1// NOTE: Use '-fobjc-gc' to test the analysis being run twice, and multiple reports are not issued.
2// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-checker=core,alpha.deadcode.IdempotentOperations,alpha.core,osx.cocoa.AtSync -analyzer-store=region -analyzer-constraints=range -verify -fblocks -Wno-unreachable-code -Wno-null-dereference -Wno-objc-root-class %s
3// RUN: %clang_cc1 -triple x86_64-apple-darwin10 -analyze -analyzer-checker=core,alpha.deadcode.IdempotentOperations,alpha.core,osx.cocoa.AtSync -analyzer-store=region -analyzer-constraints=range -verify -fblocks -Wno-unreachable-code -Wno-null-dereference -Wno-objc-root-class %s
4
5#ifndef __clang_analyzer__
6#error __clang_analyzer__ not defined
7#endif
8
9typedef struct objc_ivar *Ivar;
10typedef struct objc_selector *SEL;
11typedef signed char BOOL;
12typedef int NSInteger;
13typedef unsigned int NSUInteger;
14typedef struct _NSZone NSZone;
15@class NSInvocation, NSArray, NSMethodSignature, NSCoder, NSString, NSEnumerator;
16@protocol NSObject
17- (BOOL)isEqual:(id)object;
18- (id)autorelease;
19@end
20@protocol NSCopying
21- (id)copyWithZone:(NSZone *)zone;
22@end
23@protocol NSMutableCopying  - (id)mutableCopyWithZone:(NSZone *)zone; @end
24@protocol NSCoding
25- (void)encodeWithCoder:(NSCoder *)aCoder;
26@end
27@interface NSObject <NSObject> {}
28- (id)init;
29+ (id)allocWithZone:(NSZone *)zone;
30@end
31extern id NSAllocateObject(Class aClass, NSUInteger extraBytes, NSZone *zone);
32@interface NSString : NSObject <NSCopying, NSMutableCopying, NSCoding>
33- (NSUInteger)length;
34+ (id)stringWithUTF8String:(const char *)nullTerminatedCString;
35@end extern NSString * const NSBundleDidLoadNotification;
36@interface NSValue : NSObject <NSCopying, NSCoding>
37- (void)getValue:(void *)value;
38@end
39@interface NSNumber : NSValue
40- (char)charValue;
41- (id)initWithBool:(BOOL)value;
42@end
43@interface NSAssertionHandler : NSObject {}
44+ (NSAssertionHandler *)currentHandler;
45- (void)handleFailureInMethod:(SEL)selector object:(id)object file:(NSString *)fileName lineNumber:(NSInteger)line description:(NSString *)format,...;
46@end
47extern NSString * const NSConnectionReplyMode;
48typedef float CGFloat;
49typedef struct _NSPoint {
50    CGFloat x;
51    CGFloat y;
52} NSPoint;
53typedef struct _NSSize {
54    CGFloat width;
55    CGFloat height;
56} NSSize;
57typedef struct _NSRect {
58    NSPoint origin;
59    NSSize size;
60} NSRect;
61
62// Reduced test case from crash in <rdar://problem/6253157>
63@interface A @end
64@implementation A
65- (void)foo:(void (^)(NSObject *x))block {
66  if (!((block != ((void *)0)))) {}
67}
68@end
69
70// Reduced test case from crash in PR 2796;
71//  http://llvm.org/bugs/show_bug.cgi?id=2796
72
73unsigned foo(unsigned x) { return __alignof__((x)) + sizeof(x); }
74
75// Improvement to path-sensitivity involving compound assignments.
76//  Addresses false positive in <rdar://problem/6268365>
77//
78
79unsigned r6268365Aux();
80
81void r6268365() {
82  unsigned x = 0;
83  x &= r6268365Aux(); // expected-warning{{The left operand to '&=' is always 0}}
84  unsigned j = 0;
85
86  if (x == 0) ++j;
87  if (x == 0) x = x / j; // expected-warning{{Assigned value is always the same as the existing value}} expected-warning{{The right operand to '/' is always 1}}
88}
89
90void divzeroassume(unsigned x, unsigned j) {
91  x /= j;
92  if (j == 0) x /= 0;     // no static-analyzer warning    expected-warning {{division by zero is undefined}}
93  if (j == 0) x /= j;     // no static-analyzer warning
94  if (j == 0) x = x / 0;  // no static-analyzer warning    expected-warning {{division by zero is undefined}}
95}
96
97void divzeroassumeB(unsigned x, unsigned j) {
98  x = x / j;
99  if (j == 0) x /= 0;     // no static-analyzer warning     expected-warning {{division by zero is undefined}}
100  if (j == 0) x /= j;     // no static-analyzer warning
101  if (j == 0) x = x / 0;  // no static-analyzer warning     expected-warning {{division by zero is undefined}}
102}
103
104// InitListExpr processing
105
106typedef float __m128 __attribute__((__vector_size__(16), __may_alias__));
107__m128 return128() {
108  // This compound literal has a Vector type.  We currently just
109  // return UnknownVal.
110  return __extension__(__m128) { 0.0f, 0.0f, 0.0f, 0.0f };
111}
112
113typedef long long __v2di __attribute__ ((__vector_size__ (16)));
114typedef long long __m128i __attribute__ ((__vector_size__ (16), __may_alias__));
115__m128i vec128i(long long __q1, long long __q0) {
116  // This compound literal returns true for both isVectorType() and
117  // isIntegerType().
118  return __extension__ (__m128i)(__v2di){ __q0, __q1 };
119}
120
121// Zero-sized VLAs.
