blob: 0fdab83d7f8a6d490c0a4f5bc01413758112e0e2 [file] [log] [blame]
Ted Kremenek033a07e2011-08-03 23:14:55 +00001// RUN: %clang_cc1 -triple i386-apple-darwin9 -analyze -analyzer-checker=core,deadcode.IdempotentOperations,experimental.core.CastToStruct,experimental.security.ReturnPtrRange,experimental.security.ArrayBound -analyzer-store=region -verify -fblocks -analyzer-opt-analyze-nested-blocks %s
2// RUN: %clang_cc1 -triple x86_64-apple-darwin9 -DTEST_64 -analyze -analyzer-checker=core,deadcode.IdempotentOperations,experimental.core.CastToStruct,experimental.security.ReturnPtrRange,experimental.security.ArrayBound -analyzer-store=region -verify -fblocks -analyzer-opt-analyze-nested-blocks %s
Ted Kremenek2dabd422009-01-22 18:53:15 +00003
Ted Kremenek786cc722010-02-23 07:17:57 +00004typedef long unsigned int size_t;
5void *memcpy(void *, const void *, size_t);
6void *alloca(size_t);
7
Ted Kremenekaad45e02009-03-05 04:55:08 +00008typedef struct objc_selector *SEL;
9typedef signed char BOOL;
10typedef int NSInteger;
11typedef unsigned int NSUInteger;
12typedef struct _NSZone NSZone;
13@class NSInvocation, NSMethodSignature, NSCoder, NSString, NSEnumerator;
14@protocol NSObject - (BOOL)isEqual:(id)object; @end
15@protocol NSCopying - (id)copyWithZone:(NSZone *)zone; @end
16@protocol NSMutableCopying - (id)mutableCopyWithZone:(NSZone *)zone; @end
17@protocol NSCoding - (void)encodeWithCoder:(NSCoder *)aCoder; @end
18@interface NSObject <NSObject> {} - (id)init; @end
19extern id NSAllocateObject(Class aClass, NSUInteger extraBytes, NSZone *zone);
20@interface NSString : NSObject <NSCopying, NSMutableCopying, NSCoding>
21- (NSUInteger)length;
22+ (id)stringWithUTF8String:(const char *)nullTerminatedCString;
23@end extern NSString * const NSBundleDidLoadNotification;
24@interface NSAssertionHandler : NSObject {}
25+ (NSAssertionHandler *)currentHandler;
26- (void)handleFailureInMethod:(SEL)selector object:(id)object file:(NSString *)fileName lineNumber:(NSInteger)line description:(NSString *)format,...;
27@end
28extern NSString * const NSConnectionReplyMode;
29
Ted Kremenek5bbc8e72009-12-23 02:52:14 +000030#ifdef TEST_64
31typedef long long int64_t;
32typedef int64_t intptr_t;
33#else
34typedef int int32_t;
35typedef int32_t intptr_t;
36#endif
Ted Kremenekaad45e02009-03-05 04:55:08 +000037
Ted Kremenek2dabd422009-01-22 18:53:15 +000038//---------------------------------------------------------------------------
39// Test case 'checkaccess_union' differs for region store and basic store.
40// The basic store doesn't reason about compound literals, so the code
41// below won't fire an "uninitialized value" warning.
42//---------------------------------------------------------------------------
43
44// PR 2948 (testcase; crash on VisitLValue for union types)
45// http://llvm.org/bugs/show_bug.cgi?id=2948
Ted Kremenek2dabd422009-01-22 18:53:15 +000046void checkaccess_union() {
47 int ret = 0, status;
Ted Kremenekd4e5a602009-08-06 21:43:54 +000048 // Since RegionStore doesn't handle unions yet,
49 // this branch condition won't be triggered
50 // as involving an uninitialized value.
51 if (((((__extension__ (((union { // no-warning
Ted Kremenek2dabd422009-01-22 18:53:15 +000052 __typeof (status) __in; int __i;}
53 )
54 {
55 .__in = (status)}
56 ).__i))) & 0xff00) >> 8) == 1)
57 ret = 1;
58}
Ted Kremenekd104a092009-03-04 22:56:43 +000059
Ted Kremenekd104a092009-03-04 22:56:43 +000060// Check our handling of fields being invalidated by function calls.
61struct test2_struct { int x; int y; char* s; };
Chris Lattnere0303582010-01-09 20:43:19 +000062void test2_help(struct test2_struct* p);
Ted Kremenekd104a092009-03-04 22:56:43 +000063
64char test2() {
65 struct test2_struct s;
66 test2_help(&s);
67 char *p = 0;
68
69 if (s.x > 1) {
70 if (s.s != 0) {
71 p = "hello";
72 }
73 }
74
75 if (s.x > 1) {
76 if (s.s != 0) {
77 return *p;
78 }
79 }
80
81 return 'a';
82}
Ted Kremenekaad45e02009-03-05 04:55:08 +000083
Ted Kremenek54ca9b12009-07-13 21:55:12 +000084// BasicStore handles this case incorrectly because it doesn't reason about
85// the value pointed to by 'x' and thus creates different symbolic values
86// at the declarations of 'a' and 'b' respectively. RegionStore handles
87// it correctly. See the companion test in 'misc-ps-basic-store.m'.
88void test_trivial_symbolic_comparison_pointer_parameter(int *x) {
89 int a = *x;
90 int b = *x;
91 if (a != b) {
92 int *p = 0;
93 *p = 0xDEADBEEF; // no-warning
94 }
95}
96
Ted Kremenek60fbe8f2009-07-14 20:48:22 +000097// This is a modified test from 'misc-ps.m'. Here we have the extra
98// NULL dereferences which are pruned out by RegionStore's symbolic reasoning
99// of fields.
100typedef struct _BStruct { void *grue; } BStruct;
101void testB_aux(void *ptr);
Ted Kremenek0c106992009-07-14 23:17:22 +0000102
Ted Kremenek60fbe8f2009-07-14 20:48:22 +0000103void testB(BStruct *b) {
Ted Kremeneka6275a52009-07-15 02:31:43 +0000104 {
105 int *__gruep__ = ((int *)&((b)->grue));
106 int __gruev__ = *__gruep__;
107 int __gruev2__ = *__gruep__;
108 if (__gruev__ != __gruev2__) {
109 int *p = 0;
110 *p = 0xDEADBEEF; // no-warning
111 }
112
113 testB_aux(__gruep__);
114 }
115 {
116 int *__gruep__ = ((int *)&((b)->grue));
117 int __gruev__ = *__gruep__;
118 int __gruev2__ = *__gruep__;
119 if (__gruev__ != __gruev2__) {
120 int *p = 0;
121 *p = 0xDEADBEEF; // no-warning
122 }
123
124 if (~0 != __gruev__) {}
125 }
Ted Kremenek60fbe8f2009-07-14 20:48:22 +0000126}
127
128void testB_2(BStruct *b) {
129 {
130 int **__gruep__ = ((int **)&((b)->grue));
131 int *__gruev__ = *__gruep__;
132 testB_aux(__gruep__);
133 }
134 {
135 int **__gruep__ = ((int **)&((b)->grue));
136 int *__gruev__ = *__gruep__;
137 if ((int*)~0 != __gruev__) {}
138 }
139}
Ted Kremenek386af0a2009-07-18 05:02:33 +0000140
141// This test case is a reduced case of a caching bug discovered by an
142// assertion failure in RegionStoreManager::BindArray. Essentially the
143// DeclStmt is evaluated twice, but on the second loop iteration the
144// engine caches out. Previously a false transition would cause UnknownVal
145// to bind to the variable, firing an assertion failure. This bug was fixed
146// in r76262.
