xref: /aosp_15_r20/external/clang/test/Analysis/misc-ps-region-store.m (revision 67e74705e28f6214e480b399dd47ea732279e315)
1*67e74705SXin Li// RUN: %clang_cc1 -triple i386-apple-darwin9 -analyze -analyzer-checker=core,alpha.core.CastToStruct,alpha.security.ReturnPtrRange,alpha.security.ArrayBound -analyzer-store=region -verify -fblocks -analyzer-opt-analyze-nested-blocks -Wno-objc-root-class %s
2*67e74705SXin Li// RUN: %clang_cc1 -triple x86_64-apple-darwin9 -DTEST_64 -analyze -analyzer-checker=core,alpha.core.CastToStruct,alpha.security.ReturnPtrRange,alpha.security.ArrayBound -analyzer-store=region -verify -fblocks   -analyzer-opt-analyze-nested-blocks -Wno-objc-root-class %s
3*67e74705SXin Li
4*67e74705SXin Litypedef long unsigned int size_t;
5*67e74705SXin Livoid *memcpy(void *, const void *, size_t);
6*67e74705SXin Livoid *alloca(size_t);
7*67e74705SXin Li
8*67e74705SXin Litypedef struct objc_selector *SEL;
9*67e74705SXin Litypedef signed char BOOL;
10*67e74705SXin Litypedef int NSInteger;
11*67e74705SXin Litypedef unsigned int NSUInteger;
12*67e74705SXin Litypedef struct _NSZone NSZone;
13*67e74705SXin Li@class NSInvocation, NSMethodSignature, NSCoder, NSString, NSEnumerator;
14*67e74705SXin Li@protocol NSObject  - (BOOL)isEqual:(id)object; @end
15*67e74705SXin Li@protocol NSCopying  - (id)copyWithZone:(NSZone *)zone; @end
16*67e74705SXin Li@protocol NSMutableCopying  - (id)mutableCopyWithZone:(NSZone *)zone; @end
17*67e74705SXin Li@protocol NSCoding  - (void)encodeWithCoder:(NSCoder *)aCoder; @end
18*67e74705SXin Li@interface NSObject <NSObject> {} - (id)init; @end
19*67e74705SXin Liextern id NSAllocateObject(Class aClass, NSUInteger extraBytes, NSZone *zone);
20*67e74705SXin Li@interface NSString : NSObject <NSCopying, NSMutableCopying, NSCoding>
21*67e74705SXin Li- (NSUInteger)length;
22*67e74705SXin Li+ (id)stringWithUTF8String:(const char *)nullTerminatedCString;
23*67e74705SXin Li@end extern NSString * const NSBundleDidLoadNotification;
24*67e74705SXin Li@interface NSAssertionHandler : NSObject {}
25*67e74705SXin Li+ (NSAssertionHandler *)currentHandler;
26*67e74705SXin Li- (void)handleFailureInMethod:(SEL)selector object:(id)object file:(NSString *)fileName lineNumber:(NSInteger)line description:(NSString *)format,...;
27*67e74705SXin Li@end
28*67e74705SXin Liextern NSString * const NSConnectionReplyMode;
29*67e74705SXin Li
30*67e74705SXin Li#ifdef TEST_64
31*67e74705SXin Litypedef long long int64_t;
32*67e74705SXin Litypedef int64_t intptr_t;
33*67e74705SXin Li#else
34*67e74705SXin Litypedef int int32_t;
35*67e74705SXin Litypedef int32_t intptr_t;
36*67e74705SXin Li#endif
37*67e74705SXin Li
38*67e74705SXin Li//---------------------------------------------------------------------------
39*67e74705SXin Li// Test case 'checkaccess_union' differs for region store and basic store.
40*67e74705SXin Li// The basic store doesn't reason about compound literals, so the code
41*67e74705SXin Li// below won't fire an "uninitialized value" warning.
42*67e74705SXin Li//---------------------------------------------------------------------------
43*67e74705SXin Li
44*67e74705SXin Li// PR 2948 (testcase; crash on VisitLValue for union types)
45*67e74705SXin Li// http://llvm.org/bugs/show_bug.cgi?id=2948
46*67e74705SXin Livoid checkaccess_union() {
47*67e74705SXin Li  int ret = 0, status;
48*67e74705SXin Li  // Since RegionStore doesn't handle unions yet,
49*67e74705SXin Li  // this branch condition won't be triggered
50*67e74705SXin Li  // as involving an uninitialized value.
