1 // RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core,debug.ExprInspection -analyzer-store=region -verify -Wno-null-dereference -Wno-tautological-undefined-compare -analyzer-config eagerly-assume=false %s
2
3 void clang_analyzer_eval(bool);
4
5 typedef typeof(sizeof(int)) size_t;
6 void malloc (size_t);
7
f1()8 void f1() {
9 int const &i = 3;
10 int b = i;
11
12 int *p = 0;
13
14 if (b != 3)
15 *p = 1; // no-warning
16 }
17
18 char* ptr();
19 char& ref();
20
21 // These next two tests just shouldn't crash.
t1()22 char t1 () {
23 ref() = 'c';
24 return '0';
25 }
26
27 // just a sanity test, the same behavior as t1()
t2()28 char t2 () {
29 *ptr() = 'c';
30 return '0';
31 }
32
33 // Each of the tests below is repeated with pointers as well as references.
34 // This is mostly a sanity check, but then again, both should work!
t3()35 char t3 () {
36 char& r = ref();
37 r = 'c'; // no-warning
38 if (r) return r;
39 return *(char*)0; // no-warning
40 }
41
t4()42 char t4 () {
43 char* p = ptr();
44 *p = 'c'; // no-warning
45 if (*p) return *p;
46 return *(char*)0; // no-warning
47 }
48
t5(char & r)49 char t5 (char& r) {
50 r = 'c'; // no-warning
51 if (r) return r;
52 return *(char*)0; // no-warning
53 }
54
t6(char * p)55 char t6 (char* p) {
56 *p = 'c'; // no-warning
57 if (*p) return *p;
58 return *(char*)0; // no-warning
59 }
60
61
62 // PR13440 / <rdar://problem/11977113>
63 // Test that the array-to-pointer decay works for array references as well.
64 // More generally, when we want an lvalue for a reference field, we still need
65 // to do one level of load.
66 namespace PR13440 {
67 typedef int T[1];
68 struct S {
69 T &x;
70
mPR13440::S71 int *m() { return x; }
72 };
73
74 struct S2 {
75 int (&x)[1];
76
mPR13440::S277 int *m() { return x; }
78
testArrayToPointerDecayWithNonTypedValueRegionPR13440::S279 void testArrayToPointerDecayWithNonTypedValueRegion() {
80 int *p = x;
81 int *q = x;
82 clang_analyzer_eval(p[0] == q[0]); // expected-warning{{TRUE}}
83 }
84
85 };
86
test()87 void test() {
88 int a[1];
89 S s = { a };
90 S2 s2 = { a };
91
92 if (s.x != a) return;
93 if (s2.x != a) return;
94
95 a[0] = 42;
96 clang_analyzer_eval(s.x[0] == 42); // expected-warning{{TRUE}}
97 clang_analyzer_eval(s2.x[0] == 42); // expected-warning{{TRUE}}
98 }
99 }
100
testNullReference()101 void testNullReference() {
102 int *x = 0;
103 int &y = *x; // expected-warning{{Dereference of null pointer}}
104 y = 5;
105 }
106
testRetroactiveNullReference(int * x)107 void testRetroactiveNullReference(int *x) {
108 // According to the C++ standard, there is no such thing as a
109 // "null reference". So the 'if' statement ought to be dead code.
110 // However, Clang (and other compilers) don't actually check that a pointer
111 // value is non-null in the implementation of references, so it is possible
112 // to produce a supposed "null reference" at runtime. The analyzer should
113 // still warn when it can prove such errors.