122void check_zero_sized_VLA(int x) {
123  if (x)
124    return;
125
126  int vla[x]; // expected-warning{{Declared variable-length array (VLA) has zero size}}
127}
128
129void check_uninit_sized_VLA() {
130  int x;
131  int vla[x]; // expected-warning{{Declared variable-length array (VLA) uses a garbage value as its size}}
132}
133
134// sizeof(void)
135// - Tests a regression reported in PR 3211: http://llvm.org/bugs/show_bug.cgi?id=3211
136void handle_sizeof_void(unsigned flag) {
137  int* p = 0;
138
139  if (flag) {
140    if (sizeof(void) == 1)
141      return;
142    // Infeasible.
143    *p = 1; // no-warning
144  }
145
146  void* q;
147
148  if (!flag) {
149    if (sizeof(*q) == 1)
150      return;
151    // Infeasibe.
152    *p = 1; // no-warning
153  }
154
155  // Infeasible.
156  *p = 1; // no-warning
157}
158
159// check deference of undefined values
160void check_deref_undef(void) {
161  int *p;
162  *p = 0xDEADBEEF; // expected-warning{{Dereference of undefined pointer value}}
163}
164
165// PR 3422
166void pr3422_helper(char *p);
167void pr3422() {
168  char buf[100];
169  char *q = &buf[10];
170  pr3422_helper(&q[1]);
171}
172
173// PR 3543 (handle empty statement expressions)
174void pr_3543(void) {
175  ({});
176}
177
178// <rdar://problem/6611677>
179// This test case test the use of a vector type within an array subscript
180// expression.
181typedef long long __a64vector __attribute__((__vector_size__(8)));
182typedef long long __a128vector __attribute__((__vector_size__(16)));
183static inline __a64vector __attribute__((__always_inline__, __nodebug__))
184my_test_mm_movepi64_pi64(__a128vector a) {
185  return (__a64vector)a[0];
186}
187
188// Test basic tracking of ivars associated with 'self'.
189@interface SelfIvarTest : NSObject {
190  int flag;
191}
192- (void)test_self_tracking;
193@end
194
195@implementation SelfIvarTest
196- (void)test_self_tracking {
197  char *p = 0;
198  char c;
199
200  if (flag)
201    p = "hello";
202
203  if (flag)
204    c = *p; // no-warning
205}
206@end
207
208// PR 3770
209char pr3770(int x) {
210  int y = x & 0x2;
211  char *p = 0;
212  if (y == 1)
213    p = "hello";
214
215  if (y == 1)
216    return p[0]; // no-warning
217
218  return 'a';
219}
220
221// PR 3772
222// - We just want to test that this doesn't crash the analyzer.
223typedef struct st ST;
224struct st { char *name; };
225extern ST *Cur_Pu;
226
227void pr3772(void)
228{
229  static ST *last_Cur_Pu;
230  if (last_Cur_Pu == Cur_Pu) {
231    return;
232  }
233}
234
235// PR 3780 - This tests that StmtIterator isn't broken for VLAs in DeclGroups.
236void pr3780(int sz) { typedef double MAT[sz][sz]; }
237
238// <rdar://problem/6695527> - Test that we don't symbolicate doubles before
239// we are ready to do something with them.
240int rdar6695527(double x) {
241  if (!x) { return 0; }
242  return 1;
243}
244
245// <rdar://problem/6708148> - Test that we properly invalidate structs
246//  passed-by-reference to a function.
247void pr6708148_invalidate(NSRect *x);
248void pr6708148_use(NSRect x);
249void pr6708148_test(void) {
250  NSRect x;
251  pr6708148_invalidate(&x);
252  pr6708148_use(x); // no-warning
253}
254
255// Handle both kinds of noreturn attributes for pruning paths.
256void rdar_6777003_noret() __attribute__((noreturn));
257void rdar_6777003_analyzer_noret() __attribute__((analyzer_noreturn));
258
259void rdar_6777003(int x) {
260  int *p = 0;
261
262  if (x == 1) {
263    rdar_6777003_noret();
264    *p = 1; // no-warning;
265  }
266
267  if (x == 2) {
268    rdar_6777003_analyzer_noret();
269    *p = 1; // no-warning;
270  }
271
272  *p = 1; // expected-warning{{Dereference of null pointer}}
273}
274
275// Check that the pointer-to-conts arguments do not get invalidated by Obj C
276// interfaces. radar://10595327
277int rdar_10595327(char *str) {
278  char fl = str[0];
279  int *p = 0;
280  NSString *s = [NSString stringWithUTF8String:str];
281  if (str[0] != fl)
282      return *p; // no-warning
283  return 0;
284}
285
286// For pointer arithmetic, --/++ should be treated as preserving non-nullness,
287// regardless of how well the underlying StoreManager reasons about pointer
288// arithmetic.
289// <rdar://problem/6777209>
290void rdar_6777209(char *p) {
291  if (p == 0)
292    return;
293
294  ++p;
295
296  // This branch should always be infeasible.
297  if (p == 0)
298    *p = 'c'; // no-warning
299}
300
301// PR 4033.  A symbolic 'void *' pointer can be used as the address for a
302// computed goto.
303typedef void *Opcode;
304Opcode pr_4033_getOpcode();
305void pr_4033(void) {
306  void *lbl = &&next_opcode;
307next_opcode:
308  {
309    Opcode op = pr_4033_getOpcode();
310    if (op) goto *op;
311  }
312}
313
314// Test invalidating pointers-to-pointers with slightly different types.  This
315// example came from a recent false positive due to a regression where the
316// branch condition was falsely reported as being uninitialized.
317void invalidate_by_ref(char **x);
318int test_invalidate_by_ref() {
319  unsigned short y;
320  invalidate_by_ref((char**) &y);
321  if (y) // no-warning
322    return 1;
323  return 0;
324}
325
326// Test for <rdar://problem/7027684>.  This just tests that the CFG is
327// constructed correctly.  Previously, the successor block of the entrance
328// was the block containing the merge for '?', which would trigger an
329// assertion failure.