51*67e74705SXin Li  if (((((__extension__ (((union {  // no-warning
52*67e74705SXin Li    __typeof (status) __in; int __i;}
53*67e74705SXin Li    )
54*67e74705SXin Li    {
55*67e74705SXin Li      .__in = (status)}
56*67e74705SXin Li      ).__i))) & 0xff00) >> 8) == 1)
57*67e74705SXin Li        ret = 1;
58*67e74705SXin Li}
59*67e74705SXin Li
60*67e74705SXin Li// Check our handling of fields being invalidated by function calls.
61*67e74705SXin Listruct test2_struct { int x; int y; char* s; };
62*67e74705SXin Livoid test2_help(struct test2_struct* p);
63*67e74705SXin Li
64*67e74705SXin Lichar test2() {
65*67e74705SXin Li  struct test2_struct s;
66*67e74705SXin Li  test2_help(&s);
67*67e74705SXin Li  char *p = 0;
68*67e74705SXin Li
69*67e74705SXin Li  if (s.x > 1) {
70*67e74705SXin Li    if (s.s != 0) {
71*67e74705SXin Li      p = "hello";
72*67e74705SXin Li    }
73*67e74705SXin Li  }
74*67e74705SXin Li
75*67e74705SXin Li  if (s.x > 1) {
76*67e74705SXin Li    if (s.s != 0) {
77*67e74705SXin Li      return *p;
78*67e74705SXin Li    }
79*67e74705SXin Li  }
80*67e74705SXin Li
81*67e74705SXin Li  return 'a';
82*67e74705SXin Li}
83*67e74705SXin Li
84*67e74705SXin Li// BasicStore handles this case incorrectly because it doesn't reason about
85*67e74705SXin Li// the value pointed to by 'x' and thus creates different symbolic values
86*67e74705SXin Li// at the declarations of 'a' and 'b' respectively.  RegionStore handles
87*67e74705SXin Li// it correctly. See the companion test in 'misc-ps-basic-store.m'.
88*67e74705SXin Livoid test_trivial_symbolic_comparison_pointer_parameter(int *x) {
89*67e74705SXin Li  int a = *x;
90*67e74705SXin Li  int b = *x;
91*67e74705SXin Li  if (a != b) {
92*67e74705SXin Li    int *p = 0;
93*67e74705SXin Li    *p = 0xDEADBEEF;     // no-warning
94*67e74705SXin Li  }
95*67e74705SXin Li}
96*67e74705SXin Li
97*67e74705SXin Li// This is a modified test from 'misc-ps.m'.  Here we have the extra
98*67e74705SXin Li// NULL dereferences which are pruned out by RegionStore's symbolic reasoning
99*67e74705SXin Li// of fields.
100*67e74705SXin Litypedef struct _BStruct { void *grue; } BStruct;
101*67e74705SXin Livoid testB_aux(void *ptr);
102*67e74705SXin Li
103*67e74705SXin Livoid testB(BStruct *b) {
104*67e74705SXin Li  {
105*67e74705SXin Li    int *__gruep__ = ((int *)&((b)->grue));
106*67e74705SXin Li    int __gruev__ = *__gruep__;
107*67e74705SXin Li    int __gruev2__ = *__gruep__;
108*67e74705SXin Li    if (__gruev__ != __gruev2__) {
109*67e74705SXin Li      int *p = 0;
110*67e74705SXin Li      *p = 0xDEADBEEF; // no-warning
111*67e74705SXin Li    }
112*67e74705SXin Li
113*67e74705SXin Li    testB_aux(__gruep__);
114*67e74705SXin Li  }
115*67e74705SXin Li  {
116*67e74705SXin Li    int *__gruep__ = ((int *)&((b)->grue));
117*67e74705SXin Li    int __gruev__ = *__gruep__;
118*67e74705SXin Li    int __gruev2__ = *__gruep__;
119*67e74705SXin Li    if (__gruev__ != __gruev2__) {
120*67e74705SXin Li      int *p = 0;
121*67e74705SXin Li      *p = 0xDEADBEEF; // no-warning
122*67e74705SXin Li    }
123*67e74705SXin Li
124*67e74705SXin Li    if (~0 != __gruev__) {}
125*67e74705SXin Li  }
126*67e74705SXin Li}
127*67e74705SXin Li
128*67e74705SXin Livoid testB_2(BStruct *b) {
129*67e74705SXin Li  {
130*67e74705SXin Li    int **__gruep__ = ((int **)&((b)->grue));
131*67e74705SXin Li    int *__gruev__ = *__gruep__;
132*67e74705SXin Li    testB_aux(__gruep__);
133*67e74705SXin Li  }
134*67e74705SXin Li  {
135*67e74705SXin Li    int **__gruep__ = ((int **)&((b)->grue));
136*67e74705SXin Li    int *__gruev__ = *__gruep__;
137*67e74705SXin Li    if ((int*)~0 != __gruev__) {}
138*67e74705SXin Li  }
139*67e74705SXin Li}
140*67e74705SXin Li
141*67e74705SXin Li// This test case is a reduced case of a caching bug discovered by an
142*67e74705SXin Li// assertion failure in RegionStoreManager::BindArray.  Essentially the
143*67e74705SXin Li// DeclStmt is evaluated twice, but on the second loop iteration the
144*67e74705SXin Li// engine caches out.  Previously a false transition would cause UnknownVal
145*67e74705SXin Li// to bind to the variable, firing an assertion failure.  This bug was fixed
146*67e74705SXin Li// in r76262.
