1 // RUN: %clang_cc1 -triple i386-apple-darwin9 -analyze -analyzer-checker=core,alpha.core,debug.ExprInspection -analyzer-store=region -verify -fblocks -analyzer-opt-analyze-nested-blocks %s -fexceptions -fcxx-exceptions -Wno-tautological-undefined-compare
2 // RUN: %clang_cc1 -triple x86_64-apple-darwin9 -analyze -analyzer-checker=core,alpha.core,debug.ExprInspection -analyzer-store=region -verify -fblocks -analyzer-opt-analyze-nested-blocks %s -fexceptions -fcxx-exceptions -Wno-tautological-undefined-compare
3
4 void clang_analyzer_warnIfReached();
5
6 // Test basic handling of references.
7 char &test1_aux();
test1()8 char *test1() {
9 return &test1_aux();
10 }
11
12 // Test test1_aux() evaluates to char &.
test1_as_rvalue()13 char test1_as_rvalue() {
14 return test1_aux();
15 }
16
17 // Test passing a value as a reference. The 'const' in test2_aux() adds
18 // an ImplicitCastExpr, which is evaluated as an lvalue.
19 int test2_aux(const int &n);
test2(int n)20 int test2(int n) {
21 return test2_aux(n);
22 }
23
24 int test2_b_aux(const short &n);
test2_b(int n)25 int test2_b(int n) {
26 return test2_b_aux(n);
27 }
28
29 // Test getting the lvalue of a derived and converting it to a base. This
30 // previously crashed.
31 class Test3_Base {};
32 class Test3_Derived : public Test3_Base {};
33
34 int test3_aux(Test3_Base &x);
test3(Test3_Derived x)35 int test3(Test3_Derived x) {
36 return test3_aux(x);
37 }
38
39 //===---------------------------------------------------------------------===//
40 // Test CFG support for C++ condition variables.
41 //===---------------------------------------------------------------------===//
42
43 int test_init_in_condition_aux();
test_init_in_condition()44 int test_init_in_condition() {
45 if (int x = test_init_in_condition_aux()) { // no-warning
46 return 1;
47 }
48 return 0;
49 }
50
test_init_in_condition_switch()51 int test_init_in_condition_switch() {
52 switch (int x = test_init_in_condition_aux()) { // no-warning
53 case 1:
54 return 0;
55 case 2:
56 if (x == 2)
57 return 0;
58 else {
59 clang_analyzer_warnIfReached(); // unreachable
60 }
61 default:
62 break;
63 }
64 return 0;
65 }
66
test_init_in_condition_while()67 int test_init_in_condition_while() {
68 int z = 0;
69 while (int x = ++z) { // no-warning
70 if (x == 2)
71 break;
72 }
73
74 if (z == 2)
75 return 0;
76
77 clang_analyzer_warnIfReached(); // unreachable
78 return 0;
79 }
80
81
test_init_in_condition_for()82 int test_init_in_condition_for() {
83 int z = 0;
84 for (int x = 0; int y = ++z; ++x) {
85 if (x == y) // no-warning
86 break;
87 }
88 if (z == 1)
89 return 0;
90
91 clang_analyzer_warnIfReached(); // unreachable
92 return 0;
93 }
94
95 //===---------------------------------------------------------------------===//
96 // Test handling of 'this' pointer.
97 //===---------------------------------------------------------------------===//
98
99 class TestHandleThis {
100 int x;
101
102 TestHandleThis();
103 int foo();
104 int null_deref_negative();
105 int null_deref_positive();
106 };
107
foo()108 int TestHandleThis::foo() {
109 // Assume that 'x' is initialized.
110 return x + 1; // no-warning
111 }
112
null_deref_negative()113 int TestHandleThis::null_deref_negative() {
114 x = 10;
115 if (x == 10) {
116 return 1;
117 }
118 clang_analyzer_warnIfReached(); // unreachable
119 return 0;
120 }
121
null_deref_positive()122 int TestHandleThis::null_deref_positive() {
123 x = 10;
124 if (x == 9) {
125 return 1;
126 }
127 clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
128 return 0;
129 }
130
131 // PR 7675 - passing literals by-reference
132 void pr7675(const double &a);
133 void pr7675(const int &a);
134 void pr7675(const char &a);
135 void pr7675_i(const _Complex double &a);
136
pr7675_test()137 void pr7675_test() {
138 pr7675(10.0);
139 pr7675(10);
140 pr7675('c');
141 pr7675_i(4.0i);
142
143 // Add check to ensure we are analyzing the code up to this point.
