llvm-project/clang/test/Analysis/new-ctor-null-throw.cpp

// RUN: %clang_analyze_cc1 -std=c++14 -analyzer-checker=core \
// RUN:  -analyzer-config suppress-null-return-paths=false \
// RUN:  -verify %s
// RUN: %clang_analyze_cc1 -std=c++14 -analyzer-checker=core \
// RUN:  -DSUPPRESSED \
// RUN:  -verify %s

void clang_analyzer_eval(bool);

typedef __typeof__(sizeof(int)) size_t;


// These are ill-formed. One cannot return nullptr from a throwing version of an
// operator new.
void *operator new(size_t size) {
  return nullptr;
  // expected-warning@-1 {{'operator new' should not return a null pointer unless it is declared 'throw()' or 'noexcept'}}
  // expected-warning@-2 {{null returned from function that requires a non-null return value}}
}
void *operator new[](size_t size) {
  return nullptr;
  // expected-warning@-1 {{'operator new[]' should not return a null pointer unless it is declared 'throw()' or 'noexcept'}}
  // expected-warning@-2 {{null returned from function that requires a non-null return value}}
}

struct S {
  int x;
  S() : x(1) {}
  ~S() {}
  int getX() const { return x; }
};

void testArrays() {
  S *s = new S[10]; // no-crash
  s[0].x = 2;
#ifndef SUPPRESSED
  // expected-warning@-2 {{Dereference of null pointer}}
#endif
}

void testCtor() {
  S *s = new S();
  s->x = 13;
#ifndef SUPPRESSED
  // expected-warning@-2 {{Access to field 'x' results in a dereference of a null pointer (loaded from variable 's')}}
#endif
}

void testMethod() {
  S *s = new S();
  const int X = s->getX();
#ifndef SUPPRESSED
  // expected-warning@-2 {{Called C++ object pointer is null}}
#endif
}
[analyzer] Specify the C++ standard in more tests. Makes life easier for downstream developers with different default standard. llvm-svn: 375308 2019-10-19 08:08:17 +08:00			`// RUN: %clang_analyze_cc1 -std=c++14 -analyzer-checker=core \`
[analyzer] ReturnVisitor: Bypass everything to see inlined calls Summary: When we traversed backwards on ExplodedNodes to see where processed the given statement we `break` too early. With the current approach we do not miss the CallExitEnd ProgramPoint which stands for an inlined call. Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus Reviewed By: NoQ Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp, cfe-commits Tags: #clang Differential Revision: https://reviews.llvm.org/D62926 llvm-svn: 363491 2019-06-15 18:05:49 +08:00			`// RUN: -analyzer-config suppress-null-return-paths=false \`
			`// RUN: -verify %s`
[analyzer] Specify the C++ standard in more tests. Makes life easier for downstream developers with different default standard. llvm-svn: 375308 2019-10-19 08:08:17 +08:00			`// RUN: %clang_analyze_cc1 -std=c++14 -analyzer-checker=core \`
[analyzer] ReturnVisitor: Bypass everything to see inlined calls Summary: When we traversed backwards on ExplodedNodes to see where processed the given statement we `break` too early. With the current approach we do not miss the CallExitEnd ProgramPoint which stands for an inlined call. Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus Reviewed By: NoQ Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp, cfe-commits Tags: #clang Differential Revision: https://reviews.llvm.org/D62926 llvm-svn: 363491 2019-06-15 18:05:49 +08:00			`// RUN: -DSUPPRESSED \`
			`// RUN: -verify %s`
[analyzer] Assume that the allocated value is non-null before construction. I.e. not after. In the c++-allocator-inlining=true mode, we need to make the assumption that the conservatively evaluated operator new() has returned a non-null value. Previously we did this on CXXNewExpr, but now we have to do that before calling the constructor, because some clever constructors are sometimes assuming that their "this" is null and doing weird stuff. We would also crash upon evaluating CXXNewExpr when the allocator was inlined and returned null and had a throw specification; this is UB even for custom allocators, but we still need not to crash. Added more FIXME tests to ensure that eventually we fix calling the constructor for null return values. Differential Revision: https://reviews.llvm.org/D42192 llvm-svn: 323370 2018-01-25 04:32:26 +08:00
			`void clang_analyzer_eval(bool);`

