llvm-project/clang/test/Analysis/misc-ps-region-store.cpp

729 lines
16 KiB
C++

// RUN: %clang_analyze_cc1 -triple i386-apple-darwin9 -analyzer-checker=core,alpha.core,debug.ExprInspection -analyzer-store=region -verify -fblocks -analyzer-opt-analyze-nested-blocks %s -fexceptions -fcxx-exceptions -Wno-tautological-undefined-compare
// RUN: %clang_analyze_cc1 -triple x86_64-apple-darwin9 -analyzer-checker=core,alpha.core,debug.ExprInspection -analyzer-store=region -verify -fblocks -analyzer-opt-analyze-nested-blocks %s -fexceptions -fcxx-exceptions -Wno-tautological-undefined-compare
void clang_analyzer_warnIfReached();
// Test basic handling of references.
char &test1_aux();
char *test1() {
return &test1_aux();
}
// Test test1_aux() evaluates to char &.
char test1_as_rvalue() {
return test1_aux();
}
// Test passing a value as a reference. The 'const' in test2_aux() adds
// an ImplicitCastExpr, which is evaluated as an lvalue.
int test2_aux(const int &n);
int test2(int n) {
return test2_aux(n);
}
int test2_b_aux(const short &n);
int test2_b(int n) {
return test2_b_aux(n);
}
// Test getting the lvalue of a derived and converting it to a base. This
// previously crashed.
class Test3_Base {};
class Test3_Derived : public Test3_Base {};
int test3_aux(Test3_Base &x);
int test3(Test3_Derived x) {
return test3_aux(x);
}
//===---------------------------------------------------------------------===//
// Test CFG support for C++ condition variables.
//===---------------------------------------------------------------------===//
int test_init_in_condition_aux();
int test_init_in_condition() {
if (int x = test_init_in_condition_aux()) { // no-warning
return 1;
}
return 0;
}
int test_init_in_condition_switch() {
switch (int x = test_init_in_condition_aux()) { // no-warning
case 1:
return 0;
case 2:
if (x == 2)
return 0;
else {
clang_analyzer_warnIfReached(); // unreachable
}
default:
break;
}
return 0;
}
int test_init_in_condition_while() {
int z = 0;
while (int x = ++z) { // no-warning
if (x == 2)
break;
}
if (z == 2)
return 0;
clang_analyzer_warnIfReached(); // unreachable
return 0;
}
int test_init_in_condition_for() {
int z = 0;
for (int x = 0; int y = ++z; ++x) {
if (x == y) // no-warning
break;
}
if (z == 1)
return 0;
clang_analyzer_warnIfReached(); // unreachable
return 0;
}
//===---------------------------------------------------------------------===//
// Test handling of 'this' pointer.
//===---------------------------------------------------------------------===//
class TestHandleThis {
int x;
TestHandleThis();
int foo();
int null_deref_negative();
int null_deref_positive();
};
int TestHandleThis::foo() {
// Assume that 'x' is initialized.
return x + 1; // no-warning
}
int TestHandleThis::null_deref_negative() {
x = 10;
if (x == 10) {
return 1;
}
clang_analyzer_warnIfReached(); // unreachable
return 0;
}
int TestHandleThis::null_deref_positive() {
x = 10;
if (x == 9) {
return 1;
}
clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
return 0;
}
// PR 7675 - passing literals by-reference
void pr7675(const double &a);
void pr7675(const int &a);
void pr7675(const char &a);
void pr7675_i(const _Complex double &a);
void pr7675_test() {
pr7675(10.0);
pr7675(10);
pr7675('c');
pr7675_i(4.0j);
// Add check to ensure we are analyzing the code up to this point.
clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
}
// <rdar://problem/8375510> - CFGBuilder should handle temporaries.
struct R8375510 {
R8375510();
~R8375510();
R8375510 operator++(int);
};
int r8375510(R8375510 x, R8375510 y) {
for (; ; x++) { }
}
// PR8419 -- this used to crash.
class String8419 {
public:
char& get(int n);
char& operator[](int n);
};
char& get8419();
void Test8419() {
String8419 s;
++(s.get(0));
get8419()--; // used to crash
--s[0]; // used to crash
s[0] &= 1; // used to crash
s[0]++; // used to crash
}
// PR8426 -- this used to crash.
