// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core,debug.ExprInspection -analyzer-store=region -verify -Wno-null-dereference -Wno-tautological-undefined-compare %s

// The command above runs the analyzer with the core, alpha.core and
// debug.ExprInspection checkers in -verify mode: every diagnostic has to be
// matched by a directive comment on the line that produces it, and a line
// without a directive has to stay silent.

// Hook of the debug.ExprInspection checker: the analyzer reports what it knows
// about the argument (TRUE, FALSE or UNKNOWN) as a warning at the call site.
void clang_analyzer_eval(bool);

// Local definition of size_t, presumably so the test needs no system headers.
typedef typeof(sizeof(int)) size_t;
// NOTE(review): declared with a void return type and not called in the visible
// part of the file - confirm whether this declaration is still needed.
void malloc (size_t);
7 
// Reads the literal 3 back through a const reference. The null-pointer store
// sits behind `b != 3` and is annotated as producing no diagnostic
// (presumably because the analyzer knows b == 3 and treats the branch as
// infeasible).
void f1() {
  int const &i = 3;
  int b = i;

  int *p = 0;

  if (b != 3)
    *p = 1; // no-warning
}
17 
// Sources of a pointer and of a reference, used by the tests below. Only the
// declarations are visible here, so the analyzer cannot see what they return.
char* ptr();
char& ref();
20 
// These next two tests just shouldn't crash.
// t1 stores directly through the reference returned by ref(); no diagnostic
// is annotated on any line.
char t1 () {
  ref() = 'c';
  return '0';
}
26 
// just a sanity test, the same behavior as t1()
// Pointer counterpart of t1: stores through the pointer returned by ptr().
char t2 () {
  *ptr() = 'c';
  return '0';
}
32 
// Each of the tests below is repeated with pointers as well as references.
// This is mostly a sanity check, but then again, both should work!
//
// t3: stores 'c' through a reference obtained from ref() and then branches on
// the stored value. The null dereference on the last line is only reached if
// r reads back as zero; it is annotated as silent, presumably because the
// analyzer tracks the value just written.
char t3 () {
  char& r = ref();
  r = 'c'; // no-warning
  if (r) return r;
  return *(char*)0; // no-warning
}
41 
// Pointer counterpart of t3: the value written through p must be remembered,
// so the null dereference behind `if (*p)` is annotated as silent.
char t4 () {
  char* p = ptr();
  *p = 'c'; // no-warning
  if (*p) return *p;
  return *(char*)0; // no-warning
}
48 
// Same check as t3, with the reference arriving as a parameter instead of
// coming from ref().
char t5 (char& r) {
  r = 'c'; // no-warning
  if (r) return r;
  return *(char*)0; // no-warning
}
54 
// Same check as t4, with the pointer arriving as a parameter instead of
// coming from ptr().
char t6 (char* p) {
  *p = 'c'; // no-warning
  if (*p) return *p;
  return *(char*)0; // no-warning
}
60 
61 
// PR13440 / <rdar://problem/11977113>
// Test that the array-to-pointer decay works for array references as well.
// More generally, when we want an lvalue for a reference field, we still need
// to do one level of load.
namespace PR13440 {
  typedef int T[1];
  // Reference-to-array field declared through the typedef.
  struct S {
    T &x;

    // Returning x as int* forces array-to-pointer decay on the reference field.
    int *m() { return x; }
  };

  // Same field, spelled without the typedef.
  struct S2 {
    int (&x)[1];

    int *m() { return x; }

    // Decays the same reference field twice; both pointers must be seen as
    // designating the same element, so the comparison evaluates to TRUE.
    void testArrayToPointerDecayWithNonTypedValueRegion() {
      int *p = x;
      int *q = x;
      clang_analyzer_eval(p[0] == q[0]); // expected-warning{{TRUE}}
    }

  };

  // Binds both structs to the local array `a`, writes 42 into it and checks
  // that the value is visible through each reference field.
  void test() {
    int a[1];
    S s = { a };
    S2 s2 = { a };