147void test_declstmt_caching() {
148again:
149 {
150 const char a[] = "I like to crash";
151 goto again;
152 }
153}
Ted Kremenek28ba10c2009-08-03 22:23:24 +0000154
Ted Kremenekab22ee92009-10-20 01:20:57 +0000155//===----------------------------------------------------------------------===//
Ted Kremenek28ba10c2009-08-03 22:23:24 +0000156// Reduced test case from <rdar://problem/7114618>.
157// Basically a null check is performed on the field value, which is then
158// assigned to a variable and then checked again.
Ted Kremenekab22ee92009-10-20 01:20:57 +0000159//===----------------------------------------------------------------------===//
Ted Kremenek28ba10c2009-08-03 22:23:24 +0000160struct s_7114618 { int *p; };
161void test_rdar_7114618(struct s_7114618 *s) {
162 if (s->p) {
163 int *p = s->p;
164 if (!p) {
165 // Infeasible
166 int *dead = 0;
167 *dead = 0xDEADBEEF; // no-warning
168 }
169 }
170}
Zhongxing Xubfc81682009-08-05 03:45:09 +0000171
172// Test pointers increment correctly.
173void f() {
174 int a[2];
175 a[1] = 3;
176 int *p = a;
177 p++;
178 if (*p != 3) {
179 int *q = 0;
180 *q = 3; // no-warning
181 }
182}
Ted Kremenek69181a82009-09-21 22:58:52 +0000183
Ted Kremenekab22ee92009-10-20 01:20:57 +0000184//===----------------------------------------------------------------------===//
Ted Kremenek69181a82009-09-21 22:58:52 +0000185// <rdar://problem/7185607>
186// Bit-fields of a struct should be invalidated when blasting the entire
187// struct with an integer constant.
Ted Kremenekab22ee92009-10-20 01:20:57 +0000188//===----------------------------------------------------------------------===//
Ted Kremenek69181a82009-09-21 22:58:52 +0000189struct test_7185607 {
190 int x : 10;
191 int y : 22;
192};
193int rdar_test_7185607() {
194 struct test_7185607 s; // Uninitialized.
195 *((unsigned *) &s) = 0U;
196 return s.x; // no-warning
197}
198
Ted Kremenekab22ee92009-10-20 01:20:57 +0000199//===----------------------------------------------------------------------===//
Ted Kremenekcf549592009-09-22 21:19:14 +0000200// <rdar://problem/7242006> [RegionStore] compound literal assignment with
201// floats not honored
202// This test case is mirrored in misc-ps.m, but this case is a negative.
Ted Kremenekab22ee92009-10-20 01:20:57 +0000203//===----------------------------------------------------------------------===//
Ted Kremenekcf549592009-09-22 21:19:14 +0000204typedef float CGFloat;
205typedef struct _NSSize {
206 CGFloat width;
207 CGFloat height;
208} NSSize;
209
210CGFloat rdar7242006_negative(CGFloat x) {
211 NSSize y;
212 return y.width; // expected-warning{{garbage}}
213}
Ted Kremenek69181a82009-09-21 22:58:52 +0000214
Ted Kremenekab22ee92009-10-20 01:20:57 +0000215//===----------------------------------------------------------------------===//
Ted Kremenek0954cde2009-09-24 04:11:44 +0000216// <rdar://problem/7249340> - Allow binding of values to symbolic regions.
217// This test case shows how RegionStore tracks the value bound to 'x'
218// after the assignment.
Ted Kremenekab22ee92009-10-20 01:20:57 +0000219//===----------------------------------------------------------------------===//
Ted Kremenek35dcad82009-09-24 06:24:32 +0000220typedef int* ptr_rdar_7249340;
221void rdar_7249340(ptr_rdar_7249340 x) {
Ted Kremenek0954cde2009-09-24 04:11:44 +0000222 *x = 1;
223 if (*x)
224 return;
225 int *p = 0; // This is unreachable.
226 *p = 0xDEADBEEF; // no-warning
227}
228
Ted Kremenekab22ee92009-10-20 01:20:57 +0000229//===----------------------------------------------------------------------===//
Ted Kremenek80417472009-09-25 00:18:15 +0000230// <rdar://problem/7249327> - This test case tests both value tracking of
231// array values and that we handle symbolic values that are casted
232// between different integer types. Note the assignment 'n = *a++'; here
233// 'n' is and 'int' and '*a' is 'unsigned'. Previously we got a false positive
234// at 'x += *b++' (undefined value) because we got a false path.
Ted Kremenekab22ee92009-10-20 01:20:57 +0000235//===----------------------------------------------------------------------===//
Ted Kremenek80417472009-09-25 00:18:15 +0000236int rdar_7249327_aux(void);
237
238void rdar_7249327(unsigned int A[2*32]) {
239 int B[2*32];
240 int *b;
241 unsigned int *a;
242 int x = 0;
243
244 int n;
245
246 a = A;
247 b = B;
248
249 n = *a++;
250 if (n)
251 *b++ = rdar_7249327_aux();
252
253 a = A;
254 b = B;
255
Tom Care6d0e6ce2010-08-27 22:46:32 +0000256 n = *a++; // expected-warning{{Assigned value is always the same as the existing value}}
Ted Kremenek80417472009-09-25 00:18:15 +0000257 if (n)
258 x += *b++; // no-warning
259}
260
Ted Kremenekab22ee92009-10-20 01:20:57 +0000261//===----------------------------------------------------------------------===//
Ted Kremenek87806792009-09-27 20:45:21 +0000262// <rdar://problem/6914474> - Check that 'x' is invalidated because its
263// address is passed in as a value to a struct.
Ted Kremenekab22ee92009-10-20 01:20:57 +0000264//===----------------------------------------------------------------------===//
Ted Kremenek87806792009-09-27 20:45:21 +0000265struct doodad_6914474 { int *v; };
266extern void prod_6914474(struct doodad_6914474 *d);
267int rdar_6914474(void) {
268 int x;
269 struct doodad_6914474 d;
270 d.v = &x;
271 prod_6914474(&d);
272 return x; // no-warning
273}
274
Ted Kremeneka5971b32009-09-29 03:34:03 +0000275// Test invalidation of a single field.
276struct s_test_field_invalidate {
277 int x;
278};
279extern void test_invalidate_field(int *x);
280int test_invalidate_field_test() {
281 struct s_test_field_invalidate y;
282 test_invalidate_field(&y.x);
283 return y.x; // no-warning
284}
285int test_invalidate_field_test_positive() {
286 struct s_test_field_invalidate y;
287 return y.x; // expected-warning{{garbage}}
288}
289
Ted Kremenek9e17cc62009-09-29 06:35:00 +0000290// This test case illustrates how a typeless array of bytes casted to a
291// struct should be treated as initialized. RemoveDeadBindings previously
292// had a bug that caused 'x' to lose its default symbolic value after the
293// assignment to 'p', thus causing 'p->z' to evaluate to "undefined".
