1*67e74705SXin Li// RUN: %clang_cc1 -triple i386-apple-darwin9 -analyze -analyzer-checker=core,alpha.core.CastToStruct,alpha.security.ReturnPtrRange,alpha.security.ArrayBound -analyzer-store=region -verify -fblocks -analyzer-opt-analyze-nested-blocks -Wno-objc-root-class %s 2*67e74705SXin Li// RUN: %clang_cc1 -triple x86_64-apple-darwin9 -DTEST_64 -analyze -analyzer-checker=core,alpha.core.CastToStruct,alpha.security.ReturnPtrRange,alpha.security.ArrayBound -analyzer-store=region -verify -fblocks -analyzer-opt-analyze-nested-blocks -Wno-objc-root-class %s 3*67e74705SXin Li 4*67e74705SXin Litypedef long unsigned int size_t; 5*67e74705SXin Livoid *memcpy(void *, const void *, size_t); 6*67e74705SXin Livoid *alloca(size_t); 7*67e74705SXin Li 8*67e74705SXin Litypedef struct objc_selector *SEL; 9*67e74705SXin Litypedef signed char BOOL; 10*67e74705SXin Litypedef int NSInteger; 11*67e74705SXin Litypedef unsigned int NSUInteger; 12*67e74705SXin Litypedef struct _NSZone NSZone; 13*67e74705SXin Li@class NSInvocation, NSMethodSignature, NSCoder, NSString, NSEnumerator; 14*67e74705SXin Li@protocol NSObject - (BOOL)isEqual:(id)object; @end 15*67e74705SXin Li@protocol NSCopying - (id)copyWithZone:(NSZone *)zone; @end 16*67e74705SXin Li@protocol NSMutableCopying - (id)mutableCopyWithZone:(NSZone *)zone; @end 17*67e74705SXin Li@protocol NSCoding - (void)encodeWithCoder:(NSCoder *)aCoder; @end 18*67e74705SXin Li@interface NSObject <NSObject> {} - (id)init; @end 19*67e74705SXin Liextern id NSAllocateObject(Class aClass, NSUInteger extraBytes, NSZone *zone); 20*67e74705SXin Li@interface NSString : NSObject <NSCopying, NSMutableCopying, NSCoding> 21*67e74705SXin Li- (NSUInteger)length; 22*67e74705SXin Li+ (id)stringWithUTF8String:(const char *)nullTerminatedCString; 23*67e74705SXin Li@end extern NSString * const NSBundleDidLoadNotification; 24*67e74705SXin Li@interface NSAssertionHandler : NSObject {} 25*67e74705SXin Li+ (NSAssertionHandler *)currentHandler; 26*67e74705SXin Li- (void)handleFailureInMethod:(SEL)selector object:(id)object file:(NSString *)fileName lineNumber:(NSInteger)line description:(NSString *)format,...; 27*67e74705SXin Li@end 28*67e74705SXin Liextern NSString * const NSConnectionReplyMode; 29*67e74705SXin Li 30*67e74705SXin Li#ifdef TEST_64 31*67e74705SXin Litypedef long long int64_t; 32*67e74705SXin Litypedef int64_t intptr_t; 33*67e74705SXin Li#else 34*67e74705SXin Litypedef int int32_t; 35*67e74705SXin Litypedef int32_t intptr_t; 36*67e74705SXin Li#endif 37*67e74705SXin Li 38*67e74705SXin Li//--------------------------------------------------------------------------- 39*67e74705SXin Li// Test case 'checkaccess_union' differs for region store and basic store. 40*67e74705SXin Li// The basic store doesn't reason about compound literals, so the code 41*67e74705SXin Li// below won't fire an "uninitialized value" warning. 42*67e74705SXin Li//--------------------------------------------------------------------------- 43*67e74705SXin Li 44*67e74705SXin Li// PR 2948 (testcase; crash on VisitLValue for union types) 45*67e74705SXin Li// http://llvm.org/bugs/show_bug.cgi?id=2948 46*67e74705SXin Livoid checkaccess_union() { 47*67e74705SXin Li int ret = 0, status; 48*67e74705SXin Li // Since RegionStore doesn't handle unions yet, 49*67e74705SXin Li // this branch condition won't be triggered 50*67e74705SXin Li // as involving an uninitialized value. 51*67e74705SXin Li if (((((__extension__ (((union { // no-warning 52*67e74705SXin Li __typeof (status) __in; int __i;} 53*67e74705SXin Li ) 54*67e74705SXin Li { 55*67e74705SXin Li .__in = (status)} 56*67e74705SXin Li ).__i))) & 0xff00) >> 8) == 1) 57*67e74705SXin Li ret = 1; 58*67e74705SXin Li} 59*67e74705SXin Li 60*67e74705SXin Li// Check our handling of fields being invalidated by function calls. 61*67e74705SXin Listruct test2_struct { int x; int y; char* s; }; 62*67e74705SXin Livoid test2_help(struct test2_struct* p); 63*67e74705SXin Li 64*67e74705SXin Lichar test2() { 65*67e74705SXin Li struct test2_struct s; 66*67e74705SXin Li test2_help(&s); 67*67e74705SXin Li char *p = 0; 68*67e74705SXin Li 69*67e74705SXin Li if (s.x > 1) { 70*67e74705SXin Li if (s.s != 0) { 71*67e74705SXin Li p = "hello"; 72*67e74705SXin Li } 73*67e74705SXin Li } 74*67e74705SXin Li 75*67e74705SXin Li if (s.x > 1) { 76*67e74705SXin Li if (s.s != 0) { 77*67e74705SXin Li return *p; 78*67e74705SXin Li } 79*67e74705SXin Li } 80*67e74705SXin Li 81*67e74705SXin Li return 'a'; 82*67e74705SXin Li} 83*67e74705SXin Li 84*67e74705SXin Li// BasicStore handles this case incorrectly because it doesn't reason about 85*67e74705SXin Li// the value pointed to by 'x' and thus creates different symbolic values 86*67e74705SXin Li// at the declarations of 'a' and 'b' respectively. RegionStore handles 87*67e74705SXin Li// it correctly. See the companion test in 'misc-ps-basic-store.m'. 88*67e74705SXin Livoid test_trivial_symbolic_comparison_pointer_parameter(int *x) { 89*67e74705SXin Li int a = *x; 90*67e74705SXin Li int b = *x; 91*67e74705SXin Li if (a != b) { 92*67e74705SXin Li int *p = 0; 93*67e74705SXin Li *p = 0xDEADBEEF; // no-warning 94*67e74705SXin Li } 95*67e74705SXin Li} 96*67e74705SXin Li 97*67e74705SXin Li// This is a modified test from 'misc-ps.m'. Here we have the extra 98*67e74705SXin Li// NULL dereferences which are pruned out by RegionStore's symbolic reasoning 99*67e74705SXin Li// of fields. 100*67e74705SXin Litypedef struct _BStruct { void *grue; } BStruct; 101*67e74705SXin Livoid testB_aux(void *ptr); 102*67e74705SXin Li 103*67e74705SXin Livoid testB(BStruct *b) { 104*67e74705SXin Li { 105*67e74705SXin Li int *__gruep__ = ((int *)&((b)->grue)); 106*67e74705SXin Li int __gruev__ = *__gruep__; 107*67e74705SXin Li int __gruev2__ = *__gruep__; 108*67e74705SXin Li if (__gruev__ != __gruev2__) { 109*67e74705SXin Li int *p = 0; 110*67e74705SXin Li *p = 0xDEADBEEF; // no-warning 111*67e74705SXin Li } 112*67e74705SXin Li 113*67e74705SXin Li testB_aux(__gruep__); 114*67e74705SXin Li } 115*67e74705SXin Li { 116*67e74705SXin Li int *__gruep__ = ((int *)&((b)->grue)); 117*67e74705SXin Li int __gruev__ = *__gruep__; 118*67e74705SXin Li int __gruev2__ = *__gruep__; 119*67e74705SXin Li if (__gruev__ != __gruev2__) { 120*67e74705SXin Li int *p = 0; 121*67e74705SXin Li *p = 0xDEADBEEF; // no-warning 122*67e74705SXin Li } 123*67e74705SXin Li 124*67e74705SXin Li if (~0 != __gruev__) {} 125*67e74705SXin Li } 126*67e74705SXin Li} 127*67e74705SXin Li 128*67e74705SXin Livoid testB_2(BStruct *b) { 129*67e74705SXin Li { 130*67e74705SXin Li int **__gruep__ = ((int **)&((b)->grue)); 131*67e74705SXin Li int *__gruev__ = *__gruep__; 132*67e74705SXin Li testB_aux(__gruep__); 133*67e74705SXin Li } 134*67e74705SXin Li { 135*67e74705SXin Li int **__gruep__ = ((int **)&((b)->grue)); 136*67e74705SXin Li int *__gruev__ = *__gruep__; 137*67e74705SXin Li if ((int*)~0 != __gruev__) {} 138*67e74705SXin Li } 139*67e74705SXin Li} 140*67e74705SXin Li 141*67e74705SXin Li// This test case is a reduced case of a caching bug discovered by an 142*67e74705SXin Li// assertion failure in RegionStoreManager::BindArray. Essentially the 143*67e74705SXin Li// DeclStmt is evaluated twice, but on the second loop iteration the 144*67e74705SXin Li// engine caches out. Previously a false transition would cause UnknownVal 145*67e74705SXin Li// to bind to the variable, firing an assertion failure. This bug was fixed 146*67e74705SXin Li// in r76262. 147*67e74705SXin Livoid test_declstmt_caching() { 148*67e74705SXin Liagain: 149*67e74705SXin Li { 150*67e74705SXin Li const char a[] = "I like to crash"; 151*67e74705SXin Li goto again; 152*67e74705SXin Li } 153*67e74705SXin Li} 154*67e74705SXin Li 155*67e74705SXin Li//===----------------------------------------------------------------------===// 156*67e74705SXin Li// Reduced test case from <rdar://problem/7114618>. 157*67e74705SXin Li// Basically a null check is performed on the field value, which is then 158*67e74705SXin Li// assigned to a variable and then checked again. 