330int rdar_7027684_aux();
331int rdar_7027684_aux_2() __attribute__((noreturn));
332void rdar_7027684(int x, int y) {
333  {}; // this empty compound statement is critical.
334  (rdar_7027684_aux() ? rdar_7027684_aux_2() : (void) 0);
335}
336
337// Test that we handle casts of string literals to arbitrary types.
338unsigned const char *string_literal_test1() {
339  return (const unsigned char*) "hello";
340}
341
342const float *string_literal_test2() {
343  return (const float*) "hello";
344}
345
346// Test that we handle casts *from* incomplete struct types.
347extern const struct _FooAssertStruct _cmd;
348void test_cast_from_incomplete_struct_aux(volatile const void *x);
349void test_cast_from_incomplete_struct() {
350  test_cast_from_incomplete_struct_aux(&_cmd);
351}
352
353// Test for <rdar://problem/7034511>
354//  "ValueManager::makeIntVal(uint64_t X, QualType T) should return a 'Loc'
355//   when 'T' is a pointer"
356//
357// Previously this case would crash.
358void test_rdar_7034511(NSArray *y) {
359  NSObject *x;
360  for (x in y) {}
361  if (x == ((void*) 0)) {}
362}
363
364// Handle casts of function pointers (CodeTextRegions) to arbitrary pointer
365// types. This was previously causing a crash in CastRegion.
366void handle_funcptr_voidptr_casts() {
367  void **ptr;
368  typedef void *PVOID;
369  typedef void *PCHAR;
370  typedef long INT_PTR, *PINT_PTR;
371  typedef INT_PTR (*FARPROC)();
372  FARPROC handle_funcptr_voidptr_casts_aux();
373  PVOID handle_funcptr_voidptr_casts_aux_2(PVOID volatile *x);
374  PVOID handle_funcptr_voidptr_casts_aux_3(PCHAR volatile *x);
375
376  ptr = (void**) handle_funcptr_voidptr_casts_aux();
377  handle_funcptr_voidptr_casts_aux_2(ptr);
378  handle_funcptr_voidptr_casts_aux_3(ptr);
379}
380
381// RegionStore::Retrieve previously crashed on this example.  This example
382// was previously in the test file 'xfail_regionstore_wine_crash.c'.
383void testA() {
384  long x = 0;
385  char *y = (char *) &x;
386  if (!*y)
387    return;
388}
389
390// RegionStoreManager previously crashed on this example.  The problem is that
391// the value bound to the field of b->grue after the call to testB_aux is
392// a symbolic region.  The second '*__gruep__' involves performing a load
393// from a 'int*' that really is a 'void**'.  The loaded location must be
394// implicitly converted to an integer that wraps a location.  Previosly we would
395// get a crash here due to an assertion failure.
396typedef struct _BStruct { void *grue; } BStruct;
397void testB_aux(void *ptr);
398void testB(BStruct *b) {
399  {
400    int *__gruep__ = ((int *)&((b)->grue));
401    int __gruev__ = *__gruep__;
402    testB_aux(__gruep__);
403  }
404  {
405    int *__gruep__ = ((int *)&((b)->grue));
406    int __gruev__ = *__gruep__;
407    if (~0 != __gruev__) {}
408  }
409}
410
411void test_trivial_symbolic_comparison(int *x) {
412  int test_trivial_symbolic_comparison_aux();
413  int a = test_trivial_symbolic_comparison_aux();
414  int b = a;
415  if (a != b) { // expected-warning{{Both operands to '!=' always have the same value}}
416    int *p = 0;
417    *p = 0xDEADBEEF;     // no-warning
418  }
419
420  a = a == 1;
421  b = b == 1;
422  if (a != b) { // expected-warning{{Both operands to '!=' always have the same value}}
423    int *p = 0;
424    *p = 0xDEADBEEF;     // no-warning
425  }
426}
427
428// Test for:
429//  <rdar://problem/7062158> false positive null dereference due to
430//   BasicStoreManager not tracking *static* globals
431//
432// This just tests the proper tracking of symbolic values for globals (both
433// static and non-static).
434//
435static int* x_rdar_7062158;
436void rdar_7062158() {
437  int *current = x_rdar_7062158;
438  if (current == x_rdar_7062158)
439    return;
440
441  int *p = 0;
442  *p = 0xDEADBEEF; // no-warning
443}
444
445int* x_rdar_7062158_2;
446void rdar_7062158_2() {
447  int *current = x_rdar_7062158_2;
448  if (current == x_rdar_7062158_2)
449    return;
450
451  int *p = 0;
452  *p = 0xDEADBEEF; // no-warning
453}
454
455// This test reproduces a case for a crash when analyzing ClamAV using
456// RegionStoreManager (the crash doesn't exhibit in BasicStoreManager because
457// it isn't doing anything smart about arrays).  The problem is that on the
458// second line, 'p = &p[i]', p is assigned an ElementRegion whose index
459// is a 16-bit integer.  On the third line, a new ElementRegion is created
460// based on the previous region, but there the region uses a 32-bit integer,
461// resulting in a clash of values (an assertion failure at best).  We resolve
462// this problem by implicitly converting index values to 'int' when the
463// ElementRegion is created.
464unsigned char test_array_index_bitwidth(const unsigned char *p) {
465  unsigned short i = 0;
466  for (i = 0; i < 2; i++) p = &p[i];
467  return p[i+1];
468}
469
470// This case tests that CastRegion handles casts involving BlockPointerTypes.
471// It should not crash.
472void test_block_cast() {
473  id test_block_cast_aux();
474  (void (^)(void *))test_block_cast_aux(); // expected-warning{{expression result unused}}
475}
476
477int OSAtomicCompareAndSwap32Barrier();
478
479// Test comparison of 'id' instance variable to a null void* constant after
480// performing an OSAtomicCompareAndSwap32Barrier.
481// This previously was a crash in RegionStoreManager.
