1 // RUN: %clang_cc1 -triple i386-apple-darwin9 -analyze -analyzer-checker=core,alpha.core,debug.ExprInspection -analyzer-store=region -verify -fblocks -analyzer-opt-analyze-nested-blocks %s -fexceptions -fcxx-exceptions 2 // RUN: %clang_cc1 -triple x86_64-apple-darwin9 -analyze -analyzer-checker=core,alpha.core,debug.ExprInspection -analyzer-store=region -verify -fblocks -analyzer-opt-analyze-nested-blocks %s -fexceptions -fcxx-exceptions 3 4 void clang_analyzer_warnIfReached(); 5 6 // Test basic handling of references. 7 char &test1_aux(); 8 char *test1() { 9 return &test1_aux(); 10 } 11 12 // Test test1_aux() evaluates to char &. 13 char test1_as_rvalue() { 14 return test1_aux(); 15 } 16 17 // Test passing a value as a reference. The 'const' in test2_aux() adds 18 // an ImplicitCastExpr, which is evaluated as an lvalue. 19 int test2_aux(const int &n); 20 int test2(int n) { 21 return test2_aux(n); 22 } 23 24 int test2_b_aux(const short &n); 25 int test2_b(int n) { 26 return test2_b_aux(n); 27 } 28 29 // Test getting the lvalue of a derived and converting it to a base. This 30 // previously crashed. 31 class Test3_Base {}; 32 class Test3_Derived : public Test3_Base {}; 33 34 int test3_aux(Test3_Base &x); 35 int test3(Test3_Derived x) { 36 return test3_aux(x); 37 } 38 39 //===---------------------------------------------------------------------===// 40 // Test CFG support for C++ condition variables. 41 //===---------------------------------------------------------------------===// 42 43 int test_init_in_condition_aux(); 44 int test_init_in_condition() { 45 if (int x = test_init_in_condition_aux()) { // no-warning 46 return 1; 47 } 48 return 0; 49 } 50 51 int test_init_in_condition_switch() { 52 switch (int x = test_init_in_condition_aux()) { // no-warning 53 case 1: 54 return 0; 55 case 2: 56 if (x == 2) 57 return 0; 58 else { 59 clang_analyzer_warnIfReached(); // unreachable 60 } 61 default: 62 break; 63 } 64 return 0; 65 } 66 67 int test_init_in_condition_while() { 68 int z = 0; 69 while (int x = ++z) { // no-warning 70 if (x == 2) 71 break; 72 } 73 74 if (z == 2) 75 return 0; 76 77 clang_analyzer_warnIfReached(); // unreachable 78 return 0; 79 } 80 81 82 int test_init_in_condition_for() { 83 int z = 0; 84 for (int x = 0; int y = ++z; ++x) { 85 if (x == y) // no-warning 86 break; 87 } 88 if (z == 1) 89 return 0; 90 91 clang_analyzer_warnIfReached(); // unreachable 92 return 0; 93 } 94 95 //===---------------------------------------------------------------------===// 96 // Test handling of 'this' pointer. 97 //===---------------------------------------------------------------------===// 98 99 class TestHandleThis { 100 int x; 101 102 TestHandleThis(); 103 int foo(); 104 int null_deref_negative(); 105 int null_deref_positive(); 106 }; 107 108 int TestHandleThis::foo() { 109 // Assume that 'x' is initialized. 110 return x + 1; // no-warning 111 } 112 113 int TestHandleThis::null_deref_negative() { 114 x = 10; 115 if (x == 10) { 116 return 1; 117 } 118 clang_analyzer_warnIfReached(); // unreachable 119 return 0; 120 } 121 122 int TestHandleThis::null_deref_positive() { 123 x = 10; 124 if (x == 9) { 125 return 1; 126 } 127 clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}} 128 return 0; 129 } 130 131 // PR 7675 - passing literals by-reference 132 void pr7675(const double &a); 133 void pr7675(const int &a); 134 void pr7675(const char &a); 135 void pr7675_i(const _Complex double &a); 136 137 void pr7675_test() { 138 pr7675(10.0); 139 pr7675(10); 140 pr7675('c'); 141 pr7675_i(4.0i); 142 143 // Add check to ensure we are analyzing the code up to this point. 