[analyzer] Add missing return after function pointer null check.
Also add some tests that there is actually a message and that the bug is
actually a hard error. This actually behaved correctly before, because:
- addTransition() doesn't actually add a transition if the new state is null;
it assumes you want to propagate the predecessor forward and does nothing.
- generateSink() is called in order to emit a bug report.
- If at least one new node has been generated, the predecessor node is /not/
propagated forward.
But now it's spelled out explicitly.
Found by Richard Mazorodze, who's working on a patch that may require this.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@191805 91177308-0d34-0410-b5e6-96231b3b80d8
diff --git a/lib/StaticAnalyzer/Checkers/CallAndMessageChecker.cpp b/lib/StaticAnalyzer/Checkers/CallAndMessageChecker.cpp
index d5ab479..fefcbe7 100644
--- a/lib/StaticAnalyzer/Checkers/CallAndMessageChecker.cpp
+++ b/lib/StaticAnalyzer/Checkers/CallAndMessageChecker.cpp
@@ -249,6 +249,7 @@
BT_call_null.reset(
new BuiltinBug("Called function pointer is null (null dereference)"));
emitBadCall(BT_call_null.get(), C, Callee);
+ return;
}
C.addTransition(StNonNull);
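Review bot: the new `return;` needs a one-line comment stating why it is there, because nothing in the hunk makes the reasoning visible: emitBadCall() has already generated a sink for the null-callee path, so control must not fall through to `C.addTransition(StNonNull);`. As the commit message notes, the fall-through happened to be harmless only because addTransition() ignores a null state and because a generated sink suppresses predecessor propagation, which is a fragile pair of invariants to rely on silently. Something like `// emitBadCall() generated a sink; do not propagate the null-callee state.` above the `return;` would keep the next reader from "simplifying" it away.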
diff --git a/test/Analysis/func.c b/test/Analysis/func.c
index 9abb560..275a82d 100644
--- a/test/Analysis/func.c
+++ b/test/Analysis/func.c
@@ -25,3 +25,16 @@
(*g)();
clang_analyzer_eval(!g); // expected-warning{{FALSE}}
}
+
+void nullFunctionPointerConstant() {
+ void (*f)(void) = 0;
+ f(); // expected-warning{{Called function pointer is null}}
+ clang_analyzer_eval(0); // no-warning
+}
+
+void nullFunctionPointerConstraint(void (*f)(void)) {
+ if (f)
+ return;
+ f(); // expected-warning{{Called function pointer is null}}
+ clang_analyzer_eval(0); // no-warning
+}
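Review bot: the `clang_analyzer_eval(0); // no-warning` lines are what actually prove the bug is a hard error, and that only works because `-verify` fails on any unexpected diagnostic; if the path were not sunk, clang_analyzer_eval(0) would emit a FALSE warning and the test would fail. Worth saying so in a short comment on one of the two functions (e.g. `// The call above is a sink: the eval must never be reached.`), since `// no-warning` by itself reads as a statement of intent rather than a checked assertion. The two functions cover the constant-null (`void (*f)(void) = 0;`) and constraint-derived (`if (f) return;`) paths, which matches the StNull/StNonNull split in the checker; together with the existing unconstrained `g` case above they cover the three cases a reader would expect.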