114 int &y = *x;
115 if (x != 0)
116 return;
117 y = 5; // expected-warning{{Dereference of null pointer}}
118 }
119
120 namespace TestReferenceAddress {
121 struct S { int &x; };
122 S getS();
123 S *getSP();
124
testReferenceAddress(int & x)125 void testReferenceAddress(int &x) {
126 // FIXME: Move non-zero reference assumption out of RangeConstraintManager.cpp:422
127 #ifdef ANALYZER_CM_Z3
128 clang_analyzer_eval(&x != 0); // expected-warning{{UNKNOWN}}
129 clang_analyzer_eval(&ref() != 0); // expected-warning{{UNKNOWN}}
130 #else
131 clang_analyzer_eval(&x != 0); // expected-warning{{TRUE}}
132 clang_analyzer_eval(&ref() != 0); // expected-warning{{TRUE}}
133 #endif
134
135 #ifdef ANALYZER_CM_Z3
136 clang_analyzer_eval(&getS().x != 0); // expected-warning{{UNKNOWN}}
137 #else
138 clang_analyzer_eval(&getS().x != 0); // expected-warning{{TRUE}}
139 #endif
140
141 #ifdef ANALYZER_CM_Z3
142 clang_analyzer_eval(&getSP()->x != 0); // expected-warning{{UNKNOWN}}
143 #else
144 clang_analyzer_eval(&getSP()->x != 0); // expected-warning{{TRUE}}
145 #endif
146 }
147 }
148
testFunctionPointerReturn(void * opaque)149 void testFunctionPointerReturn(void *opaque) {
150 typedef int &(*RefFn)();
151
152 RefFn getRef = (RefFn)opaque;
153
154 // Don't crash writing to or reading from this reference.
155 int &x = getRef();
156 x = 42;
157 clang_analyzer_eval(x == 42); // expected-warning{{TRUE}}
158 }
159
testReturnNullReference()160 int &testReturnNullReference() {
161 int *x = 0;
162 return *x; // expected-warning{{Returning null reference}}
163 }
164
refFromPointer()165 char &refFromPointer() {
166 return *ptr();
167 }
168
testReturnReference()169 void testReturnReference() {
170 clang_analyzer_eval(ptr() == 0); // expected-warning{{UNKNOWN}}
171 clang_analyzer_eval(&refFromPointer() == 0); // expected-warning{{FALSE}}
172 }
173
intRefParam(int & r)174 void intRefParam(int &r) {
175 ;
176 }
177
test(int * ptr)178 void test(int *ptr) {
179 clang_analyzer_eval(ptr == 0); // expected-warning{{UNKNOWN}}
180
181 extern void use(int &ref);
182 use(*ptr);
183
184 clang_analyzer_eval(ptr == 0); // expected-warning{{FALSE}}
185 }
186
testIntRefParam()187 void testIntRefParam() {
188 int i = 0;
189 intRefParam(i); // no-warning
190 }
191
refParam(int & byteIndex)192 int refParam(int &byteIndex) {
193 return byteIndex;
194 }
195
testRefParam(int * p)196 void testRefParam(int *p) {
197 if (p)
198 ;
199 refParam(*p); // expected-warning {{Forming reference to null pointer}}
200 }
201
ptrRefParam(int * & byteIndex)202 int ptrRefParam(int *&byteIndex) {
203 return *byteIndex; // expected-warning {{Dereference of null pointer}}
204 }
testRefParam2()205 void testRefParam2() {
206 int *p = 0;
207 int *&rp = p;
208 ptrRefParam(rp);
209 }
210
maybeNull()211 int *maybeNull() {
212 extern bool coin();
213 static int x;
214 return coin() ? &x : 0;
215 }
216
use(int & x)217 void use(int &x) {
218 x = 1; // no-warning
219 }
220
testSuppression()221 void testSuppression() {
222 use(*maybeNull());
223 }
224
225 namespace rdar11212286 {
226 class B{};
227
test()228 B test() {
229 B *x = 0;
230 return *x; // expected-warning {{Forming reference to null pointer}}
231 }
232
testif(B * x)233 B testif(B *x) {
234 if (x)
235 ;
236 return *x; // expected-warning {{Forming reference to null pointer}}
237 }
238
idc(B * x)239 void idc(B *x) {
240 if (x)
241 ;
242 }
243
testidc(B * x)244 B testidc(B *x) {
245 idc(x);
246 return *x; // no-warning
247 }
248 }
249
250 namespace PR15694 {
251 class C {
252 bool bit : 1;
bar(const T & obj)253 template <class T> void bar(const T &obj) {}
foo()254 void foo() {
255 bar(bit); // don't crash
256 }
257 };
258 }
259