144 clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}} 145 } 146 147 // <rdar://problem/8375510> - CFGBuilder should handle temporaries. 148 struct R8375510 { 149 R8375510(); 150 ~R8375510(); 151 R8375510 operator++(int); 152 }; 153 154 int r8375510(R8375510 x, R8375510 y) { 155 for (; ; x++) { } 156 } 157 158 // PR8419 -- this used to crash. 159 160 class String8419 { 161 public: 162 char& get(int n); 163 char& operator[](int n); 164 }; 165 166 char& get8419(); 167 168 void Test8419() { 169 String8419 s; 170 ++(s.get(0)); 171 get8419()--; // used to crash 172 --s[0]; // used to crash 173 s[0] &= 1; // used to crash 174 s[0]++; // used to crash 175 } 176 177 // PR8426 -- this used to crash. 178 179 void Use(void* to); 180 181 template <class T> class Foo { 182 ~Foo(); 183 struct Bar; 184 Bar* bar_; 185 }; 186 187 template <class T> Foo<T>::~Foo() { 188 Use(bar_); 189 T::DoSomething(); 190 bar_->Work(); 191 } 192 193 // PR8427 -- this used to crash. 194 195 class Dummy {}; 196 197 bool operator==(Dummy, int); 198 199 template <typename T> 200 class Foo2 { 201 bool Bar(); 202 }; 203 204 template <typename T> 205 bool Foo2<T>::Bar() { 206 return 0 == T(); 207 } 208 209 // PR8433 -- this used to crash. 210 211 template <typename T> 212 class Foo3 { 213 public: 214 void Bar(); 215 void Baz(); 216 T value_; 217 }; 218 219 template <typename T> 220 void Foo3<T>::Bar() { 221 Baz(); 222 value_(); 223 } 224 225 //===---------------------------------------------------------------------===// 226 // Handle misc. C++ constructs. 227 //===---------------------------------------------------------------------===// 228 229 namespace fum { 230 int i = 3; 231 }; 232 233 void test_namespace() { 234 // Previously triggered a crash. 235 using namespace fum; 236 int x = i; 237 } 238 239 // Test handling methods that accept references as parameters, and that 240 // variables are properly invalidated. 241 class RDar9203355 { 242 bool foo(unsigned valA, long long &result) const; 243 bool foo(unsigned valA, int &result) const; 244 }; 245 bool RDar9203355::foo(unsigned valA, int &result) const { 246 long long val; 247 if (foo(valA, val) || 248 (int)val != val) // no-warning 249 return true; 250 result = val; // no-warning 251 return false; 252 } 253 254 // Test handling of new[]. 255 void rdar9212512() { 256 int *x = new int[10]; 257 for (unsigned i = 0 ; i < 2 ; ++i) { 258 // This previously triggered an uninitialized values warning. 259 x[i] = 1; // no-warning 260 } 261 } 262 263 // Test basic support for dynamic_cast<>. 264 struct Rdar9212495_C { virtual void bar() const; }; 265 class Rdar9212495_B : public Rdar9212495_C {}; 266 class Rdar9212495_A : public Rdar9212495_B {}; 267 const Rdar9212495_A& rdar9212495(const Rdar9212495_C* ptr) { 268 const Rdar9212495_A& val = dynamic_cast<const Rdar9212495_A&>(*ptr); 269 270 // This is not valid C++; dynamic_cast with a reference type will throw an 271 // exception if the pointer does not match the expected type. However, our 272 // implementation of dynamic_cast will pass through a null pointer...or a 273 // "null reference"! So this branch is actually possible. 274 if (&val == 0) { 275 val.bar(); // expected-warning{{Called C++ object pointer is null}} 276 } 277 278 return val; 279 } 280 281 const Rdar9212495_A* rdar9212495_ptr(const Rdar9212495_C* ptr) { 282 const Rdar9212495_A* val = dynamic_cast<const Rdar9212495_A*>(ptr); 283 284 if (val == 0) { 285 val->bar(); // expected-warning{{Called C++ object pointer is null}} 286 } 287 288 return val; 289 } 290 291 // Test constructors invalidating arguments. Previously this raised 292 // an uninitialized value warning. 