------===
988	// PR 7491 - Test that symbolic expressions can be used as conditions.
989	//===----------------------------------------------------------------------===
990
991	void pr7491 () {
992	extern int getint();
993	int a = getint()-1;
994	if (a) {
995	return;
996	}
997	if (!a) {
998	return;
999	} else {
1000	// Should be unreachable
1001	(void)(char)0; // no-warning
1002	}
1003	}
1004
1005	//===----------------------------------------------------------------------===
1006	// PR 7475 - Test that assumptions about global variables are reset after
1007	// calling a global function.
1008	//===----------------------------------------------------------------------===
1009
1010	int *pr7475_someGlobal;
1011	void pr7475_setUpGlobal();
1012
1013	void pr7475() {
1014	if (pr7475_someGlobal == 0)
1015	pr7475_setUpGlobal();
1016	*pr7475_someGlobal = 0; // no-warning
1017	}
1018
1019	void pr7475_warn() {
1020	static int *someStatic = 0;
1021	if (someStatic == 0)
1022	pr7475_setUpGlobal();
1023	*someStatic = 0; // expected-warning{{null pointer}}
1024	}
1025
1026	// <rdar://problem/8202272> - __imag passed non-complex should not crash
1027	float f0(_Complex float x) {
1028	float l0 = __real x;
1029	return __real l0 + __imag l0;
1030	}
1031
1032
1033	//===----------------------------------------------------------------------===
1034	// Test that we can reduce symbols to constants whether they are on the left
1035	// or right side of an expression.
1036	//===----------------------------------------------------------------------===
1037
1038	void reduce_to_constant(int x, int y) {
1039	if (x != 20)
1040	return;
1041
1042	int a = x + y;
1043	int b = y + x;
1044
1045	if (y == -20 && a != 0)
1046	(void)(char)0; // no-warning
1047	if (y == -20 && b != 0)
1048	(void)(char)0; // no-warning
1049	}
1050
1051	// <rdar://problem/8360854> - Test that code after a switch statement with no
1052	// 'case:' labels is correctly evaluated.
1053	void r8360854(int n) {
1054	switch (n) {
1055	default: ;
1056	}
1057	int *p = 0;
1058	*p = 0xDEADBEEF; // expected-warning{{null pointer}}
1059	}
1060
1061	// PR 8050 - crash in CastSizeChecker when pointee is an incomplete type
1062	typedef long unsigned int __darwin_size_t;
1063	typedef __darwin_size_t size_t;
1064	void *malloc(size_t);
1065
1066	struct PR8050;
1067
1068	void pr8050(struct PR8050 **arg)
1069	{
1070	*arg = malloc(1);
1071	}
1072
1073	// <rdar://problem/5880430> Switch on enum should not consider default case live
1074	// if all enum values are covered
1075	enum Cases { C1, C2, C3, C4 };
1076	void test_enum_cases(enum Cases C) {
1077	switch (C) {
1078	case C1:
1079	case C2:
1080	case C4:
1081	case C3:
1082	return;
1083	}
1084	int *p = 0;
1085	*p = 0xDEADBEEF; // no-warning
1086	}
1087
1088	void test_enum_cases_positive(enum Cases C) {
1089	switch (C) { // expected-warning{{enumeration value 'C4' not handled in switch}}
1090	case C1:
1091	case C2:
1092	case C3:
1093	return;
1094	}
1095	int *p = 0;
1096	*p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}}
1097	}
1098
1099	// <rdar://problem/6351970> rule request: warn if synchronization mutex can be nil
1100	void rdar6351970() {
1101	id x = 0;
1102	@synchronized(x) {} // expected-warning{{Nil value used as mutex for @synchronized() (no synchronization will occur)}}
1103	}
1104
1105	void rdar6351970_b(id x) {
1106	if (!x)
1107	@synchronized(x) {} // expected-warning{{Nil value used as mutex for @synchronized() (no synchronization will occur)}}
1108	}
1109
1110	void rdar6351970_c() {
1111	id x;
1112	@synchronized(x) {} // expected-warning{{Uninitialized value used as mutex for @synchronized}}
1113	}
1114
1115	@interface Rdar8578650
1116	- (id) foo8578650;
1117	@end
1118
1119	void rdar8578650(id x) {
1120	@synchronized (x) {
1121	[x foo8578650];
1122	}
1123	// At this point we should assume that 'x' is not nil, not
1124	// the inverse.
