1 // RUN: %clang_cc1 -triple i386-apple-darwin9 -analyze -analyzer-checker=core,alpha.core -analyzer-store=region -verify -fblocks -analyzer-opt-analyze-nested-blocks %s -fexceptions -fcxx-exceptions
2 // RUN: %clang_cc1 -triple x86_64-apple-darwin9 -analyze -analyzer-checker=core,alpha.core -analyzer-store=region -verify -fblocks -analyzer-opt-analyze-nested-blocks %s -fexceptions -fcxx-exceptions
3
4 // Test basic handling of references.
5 char &test1_aux();
test1()6 char *test1() {
7 return &test1_aux();
8 }
9
10 // Test test1_aux() evaluates to char &.
test1_as_rvalue()11 char test1_as_rvalue() {
12 return test1_aux();
13 }
14
15 // Test passing a value as a reference. The 'const' in test2_aux() adds
16 // an ImplicitCastExpr, which is evaluated as an lvalue.
17 int test2_aux(const int &n);
test2(int n)18 int test2(int n) {
19 return test2_aux(n);
20 }
21
22 int test2_b_aux(const short &n);
test2_b(int n)23 int test2_b(int n) {
24 return test2_b_aux(n);
25 }
26
27 // Test getting the lvalue of a derived and converting it to a base. This
28 // previously crashed.
29 class Test3_Base {};
30 class Test3_Derived : public Test3_Base {};
31
32 int test3_aux(Test3_Base &x);
test3(Test3_Derived x)33 int test3(Test3_Derived x) {
34 return test3_aux(x);
35 }
36
37 //===---------------------------------------------------------------------===//
38 // Test CFG support for C++ condition variables.
39 //===---------------------------------------------------------------------===//
40
41 int test_init_in_condition_aux();
test_init_in_condition()42 int test_init_in_condition() {
43 if (int x = test_init_in_condition_aux()) { // no-warning
44 return 1;
45 }
46 return 0;
47 }
48
test_init_in_condition_switch()49 int test_init_in_condition_switch() {
50 switch (int x = test_init_in_condition_aux()) { // no-warning
51 case 1:
52 return 0;
53 case 2:
54 if (x == 2)
55 return 0;
56 else {
57 // Unreachable.
58 int *p = 0;
59 *p = 0xDEADBEEF; // no-warning
60 }
61 default:
62 break;
63 }
64 return 0;
65 }
66
test_init_in_condition_while()67 int test_init_in_condition_while() {
68 int z = 0;
69 while (int x = ++z) { // no-warning
70 if (x == 2)
71 break;
72 }
73
74 if (z == 2)
75 return 0;
76
77 int *p = 0;
78 *p = 0xDEADBEEF; // no-warning
79 return 0;
80 }
81
82
test_init_in_condition_for()83 int test_init_in_condition_for() {
84 int z = 0;
85 for (int x = 0; int y = ++z; ++x) {
86 if (x == y) // no-warning
87 break;
88 }
89 if (z == 1)
90 return 0;
91
92 int *p = 0;
93 *p = 0xDEADBEEF; // no-warning
94 return 0;
95 }
96
97 //===---------------------------------------------------------------------===//
98 // Test handling of 'this' pointer.
99 //===---------------------------------------------------------------------===//
100
101 class TestHandleThis {
102 int x;
103
104 TestHandleThis();
105 int foo();
106 int null_deref_negative();
107 int null_deref_positive();
108 };
109
foo()110 int TestHandleThis::foo() {
111 // Assume that 'x' is initialized.
112 return x + 1; // no-warning
113 }
114
null_deref_negative()115 int TestHandleThis::null_deref_negative() {
116 x = 10;
117 if (x == 10) {
118 return 1;
119 }
120 int *p = 0;
121 *p = 0xDEADBEEF; // no-warning
122 return 0;
123 }
124
null_deref_positive()125 int TestHandleThis::null_deref_positive() {
126 x = 10;
127 if (x == 9) {
128 return 1;
129 }
130 int *p = 0;
131 *p = 0xDEADBEEF; // expected-warning{{null pointer}}
132 return 0;
133 }
134
135 // PR 7675 - passing literals by-reference
136 void pr7675(const double &a);
137 void pr7675(const int &a);
138 void pr7675(const char &a);
139 void pr7675_i(const _Complex double &a);
140
pr7675_test()141 void pr7675_test() {
142 pr7675(10.0);
143 pr7675(10);
144 pr7675('c');
145 pr7675_i(4.0i);
146 // Add null deref to ensure we are analyzing the code up to this point.