293 extern "C" void __attribute__((noreturn)) PR9645_exit(int i); 294 295 class PR9645_SideEffect 296 { 297 public: 298 PR9645_SideEffect(int *pi); // caches pi in i_ 299 void Read(int *pi); // copies *pi into *i_ 300 private: 301 int *i_; 302 }; 303 304 void PR9645() { 305 int i; 306 307 PR9645_SideEffect se(&i); 308 int j = 1; 309 se.Read(&j); // this has a side-effect of initializing i. 310 311 PR9645_exit(i); // no-warning 312 } 313 314 PR9645_SideEffect::PR9645_SideEffect(int *pi) : i_(pi) {} 315 void PR9645_SideEffect::Read(int *pi) { *i_ = *pi; } 316 317 // Invalidate fields during C++ method calls. 318 class RDar9267815 { 319 int x; 320 void test(); 321 void test_pos(); 322 void test2(); 323 void invalidate(); 324 }; 325 326 void RDar9267815::test_pos() { 327 if (x == 42) 328 return; 329 clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}} 330 } 331 void RDar9267815::test() { 332 if (x == 42) 333 return; 334 if (x == 42) 335 clang_analyzer_warnIfReached(); // no-warning 336 } 337 338 void RDar9267815::test2() { 339 if (x == 42) 340 return; 341 invalidate(); 342 if (x == 42) 343 clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}} 344 } 345 346 // Test reference parameters. 347 void test_ref_double_aux(double &Value); 348 float test_ref_double() { 349 double dVal; 350 test_ref_double_aux(dVal); 351 // This previously warned because 'dVal' was thought to be uninitialized. 352 float Val = (float)dVal; // no-warning 353 return Val; 354 } 355 356 // Test invalidation of class fields. 357 class TestInvalidateClass { 358 public: 359 int x; 360 }; 361 362 void test_invalidate_class_aux(TestInvalidateClass &x); 363 364 int test_invalidate_class() { 365 TestInvalidateClass y; 366 test_invalidate_class_aux(y); 367 return y.x; // no-warning 368 } 369 370 // Test correct pointer arithmetic using 'p--'. This is to warn that we 371 // were loading beyond the written characters in buf. 372 char *RDar9269695(char *dst, unsigned int n) 373 { 374 char buff[40], *p; 375 376 p = buff; 377 do 378 *p++ = '0' + n % 10; 379 while (n /= 10); 380 381 do 382 *dst++ = *--p; // no-warning 383 while (p != buff); 384 385 return dst; 386 } 387 388 // Test that we invalidate byref arguments passed to constructors. 389 class TestInvalidateInCtor { 390 public: 391 TestInvalidateInCtor(unsigned &x); 392 }; 393 394 unsigned test_invalidate_in_ctor() { 395 unsigned x; 396 TestInvalidateInCtor foo(x); 397 return x; // no-warning 398 } 399 unsigned test_invalidate_in_ctor_new() { 400 unsigned x; 401 delete (new TestInvalidateInCtor(x)); 402 return x; // no-warning 403 } 404 405 // Test assigning into a symbolic offset. 406 struct TestAssignIntoSymbolicOffset { 407 int **stuff[100]; 408 void test(int x, int y); 409 }; 410 411 void TestAssignIntoSymbolicOffset::test(int x, int y) { 412 x--; 413 if (x > 8 || x < 0) 414 return; 415 if (stuff[x]) 416 return; 417 if (!stuff[x]) { 418 stuff[x] = new int*[y+1]; 419 // Previously triggered a null dereference. 420 stuff[x][y] = 0; // no-warning 421 } 422 } 423 424 // Test loads from static fields. This previously triggered an uninitialized 425 // value warning. 426 class ClassWithStatic { 427 public: 428 static const unsigned value = 1; 429 }; 430 431 int rdar9948787_negative() { 432 ClassWithStatic classWithStatic; 433 unsigned value = classWithStatic.value; 434 if (value == 1) 435 return 1; 436 clang_analyzer_warnIfReached(); // no-warning 437 return 0; 438 } 439 440 int rdar9948787_positive() { 441 ClassWithStatic classWithStatic; 442 unsigned value = classWithStatic.value; 443 if (value == 0) 444 return 1; 445 clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}} 446 return 0; 447 } 448 449 // Regression test against global constants and switches. 