llvm-project/clang/test/Analysis/new-ctor-null.cpp

// RUN: %clang_analyze_cc1 -std=c++14 \
// RUN:  -analyzer-checker=core,debug.ExprInspection \
// RUN:  -verify %s

void clang_analyzer_eval(bool);
void clang_analyzer_warnIfReached();

typedef __typeof__(sizeof(int)) size_t;

void *operator new(size_t size) throw() {
  return nullptr;
  // expected-warning@-1 {{null returned from function that requires a non-null return value}}
}
void *operator new[](size_t size) throw() {
  return nullptr;
  // expected-warning@-1 {{null returned from function that requires a non-null return value}}
}

struct S {
  int x;
  S() : x(1) {
    // FIXME: Constructor should not be called with null this, even if it was
    // returned by operator new().
    clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
  }
  ~S() {}
};

void testArrays() {
  S *s = new S[10]; // no-crash
  s[0].x = 2;
  // no-warning: 'Dereference of null pointer' suppressed by ReturnVisitor.
}

int global;
void testInvalidationOnConstructionIntoNull() {
  global = 0;
  S *s = new S();
  // FIXME: Should be FALSE - we should not invalidate globals.
  clang_analyzer_eval(global); // expected-warning{{UNKNOWN}}
}
[analyzer] Specify the C++ standard in more tests. Makes life easier for downstream developers with different default standard. llvm-svn: 375308 2019-10-19 08:08:17 +08:00			`// RUN: %clang_analyze_cc1 -std=c++14 \`
[analyzer] ReturnVisitor: Bypass everything to see inlined calls Summary: When we traversed backwards on ExplodedNodes to see where processed the given statement we `break` too early. With the current approach we do not miss the CallExitEnd ProgramPoint which stands for an inlined call. Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus Reviewed By: NoQ Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp, cfe-commits Tags: #clang Differential Revision: https://reviews.llvm.org/D62926 llvm-svn: 363491 2019-06-15 18:05:49 +08:00			`// RUN: -analyzer-checker=core,debug.ExprInspection \`
			`// RUN: -verify %s`
[analyzer] operator new: Fix memory space for the returned region. Make sure that with c++-allocator-inlining=true we have the return value of conservatively evaluated operator new() in the correct memory space (heap). This is a regression/omission that worked well in c++-allocator-inlining=false. Heap regions are superior to regular symbolic regions because they have stricter aliasing constraints: heap regions do not alias each other or global variables. Differential Revision: https://reviews.llvm.org/D41266 rdar://problem/12180598 llvm-svn: 322780 2018-01-18 06:58:35 +08:00
			`void clang_analyzer_eval(bool);`
[analyzer] Assume that the allocated value is non-null before construction. I.e. not after. In the c++-allocator-inlining=true mode, we need to make the assumption that the conservatively evaluated operator new() has returned a non-null value. Previously we did this on CXXNewExpr, but now we have to do that before calling the constructor, because some clever constructors are sometimes assuming that their "this" is null and doing weird stuff. We would also crash upon evaluating CXXNewExpr when the allocator was inlined and returned null and had a throw specification; this is UB even for custom allocators, but we still need not to crash. Added more FIXME tests to ensure that eventually we fix calling the constructor for null return values. Differential Revision: https://reviews.llvm.org/D42192 llvm-svn: 323370 2018-01-25 04:32:26 +08:00			`void clang_analyzer_warnIfReached();`
[analyzer] operator new: Fix memory space for the returned region. Make sure that with c++-allocator-inlining=true we have the return value of conservatively evaluated operator new() in the correct memory space (heap). This is a regression/omission that worked well in c++-allocator-inlining=false. Heap regions are superior to regular symbolic regions because they have stricter aliasing constraints: heap regions do not alias each other or global variables. Differential Revision: https://reviews.llvm.org/D41266 rdar://problem/12180598 llvm-svn: 322780 2018-01-18 06:58:35 +08:00
			`typedef __typeof__(sizeof(int)) size_t;`