159*67e74705SXin Li//===----------------------------------------------------------------------===// 160*67e74705SXin Listruct s_7114618 { int *p; }; 161*67e74705SXin Livoid test_rdar_7114618(struct s_7114618 *s) { 162*67e74705SXin Li if (s->p) { 163*67e74705SXin Li int *p = s->p; 164*67e74705SXin Li if (!p) { 165*67e74705SXin Li // Infeasible 166*67e74705SXin Li int *dead = 0; 167*67e74705SXin Li *dead = 0xDEADBEEF; // no-warning 168*67e74705SXin Li } 169*67e74705SXin Li } 170*67e74705SXin Li} 171*67e74705SXin Li 172*67e74705SXin Li// Test pointers increment correctly. 173*67e74705SXin Livoid f() { 174*67e74705SXin Li int a[2]; 175*67e74705SXin Li a[1] = 3; 176*67e74705SXin Li int *p = a; 177*67e74705SXin Li p++; 178*67e74705SXin Li if (*p != 3) { 179*67e74705SXin Li int *q = 0; 180*67e74705SXin Li *q = 3; // no-warning 181*67e74705SXin Li } 182*67e74705SXin Li} 183*67e74705SXin Li 184*67e74705SXin Li//===----------------------------------------------------------------------===// 185*67e74705SXin Li// <rdar://problem/7185607> 186*67e74705SXin Li// Bit-fields of a struct should be invalidated when blasting the entire 187*67e74705SXin Li// struct with an integer constant. 188*67e74705SXin Li//===----------------------------------------------------------------------===// 189*67e74705SXin Listruct test_7185607 { 190*67e74705SXin Li int x : 10; 191*67e74705SXin Li int y : 22; 192*67e74705SXin Li}; 193*67e74705SXin Liint rdar_test_7185607() { 194*67e74705SXin Li struct test_7185607 s; // Uninitialized. 195*67e74705SXin Li *((unsigned *) &s) = 0U; 196*67e74705SXin Li return s.x; // no-warning 197*67e74705SXin Li} 198*67e74705SXin Li 199*67e74705SXin Li//===----------------------------------------------------------------------===// 200*67e74705SXin Li// <rdar://problem/7242006> [RegionStore] compound literal assignment with 201*67e74705SXin Li// floats not honored 202*67e74705SXin Li// This test case is mirrored in misc-ps.m, but this case is a negative. 203*67e74705SXin Li//===----------------------------------------------------------------------===// 204*67e74705SXin Litypedef float CGFloat; 205*67e74705SXin Litypedef struct _NSSize { 206*67e74705SXin Li CGFloat width; 207*67e74705SXin Li CGFloat height; 208*67e74705SXin Li} NSSize; 209*67e74705SXin Li 210*67e74705SXin LiCGFloat rdar7242006_negative(CGFloat x) { 211*67e74705SXin Li NSSize y; 212*67e74705SXin Li return y.width; // expected-warning{{garbage}} 213*67e74705SXin Li} 214*67e74705SXin Li 215*67e74705SXin Li//===----------------------------------------------------------------------===// 216*67e74705SXin Li// <rdar://problem/7249340> - Allow binding of values to symbolic regions. 217*67e74705SXin Li// This test case shows how RegionStore tracks the value bound to 'x' 218*67e74705SXin Li// after the assignment. 219*67e74705SXin Li//===----------------------------------------------------------------------===// 220*67e74705SXin Litypedef int* ptr_rdar_7249340; 221*67e74705SXin Livoid rdar_7249340(ptr_rdar_7249340 x) { 222*67e74705SXin Li *x = 1; 223*67e74705SXin Li if (*x) 224*67e74705SXin Li return; 225*67e74705SXin Li int *p = 0; // This is unreachable. 226*67e74705SXin Li *p = 0xDEADBEEF; // no-warning 227*67e74705SXin Li} 228*67e74705SXin Li 229*67e74705SXin Li//===----------------------------------------------------------------------===// 230*67e74705SXin Li// <rdar://problem/7249327> - This test case tests both value tracking of 231*67e74705SXin Li// array values and that we handle symbolic values that are casted 232*67e74705SXin Li// between different integer types. Note the assignment 'n = *a++'; here 233*67e74705SXin Li// 'n' is and 'int' and '*a' is 'unsigned'. Previously we got a false positive 234*67e74705SXin Li// at 'x += *b++' (undefined value) because we got a false path. 235*67e74705SXin Li//===----------------------------------------------------------------------===// 236*67e74705SXin Liint rdar_7249327_aux(void); 237*67e74705SXin Li 238*67e74705SXin Livoid rdar_7249327(unsigned int A[2*32]) { 239*67e74705SXin Li int B[2*32]; 240*67e74705SXin Li int *b; 241*67e74705SXin Li unsigned int *a; 242*67e74705SXin Li int x = 0; 243*67e74705SXin Li 244*67e74705SXin Li int n; 245*67e74705SXin Li 246*67e74705SXin Li a = A; 247*67e74705SXin Li b = B; 248*67e74705SXin Li 249*67e74705SXin Li n = *a++; 250*67e74705SXin Li if (n) 251*67e74705SXin Li *b++ = rdar_7249327_aux(); 252*67e74705SXin Li 253*67e74705SXin Li a = A; 254*67e74705SXin Li b = B; 255*67e74705SXin Li 256*67e74705SXin Li n = *a++; 257*67e74705SXin Li if (n) 258*67e74705SXin Li x += *b++; // no-warning 259*67e74705SXin Li} 260*67e74705SXin Li 261*67e74705SXin Li//===----------------------------------------------------------------------===// 262*67e74705SXin Li// <rdar://problem/6914474> - Check that 'x' is invalidated because its 263*67e74705SXin Li// address is passed in as a value to a struct. 264*67e74705SXin Li//===----------------------------------------------------------------------===// 265*67e74705SXin Listruct doodad_6914474 { int *v; }; 266*67e74705SXin Liextern void prod_6914474(struct doodad_6914474 *d); 267*67e74705SXin Liint rdar_6914474(void) { 268*67e74705SXin Li int x; 269*67e74705SXin Li struct doodad_6914474 d; 270*67e74705SXin Li d.v = &x; 271*67e74705SXin Li prod_6914474(&d); 272*67e74705SXin Li return x; // no-warning 273*67e74705SXin Li} 274*67e74705SXin Li 275*67e74705SXin Li// Test invalidation of a single field. 276*67e74705SXin Listruct s_test_field_invalidate { 277*67e74705SXin Li int x; 278*67e74705SXin Li}; 279*67e74705SXin Liextern void test_invalidate_field(int *x); 280*67e74705SXin Liint test_invalidate_field_test() { 281*67e74705SXin Li struct s_test_field_invalidate y; 282*67e74705SXin Li test_invalidate_field(&y.x); 283*67e74705SXin Li return y.x; // no-warning 284*67e74705SXin Li} 285*67e74705SXin Liint test_invalidate_field_test_positive() { 286*67e74705SXin Li struct s_test_field_invalidate y; 287*67e74705SXin Li return y.x; // expected-warning{{garbage}} 288*67e74705SXin Li} 289*67e74705SXin Li 290*67e74705SXin Li// This test case illustrates how a typeless array of bytes casted to a 291*67e74705SXin Li// struct should be treated as initialized. RemoveDeadBindings previously 292*67e74705SXin Li// had a bug that caused 'x' to lose its default symbolic value after the 293*67e74705SXin Li// assignment to 'p', thus causing 'p->z' to evaluate to "undefined". 294*67e74705SXin Listruct ArrayWrapper { unsigned char y[16]; }; 295*67e74705SXin Listruct WrappedStruct { unsigned z; }; 296*67e74705SXin Li 297*67e74705SXin Livoid test_handle_array_wrapper_helper(); 298*67e74705SXin Li 299*67e74705SXin Liint test_handle_array_wrapper() { 300*67e74705SXin Li struct ArrayWrapper x; 301*67e74705SXin Li test_handle_array_wrapper_helper(&x); 302*67e74705SXin Li struct WrappedStruct *p = (struct WrappedStruct*) x.y; // expected-warning{{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption}} 303*67e74705SXin Li return p->z; // no-warning 304*67e74705SXin Li} 305*67e74705SXin Li 306*67e74705SXin Li//===----------------------------------------------------------------------===// 307*67e74705SXin Li// <rdar://problem/7261075> [RegionStore] crash when 308*67e74705SXin Li// handling load: '*((unsigned int *)"????")' 309*67e74705SXin Li//===----------------------------------------------------------------------===// 310*67e74705SXin Li 311*67e74705SXin Liint rdar_7261075(void) { 312*67e74705SXin Li unsigned int var = 0; 313*67e74705SXin Li if (var == *((unsigned int *)"????")) 314*67e74705SXin Li return 1; 315*67e74705SXin Li return 0; 316*67e74705SXin Li} 317*67e74705SXin Li 318*67e74705SXin Li//===----------------------------------------------------------------------===// 319*67e74705SXin Li// <rdar://problem/7275774> false path due to limited pointer 320*67e74705SXin Li// arithmetic constraints 321*67e74705SXin Li//===----------------------------------------------------------------------===// 322*67e74705SXin Li 323*67e74705SXin Livoid rdar_7275774(void *data, unsigned n) { 324*67e74705SXin Li if (!(data || n == 0)) 325*67e74705SXin Li return; 326*67e74705SXin Li 327*67e74705SXin Li unsigned short *p = (unsigned short*) data; 328*67e74705SXin Li unsigned short *q = p + (n / 2); 329*67e74705SXin Li 330*67e74705SXin Li if (p < q) { 331*67e74705SXin Li // If we reach here, 'p' cannot be null. If 'p' is null, then 'n' must 332*67e74705SXin Li // be '0', meaning that this branch is not feasible. 