482@interface TestIdNull {
483  id x;
484}
485-(int)foo;
486@end
487@implementation TestIdNull
488-(int)foo {
489  OSAtomicCompareAndSwap32Barrier(0, (signed)2, (signed*)&x);
490  if (x == (void*) 0) { return 0; }
491  return 1;
492}
493@end
494
495// Do not crash when performing compare and swap on symbolic values.
496typedef int int32_t;
497typedef int int32;
498typedef int32 Atomic32;
499int OSAtomicCompareAndSwap32( int32_t __oldValue, int32_t __newValue, volatile int32_t *__theValue);
500void radar11390991_NoBarrier_CompareAndSwap(volatile Atomic32 *ptr,
501                              Atomic32 old_value,
502                              Atomic32 new_value) {
503  OSAtomicCompareAndSwap32(old_value, new_value, ptr);
504}
505
506// PR 4594 - This was a crash when handling casts in SimpleSValuator.
507void PR4594() {
508  char *buf[1];
509  char **foo = buf;
510  *foo = "test";
511}
512
513// Test invalidation logic where an integer is casted to an array with a
514// different sign and then invalidated.
515void test_invalidate_cast_int() {
516  void test_invalidate_cast_int_aux(unsigned *i);
517  signed i;
518  test_invalidate_cast_int_aux((unsigned*) &i);
519  if (i < 0)
520    return;
521}
522
523int ivar_getOffset();
524
525// Reduced from a crash involving the cast of an Objective-C symbolic region to
526// 'char *'
527static NSNumber *test_ivar_offset(id self, SEL _cmd, Ivar inIvar) {
528  return [[[NSNumber allocWithZone:((void*)0)] initWithBool:*(_Bool *)((char *)self + ivar_getOffset(inIvar))] autorelease];
529}
530
531// Reduced from a crash in StoreManager::CastRegion involving a divide-by-zero.
532// This resulted from not properly handling region casts to 'const void*'.
533void test_cast_const_voidptr() {
534  char x[10];
535  char *p = &x[1];
536  const void* q = p;
537}
538
539// Reduced from a crash when analyzing Wine.  This test handles loads from
540// function addresses.
541typedef long (*FARPROC)();
542FARPROC test_load_func(FARPROC origfun) {
543  if (!*(unsigned char*) origfun)
544    return origfun;
545  return 0;
546}
547
548// Test passing-by-value an initialized struct variable.
549struct test_pass_val {
550  int x;
551  int y;
552};
553void test_pass_val_aux(struct test_pass_val s);
554void test_pass_val() {
555  struct test_pass_val s;
556  s.x = 1;
557  s.y = 2;
558  test_pass_val_aux(s);
559}
560
561// This is a reduced test case of a false positive that previously appeared
562// in RegionStoreManager.  Previously the array access resulted in dereferencing
563// an undefined value.
564int test_array_compound(int *q, int *r, int *z) {
565  int *array[] = { q, r, z };
566  int j = 0;
567  for (unsigned i = 0; i < 3 ; ++i)
568    if (*array[i]) ++j; // no-warning
569  return j;
570}
571
572// symbolic value stored in 'x' wouldn't be implicitly casted to a signed value
573// during the comparison.
574int rdar_7124210(unsigned int x) {
575  enum { SOME_CONSTANT = 123 };
576  int compare = ((signed) SOME_CONSTANT) == *((signed *) &x);
577  return compare ? 0 : 1; // Forces the evaluation of the symbolic constraint.
578}
579
580void pr4781(unsigned long *raw1) {
581  unsigned long *cook, *raw0;
582  unsigned long dough[32];
583  int i;
584  cook = dough;
585  for( i = 0; i < 16; i++, raw1++ ) {
586    raw0 = raw1++;
587    *cook = (*raw0 & 0x00fc0000L) << 6;
588    *cook |= (*raw0 & 0x00000fc0L) << 10;
589  }
590}
591
592// <rdar://problem/7185647> - 'self' should be treated as being non-null
593// upon entry to an objective-c method.
594@interface RDar7185647
595- (id)foo;
596@end
597@implementation RDar7185647
598- (id) foo {
599  if (self)
600    return self;
601  *((volatile int *) 0x0) = 0xDEADBEEF; // no-warning
602  return self;
603}
604@end
605
606// Test reasoning of __builtin_offsetof;
607struct test_offsetof_A {
608  int x;
609  int y;
610};
611struct test_offsetof_B {
612  int w;
613  int z;
614};
615void test_offsetof_1() {
616  if (__builtin_offsetof(struct test_offsetof_A, x) ==
617      __builtin_offsetof(struct test_offsetof_B, w))
618    return;
619  int *p = 0;
620  *p = 0xDEADBEEF; // no-warning
621}
622void test_offsetof_2() {
623  if (__builtin_offsetof(struct test_offsetof_A, y) ==
624      __builtin_offsetof(struct test_offsetof_B, z))
625    return;
626  int *p = 0;
627  *p = 0xDEADBEEF; // no-warning
628}
629void test_offsetof_3() {
630  if (__builtin_offsetof(struct test_offsetof_A, y) -
631      __builtin_offsetof(struct test_offsetof_A, x)
632      ==
633      __builtin_offsetof(struct test_offsetof_B, z) -
634      __builtin_offsetof(struct test_offsetof_B, w))
635    return;
636  int *p = 0;
637  *p = 0xDEADBEEF; // no-warning
638}
639void test_offsetof_4() {
640  if (__builtin_offsetof(struct test_offsetof_A, y) ==
641      __builtin_offsetof(struct test_offsetof_B, w))
642    return;
643  int *p = 0;
644  *p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}}
645}
646
647// <rdar://problem/6829164> "nil receiver" false positive: make tracking
648// of the MemRegion for 'self' path-sensitive
649@interface RDar6829164 : NSObject {
650  double x; int y;
651}
652- (id) init;
653@end
654
655id rdar_6829164_1();
656double rdar_6829164_2();
657
658@implementation RDar6829164
659- (id) init {
660  if((self = [super init]) != 0) {
661    id z = rdar_6829164_1();
662    y = (z != 0);
663    if (y)
664      x = rdar_6829164_2();
665  }
666  return self;
667}
668@end
669
670// <rdar://problem/7242015> - Invalidate values passed-by-reference
671// to functions when the pointer to the value is passed as an integer.