1125	@synchronized (x) { // no-warning
1126	}
1127	}
1128
1129	// <rdar://problem/6352035> rule request: direct structure member access null pointer dereference
1130	@interface RDar6352035 {
1131	int c;
1132	}
1133	- (void)foo;
1134	- (void)bar;
1135	@end
1136
1137	@implementation RDar6352035
1138	- (void)foo {
1139	RDar6352035 *friend = 0;
1140	friend->c = 7; // expected-warning{{Access to instance variable 'c' results in a dereference of a null pointer (loaded from variable 'friend')}}
1141	}
1142	- (void)bar {
1143	self = 0;
1144	c = 7; // expected-warning{{Access to instance variable 'c' results in a dereference of a null pointer (loaded from variable 'self')}}
1145	}
1146	@end
1147
1148	// PR 8149 - GNU statement expression in condition of ForStmt.
1149	// This previously triggered an assertion failure in CFGBuilder.
1150	void pr8149(void) {
1151	for (; ({ do { } while (0); 0; });) { }
1152	}
1153
1154	// PR 8458 - Make sure @synchronized doesn't crash with properties.
1155	@interface PR8458 {}
1156	@property(readonly) id lock;
1157	@end
1158
1159	static
1160	void __PR8458(PR8458 *x) {
1161	@synchronized(x.lock) {} // no-warning
1162	}
1163
1164	// PR 8440 - False null dereference during store to array-in-field-in-global.
1165	// This test case previously resulted in a bogus null deref warning from
1166	// incorrect lazy symbolication logic in RegionStore.
1167	static struct {
1168	int num;
1169	char **data;
1170	} saved_pr8440;
1171
1172	char *foo_pr8440();
1173	char **bar_pr8440();
1174	void baz_pr8440(int n)
1175	{
1176	saved_pr8440.num = n;
1177	if (saved_pr8440.data)
1178	return;
1179	saved_pr8440.data = bar_pr8440();
1180	for (int i = 0 ; i < n ; i ++)
1181	saved_pr8440.data[i] = foo_pr8440(); // no-warning
1182	}
1183
1184	// Support direct accesses to non-null memory. Reported in:
1185	// PR 5272
1186	// <rdar://problem/6839683>
1187	int test_direct_address_load() {
1188	int p = (int) 0x4000;
1189	return *p; // no-warning
1190	}
1191
1192	void pr5272_test() {
1193	struct pr5272 { int var2; };
1194	((struct pr5272)0xBC000000).var2 = 0; // no-warning
1195	((struct pr5272)0xBC000000).var2 += 2; // no-warning
1196	}
1197
1198	// Support casting the return value of function to another different type
1199	// This previously caused a crash, although we likely need more precise
1200	// reasoning here. <rdar://problem/8663544>
1201	void* rdar8663544();
1202	typedef struct {} Val8663544;
1203	Val8663544 bazR8663544() {
1204	Val8663544(func) () = (Val8663544() ()) rdar8663544;
1205	return func();
1206	}
1207
1208	// PR 8619 - Handle ternary expressions with a call to a noreturn function.
1209	// This previously resulted in a crash.
1210	void pr8619_noreturn(int x) __attribute__((noreturn));
1211
1212	void pr8619(int a, int b, int c) {
1213	a ?: pr8619_noreturn(b \|\| c);
1214	}
1215
1216
1217	// PR 8646 - crash in the analyzer when handling unions.
1218	union pr8648_union {
1219	signed long long pr8648_union_field;
1220	};
1221	void pr8648() {
1222	long long y;
1223	union pr8648_union x = { .pr8648_union_field = 0LL };
1224	y = x.pr8648_union_field;
1225
1226	union pr8648_union z;
1227	z = (union pr8648_union) { .pr8648_union_field = 0LL };
1228
1229	union pr8648_union w;
1230	w = ({ (union pr8648_union) { .pr8648_union_field = 0LL }; });
1231
1232	// crash, no assignment
1233	(void) ({ (union pr8648_union) { .pr8648_union_field = 0LL }; }).pr8648_union_field;
1234
1235	// crash with assignment
1236	y = ({ (union pr8648_union) { .pr8648_union_field = 0LL }; }).pr8648_union_field;
1237	}
1238
1239	// PR 9269 - don't assert when building the following CFG. The for statement
1240	// contains a condition with multiple basic blocks, and the value of the
1241	// statement expression is then indexed as part of a bigger condition expression.