294struct ArrayWrapper { unsigned char y[16]; };
295struct WrappedStruct { unsigned z; };
Ted Kremeneka5971b32009-09-29 03:34:03 +0000296
Ted Kremenek9e17cc62009-09-29 06:35:00 +0000297int test_handle_array_wrapper() {
298 struct ArrayWrapper x;
299 test_handle_array_wrapper(&x);
Zhongxing Xu4f3dc692009-11-09 08:07:38 +0000300 struct WrappedStruct *p = (struct WrappedStruct*) x.y; // expected-warning{{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption.}}
Ted Kremenek9e17cc62009-09-29 06:35:00 +0000301 return p->z; // no-warning
302}
Ted Kremeneka5971b32009-09-29 03:34:03 +0000303
Ted Kremenekab22ee92009-10-20 01:20:57 +0000304//===----------------------------------------------------------------------===//
Ted Kremenek95efe0f2009-09-29 16:36:48 +0000305// <rdar://problem/7261075> [RegionStore] crash when
306// handling load: '*((unsigned int *)"????")'
Ted Kremenekab22ee92009-10-20 01:20:57 +0000307//===----------------------------------------------------------------------===//
308
Ted Kremenek95efe0f2009-09-29 16:36:48 +0000309int rdar_7261075(void) {
310 unsigned int var = 0;
311 if (var == *((unsigned int *)"????"))
312 return 1;
313 return 0;
314}
315
Ted Kremenekab22ee92009-10-20 01:20:57 +0000316//===----------------------------------------------------------------------===//
Ted Kremenekcd8f6ac2009-10-06 01:39:48 +0000317// <rdar://problem/7275774> false path due to limited pointer
318// arithmetic constraints
Ted Kremenekab22ee92009-10-20 01:20:57 +0000319//===----------------------------------------------------------------------===//
320
Ted Kremenekcd8f6ac2009-10-06 01:39:48 +0000321void rdar_7275774(void *data, unsigned n) {
322 if (!(data || n == 0))
323 return;
324
325 unsigned short *p = (unsigned short*) data;
326 unsigned short *q = p + (n / 2);
327
328 if (p < q) {
329 // If we reach here, 'p' cannot be null. If 'p' is null, then 'n' must
330 // be '0', meaning that this branch is not feasible.
331 *p = *q; // no-warning
332 }
333}
334
Ted Kremenekab22ee92009-10-20 01:20:57 +0000335//===----------------------------------------------------------------------===//
336// <rdar://problem/7312221>
337//
338// Test that Objective-C instance variables aren't prematurely pruned
339// from the analysis state.
340//===----------------------------------------------------------------------===//
341
342struct rdar_7312221_value { int x; };
343
344@interface RDar7312221
345{
346 struct rdar_7312221_value *y;
347}
348- (void) doSomething_7312221;
349@end
350
351extern struct rdar_7312221_value *rdar_7312221_helper();
352extern int rdar_7312221_helper_2(id o);
353extern void rdar_7312221_helper_3(int z);
354
355@implementation RDar7312221
356- (void) doSomething_7312221 {
357 if (y == 0) {
358 y = rdar_7312221_helper();
359 if (y != 0) {
360 y->x = rdar_7312221_helper_2(self);
361 // The following use of 'y->x' previously triggered a null dereference, as the value of 'y'
362 // before 'y = rdar_7312221_helper()' would be used.
363 rdar_7312221_helper_3(y->x); // no-warning
364 }
365 }
366}
367@end
368
369struct rdar_7312221_container {
370 struct rdar_7312221_value *y;
371};
372
373extern int rdar_7312221_helper_4(struct rdar_7312221_container *s);
374
375// This test case essentially matches the one in [RDar7312221 doSomething_7312221].
376void doSomething_7312221_with_struct(struct rdar_7312221_container *Self) {
377 if (Self->y == 0) {
378 Self->y = rdar_7312221_helper();
379 if (Self->y != 0) {
380 Self->y->x = rdar_7312221_helper_4(Self);
381 rdar_7312221_helper_3(Self->y->x); // no-warning
382 }
383 }
384}
385
Ted Kremeneka65c3872009-10-27 01:05:20 +0000386//===----------------------------------------------------------------------===//
387// <rdar://problem/7332673> - Just more tests cases for regions
388//===----------------------------------------------------------------------===//
389
390void rdar_7332673_test1() {
391 char value[1];
392 if ( *(value) != 1 ) {} // expected-warning{{The left operand of '!=' is a garbage value}}
393}
Chris Lattnere0303582010-01-09 20:43:19 +0000394int rdar_7332673_test2_aux(char *x);
Ted Kremeneka65c3872009-10-27 01:05:20 +0000395void rdar_7332673_test2() {
396 char *value;
Ted Kremenek818b4332010-09-09 22:51:55 +0000397 if ( rdar_7332673_test2_aux(value) != 1 ) {} // expected-warning{{Function call argument is an uninitialized value}}
Ted Kremeneka65c3872009-10-27 01:05:20 +0000398}
399
Ted Kremenek01756192009-10-29 05:14:17 +0000400//===----------------------------------------------------------------------===//
401// <rdar://problem/7347252>: Because of a bug in
402// RegionStoreManager::RemoveDeadBindings(), the symbol for s->session->p
403// would incorrectly be pruned from the state after the call to
404// rdar7347252_malloc1(), and would incorrectly result in a warning about
405// passing a null pointer to rdar7347252_memcpy().
406//===----------------------------------------------------------------------===//
407
408struct rdar7347252_AA { char *p;};
409typedef struct {
410 struct rdar7347252_AA *session;
411 int t;
412 char *q;
413} rdar7347252_SSL1;
414
415int rdar7347252_f(rdar7347252_SSL1 *s);
416char *rdar7347252_malloc1(int);
417char *rdar7347252_memcpy1(char *d, char *s, int n) __attribute__((nonnull (1,2)));
418
419int rdar7347252(rdar7347252_SSL1 *s) {
420 rdar7347252_f(s); // the SymbolicRegion of 's' is set a default binding of conjured symbol
421 if (s->session->p == ((void*)0)) {
422 if ((s->session->p = rdar7347252_malloc1(10)) == ((void*)0)) {
423 return 0;
424 }
425 rdar7347252_memcpy1(s->session->p, "aa", 2); // no-warning
426 }
427 return 0;
428}
Ted Kremenek5bbe7892009-10-30 05:48:30 +0000429
430//===----------------------------------------------------------------------===//
431// PR 5316 - "crash when accessing field of lazy compound value"
432// Previously this caused a crash at the MemberExpr '.chr' when loading
433// a field value from a LazyCompoundVal
434//===----------------------------------------------------------------------===//
435
436typedef unsigned int pr5316_wint_t;
437typedef pr5316_wint_t pr5316_REFRESH_CHAR;
438typedef struct {
439 pr5316_REFRESH_CHAR chr;
440}
441pr5316_REFRESH_ELEMENT;
442static void pr5316(pr5316_REFRESH_ELEMENT *dst, const pr5316_REFRESH_ELEMENT *src) {
443 while ((*dst++ = *src++).chr != L'\0') ;
444}
Ted Kremenek6f516f52009-11-06 20:16:31 +0000445
446//===----------------------------------------------------------------------===//
447// Exercise creating ElementRegion with symbolic super region.