144 clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
145 }
146
147 // <rdar://problem/8375510> - CFGBuilder should handle temporaries.
148 struct R8375510 {
149 R8375510();
150 ~R8375510();
151 R8375510 operator++(int);
152 };
153
r8375510(R8375510 x,R8375510 y)154 int r8375510(R8375510 x, R8375510 y) {
155 for (; ; x++) { }
156 }
157
158 // PR8419 -- this used to crash.
159
160 class String8419 {
161 public:
162 char& get(int n);
163 char& operator[](int n);
164 };
165
166 char& get8419();
167
Test8419()168 void Test8419() {
169 String8419 s;
170 ++(s.get(0));
171 get8419()--; // used to crash
172 --s[0]; // used to crash
173 s[0] &= 1; // used to crash
174 s[0]++; // used to crash
175 }
176
177 // PR8426 -- this used to crash.
178
179 void Use(void* to);
180
181 template <class T> class Foo {
182 ~Foo();
183 struct Bar;
184 Bar* bar_;
185 };
186
~Foo()187 template <class T> Foo<T>::~Foo() {
188 Use(bar_);
189 T::DoSomething();
190 bar_->Work();
191 }
192
193 // PR8427 -- this used to crash.
194
195 class Dummy {};
196
197 bool operator==(Dummy, int);
198
199 template <typename T>
200 class Foo2 {
201 bool Bar();
202 };
203
204 template <typename T>
Bar()205 bool Foo2<T>::Bar() {
206 return 0 == T();
207 }
208
209 // PR8433 -- this used to crash.
210
211 template <typename T>
212 class Foo3 {
213 public:
214 void Bar();
215 void Baz();
216 T value_;
217 };
218
219 template <typename T>
Bar()220 void Foo3<T>::Bar() {
221 Baz();
222 value_();
223 }
224
225 //===---------------------------------------------------------------------===//
226 // Handle misc. C++ constructs.
227 //===---------------------------------------------------------------------===//
228
229 namespace fum {
230 int i = 3;
231 };
232
test_namespace()233 void test_namespace() {
234 // Previously triggered a crash.
235 using namespace fum;
236 int x = i;
237 }
238
239 // Test handling methods that accept references as parameters, and that
240 // variables are properly invalidated.
241 class RDar9203355 {
242 bool foo(unsigned valA, long long &result) const;
243 bool foo(unsigned valA, int &result) const;
244 };
foo(unsigned valA,int & result) const245 bool RDar9203355::foo(unsigned valA, int &result) const {
246 long long val;
247 if (foo(valA, val) ||
248 (int)val != val) // no-warning
249 return true;
250 result = val; // no-warning
251 return false;
252 }
253
254 // Test handling of new[].
rdar9212512()255 void rdar9212512() {
256 int *x = new int[10];
257 for (unsigned i = 0 ; i < 2 ; ++i) {
258 // This previously triggered an uninitialized values warning.
259 x[i] = 1; // no-warning
260 }
261 }
262
263 // Test basic support for dynamic_cast<>.
264 struct Rdar9212495_C { virtual void bar() const; };
265 class Rdar9212495_B : public Rdar9212495_C {};
266 class Rdar9212495_A : public Rdar9212495_B {};
rdar9212495(const Rdar9212495_C * ptr)267 const Rdar9212495_A& rdar9212495(const Rdar9212495_C* ptr) {
268 const Rdar9212495_A& val = dynamic_cast<const Rdar9212495_A&>(*ptr);
269
270 // This is not valid C++; dynamic_cast with a reference type will throw an
271 // exception if the pointer does not match the expected type. However, our
272 // implementation of dynamic_cast will pass through a null pointer...or a
273 // "null reference"! So this branch is actually possible.
274 if (&val == 0) {
275 val.bar(); // expected-warning{{Called C++ object pointer is null}}
276 }
277
278 return val;
279 }
280
rdar9212495_ptr(const Rdar9212495_C * ptr)281 const Rdar9212495_A* rdar9212495_ptr(const Rdar9212495_C* ptr) {
282 const Rdar9212495_A* val = dynamic_cast<const Rdar9212495_A*>(ptr);
283
284 if (val == 0) {
285 val->bar(); // expected-warning{{Called C++ object pointer is null}}
286 }
287
288 return val;
289 }
290
291 // Test constructors invalidating arguments. Previously this raised
292 // an uninitialized value warning.
