llvm-project/clang/test/Analysis/new-ctor-null.cpp

// RUN: %clang_analyze_cc1 \
// RUN:  -analyzer-checker=core,debug.ExprInspection \
// RUN:  -verify %s

void clang_analyzer_eval(bool);
void clang_analyzer_warnIfReached();

typedef __typeof__(sizeof(int)) size_t;

void *operator new(size_t size) throw() {
  return nullptr;
}
void *operator new[](size_t size) throw() {
  return nullptr;
}

struct S {
  int x;
  S() : x(1) {
    // FIXME: Constructor should not be called with null this, even if it was
    // returned by operator new().
    clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
  }
  ~S() {}
};

void testArrays() {
  S *s = new S[10]; // no-crash
  s[0].x = 2;
  // no-warning: 'Dereference of null pointer' suppressed by ReturnVisitor.
}

int global;
void testInvalidationOnConstructionIntoNull() {
  global = 0;
  S *s = new S();
  // FIXME: Should be FALSE - we should not invalidate globals.
  clang_analyzer_eval(global); // expected-warning{{UNKNOWN}}
}
[analyzer] ReturnVisitor: Bypass everything to see inlined calls Summary: When we traversed backwards on ExplodedNodes to see where processed the given statement we `break` too early. With the current approach we do not miss the CallExitEnd ProgramPoint which stands for an inlined call. Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus Reviewed By: NoQ Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp, cfe-commits Tags: #clang Differential Revision: https://reviews.llvm.org/D62926 llvm-svn: 363491 2019-06-15 18:05:49 +08:00			`// RUN: %clang_analyze_cc1 \`
			`// RUN: -analyzer-checker=core,debug.ExprInspection \`
			`// RUN: -verify %s`
[analyzer] operator new: Fix memory space for the returned region. Make sure that with c++-allocator-inlining=true we have the return value of conservatively evaluated operator new() in the correct memory space (heap). This is a regression/omission that worked well in c++-allocator-inlining=false. Heap regions are superior to regular symbolic regions because they have stricter aliasing constraints: heap regions do not alias each other or global variables. Differential Revision: https://reviews.llvm.org/D41266 rdar://problem/12180598 llvm-svn: 322780 2018-01-18 06:58:35 +08:00
			`void clang_analyzer_eval(bool);`
[analyzer] Assume that the allocated value is non-null before construction. I.e. not after. In the c++-allocator-inlining=true mode, we need to make the assumption that the conservatively evaluated operator new() has returned a non-null value. Previously we did this on CXXNewExpr, but now we have to do that before calling the constructor, because some clever constructors are sometimes assuming that their "this" is null and doing weird stuff. We would also crash upon evaluating CXXNewExpr when the allocator was inlined and returned null and had a throw specification; this is UB even for custom allocators, but we still need not to crash. Added more FIXME tests to ensure that eventually we fix calling the constructor for null return values. Differential Revision: https://reviews.llvm.org/D42192 llvm-svn: 323370 2018-01-25 04:32:26 +08:00			`void clang_analyzer_warnIfReached();`
[analyzer] operator new: Fix memory space for the returned region. Make sure that with c++-allocator-inlining=true we have the return value of conservatively evaluated operator new() in the correct memory space (heap). This is a regression/omission that worked well in c++-allocator-inlining=false. Heap regions are superior to regular symbolic regions because they have stricter aliasing constraints: heap regions do not alias each other or global variables. Differential Revision: https://reviews.llvm.org/D41266 rdar://problem/12180598 llvm-svn: 322780 2018-01-18 06:58:35 +08:00
			`typedef __typeof__(sizeof(int)) size_t;`

			`void *operator new(size_t size) throw() {`
			`return nullptr;`
			`}`
			`void *operator new[](size_t size) throw() {`
			`return nullptr;`
			`}`

			`struct S {`
			`int x;`
[analyzer] Assume that the allocated value is non-null before construction. I.e. not after. In the c++-allocator-inlining=true mode, we need to make the assumption that the conservatively evaluated operator new() has returned a non-null value. Previously we did this on CXXNewExpr, but now we have to do that before calling the constructor, because some clever constructors are sometimes assuming that their "this" is null and doing weird stuff. We would also crash upon evaluating CXXNewExpr when the allocator was inlined and returned null and had a throw specification; this is UB even for custom allocators, but we still need not to crash. Added more FIXME tests to ensure that eventually we fix calling the constructor for null return values. Differential Revision: https://reviews.llvm.org/D42192 llvm-svn: 323370 2018-01-25 04:32:26 +08:00			`S() : x(1) {`
			`// FIXME: Constructor should not be called with null this, even if it was`
			`// returned by operator new().`
			`clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}`
			`}`
[analyzer] operator new: Fix memory space for the returned region. Make sure that with c++-allocator-inlining=true we have the return value of conservatively evaluated operator new() in the correct memory space (heap). This is a regression/omission that worked well in c++-allocator-inlining=false. Heap regions are superior to regular symbolic regions because they have stricter aliasing constraints: heap regions do not alias each other or global variables. Differential Revision: https://reviews.llvm.org/D41266 rdar://problem/12180598 llvm-svn: 322780 2018-01-18 06:58:35 +08:00			`~S() {}`
			`};`

			`void testArrays() {`
			`S *s = new S[10]; // no-crash`
[analyzer] ReturnVisitor: Bypass everything to see inlined calls Summary: When we traversed backwards on ExplodedNodes to see where processed the given statement we `break` too early. With the current approach we do not miss the CallExitEnd ProgramPoint which stands for an inlined call. Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus Reviewed By: NoQ Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp, cfe-commits Tags: #clang Differential Revision: https://reviews.llvm.org/D62926 llvm-svn: 363491 2019-06-15 18:05:49 +08:00			`s[0].x = 2;`
			`// no-warning: 'Dereference of null pointer' suppressed by ReturnVisitor.`
[analyzer] operator new: Fix memory space for the returned region. Make sure that with c++-allocator-inlining=true we have the return value of conservatively evaluated operator new() in the correct memory space (heap). This is a regression/omission that worked well in c++-allocator-inlining=false. Heap regions are superior to regular symbolic regions because they have stricter aliasing constraints: heap regions do not alias each other or global variables. Differential Revision: https://reviews.llvm.org/D41266 rdar://problem/12180598 llvm-svn: 322780 2018-01-18 06:58:35 +08:00			`}`
[analyzer] Assume that the allocated value is non-null before construction. I.e. not after. In the c++-allocator-inlining=true mode, we need to make the assumption that the conservatively evaluated operator new() has returned a non-null value. Previously we did this on CXXNewExpr, but now we have to do that before calling the constructor, because some clever constructors are sometimes assuming that their "this" is null and doing weird stuff. We would also crash upon evaluating CXXNewExpr when the allocator was inlined and returned null and had a throw specification; this is UB even for custom allocators, but we still need not to crash. Added more FIXME tests to ensure that eventually we fix calling the constructor for null return values. Differential Revision: https://reviews.llvm.org/D42192 llvm-svn: 323370 2018-01-25 04:32:26 +08:00
			`int global;`
			`void testInvalidationOnConstructionIntoNull() {`
			`global = 0;`
			`S *s = new S();`
			`// FIXME: Should be FALSE - we should not invalidate globals.`
			`clang_analyzer_eval(global); // expected-warning{{UNKNOWN}}`
			`}`