448//===----------------------------------------------------------------------===//
449void element_region_with_symbolic_superregion(int* p) {
450 int *x;
451 int a;
452 if (p[0] == 1)
453 x = &a;
454 if (p[0] == 1)
455 (void)*x; // no-warning
456}
457
458//===----------------------------------------------------------------------===//
459// Test returning an out-of-bounds pointer (CWE-466)
460//===----------------------------------------------------------------------===//
461
462static int test_cwe466_return_outofbounds_pointer_a[10];
463int *test_cwe466_return_outofbounds_pointer() {
464 int *p = test_cwe466_return_outofbounds_pointer_a+10;
465 return p; // expected-warning{{Returned pointer value points outside the original object}}
466}
467
Ted Kremenek7344c872009-11-06 20:32:38 +0000468//===----------------------------------------------------------------------===//
469// PR 3135 - Test case that shows that a variable may get invalidated when its
470// address is included in a structure that is passed-by-value to an unknown function.
471//===----------------------------------------------------------------------===//
472
473typedef struct { int *a; } pr3135_structure;
474int pr3135_bar(pr3135_structure *x);
475int pr3135() {
476 int x;
477 pr3135_structure y = { &x };
478 // the call to pr3135_bar may initialize x
479 if (pr3135_bar(&y) && x) // no-warning
480 return 1;
481 return 0;
482}
483
Ted Kremenek027e2662009-11-19 20:20:24 +0000484//===----------------------------------------------------------------------===//
485// <rdar://problem/7403269> - Test that we handle compound initializers with
486// partially unspecified array values. Previously this caused a crash.
487//===----------------------------------------------------------------------===//
488
489typedef struct RDar7403269 {
490 unsigned x[10];
491 unsigned y;
492} RDar7403269;
493
494void rdar7403269() {
495 RDar7403269 z = { .y = 0 };
496 if (z.x[4] == 0)
497 return;
498 int *p = 0;
499 *p = 0xDEADBEEF; // no-warning
500}
501
502typedef struct RDar7403269_b {
503 struct zorg { int w; int k; } x[10];
504 unsigned y;
505} RDar7403269_b;
506
507void rdar7403269_b() {
508 RDar7403269_b z = { .y = 0 };
509 if (z.x[5].w == 0)
510 return;
511 int *p = 0;
512 *p = 0xDEADBEEF; // no-warning
513}
514
515void rdar7403269_b_pos() {
516 RDar7403269_b z = { .y = 0 };
517 if (z.x[5].w == 1)
518 return;
519 int *p = 0;
520 *p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}}
521}
522
Ted Kremenek8ea06e92009-11-21 02:17:47 +0000523
524//===----------------------------------------------------------------------===//
525// Test that incrementing a non-null pointer results in a non-null pointer.
526// (<rdar://problem/7191542>)
527//===----------------------------------------------------------------------===//
528
529void test_increment_nonnull_rdar_7191542(const char *path) {
530 const char *alf = 0;
531
532 for (;;) {
533 // When using basic-store, we get a null dereference here because we lose information
534 // about path after the pointer increment.
535 char c = *path++; // no-warning
536 if (c == 'a') {
537 alf = path;
538 }
539
540 if (alf)
541 return;
542 }
543}
544
Ted Kremenek7c5c9652009-11-21 02:52:12 +0000545//===----------------------------------------------------------------------===//
546// Test that the store (implicitly) tracks values for doubles/floats that are
547// uninitialized (<rdar://problem/6811085>)
548//===----------------------------------------------------------------------===//
549
550double rdar_6811085(void) {
551 double u;
552 return u + 10; // expected-warning{{The left operand of '+' is a garbage value}}
553}
Ted Kremenek8ea06e92009-11-21 02:17:47 +0000554
Ted Kremenek2ffbfd92009-12-03 08:25:47 +0000555//===----------------------------------------------------------------------===//
556// Path-sensitive tests for blocks.
557//===----------------------------------------------------------------------===//
558
559void indirect_block_call(void (^f)());
560
561int blocks_1(int *p, int z) {
562 __block int *q = 0;
563 void (^bar)() = ^{ q = p; };
564
565 if (z == 1) {
566 // The call to 'bar' might cause 'q' to be invalidated.
567 bar();
568 *q = 0x1; // no-warning
569 }
570 else if (z == 2) {
571 // The function 'indirect_block_call' might invoke bar, thus causing
572 // 'q' to possibly be invalidated.
573 indirect_block_call(bar);
574 *q = 0x1; // no-warning
575 }
576 else {
577 *q = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}}
578 }
579 return z;
580}
581
Ted Kremenek9f303be2009-12-03 18:29:20 +0000582int blocks_2(int *p, int z) {
583 int *q = 0;
584 void (^bar)(int **) = ^(int **r){ *r = p; };
585
586 if (z) {
587 // The call to 'bar' might cause 'q' to be invalidated.
588 bar(&q);
589 *q = 0x1; // no-warning
590 }
591 else {
592 *q = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}}
593 }
594 return z;
595}
596
Ted Kremenekcada3052010-02-05 06:10:46 +0000597// Test that the value of 'x' is considered invalidated after the block
598// is passed as an argument to the message expression.
599typedef void (^RDar7582031CB)(void);
600@interface RDar7582031
601- rdar7582031:RDar7582031CB;
Ted Kremenek85248732010-02-06 00:30:00 +0000602- rdar7582031_b:RDar7582031CB;
Ted Kremenekcada3052010-02-05 06:10:46 +0000603@end
604
Ted Kremenek85248732010-02-06 00:30:00 +0000605// Test with one block.
Ted Kremenekcada3052010-02-05 06:10:46 +0000606unsigned rdar7582031(RDar7582031 *o) {
607 __block unsigned x;
608 [o rdar7582031:^{ x = 1; }];
609 return x; // no-warning
610}
611
Ted Kremenek85248732010-02-06 00:30:00 +0000612// Test with two blocks.
613unsigned long rdar7582031_b(RDar7582031 *o) {
614 __block unsigned y;
615 __block unsigned long x;
616 [o rdar7582031:^{ y = 1; }];
617 [o rdar7582031_b:^{ x = 1LL; }];
618 return x + (unsigned long) y; // no-warning
619}
620
621// Show we get an error when 'o' is null because the message
622// expression has no effect.
623unsigned long rdar7582031_b2(RDar7582031 *o) {
624 __block unsigned y;
625 __block unsigned long x;
626 if (o)
627 return 1;
628 [o rdar7582031:^{ y = 1; }];
629 [o rdar7582031_b:^{ x = 1LL; }];
630 return x + (unsigned long) y; // expected-warning{{The left operand of '+' is a garbage value}}
631}
632
633// Show that we handle static variables also getting invalidated.