293 extern "C" void __attribute__((noreturn)) PR9645_exit(int i);
294
295 class PR9645_SideEffect
296 {
297 public:
298 PR9645_SideEffect(int *pi); // caches pi in i_
299 void Read(int *pi); // copies *pi into *i_
300 private:
301 int *i_;
302 };
303
PR9645()304 void PR9645() {
305 int i;
306
307 PR9645_SideEffect se(&i);
308 int j = 1;
309 se.Read(&j); // this has a side-effect of initializing i.
310
311 PR9645_exit(i); // no-warning
312 }
313
PR9645_SideEffect(int * pi)314 PR9645_SideEffect::PR9645_SideEffect(int *pi) : i_(pi) {}
Read(int * pi)315 void PR9645_SideEffect::Read(int *pi) { *i_ = *pi; }
316
317 // Invalidate fields during C++ method calls.
318 class RDar9267815 {
319 int x;
320 void test();
321 void test_pos();
322 void test2();
323 void invalidate();
324 };
325
test_pos()326 void RDar9267815::test_pos() {
327 if (x == 42)
328 return;
329 clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
330 }
test()331 void RDar9267815::test() {
332 if (x == 42)
333 return;
334 if (x == 42)
335 clang_analyzer_warnIfReached(); // no-warning
336 }
337
test2()338 void RDar9267815::test2() {
339 if (x == 42)
340 return;
341 invalidate();
342 if (x == 42)
343 clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
344 }
345
346 // Test reference parameters.
347 void test_ref_double_aux(double &Value);
test_ref_double()348 float test_ref_double() {
349 double dVal;
350 test_ref_double_aux(dVal);
351 // This previously warned because 'dVal' was thought to be uninitialized.
352 float Val = (float)dVal; // no-warning
353 return Val;
354 }
355
356 // Test invalidation of class fields.
357 class TestInvalidateClass {
358 public:
359 int x;
360 };
361
362 void test_invalidate_class_aux(TestInvalidateClass &x);
363
test_invalidate_class()364 int test_invalidate_class() {
365 TestInvalidateClass y;
366 test_invalidate_class_aux(y);
367 return y.x; // no-warning
368 }
369
370 // Test correct pointer arithmetic using 'p--'. This is to warn that we
371 // were loading beyond the written characters in buf.
RDar9269695(char * dst,unsigned int n)372 char *RDar9269695(char *dst, unsigned int n)
373 {
374 char buff[40], *p;
375
376 p = buff;
377 do
378 *p++ = '0' + n % 10;
379 while (n /= 10);
380
381 do
382 *dst++ = *--p; // no-warning
383 while (p != buff);
384
385 return dst;
386 }
387
388 // Test that we invalidate byref arguments passed to constructors.
389 class TestInvalidateInCtor {
390 public:
391 TestInvalidateInCtor(unsigned &x);
392 };
393
test_invalidate_in_ctor()394 unsigned test_invalidate_in_ctor() {
395 unsigned x;
396 TestInvalidateInCtor foo(x);
397 return x; // no-warning
398 }
test_invalidate_in_ctor_new()399 unsigned test_invalidate_in_ctor_new() {
400 unsigned x;
401 delete (new TestInvalidateInCtor(x));
402 return x; // no-warning
403 }
404
405 // Test assigning into a symbolic offset.
406 struct TestAssignIntoSymbolicOffset {
407 int **stuff[100];
408 void test(int x, int y);
409 };
410
test(int x,int y)411 void TestAssignIntoSymbolicOffset::test(int x, int y) {
412 x--;
413 if (x > 8 || x < 0)
414 return;
415 if (stuff[x])
416 return;
417 if (!stuff[x]) {
418 stuff[x] = new int*[y+1];
419 // Previously triggered a null dereference.
420 stuff[x][y] = 0; // no-warning
421 }
422 }
423
424 // Test loads from static fields. This previously triggered an uninitialized
425 // value warning.
426 class ClassWithStatic {
427 public:
428 static const unsigned value = 1;
429 };
430
rdar9948787_negative()431 int rdar9948787_negative() {
432 ClassWithStatic classWithStatic;
433 unsigned value = classWithStatic.value;
434 if (value == 1)
435 return 1;
436 clang_analyzer_warnIfReached(); // no-warning
437 return 0;
438 }
439
rdar9948787_positive()440 int rdar9948787_positive() {
441 ClassWithStatic classWithStatic;
442 unsigned value = classWithStatic.value;
443 if (value == 0)
444 return 1;
445 clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
446 return 0;
447 }
448
449 // Regression test against global constants and switches.
