llvm-project/clang/test/Analysis/ptr-arith.c

// RUN: %clang_cc1 -analyze -analyzer-checker=experimental.core.FixedAddr,experimental.core.PointerArithm,experimental.core.PointerSub,debug.ExprInspection -analyzer-store=region -verify -triple x86_64-apple-darwin9 %s
// RUN: %clang_cc1 -analyze -analyzer-checker=experimental.core.FixedAddr,experimental.core.PointerArithm,experimental.core.PointerSub,debug.ExprInspection -analyzer-store=region -verify -triple i686-apple-darwin9 %s

void clang_analyzer_eval(int);

void f1() {
  int a[10];
  int *p = a;
  ++p;
}

char* foo();

void f2() {
  char *p = foo();
  ++p;
}

// This test case checks if we get the right rvalue type of a TypedViewRegion.
// The ElementRegion's type depends on the array region's rvalue type. If it was
// a pointer type, we would get a loc::SymbolVal for '*p'.
void* memchr();
static int
domain_port (const char *domain_b, const char *domain_e,
             const char **domain_e_ptr)
{
  int port = 0;
  
  const char *p;
  const char *colon = memchr (domain_b, ':', domain_e - domain_b);
  
  for (p = colon + 1; p < domain_e ; p++)
    port = 10 * port + (*p - '0');
  return port;
}

void f3() {
  int x, y;
  int d = &y - &x; // expected-warning{{Subtraction of two pointers that do not point to the same memory chunk may cause incorrect result.}}

  int a[10];
  int *p = &a[2];
  int *q = &a[8];
  d = q-p; // no-warning
}

void f4() {
  int *p;
  p = (int*) 0x10000; // expected-warning{{Using a fixed address is not portable because that address will probably not be valid in all environments or platforms.}}
}

void f5() {
  int x, y;
  int *p;
  p = &x + 1;  // expected-warning{{Pointer arithmetic done on non-array variables means reliance on memory layout, which is dangerous.}}

  int a[10];
  p = a + 1; // no-warning
}

// Allow arithmetic on different symbolic regions.
void f6(int *p, int *q) {
  int d = q - p; // no-warning
}

void null_operand(int *a) {
start:
  // LHS is a label, RHS is NULL
  clang_analyzer_eval(&&start != 0); // expected-warning{{TRUE}}
  clang_analyzer_eval(&&start >= 0); // expected-warning{{TRUE}}
  clang_analyzer_eval(&&start > 0); // expected-warning{{TRUE}}
  clang_analyzer_eval((&&start - 0) != 0); // expected-warning{{TRUE}}

  // LHS is a non-symbolic value, RHS is NULL
  clang_analyzer_eval(&a != 0); // expected-warning{{TRUE}}
  clang_analyzer_eval(&a >= 0); // expected-warning{{TRUE}}
  clang_analyzer_eval(&a > 0); // expected-warning{{TRUE}}
  clang_analyzer_eval((&a - 0) != 0); // expected-warning{{TRUE}} expected-warning{{Pointer arithmetic done on non-array variables}}

  // LHS is NULL, RHS is non-symbolic
  // The same code is used for labels and non-symbolic values.
  clang_analyzer_eval(0 != &a); // expected-warning{{TRUE}}
  clang_analyzer_eval(0 <= &a); // expected-warning{{TRUE}}
  clang_analyzer_eval(0 < &a); // expected-warning{{TRUE}}

  // LHS is a symbolic value, RHS is NULL
  clang_analyzer_eval(a != 0); // expected-warning{{UNKNOWN}}
  clang_analyzer_eval(a >= 0); // expected-warning{{TRUE}}
  clang_analyzer_eval(a <= 0); // expected-warning{{UNKNOWN}}
  clang_analyzer_eval((a - 0) != 0); // expected-warning{{UNKNOWN}}

  // LHS is NULL, RHS is a symbolic value
  clang_analyzer_eval(0 != a); // expected-warning{{UNKNOWN}}
  clang_analyzer_eval(0 <= a); // expected-warning{{TRUE}}
  clang_analyzer_eval(0 < a); // expected-warning{{UNKNOWN}}
}

void const_locs() {
  char *a = (char*)0x1000;
  char *b = (char*)0x1100;
start:
  clang_analyzer_eval(a != b); // expected-warning{{TRUE}}
  clang_analyzer_eval(a < b); // expected-warning{{TRUE}}
  clang_analyzer_eval(a <= b); // expected-warning{{TRUE}}
  clang_analyzer_eval((b-a) == 0x100); // expected-warning{{TRUE}}