672void test_7242015_aux(unsigned long);
673int rdar_7242015() {
674  int x;
675  test_7242015_aux((unsigned long) &x); // no-warning
676  return x; // Previously we return and uninitialized value when
677            // using RegionStore.
678}
679
680// <rdar://problem/7242006> [RegionStore] compound literal assignment with
681//  floats not honored
682CGFloat rdar7242006(CGFloat x) {
683  NSSize y = (NSSize){x, 10};
684  return y.width; // no-warning
685}
686
687// PR 4988 - This test exhibits a case where a function can be referenced
688//  when not explicitly used in an "lvalue" context (as far as the analyzer is
689//  concerned). This previously triggered a crash due to an invalid assertion.
690void pr_4988(void) {
691  pr_4988; // expected-warning{{expression result unused}}
692}
693
694// <rdar://problem/7152418> - A 'signed char' is used as a flag, which is
695//  implicitly converted to an int.
696void *rdar7152418_bar();
697@interface RDar7152418 {
698  signed char x;
699}
700-(char)foo;
701@end;
702@implementation RDar7152418
703-(char)foo {
704  char *p = 0;
705  void *result = 0;
706  if (x) {
707    result = rdar7152418_bar();
708    p = "hello";
709  }
710  if (!result) {
711    result = rdar7152418_bar();
712    if (result && x)
713      return *p; // no-warning
714  }
715  return 1;
716}
717
718//===----------------------------------------------------------------------===//
719// Test constant-folding of symbolic values, automatically handling type
720// conversions of the symbol as necessary.
721//===----------------------------------------------------------------------===//
722
723// Previously this would crash once we started eagerly evaluating symbols whose
724// values were constrained to a single value.
725void test_symbol_fold_1(signed char x) {
726  while (1) {
727    if (x == ((signed char) 0)) {}
728  }
729}
730
731// This previously caused a crash because it triggered an assertion in APSInt.
732void test_symbol_fold_2(unsigned int * p, unsigned int n,
733                        const unsigned int * grumpkin, unsigned int dn) {
734  unsigned int i;
735  unsigned int tempsub[8];
736  unsigned int *solgrumpkin = tempsub + n;
737  for (i = 0; i < n; i++)
738    solgrumpkin[i] = (i < dn) ? ~grumpkin[i] : 0xFFFFFFFF;
739  for (i <<= 5; i < (n << 5); i++) {}
740}
741
742// This previously caused a crash because it triggered an assertion in APSInt.
743// 'x' would evaluate to a 8-bit constant (because of the return value of
744// test_symbol_fold_3_aux()) which would not get properly promoted to an
745// integer.
746char test_symbol_fold_3_aux(void);
747unsigned test_symbol_fold_3(void) {
748  unsigned x = test_symbol_fold_3_aux();
749  if (x == 54)
750    return (x << 8) | 0x5;
751  return 0;
752}
753
754//===----------------------------------------------------------------------===//
755// Tests for the warning of casting a non-struct type to a struct type
756//===----------------------------------------------------------------------===//
757
758typedef struct {unsigned int v;} NSSwappedFloat;
759
760NSSwappedFloat test_cast_nonstruct_to_struct(float x) {
761  struct hodor {
762    float number;
763    NSSwappedFloat sf;
764  };
765  return ((struct hodor *)&x)->sf; // expected-warning{{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption}}
766}
767
768NSSwappedFloat test_cast_nonstruct_to_union(float x) {
769  union bran {
770    float number;
771    NSSwappedFloat sf;
772  };
773  return ((union bran *)&x)->sf; // no-warning
774}
775
776void test_undefined_array_subscript() {
777  int i, a[10];
778  int *p = &a[i]; // expected-warning{{Array subscript is undefined}}
779}
780@end
781
782//===----------------------------------------------------------------------===//
783// Test using an uninitialized value as a branch condition.
784//===----------------------------------------------------------------------===//
785
786int test_uninit_branch(void) {
787  int x;
788  if (x) // expected-warning{{Branch condition evaluates to a garbage value}}
789    return 1;
790  return 0;
791}
792
793int test_uninit_branch_b(void) {
794  int x;
795  return x ? 1 : 0; // expected-warning{{Branch condition evaluates to a garbage value}}
796}
797
798int test_uninit_branch_c(void) {
799  int x;
800  if ((short)x) // expected-warning{{Branch condition evaluates to a garbage value}}
801    return 1;
802  return 0;
803}
804
805//===----------------------------------------------------------------------===//
806// Test passing an undefined value in a message or function call.
807//===----------------------------------------------------------------------===//
808
809void test_bad_call_aux(int x);
810void test_bad_call(void) {
811  int y;
812  test_bad_call_aux(y); // expected-warning{{Function call argument is an uninitialized value}}
813}
814
815@interface TestBadArg {}
816- (void) testBadArg:(int) x;
817@end
818
819void test_bad_msg(TestBadArg *p) {
820  int y;
821  [p testBadArg:y]; // expected-warning{{Argument in message expression is an uninitialized value}}
822}
823
824//===----------------------------------------------------------------------===//
825// PR 6033 - Test emitting the correct output in a warning where we use '%'
826//  with operands that are undefined.