450 enum rdar10202899_ValT { rdar10202899_ValTA, rdar10202899_ValTB, rdar10202899_ValTC };
451 const rdar10202899_ValT val = rdar10202899_ValTA;
rdar10202899_test1()452 void rdar10202899_test1() {
453 switch (val) {
454 case rdar10202899_ValTA: {}
455 };
456 }
457
rdar10202899_test2()458 void rdar10202899_test2() {
459 if (val == rdar10202899_ValTA)
460 return;
461 clang_analyzer_warnIfReached(); // no-warning
462 }
463
rdar10202899_test3()464 void rdar10202899_test3() {
465 switch (val) {
466 case rdar10202899_ValTA: return;
467 default: ;
468 };
469 clang_analyzer_warnIfReached(); // no-warning
470 }
471
472 // This used to crash the analyzer because of the unnamed bitfield.
PR11249()473 void PR11249()
474 {
475 struct {
476 char f1:4;
477 char :4;
478 char f2[1];
479 char f3;
480 } V = { 1, {2}, 3 };
481 if (V.f1 != 1)
482 clang_analyzer_warnIfReached(); // no-warning
483 if (V.f2[0] != 2)
484 clang_analyzer_warnIfReached(); // no-warning
485 if (V.f3 != 3)
486 clang_analyzer_warnIfReached(); // no-warning
487 }
488
489 // Handle doing a load from the memory associated with the code for
490 // a function.
491 extern double nan( const char * );
PR11450()492 double PR11450() {
493 double NaN = *(double*) nan;
494 return NaN;
495 }
496
497 // Test that 'this' is assumed non-null upon analyzing the entry to a "top-level"
498 // function (i.e., when not analyzing from a specific caller).
499 struct TestNullThis {
500 int field;
501 void test();
502 };
503
test()504 void TestNullThis::test() {
505 int *p = &field;
506 if (p)
507 return;
508 field = 2; // no-warning
509 }
510
511 // Test handling of 'catch' exception variables, and not warning
512 // about uninitialized values.
513 enum MyEnum { MyEnumValue };
rdar10892489()514 MyEnum rdar10892489() {
515 try {
516 throw MyEnumValue;
517 } catch (MyEnum e) {
518 return e; // no-warning
519 }
520 return MyEnumValue;
521 }
522
rdar10892489_positive()523 MyEnum rdar10892489_positive() {
524 try {
525 throw MyEnumValue;
526 } catch (MyEnum e) {
527 int *p = 0;
528 // FALSE NEGATIVE
529 *p = 0xDEADBEEF; // {{null}}
530 return e;
531 }
532 return MyEnumValue;
533 }
534
535 // Test handling of catch with no condition variable.
PR11545()536 void PR11545() {
537 try
538 {
539 throw;
540 }
541 catch (...)
542 {
543 }
544 }
545
PR11545_positive()546 void PR11545_positive() {
547 try
548 {
549 throw;
550 }
551 catch (...)
552 {
553 int *p = 0;
554 // FALSE NEGATIVE
555 *p = 0xDEADBEEF; // {{null}}
556 }
557 }
558
559 // Test handling taking the address of a field. While the analyzer
560 // currently doesn't do anything intelligent here, this previously
561 // resulted in a crash.
562 class PR11146 {
563 public:
564 struct Entry;
565 void baz();
566 };
567
568 struct PR11146::Entry {
569 int x;
570 };
571
baz()572 void PR11146::baz() {
573 (void) &Entry::x;
574 }
575
576 // Test symbolicating a reference. In this example, the
577 // analyzer (originally) didn't know how to handle x[index - index2],
578 // returning an UnknownVal. The conjured symbol wasn't a location,
579 // and would result in a crash.
rdar10924675(unsigned short x[],int index,int index2)580 void rdar10924675(unsigned short x[], int index, int index2) {
581 unsigned short &y = x[index - index2];
582 if (y == 0)
583 return;
584 }
585
586 // Test handling CXXScalarValueInitExprs.
rdar11401827()587 void rdar11401827() {
588 int x = int();
589 if (!x) {
590 clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
591 ; // Suppress warning that both branches are identical
592 }
593 else {
594 clang_analyzer_warnIfReached(); // no-warning
595 }
596 }
597
598 //===---------------------------------------------------------------------===//
599 // Handle inlining of C++ method calls.