634void rdar7582031_aux(void (^)(void));
635RDar7582031 *rdar7582031_aux_2();
636
637unsigned rdar7582031_static() {
638 static RDar7582031 *o = 0;
639 rdar7582031_aux(^{ o = rdar7582031_aux_2(); });
640
641 __block unsigned x;
642 [o rdar7582031:^{ x = 1; }];
643 return x; // no-warning
644}
645
Ted Kremenek2b87ae42009-12-11 06:43:27 +0000646//===----------------------------------------------------------------------===//
647// <rdar://problem/7462324> - Test that variables passed using __blocks
648// are not treated as being uninitialized.
649//===----------------------------------------------------------------------===//
650
651typedef void (^RDar_7462324_Callback)(id obj);
652
653@interface RDar7462324
654- (void) foo:(id)target;
655- (void) foo_positive:(id)target;
656
657@end
658
659@implementation RDar7462324
660- (void) foo:(id)target {
661 __block RDar_7462324_Callback builder = ((void*) 0);
662 builder = ^(id object) {
663 if (object) {
664 builder(self); // no-warning
665 }
666 };
667 builder(target);
668}
669- (void) foo_positive:(id)target {
670 __block RDar_7462324_Callback builder = ((void*) 0);
671 builder = ^(id object) {
672 id x;
673 if (object) {
Ted Kremenek818b4332010-09-09 22:51:55 +0000674 builder(x); // expected-warning{{Function call argument is an uninitialized value}}
Ted Kremenek2b87ae42009-12-11 06:43:27 +0000675 }
676 };
677 builder(target);
678}
679@end
680
Ted Kremenek5348f942009-12-14 22:15:06 +0000681//===----------------------------------------------------------------------===//
682// <rdar://problem/7468209> - Scanning for live variables within a block should
683// not crash on variables passed by reference via __block.
684//===----------------------------------------------------------------------===//
685
686int rdar7468209_aux();
Chris Lattnere0303582010-01-09 20:43:19 +0000687void rdar7468209_aux_2();
Ted Kremenek5348f942009-12-14 22:15:06 +0000688
689void rdar7468209() {
690 __block int x = 0;
691 ^{
692 x = rdar7468209_aux();
693 // We need a second statement so that 'x' would be removed from the store if it wasn't
694 // passed by reference.
695 rdar7468209_aux_2();
696 }();
697}
698
Ted Kremenek5bbc8e72009-12-23 02:52:14 +0000699//===----------------------------------------------------------------------===//
700// PR 5857 - Test loading an integer from a byte array that has also been
701// reinterpreted to be loaded as a field.
702//===----------------------------------------------------------------------===//
703
704typedef struct { int x; } TestFieldLoad;
705int pr5857(char *src) {
706 TestFieldLoad *tfl = (TestFieldLoad *) (intptr_t) src;
707 int y = tfl->x;
708 long long *z = (long long *) (intptr_t) src;
709 long long w = 0;
710 int n = 0;
Tom Care6216dc02010-08-30 19:25:43 +0000711 for (n = 0; n < y; ++n) {
Ted Kremenek5bbc8e72009-12-23 02:52:14 +0000712 // Previously we crashed analyzing this statement.
713 w = *z++;
714 }
715 return 1;
716}
717
Ted Kremenekcafefbe2009-12-24 00:48:11 +0000718//===----------------------------------------------------------------------===//
719// PR 4358 - Without field-sensitivity, this code previously triggered
720// a false positive that 'uninit' could be uninitialized at the call
721// to pr4358_aux().
722//===----------------------------------------------------------------------===//
723
724struct pr4358 {
725 int bar;
726 int baz;
727};
728void pr4358_aux(int x);
729void pr4358(struct pr4358 *pnt) {
730 int uninit;
731 if (pnt->bar < 3) {
732 uninit = 1;
733 } else if (pnt->baz > 2) {
734 uninit = 3;
735 } else if (pnt->baz <= 2) {
736 uninit = 2;
737 }
738 pr4358_aux(uninit); // no-warning
739}
Ted Kremenek4a749b92010-01-09 22:58:54 +0000740
741//===----------------------------------------------------------------------===//
742// <rdar://problem/7526777>
743// Test handling fields of values returned from function calls or
744// message expressions.
745//===----------------------------------------------------------------------===//
746
747typedef struct testReturn_rdar_7526777 {
748 int x;
749 int y;
750} testReturn_rdar_7526777;
751
752@interface TestReturnStruct_rdar_7526777
753- (testReturn_rdar_7526777) foo;
754@end
755
756int test_return_struct(TestReturnStruct_rdar_7526777 *x) {
757 return [x foo].x;
758}
759
760testReturn_rdar_7526777 test_return_struct_2_aux_rdar_7526777();
761
762int test_return_struct_2_rdar_7526777() {
763 return test_return_struct_2_aux_rdar_7526777().x;
764}
765
Ted Kremenekc50e6df2010-01-11 02:33:26 +0000766//===----------------------------------------------------------------------===//
767// <rdar://problem/7527292> Assertion failed: (Op == BinaryOperator::Add ||
768// Op == BinaryOperator::Sub)
769// This test case previously triggered an assertion failure due to a discrepancy
770// been the loaded/stored value in the array
771//===----------------------------------------------------------------------===//
772
773_Bool OSAtomicCompareAndSwapPtrBarrier( void *__oldValue, void *__newValue, void * volatile *__theValue );
774
775void rdar_7527292() {
776 static id Cache7527292[32];
777 for (signed long idx = 0;
778 idx < 32;
779 idx++) {
780 id v = Cache7527292[idx];
781 if (v && OSAtomicCompareAndSwapPtrBarrier(v, ((void*)0), (void * volatile *)(Cache7527292 + idx))) {
782 }
783 }
784}
785
Ted Kremenekfee90812010-01-26 23:51:00 +0000786//===----------------------------------------------------------------------===//
787// <rdar://problem/7515938> - Handle initialization of incomplete arrays
788// in structures using a compound value. Previously this crashed.
789//===----------------------------------------------------------------------===//
790
791struct rdar_7515938 {
792 int x;
793 int y[];
794};
795
796const struct rdar_7515938 *rdar_7515938() {
797 static const struct rdar_7515938 z = { 0, { 1, 2 } };
798 if (z.y[0] != 1) {
799 int *p = 0;
800 *p = 0xDEADBEEF; // no-warning
801 }
802 return &z;
803}
804
805struct rdar_7515938_str {
806 int x;
807 char y[];
808};
809
810const struct rdar_7515938_str *rdar_7515938_str() {
811 static const struct rdar_7515938_str z = { 0, "hello" };
812 return &z;
813}
Ted Kremenek68ebd832010-02-04 07:25:56 +0000814
815//===----------------------------------------------------------------------===//
816// Assorted test cases from PR 4172.