			`typedef __typeof__(sizeof(int)) size_t;`


			`// These are ill-formed. One cannot return nullptr from a throwing version of an`
			`// operator new.`
			`void *operator new(size_t size) {`
			`return nullptr;`
[analyzer] ReturnVisitor: Bypass everything to see inlined calls Summary: When we traversed backwards on ExplodedNodes to see where processed the given statement we `break` too early. With the current approach we do not miss the CallExitEnd ProgramPoint which stands for an inlined call. Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus Reviewed By: NoQ Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp, cfe-commits Tags: #clang Differential Revision: https://reviews.llvm.org/D62926 llvm-svn: 363491 2019-06-15 18:05:49 +08:00			`// expected-warning@-1 {{'operator new' should not return a null pointer unless it is declared 'throw()' or 'noexcept'}}`
[clang] Annotating C++'s `operator new` with more attributes Summary: Right now we annotate C++'s `operator new` with `noalias` attribute, which very much is healthy for optimizations. However as per [[ http://eel.is/c++draft/basic.stc.dynamic.allocation \| `[basic.stc.dynamic.allocation]` ]], there are more promises on global `operator new`, namely: * non-`std::nothrow_t` `operator new` never returns `nullptr` * If `std::align_val_t align` parameter is taken, the pointer will also be `align`-aligned * ~~global `operator new`-returned pointer is `__STDCPP_DEFAULT_NEW_ALIGNMENT__`-aligned ~~ It's more caveated than that. Supplying this information may not cause immediate landslide effects on any specific benchmarks, but it for sure will be healthy for optimizer in the sense that the IR will better reflect the guarantees provided in the source code. The caveat is `-fno-assume-sane-operator-new`, which currently prevents emitting `noalias` attribute, and is automatically passed by Sanitizers ([[ https://bugs.llvm.org/show_bug.cgi?id=16386 \| PR16386 ]]) - should it also cover these attributes? The problem is that the flag is back-end-specific, as seen in `test/Modules/explicit-build-flags.cpp`. But while it is okay to add `noalias` metadata in backend, we really should be adding at least the alignment metadata to the AST, since that allows us to perform sema checks on it. Reviewers: erichkeane, rjmccall, jdoerfert, eugenis, rsmith Reviewed By: rsmith Subscribers: xbolva00, jrtc27, atanasyan, nlopes, cfe-commits Tags: #llvm, #clang Differential Revision: https://reviews.llvm.org/D73380 2020-02-26 06:37:17 +08:00			`// expected-warning@-2 {{null returned from function that requires a non-null return value}}`
[analyzer] Assume that the allocated value is non-null before construction. I.e. not after. In the c++-allocator-inlining=true mode, we need to make the assumption that the conservatively evaluated operator new() has returned a non-null value. Previously we did this on CXXNewExpr, but now we have to do that before calling the constructor, because some clever constructors are sometimes assuming that their "this" is null and doing weird stuff. We would also crash upon evaluating CXXNewExpr when the allocator was inlined and returned null and had a throw specification; this is UB even for custom allocators, but we still need not to crash. Added more FIXME tests to ensure that eventually we fix calling the constructor for null return values. Differential Revision: https://reviews.llvm.org/D42192 llvm-svn: 323370 2018-01-25 04:32:26 +08:00			`}`
			`void *operator new[](size_t size) {`
			`return nullptr;`
[analyzer] ReturnVisitor: Bypass everything to see inlined calls Summary: When we traversed backwards on ExplodedNodes to see where processed the given statement we `break` too early. With the current approach we do not miss the CallExitEnd ProgramPoint which stands for an inlined call. Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus Reviewed By: NoQ Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp, cfe-commits Tags: #clang Differential Revision: https://reviews.llvm.org/D62926 llvm-svn: 363491 2019-06-15 18:05:49 +08:00			`// expected-warning@-1 {{'operator new[]' should not return a null pointer unless it is declared 'throw()' or 'noexcept'}}`
[clang] Annotating C++'s `operator new` with more attributes Summary: Right now we annotate C++'s `operator new` with `noalias` attribute, which very much is healthy for optimizations. However as per [[ http://eel.is/c++draft/basic.stc.dynamic.allocation \| `[basic.stc.dynamic.allocation]` ]], there are more promises on global `operator new`, namely: * non-`std::nothrow_t` `operator new` never returns `nullptr` * If `std::align_val_t align` parameter is taken, the pointer will also be `align`-aligned * ~~global `operator new`-returned pointer is `__STDCPP_DEFAULT_NEW_ALIGNMENT__`-aligned ~~ It's more caveated than that. Supplying this information may not cause immediate landslide effects on any specific benchmarks, but it for sure will be healthy for optimizer in the sense that the IR will better reflect the guarantees provided in the source code. The caveat is `-fno-assume-sane-operator-new`, which currently prevents emitting `noalias` attribute, and is automatically passed by Sanitizers ([[ https://bugs.llvm.org/show_bug.cgi?id=16386 \| PR16386 ]]) - should it also cover these attributes? The problem is that the flag is back-end-specific, as seen in `test/Modules/explicit-build-flags.cpp`. But while it is okay to add `noalias` metadata in backend, we really should be adding at least the alignment metadata to the AST, since that allows us to perform sema checks on it. Reviewers: erichkeane, rjmccall, jdoerfert, eugenis, rsmith Reviewed By: rsmith Subscribers: xbolva00, jrtc27, atanasyan, nlopes, cfe-commits Tags: #llvm, #clang Differential Revision: https://reviews.llvm.org/D73380 2020-02-26 06:37:17 +08:00			`// expected-warning@-2 {{null returned from function that requires a non-null return value}}`
[analyzer] Assume that the allocated value is non-null before construction. I.e. not after. In the c++-allocator-inlining=true mode, we need to make the assumption that the conservatively evaluated operator new() has returned a non-null value. Previously we did this on CXXNewExpr, but now we have to do that before calling the constructor, because some clever constructors are sometimes assuming that their "this" is null and doing weird stuff. We would also crash upon evaluating CXXNewExpr when the allocator was inlined and returned null and had a throw specification; this is UB even for custom allocators, but we still need not to crash. Added more FIXME tests to ensure that eventually we fix calling the constructor for null return values. Differential Revision: https://reviews.llvm.org/D42192 llvm-svn: 323370 2018-01-25 04:32:26 +08:00			`}`

