// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-checker=core,deadcode,alpha.core -std=gnu99 -analyzer-store=region -analyzer-constraints=range -analyzer-purge=none -verify %s -Wno-error=return-type
// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-checker=core,deadcode,alpha.core -std=gnu99 -analyzer-store=region -analyzer-constraints=range -verify %s -Wno-error=return-type

// Regression cases for the static analyzer's null-pointer-dereference checks.
// Each function is deliberately written so that a dereference is either
// provably null on some path (a diagnostic is required on that line) or is
// unreachable / not provably null (the line must stay silent). The trailing
// annotations are consumed by -verify, so statements must not be moved off
// their lines.

// Hand-written stand-in for the standard typedef; no system headers are used.
// NOTE(review): relies on 'unsigned' being pointer-sized for the i386 triple
// given on the RUN lines.
typedef unsigned uintptr_t;

// Declared by hand and marked noreturn so that a failing assert() below ends
// the analyzed path instead of falling through.
extern void __assert_fail (__const char *__assertion, __const char *__file,
    unsigned int __line, __const char *__function)
     __attribute__ ((__noreturn__));

// Minimal assert(): the false arm calls the noreturn handler declared above.
#define assert(expr) \
  ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__))
12*67e74705SXin Li
// Simplest case: the else arm is only reached when 'p' tested false, so the
// store through 'p' there is a certain null dereference and must be reported.
void f1(int *p) {
  if (p) *p = 1;
  else *p = 0; // expected-warning{{ereference}}
}
17*67e74705SXin Li
// Single-field struct used to exercise member access through a pointer.
struct foo_struct {
  int x;
};

// The null check guards only the first store. The return statement runs on
// both paths, so on the path where 'p' tested null the field access is a null
// dereference; the diagnostic must name the field and the variable.
int f2(struct foo_struct* p) {

  if (p)
    p->x = 1;

  return p->x++; // expected-warning{{Access to field 'x' results in a dereference of a null pointer (loaded from variable 'p')}}
}
29*67e74705SXin Li
// Array subscripting on a null base: the non-null path returns early, so the
// final subscript is only reached with 'x' null. A non-zero index does not
// make the access valid, and the analyzer must still report it.
int f3(char* x) {

  int i = 2;

  if (x)
    return x[i - 1];

  return x[i+1]; // expected-warning{{Array access (from variable 'x') results in a null pointer dereference}}
}
39*67e74705SXin Li
// Same shape as f3, but the faulting access is a post-increment of the
// element (a read-modify-write) rather than a plain load.
int f3_b(char* x) {

  int i = 2;

  if (x)
    return x[i - 1];

  return x[i+1]++; // expected-warning{{Array access (from variable 'x') results in a null pointer dereference}}
}
49*67e74705SXin Li
// Null-ness must survive a pointer -> integer -> pointer round trip: the
// integer copy is tested, the zero path casts it back to a pointer, and the
// dereference of that pointer must be reported as null.
int f4(int *p) {

  uintptr_t x = (uintptr_t) p;

  if (x)
    return 1;

  // Only reached with x == 0, so 'q' is a null pointer here.
  int *q = (int*) x;
  return *q; // expected-warning{{Dereference of null pointer (loaded from variable 'q')}}
}
60*67e74705SXin Li
// Round trip of a stack array's address through an integer without casts.
// The two conversion diagnostics come from the compiler front end; the
// remaining annotations check that the analyzer still knows 'p' equals
// &array[0] afterwards and tracks the later explicit null assignment.
int f4_b() {
  short array[2];
  uintptr_t x = array; // expected-warning{{incompatible pointer to integer conversion}}
  short *p = x; // expected-warning{{incompatible integer to pointer conversion}}

  // The following branch should be infeasible.
  if (!(p == &array[0])) {
    p = 0;
    *p = 1; // no-warning
  }

  if (p) {
    *p = 5; // no-warning
    p = 0;
  }
  // Bare 'return' in a non-void function: the RUN lines pass
  // -Wno-error=return-type so this stays a warning.
  else return; // expected-warning {{non-void function 'f4_b' should return a value}}

  // 'p' was set to 0 inside the taken branch above, so this is a certain
  // null dereference.
  *p += 10; // expected-warning{{Dereference of null pointer}}
  return 0;
}
81*67e74705SXin Li
// Negative case: a pointer initialized from a string literal is not null, so
// reading through it must not be reported.
int f5() {

  char *s = "hello world";
  return s[0]; // no-warning
}
87*67e74705SXin Li
// 'nonnull' with no index list: the attribute covers every pointer parameter
// (here only 'p').
int bar(int* p, int q) __attribute__((nonnull));

// Passing a pointer that just tested null to a nonnull parameter must be
// reported; the same call on the non-null arm must not.
int f6(int *p) {
  return !p ? bar(p, 1) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
         : bar(p, 0);   // no-warning
}
94*67e74705SXin Li
// Same as bar, but the attribute names parameter 1 explicitly.
int bar2(int* p, int q) __attribute__((nonnull(1)));