827//===----------------------------------------------------------------------===//
828
829int pr6033(int x) {
830  int y;
831  return x % y; // expected-warning{{The right operand of '%' is a garbage value}}
832}
833
834struct trie {
835  struct trie* next;
836};
837
838struct kwset {
839  struct trie *trie;
840  unsigned char y[10];
841  struct trie* next[10];
842  int d;
843};
844
845typedef struct trie trie_t;
846typedef struct kwset kwset_t;
847
848void f(kwset_t *kws, char const *p, char const *q) {
849  struct trie const *trie;
850  struct trie * const *next = kws->next;
851  register unsigned char c;
852  register char const *end = p;
853  register char const *lim = q;
854  register int d = 1;
855  register unsigned char const *y = kws->y;
856
857  d = y[c = (end+=d)[-1]]; // no-warning
858  trie = next[c];
859}
860
861//===----------------------------------------------------------------------===//
862// <rdar://problem/7593875> When handling sizeof(VLA) it leads to a hole in
863// the ExplodedGraph (causing a false positive)
864//===----------------------------------------------------------------------===//
865
866int rdar_7593875_aux(int x);
867int rdar_7593875(int n) {
868  int z[n > 10 ? 10 : n]; // VLA.
869  int v;
870  v = rdar_7593875_aux(sizeof(z));
871  // Previously we got a false positive about 'v' being uninitialized.
872  return v; // no-warning
873}
874
875//===----------------------------------------------------------------------===//
876// Handle casts from symbolic regions (packaged as integers) to doubles.
877// Previously this caused an assertion failure.
878//===----------------------------------------------------------------------===//
879
880void *foo_rev95119();
881void baz_rev95119(double x);
882void bar_rev95119() {
883  // foo_rev95119() returns a symbolic pointer.  It is then
884  // cast to an int which is then cast to a double.
885  int value = (int) foo_rev95119();
886  baz_rev95119((double)value);
887}
888
889//===----------------------------------------------------------------------===//
890// Handle loading a symbolic pointer from a symbolic region that was
891// invalidated by a call to an unknown function.
892//===----------------------------------------------------------------------===//
893
894void bar_rev95192(int **x);
895void foo_rev95192(int **x) {
896  *x = 0;
897  bar_rev95192(x);
898  // Not a null dereference.
899  **x = 1; // no-warning
900}
901
902//===----------------------------------------------------------------------===//
903// Handle casts of a function to a function pointer with a different return
904// value.  We don't yet emit an error for such cases, but we now we at least
905// don't crash when the return value gets interpreted in a way that
906// violates our invariants.
907//===----------------------------------------------------------------------===//
908
909void *foo_rev95267();
910int bar_rev95267() {
911  char (*Callback_rev95267)(void) = (char (*)(void)) foo_rev95267;
912  if ((*Callback_rev95267)() == (char) 0)
913    return 1;
914  return 0;
915}
916
917// Same as previous case, but handle casts to 'void'.
918int bar_rev95274() {
919  void (*Callback_rev95274)(void) = (void (*)(void)) foo_rev95267;
920  (*Callback_rev95274)();
921  return 0;
922}
923
924void rdar7582031_test_static_init_zero() {
925  static unsigned x;
926  if (x == 0)
927    return;
928  int *p = 0;
929  *p = 0xDEADBEEF;
930}
931void rdar7582031_test_static_init_zero_b() {
932  static void* x;
933  if (x == 0)
934    return;
935  int *p = 0;
936  *p = 0xDEADBEEF;
937}
938
939//===----------------------------------------------------------------------===//
940// Test handling of parameters that are structs that contain floats and       //
941// nested fields.                                                             //
942//===----------------------------------------------------------------------===//
943
944struct s_rev95547_nested { float x, y; };
945struct s_rev95547 {
946  struct s_rev95547_nested z1;
947  struct s_rev95547_nested z2;
948};
949float foo_rev95547(struct s_rev95547 w) {
950  return w.z1.x + 20.0; // no-warning
951}
952void foo_rev95547_b(struct s_rev95547 w) {
953  struct s_rev95547 w2 = w;
954  w2.z1.x += 20.0; // no-warning
955}
956
957//===----------------------------------------------------------------------===//
958// Test handling statement expressions that don't populate a CFG block that
959// is used to represent the computation of the RHS of a logical operator.
960// This previously triggered a crash.
961//===----------------------------------------------------------------------===//
962
963void pr6938() {
964  if (1 && ({
965    while (0);
966    0;
967  }) == 0) {
968  }
969}
970
971void pr6938_b() {
972  if (1 && *({ // expected-warning{{Dereference of null pointer}}
973    while (0) {}
974    ({
975      (int *) 0;
976    });
977  }) == 0) {
978  }
979}
980
981//===----------------------------------------------------------------------===//
982// <rdar://problem/7979430> - The CFG for code containing an empty
983//  @synchronized block was previously broken (and would crash the analyzer).
984//===----------------------------------------------------------------------===//
985
986void r7979430(id x) {
987  @synchronized(x) {}
988}
989
990//===----------------------------------------------------------------------===
991// PR 7361 - Test that functions wrapped in macro instantiations are analyzed.
992//===----------------------------------------------------------------------===
993#define MAKE_TEST_FN() \
994  void test_pr7361 (char a) {\
995    char* b = 0x0;  *b = a;\
996  }
997
998MAKE_TEST_FN() // expected-warning{{null pointer}}
999
1000//===----------------------------------------------------------------------===
1001// PR 7491 - Test that symbolic expressions can be used as conditions.
1002//===----------------------------------------------------------------------===
1003
1004void pr7491 () {
1005  extern int getint();
1006  int a = getint()-1;
1007  if (a) {
1008    return;
1009  }
1010  if (!a) {
1011    return;
1012  } else {
1013    // Should be unreachable
1014    (void)*(char*)0; // no-warning
1015  }
1016}
1017
1018//===----------------------------------------------------------------------===
1019// PR 7475 - Test that assumptions about global variables are reset after
1020//  calling a global function.