  clang_analyzer_eval(&&start == a); // expected-warning{{UNKNOWN}}
  clang_analyzer_eval(a == &&start); // expected-warning{{UNKNOWN}}
  clang_analyzer_eval(&a == (char**)a); // expected-warning{{UNKNOWN}}
  clang_analyzer_eval((char**)a == &a); // expected-warning{{UNKNOWN}}
}

void array_matching_types() {
  int array[10];
  int *a = &array[2];
  int *b = &array[5];

  clang_analyzer_eval(a != b); // expected-warning{{TRUE}}
  clang_analyzer_eval(a < b); // expected-warning{{TRUE}}
  clang_analyzer_eval(a <= b); // expected-warning{{TRUE}}
  clang_analyzer_eval((b-a) != 0); // expected-warning{{TRUE}}
}

// This takes a different code path than array_matching_types()
void array_different_types() {
  int array[10];
  int *a = &array[2];
  char *b = (char*)&array[5];

  clang_analyzer_eval(a != b); // expected-warning{{TRUE}} expected-warning{{comparison of distinct pointer types}}
  clang_analyzer_eval(a < b); // expected-warning{{TRUE}} expected-warning{{comparison of distinct pointer types}}
  clang_analyzer_eval(a <= b); // expected-warning{{TRUE}} expected-warning{{comparison of distinct pointer types}}
}

struct test { int x; int y; };
void struct_fields() {
  struct test a, b;

  clang_analyzer_eval(&a.x != &a.y); // expected-warning{{TRUE}}
  clang_analyzer_eval(&a.x < &a.y); // expected-warning{{TRUE}}
  clang_analyzer_eval(&a.x <= &a.y); // expected-warning{{TRUE}}

  clang_analyzer_eval(&a.x != &b.x); // expected-warning{{TRUE}}
  clang_analyzer_eval(&a.x > &b.x); // expected-warning{{UNKNOWN}}
  clang_analyzer_eval(&a.x >= &b.x); // expected-warning{{UNKNOWN}}
}

void mixed_region_types() {
  struct test s;
  int array[2];
  void *a = &array, *b = &s;

  clang_analyzer_eval(&a != &b); // expected-warning{{TRUE}}
  clang_analyzer_eval(&a > &b); // expected-warning{{UNKNOWN}}
  clang_analyzer_eval(&a >= &b); // expected-warning{{UNKNOWN}}
}

void symbolic_region(int *p) {
  int a;

  clang_analyzer_eval(&a != p); // expected-warning{{TRUE}}
  clang_analyzer_eval(&a > p); // expected-warning{{UNKNOWN}}
  clang_analyzer_eval(&a >= p); // expected-warning{{UNKNOWN}}
}

void PR7527 (int *p) {
  if (((int) p) & 1) // not crash
    return;
}
[analyzer] Convert many existing tests to use clang_analyzer_eval. llvm-svn: 156920 2012-05-17 00:01:10 +08:00			`// RUN: %clang_cc1 -analyze -analyzer-checker=experimental.core.FixedAddr,experimental.core.PointerArithm,experimental.core.PointerSub,debug.ExprInspection -analyzer-store=region -verify -triple x86_64-apple-darwin9 %s`
			`// RUN: %clang_cc1 -analyze -analyzer-checker=experimental.core.FixedAddr,experimental.core.PointerArithm,experimental.core.PointerSub,debug.ExprInspection -analyzer-store=region -verify -triple i686-apple-darwin9 %s`
Add test case for pointer arithmetic. llvm-svn: 65907 2009-03-03 08:28:42 +08:00
[analyzer] Convert many existing tests to use clang_analyzer_eval. llvm-svn: 156920 2012-05-17 00:01:10 +08:00			`void clang_analyzer_eval(int);`
Pointer comparisons (and pointer-pointer subtraction). Basically filling in SimpleSValuator::EvalBinOpLL(). llvm-svn: 106992 2010-06-28 16:26:15 +08:00
Add test case for pointer arithmetic. llvm-svn: 65907 2009-03-03 08:28:42 +08:00			`void f1() {`
			`int a[10];`
			`int *p = a;`
			`++p;`
			`}`
Fix crash when LHS of pointer arithmetic is not ElementRegion. llvm-svn: 66649 2009-03-11 15:43:49 +08:00
			`char* foo();`

