llvm-project/clang/test/Analysis/new-ctor-null-throw.cpp

// RUN: %clang_analyze_cc1 -analyzer-checker=core \
// RUN:  -analyzer-config suppress-null-return-paths=false \
// RUN:  -verify %s
// RUN: %clang_analyze_cc1 -analyzer-checker=core \
// RUN:  -DSUPPRESSED \
// RUN:  -verify %s

void clang_analyzer_eval(bool);

typedef __typeof__(sizeof(int)) size_t;


// These are ill-formed. One cannot return nullptr from a throwing version of an
// operator new.
void *operator new(size_t size) {
  return nullptr;
  // expected-warning@-1 {{'operator new' should not return a null pointer unless it is declared 'throw()' or 'noexcept'}}
}
void *operator new[](size_t size) {
  return nullptr;
  // expected-warning@-1 {{'operator new[]' should not return a null pointer unless it is declared 'throw()' or 'noexcept'}}
}

struct S {
  int x;
  S() : x(1) {}
  ~S() {}
  int getX() const { return x; }
};

void testArrays() {
  S *s = new S[10]; // no-crash
  s[0].x = 2;
#ifndef SUPPRESSED
  // expected-warning@-2 {{Dereference of null pointer}}
#endif
}

void testCtor() {
  S *s = new S();
  s->x = 13;
#ifndef SUPPRESSED
  // expected-warning@-2 {{Access to field 'x' results in a dereference of a null pointer (loaded from variable 's')}}
#endif
}

void testMethod() {
  S *s = new S();
  const int X = s->getX();
#ifndef SUPPRESSED
  // expected-warning@-2 {{Called C++ object pointer is null}}
#endif
}
[analyzer] ReturnVisitor: Bypass everything to see inlined calls Summary: When we traversed backwards on ExplodedNodes to see where processed the given statement we `break` too early. With the current approach we do not miss the CallExitEnd ProgramPoint which stands for an inlined call. Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus Reviewed By: NoQ Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp, cfe-commits Tags: #clang Differential Revision: https://reviews.llvm.org/D62926 llvm-svn: 363491 2019-06-15 18:05:49 +08:00			`// RUN: %clang_analyze_cc1 -analyzer-checker=core \`
			`// RUN: -analyzer-config suppress-null-return-paths=false \`
			`// RUN: -verify %s`
			`// RUN: %clang_analyze_cc1 -analyzer-checker=core \`
			`// RUN: -DSUPPRESSED \`
			`// RUN: -verify %s`
[analyzer] Assume that the allocated value is non-null before construction. I.e. not after. In the c++-allocator-inlining=true mode, we need to make the assumption that the conservatively evaluated operator new() has returned a non-null value. Previously we did this on CXXNewExpr, but now we have to do that before calling the constructor, because some clever constructors are sometimes assuming that their "this" is null and doing weird stuff. We would also crash upon evaluating CXXNewExpr when the allocator was inlined and returned null and had a throw specification; this is UB even for custom allocators, but we still need not to crash. Added more FIXME tests to ensure that eventually we fix calling the constructor for null return values. Differential Revision: https://reviews.llvm.org/D42192 llvm-svn: 323370 2018-01-25 04:32:26 +08:00
			`void clang_analyzer_eval(bool);`

			`typedef __typeof__(sizeof(int)) size_t;`


			`// These are ill-formed. One cannot return nullptr from a throwing version of an`
			`// operator new.`
			`void *operator new(size_t size) {`
			`return nullptr;`
[analyzer] ReturnVisitor: Bypass everything to see inlined calls Summary: When we traversed backwards on ExplodedNodes to see where processed the given statement we `break` too early. With the current approach we do not miss the CallExitEnd ProgramPoint which stands for an inlined call. Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus Reviewed By: NoQ Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp, cfe-commits Tags: #clang Differential Revision: https://reviews.llvm.org/D62926 llvm-svn: 363491 2019-06-15 18:05:49 +08:00			`// expected-warning@-1 {{'operator new' should not return a null pointer unless it is declared 'throw()' or 'noexcept'}}`
[analyzer] Assume that the allocated value is non-null before construction. I.e. not after. In the c++-allocator-inlining=true mode, we need to make the assumption that the conservatively evaluated operator new() has returned a non-null value. Previously we did this on CXXNewExpr, but now we have to do that before calling the constructor, because some clever constructors are sometimes assuming that their "this" is null and doing weird stuff. We would also crash upon evaluating CXXNewExpr when the allocator was inlined and returned null and had a throw specification; this is UB even for custom allocators, but we still need not to crash. Added more FIXME tests to ensure that eventually we fix calling the constructor for null return values. Differential Revision: https://reviews.llvm.org/D42192 llvm-svn: 323370 2018-01-25 04:32:26 +08:00			`}`
			`void *operator new[](size_t size) {`
			`return nullptr;`
[analyzer] ReturnVisitor: Bypass everything to see inlined calls Summary: When we traversed backwards on ExplodedNodes to see where processed the given statement we `break` too early. With the current approach we do not miss the CallExitEnd ProgramPoint which stands for an inlined call. Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus Reviewed By: NoQ Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp, cfe-commits Tags: #clang Differential Revision: https://reviews.llvm.org/D62926 llvm-svn: 363491 2019-06-15 18:05:49 +08:00			`// expected-warning@-1 {{'operator new[]' should not return a null pointer unless it is declared 'throw()' or 'noexcept'}}`
[analyzer] Assume that the allocated value is non-null before construction. I.e. not after. In the c++-allocator-inlining=true mode, we need to make the assumption that the conservatively evaluated operator new() has returned a non-null value. Previously we did this on CXXNewExpr, but now we have to do that before calling the constructor, because some clever constructors are sometimes assuming that their "this" is null and doing weird stuff. We would also crash upon evaluating CXXNewExpr when the allocator was inlined and returned null and had a throw specification; this is UB even for custom allocators, but we still need not to crash. Added more FIXME tests to ensure that eventually we fix calling the constructor for null return values. Differential Revision: https://reviews.llvm.org/D42192 llvm-svn: 323370 2018-01-25 04:32:26 +08:00			`}`