333*67e74705SXin Li *p = *q; // no-warning 334*67e74705SXin Li } 335*67e74705SXin Li} 336*67e74705SXin Li 337*67e74705SXin Li//===----------------------------------------------------------------------===// 338*67e74705SXin Li// <rdar://problem/7312221> 339*67e74705SXin Li// 340*67e74705SXin Li// Test that Objective-C instance variables aren't prematurely pruned 341*67e74705SXin Li// from the analysis state. 342*67e74705SXin Li//===----------------------------------------------------------------------===// 343*67e74705SXin Li 344*67e74705SXin Listruct rdar_7312221_value { int x; }; 345*67e74705SXin Li 346*67e74705SXin Li@interface RDar7312221 347*67e74705SXin Li{ 348*67e74705SXin Li struct rdar_7312221_value *y; 349*67e74705SXin Li} 350*67e74705SXin Li- (void) doSomething_7312221; 351*67e74705SXin Li@end 352*67e74705SXin Li 353*67e74705SXin Liextern struct rdar_7312221_value *rdar_7312221_helper(); 354*67e74705SXin Liextern int rdar_7312221_helper_2(id o); 355*67e74705SXin Liextern void rdar_7312221_helper_3(int z); 356*67e74705SXin Li 357*67e74705SXin Li@implementation RDar7312221 358*67e74705SXin Li- (void) doSomething_7312221 { 359*67e74705SXin Li if (y == 0) { 360*67e74705SXin Li y = rdar_7312221_helper(); 361*67e74705SXin Li if (y != 0) { 362*67e74705SXin Li y->x = rdar_7312221_helper_2(self); 363*67e74705SXin Li // The following use of 'y->x' previously triggered a null dereference, as the value of 'y' 364*67e74705SXin Li // before 'y = rdar_7312221_helper()' would be used. 365*67e74705SXin Li rdar_7312221_helper_3(y->x); // no-warning 366*67e74705SXin Li } 367*67e74705SXin Li } 368*67e74705SXin Li} 369*67e74705SXin Li@end 370*67e74705SXin Li 371*67e74705SXin Listruct rdar_7312221_container { 372*67e74705SXin Li struct rdar_7312221_value *y; 373*67e74705SXin Li}; 374*67e74705SXin Li 375*67e74705SXin Liextern int rdar_7312221_helper_4(struct rdar_7312221_container *s); 376*67e74705SXin Li 377*67e74705SXin Li// This test case essentially matches the one in [RDar7312221 doSomething_7312221]. 378*67e74705SXin Livoid doSomething_7312221_with_struct(struct rdar_7312221_container *Self) { 379*67e74705SXin Li if (Self->y == 0) { 380*67e74705SXin Li Self->y = rdar_7312221_helper(); 381*67e74705SXin Li if (Self->y != 0) { 382*67e74705SXin Li Self->y->x = rdar_7312221_helper_4(Self); 383*67e74705SXin Li rdar_7312221_helper_3(Self->y->x); // no-warning 384*67e74705SXin Li } 385*67e74705SXin Li } 386*67e74705SXin Li} 387*67e74705SXin Li 388*67e74705SXin Li//===----------------------------------------------------------------------===// 389*67e74705SXin Li// <rdar://problem/7332673> - Just more tests cases for regions 390*67e74705SXin Li//===----------------------------------------------------------------------===// 391*67e74705SXin Li 392*67e74705SXin Livoid rdar_7332673_test1() { 393*67e74705SXin Li char value[1]; 394*67e74705SXin Li if ( *(value) != 1 ) {} // expected-warning{{The left operand of '!=' is a garbage value}} 395*67e74705SXin Li} 396*67e74705SXin Liint rdar_7332673_test2_aux(char *x); 397*67e74705SXin Livoid rdar_7332673_test2() { 398*67e74705SXin Li char *value; 399*67e74705SXin Li if ( rdar_7332673_test2_aux(value) != 1 ) {} // expected-warning{{Function call argument is an uninitialized value}} 400*67e74705SXin Li} 401*67e74705SXin Li 402*67e74705SXin Li//===----------------------------------------------------------------------===// 403*67e74705SXin Li// <rdar://problem/7347252>: Because of a bug in 404*67e74705SXin Li// RegionStoreManager::RemoveDeadBindings(), the symbol for s->session->p 405*67e74705SXin Li// would incorrectly be pruned from the state after the call to 406*67e74705SXin Li// rdar7347252_malloc1(), and would incorrectly result in a warning about 407*67e74705SXin Li// passing a null pointer to rdar7347252_memcpy(). 408*67e74705SXin Li//===----------------------------------------------------------------------===// 409*67e74705SXin Li 410*67e74705SXin Listruct rdar7347252_AA { char *p;}; 411*67e74705SXin Litypedef struct { 412*67e74705SXin Li struct rdar7347252_AA *session; 413*67e74705SXin Li int t; 414*67e74705SXin Li char *q; 415*67e74705SXin Li} rdar7347252_SSL1; 416*67e74705SXin Li 417*67e74705SXin Liint rdar7347252_f(rdar7347252_SSL1 *s); 418*67e74705SXin Lichar *rdar7347252_malloc1(int); 419*67e74705SXin Lichar *rdar7347252_memcpy1(char *d, char *s, int n) __attribute__((nonnull (1,2))); 420*67e74705SXin Li 421*67e74705SXin Liint rdar7347252(rdar7347252_SSL1 *s) { 422*67e74705SXin Li rdar7347252_f(s); // the SymbolicRegion of 's' is set a default binding of conjured symbol 423*67e74705SXin Li if (s->session->p == ((void*)0)) { 424*67e74705SXin Li if ((s->session->p = rdar7347252_malloc1(10)) == ((void*)0)) { 425*67e74705SXin Li return 0; 426*67e74705SXin Li } 427*67e74705SXin Li rdar7347252_memcpy1(s->session->p, "aa", 2); // no-warning 428*67e74705SXin Li } 429*67e74705SXin Li return 0; 430*67e74705SXin Li} 431*67e74705SXin Li 432*67e74705SXin Li//===----------------------------------------------------------------------===// 433*67e74705SXin Li// PR 5316 - "crash when accessing field of lazy compound value" 434*67e74705SXin Li// Previously this caused a crash at the MemberExpr '.chr' when loading 435*67e74705SXin Li// a field value from a LazyCompoundVal 436*67e74705SXin Li//===----------------------------------------------------------------------===// 437*67e74705SXin Li 438*67e74705SXin Litypedef unsigned int pr5316_wint_t; 439*67e74705SXin Litypedef pr5316_wint_t pr5316_REFRESH_CHAR; 440*67e74705SXin Litypedef struct { 441*67e74705SXin Li pr5316_REFRESH_CHAR chr; 442*67e74705SXin Li} 443*67e74705SXin Lipr5316_REFRESH_ELEMENT; 444*67e74705SXin Listatic void pr5316(pr5316_REFRESH_ELEMENT *dst, const pr5316_REFRESH_ELEMENT *src) { 445*67e74705SXin Li while ((*dst++ = *src++).chr != L'\0') ; 446*67e74705SXin Li} 447*67e74705SXin Li 448*67e74705SXin Li//===----------------------------------------------------------------------===// 449*67e74705SXin Li// Exercise creating ElementRegion with symbolic super region. 450*67e74705SXin Li//===----------------------------------------------------------------------===// 451*67e74705SXin Livoid element_region_with_symbolic_superregion(int* p) { 452*67e74705SXin Li int *x; 453*67e74705SXin Li int a; 454*67e74705SXin Li if (p[0] == 1) 455*67e74705SXin Li x = &a; 456*67e74705SXin Li if (p[0] == 1) 457*67e74705SXin Li (void)*x; // no-warning 458*67e74705SXin Li} 459*67e74705SXin Li 460*67e74705SXin Li//===----------------------------------------------------------------------===// 461*67e74705SXin Li// Test returning an out-of-bounds pointer (CWE-466) 462*67e74705SXin Li//===----------------------------------------------------------------------===// 463*67e74705SXin Li 464*67e74705SXin Listatic int test_cwe466_return_outofbounds_pointer_a[10]; 465*67e74705SXin Liint *test_cwe466_return_outofbounds_pointer() { 466*67e74705SXin Li int *p = test_cwe466_return_outofbounds_pointer_a+10; 467*67e74705SXin Li return p; // expected-warning{{Returned pointer value points outside the original object}} 468*67e74705SXin Li} 469*67e74705SXin Li 470*67e74705SXin Li//===----------------------------------------------------------------------===// 471*67e74705SXin Li// PR 3135 - Test case that shows that a variable may get invalidated when its 472*67e74705SXin Li// address is included in a structure that is passed-by-value to an unknown function. 473*67e74705SXin Li//===----------------------------------------------------------------------===// 474*67e74705SXin Li 475*67e74705SXin Litypedef struct { int *a; } pr3135_structure; 476*67e74705SXin Liint pr3135_bar(pr3135_structure *x); 477*67e74705SXin Liint pr3135() { 478*67e74705SXin Li int x; 479*67e74705SXin Li pr3135_structure y = { &x }; 480*67e74705SXin Li // the call to pr3135_bar may initialize x 481*67e74705SXin Li if (pr3135_bar(&y) && x) // no-warning 482*67e74705SXin Li return 1; 483*67e74705SXin Li return 0; 484*67e74705SXin Li} 485*67e74705SXin Li 486*67e74705SXin Li//===----------------------------------------------------------------------===// 487*67e74705SXin Li// <rdar://problem/7403269> - Test that we handle compound initializers with 488*67e74705SXin Li// partially unspecified array values. Previously this caused a crash. 