1021//===----------------------------------------------------------------------===
1022
1023int *pr7475_someGlobal;
1024void pr7475_setUpGlobal();
1025
1026void pr7475() {
1027  if (pr7475_someGlobal == 0)
1028    pr7475_setUpGlobal();
1029  *pr7475_someGlobal = 0; // no-warning
1030}
1031
1032void pr7475_warn() {
1033  static int *someStatic = 0;
1034  if (someStatic == 0)
1035    pr7475_setUpGlobal();
1036  *someStatic = 0; // expected-warning{{null pointer}}
1037}
1038
1039// <rdar://problem/8202272> - __imag passed non-complex should not crash
1040float f0(_Complex float x) {
1041  float l0 = __real x;
1042  return  __real l0 + __imag l0;
1043}
1044
1045
1046//===----------------------------------------------------------------------===
1047// Test that we can reduce symbols to constants whether they are on the left
1048//  or right side of an expression.
1049//===----------------------------------------------------------------------===
1050
1051void reduce_to_constant(int x, int y) {
1052  if (x != 20)
1053    return;
1054
1055  int a = x + y;
1056  int b = y + x;
1057
1058  if (y == -20 && a != 0)
1059    (void)*(char*)0; // no-warning
1060  if (y == -20 && b != 0)
1061    (void)*(char*)0; // no-warning
1062}
1063
1064// <rdar://problem/8360854> - Test that code after a switch statement with no
1065// 'case:' labels is correctly evaluated.
1066void r8360854(int n) {
1067  switch (n) {
1068   default: ;
1069  }
1070  int *p = 0;
1071  *p = 0xDEADBEEF; // expected-warning{{null pointer}}
1072}
1073
1074// PR 8050 - crash in CastSizeChecker when pointee is an incomplete type
1075typedef long unsigned int __darwin_size_t;
1076typedef __darwin_size_t size_t;
1077void *malloc(size_t);
1078
1079struct PR8050;
1080
1081void pr8050(struct PR8050 **arg)
1082{
1083    *arg = malloc(1);
1084}
1085
1086// <rdar://problem/5880430> Switch on enum should not consider default case live
1087//  if all enum values are covered
1088enum Cases { C1, C2, C3, C4 };
1089void test_enum_cases(enum Cases C) {
1090  switch (C) {
1091  case C1:
1092  case C2:
1093  case C4:
1094  case C3:
1095    return;
1096  }
1097  int *p = 0;
1098  *p = 0xDEADBEEF; // no-warning
1099}
1100
1101void test_enum_cases_positive(enum Cases C) {
1102  switch (C) { // expected-warning{{enumeration value 'C4' not handled in switch}}
1103  case C1:
1104  case C2:
1105  case C3:
1106    return;
1107  }
1108  int *p = 0;
1109  *p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}}
1110}
1111
1112// <rdar://problem/6351970> rule request: warn if synchronization mutex can be nil
1113void rdar6351970() {
1114  id x = 0;
1115  @synchronized(x) {} // expected-warning{{Nil value used as mutex for @synchronized() (no synchronization will occur)}}
1116}
1117
1118void rdar6351970_b(id x) {
1119  if (!x)
1120    @synchronized(x) {} // expected-warning{{Nil value used as mutex for @synchronized() (no synchronization will occur)}}
1121}
1122
1123void rdar6351970_c() {
1124  id x;
1125  @synchronized(x) {} // expected-warning{{Uninitialized value used as mutex for @synchronized}}
1126}
1127
1128@interface Rdar8578650
1129- (id) foo8578650;
1130@end
1131
1132void rdar8578650(id x) {
1133  @synchronized (x) {
1134    [x foo8578650];
1135  }
1136  // At this point we should assume that 'x' is not nil, not
1137  // the inverse.
1138  @synchronized (x) { // no-warning
1139  }
1140}
1141
1142// <rdar://problem/6352035> rule request: direct structure member access null pointer dereference
1143@interface RDar6352035 {
1144  int c;
1145}
1146- (void)foo;
1147- (void)bar;
1148@end
1149
1150@implementation RDar6352035
1151- (void)foo {
1152  RDar6352035 *friend = 0;
1153  friend->c = 7; // expected-warning{{Access to instance variable 'c' results in a dereference of a null pointer (loaded from variable 'friend')}}
1154}
1155- (void)bar {
1156  self = 0;
1157  c = 7; // expected-warning{{Access to instance variable 'c' results in a dereference of a null pointer (loaded from variable 'self')}}
1158}
1159@end
1160
1161// PR 8149 - GNU statement expression in condition of ForStmt.
1162// This previously triggered an assertion failure in CFGBuilder.
1163void pr8149(void) {
1164  for (; ({ do { } while (0); 0; });) { }
1165}
1166
1167// PR 8458 - Make sure @synchronized doesn't crash with properties.
1168@interface PR8458 {}
1169@property(readonly) id lock;
1170@end
1171
1172static
1173void __PR8458(PR8458 *x) {
1174  @synchronized(x.lock) {} // no-warning
1175}
1176
1177// PR 8440 - False null dereference during store to array-in-field-in-global.
1178// This test case previously resulted in a bogus null deref warning from
1179// incorrect lazy symbolication logic in RegionStore.