147 int *p = 0;
148 *p = 0xDEADBEEF; // expected-warning{{null pointer}}
149 }
150
151 // <rdar://problem/8375510> - CFGBuilder should handle temporaries.
152 struct R8375510 {
153 R8375510();
154 ~R8375510();
155 R8375510 operator++(int);
156 };
157
r8375510(R8375510 x,R8375510 y)158 int r8375510(R8375510 x, R8375510 y) {
159 for (; ; x++) { }
160 }
161
162 // PR8419 -- this used to crash.
163
164 class String8419 {
165 public:
166 char& get(int n);
167 char& operator[](int n);
168 };
169
170 char& get8419();
171
Test8419()172 void Test8419() {
173 String8419 s;
174 ++(s.get(0));
175 get8419()--; // used to crash
176 --s[0]; // used to crash
177 s[0] &= 1; // used to crash
178 s[0]++; // used to crash
179 }
180
181 // PR8426 -- this used to crash.
182
183 void Use(void* to);
184
185 template <class T> class Foo {
186 ~Foo();
187 struct Bar;
188 Bar* bar_;
189 };
190
~Foo()191 template <class T> Foo<T>::~Foo() {
192 Use(bar_);
193 T::DoSomething();
194 bar_->Work();
195 }
196
197 // PR8427 -- this used to crash.
198
199 class Dummy {};
200
201 bool operator==(Dummy, int);
202
203 template <typename T>
204 class Foo2 {
205 bool Bar();
206 };
207
208 template <typename T>
Bar()209 bool Foo2<T>::Bar() {
210 return 0 == T();
211 }
212
213 // PR8433 -- this used to crash.
214
215 template <typename T>
216 class Foo3 {
217 public:
218 void Bar();
219 void Baz();
220 T value_;
221 };
222
223 template <typename T>
Bar()224 void Foo3<T>::Bar() {
225 Baz();
226 value_();
227 }
228
229 //===---------------------------------------------------------------------===//
230 // Handle misc. C++ constructs.
231 //===---------------------------------------------------------------------===//
232
233 namespace fum {
234 int i = 3;
235 };
236
test_namespace()237 void test_namespace() {
238 // Previously triggered a crash.
239 using namespace fum;
240 int x = i;
241 }
242
243 // Test handling methods that accept references as parameters, and that
244 // variables are properly invalidated.
245 class RDar9203355 {
246 bool foo(unsigned valA, long long &result) const;
247 bool foo(unsigned valA, int &result) const;
248 };
foo(unsigned valA,int & result) const249 bool RDar9203355::foo(unsigned valA, int &result) const {
250 long long val;
251 if (foo(valA, val) ||
252 (int)val != val) // no-warning
253 return true;
254 result = val; // no-warning
255 return false;
256 }
257
258 // Test handling of new[].
rdar9212512()259 void rdar9212512() {
260 int *x = new int[10];
261 for (unsigned i = 0 ; i < 2 ; ++i) {
262 // This previously triggered an uninitialized values warning.
263 x[i] = 1; // no-warning
264 }
265 }
266
267 // Test basic support for dynamic_cast<>.
268 struct Rdar9212495_C { virtual void bar() const; };
269 class Rdar9212495_B : public Rdar9212495_C {};
270 class Rdar9212495_A : public Rdar9212495_B {};
rdar9212495(const Rdar9212495_C * ptr)271 const Rdar9212495_A& rdar9212495(const Rdar9212495_C* ptr) {
272 const Rdar9212495_A& val = dynamic_cast<const Rdar9212495_A&>(*ptr);
273
274 // This is not valid C++; dynamic_cast with a reference type will throw an
275 // exception if the pointer does not match the expected type. However, our
276 // implementation of dynamic_cast will pass through a null pointer...or a
277 // "null reference"! So this branch is actually possible.
278 if (&val == 0) {
279 val.bar(); // expected-warning{{Called C++ object pointer is null}}
280 }
281
282 return val;
283 }
284
rdar9212495_ptr(const Rdar9212495_C * ptr)285 const Rdar9212495_A* rdar9212495_ptr(const Rdar9212495_C* ptr) {
286 const Rdar9212495_A* val = dynamic_cast<const Rdar9212495_A*>(ptr);
287
288 if (val == 0) {
289 val->bar(); // expected-warning{{Called C++ object pointer is null}}
290 }
291
292 return val;
293 }
294
295 // Test constructors invalidating arguments. Previously this raised
296 // an uninitialized value warning.