600 //===---------------------------------------------------------------------===//
601
602 struct A {
603 int *p;
fooA604 void foo(int *q) {
605 p = q;
606 }
barA607 void bar() {
608 *p = 0; // expected-warning {{null pointer}}
609 }
610 };
611
test_inline()612 void test_inline() {
613 A a;
614 a.foo(0);
615 a.bar();
616 }
617
test_alloca_in_a_recursive_function(int p1)618 void test_alloca_in_a_recursive_function(int p1) {
619 __builtin_alloca (p1);
620 test_alloca_in_a_recursive_function(1);
621 test_alloca_in_a_recursive_function(2);
622 }
623
624 //===---------------------------------------------------------------------===//
625 // Random tests.
626 //===---------------------------------------------------------------------===//
627
628 // Tests assigning using a C-style initializer to a struct
629 // variable whose sub-field is also a struct. This currently
630 // results in a CXXTempObjectRegion being created, but not
631 // properly handled. For now, we just ignore that value
632 // to avoid a crash (<rdar://problem/12753384>).
633 struct RDar12753384_ClassA {
634 unsigned z;
635 };
636 struct RDar12753384_ClassB {
637 unsigned x;
638 RDar12753384_ClassA y[ 8 ] ;
639 };
RDar12753384()640 unsigned RDar12753384() {
641 RDar12753384_ClassB w = { 0x00 };
642 RDar12753384_ClassA y[8];
643 return w.x;
644 }
645
646 // This testcase tests whether we treat the anonymous union and union
647 // the same way. This previously resulted in a "return of stack address"
648 // warning because the anonymous union resulting in a temporary object
649 // getting put into the initializer. We still aren't handling this correctly,
650 // but now if a temporary object appears in an initializer we just ignore it.
651 // Fixes <rdar://problem/12755044>.
652
653 struct Rdar12755044_foo
654 {
655 struct Rdar12755044_bar
656 {
657 union baz
658 {
659 int i;
660 };
661 } aBar;
662 };
663
664 struct Rdar12755044_foo_anon
665 {
666 struct Rdar12755044_bar
667 {
668 union
669 {
670 int i;
671 };
672 } aBar;
673 };
674
radar12755044_anon()675 const Rdar12755044_foo_anon *radar12755044_anon() {
676 static const Rdar12755044_foo_anon Rdar12755044_foo_list[] = { { { } } };
677 return Rdar12755044_foo_list; // no-warning
678 }
679
radar12755044()680 const Rdar12755044_foo *radar12755044() {
681 static const Rdar12755044_foo Rdar12755044_foo_list[] = { { { } } };
682 return Rdar12755044_foo_list; // no-warning
683 }
684
685 // Test the correct handling of integer to bool conversions. Previously
686 // this resulted in a false positive because integers were being truncated
687 // and not tested for non-zero.
rdar12759044()688 void rdar12759044() {
689 int flag = 512;
690 if (!(flag & 512)) {
691 clang_analyzer_warnIfReached(); // no-warning
692 }
693 }
694
695 // The analyzer currently does not model complex types. Test that the load
696 // from 'x' is not flagged as being uninitialized.
697 typedef __complex__ float _ComplexT;
rdar12964481(_ComplexT * y)698 void rdar12964481(_ComplexT *y) {
699 _ComplexT x;
700 __real__ x = 1.0;
701 __imag__ x = 1.0;
702 *y *= x; // no-warning
703 }
rdar12964481_b(_ComplexT * y)704 void rdar12964481_b(_ComplexT *y) {
705 _ComplexT x;
706 // Eventually this should be a warning.
707 *y *= x; // no-warning
708 }
709
710 // Test case for PR 12921. This previously produced
711 // a bogus warning.
712 static const int pr12921_arr[] = { 0, 1 };
713 static const int pr12921_arrcount = sizeof(pr12921_arr)/sizeof(int);
714
pr12921(int argc,char ** argv)715 int pr12921(int argc, char **argv) {
716 int i, retval;
717 for (i = 0; i < pr12921_arrcount; i++) {
718 if (argc == i) {
719 retval = i;
720 break;
721 }
722 }
723
724 // No match
725 if (i == pr12921_arrcount) return 66;
726 return pr12921_arr[retval];
727 }
728
729