    // Continue only on paths where the fields compare equal to `a`.
    if (s.x != a) return;
    if (s2.x != a) return;

    a[0] = 42;
    clang_analyzer_eval(s.x[0] == 42); // expected-warning{{TRUE}}
    clang_analyzer_eval(s2.x[0] == 42); // expected-warning{{TRUE}}
  }
}
100 
// Binding a reference to *x where x is a known null pointer is reported at
// the binding itself, not at the later write through y.
void testNullReference() {
  int *x = 0;
  int &y = *x; // expected-warning{{Dereference of null pointer}}
  y = 5;
}
106 
// The reference is bound before x is compared with null. On the path where
// the comparison shows x to be null, the write through y is reported.
void testRetroactiveNullReference(int *x) {
  // According to the C++ standard, there is no such thing as a
  // "null reference". So the 'if' statement ought to be dead code.
  // However, Clang (and other compilers) don't actually check that a pointer
  // value is non-null in the implementation of references, so it is possible
  // to produce a supposed "null reference" at runtime. The analyzer should
  // still warn when it can prove such errors.
  int &y = *x;
  if (x != 0)
    return;
  y = 5; // expected-warning{{Dereference of null pointer}}
}
119 
// Checks what the analyzer assumes about the address of a reference coming
// from a parameter, a call result, a field of a returned struct and a field
// reached through a returned pointer. Without ANALYZER_CM_Z3 each address is
// evaluated as non-null (TRUE); with ANALYZER_CM_Z3 the result is UNKNOWN.
void testReferenceAddress(int &x) {
// FIXME: Move non-zero reference assumption out of RangeConstraintManager.cpp:422
#ifdef ANALYZER_CM_Z3
  clang_analyzer_eval(&x != 0); // expected-warning{{UNKNOWN}}
  clang_analyzer_eval(&ref() != 0); // expected-warning{{UNKNOWN}}
#else
  clang_analyzer_eval(&x != 0); // expected-warning{{TRUE}}
  clang_analyzer_eval(&ref() != 0); // expected-warning{{TRUE}}
#endif

  // Local struct with a reference field, used for the two cases below.
  struct S { int &x; };

  // Reference field of a struct returned by value.
  extern S getS();
#ifdef ANALYZER_CM_Z3
  clang_analyzer_eval(&getS().x != 0); // expected-warning{{UNKNOWN}}
#else
  clang_analyzer_eval(&getS().x != 0); // expected-warning{{TRUE}}
#endif

  // Reference field reached through a returned pointer.
  extern S *getSP();
#ifdef ANALYZER_CM_Z3
  clang_analyzer_eval(&getSP()->x != 0); // expected-warning{{UNKNOWN}}
#else
  clang_analyzer_eval(&getSP()->x != 0); // expected-warning{{TRUE}}
#endif
}
146 
147 
// Calls through a function pointer cast from an opaque void*, whose type
// returns int&. The write through the returned reference must be readable
// back, so the comparison evaluates to TRUE.
void testFunctionPointerReturn(void *opaque) {
  typedef int &(*RefFn)();

  RefFn getRef = (RefFn)opaque;

  // Don't crash writing to or reading from this reference.
  int &x = getRef();
  x = 42;
  clang_analyzer_eval(x == 42); // expected-warning{{TRUE}}
}
158 
// Returning *x as int& with x known to be null is reported with the dedicated
// "Returning null reference" message.
int &testReturnNullReference() {
  int *x = 0;
  return *x; // expected-warning{{Returning null reference}}
}
163 
// Turns the pointer returned by ptr() into a reference; helper for
// testReturnReference.
char &refFromPointer() {
  return *ptr();
}
167 
// The raw pointer from ptr() may or may not be null (UNKNOWN), but the address
// of the reference produced by refFromPointer() is evaluated as non-null, so
// comparing it with 0 yields FALSE.
void testReturnReference() {
  clang_analyzer_eval(ptr() == 0); // expected-warning{{UNKNOWN}}
  clang_analyzer_eval(&refFromPointer() == 0); // expected-warning{{FALSE}}
}
172 
// Takes an int by reference and does nothing with it; callee for
// testIntRefParam.
void intRefParam(int &r) {
	;
}
176 
// Before the call nothing is known about ptr (UNKNOWN). After *ptr has been
// bound to the reference parameter of use(), the pointer is evaluated as
// non-null, so the same comparison yields FALSE.
void test(int *ptr) {
	clang_analyzer_eval(ptr == 0); // expected-warning{{UNKNOWN}}