450 enum rdar10202899_ValT { rdar10202899_ValTA, rdar10202899_ValTB, rdar10202899_ValTC }; 451 const rdar10202899_ValT val = rdar10202899_ValTA; 452 void rdar10202899_test1() { 453 switch (val) { 454 case rdar10202899_ValTA: {} 455 }; 456 } 457 458 void rdar10202899_test2() { 459 if (val == rdar10202899_ValTA) 460 return; 461 clang_analyzer_warnIfReached(); // no-warning 462 } 463 464 void rdar10202899_test3() { 465 switch (val) { 466 case rdar10202899_ValTA: return; 467 default: ; 468 }; 469 clang_analyzer_warnIfReached(); // no-warning 470 } 471 472 // This used to crash the analyzer because of the unnamed bitfield. 473 void PR11249() 474 { 475 struct { 476 char f1:4; 477 char :4; 478 char f2[1]; 479 char f3; 480 } V = { 1, {2}, 3 }; 481 if (V.f1 != 1) 482 clang_analyzer_warnIfReached(); // no-warning 483 if (V.f2[0] != 2) 484 clang_analyzer_warnIfReached(); // no-warning 485 if (V.f3 != 3) 486 clang_analyzer_warnIfReached(); // no-warning 487 } 488 489 // Handle doing a load from the memory associated with the code for 490 // a function. 491 extern double nan( const char * ); 492 double PR11450() { 493 double NaN = *(double*) nan; 494 return NaN; 495 } 496 497 // Test that 'this' is assumed non-null upon analyzing the entry to a "top-level" 498 // function (i.e., when not analyzing from a specific caller). 499 struct TestNullThis { 500 int field; 501 void test(); 502 }; 503 504 void TestNullThis::test() { 505 int *p = &field; 506 if (p) 507 return; 508 field = 2; // no-warning 509 } 510 511 // Test handling of 'catch' exception variables, and not warning 512 // about uninitialized values. 513 enum MyEnum { MyEnumValue }; 514 MyEnum rdar10892489() { 515 try { 516 throw MyEnumValue; 517 } catch (MyEnum e) { 518 return e; // no-warning 519 } 520 return MyEnumValue; 521 } 522 523 MyEnum rdar10892489_positive() { 524 try { 525 throw MyEnumValue; 526 } catch (MyEnum e) { 527 int *p = 0; 528 // FALSE NEGATIVE 529 *p = 0xDEADBEEF; // {{null}} 530 return e; 531 } 532 return MyEnumValue; 533 } 534 535 // Test handling of catch with no condition variable. 536 void PR11545() { 537 try 538 { 539 throw; 540 } 541 catch (...) 542 { 543 } 544 } 545 546 void PR11545_positive() { 547 try 548 { 549 throw; 550 } 551 catch (...) 552 { 553 int *p = 0; 554 // FALSE NEGATIVE 555 *p = 0xDEADBEEF; // {{null}} 556 } 557 } 558 559 // Test handling taking the address of a field. While the analyzer 560 // currently doesn't do anything intelligent here, this previously 561 // resulted in a crash. 562 class PR11146 { 563 public: 564 struct Entry; 565 void baz(); 566 }; 567 568 struct PR11146::Entry { 569 int x; 570 }; 571 572 void PR11146::baz() { 573 (void) &Entry::x; 574 } 575 576 // Test symbolicating a reference. In this example, the 577 // analyzer (originally) didn't know how to handle x[index - index2], 578 // returning an UnknownVal. The conjured symbol wasn't a location, 579 // and would result in a crash. 580 void rdar10924675(unsigned short x[], int index, int index2) { 581 unsigned short &y = x[index - index2]; 582 if (y == 0) 583 return; 584 } 585 586 // Test handling CXXScalarValueInitExprs. 587 void rdar11401827() { 588 int x = int(); 589 if (!x) { 590 clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}} 591 } 592 else { 593 clang_analyzer_warnIfReached(); // no-warning 594 } 595 } 596 597 //===---------------------------------------------------------------------===// 598 // Handle inlining of C++ method calls. 