1242	// This example exposed a bug in child traversal in the CFGBuilder.
1243	void pr9269() {
1244	struct s { char *bar[10]; } baz[2] = { 0 };
1245	unsigned i = 0;
1246	for (i = 0;
1247	(* ({ while(0); ({ &baz[0]; }); })).bar[0] != 0; // expected-warning {{while loop has empty body}} expected-note {{put the semicolon on a separate line to silence this warning}}
1248	++i) {}
1249	}
1250
1251	// Test evaluation of GNU-style ?:.
1252	int pr9287(int type) { return type ? : 0; } // no-warning
1253
1254	void pr9287_b(int type, int *p) {
1255	int x = type ? : 0;
1256	if (x) {
1257	p = 0;
1258	}
1259	if (type) {
1260	*p = 0xDEADBEEF; // expected-warning {{null pointer}}
1261	}
1262	}
1263
1264	void pr9287_c(int type, int *p) {
1265	int x = type ? : 0;
1266	if (x) {
1267	p = 0;
1268	}
1269	if (!type) {
1270	*p = 0xDEADBEEF; // no-warning
1271	}
1272	}
1273
1274	void test_switch() {
1275	switch (4) {
1276	case 1: {
1277	int *p = 0;
1278	*p = 0xDEADBEEF; // no-warning
1279	break;
1280	}
1281	case 4: {
1282	int *p = 0;
1283	*p = 0xDEADBEEF; // expected-warning {{null}}
1284	break;
1285	}
1286	default: {
1287	int *p = 0;
1288	*p = 0xDEADBEEF; // no-warning
1289	break;
1290	}
1291	}
1292	}
1293
1294	// PR 9467. Tests various CFG optimizations. This previously crashed.
1295	static void test(unsigned int bit_mask)
1296	{
1297	unsigned int bit_index;
1298	for (bit_index = 0;
1299	bit_index < 24;
1300	bit_index++) {
1301	switch ((0x01 << bit_index) & bit_mask) {
1302	case 0x100000: ;
1303	}
1304	}
1305	}
1306
1307	// Don't crash on code containing __label__.
1308	int radar9414427_aux();
1309	void radar9414427() {
1310	__label__ mylabel;
1311	if (radar9414427_aux()) {
1312	mylabel: do {}
1313	while (0);
1314	}
1315	}
1316
1317	// Analyze methods in @implementation (category)
1318	@interface RDar9465344
1319	@end
1320
1321	@implementation RDar9465344 (MyCategory)
1322	- (void) testcategoryImpl {
1323	int *p = 0x0;
1324	*p = 0xDEADBEEF; // expected-warning {{null}}
1325	}
1326	@end
1327
1328	@implementation RDar9465344
1329	@end
1330
1331	// Don't crash when analyzing access to 'self' within a block.
1332	@interface Rdar10380300Base
1333	- (void) foo;
1334	@end
1335	@interface Rdar10380300 : Rdar10380300Base @end
1336	@implementation Rdar10380300
1337	- (void)foo {
1338	^{
1339	[super foo];
1340	}();
1341	}
1342	@end
1343
1344	// Don't crash when a ?: is only preceded by a statement (not an expression)
1345	// in the CFG.
1346	void __assert_fail();
1347
1348	enum rdar1196620_e { E_A, E_B, E_C, E_D };
1349	struct rdar1196620_s { int ints[E_D+1]; };
1350
1351	static void rdar1196620_call_assert(struct rdar1196620_s* s) {
1352	int i = 0;
1353	s?(void)0:__assert_fail();
1354	}
1355
1356	static void rdar1196620(struct rdar1196620_s* s) {
1357	rdar1196620_call_assert(s);
1358	}
1359
1360
1361

Clang Project