	extern void use(int &ref);
	use(*ptr);

	clang_analyzer_eval(ptr == 0); // expected-warning{{FALSE}}
}
185 
// Passing a local whose value is 0 by reference must stay silent: the value
// is zero, the address is not.
void testIntRefParam() {
	int i = 0;
	intRefParam(i); // no-warning
}
190 
// Returns the value read through the reference parameter; callee for
// testRefParam.
int refParam(int &byteIndex) {
	return byteIndex;
}
194 
// The empty `if (p)` makes the analyzer consider a path on which p is null;
// binding *p to the reference parameter on that path is reported at the call.
void testRefParam(int *p) {
	if (p)
		;
	refParam(*p); // expected-warning {{Forming reference to null pointer}}
}
200 
// Dereferences a pointer received by reference. The diagnostic is annotated
// here, in the callee; presumably it is produced when the call from
// testRefParam2, which passes a null pointer, is analyzed.
int ptrRefParam(int *&byteIndex) {
	return *byteIndex;  // expected-warning {{Dereference of null pointer}}
}
// Passes a reference to a null pointer variable. The reference itself is
// valid, so no diagnostic is annotated in this function; the dereference
// inside ptrRefParam carries the directive.
void testRefParam2() {
	int *p = 0;
	int *&rp = p;
	ptrRefParam(rp);
}
209 
// Returns either the address of a static int or null, depending on the
// result of coin(), which is declared here without a visible definition.
int *maybeNull() {
	extern bool coin();
	static int x;
	return coin() ? &x : 0;
}
215 
// Writes through its reference parameter; the write is annotated as silent.
void use(int &x) {
	x = 1; // no-warning
}
219 
// Binds the possibly-null result of maybeNull() to the reference parameter
// of use(). No directive is attached, so under -verify this call must not
// produce a diagnostic (presumably a report here would be suppressed because
// the null value comes from an inlined callee - confirm against the checker).
void testSuppression() {
	use(*maybeNull());
}
223 
// Returning an object by value from a dereferenced pointer: the same null
// checks as above, applied to a class type instead of int.
namespace rdar11212286 {
  class B{};

  // x is known to be null, so returning *x is reported.
  B test() {
    B *x = 0;
    return *x; // expected-warning {{Forming reference to null pointer}}
  }

  // The empty `if (x)` makes the analyzer consider a path on which x is null;
  // the return on that path is reported.
  B testif(B *x) {
    if (x)
      ;
    return *x; // expected-warning {{Forming reference to null pointer}}
  }

  // Helper that performs the same null check and nothing else.
  void idc(B *x) {
    if (x)
      ;
  }

  // Here the null check happens inside idc() rather than in this function,
  // and the return is annotated as silent (presumably a check made only in a
  // callee is not taken as evidence that the caller's pointer can be null).
  B testidc(B *x) {
    idc(x);
    return *x; // no-warning
  }
}
248 
// Crash regression test: a bit-field is passed to a template parameter of
// type const T&. No diagnostic is annotated; the analyzer only has to get
// through the call.
namespace PR15694 {
  class C {
    bool bit : 1;
    template <class T> void bar(const T &obj) {}
    void foo() {
      bar(bit); // don't crash
    }
  };
}
258