599 //===---------------------------------------------------------------------===// 600 601 struct A { 602 int *p; 603 void foo(int *q) { 604 p = q; 605 } 606 void bar() { 607 *p = 0; // expected-warning {{null pointer}} 608 } 609 }; 610 611 void test_inline() { 612 A a; 613 a.foo(0); 614 a.bar(); 615 } 616 617 void test_alloca_in_a_recursive_function(int p1) { 618 __builtin_alloca (p1); 619 test_alloca_in_a_recursive_function(1); 620 test_alloca_in_a_recursive_function(2); 621 } 622 623 //===---------------------------------------------------------------------===// 624 // Random tests. 625 //===---------------------------------------------------------------------===// 626 627 // Tests assigning using a C-style initializer to a struct 628 // variable whose sub-field is also a struct. This currently 629 // results in a CXXTempObjectRegion being created, but not 630 // properly handled. For now, we just ignore that value 631 // to avoid a crash (<rdar://problem/12753384>). 632 struct RDar12753384_ClassA { 633 unsigned z; 634 }; 635 struct RDar12753384_ClassB { 636 unsigned x; 637 RDar12753384_ClassA y[ 8 ] ; 638 }; 639 unsigned RDar12753384() { 640 RDar12753384_ClassB w = { 0x00 }; 641 RDar12753384_ClassA y[8]; 642 return w.x; 643 } 644 645 // This testcase tests whether we treat the anonymous union and union 646 // the same way. This previously resulted in a "return of stack address" 647 // warning because the anonymous union resulting in a temporary object 648 // getting put into the initializer. We still aren't handling this correctly, 649 // but now if a temporary object appears in an initializer we just ignore it. 650 // Fixes <rdar://problem/12755044>. 651 652 struct Rdar12755044_foo 653 { 654 struct Rdar12755044_bar 655 { 656 union baz 657 { 658 int i; 659 }; 660 } aBar; 661 }; 662 663 struct Rdar12755044_foo_anon 664 { 665 struct Rdar12755044_bar 666 { 667 union 668 { 669 int i; 670 }; 671 } aBar; 672 }; 673 674 const Rdar12755044_foo_anon *radar12755044_anon() { 675 static const Rdar12755044_foo_anon Rdar12755044_foo_list[] = { { { } } }; 676 return Rdar12755044_foo_list; // no-warning 677 } 678 679 const Rdar12755044_foo *radar12755044() { 680 static const Rdar12755044_foo Rdar12755044_foo_list[] = { { { } } }; 681 return Rdar12755044_foo_list; // no-warning 682 } 683 684 // Test the correct handling of integer to bool conversions. Previously 685 // this resulted in a false positive because integers were being truncated 686 // and not tested for non-zero. 687 void rdar12759044() { 688 int flag = 512; 689 if (!(flag & 512)) { 690 clang_analyzer_warnIfReached(); // no-warning 691 } 692 } 693 694 // The analyzer currently does not model complex types. Test that the load 695 // from 'x' is not flagged as being uninitialized. 696 typedef __complex__ float _ComplexT; 697 void rdar12964481(_ComplexT *y) { 698 _ComplexT x; 699 __real__ x = 1.0; 700 __imag__ x = 1.0; 701 *y *= x; // no-warning 702 } 703 void rdar12964481_b(_ComplexT *y) { 704 _ComplexT x; 705 // Eventually this should be a warning. 706 *y *= x; // no-warning 707 } 708 709 // Test case for PR 12921. This previously produced 710 // a bogus warning. 711 static const int pr12921_arr[] = { 0, 1 }; 712 static const int pr12921_arrcount = sizeof(pr12921_arr)/sizeof(int); 713 714 int pr12921(int argc, char **argv) { 715 int i, retval; 716 for (i = 0; i < pr12921_arrcount; i++) { 717 if (argc == i) { 718 retval = i; 719 break; 720 } 721 } 722 723 // No match 724 if (i == pr12921_arrcount) return 66; 725 return pr12921_arr[retval]; 726 } 727 728