147*67e74705SXin Livoid test_declstmt_caching() {
148*67e74705SXin Liagain:
149*67e74705SXin Li  {
150*67e74705SXin Li    const char a[] = "I like to crash";
151*67e74705SXin Li    goto again;
152*67e74705SXin Li  }
153*67e74705SXin Li}
154*67e74705SXin Li
155*67e74705SXin Li//===----------------------------------------------------------------------===//
156*67e74705SXin Li// Reduced test case from <rdar://problem/7114618>.
157*67e74705SXin Li// Basically a null check is performed on the field value, which is then
158*67e74705SXin Li// assigned to a variable and then checked again.
159*67e74705SXin Li//===----------------------------------------------------------------------===//
160*67e74705SXin Listruct s_7114618 { int *p; };
161*67e74705SXin Livoid test_rdar_7114618(struct s_7114618 *s) {
162*67e74705SXin Li  if (s->p) {
163*67e74705SXin Li    int *p = s->p;
164*67e74705SXin Li    if (!p) {
165*67e74705SXin Li      // Infeasible
166*67e74705SXin Li      int *dead = 0;
167*67e74705SXin Li      *dead = 0xDEADBEEF; // no-warning
168*67e74705SXin Li    }
169*67e74705SXin Li  }
170*67e74705SXin Li}
171*67e74705SXin Li
172*67e74705SXin Li// Test pointers increment correctly.
173*67e74705SXin Livoid f() {
174*67e74705SXin Li  int a[2];
175*67e74705SXin Li  a[1] = 3;
176*67e74705SXin Li  int *p = a;
177*67e74705SXin Li  p++;
178*67e74705SXin Li  if (*p != 3) {
179*67e74705SXin Li    int *q = 0;
180*67e74705SXin Li    *q = 3; // no-warning
181*67e74705SXin Li  }
182*67e74705SXin Li}
183*67e74705SXin Li
184*67e74705SXin Li//===----------------------------------------------------------------------===//
185*67e74705SXin Li// <rdar://problem/7185607>
186*67e74705SXin Li// Bit-fields of a struct should be invalidated when blasting the entire
187*67e74705SXin Li// struct with an integer constant.
188*67e74705SXin Li//===----------------------------------------------------------------------===//
189*67e74705SXin Listruct test_7185607 {
190*67e74705SXin Li  int x : 10;
191*67e74705SXin Li  int y : 22;
192*67e74705SXin Li};
193*67e74705SXin Liint rdar_test_7185607() {
194*67e74705SXin Li  struct test_7185607 s; // Uninitialized.
195*67e74705SXin Li  *((unsigned *) &s) = 0U;
196*67e74705SXin Li  return s.x; // no-warning
197*67e74705SXin Li}
198*67e74705SXin Li
199*67e74705SXin Li//===----------------------------------------------------------------------===//
200*67e74705SXin Li// <rdar://problem/7242006> [RegionStore] compound literal assignment with
201*67e74705SXin Li//  floats not honored
202*67e74705SXin Li// This test case is mirrored in misc-ps.m, but this case is a negative.
203*67e74705SXin Li//===----------------------------------------------------------------------===//
204*67e74705SXin Litypedef float CGFloat;
205*67e74705SXin Litypedef struct _NSSize {
206*67e74705SXin Li    CGFloat width;
207*67e74705SXin Li    CGFloat height;
208*67e74705SXin Li} NSSize;
209*67e74705SXin Li
210*67e74705SXin LiCGFloat rdar7242006_negative(CGFloat x) {
211*67e74705SXin Li  NSSize y;
212*67e74705SXin Li  return y.width; // expected-warning{{garbage}}
213*67e74705SXin Li}
214*67e74705SXin Li
215*67e74705SXin Li//===----------------------------------------------------------------------===//
216*67e74705SXin Li// <rdar://problem/7249340> - Allow binding of values to symbolic regions.
