1*67e74705SXin Li // RUN: %clang_cc1 -w -analyze -analyzer-eagerly-assume -fcxx-exceptions -analyzer-checker=core -analyzer-checker=alpha.core.PointerArithm,alpha.core.CastToStruct -analyzer-max-loop 64 -verify %s
2*67e74705SXin Li // RUN: %clang_cc1 -w -analyze -analyzer-checker=core -analyzer-checker=cplusplus -fcxx-exceptions -analyzer-checker alpha.core.PointerArithm,alpha.core.CastToStruct -analyzer-max-loop 63 -verify %s
3*67e74705SXin Li
4*67e74705SXin Li // These tests used to hit an assertion in the bug report. Test case from http://llvm.org/PR24184.
// Case 1 declarations. In this variant pbData is a plain unsigned; case 2
// further down uses a pointer-typed pbData instead.
typedef struct {
  int cbData;
  unsigned pbData;
} CRYPT_DATA_BLOB;

typedef enum { DT_NONCE_FIXED } DATA_TYPE;
// Global counter; the increment expression of fn1's loop mutates it.
int a;
// A function type, not a pointer to function: takes
// (int *, DATA_TYPE, int, int) and returns int *. fn2 is declared with it.
typedef int *vcreate_t(int *, DATA_TYPE, int, int);
// Never returns: the loop condition is the constant 1 and the body is empty.
// The increment expression bumps the global `a` and then evaluates (and
// discards) `&b + a * 0`, i.e. pointer arithmetic on the address of a single
// local char. alpha.core.PointerArithm is enabled for this file and this line
// carries no diagnostic annotation, so under -verify any analyzer report
// raised here would fail the test.
// NOTE(review): the two run configurations cap loops at 64 and 63; presumably
// this loop is what drives the analyzer to that bound. Confirm against
// PR24184.
void fn1(unsigned, unsigned) {
  char b = 0;
  for (; 1; a++, &b + a * 0)
    ;
}
18*67e74705SXin Li
// Declares fn2 through the vcreate_t function type. No definition is visible
// in this listing, so the analyzer cannot see into calls to it.
vcreate_t fn2;
// Wraps one CRYPT_DATA_BLOB. The statements look machine-reduced; leave them
// exactly as they are so the analyzer is fed the same input as the original
// report.
struct A {
  CRYPT_DATA_BLOB value;
  // Declared to return int but contains no return statement; it ends in a
  // call to fn1, whose loop never exits.
  int m_fn1() {
    int c;              // declared, never initialised or read
    value.pbData == 0;  // comparison result is discarded
    fn1(0, 0);
  }
};
// Aggregate of three A objects. C::m_fn2 calls m_fn1 on the first two and
// reads value.cbData from the third.
struct B {
  A IkeHashAlg;
  A IkeGType;
  A NoncePhase1_r;
};
// Both members are private (default access of `class`). m_fn2 is defined
// below; m_fn3 is only declared in this listing.
class C {
  int m_fn2(B *);
  void m_fn3(B *, int, int, int);
};
// Calls A::m_fn1 on two members of *p1, then fn2 and m_fn3. p1 is
// dereferenced without a null check, and the function has no return statement
// although it is declared to return int. d, e, f and h are assigned but never
// read; g is never used.
int C::m_fn2(B *p1) {
  int *d;
  int e = p1->IkeHashAlg.m_fn1();
  unsigned f = p1->IkeGType.m_fn1(), h;  // int result converted to unsigned
  int g;
  // Third argument is a char 0 converted to the int parameter; the fourth is
  // the blob's length field.
  d = fn2(0, DT_NONCE_FIXED, (char)0, p1->NoncePhase1_r.value.cbData);
  h = 0 | 0;
  m_fn3(p1, 0, 0, 0);
}
46*67e74705SXin Li
47*67e74705SXin Li // case 2:
// Case 2 variant of the blob: pbData is a byte pointer and cbData stays a
// signed int.
typedef struct {
  int cbData;
  unsigned char *pbData;
} CRYPT_DATA_BLOB_1;
// Local definition of the name; no headers are included in this listing.
typedef unsigned uint32_t;
// Compares the two pointers and discards the result; it only gives the
// analyzer a use of both pointer values.
void fn1_1(void *p1, const void *p2) { p1 != p2; }
54*67e74705SXin Li
// Calls fn1_1 p3 times with `p1 + i` and `p2 + i * 0`. Nothing here checks
// that p1 addresses at least p3 elements; that is entirely up to the caller.
// Neither pointer-arithmetic expression carries a diagnostic annotation.
void fn2_1(uint32_t *p1, unsigned char *p2, uint32_t p3) {
  unsigned i = 0;
  for (0; i < p3; i++)  // init clause `0` is a no-op expression
    fn1_1(p1 + i, p2 + i * 0);
}
60*67e74705SXin Li
// Case 2 counterpart of struct A, holding a CRYPT_DATA_BLOB_1.
struct A_1 {
  CRYPT_DATA_BLOB_1 value;
  // Always returns 0. When value.pbData is non-null it passes fn2_1 the
  // address of the single local `a` with value.cbData as the count, so
  // fn2_1's `p1 + i` is arithmetic on a pointer to one uint32_t object.
  // cbData is an int and is converted to uint32_t at the call, so a negative
  // length would arrive as a very large count.
  uint32_t m_fn1() {
    uint32_t a;  // shadows the global `a`; never initialised
    if (value.pbData)
      fn2_1(&a, value.pbData, value.cbData);
    return 0;
  }
};
// Global pointer to an unnamed struct holding one A_1. It has no initialiser
// and nothing in this listing assigns it.
struct {
  A_1 HashAlgId;
} *b;
// Entry point for case 2: dereferences the global `b` without a null check to
// reach A_1::m_fn1. The remaining statements are expressions whose values are
// discarded, plus a dead store to c.
void fn3() {
  uint32_t c, d;
  d = b->HashAlgId.m_fn1();
  d << 0 | 0 | 0;       // result unused
  c = 0;                // c is never read
  0 | 1 << 0 | 0 && b;  // result unused
}
80*67e74705SXin Li
81*67e74705SXin Li // case 3:
// Case 3: a struct with a single char member, the target type of the cast in
// foo2.
struct ST {
  char c;
};
// Global char pointer with no initialiser; foo2 reinterprets it as ST *.
char *p;
// Declared only; takes an ST by value. foo2 uses its result as a pointer
// step.
int foo1(ST);
// Reinterprets the global char pointer `p` as an ST *. This is the only line
// in the file with a diagnostic annotation, and its text matches the enabled
// alpha.core.CastToStruct checker. The annotation has to stay on the same
// line as the cast for -verify to pair it with the report.
// The loop then advances p1 by whatever foo1 returns while either masked test
// of p1->c is non-zero. Nothing bounds the walk or checks p for null, and the
// function has no return statement although it is declared to return int.
int foo2() {
  ST *p1 = (ST *)(p); // expected-warning{{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption}}
  while (p1->c & 0x0F || p1->c & 0x07)
    p1 = p1 + foo1(*p1);
}
92*67e74705SXin Li
// Calls foo2 and, if the result is non-zero, returns the result of a second
// foo2 call; otherwise control falls off the end with no return value.
// `node` is unused.
int foo3(int *node) {
  int i = foo2();
  if (i)
    return foo2();
}