void Use(void* to);
template <class T> class Foo {
~Foo();
struct Bar;
Bar* bar_;
};
template <class T> Foo<T>::~Foo() {
Use(bar_);
T::DoSomething();
bar_->Work();
}
// PR8427 -- this used to crash.
class Dummy {};
bool operator==(Dummy, int);
template <typename T>
class Foo2 {
bool Bar();
};
template <typename T>
bool Foo2<T>::Bar() {
return 0 == T();
}
// PR8433 -- this used to crash.
template <typename T>
class Foo3 {
public:
void Bar();
void Baz();
T value_;
};
template <typename T>
void Foo3<T>::Bar() {
Baz();
value_();
}
//===---------------------------------------------------------------------===//
// Handle misc. C++ constructs.
//===---------------------------------------------------------------------===//
namespace fum {
int i = 3;
};
void test_namespace() {
// Previously triggered a crash.
using namespace fum;
int x = i;
}
// Test handling methods that accept references as parameters, and that
// variables are properly invalidated.
class RDar9203355 {
bool foo(unsigned valA, long long &result) const;
bool foo(unsigned valA, int &result) const;
};
bool RDar9203355::foo(unsigned valA, int &result) const {
long long val;
if (foo(valA, val) ||
(int)val != val) // no-warning
return true;
result = val; // no-warning
return false;
}
// Test handling of new[].
void rdar9212512() {
int *x = new int[10];
for (unsigned i = 0 ; i < 2 ; ++i) {
// This previously triggered an uninitialized values warning.
x[i] = 1; // no-warning
}
}
// Test basic support for dynamic_cast<>.
struct Rdar9212495_C { virtual void bar() const; };
class Rdar9212495_B : public Rdar9212495_C {};
class Rdar9212495_A : public Rdar9212495_B {};
const Rdar9212495_A& rdar9212495(const Rdar9212495_C* ptr) {
const Rdar9212495_A& val = dynamic_cast<const Rdar9212495_A&>(*ptr);
// This is not valid C++; dynamic_cast with a reference type will throw an
// exception if the pointer does not match the expected type. However, our
// implementation of dynamic_cast will pass through a null pointer...or a
// "null reference"! So this branch is actually possible.
if (&val == 0) {
val.bar(); // expected-warning{{Called C++ object pointer is null}}
}
return val;
}
const Rdar9212495_A* rdar9212495_ptr(const Rdar9212495_C* ptr) {
const Rdar9212495_A* val = dynamic_cast<const Rdar9212495_A*>(ptr);
if (val == 0) {
val->bar(); // expected-warning{{Called C++ object pointer is null}}
}
return val;
}
// Test constructors invalidating arguments. Previously this raised
// an uninitialized value warning.
extern "C" void __attribute__((noreturn)) PR9645_exit(int i);
class PR9645_SideEffect
{
public:
PR9645_SideEffect(int *pi); // caches pi in i_
void Read(int *pi); // copies *pi into *i_
private:
int *i_;
};
void PR9645() {
int i;
PR9645_SideEffect se(&i);
int j = 1;
se.Read(&j); // this has a side-effect of initializing i.
PR9645_exit(i); // no-warning
}
PR9645_SideEffect::PR9645_SideEffect(int *pi) : i_(pi) {}
void PR9645_SideEffect::Read(int *pi) { *i_ = *pi; }
// Invalidate fields during C++ method calls.
class RDar9267815 {
int x;
void test();
void test_pos();
void test2();
void invalidate();
};
void RDar9267815::test_pos() {
if (x == 42)
return;
clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
}
void RDar9267815::test() {
if (x == 42)
return;
if (x == 42)
clang_analyzer_warnIfReached(); // no-warning
}
void RDar9267815::test2() {
if (x == 42)
return;
invalidate();
if (x == 42)
clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
}
// Test reference parameters.
void test_ref_double_aux(double &Value);
float test_ref_double() {
double dVal;
test_ref_double_aux(dVal);
// This previously warned because 'dVal' was thought to be uninitialized.
float Val = (float)dVal; // no-warning
return Val;
}
// Test invalidation of class fields.