489*67e74705SXin Li//===----------------------------------------------------------------------===// 490*67e74705SXin Li 491*67e74705SXin Litypedef struct RDar7403269 { 492*67e74705SXin Li unsigned x[10]; 493*67e74705SXin Li unsigned y; 494*67e74705SXin Li} RDar7403269; 495*67e74705SXin Li 496*67e74705SXin Livoid rdar7403269() { 497*67e74705SXin Li RDar7403269 z = { .y = 0 }; 498*67e74705SXin Li if (z.x[4] == 0) 499*67e74705SXin Li return; 500*67e74705SXin Li int *p = 0; 501*67e74705SXin Li *p = 0xDEADBEEF; // no-warning 502*67e74705SXin Li} 503*67e74705SXin Li 504*67e74705SXin Litypedef struct RDar7403269_b { 505*67e74705SXin Li struct zorg { int w; int k; } x[10]; 506*67e74705SXin Li unsigned y; 507*67e74705SXin Li} RDar7403269_b; 508*67e74705SXin Li 509*67e74705SXin Livoid rdar7403269_b() { 510*67e74705SXin Li RDar7403269_b z = { .y = 0 }; 511*67e74705SXin Li if (z.x[5].w == 0) 512*67e74705SXin Li return; 513*67e74705SXin Li int *p = 0; 514*67e74705SXin Li *p = 0xDEADBEEF; // no-warning 515*67e74705SXin Li} 516*67e74705SXin Li 517*67e74705SXin Livoid rdar7403269_b_pos() { 518*67e74705SXin Li RDar7403269_b z = { .y = 0 }; 519*67e74705SXin Li if (z.x[5].w == 1) 520*67e74705SXin Li return; 521*67e74705SXin Li int *p = 0; 522*67e74705SXin Li *p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}} 523*67e74705SXin Li} 524*67e74705SXin Li 525*67e74705SXin Li 526*67e74705SXin Li//===----------------------------------------------------------------------===// 527*67e74705SXin Li// Test that incrementing a non-null pointer results in a non-null pointer. 528*67e74705SXin Li// (<rdar://problem/7191542>) 529*67e74705SXin Li//===----------------------------------------------------------------------===// 530*67e74705SXin Li 531*67e74705SXin Livoid test_increment_nonnull_rdar_7191542(const char *path) { 532*67e74705SXin Li const char *alf = 0; 533*67e74705SXin Li 534*67e74705SXin Li for (;;) { 535*67e74705SXin Li // When using basic-store, we get a null dereference here because we lose information 536*67e74705SXin Li // about path after the pointer increment. 537*67e74705SXin Li char c = *path++; // no-warning 538*67e74705SXin Li if (c == 'a') { 539*67e74705SXin Li alf = path; 540*67e74705SXin Li } 541*67e74705SXin Li 542*67e74705SXin Li if (alf) 543*67e74705SXin Li return; 544*67e74705SXin Li } 545*67e74705SXin Li} 546*67e74705SXin Li 547*67e74705SXin Li//===----------------------------------------------------------------------===// 548*67e74705SXin Li// Test that the store (implicitly) tracks values for doubles/floats that are 549*67e74705SXin Li// uninitialized (<rdar://problem/6811085>) 550*67e74705SXin Li//===----------------------------------------------------------------------===// 551*67e74705SXin Li 552*67e74705SXin Lidouble rdar_6811085(void) { 553*67e74705SXin Li double u; 554*67e74705SXin Li return u + 10; // expected-warning{{The left operand of '+' is a garbage value}} 555*67e74705SXin Li} 556*67e74705SXin Li 557*67e74705SXin Li//===----------------------------------------------------------------------===// 558*67e74705SXin Li// Path-sensitive tests for blocks. 559*67e74705SXin Li//===----------------------------------------------------------------------===// 560*67e74705SXin Li 561*67e74705SXin Livoid indirect_block_call(void (^f)()); 562*67e74705SXin Li 563*67e74705SXin Liint blocks_1(int *p, int z) { 564*67e74705SXin Li __block int *q = 0; 565*67e74705SXin Li void (^bar)() = ^{ q = p; }; 566*67e74705SXin Li 567*67e74705SXin Li if (z == 1) { 568*67e74705SXin Li // The call to 'bar' might cause 'q' to be invalidated. 569*67e74705SXin Li bar(); 570*67e74705SXin Li *q = 0x1; // no-warning 571*67e74705SXin Li } 572*67e74705SXin Li else if (z == 2) { 573*67e74705SXin Li // The function 'indirect_block_call' might invoke bar, thus causing 574*67e74705SXin Li // 'q' to possibly be invalidated. 575*67e74705SXin Li indirect_block_call(bar); 576*67e74705SXin Li *q = 0x1; // no-warning 577*67e74705SXin Li } 578*67e74705SXin Li else { 579*67e74705SXin Li *q = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}} 580*67e74705SXin Li } 581*67e74705SXin Li return z; 582*67e74705SXin Li} 583*67e74705SXin Li 584*67e74705SXin Liint blocks_2(int *p, int z) { 585*67e74705SXin Li int *q = 0; 586*67e74705SXin Li void (^bar)(int **) = ^(int **r){ *r = p; }; 587*67e74705SXin Li 588*67e74705SXin Li if (z) { 589*67e74705SXin Li // The call to 'bar' might cause 'q' to be invalidated. 590*67e74705SXin Li bar(&q); 591*67e74705SXin Li *q = 0x1; // no-warning 592*67e74705SXin Li } 593*67e74705SXin Li else { 594*67e74705SXin Li *q = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}} 595*67e74705SXin Li } 596*67e74705SXin Li return z; 597*67e74705SXin Li} 598*67e74705SXin Li 599*67e74705SXin Li// Test that the value of 'x' is considered invalidated after the block 600*67e74705SXin Li// is passed as an argument to the message expression. 601*67e74705SXin Litypedef void (^RDar7582031CB)(void); 602*67e74705SXin Li@interface RDar7582031 603*67e74705SXin Li- rdar7582031:RDar7582031CB; 604*67e74705SXin Li- rdar7582031_b:RDar7582031CB; 605*67e74705SXin Li@end 606*67e74705SXin Li 607*67e74705SXin Li// Test with one block. 608*67e74705SXin Liunsigned rdar7582031(RDar7582031 *o) { 609*67e74705SXin Li __block unsigned x; 610*67e74705SXin Li [o rdar7582031:^{ x = 1; }]; 611*67e74705SXin Li return x; // no-warning 612*67e74705SXin Li} 613*67e74705SXin Li 614*67e74705SXin Li// Test with two blocks. 615*67e74705SXin Liunsigned long rdar7582031_b(RDar7582031 *o) { 616*67e74705SXin Li __block unsigned y; 617*67e74705SXin Li __block unsigned long x; 618*67e74705SXin Li [o rdar7582031:^{ y = 1; }]; 619*67e74705SXin Li [o rdar7582031_b:^{ x = 1LL; }]; 620*67e74705SXin Li return x + (unsigned long) y; // no-warning 621*67e74705SXin Li} 622*67e74705SXin Li 623*67e74705SXin Li// Show we get an error when 'o' is null because the message 624*67e74705SXin Li// expression has no effect. 625*67e74705SXin Liunsigned long rdar7582031_b2(RDar7582031 *o) { 626*67e74705SXin Li __block unsigned y; 627*67e74705SXin Li __block unsigned long x; 628*67e74705SXin Li if (o) 629*67e74705SXin Li return 1; 630*67e74705SXin Li [o rdar7582031:^{ y = 1; }]; 631*67e74705SXin Li [o rdar7582031_b:^{ x = 1LL; }]; 632*67e74705SXin Li return x + (unsigned long) y; // expected-warning{{The left operand of '+' is a garbage value}} 633*67e74705SXin Li} 634*67e74705SXin Li 635*67e74705SXin Li// Show that we handle static variables also getting invalidated. 636*67e74705SXin Livoid rdar7582031_aux(void (^)(void)); 637*67e74705SXin LiRDar7582031 *rdar7582031_aux_2(); 638*67e74705SXin Li 639*67e74705SXin Liunsigned rdar7582031_static() { 640*67e74705SXin Li static RDar7582031 *o = 0; 641*67e74705SXin Li rdar7582031_aux(^{ o = rdar7582031_aux_2(); }); 642*67e74705SXin Li 643*67e74705SXin Li __block unsigned x; 644*67e74705SXin Li [o rdar7582031:^{ x = 1; }]; 645*67e74705SXin Li return x; // no-warning 646*67e74705SXin Li} 647*67e74705SXin Li 648*67e74705SXin Li//===----------------------------------------------------------------------===// 649*67e74705SXin Li// <rdar://problem/7462324> - Test that variables passed using __blocks 650*67e74705SXin Li// are not treated as being uninitialized. 651*67e74705SXin Li//===----------------------------------------------------------------------===// 652*67e74705SXin Li 653*67e74705SXin Litypedef void (^RDar_7462324_Callback)(id obj); 654*67e74705SXin Li 655*67e74705SXin Li@interface RDar7462324 656*67e74705SXin Li- (void) foo:(id)target; 657*67e74705SXin Li- (void) foo_positive:(id)target; 658*67e74705SXin Li 659*67e74705SXin Li@end 660*67e74705SXin Li 661*67e74705SXin Li@implementation RDar7462324 662*67e74705SXin Li- (void) foo:(id)target { 663*67e74705SXin Li __block RDar_7462324_Callback builder = ((void*) 0); 664*67e74705SXin Li builder = ^(id object) { 665*67e74705SXin Li if (object) { 666*67e74705SXin Li builder(self); // no-warning 667*67e74705SXin Li } 668*67e74705SXin Li }; 669*67e74705SXin Li builder(target); 670*67e74705SXin Li} 671*67e74705SXin Li- (void) foo_positive:(id)target { 672*67e74705SXin Li __block RDar_7462324_Callback builder = ((void*) 0); 673*67e74705SXin Li builder = ^(id object) { 674*67e74705SXin Li id x; 675*67e74705SXin Li if (object) { 676*67e74705SXin Li builder(x); // expected-warning{{Block call argument is an uninitialized value}} 677*67e74705SXin Li } 678*67e74705SXin Li }; 679*67e74705SXin Li builder(target); 680*67e74705SXin Li} 681*67e74705SXin Li@end 682*67e74705SXin Li 683*67e74705SXin Li//===----------------------------------------------------------------------===// 684*67e74705SXin Li// <rdar://problem/7468209> - Scanning for live variables within a block should 685*67e74705SXin Li// not crash on variables passed by reference via __block. 