817//===----------------------------------------------------------------------===//
818
819struct PR4172A_s { int *a; };
820
821void PR4172A_f2(struct PR4172A_s *p);
822
823int PR4172A_f1(void) {
824 struct PR4172A_s m;
825 int b[4];
826 m.a = b;
827 PR4172A_f2(&m);
828 return b[3]; // no-warning
829}
830
831struct PR4172B_s { int *a; };
832
833void PR4172B_f2(struct PR4172B_s *p);
834
835int PR4172B_f1(void) {
836 struct PR4172B_s m;
837 int x;
838 m.a = &x;
839 PR4172B_f2(&m);
840 return x; // no-warning
841}
842
Ted Kremenek24c37ad2010-02-13 01:52:33 +0000843//===----------------------------------------------------------------------===//
844// Test invalidation of values in struct literals.
845//===----------------------------------------------------------------------===//
846
847struct s_rev96062 { int *x; int *y; };
848struct s_rev96062_nested { struct s_rev96062 z; };
849
850void test_a_rev96062_aux(struct s_rev96062 *s);
851void test_a_rev96062_aux2(struct s_rev96062_nested *s);
852
853int test_a_rev96062() {
854 int a, b;
855 struct s_rev96062 x = { &a, &b };
856 test_a_rev96062_aux(&x);
857 return a + b; // no-warning
858}
859int test_b_rev96062() {
860 int a, b;
861 struct s_rev96062 x = { &a, &b };
862 struct s_rev96062 z = x;
863 test_a_rev96062_aux(&z);
864 return a + b; // no-warning
865}
866int test_c_rev96062() {
867 int a, b;
868 struct s_rev96062 x = { &a, &b };
869 struct s_rev96062_nested w = { x };
870 struct s_rev96062_nested z = w;
871 test_a_rev96062_aux2(&z);
872 return a + b; // no-warning
873}
Ted Kremenek786cc722010-02-23 07:17:57 +0000874
875//===----------------------------------------------------------------------===//
876// <rdar://problem/7242010> - The access to y[0] at the bottom previously
877// was reported as an uninitialized value.
878//===----------------------------------------------------------------------===//
879
880char *rdar_7242010(int count, char **y) {
881 char **x = alloca((count + 4) * sizeof(*x));
882 x[0] = "hi";
883 x[1] = "there";
884 x[2] = "every";
885 x[3] = "body";
886 memcpy(x + 4, y, count * sizeof(*x));
887 y = x;
888 return y[0]; // no-warning
889}
890
Ted Kremenek86d07a12010-03-19 19:45:03 +0000891//===----------------------------------------------------------------------===//
892// <rdar://problem/7770737>
893//===----------------------------------------------------------------------===//
894
895struct rdar_7770737_s { intptr_t p; };
896void rdar_7770737_aux(struct rdar_7770737_s *p);
897int rdar_7770737(void)
898{
899 int x;
900
901 // Previously 'f' was not properly invalidated, causing the use of
902 // an uninitailized value below.
903 struct rdar_7770737_s f = { .p = (intptr_t)&x };
904 rdar_7770737_aux(&f);
905 return x; // no-warning
906}
907int rdar_7770737_pos(void)
908{
909 int x;
910 struct rdar_7770737_s f = { .p = (intptr_t)&x };
911 return x; // expected-warning{{Undefined or garbage value returned to caller}}
912}
Ted Kremenek8891c422010-03-30 18:24:54 +0000913
914//===----------------------------------------------------------------------===//
915// Test handling of the implicit 'isa' field. For now we don't do anything
916// interesting.
917//===----------------------------------------------------------------------===//
918
919void pr6302(id x, Class y) {
920 // This previously crashed the analyzer (reported in PR 6302)
921 x->isa = y;
922}
Ted Kremenek4552ff02010-03-30 20:31:04 +0000923
924//===----------------------------------------------------------------------===//
925// Specially handle global variables that are declared constant. In the
926// example below, this forces the loop to take exactly 2 iterations.
927//===----------------------------------------------------------------------===//
928
929const int pr6288_L_N = 2;
930void pr6288_(void) {
931 int x[2];
932 int *px[2];
933 int i;
934 for (i = 0; i < pr6288_L_N; i++)
935 px[i] = &x[i];
936 *(px[0]) = 0; // no-warning
937}
938
939void pr6288_pos(int z) {
940 int x[2];
941 int *px[2];
942 int i;
943 for (i = 0; i < z; i++)
944 px[i] = &x[i]; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
945 *(px[0]) = 0; // expected-warning{{Dereference of undefined pointer value}}
946}
947
948void pr6288_b(void) {
949 const int L_N = 2;
950 int x[2];
951 int *px[2];
952 int i;
953 for (i = 0; i < L_N; i++)
954 px[i] = &x[i];
955 *(px[0]) = 0; // no-warning
956}
957
Ted Kremenek68b9a592010-04-06 22:06:03 +0000958// <rdar://problem/7817800> - A bug in RemoveDeadBindings was causing instance variable bindings
959// to get prematurely pruned from the state.
960@interface Rdar7817800 {
961 char *x;
962}
963- (void) rdar7817800_baz;
964@end
965
966char *rdar7817800_foobar();
967void rdar7817800_qux(void*);
968
969@implementation Rdar7817800
970- (void) rdar7817800_baz {
971 if (x)
972 rdar7817800_qux(x);
973 x = rdar7817800_foobar();
974 // Previously this triggered a bogus null dereference warning.
975 x[1] = 'a'; // no-warning
976}
977@end
978
Ted Kremenek974d97b2010-04-07 00:46:49 +0000979// PR 6036 - This test case triggered a crash inside StoreManager::CastRegion because the size
980// of 'unsigned long (*)[0]' is 0.
981struct pr6036_a { int pr6036_b; };
982struct pr6036_c;
983void u132monitk (struct pr6036_c *pr6036_d) {
984 (void) ((struct pr6036_a *) (unsigned long (*)[0]) ((char *) pr6036_d - 1))->pr6036_b; // expected-warning{{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption}}
985}
986
Ted Kremenek115c1b92010-04-11 17:02:10 +0000987// <rdar://problem/7813989> - ?-expressions used as a base of a member expression should be treated as an lvalue
988typedef struct rdar7813989_NestedVal { int w; } rdar7813989_NestedVal;
989typedef struct rdar7813989_Val { rdar7813989_NestedVal nv; } rdar7813989_Val;
990
991int rdar7813989(int x, rdar7813989_Val *a, rdar7813989_Val *b) {
992 // This previously crashed with an assertion failure.
993 int z = (x ? a->nv : b->nv).w;
994 return z + 1;
995}
996
Ted Kremenek1b49d762010-04-15 17:33:31 +0000997// PR 6844 - Don't crash on vaarg expression.
998typedef __builtin_va_list va_list;
999void map(int srcID, ...) {
1000 va_list ap;
1001 int i;
1002 for (i = 0; i < srcID; i++) {
1003 int v = __builtin_va_arg(ap, int);
1004 }
1005}
1006
Ted Kremenekd617b852010-04-16 17:54:33 +00001007// PR 6854 - crash when casting symbolic memory address to a float
1008// Handle casting from a symbolic region to a 'float'. This isn't
1009// really all that intelligent, but previously this caused a crash
1010// in SimpleSValuator.