			`void *operator new(size_t size) throw() {`
			`return nullptr;`
[clang] Annotating C++'s `operator new` with more attributes Summary: Right now we annotate C++'s `operator new` with `noalias` attribute, which very much is healthy for optimizations. However as per [[ http://eel.is/c++draft/basic.stc.dynamic.allocation \| `[basic.stc.dynamic.allocation]` ]], there are more promises on global `operator new`, namely: * non-`std::nothrow_t` `operator new` never returns `nullptr` * If `std::align_val_t align` parameter is taken, the pointer will also be `align`-aligned * ~~global `operator new`-returned pointer is `__STDCPP_DEFAULT_NEW_ALIGNMENT__`-aligned ~~ It's more caveated than that. Supplying this information may not cause immediate landslide effects on any specific benchmarks, but it for sure will be healthy for optimizer in the sense that the IR will better reflect the guarantees provided in the source code. The caveat is `-fno-assume-sane-operator-new`, which currently prevents emitting `noalias` attribute, and is automatically passed by Sanitizers ([[ https://bugs.llvm.org/show_bug.cgi?id=16386 \| PR16386 ]]) - should it also cover these attributes? The problem is that the flag is back-end-specific, as seen in `test/Modules/explicit-build-flags.cpp`. But while it is okay to add `noalias` metadata in backend, we really should be adding at least the alignment metadata to the AST, since that allows us to perform sema checks on it. Reviewers: erichkeane, rjmccall, jdoerfert, eugenis, rsmith Reviewed By: rsmith Subscribers: xbolva00, jrtc27, atanasyan, nlopes, cfe-commits Tags: #llvm, #clang Differential Revision: https://reviews.llvm.org/D73380 2020-02-26 06:37:17 +08:00			`// expected-warning@-1 {{null returned from function that requires a non-null return value}}`
[analyzer] operator new: Fix memory space for the returned region. Make sure that with c++-allocator-inlining=true we have the return value of conservatively evaluated operator new() in the correct memory space (heap). This is a regression/omission that worked well in c++-allocator-inlining=false. Heap regions are superior to regular symbolic regions because they have stricter aliasing constraints: heap regions do not alias each other or global variables. Differential Revision: https://reviews.llvm.org/D41266 rdar://problem/12180598 llvm-svn: 322780 2018-01-18 06:58:35 +08:00			`}`
			`void *operator new[](size_t size) throw() {`
			`return nullptr;`
[clang] Annotating C++'s `operator new` with more attributes Summary: Right now we annotate C++'s `operator new` with `noalias` attribute, which very much is healthy for optimizations. However as per [[ http://eel.is/c++draft/basic.stc.dynamic.allocation \| `[basic.stc.dynamic.allocation]` ]], there are more promises on global `operator new`, namely: * non-`std::nothrow_t` `operator new` never returns `nullptr` * If `std::align_val_t align` parameter is taken, the pointer will also be `align`-aligned * ~~global `operator new`-returned pointer is `__STDCPP_DEFAULT_NEW_ALIGNMENT__`-aligned ~~ It's more caveated than that. Supplying this information may not cause immediate landslide effects on any specific benchmarks, but it for sure will be healthy for optimizer in the sense that the IR will better reflect the guarantees provided in the source code. The caveat is `-fno-assume-sane-operator-new`, which currently prevents emitting `noalias` attribute, and is automatically passed by Sanitizers ([[ https://bugs.llvm.org/show_bug.cgi?id=16386 \| PR16386 ]]) - should it also cover these attributes? The problem is that the flag is back-end-specific, as seen in `test/Modules/explicit-build-flags.cpp`. But while it is okay to add `noalias` metadata in backend, we really should be adding at least the alignment metadata to the AST, since that allows us to perform sema checks on it. Reviewers: erichkeane, rjmccall, jdoerfert, eugenis, rsmith Reviewed By: rsmith Subscribers: xbolva00, jrtc27, atanasyan, nlopes, cfe-commits Tags: #llvm, #clang Differential Revision: https://reviews.llvm.org/D73380 2020-02-26 06:37:17 +08:00			`// expected-warning@-1 {{null returned from function that requires a non-null return value}}`
[analyzer] operator new: Fix memory space for the returned region. Make sure that with c++-allocator-inlining=true we have the return value of conservatively evaluated operator new() in the correct memory space (heap). This is a regression/omission that worked well in c++-allocator-inlining=false. Heap regions are superior to regular symbolic regions because they have stricter aliasing constraints: heap regions do not alias each other or global variables. Differential Revision: https://reviews.llvm.org/D41266 rdar://problem/12180598 llvm-svn: 322780 2018-01-18 06:58:35 +08:00			`}`

