// RUN: %clang_cc1 -analyze -analyzer-checker=core,alpha.core,debug.ExprInspection -analyzer-store=region -analyzer-constraints=range -verify -Wno-null-dereference %s
// Analyzer hook from debug.ExprInspection: evaluating clang_analyzer_eval(e)
// reports the analyzer's knowledge of `e` (TRUE / FALSE / UNKNOWN) as a
// diagnostic, which the expected-warning annotations below match against.
void clang_analyzer_eval(bool);

// Minimal stand-ins so this test needs no system headers. Note that malloc is
// declared here as returning void, which is not its <cstdlib> signature; it is
// only a declaration for the fixture, not something the tests call.
typedef typeof(sizeof(int)) size_t;
void malloc (size_t);
// Reference bound to a literal: 'i' aliases a temporary holding 3, so b == 3
// and the guarded null store is on an infeasible path. Checks that the analyzer
// tracks the constant through the reference and does not report a dead-path
// dereference.
void f1() {
  int const &i = 3;
  int b = i;

  int *p = 0;

  if (b != 3)
    *p = 1; // no-warning
}
// Opaque producers with no visible body: the analyzer cannot see what they
// return, so the tests below exercise stores through an unknown pointer and an
// unknown reference.
char* ptr();
char& ref();
// These next two tests just shouldn't crash.
// Store through a reference returned by an opaque call. The target region is
// unknown to the analyzer; the test only requires that the store is handled
// without crashing.
char t1 () {
  ref() = 'c';
  return '0';
}
// just a sanity test, the same behavior as t1()
// Pointer counterpart of t1: store through a pointer returned by an opaque
// call. Same expectation — no crash on the unknown target.
char t2 () {
  *ptr() = 'c';
  return '0';
}
// Each of the tests below is repeated with pointers as well as references.
// This is mostly a sanity check, but then again, both should work!
// Reference obtained from an opaque call, then written. After `r = 'c'` the
// analyzer must know r is non-zero, so `if (r)` always returns and the null
// dereference on the fall-through line is dead code — hence no-warning there.
// The store itself must not be flagged either.
char t3 () {
  char& r = ref();
  r = 'c'; // no-warning
  if (r) return r;
  return *(char*)0; // no-warning
}
// Pointer counterpart of t3: the write through p makes *p non-zero, so the
// early return always fires and the trailing null dereference is unreachable.
char t4 () {
  char* p = ptr();
  *p = 'c'; // no-warning
  if (*p) return *p;
  return *(char*)0; // no-warning
}
// Same shape as t3, but the reference arrives as a parameter rather than from
// a call. The store must bind 'c' to the parameter's region so the branch
// after it is decided and the null dereference stays dead.
char t5 (char& r) {
  r = 'c'; // no-warning
  if (r) return r;
  return *(char*)0; // no-warning
}
// Pointer counterpart of t5: parameter pointer written, then tested. Same
// expectations — no warning on the store, no warning on the dead dereference.
char t6 (char* p) {
  *p = 'c'; // no-warning
  if (*p) return *p;
  return *(char*)0; // no-warning
}
// PR13440 / <rdar://problem/11977113>
// Test that the array-to-pointer decay works for array references as well.
// More generally, when we want an lvalue for a reference field, we still need
// to do one level of load.
namespace PR13440 {
  // Array type behind a typedef; S::x is a reference to an int[1].
  typedef int T[1];
  struct S {
    T &x;

    // Array-to-pointer decay on a reference member: producing the pointer
    // needs one load to reach the referenced array before decaying it, rather
    // than decaying the reference field's own storage.
    int *m() { return x; }
  };

  // Same member, spelled without the typedef.
  struct S2 {
    int (&x)[1];

    int *m() { return x; }
  };

  void test() {
    int a[1];
    S s = { a };
    S2 s2 = { a };

    // Establish that both references alias 'a' (these comparisons should be
    // known-false by construction) before checking that a write to 'a' is
    // visible through each reference.
    if (s.x != a) return;
    if (s2.x != a) return;

    a[0] = 42;
    clang_analyzer_eval(s.x[0] == 42); // expected-warning{{TRUE}}
    clang_analyzer_eval(s2.x[0] == 42); // expected-warning{{TRUE}}
  }
}
// Binding a reference to *x where x is a known-null pointer: the dereference
// happens at the binding, so the warning is expected on that line, not on the
// later store through y.
void testNullReference() {
  int *x = 0;
  int &y = *x; // expected-warning{{Dereference of null pointer}}
  y = 5;
}
// A "null reference" discovered only after the binding: x is unconstrained
// when y is bound, and the `if (x != 0) return;` leaves only the x == 0 path
// reaching the store. The warning is expected on the store through y.
void testRetroactiveNullReference(int *x) {
  // According to the C++ standard, there is no such thing as a
  // "null reference". So the 'if' statement ought to be dead code.
  // However, Clang (and other compilers) don't actually check that a pointer
  // value is non-null in the implementation of references, so it is possible
  // to produce a supposed "null reference" at runtime. The analyzer should
  // still warn when it can prove such errors.
  int &y = *x;
  if (x != 0)
    return;
  y = 5; // expected-warning{{Dereference of null pointer}}
}
// The address of a reference is never null: the analyzer should prove
// `&x != 0` for a reference parameter, for a reference returned by a call, and
// for a reference member reached through a pointer. The by-value struct case
// is a known gap (see the FIXME below).
void testReferenceAddress(int &x) {
  clang_analyzer_eval(&x != 0); // expected-warning{{TRUE}}
  clang_analyzer_eval(&ref() != 0); // expected-warning{{TRUE}}

  struct S { int &x; };

  // FIXME: Should be TRUE. Fields of return-by-value structs are not yet
  // symbolicated. Tracked by <rdar://problem/12137950>.
  extern S getS();
  clang_analyzer_eval(&getS().x != 0); // expected-warning{{UNKNOWN}}

  extern S *getSP();
  clang_analyzer_eval(&getSP()->x != 0); // expected-warning{{TRUE}}
}
// A reference-returning function reached through an opaque pointer. The
// C-style cast from void* is the fixture under test, not a style choice: the
// analyzer has no body for getRef and must still model its returned reference
// as a writable region so the store and the subsequent read agree.
void testFunctionPointerReturn(void *opaque) {
  typedef int &(*RefFn)();

  RefFn getRef = (RefFn)opaque;

  // Don't crash writing to or reading from this reference.
  int &x = getRef();
  x = 42;
  clang_analyzer_eval(x == 42); // expected-warning{{TRUE}}
}
// ------------------------------------
// False negatives
// ------------------------------------
namespace rdar11212286 {
  class B{};

  // Known false negative: dereferencing a null B* to form the return value is
  // not currently reported, whether the result is returned by copy (test) or
  // bound to the returned reference (testRef). Both are null dereferences.
  B test() {
    B *x = 0;
    return *x; // should warn here!
  }

  B &testRef() {
    B *x = 0;
    return *x; // should warn here!
  }
}