// Variant of f6 for the indexed form of the attribute.
int f6b(int *p) {
  return !p ? bar2(p, 1) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
         : bar2(p, 0);   // no-warning
}
101*67e74705SXin Li
// Two nonnull parameters (1 and 3) separated by a non-pointer argument.
int bar3(int*p, int q, int *r) __attribute__((nonnull(1,3)));

// On the null arm 'p' is passed in the third position, so the check must
// apply to parameter 3 and not only to the first one. 'q' is never tested,
// so passing it is not reported.
int f6c(int *p, int *q) {
  return !p ? bar3(q, 2, p) // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
         : bar3(p, 2, q);   // no-warning
}
108*67e74705SXin Li
// A call through a nonnull parameter also acts as an assumption: after
// bar(p, 0) returns, the analyzer treats 'p' as non-null, which makes the
// '!p' branch dead and the null store inside it unreportable.
void f6d(int *p) {
  bar(p, 0);
  // At this point, 'p' cannot be null.
  if (!p) {
    int *q = 0;
    *q = 0xDEADBEEF; // no-warning
  }
}
117*67e74705SXin Li
// Crash regression: the argument is pointer arithmetic on unknown operands,
// so its value is unknown to the analyzer. The nonnull check must cope with
// that instead of asking whether an undefined-to-it value is zero.
void f6e(int *p, int offset) {
  // PR7406 - crash from treating an UnknownVal as defined, to see if it's 0.
  bar((p+offset)+1, 0); // not crash
}
122*67e74705SXin Li
// Opaque source of pointers; declared without a prototype, and its result is
// not known to be null.
int* qux();

// Correlated conditions: 'p' is dereferenced only under the same condition
// under which it was reassigned from qux(), so the initial null value never
// reaches the store.
int f7(int x) {

  int* p = 0;

  if (0 == x)
    p = qux();

  if (0 == x)
    *p = 1; // no-warning

  return x;
}
137*67e74705SXin Li
// Same as f7, with the correlating condition being a pointer comparison
// against a null constant written as ((void*)0).
int* f7b(int *x) {

  int* p = 0;

  if (((void*)0) == x)
    p = qux();

  if (((void*)0) == x)
    *p = 1; // no-warning

  return x;
}
150*67e74705SXin Li
// Variant of f7b where the second test is inverted and returns early: only
// the path on which 'x' is null (and 'p' was therefore reassigned) reaches
// the store.
int* f7c(int *x) {

  int* p = 0;

  if (((void*)0) == x)
    p = qux();

  if (((void*)0) != x)
    return x;

  // If we reach here then 'p' is not null.
  *p = 1; // no-warning
  return x;
}
165*67e74705SXin Li
// Positive counterpart of f7c: the early return now removes the path on
// which 'p' was reassigned, so the store is only reached with 'p' still
// holding its initial 0 and must be reported.
int* f7c2(int *x) {

  int* p = 0;

  if (((void*)0) == x)
    p = qux();

  if (((void*)0) == x)
    return x;

  *p = 1; // expected-warning{{null}}
  return x;
}
179*67e74705SXin Li
180*67e74705SXin Li
// Contradictory nested conditions: each inner test negates the outer one, so
// both stores are unreachable and neither may be reported.
void f8(int *p, int *q) {
  if (!p)
    if (p)
      *p = 1; // no-warning

  if (q)
    if (!q)
      *q = 1; // no-warning
}
190*67e74705SXin Li
// Redeclaration of the opaque pointer source used above.
int* qux();

// The assertion rules out len == 0, so the loop body runs at least once and
// 'p' is always overwritten with qux()'s result before the dereference.
int f9(unsigned len) {
  assert (len != 0);
  int *p = 0;
  unsigned i;

  for (i = 0; i < len; ++i)
    p = qux(i);

  return *p++; // no-warning
}
203*67e74705SXin Li
// Same as f9 with the precondition written as 'len > 0'; for an unsigned
// value this excludes the same single case and must give the same result.
int f9b(unsigned len) {
  assert (len > 0);  // note use of '>'
  int *p = 0;
  unsigned i;

  for (i = 0; i < len; ++i)
    p = qux(i);

  return *p++; // no-warning
}
214*67e74705SXin Li
// Constraint tracking across a compound assignment with mixed operand widths.
// 'p' is forced to null exactly when 'x' is non-zero, and is checked non-null
// when 'x' is zero, so the final store under '!x' is safe.
int* f10(int* p, signed char x, int y) {
  // This line tests symbolication with compound assignments where the
  // LHS and RHS have different bitwidths.  The new symbolic value
  // for 'x' should have a bitwidth of 8.
  x &= y;