			`void f2() {`
			`char *p = foo();`
			`++p;`
			`}`
This test case checks if we get the right rvalue type of a TypedViewRegion. The ElementRegion's type depends on the array region's rvalue type. If it was a pointer type, we would get a loc::SymbolVal for '*p'. llvm-svn: 66656 2009-03-11 17:15:38 +08:00
Add comments to test case. llvm-svn: 66760 2009-03-12 09:55:38 +08:00			`// This test case checks if we get the right rvalue type of a TypedViewRegion.`
			`// The ElementRegion's type depends on the array region's rvalue type. If it was`
			`// a pointer type, we would get a loc::SymbolVal for '*p'.`
Clean up builtin lists, add a few new builtins. (I re-sorted the string.h builtins to be in the same order as the list in the C99 standard.) llvm-svn: 72882 2009-06-05 03:35:30 +08:00			`void* memchr();`
This test case checks if we get the right rvalue type of a TypedViewRegion. The ElementRegion's type depends on the array region's rvalue type. If it was a pointer type, we would get a loc::SymbolVal for '*p'. llvm-svn: 66656 2009-03-11 17:15:38 +08:00			`static int`
			`domain_port (const char domain_b, const char domain_e,`
			`const char **domain_e_ptr)`
			`{`
			`int port = 0;`

			`const char *p;`
			`const char *colon = memchr (domain_b, ':', domain_e - domain_b);`

			`for (p = colon + 1; p < domain_e ; p++)`
			`port = 10 * port + (*p - '0');`
			`return port;`
			`}`
Add checker for CWE-469: Use of Pointer Subtraction to Determine Size. This checker does not build sink nodes. Because svaluator computes an unknown value for the subtraction now. llvm-svn: 86517 2009-11-09 13:34:10 +08:00
			`void f3() {`
			`int x, y;`
			`int d = &y - &x; // expected-warning{{Subtraction of two pointers that do not point to the same memory chunk may cause incorrect result.}}`
Refine PointerSubChecker: compare the base region instead of the original region, so that arithmetic within a memory chunk is allowed. llvm-svn: 86652 2009-11-10 10:37:53 +08:00
			`int a[10];`
			`int *p = &a[2];`
			`int *q = &a[8];`
			`d = q-p; // no-warning`
Add checker for CWE-469: Use of Pointer Subtraction to Determine Size. This checker does not build sink nodes. Because svaluator computes an unknown value for the subtraction now. llvm-svn: 86517 2009-11-09 13:34:10 +08:00			`}`
Add checker for CWE-587: Assignment of a Fixed Address to a Pointer. llvm-svn: 86523 2009-11-09 14:52:44 +08:00
			`void f4() {`
			`int *p;`
			`p = (int*) 0x10000; // expected-warning{{Using a fixed address is not portable because that address will probably not be valid in all environments or platforms.}}`
			`}`
Add check for pointer arithmetic on non-array variables. llvm-svn: 86538 2009-11-09 21:23:31 +08:00
			`void f5() {`
			`int x, y;`
			`int *p;`
update test case. llvm-svn: 86541 2009-11-09 21:56:44 +08:00			`p = &x + 1; // expected-warning{{Pointer arithmetic done on non-array variables means reliance on memory layout, which is dangerous.}}`
Add check for pointer arithmetic on non-array variables. llvm-svn: 86538 2009-11-09 21:23:31 +08:00
			`int a[10];`
			`p = a + 1; // no-warning`
			`}`
Add test case for PointerSubChecker. llvm-svn: 86657 2009-11-10 10:45:49 +08:00
			`// Allow arithmetic on different symbolic regions.`
			`void f6(int p, int q) {`
			`int d = q - p; // no-warning`
			`}`
Pointer comparisons (and pointer-pointer subtraction). Basically filling in SimpleSValuator::EvalBinOpLL(). llvm-svn: 106992 2010-06-28 16:26:15 +08:00
			`void null_operand(int *a) {`
			`start:`
			`// LHS is a label, RHS is NULL`
[analyzer] Convert many existing tests to use clang_analyzer_eval. llvm-svn: 156920 2012-05-17 00:01:10 +08:00			`clang_analyzer_eval(&&start != 0); // expected-warning{{TRUE}}`
			`clang_analyzer_eval(&&start >= 0); // expected-warning{{TRUE}}`
			`clang_analyzer_eval(&&start > 0); // expected-warning{{TRUE}}`
			`clang_analyzer_eval((&&start - 0) != 0); // expected-warning{{TRUE}}`
Pointer comparisons (and pointer-pointer subtraction). Basically filling in SimpleSValuator::EvalBinOpLL(). llvm-svn: 106992 2010-06-28 16:26:15 +08:00
			`// LHS is a non-symbolic value, RHS is NULL`
[analyzer] Convert many existing tests to use clang_analyzer_eval. llvm-svn: 156920 2012-05-17 00:01:10 +08:00			`clang_analyzer_eval(&a != 0); // expected-warning{{TRUE}}`
			`clang_analyzer_eval(&a >= 0); // expected-warning{{TRUE}}`
			`clang_analyzer_eval(&a > 0); // expected-warning{{TRUE}}`
			`clang_analyzer_eval((&a - 0) != 0); // expected-warning{{TRUE}} expected-warning{{Pointer arithmetic done on non-array variables}}`
Pointer comparisons (and pointer-pointer subtraction). Basically filling in SimpleSValuator::EvalBinOpLL(). llvm-svn: 106992 2010-06-28 16:26:15 +08:00
			`// LHS is NULL, RHS is non-symbolic`
			`// The same code is used for labels and non-symbolic values.`
[analyzer] Convert many existing tests to use clang_analyzer_eval. llvm-svn: 156920 2012-05-17 00:01:10 +08:00			`clang_analyzer_eval(0 != &a); // expected-warning{{TRUE}}`
			`clang_analyzer_eval(0 <= &a); // expected-warning{{TRUE}}`
			`clang_analyzer_eval(0 < &a); // expected-warning{{TRUE}}`
Pointer comparisons (and pointer-pointer subtraction). Basically filling in SimpleSValuator::EvalBinOpLL(). llvm-svn: 106992 2010-06-28 16:26:15 +08:00
			`// LHS is a symbolic value, RHS is NULL`
[analyzer] Convert many existing tests to use clang_analyzer_eval. llvm-svn: 156920 2012-05-17 00:01:10 +08:00			`clang_analyzer_eval(a != 0); // expected-warning{{UNKNOWN}}`
			`clang_analyzer_eval(a >= 0); // expected-warning{{TRUE}}`
			`clang_analyzer_eval(a <= 0); // expected-warning{{UNKNOWN}}`
			`clang_analyzer_eval((a - 0) != 0); // expected-warning{{UNKNOWN}}`
Pointer comparisons (and pointer-pointer subtraction). Basically filling in SimpleSValuator::EvalBinOpLL(). llvm-svn: 106992 2010-06-28 16:26:15 +08:00
			`// LHS is NULL, RHS is a symbolic value`
[analyzer] Convert many existing tests to use clang_analyzer_eval. llvm-svn: 156920 2012-05-17 00:01:10 +08:00			`clang_analyzer_eval(0 != a); // expected-warning{{UNKNOWN}}`
			`clang_analyzer_eval(0 <= a); // expected-warning{{TRUE}}`
			`clang_analyzer_eval(0 < a); // expected-warning{{UNKNOWN}}`
Pointer comparisons (and pointer-pointer subtraction). Basically filling in SimpleSValuator::EvalBinOpLL(). llvm-svn: 106992 2010-06-28 16:26:15 +08:00			`}`