217*67e74705SXin Li// This test case shows how RegionStore tracks the value bound to 'x'
218*67e74705SXin Li// after the assignment.
219*67e74705SXin Li//===----------------------------------------------------------------------===//
220*67e74705SXin Litypedef int* ptr_rdar_7249340;
221*67e74705SXin Livoid rdar_7249340(ptr_rdar_7249340 x) {
222*67e74705SXin Li  *x = 1;
223*67e74705SXin Li  if (*x)
224*67e74705SXin Li    return;
225*67e74705SXin Li  int *p = 0;   // This is unreachable.
226*67e74705SXin Li  *p = 0xDEADBEEF; // no-warning
227*67e74705SXin Li}
228*67e74705SXin Li
229*67e74705SXin Li//===----------------------------------------------------------------------===//
230*67e74705SXin Li// <rdar://problem/7249327> - This test case tests both value tracking of
231*67e74705SXin Li// array values and that we handle symbolic values that are casted
232*67e74705SXin Li// between different integer types.  Note the assignment 'n = *a++'; here
233*67e74705SXin Li// 'n' is and 'int' and '*a' is 'unsigned'.  Previously we got a false positive
234*67e74705SXin Li// at 'x += *b++' (undefined value) because we got a false path.
235*67e74705SXin Li//===----------------------------------------------------------------------===//
236*67e74705SXin Liint rdar_7249327_aux(void);
237*67e74705SXin Li
238*67e74705SXin Livoid rdar_7249327(unsigned int A[2*32]) {
239*67e74705SXin Li  int B[2*32];
240*67e74705SXin Li  int *b;
241*67e74705SXin Li  unsigned int *a;
242*67e74705SXin Li  int x = 0;
243*67e74705SXin Li
244*67e74705SXin Li  int n;
245*67e74705SXin Li
246*67e74705SXin Li  a = A;
247*67e74705SXin Li  b = B;
248*67e74705SXin Li
249*67e74705SXin Li  n = *a++;
250*67e74705SXin Li  if (n)
251*67e74705SXin Li    *b++ = rdar_7249327_aux();
252*67e74705SXin Li
253*67e74705SXin Li  a = A;
254*67e74705SXin Li  b = B;
255*67e74705SXin Li
256*67e74705SXin Li  n = *a++;
257*67e74705SXin Li  if (n)
258*67e74705SXin Li    x += *b++; // no-warning
259*67e74705SXin Li}
260*67e74705SXin Li
261*67e74705SXin Li//===----------------------------------------------------------------------===//
262*67e74705SXin Li// <rdar://problem/6914474> - Check that 'x' is invalidated because its
263*67e74705SXin Li// address is passed in as a value to a struct.
264*67e74705SXin Li//===----------------------------------------------------------------------===//
265*67e74705SXin Listruct doodad_6914474 { int *v; };
266*67e74705SXin Liextern void prod_6914474(struct doodad_6914474 *d);
267*67e74705SXin Liint rdar_6914474(void) {
268*67e74705SXin Li  int x;
269*67e74705SXin Li  struct doodad_6914474 d;
270*67e74705SXin Li  d.v = &x;
271*67e74705SXin Li  prod_6914474(&d);
272*67e74705SXin Li  return x; // no-warning
273*67e74705SXin Li}
274*67e74705SXin Li
275*67e74705SXin Li// Test invalidation of a single field.
276*67e74705SXin Listruct s_test_field_invalidate {
277*67e74705SXin Li  int x;
278*67e74705SXin Li};
279*67e74705SXin Liextern void test_invalidate_field(int *x);
280*67e74705SXin Liint test_invalidate_field_test() {
281*67e74705SXin Li  struct s_test_field_invalidate y;
282*67e74705SXin Li  test_invalidate_field(&y.x);
283*67e74705SXin Li  return y.x; // no-warning
284*67e74705SXin Li}
285*67e74705SXin Liint test_invalidate_field_test_positive() {
286*67e74705SXin Li  struct s_test_field_invalidate y;
287*67e74705SXin Li  return y.x; // expected-warning{{garbage}}
288*67e74705SXin Li}
289*67e74705SXin Li
290*67e74705SXin Li// This test case illustrates how a typeless array of bytes casted to a
291*67e74705SXin Li// struct should be treated as initialized.  RemoveDeadBindings previously
292*67e74705SXin Li// had a bug that caused 'x' to lose its default symbolic value after the
293*67e74705SXin Li// assignment to 'p', thus causing 'p->z' to evaluate to "undefined".