686*67e74705SXin Li//===----------------------------------------------------------------------===// 687*67e74705SXin Li 688*67e74705SXin Liint rdar7468209_aux(); 689*67e74705SXin Livoid rdar7468209_aux_2(); 690*67e74705SXin Li 691*67e74705SXin Livoid rdar7468209() { 692*67e74705SXin Li __block int x = 0; 693*67e74705SXin Li ^{ 694*67e74705SXin Li x = rdar7468209_aux(); 695*67e74705SXin Li // We need a second statement so that 'x' would be removed from the store if it wasn't 696*67e74705SXin Li // passed by reference. 697*67e74705SXin Li rdar7468209_aux_2(); 698*67e74705SXin Li }(); 699*67e74705SXin Li} 700*67e74705SXin Li 701*67e74705SXin Li//===----------------------------------------------------------------------===// 702*67e74705SXin Li// PR 5857 - Test loading an integer from a byte array that has also been 703*67e74705SXin Li// reinterpreted to be loaded as a field. 704*67e74705SXin Li//===----------------------------------------------------------------------===// 705*67e74705SXin Li 706*67e74705SXin Litypedef struct { int x; } TestFieldLoad; 707*67e74705SXin Liint pr5857(char *src) { 708*67e74705SXin Li TestFieldLoad *tfl = (TestFieldLoad *) (intptr_t) src; 709*67e74705SXin Li int y = tfl->x; 710*67e74705SXin Li long long *z = (long long *) (intptr_t) src; 711*67e74705SXin Li long long w = 0; 712*67e74705SXin Li int n = 0; 713*67e74705SXin Li for (n = 0; n < y; ++n) { 714*67e74705SXin Li // Previously we crashed analyzing this statement. 715*67e74705SXin Li w = *z++; 716*67e74705SXin Li } 717*67e74705SXin Li return 1; 718*67e74705SXin Li} 719*67e74705SXin Li 720*67e74705SXin Li//===----------------------------------------------------------------------===// 721*67e74705SXin Li// PR 4358 - Without field-sensitivity, this code previously triggered 722*67e74705SXin Li// a false positive that 'uninit' could be uninitialized at the call 723*67e74705SXin Li// to pr4358_aux(). 724*67e74705SXin Li//===----------------------------------------------------------------------===// 725*67e74705SXin Li 726*67e74705SXin Listruct pr4358 { 727*67e74705SXin Li int bar; 728*67e74705SXin Li int baz; 729*67e74705SXin Li}; 730*67e74705SXin Livoid pr4358_aux(int x); 731*67e74705SXin Livoid pr4358(struct pr4358 *pnt) { 732*67e74705SXin Li int uninit; 733*67e74705SXin Li if (pnt->bar < 3) { 734*67e74705SXin Li uninit = 1; 735*67e74705SXin Li } else if (pnt->baz > 2) { 736*67e74705SXin Li uninit = 3; 737*67e74705SXin Li } else if (pnt->baz <= 2) { 738*67e74705SXin Li uninit = 2; 739*67e74705SXin Li } 740*67e74705SXin Li pr4358_aux(uninit); // no-warning 741*67e74705SXin Li} 742*67e74705SXin Li 743*67e74705SXin Li//===----------------------------------------------------------------------===// 744*67e74705SXin Li// <rdar://problem/7526777> 745*67e74705SXin Li// Test handling fields of values returned from function calls or 746*67e74705SXin Li// message expressions. 747*67e74705SXin Li//===----------------------------------------------------------------------===// 748*67e74705SXin Li 749*67e74705SXin Litypedef struct testReturn_rdar_7526777 { 750*67e74705SXin Li int x; 751*67e74705SXin Li int y; 752*67e74705SXin Li} testReturn_rdar_7526777; 753*67e74705SXin Li 754*67e74705SXin Li@interface TestReturnStruct_rdar_7526777 755*67e74705SXin Li- (testReturn_rdar_7526777) foo; 756*67e74705SXin Li@end 757*67e74705SXin Li 758*67e74705SXin Liint test_return_struct(TestReturnStruct_rdar_7526777 *x) { 759*67e74705SXin Li return [x foo].x; 760*67e74705SXin Li} 761*67e74705SXin Li 762*67e74705SXin LitestReturn_rdar_7526777 test_return_struct_2_aux_rdar_7526777(); 763*67e74705SXin Li 764*67e74705SXin Liint test_return_struct_2_rdar_7526777() { 765*67e74705SXin Li return test_return_struct_2_aux_rdar_7526777().x; 766*67e74705SXin Li} 767*67e74705SXin Li 768*67e74705SXin Li//===----------------------------------------------------------------------===// 769*67e74705SXin Li// <rdar://problem/7527292> Assertion failed: (Op == BinaryOperator::Add || 770*67e74705SXin Li// Op == BinaryOperator::Sub) 771*67e74705SXin Li// This test case previously triggered an assertion failure due to a discrepancy 772*67e74705SXin Li// been the loaded/stored value in the array 773*67e74705SXin Li//===----------------------------------------------------------------------===// 774*67e74705SXin Li 775*67e74705SXin Li_Bool OSAtomicCompareAndSwapPtrBarrier( void *__oldValue, void *__newValue, void * volatile *__theValue ); 776*67e74705SXin Li 777*67e74705SXin Livoid rdar_7527292() { 778*67e74705SXin Li static id Cache7527292[32]; 779*67e74705SXin Li for (signed long idx = 0; 780*67e74705SXin Li idx < 32; 781*67e74705SXin Li idx++) { 782*67e74705SXin Li id v = Cache7527292[idx]; 783*67e74705SXin Li if (v && OSAtomicCompareAndSwapPtrBarrier(v, ((void*)0), (void * volatile *)(Cache7527292 + idx))) { 784*67e74705SXin Li } 785*67e74705SXin Li } 786*67e74705SXin Li} 787*67e74705SXin Li 788*67e74705SXin Li//===----------------------------------------------------------------------===// 789*67e74705SXin Li// <rdar://problem/7515938> - Handle initialization of incomplete arrays 790*67e74705SXin Li// in structures using a compound value. Previously this crashed. 791*67e74705SXin Li//===----------------------------------------------------------------------===// 792*67e74705SXin Li 793*67e74705SXin Listruct rdar_7515938 { 794*67e74705SXin Li int x; 795*67e74705SXin Li int y[]; 796*67e74705SXin Li}; 797*67e74705SXin Li 798*67e74705SXin Liconst struct rdar_7515938 *rdar_7515938() { 799*67e74705SXin Li static const struct rdar_7515938 z = { 0, { 1, 2 } }; 800*67e74705SXin Li if (z.y[0] != 1) { 801*67e74705SXin Li int *p = 0; 802*67e74705SXin Li *p = 0xDEADBEEF; // no-warning 803*67e74705SXin Li } 804*67e74705SXin Li return &z; 805*67e74705SXin Li} 806*67e74705SXin Li 807*67e74705SXin Listruct rdar_7515938_str { 808*67e74705SXin Li int x; 809*67e74705SXin Li char y[]; 810*67e74705SXin Li}; 811*67e74705SXin Li 812*67e74705SXin Liconst struct rdar_7515938_str *rdar_7515938_str() { 813*67e74705SXin Li static const struct rdar_7515938_str z = { 0, "hello" }; 814*67e74705SXin Li return &z; 815*67e74705SXin Li} 816*67e74705SXin Li 817*67e74705SXin Li//===----------------------------------------------------------------------===// 818*67e74705SXin Li// Assorted test cases from PR 4172. 819*67e74705SXin Li//===----------------------------------------------------------------------===// 820*67e74705SXin Li 821*67e74705SXin Listruct PR4172A_s { int *a; }; 822*67e74705SXin Li 823*67e74705SXin Livoid PR4172A_f2(struct PR4172A_s *p); 824*67e74705SXin Li 825*67e74705SXin Liint PR4172A_f1(void) { 826*67e74705SXin Li struct PR4172A_s m; 827*67e74705SXin Li int b[4]; 828*67e74705SXin Li m.a = b; 829*67e74705SXin Li PR4172A_f2(&m); 830*67e74705SXin Li return b[3]; // no-warning 831*67e74705SXin Li} 832*67e74705SXin Li 833*67e74705SXin Listruct PR4172B_s { int *a; }; 834*67e74705SXin Li 835*67e74705SXin Livoid PR4172B_f2(struct PR4172B_s *p); 836*67e74705SXin Li 837*67e74705SXin Liint PR4172B_f1(void) { 838*67e74705SXin Li struct PR4172B_s m; 839*67e74705SXin Li int x; 840*67e74705SXin Li m.a = &x; 841*67e74705SXin Li PR4172B_f2(&m); 842*67e74705SXin Li return x; // no-warning 843*67e74705SXin Li} 844*67e74705SXin Li 845*67e74705SXin Li//===----------------------------------------------------------------------===// 846*67e74705SXin Li// Test invalidation of values in struct literals. 