297 extern "C" void __attribute__((noreturn)) PR9645_exit(int i);
298
299 class PR9645_SideEffect
300 {
301 public:
302 PR9645_SideEffect(int *pi); // caches pi in i_
303 void Read(int *pi); // copies *pi into *i_
304 private:
305 int *i_;
306 };
307
PR9645()308 void PR9645() {
309 int i;
310
311 PR9645_SideEffect se(&i);
312 int j = 1;
313 se.Read(&j); // this has a side-effect of initializing i.
314
315 PR9645_exit(i); // no-warning
316 }
317
PR9645_SideEffect(int * pi)318 PR9645_SideEffect::PR9645_SideEffect(int *pi) : i_(pi) {}
Read(int * pi)319 void PR9645_SideEffect::Read(int *pi) { *i_ = *pi; }
320
321 // Invalidate fields during C++ method calls.
322 class RDar9267815 {
323 int x;
324 void test();
325 void test_pos();
326 void test2();
327 void invalidate();
328 };
329
test_pos()330 void RDar9267815::test_pos() {
331 int *p = 0;
332 if (x == 42)
333 return;
334 *p = 0xDEADBEEF; // expected-warning {{null}}
335 }
test()336 void RDar9267815::test() {
337 int *p = 0;
338 if (x == 42)
339 return;
340 if (x == 42)
341 *p = 0xDEADBEEF; // no-warning
342 }
343
test2()344 void RDar9267815::test2() {
345 int *p = 0;
346 if (x == 42)
347 return;
348 invalidate();
349 if (x == 42)
350 *p = 0xDEADBEEF; // expected-warning {{null}}
351 }
352
353 // Test reference parameters.
354 void test_ref_double_aux(double &Value);
test_ref_double()355 float test_ref_double() {
356 double dVal;
357 test_ref_double_aux(dVal);
358 // This previously warned because 'dVal' was thought to be uninitialized.
359 float Val = (float)dVal; // no-warning
360 return Val;
361 }
362
363 // Test invalidation of class fields.
364 class TestInvalidateClass {
365 public:
366 int x;
367 };
368
369 void test_invalidate_class_aux(TestInvalidateClass &x);
370
test_invalidate_class()371 int test_invalidate_class() {
372 TestInvalidateClass y;
373 test_invalidate_class_aux(y);
374 return y.x; // no-warning
375 }
376
377 // Test correct pointer arithmetic using 'p--'. This is to warn that we
378 // were loading beyond the written characters in buf.
RDar9269695(char * dst,unsigned int n)379 char *RDar9269695(char *dst, unsigned int n)
380 {
381 char buff[40], *p;
382
383 p = buff;
384 do
385 *p++ = '0' + n % 10;
386 while (n /= 10);
387
388 do
389 *dst++ = *--p; // no-warning
390 while (p != buff);
391
392 return dst;
393 }
394
395 // Test that we invalidate byref arguments passed to constructors.
396 class TestInvalidateInCtor {
397 public:
398 TestInvalidateInCtor(unsigned &x);
399 };
400
test_invalidate_in_ctor()401 unsigned test_invalidate_in_ctor() {
402 unsigned x;
403 TestInvalidateInCtor foo(x);
404 return x; // no-warning
405 }
test_invalidate_in_ctor_new()406 unsigned test_invalidate_in_ctor_new() {
407 unsigned x;
408 delete (new TestInvalidateInCtor(x));
409 return x; // no-warning
410 }
411
412 // Test assigning into a symbolic offset.
413 struct TestAssignIntoSymbolicOffset {
414 int **stuff[100];
415 void test(int x, int y);
416 };
417
test(int x,int y)418 void TestAssignIntoSymbolicOffset::test(int x, int y) {
419 x--;
420 if (x > 8 || x < 0)
421 return;
422 if (stuff[x])
423 return;
424 if (!stuff[x]) {
425 stuff[x] = new int*[y+1];
426 // Previously triggered a null dereference.
427 stuff[x][y] = 0; // no-warning
428 }
429 }
430
431 // Test loads from static fields. This previously triggered an uninitialized
432 // value warning.