			`struct S {`
			`int x;`
			`S() : x(1) {}`
			`~S() {}`
[analyzer] ReturnVisitor: Bypass everything to see inlined calls Summary: When we traversed backwards on ExplodedNodes to see where processed the given statement we `break` too early. With the current approach we do not miss the CallExitEnd ProgramPoint which stands for an inlined call. Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus Reviewed By: NoQ Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp, cfe-commits Tags: #clang Differential Revision: https://reviews.llvm.org/D62926 llvm-svn: 363491 2019-06-15 18:05:49 +08:00			`int getX() const { return x; }`
[analyzer] Assume that the allocated value is non-null before construction. I.e. not after. In the c++-allocator-inlining=true mode, we need to make the assumption that the conservatively evaluated operator new() has returned a non-null value. Previously we did this on CXXNewExpr, but now we have to do that before calling the constructor, because some clever constructors are sometimes assuming that their "this" is null and doing weird stuff. We would also crash upon evaluating CXXNewExpr when the allocator was inlined and returned null and had a throw specification; this is UB even for custom allocators, but we still need not to crash. Added more FIXME tests to ensure that eventually we fix calling the constructor for null return values. Differential Revision: https://reviews.llvm.org/D42192 llvm-svn: 323370 2018-01-25 04:32:26 +08:00			`};`

			`void testArrays() {`
			`S *s = new S[10]; // no-crash`
[analyzer] ReturnVisitor: Bypass everything to see inlined calls Summary: When we traversed backwards on ExplodedNodes to see where processed the given statement we `break` too early. With the current approach we do not miss the CallExitEnd ProgramPoint which stands for an inlined call. Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus Reviewed By: NoQ Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp, cfe-commits Tags: #clang Differential Revision: https://reviews.llvm.org/D62926 llvm-svn: 363491 2019-06-15 18:05:49 +08:00			`s[0].x = 2;`
			`#ifndef SUPPRESSED`
			`// expected-warning@-2 {{Dereference of null pointer}}`
			`#endif`
[analyzer] Assume that the allocated value is non-null before construction. I.e. not after. In the c++-allocator-inlining=true mode, we need to make the assumption that the conservatively evaluated operator new() has returned a non-null value. Previously we did this on CXXNewExpr, but now we have to do that before calling the constructor, because some clever constructors are sometimes assuming that their "this" is null and doing weird stuff. We would also crash upon evaluating CXXNewExpr when the allocator was inlined and returned null and had a throw specification; this is UB even for custom allocators, but we still need not to crash. Added more FIXME tests to ensure that eventually we fix calling the constructor for null return values. Differential Revision: https://reviews.llvm.org/D42192 llvm-svn: 323370 2018-01-25 04:32:26 +08:00			`}`
[analyzer] ReturnVisitor: Bypass everything to see inlined calls Summary: When we traversed backwards on ExplodedNodes to see where processed the given statement we `break` too early. With the current approach we do not miss the CallExitEnd ProgramPoint which stands for an inlined call. Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus Reviewed By: NoQ Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp, cfe-commits Tags: #clang Differential Revision: https://reviews.llvm.org/D62926 llvm-svn: 363491 2019-06-15 18:05:49 +08:00
			`void testCtor() {`
			`S *s = new S();`
			`s->x = 13;`
			`#ifndef SUPPRESSED`
			`// expected-warning@-2 {{Access to field 'x' results in a dereference of a null pointer (loaded from variable 's')}}`
			`#endif`
			`}`

			`void testMethod() {`
			`S *s = new S();`
			`const int X = s->getX();`
			`#ifndef SUPPRESSED`
			`// expected-warning@-2 {{Called C++ object pointer is null}}`
			`#endif`
			`}`