847*67e74705SXin Li//===----------------------------------------------------------------------===// 848*67e74705SXin Li 849*67e74705SXin Listruct s_rev96062 { int *x; int *y; }; 850*67e74705SXin Listruct s_rev96062_nested { struct s_rev96062 z; }; 851*67e74705SXin Li 852*67e74705SXin Livoid test_a_rev96062_aux(struct s_rev96062 *s); 853*67e74705SXin Livoid test_a_rev96062_aux2(struct s_rev96062_nested *s); 854*67e74705SXin Li 855*67e74705SXin Liint test_a_rev96062() { 856*67e74705SXin Li int a, b; 857*67e74705SXin Li struct s_rev96062 x = { &a, &b }; 858*67e74705SXin Li test_a_rev96062_aux(&x); 859*67e74705SXin Li return a + b; // no-warning 860*67e74705SXin Li} 861*67e74705SXin Liint test_b_rev96062() { 862*67e74705SXin Li int a, b; 863*67e74705SXin Li struct s_rev96062 x = { &a, &b }; 864*67e74705SXin Li struct s_rev96062 z = x; 865*67e74705SXin Li test_a_rev96062_aux(&z); 866*67e74705SXin Li return a + b; // no-warning 867*67e74705SXin Li} 868*67e74705SXin Liint test_c_rev96062() { 869*67e74705SXin Li int a, b; 870*67e74705SXin Li struct s_rev96062 x = { &a, &b }; 871*67e74705SXin Li struct s_rev96062_nested w = { x }; 872*67e74705SXin Li struct s_rev96062_nested z = w; 873*67e74705SXin Li test_a_rev96062_aux2(&z); 874*67e74705SXin Li return a + b; // no-warning 875*67e74705SXin Li} 876*67e74705SXin Li 877*67e74705SXin Li//===----------------------------------------------------------------------===// 878*67e74705SXin Li// <rdar://problem/7242010> - The access to y[0] at the bottom previously 879*67e74705SXin Li// was reported as an uninitialized value. 880*67e74705SXin Li//===----------------------------------------------------------------------===// 881*67e74705SXin Li 882*67e74705SXin Lichar *rdar_7242010(int count, char **y) { 883*67e74705SXin Li char **x = alloca((count + 4) * sizeof(*x)); 884*67e74705SXin Li x[0] = "hi"; 885*67e74705SXin Li x[1] = "there"; 886*67e74705SXin Li x[2] = "every"; 887*67e74705SXin Li x[3] = "body"; 888*67e74705SXin Li memcpy(x + 4, y, count * sizeof(*x)); 889*67e74705SXin Li y = x; 890*67e74705SXin Li return y[0]; // no-warning 891*67e74705SXin Li} 892*67e74705SXin Li 893*67e74705SXin Li//===----------------------------------------------------------------------===// 894*67e74705SXin Li// <rdar://problem/7770737> 895*67e74705SXin Li//===----------------------------------------------------------------------===// 896*67e74705SXin Li 897*67e74705SXin Listruct rdar_7770737_s { intptr_t p; }; 898*67e74705SXin Livoid rdar_7770737_aux(struct rdar_7770737_s *p); 899*67e74705SXin Liint rdar_7770737(void) 900*67e74705SXin Li{ 901*67e74705SXin Li int x; 902*67e74705SXin Li 903*67e74705SXin Li // Previously 'f' was not properly invalidated, causing the use of 904*67e74705SXin Li // an uninitailized value below. 905*67e74705SXin Li struct rdar_7770737_s f = { .p = (intptr_t)&x }; 906*67e74705SXin Li rdar_7770737_aux(&f); 907*67e74705SXin Li return x; // no-warning 908*67e74705SXin Li} 909*67e74705SXin Liint rdar_7770737_pos(void) 910*67e74705SXin Li{ 911*67e74705SXin Li int x; 912*67e74705SXin Li struct rdar_7770737_s f = { .p = (intptr_t)&x }; 913*67e74705SXin Li return x; // expected-warning{{Undefined or garbage value returned to caller}} 914*67e74705SXin Li} 915*67e74705SXin Li 916*67e74705SXin Li//===----------------------------------------------------------------------===// 917*67e74705SXin Li// Test handling of the implicit 'isa' field. For now we don't do anything 918*67e74705SXin Li// interesting. 919*67e74705SXin Li//===----------------------------------------------------------------------===// 920*67e74705SXin Li 921*67e74705SXin Livoid pr6302(id x, Class y) { 922*67e74705SXin Li // This previously crashed the analyzer (reported in PR 6302) 923*67e74705SXin Li x->isa = y; // expected-warning {{assignment to Objective-C's isa is deprecated in favor of object_setClass()}} 924*67e74705SXin Li} 925*67e74705SXin Li 926*67e74705SXin Li//===----------------------------------------------------------------------===// 927*67e74705SXin Li// Specially handle global variables that are declared constant. In the 928*67e74705SXin Li// example below, this forces the loop to take exactly 2 iterations. 929*67e74705SXin Li//===----------------------------------------------------------------------===// 930*67e74705SXin Li 931*67e74705SXin Liconst int pr6288_L_N = 2; 932*67e74705SXin Livoid pr6288_(void) { 933*67e74705SXin Li int x[2]; 934*67e74705SXin Li int *px[2]; 935*67e74705SXin Li int i; 936*67e74705SXin Li for (i = 0; i < pr6288_L_N; i++) 937*67e74705SXin Li px[i] = &x[i]; 938*67e74705SXin Li *(px[0]) = 0; // no-warning 939*67e74705SXin Li} 940*67e74705SXin Li 941*67e74705SXin Livoid pr6288_pos(int z) { 942*67e74705SXin Li int x[2]; 943*67e74705SXin Li int *px[2]; 944*67e74705SXin Li int i; 945*67e74705SXin Li for (i = 0; i < z; i++) 946*67e74705SXin Li px[i] = &x[i]; // expected-warning{{Access out-of-bound array element (buffer overflow)}} 947*67e74705SXin Li *(px[0]) = 0; // expected-warning{{Dereference of undefined pointer value}} 948*67e74705SXin Li} 949*67e74705SXin Li 950*67e74705SXin Livoid pr6288_b(void) { 951*67e74705SXin Li const int L_N = 2; 952*67e74705SXin Li int x[2]; 953*67e74705SXin Li int *px[2]; 954*67e74705SXin Li int i; 955*67e74705SXin Li for (i = 0; i < L_N; i++) 956*67e74705SXin Li px[i] = &x[i]; 957*67e74705SXin Li *(px[0]) = 0; // no-warning 958*67e74705SXin Li} 959*67e74705SXin Li 960*67e74705SXin Li// <rdar://problem/7817800> - A bug in RemoveDeadBindings was causing instance variable bindings 961*67e74705SXin Li// to get prematurely pruned from the state. 962*67e74705SXin Li@interface Rdar7817800 { 963*67e74705SXin Li char *x; 964*67e74705SXin Li} 965*67e74705SXin Li- (void) rdar7817800_baz; 966*67e74705SXin Li@end 967*67e74705SXin Li 968*67e74705SXin Lichar *rdar7817800_foobar(); 969*67e74705SXin Livoid rdar7817800_qux(void*); 970*67e74705SXin Li 971*67e74705SXin Li@implementation Rdar7817800 972*67e74705SXin Li- (void) rdar7817800_baz { 973*67e74705SXin Li if (x) 974*67e74705SXin Li rdar7817800_qux(x); 975*67e74705SXin Li x = rdar7817800_foobar(); 976*67e74705SXin Li // Previously this triggered a bogus null dereference warning. 977*67e74705SXin Li x[1] = 'a'; // no-warning 978*67e74705SXin Li} 979*67e74705SXin Li@end 980*67e74705SXin Li 981*67e74705SXin Li// PR 6036 - This test case triggered a crash inside StoreManager::CastRegion because the size 982*67e74705SXin Li// of 'unsigned long (*)[0]' is 0. 983*67e74705SXin Listruct pr6036_a { int pr6036_b; }; 984*67e74705SXin Listruct pr6036_c; 985*67e74705SXin Livoid u132monitk (struct pr6036_c *pr6036_d) { 986*67e74705SXin Li (void) ((struct pr6036_a *) (unsigned long (*)[0]) ((char *) pr6036_d - 1))->pr6036_b; // expected-warning{{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption}} 987*67e74705SXin Li} 988*67e74705SXin Li 989*67e74705SXin Li// <rdar://problem/7813989> - ?-expressions used as a base of a member expression should be treated as an lvalue 990*67e74705SXin Litypedef struct rdar7813989_NestedVal { int w; } rdar7813989_NestedVal; 991*67e74705SXin Litypedef struct rdar7813989_Val { rdar7813989_NestedVal nv; } rdar7813989_Val; 992*67e74705SXin Li 993*67e74705SXin Liint rdar7813989(int x, rdar7813989_Val *a, rdar7813989_Val *b) { 994*67e74705SXin Li // This previously crashed with an assertion failure. 995*67e74705SXin Li int z = (x ? a->nv : b->nv).w; 996*67e74705SXin Li return z + 1; 997*67e74705SXin Li} 998*67e74705SXin Li 999*67e74705SXin Li// PR 6844 - Don't crash on vaarg expression. 1000*67e74705SXin Litypedef __builtin_va_list va_list; 1001*67e74705SXin Livoid map(int srcID, ...) { 1002*67e74705SXin Li va_list ap; 1003*67e74705SXin Li int i; 1004*67e74705SXin Li for (i = 0; i < srcID; i++) { 1005*67e74705SXin Li int v = __builtin_va_arg(ap, int); 1006*67e74705SXin Li } 1007*67e74705SXin Li} 1008*67e74705SXin Li 1009*67e74705SXin Li// PR 6854 - crash when casting symbolic memory address to a float 1010*67e74705SXin Li// Handle casting from a symbolic region to a 'float'. This isn't 1011*67e74705SXin Li// really all that intelligent, but previously this caused a crash 1012*67e74705SXin Li// in SimpleSValuator. 