			`void const_locs() {`
			`char a = (char)0x1000;`
			`char b = (char)0x1100;`
			`start:`
[analyzer] Convert many existing tests to use clang_analyzer_eval. llvm-svn: 156920 2012-05-17 00:01:10 +08:00			`clang_analyzer_eval(a != b); // expected-warning{{TRUE}}`
			`clang_analyzer_eval(a < b); // expected-warning{{TRUE}}`
			`clang_analyzer_eval(a <= b); // expected-warning{{TRUE}}`
			`clang_analyzer_eval((b-a) == 0x100); // expected-warning{{TRUE}}`

			`clang_analyzer_eval(&&start == a); // expected-warning{{UNKNOWN}}`
			`clang_analyzer_eval(a == &&start); // expected-warning{{UNKNOWN}}`
			`clang_analyzer_eval(&a == (char**)a); // expected-warning{{UNKNOWN}}`
			`clang_analyzer_eval((char**)a == &a); // expected-warning{{UNKNOWN}}`
Pointer comparisons (and pointer-pointer subtraction). Basically filling in SimpleSValuator::EvalBinOpLL(). llvm-svn: 106992 2010-06-28 16:26:15 +08:00			`}`

			`void array_matching_types() {`
			`int array[10];`
			`int *a = &array[2];`
			`int *b = &array[5];`