1011void pr6854(void * arg) {
1012 void * a = arg;
1013 *(void**)a = arg;
1014 float f = *(float*) a;
1015}
1016
Ted Kremenek32f90102010-05-27 00:29:00 +00001017// <rdar://problem/8032791> False positive due to symbolic store not find
1018// value because of 'const' qualifier
1019double rdar_8032791_2();
1020double rdar_8032791_1() {
1021 struct R8032791 { double x[2]; double y; }
1022 data[3] = {
1023 {{1.0, 3.0}, 3.0}, // 1 2 3
1024 {{1.0, 1.0}, 0.0}, // 1 1 2 2 3 3
1025 {{1.0, 3.0}, 1.0} // 1 2 3
1026 };
1027
1028 double x = 0.0;
1029 for (unsigned i = 0 ; i < 3; i++) {
1030 const struct R8032791 *p = &data[i];
1031 x += p->y + rdar_8032791_2(); // no-warning
1032 }
1033 return x;
1034}
1035
Ted Kremenek3f8612b2010-06-22 23:58:31 +00001036// PR 7450 - Handle pointer arithmetic with __builtin_alloca
1037void pr_7450_aux(void *x);
1038void pr_7450() {
1039 void *p = __builtin_alloca(10);
1040 // Don't crash when analyzing the following statement.
1041 pr_7450_aux(p + 8);
1042}
1043
Ted Kremenek281e9dc2010-07-29 00:28:47 +00001044// <rdar://problem/8243408> - Symbolicate struct values returned by value.
1045struct s_rdar_8243408 { int x; };
1046extern struct s_rdar_8243408 rdar_8243408_aux(void);
1047void rdar_8243408(void) {
1048 struct s_rdar_8243408 a = { 1 }, *b = 0;
1049 while (a.x && !b)
1050 a = rdar_8243408_aux();
1051
1052 // Previously there was a false error here with 'b' being null.
1053 (void) (a.x && b->x); // no-warning
1054
1055 // Introduce a null deref to ensure we are checking this path.
1056 int *p = 0;
1057 *p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}}
1058}
1059
Ted Kremenek80776382010-08-02 20:33:00 +00001060// <rdar://problem/8258814>
1061int r8258814()
1062{
1063 int foo;
1064 int * a = &foo;
1065 a[0] = 10;
1066 // Do not warn that the value of 'foo' is uninitialized.
1067 return foo; // no-warning
1068}
Ted Kremenek1e4a32a2010-09-01 23:00:46 +00001069
1070// PR 8052 - Don't crash when reasoning about loads from a function address.\n
1071typedef unsigned int __uint32_t;
1072typedef unsigned long vm_offset_t;
1073typedef __uint32_t pd_entry_t;
1074typedef unsigned char u_char;
1075typedef unsigned int u_int;
1076typedef unsigned long u_long;
1077extern int bootMP_size;
1078void bootMP(void);
1079static void
1080pr8052(u_int boot_addr)
1081{
1082 int x;
1083 int size = *(int *) ((u_long) & bootMP_size);
1084 u_char *src = (u_char *) ((u_long) bootMP);
1085 u_char *dst = (u_char *) boot_addr + ((vm_offset_t) ((((((((1 <<
108612) / (sizeof(pd_entry_t))) - 1) - 1) - (260 - 2))) << 22) | ((0) << 12)));
1087 for (x = 0;
1088 x < size;
1089 ++x)
1090 *dst++ = *src++;
1091}
1092
Ted Kremenek41be9672010-09-01 23:27:26 +00001093// PR 8015 - don't return undefined values for arrays when using a valid
1094// symbolic index
1095int pr8015_A();
1096void pr8015_B(const char *);
1097
1098void pr8015_C() {
1099 int number = pr8015_A();
1100 const char *numbers[] = { "zero" };
1101 if (number == 0) {
1102 pr8015_B(numbers[number]); // no-warning
1103 }
1104}
1105
Ted Kremenek96ebad62010-09-09 07:13:00 +00001106// Tests that we correctly handle that 'number' is perfectly constrained
1107// after 'if (nunber == 0)', allowing us to resolve that
1108// numbers[number] == numbers[0].
Ted Kremenek41be9672010-09-01 23:27:26 +00001109void pr8015_D_FIXME() {
1110 int number = pr8015_A();
1111 const char *numbers[] = { "zero" };
1112 if (number == 0) {
Ted Kremenek96ebad62010-09-09 07:13:00 +00001113 if (numbers[number] == numbers[0]) // expected-warning{{Both operands to '==' always have the same value}}
Ted Kremenek41be9672010-09-01 23:27:26 +00001114 return;
Ted Kremenek96ebad62010-09-09 07:13:00 +00001115 // Unreachable.
Ted Kremenek41be9672010-09-01 23:27:26 +00001116 int *p = 0;
Ted Kremenek96ebad62010-09-09 07:13:00 +00001117 *p = 0xDEADBEEF; // no-warnng
Ted Kremenek41be9672010-09-01 23:27:26 +00001118 }
1119}
1120
Ted Kremenek19c74a02010-09-01 23:37:36 +00001121void pr8015_E() {
1122 // Similar to pr8015_C, but number is allowed to be a valid range.
Zhongxing Xu6610e7e2010-09-02 01:42:44 +00001123 unsigned number = pr8015_A();
Ted Kremenek19c74a02010-09-01 23:37:36 +00001124 const char *numbers[] = { "zero", "one", "two" };
1125 if (number < 3) {
1126 pr8015_B(numbers[number]); // no-warning
1127 }
1128}
1129
Ted Kremenekab9f13e2010-09-01 23:37:38 +00001130void pr8015_F_FIXME() {
1131 // Similar to pr8015_E, but like pr8015_D we check if the pointer
1132 // is the same as one of the string literals. The null dereference
1133 // here is not feasible in practice, so this is a false positive.
1134 int number = pr8015_A();
1135 const char *numbers[] = { "zero", "one", "two" };
1136 if (number < 3) {
1137 const char *p = numbers[number];
1138 if (p == numbers[0] || p == numbers[1] || p == numbers[2])
1139 return;
1140 int *q = 0;
1141 *q = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}}
1142 }
1143}
1144
Ted Kremenek44f8ef12010-09-14 01:13:32 +00001145// PR 8141. Previously the statement expression in the for loop caused
1146// the CFG builder to crash.
1147struct list_pr8141
1148{
1149 struct list_pr8141 *tail;
1150};
1151
1152struct list_pr8141 *
1153pr8141 (void) {
1154 struct list_pr8141 *items;
1155 for (;; items = ({ do { } while (0); items->tail; })) // expected-warning{{Dereference of undefined pointer value}}
1156 {
1157 }
1158}
Ted Kremenek555c77a2010-09-14 23:08:34 +00001159
Zhongxing Xua1898dd2010-10-27 03:23:10 +00001160// Don't crash when building the CFG.
1161void do_not_crash(int x) {
1162 while (x - ({do {} while (0); x; })) {
1163 }
1164}
1165
Ted Kremenek555c77a2010-09-14 23:08:34 +00001166// <rdar://problem/8424269> - Handle looking at the size of a VLA in
1167// ArrayBoundChecker. Nothing intelligent (yet); just don't crash.