1013*67e74705SXin Livoid pr6854(void * arg) { 1014*67e74705SXin Li void * a = arg; 1015*67e74705SXin Li *(void**)a = arg; 1016*67e74705SXin Li float f = *(float*) a; 1017*67e74705SXin Li} 1018*67e74705SXin Li 1019*67e74705SXin Li// <rdar://problem/8032791> False positive due to symbolic store not find 1020*67e74705SXin Li// value because of 'const' qualifier 1021*67e74705SXin Lidouble rdar_8032791_2(); 1022*67e74705SXin Lidouble rdar_8032791_1() { 1023*67e74705SXin Li struct R8032791 { double x[2]; double y; } 1024*67e74705SXin Li data[3] = { 1025*67e74705SXin Li {{1.0, 3.0}, 3.0}, // 1 2 3 1026*67e74705SXin Li {{1.0, 1.0}, 0.0}, // 1 1 2 2 3 3 1027*67e74705SXin Li {{1.0, 3.0}, 1.0} // 1 2 3 1028*67e74705SXin Li }; 1029*67e74705SXin Li 1030*67e74705SXin Li double x = 0.0; 1031*67e74705SXin Li for (unsigned i = 0 ; i < 3; i++) { 1032*67e74705SXin Li const struct R8032791 *p = &data[i]; 1033*67e74705SXin Li x += p->y + rdar_8032791_2(); // no-warning 1034*67e74705SXin Li } 1035*67e74705SXin Li return x; 1036*67e74705SXin Li} 1037*67e74705SXin Li 1038*67e74705SXin Li// PR 7450 - Handle pointer arithmetic with __builtin_alloca 1039*67e74705SXin Livoid pr_7450_aux(void *x); 1040*67e74705SXin Livoid pr_7450() { 1041*67e74705SXin Li void *p = __builtin_alloca(10); 1042*67e74705SXin Li // Don't crash when analyzing the following statement. 1043*67e74705SXin Li pr_7450_aux(p + 8); 1044*67e74705SXin Li} 1045*67e74705SXin Li 1046*67e74705SXin Li// <rdar://problem/8243408> - Symbolicate struct values returned by value. 1047*67e74705SXin Listruct s_rdar_8243408 { int x; }; 1048*67e74705SXin Liextern struct s_rdar_8243408 rdar_8243408_aux(void); 1049*67e74705SXin Livoid rdar_8243408(void) { 1050*67e74705SXin Li struct s_rdar_8243408 a = { 1 }, *b = 0; 1051*67e74705SXin Li while (a.x && !b) 1052*67e74705SXin Li a = rdar_8243408_aux(); 1053*67e74705SXin Li 1054*67e74705SXin Li // Previously there was a false error here with 'b' being null. 1055*67e74705SXin Li (void) (a.x && b->x); // no-warning 1056*67e74705SXin Li 1057*67e74705SXin Li // Introduce a null deref to ensure we are checking this path. 1058*67e74705SXin Li int *p = 0; 1059*67e74705SXin Li *p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}} 1060*67e74705SXin Li} 1061*67e74705SXin Li 1062*67e74705SXin Li// <rdar://problem/8258814> 1063*67e74705SXin Liint r8258814() 1064*67e74705SXin Li{ 1065*67e74705SXin Li int foo; 1066*67e74705SXin Li int * a = &foo; 1067*67e74705SXin Li a[0] = 10; 1068*67e74705SXin Li // Do not warn that the value of 'foo' is uninitialized. 1069*67e74705SXin Li return foo; // no-warning 1070*67e74705SXin Li} 1071*67e74705SXin Li 1072*67e74705SXin Li// PR 8052 - Don't crash when reasoning about loads from a function address.\n 1073*67e74705SXin Litypedef unsigned int __uint32_t; 1074*67e74705SXin Litypedef unsigned long vm_offset_t; 1075*67e74705SXin Litypedef __uint32_t pd_entry_t; 1076*67e74705SXin Litypedef unsigned char u_char; 1077*67e74705SXin Litypedef unsigned int u_int; 1078*67e74705SXin Litypedef unsigned long u_long; 1079*67e74705SXin Liextern int bootMP_size; 1080*67e74705SXin Livoid bootMP(void); 1081*67e74705SXin Listatic void 1082*67e74705SXin Lipr8052(u_int boot_addr) 1083*67e74705SXin Li{ 1084*67e74705SXin Li int x; 1085*67e74705SXin Li int size = *(int *) ((u_long) & bootMP_size); 1086*67e74705SXin Li u_char *src = (u_char *) ((u_long) bootMP); 1087*67e74705SXin Li u_char *dst = (u_char *) boot_addr + ((vm_offset_t) ((((((((1 << 1088*67e74705SXin Li12) / (sizeof(pd_entry_t))) - 1) - 1) - (260 - 2))) << 22) | ((0) << 12))); 1089*67e74705SXin Li#ifdef TEST_64 1090*67e74705SXin Li// expected-warning@-3 {{cast to 'u_char *' (aka 'unsigned char *') from smaller integer type 'u_int' (aka 'unsigned int')}} 1091*67e74705SXin Li#endif 1092*67e74705SXin Li for (x = 0; 1093*67e74705SXin Li x < size; 1094*67e74705SXin Li ++x) 1095*67e74705SXin Li *dst++ = *src++; 1096*67e74705SXin Li} 1097*67e74705SXin Li 1098*67e74705SXin Li// PR 8015 - don't return undefined values for arrays when using a valid 1099*67e74705SXin Li// symbolic index 1100*67e74705SXin Liint pr8015_A(); 1101*67e74705SXin Livoid pr8015_B(const char *); 1102*67e74705SXin Li 1103*67e74705SXin Livoid pr8015_C() { 1104*67e74705SXin Li int number = pr8015_A(); 1105*67e74705SXin Li const char *numbers[] = { "zero" }; 1106*67e74705SXin Li if (number == 0) { 1107*67e74705SXin Li pr8015_B(numbers[number]); // no-warning 1108*67e74705SXin Li } 1109*67e74705SXin Li} 1110*67e74705SXin Li 1111*67e74705SXin Li// Tests that we correctly handle that 'number' is perfectly constrained 1112*67e74705SXin Li// after 'if (nunber == 0)', allowing us to resolve that 1113*67e74705SXin Li// numbers[number] == numbers[0]. 1114*67e74705SXin Livoid pr8015_D_FIXME() { 1115*67e74705SXin Li int number = pr8015_A(); 1116*67e74705SXin Li const char *numbers[] = { "zero" }; 1117*67e74705SXin Li if (number == 0) { 1118*67e74705SXin Li if (numbers[number] == numbers[0]) 1119*67e74705SXin Li return; 1120*67e74705SXin Li // Unreachable. 1121*67e74705SXin Li int *p = 0; 1122*67e74705SXin Li *p = 0xDEADBEEF; // no-warnng 1123*67e74705SXin Li } 1124*67e74705SXin Li} 1125*67e74705SXin Li 1126*67e74705SXin Livoid pr8015_E() { 1127*67e74705SXin Li // Similar to pr8015_C, but number is allowed to be a valid range. 1128*67e74705SXin Li unsigned number = pr8015_A(); 1129*67e74705SXin Li const char *numbers[] = { "zero", "one", "two" }; 1130*67e74705SXin Li if (number < 3) { 1131*67e74705SXin Li pr8015_B(numbers[number]); // no-warning 1132*67e74705SXin Li } 1133*67e74705SXin Li} 1134*67e74705SXin Li 1135*67e74705SXin Livoid pr8015_F_FIXME() { 1136*67e74705SXin Li // Similar to pr8015_E, but like pr8015_D we check if the pointer 1137*67e74705SXin Li // is the same as one of the string literals. The null dereference 1138*67e74705SXin Li // here is not feasible in practice, so this is a false positive. 1139*67e74705SXin Li int number = pr8015_A(); 1140*67e74705SXin Li const char *numbers[] = { "zero", "one", "two" }; 1141*67e74705SXin Li if (number < 3) { 1142*67e74705SXin Li const char *p = numbers[number]; 1143*67e74705SXin Li if (p == numbers[0] || p == numbers[1] || p == numbers[2]) 1144*67e74705SXin Li return; 1145*67e74705SXin Li int *q = 0; 1146*67e74705SXin Li *q = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}} 1147*67e74705SXin Li } 1148*67e74705SXin Li} 1149*67e74705SXin Li 1150*67e74705SXin Li// PR 8141. Previously the statement expression in the for loop caused 1151*67e74705SXin Li// the CFG builder to crash. 1152*67e74705SXin Listruct list_pr8141 1153*67e74705SXin Li{ 1154*67e74705SXin Li struct list_pr8141 *tail; 1155*67e74705SXin Li}; 1156*67e74705SXin Li 1157*67e74705SXin Listruct list_pr8141 * 1158*67e74705SXin Lipr8141 (void) { 1159*67e74705SXin Li struct list_pr8141 *items; 1160*67e74705SXin Li for (;; items = ({ do { } while (0); items->tail; })) // expected-warning{{Dereference of undefined pointer value}} 1161*67e74705SXin Li { 1162*67e74705SXin Li } 1163*67e74705SXin Li} 1164*67e74705SXin Li 1165*67e74705SXin Li// Don't crash when building the CFG. 1166*67e74705SXin Livoid do_not_crash(int x) { 1167*67e74705SXin Li while (x - ({do {} while (0); x; })) { 1168*67e74705SXin Li } 1169*67e74705SXin Li} 1170*67e74705SXin Li 1171*67e74705SXin Li// <rdar://problem/8424269> - Handle looking at the size of a VLA in 1172*67e74705SXin Li// ArrayBoundChecker. Nothing intelligent (yet); just don't crash. 1173*67e74705SXin Litypedef struct RDar8424269_A { 1174*67e74705SXin Li int RDar8424269_C; 1175*67e74705SXin Li} RDar8424269_A; 1176*67e74705SXin Listatic void RDar8424269_B(RDar8424269_A *p, unsigned char *RDar8424269_D, 1177*67e74705SXin Li const unsigned char *RDar8424269_E, int RDar8424269_F, 1178*67e74705SXin Li int b_w, int b_h, int dx, int dy) { 1179*67e74705SXin Li int x, y, b, r, l; 1180*67e74705SXin Li unsigned char tmp2t[3][RDar8424269_F * (32 + 8)]; 1181*67e74705SXin Li unsigned char *tmp2 = tmp2t[0]; 1182*67e74705SXin Li if (p && !p->RDar8424269_C) 1183*67e74705SXin Li b = 15; 1184*67e74705SXin Li tmp2 = tmp2t[1]; 1185*67e74705SXin Li if (b & 2) { // expected-warning{{The left operand of '&' is a garbage value}} 1186*67e74705SXin Li for (y = 0; y < b_h; y++) { 1187*67e74705SXin Li for (x = 0; x < b_w + 1; x++) { 1188*67e74705SXin Li int am = 0; 1189*67e74705SXin Li tmp2[x] = am; 1190*67e74705SXin Li } 1191*67e74705SXin Li } 1192*67e74705SXin Li } 1193*67e74705SXin Li tmp2 = tmp2t[2]; 1194*67e74705SXin Li} 1195*67e74705SXin Li 1196*67e74705SXin Li// <rdar://problem/8642434> - Handle transparent unions with the NonNullParamChecker. 