class TestInvalidateClass {
public:
int x;
};
void test_invalidate_class_aux(TestInvalidateClass &x);
int test_invalidate_class() {
TestInvalidateClass y;
test_invalidate_class_aux(y);
return y.x; // no-warning
}
// Test correct pointer arithmetic using 'p--'. This is to warn that we
// were loading beyond the written characters in buf.
char *RDar9269695(char *dst, unsigned int n)
{
char buff[40], *p;
p = buff;
do
*p++ = '0' + n % 10;
while (n /= 10);
do
*dst++ = *--p; // no-warning
while (p != buff);
return dst;
}
// Test that we invalidate byref arguments passed to constructors.
class TestInvalidateInCtor {
public:
TestInvalidateInCtor(unsigned &x);
};
unsigned test_invalidate_in_ctor() {
unsigned x;
TestInvalidateInCtor foo(x);
return x; // no-warning
}
unsigned test_invalidate_in_ctor_new() {
unsigned x;
delete (new TestInvalidateInCtor(x));
return x; // no-warning
}
// Test assigning into a symbolic offset.
struct TestAssignIntoSymbolicOffset {
int **stuff[100];
void test(int x, int y);
};
void TestAssignIntoSymbolicOffset::test(int x, int y) {
x--;
if (x > 8 || x < 0)
return;
if (stuff[x])
return;
if (!stuff[x]) {
stuff[x] = new int*[y+1];
// Previously triggered a null dereference.
stuff[x][y] = 0; // no-warning
}
}
// Test loads from static fields. This previously triggered an uninitialized
// value warning.
class ClassWithStatic {
public:
static const unsigned value = 1;
};
int rdar9948787_negative() {
ClassWithStatic classWithStatic;
unsigned value = classWithStatic.value;
if (value == 1)
return 1;
clang_analyzer_warnIfReached(); // no-warning
return 0;
}
int rdar9948787_positive() {
ClassWithStatic classWithStatic;
unsigned value = classWithStatic.value;
if (value == 0)
return 1;
clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
return 0;
}
// Regression test against global constants and switches.
enum rdar10202899_ValT { rdar10202899_ValTA, rdar10202899_ValTB, rdar10202899_ValTC };
const rdar10202899_ValT val = rdar10202899_ValTA;
void rdar10202899_test1() {
switch (val) {
case rdar10202899_ValTA: {}
};
}
void rdar10202899_test2() {
if (val == rdar10202899_ValTA)
return;
clang_analyzer_warnIfReached(); // no-warning
}
void rdar10202899_test3() {
switch (val) {
case rdar10202899_ValTA: return;
default: ;
};
clang_analyzer_warnIfReached(); // no-warning
}
// This used to crash the analyzer because of the unnamed bitfield.
void PR11249()
{
struct {
char f1:4;
char :4;
char f2[1];
char f3;
} V = { 1, {2}, 3 };
if (V.f1 != 1)
clang_analyzer_warnIfReached(); // no-warning
if (V.f2[0] != 2)
clang_analyzer_warnIfReached(); // no-warning
if (V.f3 != 3)
clang_analyzer_warnIfReached(); // no-warning
}
// Handle doing a load from the memory associated with the code for
// a function.
extern double nan( const char * );
double PR11450() {
double NaN = *(double*) nan;
return NaN;
}
// Test that 'this' is assumed non-null upon analyzing the entry to a "top-level"
// function (i.e., when not analyzing from a specific caller).
struct TestNullThis {
int field;
void test();
};
void TestNullThis::test() {
int *p = &field;
if (p)
return;
field = 2; // no-warning
}
// Test handling of 'catch' exception variables, and not warning
// about uninitialized values.
enum MyEnum { MyEnumValue };
MyEnum rdar10892489() {
try {
throw MyEnumValue;
} catch (MyEnum e) {
return e; // no-warning
}
return MyEnumValue;
}
MyEnum rdar10892489_positive() {
try {
throw MyEnumValue;
} catch (MyEnum e) {
int *p = 0;
// FALSE NEGATIVE
*p = 0xDEADBEEF; // {{null}}
return e;
}
return MyEnumValue;
}
// Test handling of catch with no condition variable.
void PR11545() {
try
{
throw;
}
catch (...)
{
}
}
void PR11545_positive() {
try
{
throw;
}
catch (...)