			`struct S {`
			`int x;`
[analyzer] Assume that the allocated value is non-null before construction. I.e. not after. In the c++-allocator-inlining=true mode, we need to make the assumption that the conservatively evaluated operator new() has returned a non-null value. Previously we did this on CXXNewExpr, but now we have to do that before calling the constructor, because some clever constructors are sometimes assuming that their "this" is null and doing weird stuff. We would also crash upon evaluating CXXNewExpr when the allocator was inlined and returned null and had a throw specification; this is UB even for custom allocators, but we still need not to crash. Added more FIXME tests to ensure that eventually we fix calling the constructor for null return values. Differential Revision: https://reviews.llvm.org/D42192 llvm-svn: 323370 2018-01-25 04:32:26 +08:00			`S() : x(1) {`
			`// FIXME: Constructor should not be called with null this, even if it was`
			`// returned by operator new().`
			`clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}`
			`}`
[analyzer] operator new: Fix memory space for the returned region. Make sure that with c++-allocator-inlining=true we have the return value of conservatively evaluated operator new() in the correct memory space (heap). This is a regression/omission that worked well in c++-allocator-inlining=false. Heap regions are superior to regular symbolic regions because they have stricter aliasing constraints: heap regions do not alias each other or global variables. Differential Revision: https://reviews.llvm.org/D41266 rdar://problem/12180598 llvm-svn: 322780 2018-01-18 06:58:35 +08:00			`~S() {}`
			`};`

			`void testArrays() {`
			`S *s = new S[10]; // no-crash`
[analyzer] ReturnVisitor: Bypass everything to see inlined calls Summary: When we traversed backwards on ExplodedNodes to see where processed the given statement we `break` too early. With the current approach we do not miss the CallExitEnd ProgramPoint which stands for an inlined call. Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus Reviewed By: NoQ Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp, cfe-commits Tags: #clang Differential Revision: https://reviews.llvm.org/D62926 llvm-svn: 363491 2019-06-15 18:05:49 +08:00			`s[0].x = 2;`
			`// no-warning: 'Dereference of null pointer' suppressed by ReturnVisitor.`
[analyzer] operator new: Fix memory space for the returned region. Make sure that with c++-allocator-inlining=true we have the return value of conservatively evaluated operator new() in the correct memory space (heap). This is a regression/omission that worked well in c++-allocator-inlining=false. Heap regions are superior to regular symbolic regions because they have stricter aliasing constraints: heap regions do not alias each other or global variables. Differential Revision: https://reviews.llvm.org/D41266 rdar://problem/12180598 llvm-svn: 322780 2018-01-18 06:58:35 +08:00			`}`
[analyzer] Assume that the allocated value is non-null before construction. I.e. not after. In the c++-allocator-inlining=true mode, we need to make the assumption that the conservatively evaluated operator new() has returned a non-null value. Previously we did this on CXXNewExpr, but now we have to do that before calling the constructor, because some clever constructors are sometimes assuming that their "this" is null and doing weird stuff. We would also crash upon evaluating CXXNewExpr when the allocator was inlined and returned null and had a throw specification; this is UB even for custom allocators, but we still need not to crash. Added more FIXME tests to ensure that eventually we fix calling the constructor for null return values. Differential Revision: https://reviews.llvm.org/D42192 llvm-svn: 323370 2018-01-25 04:32:26 +08:00
			`int global;`
			`void testInvalidationOnConstructionIntoNull() {`
			`global = 0;`
			`S *s = new S();`
			`// FIXME: Should be FALSE - we should not invalidate globals.`
			`clang_analyzer_eval(global); // expected-warning{{UNKNOWN}}`
			`}`