[analyzer] Convert many existing tests to use clang_analyzer_eval. llvm-svn: 156920 2012-05-17 00:01:10 +08:00			`clang_analyzer_eval(a != b); // expected-warning{{TRUE}}`
			`clang_analyzer_eval(a < b); // expected-warning{{TRUE}}`
			`clang_analyzer_eval(a <= b); // expected-warning{{TRUE}}`
			`clang_analyzer_eval((b-a) != 0); // expected-warning{{TRUE}}`
Pointer comparisons (and pointer-pointer subtraction). Basically filling in SimpleSValuator::EvalBinOpLL(). llvm-svn: 106992 2010-06-28 16:26:15 +08:00			`}`

			`// This takes a different code path than array_matching_types()`
			`void array_different_types() {`
			`int array[10];`
			`int *a = &array[2];`
			`char b = (char)&array[5];`

[analyzer] Convert many existing tests to use clang_analyzer_eval. llvm-svn: 156920 2012-05-17 00:01:10 +08:00			`clang_analyzer_eval(a != b); // expected-warning{{TRUE}} expected-warning{{comparison of distinct pointer types}}`
			`clang_analyzer_eval(a < b); // expected-warning{{TRUE}} expected-warning{{comparison of distinct pointer types}}`
			`clang_analyzer_eval(a <= b); // expected-warning{{TRUE}} expected-warning{{comparison of distinct pointer types}}`
Pointer comparisons (and pointer-pointer subtraction). Basically filling in SimpleSValuator::EvalBinOpLL(). llvm-svn: 106992 2010-06-28 16:26:15 +08:00			`}`

			`struct test { int x; int y; };`
			`void struct_fields() {`
			`struct test a, b;`

[analyzer] Convert many existing tests to use clang_analyzer_eval. llvm-svn: 156920 2012-05-17 00:01:10 +08:00			`clang_analyzer_eval(&a.x != &a.y); // expected-warning{{TRUE}}`
			`clang_analyzer_eval(&a.x < &a.y); // expected-warning{{TRUE}}`
			`clang_analyzer_eval(&a.x <= &a.y); // expected-warning{{TRUE}}`
Pointer comparisons (and pointer-pointer subtraction). Basically filling in SimpleSValuator::EvalBinOpLL(). llvm-svn: 106992 2010-06-28 16:26:15 +08:00
[analyzer] Convert many existing tests to use clang_analyzer_eval. llvm-svn: 156920 2012-05-17 00:01:10 +08:00			`clang_analyzer_eval(&a.x != &b.x); // expected-warning{{TRUE}}`
			`clang_analyzer_eval(&a.x > &b.x); // expected-warning{{UNKNOWN}}`
			`clang_analyzer_eval(&a.x >= &b.x); // expected-warning{{UNKNOWN}}`
Pointer comparisons (and pointer-pointer subtraction). Basically filling in SimpleSValuator::EvalBinOpLL(). llvm-svn: 106992 2010-06-28 16:26:15 +08:00			`}`

			`void mixed_region_types() {`
			`struct test s;`
			`int array[2];`
			`void a = &array, b = &s;`

[analyzer] Convert many existing tests to use clang_analyzer_eval. llvm-svn: 156920 2012-05-17 00:01:10 +08:00			`clang_analyzer_eval(&a != &b); // expected-warning{{TRUE}}`
			`clang_analyzer_eval(&a > &b); // expected-warning{{UNKNOWN}}`
			`clang_analyzer_eval(&a >= &b); // expected-warning{{UNKNOWN}}`
Pointer comparisons (and pointer-pointer subtraction). Basically filling in SimpleSValuator::EvalBinOpLL(). llvm-svn: 106992 2010-06-28 16:26:15 +08:00			`}`

			`void symbolic_region(int *p) {`
			`int a;`

[analyzer] Convert many existing tests to use clang_analyzer_eval. llvm-svn: 156920 2012-05-17 00:01:10 +08:00			`clang_analyzer_eval(&a != p); // expected-warning{{TRUE}}`
			`clang_analyzer_eval(&a > p); // expected-warning{{UNKNOWN}}`
			`clang_analyzer_eval(&a >= p); // expected-warning{{UNKNOWN}}`
Pointer comparisons (and pointer-pointer subtraction). Basically filling in SimpleSValuator::EvalBinOpLL(). llvm-svn: 106992 2010-06-28 16:26:15 +08:00			`}`
Pointers casted as integers still count as locations to SimpleSValuator, so don't crash if we do a funny thing like ((int)ptr)&1. Fixes PR7527. llvm-svn: 107236 2010-06-30 09:35:20 +08:00
			`void PR7527 (int *p) {`
			`if (((int) p) & 1) // not crash`
			`return;`
			`}`