1*67e74705SXin Li // RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-checker=core.builtin,debug.ExprInspection,unix.cstring -verify %s
2*67e74705SXin Li
3*67e74705SXin Li typedef unsigned long size_t;
4*67e74705SXin Li
5*67e74705SXin Li struct S {
6*67e74705SXin Li struct S3 {
7*67e74705SXin Li int y[10];
8*67e74705SXin Li };
9*67e74705SXin Li struct S2 : S3 {
10*67e74705SXin Li int *x;
11*67e74705SXin Li } s2[10];
12*67e74705SXin Li int z;
13*67e74705SXin Li };
14*67e74705SXin Li
15*67e74705SXin Li
16*67e74705SXin Li void clang_analyzer_explain(int);
17*67e74705SXin Li void clang_analyzer_explain(void *);
18*67e74705SXin Li void clang_analyzer_explain(S);
19*67e74705SXin Li
20*67e74705SXin Li size_t clang_analyzer_getExtent(void *);
21*67e74705SXin Li
22*67e74705SXin Li size_t strlen(const char *);
23*67e74705SXin Li
24*67e74705SXin Li int conjure();
25*67e74705SXin Li S conjure_S();
26*67e74705SXin Li
27*67e74705SXin Li int glob;
28*67e74705SXin Li static int stat_glob;
29*67e74705SXin Li void *glob_ptr;
30*67e74705SXin Li
31*67e74705SXin Li // Test strings are regex'ed because we need to match exact string
32*67e74705SXin Li // rather than a substring.
33*67e74705SXin Li
test_1(int param,void * ptr)34*67e74705SXin Li void test_1(int param, void *ptr) {
35*67e74705SXin Li clang_analyzer_explain(&glob); // expected-warning-re{{{{^pointer to global variable 'glob'$}}}}
36*67e74705SXin Li clang_analyzer_explain(param); // expected-warning-re{{{{^argument 'param'$}}}}
37*67e74705SXin Li clang_analyzer_explain(ptr); // expected-warning-re{{{{^argument 'ptr'$}}}}
38*67e74705SXin Li if (param == 42)
39*67e74705SXin Li clang_analyzer_explain(param); // expected-warning-re{{{{^signed 32-bit integer '42'$}}}}
40*67e74705SXin Li }
41*67e74705SXin Li
test_2(char * ptr,int ext)42*67e74705SXin Li void test_2(char *ptr, int ext) {
43*67e74705SXin Li clang_analyzer_explain((void *) "asdf"); // expected-warning-re{{{{^pointer to element of type 'char' with index 0 of string literal "asdf"$}}}}
44*67e74705SXin Li clang_analyzer_explain(strlen(ptr)); // expected-warning-re{{{{^metadata of type 'unsigned long' tied to pointee of argument 'ptr'$}}}}
45*67e74705SXin Li clang_analyzer_explain(conjure()); // expected-warning-re{{{{^symbol of type 'int' conjured at statement 'conjure\(\)'$}}}}
46*67e74705SXin Li clang_analyzer_explain(glob); // expected-warning-re{{{{^value derived from \(symbol of type 'int' conjured at statement 'conjure\(\)'\) for global variable 'glob'$}}}}
47*67e74705SXin Li clang_analyzer_explain(glob_ptr); // expected-warning-re{{{{^value derived from \(symbol of type 'int' conjured at statement 'conjure\(\)'\) for global variable 'glob_ptr'$}}}}
48*67e74705SXin Li clang_analyzer_explain(clang_analyzer_getExtent(ptr)); // expected-warning-re{{{{^extent of pointee of argument 'ptr'$}}}}
49*67e74705SXin Li int *x = new int[ext];
50*67e74705SXin Li clang_analyzer_explain(x); // expected-warning-re{{{{^pointer to element of type 'int' with index 0 of pointee of symbol of type 'int \*' conjured at statement 'new int \[ext\]'$}}}}
51*67e74705SXin Li // Sic! What gets computed is the extent of the element-region.