1180static struct {
1181  int num;
1182  char **data;
1183} saved_pr8440;
1184
1185char *foo_pr8440();
1186char **bar_pr8440();
1187void baz_pr8440(int n)
1188{
1189   saved_pr8440.num = n;
1190   if (saved_pr8440.data)
1191     return;
1192   saved_pr8440.data = bar_pr8440();
1193   for (int i = 0 ; i < n ; i ++)
1194     saved_pr8440.data[i] = foo_pr8440(); // no-warning
1195}
1196
1197// Support direct accesses to non-null memory.  Reported in:
1198//  PR 5272
1199//  <rdar://problem/6839683>
1200int test_direct_address_load() {
1201  int *p = (int*) 0x4000;
1202  return *p; // no-warning
1203}
1204
1205void pr5272_test() {
1206  struct pr5272 { int var2; };
1207  (*(struct pr5272*)0xBC000000).var2 = 0; // no-warning
1208  (*(struct pr5272*)0xBC000000).var2 += 2; // no-warning
1209}
1210
1211// Support casting the return value of function to another different type
1212// This previously caused a crash, although we likely need more precise
1213// reasoning here. <rdar://problem/8663544>
1214void* rdar8663544();
1215typedef struct {} Val8663544;
1216Val8663544 bazR8663544() {
1217  Val8663544(*func) () = (Val8663544(*) ()) rdar8663544;
1218  return func();
1219}
1220
1221// PR 8619 - Handle ternary expressions with a call to a noreturn function.
1222// This previously resulted in a crash.
1223void pr8619_noreturn(int x) __attribute__((noreturn));
1224
1225void pr8619(int a, int b, int c) {
1226  a ?: pr8619_noreturn(b || c);
1227}
1228
1229
1230// PR 8646 - crash in the analyzer when handling unions.
1231union pr8648_union {
1232        signed long long pr8648_union_field;
1233};
1234void pr8648() {
1235  long long y;
1236  union pr8648_union x = { .pr8648_union_field = 0LL };
1237  y = x.pr8648_union_field;
1238
1239  union pr8648_union z;
1240  z = (union pr8648_union) { .pr8648_union_field = 0LL };
1241
1242  union pr8648_union w;
1243  w = ({ (union pr8648_union) { .pr8648_union_field = 0LL }; });
1244
1245  // crash, no assignment
1246  (void) ({ (union pr8648_union) { .pr8648_union_field = 0LL }; }).pr8648_union_field;
1247
1248  // crash with assignment
1249  y = ({ (union pr8648_union) { .pr8648_union_field = 0LL }; }).pr8648_union_field;
1250}
1251
1252// PR 9269 - don't assert when building the following CFG.  The for statement
1253// contains a condition with multiple basic blocks, and the value of the
1254// statement expression is then indexed as part of a bigger condition expression.
1255// This example exposed a bug in child traversal in the CFGBuilder.
1256void pr9269() {
1257  struct s { char *bar[10]; } baz[2] = { 0 };
1258  unsigned i = 0;
1259  for (i = 0;
1260  (* ({ while(0); ({ &baz[0]; }); })).bar[0] != 0; // expected-warning {{while loop has empty body}} expected-note {{put the semicolon on a separate line to silence this warning}}
1261       ++i) {}
1262}
1263
1264// Test evaluation of GNU-style ?:.
1265int pr9287(int type) { return type ? : 0; } // no-warning
1266
1267void pr9287_b(int type, int *p) {
1268  int x = type ? : 0;
1269  if (x) {
1270    p = 0;
1271  }
1272  if (type) {
1273    *p = 0xDEADBEEF; // expected-warning {{null pointer}}
1274  }
1275}
1276
1277void pr9287_c(int type, int *p) {
1278  int x = type ? : 0;
1279  if (x) {
1280    p = 0;
1281  }
1282  if (!type) {
1283    *p = 0xDEADBEEF; // no-warning
1284  }
1285}
1286
1287void test_switch() {
1288  switch (4) {
1289    case 1: {
1290      int *p = 0;
1291      *p = 0xDEADBEEF; // no-warning
1292      break;
1293    }
1294    case 4: {
1295      int *p = 0;
1296      *p = 0xDEADBEEF; // expected-warning {{null}}
1297      break;
1298    }
1299    default: {
1300      int *p = 0;
1301      *p = 0xDEADBEEF; // no-warning
1302      break;
1303    }
1304  }
1305}
1306
1307// PR 9467.  Tests various CFG optimizations.  This previously crashed.
1308static void test(unsigned int bit_mask)
1309{
1310  unsigned int bit_index;
1311  for (bit_index = 0;
1312       bit_index < 24;
1313       bit_index++) {
1314    switch ((0x01 << bit_index) & bit_mask) {
1315    case 0x100000: ;
1316    }
1317  }
1318}
1319
1320// Don't crash on code containing __label__.
1321int radar9414427_aux();
1322void radar9414427() {
1323  __label__ mylabel;
1324  if (radar9414427_aux()) {
1325  mylabel: do {}
1326  while (0);
1327  }
1328}
1329
1330// Analyze methods in @implementation (category)
1331@interface RDar9465344
1332@end
1333
1334@implementation RDar9465344 (MyCategory)
1335- (void) testcategoryImpl {
1336  int *p = 0x0;
1337  *p = 0xDEADBEEF; // expected-warning {{null}}
1338}
1339@end
1340
1341@implementation RDar9465344
1342@end
1343
1344// Don't crash when analyzing access to 'self' within a block.
1345@interface Rdar10380300Base
1346- (void) foo;
1347@end
1348@interface Rdar10380300 : Rdar10380300Base @end
1349@implementation Rdar10380300
1350- (void)foo {
1351  ^{
1352    [super foo];
1353  }();
1354}
1355@end
1356
1357// Don't crash when a ?: is only preceded by a statement (not an expression)
1358// in the CFG.
1359void __assert_fail();
1360
1361enum rdar1196620_e { E_A, E_B, E_C, E_D };
1362struct rdar1196620_s { int ints[E_D+1]; };
1363
1364static void rdar1196620_call_assert(struct rdar1196620_s* s) {
1365  int i = 0;
1366  s?(void)0:__assert_fail();
1367}
1368
1369static void rdar1196620(struct rdar1196620_s* s) {
1370  rdar1196620_call_assert(s);
1371}
1372
1373
1374