433 class ClassWithStatic {
434 public:
435 static const unsigned value = 1;
436 };
437
rdar9948787_negative()438 int rdar9948787_negative() {
439 ClassWithStatic classWithStatic;
440 unsigned value = classWithStatic.value;
441 if (value == 1)
442 return 1;
443 int *p = 0;
444 *p = 0xDEADBEEF; // no-warning
445 return 0;
446 }
447
rdar9948787_positive()448 int rdar9948787_positive() {
449 ClassWithStatic classWithStatic;
450 unsigned value = classWithStatic.value;
451 if (value == 0)
452 return 1;
453 int *p = 0;
454 *p = 0xDEADBEEF; // expected-warning {{null}}
455 return 0;
456 }
457
458 // Regression test against global constants and switches.
459 enum rdar10202899_ValT { rdar10202899_ValTA, rdar10202899_ValTB, rdar10202899_ValTC };
460 const rdar10202899_ValT val = rdar10202899_ValTA;
rdar10202899_test1()461 void rdar10202899_test1() {
462 switch (val) {
463 case rdar10202899_ValTA: {}
464 };
465 }
466
rdar10202899_test2()467 void rdar10202899_test2() {
468 if (val == rdar10202899_ValTA)
469 return;
470 int *p = 0;
471 *p = 0xDEADBEEF;
472 }
473
rdar10202899_test3()474 void rdar10202899_test3() {
475 switch (val) {
476 case rdar10202899_ValTA: return;
477 default: ;
478 };
479 int *p = 0;
480 *p = 0xDEADBEEF;
481 }
482
483 // This used to crash the analyzer because of the unnamed bitfield.
PR11249()484 void PR11249()
485 {
486 struct {
487 char f1:4;
488 char :4;
489 char f2[1];
490 char f3;
491 } V = { 1, {2}, 3 };
492 int *p = 0;
493 if (V.f1 != 1)
494 *p = 0xDEADBEEF; // no-warning
495 if (V.f2[0] != 2)
496 *p = 0xDEADBEEF; // no-warning
497 if (V.f3 != 3)
498 *p = 0xDEADBEEF; // no-warning
499 }
500
501 // Handle doing a load from the memory associated with the code for
502 // a function.
503 extern double nan( const char * );
PR11450()504 double PR11450() {
505 double NaN = *(double*) nan;
506 return NaN;
507 }
508
509 // Test that 'this' is assumed non-null upon analyzing the entry to a "top-level"
510 // function (i.e., when not analyzing from a specific caller).
511 struct TestNullThis {
512 int field;
513 void test();
514 };
515
test()516 void TestNullThis::test() {
517 int *p = &field;
518 if (p)
519 return;
520 field = 2; // no-warning
521 }
522
523 // Test handling of 'catch' exception variables, and not warning
524 // about uninitialized values.
525 enum MyEnum { MyEnumValue };
rdar10892489()526 MyEnum rdar10892489() {
527 try {
528 throw MyEnumValue;
529 } catch (MyEnum e) {
530 return e; // no-warning
531 }
532 return MyEnumValue;
533 }
534
rdar10892489_positive()535 MyEnum rdar10892489_positive() {
536 try {
537 throw MyEnumValue;
538 } catch (MyEnum e) {
539 int *p = 0;
540 // FALSE NEGATIVE
541 *p = 0xDEADBEEF; // {{null}}
542 return e;
543 }
544 return MyEnumValue;
545 }
546
547 // Test handling of catch with no condition variable.
PR11545()548 void PR11545() {
549 try
550 {
551 throw;
552 }
553 catch (...)
554 {
555 }
556 }
557
PR11545_positive()558 void PR11545_positive() {
559 try
560 {
561 throw;
562 }
563 catch (...)
564 {
565 int *p = 0;
566 // FALSE NEGATIVE
567 *p = 0xDEADBEEF; // {{null}}
568 }
569 }
570
571 // Test handling taking the address of a field. While the analyzer
572 // currently doesn't do anything intelligent here, this previously
573 // resulted in a crash.