  // This tests that our symbolication worked, and that we correctly test
  // x against 0 (with the same bitwidth).
  if (!x) {
    if (!p) return 0;
    *p = 10;
  }
  else p = 0;

  if (!x)
    *p = 5; // no-warning

  return p;
}
234*67e74705SXin Li
// Test case from <rdar://problem/6407949>
// An unsigned value is always >= 0 (the compiler itself flags the
// comparison), so the else arm holding the null store is dead code.
void f11(unsigned i) {
  int *x = 0;
  if (i >= 0) { // expected-warning{{always true}}
    // always true
  } else {
    *x = 42; // no-warning
  }
}
244*67e74705SXin Li
// Upper-bound counterpart of f11: every unsigned value is <= ~(unsigned)0,
// so the else arm is again unreachable. No compiler diagnostic is annotated
// for this comparison.
void f11b(unsigned i) {
  int *x = 0;
  if (i <= ~(unsigned)0) {
    // always true
  } else {
    *x = 42; // no-warning
  }
}
253*67e74705SXin Li
// Test case for switch statements with weird case arms.
// The typedefs below are local declarations using Windows-style names; no
// header is included for them.
typedef int BOOL, *PBOOL, *LPBOOL;
typedef long LONG_PTR, *PLONG_PTR;
typedef unsigned long ULONG_PTR, *PULONG_PTR;
typedef ULONG_PTR DWORD_PTR, *PDWORD_PTR;
typedef LONG_PTR LRESULT;
typedef struct _F12ITEM *HF12ITEM;

// Switch on a handle cast to an integer, with a GNU case range and a case
// label built from an integer-to-pointer-to-integer cast. Only the range arm
// falls out of the switch, and it replaces the null 'p' with the caller's
// 'q', so the store after the switch is not provably null.
void f12(HF12ITEM i, char *q) {
  char *p = 0;
  switch ((DWORD_PTR) i) {
  case 0 ... 10:
    p = q;
    break;
  case (DWORD_PTR) ((HF12ITEM) - 65535):
    return;
  default:
    return;
  }

  *p = 1; // no-warning
}
276*67e74705SXin Li
// Test handling of translating between integer "pointers" and back.
// The null pointer is cast to int and run through shift/add arithmetic;
// ((0 << 2) + 1) >> 1 is 0, so the store is never executed. The line carries
// no annotation, which under -verify means no diagnostic is allowed there.
void f13() {
  int *x = 0;
  if (((((int) x) << 2) + 1) >> 1) *x = 1;
}
282*67e74705SXin Li
// PR 4759 - Attribute non-null checking by the analyzer was not correctly
// handling pointer values that were undefined.
void pr4759_aux(int *p) __attribute__((nonnull));

// 'p' is never initialized. The required diagnostic is the
// uninitialized-argument one, not the nonnull one: the attribute check must
// not try to reason about an undefined value.
void pr4759() {
  int *p;
  pr4759_aux(p); // expected-warning{{Function call argument is an uninitialized value}}
}
291*67e74705SXin Li
// Relax function call arguments invalidation to be aware of const
// arguments. Test with function pointers. radar://10595327
void ttt(const int *nptr);
void ttt2(const int *nptr);
typedef void (*NoConstType)(int*);

// Both possible callees take 'const int *', so the call through 'fp' must
// not invalidate 'y'. With y still known to be x + 1, 'x == y' is false and
// the null dereference below is unreachable.
int foo10595327(int b) {
  void (*fp)(int *);
  // We use path sensitivity to get the function declaration. Even when the
  // function pointer is cast to non-pointer-to-const parameter type, we can
  // find the right function declaration.
  if (b > 5)
    fp = (NoConstType)ttt2;
  else
    fp = (NoConstType)ttt;
  int x = 3;
  int y = x + 1;
  int *p = 0;
  fp(&y);
  if (x == y)
      return *p; // no-warning
  return 0;
}
314*67e74705SXin Li
// Pointers qualified with a non-default address space. In these cases a
// zero-valued pointer is not treated as an invalid address, so the
// null-dereference checks must stay silent.
// NOTE(review): on x86 targets clang treats address space 256 as
// %gs-relative, where offset 0 is a legitimate location - confirm.
#define AS_ATTRIBUTE volatile __attribute__((address_space(256)))
#define _get_base() ((void * AS_ATTRIBUTE *)0)

// Indexing from a zero base in the alternate address space is not reported.
void* test_address_space_array(unsigned long slot) {
  return _get_base()[slot]; // no-warning
}
// Even after an explicit comparison with 0 succeeds, a store through a
// pointer in the alternate address space must not be reported.
void test_address_space_condition(int AS_ATTRIBUTE *cpu_data) {
  if (cpu_data == 0) {
    *cpu_data = 3; // no-warning
  }
}
// Single-field struct for the member-access variant below.
struct X { int member; };

// Member load through a literal-zero pointer in the alternate address space;
// this too must not be reported.
int test_address_space_member() {
  struct X AS_ATTRIBUTE *data = (struct X AS_ATTRIBUTE *)0UL;
  int ret;
  ret = data->member; // no-warning
  return ret;
}