52*67e74705SXin Li clang_analyzer_explain(clang_analyzer_getExtent(x)); // expected-warning-re{{{{^signed 32-bit integer '4'$}}}}
53*67e74705SXin Li delete[] x;
54*67e74705SXin Li }
55*67e74705SXin Li
test_3(S s)56*67e74705SXin Li void test_3(S s) {
57*67e74705SXin Li clang_analyzer_explain(&s); // expected-warning-re{{{{^pointer to parameter 's'$}}}}
58*67e74705SXin Li clang_analyzer_explain(s.z); // expected-warning-re{{{{^initial value of field 'z' of parameter 's'$}}}}
59*67e74705SXin Li clang_analyzer_explain(&s.s2[5].y[3]); // expected-warning-re{{{{^pointer to element of type 'int' with index 3 of field 'y' of base object 'S::S3' inside element of type 'struct S::S2' with index 5 of field 's2' of parameter 's'$}}}}
60*67e74705SXin Li if (!s.s2[7].x) {
61*67e74705SXin Li clang_analyzer_explain(s.s2[7].x); // expected-warning-re{{{{^concrete memory address '0'$}}}}
62*67e74705SXin Li // FIXME: we need to be explaining '1' rather than '0' here; not explainer bug.
63*67e74705SXin Li clang_analyzer_explain(s.s2[7].x + 1); // expected-warning-re{{{{^concrete memory address '0'$}}}}
64*67e74705SXin Li }
65*67e74705SXin Li }
66*67e74705SXin Li
test_4(int x,int y)67*67e74705SXin Li void test_4(int x, int y) {
68*67e74705SXin Li int z;
69*67e74705SXin Li static int stat;
70*67e74705SXin Li clang_analyzer_explain(x + 1); // expected-warning-re{{{{^\(argument 'x'\) \+ 1$}}}}
71*67e74705SXin Li clang_analyzer_explain(1 + y); // expected-warning-re{{{{^\(argument 'y'\) \+ 1$}}}}
72*67e74705SXin Li clang_analyzer_explain(x + y); // expected-warning-re{{{{^unknown value$}}}}
73*67e74705SXin Li clang_analyzer_explain(z); // expected-warning-re{{{{^undefined value$}}}}
74*67e74705SXin Li clang_analyzer_explain(&z); // expected-warning-re{{{{^pointer to local variable 'z'$}}}}
75*67e74705SXin Li clang_analyzer_explain(stat); // expected-warning-re{{{{^signed 32-bit integer '0'$}}}}
76*67e74705SXin Li clang_analyzer_explain(&stat); // expected-warning-re{{{{^pointer to static local variable 'stat'$}}}}
77*67e74705SXin Li clang_analyzer_explain(stat_glob); // expected-warning-re{{{{^initial value of global variable 'stat_glob'$}}}}
78*67e74705SXin Li clang_analyzer_explain(&stat_glob); // expected-warning-re{{{{^pointer to global variable 'stat_glob'$}}}}
79*67e74705SXin Li clang_analyzer_explain((int[]){1, 2, 3}); // expected-warning-re{{{{^pointer to element of type 'int' with index 0 of compound literal \(int \[3\]\)\{1, 2, 3\}$}}}}
80*67e74705SXin Li }
81*67e74705SXin Li
82*67e74705SXin Li namespace {
83*67e74705SXin Li class C {
84*67e74705SXin Li int x[10];
85*67e74705SXin Li
86*67e74705SXin Li public:
test_5(int i)87*67e74705SXin Li void test_5(int i) {
88*67e74705SXin Li clang_analyzer_explain(this); // expected-warning-re{{{{^pointer to 'this' object$}}}}
89*67e74705SXin Li clang_analyzer_explain(&x[i]); // expected-warning-re{{{{^pointer to element of type 'int' with index 'argument 'i'' of field 'x' of 'this' object$}}}}
90*67e74705SXin Li clang_analyzer_explain(__builtin_alloca(i)); // expected-warning-re{{{{^pointer to region allocated by '__builtin_alloca\(i\)'$}}}}
91*67e74705SXin Li }
92*67e74705SXin Li };
93*67e74705SXin Li } // end of anonymous namespace
94*67e74705SXin Li
test_6()95*67e74705SXin Li void test_6() {
96*67e74705SXin Li clang_analyzer_explain(conjure_S()); // expected-warning-re{{{{^lazily frozen compound value of temporary object constructed at statement 'conjure_S\(\)'$}}}}
97*67e74705SXin Li clang_analyzer_explain(conjure_S().z); // expected-warning-re{{{{^value derived from \(symbol of type 'struct S' conjured at statement 'conjure_S\(\)'\) for field 'z' of temporary object constructed at statement 'conjure_S\(\)'$}}}}
98*67e74705SXin Li }
99