			`struct S {`
			`int x;`
			`S() : x(1) {}`
			`~S() {}`
[analyzer] ReturnVisitor: Bypass everything to see inlined calls Summary: When we traversed backwards on ExplodedNodes to see where processed the given statement we `break` too early. With the current approach we do not miss the CallExitEnd ProgramPoint which stands for an inlined call. Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus Reviewed By: NoQ Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp, cfe-commits Tags: #clang Differential Revision: https://reviews.llvm.org/D62926 llvm-svn: 363491 2019-06-15 18:05:49 +08:00			`int getX() const { return x; }`
[analyzer] Assume that the allocated value is non-null before construction. I.e. not after. In the c++-allocator-inlining=true mode, we need to make the assumption that the conservatively evaluated operator new() has returned a non-null value. Previously we did this on CXXNewExpr, but now we have to do that before calling the constructor, because some clever constructors are sometimes assuming that their "this" is null and doing weird stuff. We would also crash upon evaluating CXXNewExpr when the allocator was inlined and returned null and had a throw specification; this is UB even for custom allocators, but we still need not to crash. Added more FIXME tests to ensure that eventually we fix calling the constructor for null return values. Differential Revision: https://reviews.llvm.org/D42192 llvm-svn: 323370 2018-01-25 04:32:26 +08:00			`};`

			`void testArrays() {`
			`S *s = new S[10]; // no-crash`
[analyzer] ReturnVisitor: Bypass everything to see inlined calls Summary: When we traversed backwards on ExplodedNodes to see where processed the given statement we `break` too early. With the current approach we do not miss the CallExitEnd ProgramPoint which stands for an inlined call. Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus Reviewed By: NoQ Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp, cfe-commits Tags: #clang Differential Revision: https://reviews.llvm.org/D62926 llvm-svn: 363491 2019-06-15 18:05:49 +08:00			`s[0].x = 2;`
			`#ifndef SUPPRESSED`
			`// expected-warning@-2 {{Dereference of null pointer}}`
			`#endif`
[analyzer] Assume that the allocated value is non-null before construction. I.e. not after. In the c++-allocator-inlining=true mode, we need to make the assumption that the conservatively evaluated operator new() has returned a non-null value. Previously we did this on CXXNewExpr, but now we have to do that before calling the constructor, because some clever constructors are sometimes assuming that their "this" is null and doing weird stuff. We would also crash upon evaluating CXXNewExpr when the allocator was inlined and returned null and had a throw specification; this is UB even for custom allocators, but we still need not to crash. Added more FIXME tests to ensure that eventually we fix calling the constructor for null return values. Differential Revision: https://reviews.llvm.org/D42192 llvm-svn: 323370 2018-01-25 04:32:26 +08:00			`}`
[analyzer] ReturnVisitor: Bypass everything to see inlined calls Summary: When we traversed backwards on ExplodedNodes to see where processed the given statement we `break` too early. With the current approach we do not miss the CallExitEnd ProgramPoint which stands for an inlined call. Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus Reviewed By: NoQ Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp, cfe-commits Tags: #clang Differential Revision: https://reviews.llvm.org/D62926 llvm-svn: 363491 2019-06-15 18:05:49 +08:00
			`void testCtor() {`
			`S *s = new S();`
			`s->x = 13;`
			`#ifndef SUPPRESSED`
			`// expected-warning@-2 {{Access to field 'x' results in a dereference of a null pointer (loaded from variable 's')}}`
			`#endif`
			`}`

			`void testMethod() {`
			`S *s = new S();`
			`const int X = s->getX();`
			`#ifndef SUPPRESSED`
			`// expected-warning@-2 {{Called C++ object pointer is null}}`
			`#endif`
			`}`