574 class PR11146 {
575 public:
576 struct Entry;
577 void baz();
578 };
579
580 struct PR11146::Entry {
581 int x;
582 };
583
baz()584 void PR11146::baz() {
585 (void) &Entry::x;
586 }
587
588 // Test symbolicating a reference. In this example, the
589 // analyzer (originally) didn't know how to handle x[index - index2],
590 // returning an UnknownVal. The conjured symbol wasn't a location,
591 // and would result in a crash.
rdar10924675(unsigned short x[],int index,int index2)592 void rdar10924675(unsigned short x[], int index, int index2) {
593 unsigned short &y = x[index - index2];
594 if (y == 0)
595 return;
596 }
597
598 // Test handling CXXScalarValueInitExprs.
rdar11401827()599 void rdar11401827() {
600 int x = int();
601 if (!x) {
602 int *p = 0;
603 *p = 0xDEADBEEF; // expected-warning {{null pointer}}
604 }
605 else {
606 int *p = 0;
607 *p = 0xDEADBEEF;
608 }
609 }
610
611 //===---------------------------------------------------------------------===//
612 // Handle inlining of C++ method calls.
613 //===---------------------------------------------------------------------===//
614
615 struct A {
616 int *p;
fooA617 void foo(int *q) {
618 p = q;
619 }
barA620 void bar() {
621 *p = 0; // expected-warning {{null pointer}}
622 }
623 };
624
test_inline()625 void test_inline() {
626 A a;
627 a.foo(0);
628 a.bar();
629 }
630
test_alloca_in_a_recursive_function(int p1)631 void test_alloca_in_a_recursive_function(int p1) {
632 __builtin_alloca (p1);
633 test_alloca_in_a_recursive_function(1);
634 test_alloca_in_a_recursive_function(2);
635 }
636
637 //===---------------------------------------------------------------------===//
638 // Random tests.
639 //===---------------------------------------------------------------------===//
640
641 // Tests assigning using a C-style initializer to a struct
642 // variable whose sub-field is also a struct. This currently
643 // results in a CXXTempObjectRegion being created, but not
644 // properly handled. For now, we just ignore that value
645 // to avoid a crash (<rdar://problem/12753384>).
646 struct RDar12753384_ClassA {
647 unsigned z;
648 };
649 struct RDar12753384_ClassB {
650 unsigned x;
651 RDar12753384_ClassA y[ 8 ] ;
652 };
RDar12753384()653 unsigned RDar12753384() {
654 RDar12753384_ClassB w = { 0x00 };
655 RDar12753384_ClassA y[8];
656 return w.x;
657 }
658
659 // This testcase tests whether we treat the anonymous union and union
660 // the same way. This previously resulted in a "return of stack address"
661 // warning because the anonymous union resulting in a temporary object
662 // getting put into the initializer. We still aren't handling this correctly,
663 // but now if a temporary object appears in an initializer we just ignore it.
664 // Fixes <rdar://problem/12755044>.
665
666 struct Rdar12755044_foo
667 {
668 struct Rdar12755044_bar
669 {
670 union baz
671 {
672 int i;
673 };
674 } aBar;
675 };
676
677 struct Rdar12755044_foo_anon
678 {
679 struct Rdar12755044_bar
680 {
681 union
682 {
683 int i;
684 };
685 } aBar;
686 };
687
radar12755044_anon()688 const Rdar12755044_foo_anon *radar12755044_anon() {
689 static const Rdar12755044_foo_anon Rdar12755044_foo_list[] = { { { } } };
690 return Rdar12755044_foo_list; // no-warning
691 }
692
radar12755044()693 const Rdar12755044_foo *radar12755044() {
694 static const Rdar12755044_foo Rdar12755044_foo_list[] = { { { } } };
695 return Rdar12755044_foo_list; // no-warning
696 }
697
698 // Test the correct handling of integer to bool conversions. Previously
699 // this resulted in a false positive because integers were being truncated
700 // and not tested for non-zero.
rdar12759044()701 void rdar12759044() {
702 int flag = 512;
703 if (!(flag & 512)) {
704 int *p = 0;
705 *p = 0xDEADBEEF; // no-warning
706 }
707 }
708
709 // The analyzer currently does not model complex types. Test that the load
710 // from 'x' is not flagged as being uninitialized.
711 typedef __complex__ float _ComplexT;
rdar12964481(_ComplexT * y)712 void rdar12964481(_ComplexT *y) {
713 _ComplexT x;
714 __real__ x = 1.0;
715 __imag__ x = 1.0;
716 *y *= x; // no-warning
717 }
rdar12964481_b(_ComplexT * y)718 void rdar12964481_b(_ComplexT *y) {
719 _ComplexT x;
720 // Eventually this should be a warning.
721 *y *= x; // no-warning
722 }
723
724