1197*67e74705SXin Litypedef union { 1198*67e74705SXin Li struct rdar_8642434_typeA *_dq; 1199*67e74705SXin Li} 1200*67e74705SXin Lirdar_8642434_typeB __attribute__((transparent_union)); 1201*67e74705SXin Li 1202*67e74705SXin Li__attribute__((visibility("default"))) __attribute__((__nonnull__)) __attribute__((__nothrow__)) 1203*67e74705SXin Livoid rdar_8642434_funcA(rdar_8642434_typeB object); 1204*67e74705SXin Li 1205*67e74705SXin Livoid rdar_8642434_funcB(struct rdar_8642434_typeA *x, struct rdar_8642434_typeA *y) { 1206*67e74705SXin Li rdar_8642434_funcA(x); 1207*67e74705SXin Li if (!y) 1208*67e74705SXin Li rdar_8642434_funcA(y); // expected-warning{{Null pointer passed as an argument to a 'nonnull' parameter}} 1209*67e74705SXin Li} 1210*67e74705SXin Li 1211*67e74705SXin Li// <rdar://problem/8848957> - Handle loads and stores from a symbolic index 1212*67e74705SXin Li// into array without warning about an uninitialized value being returned. 1213*67e74705SXin Li// While RegionStore can't fully reason about this example, it shouldn't 1214*67e74705SXin Li// warn here either. 1215*67e74705SXin Litypedef struct s_test_rdar8848957 { 1216*67e74705SXin Li int x, y, z; 1217*67e74705SXin Li} s_test_rdar8848957; 1218*67e74705SXin Li 1219*67e74705SXin Lis_test_rdar8848957 foo_rdar8848957(); 1220*67e74705SXin Liint rdar8848957(int index) { 1221*67e74705SXin Li s_test_rdar8848957 vals[10]; 1222*67e74705SXin Li vals[index] = foo_rdar8848957(); 1223*67e74705SXin Li return vals[index].x; // no-warning 1224*67e74705SXin Li} 1225*67e74705SXin Li 1226*67e74705SXin Li// PR 9049 - crash on symbolicating unions. This test exists solely to 1227*67e74705SXin Li// test that the analyzer doesn't crash. 1228*67e74705SXin Litypedef struct pr9048_cdev *pr9048_cdev_t; 1229*67e74705SXin Litypedef union pr9048_abstracted_disklabel { void *opaque; } pr9048_disklabel_t; 1230*67e74705SXin Listruct pr9048_diskslice { pr9048_disklabel_t ds_label; }; 1231*67e74705SXin Listruct pr9048_diskslices { 1232*67e74705SXin Li int dss_secmult; 1233*67e74705SXin Li struct pr9048_diskslice dss_slices[16]; 1234*67e74705SXin Li}; 1235*67e74705SXin Livoid pr9048(pr9048_cdev_t dev, struct pr9048_diskslices * ssp, unsigned int slice) 1236*67e74705SXin Li{ 1237*67e74705SXin Li pr9048_disklabel_t lp; 1238*67e74705SXin Li struct pr9048_diskslice *sp; 1239*67e74705SXin Li sp = &ssp->dss_slices[slice]; 1240*67e74705SXin Li if (ssp->dss_secmult == 1) { 1241*67e74705SXin Li } else if ((lp = sp->ds_label).opaque != ((void *) 0)) { 1242*67e74705SXin Li } 1243*67e74705SXin Li} 1244*67e74705SXin Li 1245*67e74705SXin Li// Test Store reference counting in the presence of Lazy compound values. 1246*67e74705SXin Li// This previously caused an infinite recursion. 1247*67e74705SXin Litypedef struct {} Rdar_9103310_A; 1248*67e74705SXin Litypedef struct Rdar_9103310_B Rdar_9103310_B_t; 1249*67e74705SXin Listruct Rdar_9103310_B { 1250*67e74705SXin Li unsigned char Rdar_9103310_C[101]; 1251*67e74705SXin Li}; 1252*67e74705SXin Livoid Rdar_9103310_E(Rdar_9103310_A * x, struct Rdar_9103310_C * b) { // expected-warning {{declaration of 'struct Rdar_9103310_C' will not be visible outside of this function}} 1253*67e74705SXin Li char Rdar_9103310_D[4][4] = { "a", "b", "c", "d"}; 1254*67e74705SXin Li int i; 1255*67e74705SXin Li Rdar_9103310_B_t *y = (Rdar_9103310_B_t *) x; 1256*67e74705SXin Li for (i = 0; i < 101; i++) { 1257*67e74705SXin Li Rdar_9103310_F(b, "%2d%s ", (y->Rdar_9103310_C[i]) / 4, Rdar_9103310_D[(y->Rdar_9103310_C[i]) % 4]); // expected-warning {{implicit declaration of function 'Rdar_9103310_F' is invalid in C99}} 1258*67e74705SXin Li } 1259*67e74705SXin Li} 1260*67e74705SXin Li 1261*67e74705SXin Li// Test handling binding lazy compound values to a region and then have 1262*67e74705SXin Li// specific elements have other bindings. 1263*67e74705SXin Liint PR9455() { 1264*67e74705SXin Li char arr[4] = "000"; 1265*67e74705SXin Li arr[0] = '1'; 1266*67e74705SXin Li if (arr[1] == '0') 1267*67e74705SXin Li return 1; 1268*67e74705SXin Li int *p = 0; 1269*67e74705SXin Li *p = 0xDEADBEEF; // no-warning 1270*67e74705SXin Li return 1; 1271*67e74705SXin Li} 1272*67e74705SXin Liint PR9455_2() { 1273*67e74705SXin Li char arr[4] = "000"; 1274*67e74705SXin Li arr[0] = '1'; 1275*67e74705SXin Li if (arr[1] == '0') { 1276*67e74705SXin Li int *p = 0; 1277*67e74705SXin Li *p = 0xDEADBEEF; // expected-warning {{null}} 1278*67e74705SXin Li } 1279*67e74705SXin Li return 1; 1280*67e74705SXin Li} 1281*67e74705SXin Li 1282*67e74705SXin Li// Test initialization of substructs via lazy compound values. 1283*67e74705SXin Litypedef float RDar9163742_Float; 1284*67e74705SXin Li 1285*67e74705SXin Litypedef struct { 1286*67e74705SXin Li RDar9163742_Float x, y; 1287*67e74705SXin Li} RDar9163742_Point; 1288*67e74705SXin Litypedef struct { 1289*67e74705SXin Li RDar9163742_Float width, height; 1290*67e74705SXin Li} RDar9163742_Size; 1291*67e74705SXin Litypedef struct { 1292*67e74705SXin Li RDar9163742_Point origin; 1293*67e74705SXin Li RDar9163742_Size size; 1294*67e74705SXin Li} RDar9163742_Rect; 1295*67e74705SXin Li 1296*67e74705SXin Liextern RDar9163742_Rect RDar9163742_RectIntegral(RDar9163742_Rect); 1297*67e74705SXin Li 1298*67e74705SXin LiRDar9163742_Rect RDar9163742_IntegralRect(RDar9163742_Rect frame) 1299*67e74705SXin Li{ 1300*67e74705SXin Li RDar9163742_Rect integralFrame; 1301*67e74705SXin Li integralFrame.origin.x = frame.origin.x; 1302*67e74705SXin Li integralFrame.origin.y = frame.origin.y; 1303*67e74705SXin Li integralFrame.size = frame.size; 1304*67e74705SXin Li return RDar9163742_RectIntegral(integralFrame); // no-warning; all fields initialized 1305*67e74705SXin Li} 1306*67e74705SXin Li 1307*67e74705SXin Li// Test correct handling of prefix '--' operator. 1308*67e74705SXin Livoid rdar9444714() { 1309*67e74705SXin Li int x; 1310*67e74705SXin Li char str[ 32 ]; 1311*67e74705SXin Li char buf[ 32 ]; 1312*67e74705SXin Li char * dst; 1313*67e74705SXin Li char * ptr; 1314*67e74705SXin Li 1315*67e74705SXin Li x = 1234; 1316*67e74705SXin Li dst = str; 1317*67e74705SXin Li ptr = buf; 1318*67e74705SXin Li do 1319*67e74705SXin Li { 1320*67e74705SXin Li *ptr++ = (char)( '0' + ( x % 10 ) ); 1321*67e74705SXin Li x /= 10; 1322*67e74705SXin Li } while( x > 0 ); 1323*67e74705SXin Li 1324*67e74705SXin Li while( ptr > buf ) 1325*67e74705SXin Li { 1326*67e74705SXin Li *dst++ = *( --( ptr ) ); // no-warning 1327*67e74705SXin Li } 1328*67e74705SXin Li *dst = '\0'; 1329*67e74705SXin Li} 1330*67e74705SXin Li 1331*67e74705SXin Li// Test handling symbolic elements with field accesses. 1332*67e74705SXin Li// <rdar://problem/11127008> 1333*67e74705SXin Litypedef struct { 1334*67e74705SXin Li unsigned value; 1335*67e74705SXin Li} RDar11127008; 1336*67e74705SXin Li 1337*67e74705SXin Lisigned rdar_11127008_index(); 1338*67e74705SXin Li 1339*67e74705SXin Listatic unsigned rdar_11127008(void) { 1340*67e74705SXin Li RDar11127008 values[] = {{.value = 0}, {.value = 1}}; 1341*67e74705SXin Li signed index = rdar_11127008_index(); 1342*67e74705SXin Li if (index < 0) return 0; 1343*67e74705SXin Li if (index >= 2) return 0; 1344*67e74705SXin Li return values[index].value; 1345*67e74705SXin Li} 1346*67e74705SXin Li 1347*67e74705SXin Li// Test handling invalidating arrays passed to a block via captured 1348*67e74705SXin Li// pointer value (not a __block variable). 1349*67e74705SXin Litypedef void (^radar11125868_cb)(int *, unsigned); 1350*67e74705SXin Li 1351*67e74705SXin Livoid rdar11125868_aux(radar11125868_cb cb); 1352*67e74705SXin Li 1353*67e74705SXin Liint rdar11125868() { 1354*67e74705SXin Li int integersStackArray[1]; 1355*67e74705SXin Li int *integers = integersStackArray; 1356*67e74705SXin Li rdar11125868_aux(^(int *integerValue, unsigned index) { 1357*67e74705SXin Li integers[index] = integerValue[index]; 1358*67e74705SXin Li }); 1359*67e74705SXin Li return integers[0] == 0; // no-warning 1360*67e74705SXin Li} 1361*67e74705SXin Li 1362*67e74705SXin Liint rdar11125868_positive() { 1363*67e74705SXin Li int integersStackArray[1]; 1364*67e74705SXin Li int *integers = integersStackArray; 1365*67e74705SXin Li return integers[0] == 0; // expected-warning {{The left operand of '==' is a}} 1366*67e74705SXin Li} 1367