{
int *p = 0;
// FALSE NEGATIVE
*p = 0xDEADBEEF; // {{null}}
}
}
// Test handling taking the address of a field. While the analyzer
// currently doesn't do anything intelligent here, this previously
// resulted in a crash.
class PR11146 {
public:
struct Entry;
void baz();
};
struct PR11146::Entry {
int x;
};
void PR11146::baz() {
(void) &Entry::x;
}
// Test symbolicating a reference. In this example, the
// analyzer (originally) didn't know how to handle x[index - index2],
// returning an UnknownVal. The conjured symbol wasn't a location,
// and would result in a crash.
void rdar10924675(unsigned short x[], int index, int index2) {
unsigned short &y = x[index - index2];
if (y == 0)
return;
}
// Test handling CXXScalarValueInitExprs.
void rdar11401827() {
int x = int();
if (!x) {
clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
; // Suppress warning that both branches are identical
}
else {
clang_analyzer_warnIfReached(); // no-warning
}
}
//===---------------------------------------------------------------------===//
// Handle inlining of C++ method calls.
//===---------------------------------------------------------------------===//
struct A {
int *p;
void foo(int *q) {
p = q;
}
void bar() {
*p = 0; // expected-warning {{null pointer}}
}
};
void test_inline() {
A a;
a.foo(0);
a.bar();
}
void test_alloca_in_a_recursive_function(int p1) {
__builtin_alloca (p1);
test_alloca_in_a_recursive_function(1);
test_alloca_in_a_recursive_function(2);
}
//===---------------------------------------------------------------------===//
// Random tests.
//===---------------------------------------------------------------------===//
// Tests assigning using a C-style initializer to a struct
// variable whose sub-field is also a struct. This currently
// results in a CXXTempObjectRegion being created, but not
// properly handled. For now, we just ignore that value
// to avoid a crash (<rdar://problem/12753384>).
struct RDar12753384_ClassA {
unsigned z;
};
struct RDar12753384_ClassB {
unsigned x;
RDar12753384_ClassA y[ 8 ] ;
};
unsigned RDar12753384() {
RDar12753384_ClassB w = { 0x00 };
RDar12753384_ClassA y[8];
return w.x;
}
// This testcase tests whether we treat the anonymous union and union
// the same way. This previously resulted in a "return of stack address"
// warning because the anonymous union resulting in a temporary object
// getting put into the initializer. We still aren't handling this correctly,
// but now if a temporary object appears in an initializer we just ignore it.
// Fixes <rdar://problem/12755044>.
struct Rdar12755044_foo
{
struct Rdar12755044_bar
{
union baz
{
int i;
};
} aBar;
};
struct Rdar12755044_foo_anon
{
struct Rdar12755044_bar
{
union
{
int i;
};
} aBar;
};
const Rdar12755044_foo_anon *radar12755044_anon() {
static const Rdar12755044_foo_anon Rdar12755044_foo_list[] = { { { } } };
return Rdar12755044_foo_list; // no-warning
}
const Rdar12755044_foo *radar12755044() {
static const Rdar12755044_foo Rdar12755044_foo_list[] = { { { } } };
return Rdar12755044_foo_list; // no-warning
}
// Test the correct handling of integer to bool conversions. Previously
// this resulted in a false positive because integers were being truncated
// and not tested for non-zero.
void rdar12759044() {
int flag = 512;
if (!(flag & 512)) {
clang_analyzer_warnIfReached(); // no-warning
}
}
// The analyzer currently does not model complex types. Test that the load
// from 'x' is not flagged as being uninitialized.
typedef __complex__ float _ComplexT;
void rdar12964481(_ComplexT *y) {
_ComplexT x;
__real__ x = 1.0;
__imag__ x = 1.0;
*y *= x; // no-warning
}
void rdar12964481_b(_ComplexT *y) {
_ComplexT x;
// Eventually this should be a warning.
*y *= x; // no-warning
}
// Test case for PR 12921. This previously produced
// a bogus warning.
static const int pr12921_arr[] = { 0, 1 };
static const int pr12921_arrcount = sizeof(pr12921_arr)/sizeof(int);
int pr12921(int argc, char **argv) {
int i, retval;
for (i = 0; i < pr12921_arrcount; i++) {
if (argc == i) {
retval = i;
break;
}
}
// No match
if (i == pr12921_arrcount) return 66;
return pr12921_arr[retval];
}