1168typedef struct RDar8424269_A {
1169 int RDar8424269_C;
1170} RDar8424269_A;
1171static void RDar8424269_B(RDar8424269_A *p, unsigned char *RDar8424269_D,
1172 const unsigned char *RDar8424269_E, int RDar8424269_F,
1173 int b_w, int b_h, int dx, int dy) {
1174 int x, y, b, r, l;
1175 unsigned char tmp2t[3][RDar8424269_F * (32 + 8)];
1176 unsigned char *tmp2 = tmp2t[0];
1177 if (p && !p->RDar8424269_C)
1178 b = 15;
1179 tmp2 = tmp2t[1];
1180 if (b & 2) { // expected-warning{{The left operand of '&' is a garbage value}}
1181 for (y = 0; y < b_h; y++) {
1182 for (x = 0; x < b_w + 1; x++) {
1183 int am = 0;
1184 tmp2[x] = am;
1185 }
1186 }
1187 }
1188 tmp2 = tmp2t[2];
1189}
1190
Ted Kremenekbb0ba0b2010-11-09 02:11:43 +00001191// <rdar://problem/8642434> - Handle transparent unions with the AttrNonNullChecker.
1192typedef union {
1193 struct rdar_8642434_typeA *_dq;
1194}
1195rdar_8642434_typeB __attribute__((transparent_union));
1196
1197__attribute__((visibility("default"))) __attribute__((__nonnull__)) __attribute__((__nothrow__))
1198void rdar_8642434_funcA(rdar_8642434_typeB object);
1199
1200void rdar_8642434_funcB(struct rdar_8642434_typeA *x, struct rdar_8642434_typeA *y) {
1201 rdar_8642434_funcA(x);
1202 if (!y)
1203 rdar_8642434_funcA(y); // expected-warning{{Null pointer passed as an argument to a 'nonnull' parameter}}
1204}
Ted Kremenek555c77a2010-09-14 23:08:34 +00001205
Ted Kremenek09323602011-01-13 06:58:15 +00001206// <rdar://problem/8848957> - Handle loads and stores from a symbolic index
1207// into array without warning about an uninitialized value being returned.
1208// While RegionStore can't fully reason about this example, it shouldn't
1209// warn here either.
1210typedef struct s_test_rdar8848957 {
1211 int x, y, z;
1212} s_test_rdar8848957;
1213
1214s_test_rdar8848957 foo_rdar8848957();
1215int rdar8848957(int index) {
1216 s_test_rdar8848957 vals[10];
1217 vals[index] = foo_rdar8848957();
1218 return vals[index].x; // no-warning
1219}
Ted Kremenekf6a19fb2011-01-25 21:08:47 +00001220
1221// PR 9049 - crash on symbolicating unions. This test exists solely to
1222// test that the analyzer doesn't crash.
1223typedef struct pr9048_cdev *pr9048_cdev_t;
1224typedef union pr9048_abstracted_disklabel { void *opaque; } pr9048_disklabel_t;
1225struct pr9048_diskslice { pr9048_disklabel_t ds_label; };
1226struct pr9048_diskslices {
1227 int dss_secmult;
1228 struct pr9048_diskslice dss_slices[16];
1229};
1230void pr9048(pr9048_cdev_t dev, struct pr9048_diskslices * ssp, unsigned int slice)
1231{
1232 pr9048_disklabel_t lp;
1233 struct pr9048_diskslice *sp;
1234 sp = &ssp->dss_slices[slice];
1235 if (ssp->dss_secmult == 1) {
1236 } else if ((lp = sp->ds_label).opaque != ((void *) 0)) {
1237 }
1238}
1239
Ted Kremenekcf333332011-03-08 23:18:00 +00001240// Test Store reference counting in the presence of Lazy compound values.
1241// This previously caused an infinite recursion.
1242typedef struct {} Rdar_9103310_A;
1243typedef struct Rdar_9103310_B Rdar_9103310_B_t;
1244struct Rdar_9103310_B {
1245 unsigned char Rdar_9103310_C[101];
1246};
1247void Rdar_9103310_E(Rdar_9103310_A * x, struct Rdar_9103310_C * b) { // expected-warning {{declaration of 'struct Rdar_9103310_C' will not be visible outside of this function}}
1248 char Rdar_9103310_D[4][4] = { "a", "b", "c", "d"};
1249 int i;
1250 Rdar_9103310_B_t *y = (Rdar_9103310_B_t *) x;
1251 for (i = 0; i < 101; i++) {
1252 Rdar_9103310_F(b, "%2d%s ", (y->Rdar_9103310_C[i]) / 4, Rdar_9103310_D[(y->Rdar_9103310_C[i]) % 4]); // expected-warning {{implicit declaration of function 'Rdar_9103310_F' is invalid in C99}}
1253 }
1254}
1255
Ted Kremenek61374412011-03-17 03:51:51 +00001256// Test handling binding lazy compound values to a region and then have
1257// specific elements have other bindings.
1258int PR9455() {
1259 char arr[4] = "000";
1260 arr[0] = '1';
1261 if (arr[1] == '0')
1262 return 1;
1263 int *p = 0;
1264 *p = 0xDEADBEEF; // no-warning
1265 return 1;
1266}
1267int PR9455_2() {
1268 char arr[4] = "000";
1269 arr[0] = '1';
1270 if (arr[1] == '0') {
1271 int *p = 0;
1272 *p = 0xDEADBEEF; // expected-warning {{null}}
1273 }
1274 return 1;
1275}
Ted Kremenekcf333332011-03-08 23:18:00 +00001276
Ted Kremenek45fa6232011-04-03 04:09:15 +00001277// Test initialization of substructs via lazy compound values.
1278typedef float RDar9163742_Float;
1279
1280typedef struct {
1281 RDar9163742_Float x, y;
1282} RDar9163742_Point;
1283typedef struct {
1284 RDar9163742_Float width, height;
1285} RDar9163742_Size;
1286typedef struct {
1287 RDar9163742_Point origin;
1288 RDar9163742_Size size;
1289} RDar9163742_Rect;
1290
1291extern RDar9163742_Rect RDar9163742_RectIntegral(RDar9163742_Rect);
1292
1293RDar9163742_Rect RDar9163742_IntegralRect(RDar9163742_Rect frame)
1294{
1295 RDar9163742_Rect integralFrame;
1296 integralFrame.origin.x = frame.origin.x;
1297 integralFrame.origin.y = frame.origin.y;
1298 integralFrame.size = frame.size;
1299 return RDar9163742_RectIntegral(integralFrame); // no-warning; all fields initialized
1300}
1301
Ted Kremenekce306882011-05-20 23:40:06 +00001302// Test correct handling of prefix '--' operator.
1303void rdar9444714() {
1304 int x;
1305 char str[ 32 ];
1306 char buf[ 32 ];
1307 char * dst;
1308 char * ptr;
1309
1310 x = 1234;
1311 dst = str;
1312 ptr = buf;
1313 do
1314 {
1315 *ptr++ = (char)( '0' + ( x % 10 ) );
1316 x /= 10;
1317 } while( x > 0 );
1318
1319 while( ptr > buf )
1320 {
1321 *dst++ = *( --( ptr ) ); // no-warning
1322 }
1323 *dst = '\0';
1324}
1325