294*67e74705SXin Listruct ArrayWrapper { unsigned char y[16]; };
295*67e74705SXin Listruct WrappedStruct { unsigned z; };
296*67e74705SXin Li
297*67e74705SXin Livoid test_handle_array_wrapper_helper();
298*67e74705SXin Li
299*67e74705SXin Liint test_handle_array_wrapper() {
300*67e74705SXin Li  struct ArrayWrapper x;
301*67e74705SXin Li  test_handle_array_wrapper_helper(&x);
302*67e74705SXin Li  struct WrappedStruct *p = (struct WrappedStruct*) x.y; // expected-warning{{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption}}
303*67e74705SXin Li  return p->z;  // no-warning
304*67e74705SXin Li}
305*67e74705SXin Li
306*67e74705SXin Li//===----------------------------------------------------------------------===//
307*67e74705SXin Li// <rdar://problem/7261075> [RegionStore] crash when
308*67e74705SXin Li//   handling load: '*((unsigned int *)"????")'
309*67e74705SXin Li//===----------------------------------------------------------------------===//
310*67e74705SXin Li
311*67e74705SXin Liint rdar_7261075(void) {
312*67e74705SXin Li  unsigned int var = 0;
313*67e74705SXin Li  if (var == *((unsigned int *)"????"))
314*67e74705SXin Li    return 1;
315*67e74705SXin Li  return 0;
316*67e74705SXin Li}
317*67e74705SXin Li
318*67e74705SXin Li//===----------------------------------------------------------------------===//
319*67e74705SXin Li// <rdar://problem/7275774> false path due to limited pointer
320*67e74705SXin Li//                          arithmetic constraints
321*67e74705SXin Li//===----------------------------------------------------------------------===//
322*67e74705SXin Li
323*67e74705SXin Livoid rdar_7275774(void *data, unsigned n) {
324*67e74705SXin Li  if (!(data || n == 0))
325*67e74705SXin Li    return;
326*67e74705SXin Li
327*67e74705SXin Li  unsigned short *p = (unsigned short*) data;
328*67e74705SXin Li  unsigned short *q = p + (n / 2);
329*67e74705SXin Li
330*67e74705SXin Li  if (p < q) {
331*67e74705SXin Li    // If we reach here, 'p' cannot be null.  If 'p' is null, then 'n' must
332*67e74705SXin Li    // be '0', meaning that this branch is not feasible.
333*67e74705SXin Li    *p = *q; // no-warning
334*67e74705SXin Li  }
335*67e74705SXin Li}
336*67e74705SXin Li
337*67e74705SXin Li//===----------------------------------------------------------------------===//
338*67e74705SXin Li// <rdar://problem/7312221>
339*67e74705SXin Li//
340*67e74705SXin Li//  Test that Objective-C instance variables aren't prematurely pruned
341*67e74705SXin Li//  from the analysis state.
342*67e74705SXin Li//===----------------------------------------------------------------------===//
343*67e74705SXin Li
344*67e74705SXin Listruct rdar_7312221_value { int x; };
345*67e74705SXin Li
346*67e74705SXin Li@interface RDar7312221
347*67e74705SXin Li{
348*67e74705SXin Li  struct rdar_7312221_value *y;
349*67e74705SXin Li}
350*67e74705SXin Li- (void) doSomething_7312221;
351*67e74705SXin Li@end
352*67e74705SXin Li
353*67e74705SXin Liextern struct rdar_7312221_value *rdar_7312221_helper();
354*67e74705SXin Liextern int rdar_7312221_helper_2(id o);
355*67e74705SXin Liextern void rdar_7312221_helper_3(int z);
356*67e74705SXin Li
357*67e74705SXin Li@implementation RDar7312221
358*67e74705SXin Li- (void) doSomething_7312221 {
359*67e74705SXin Li  if (y == 0) {
360*67e74705SXin Li    y = rdar_7312221_helper();
361*67e74705SXin Li    if (y != 0) {
362*67e74705SXin Li      y->x = rdar_7312221_helper_2(self);
363*67e74705SXin Li      // The following use of 'y->x' previously triggered a null dereference, as the value of 'y'
364*67e74705SXin Li      // before 'y = rdar_7312221_helper()' would be used.
365*67e74705SXin Li      rdar_7312221_helper_3(y->x); // no-warning
366*67e74705SXin Li    }
367*67e74705SXin Li  }
368*67e74705SXin Li}
369*67e74705SXin Li@end
370*67e74705SXin Li
371*67e74705SXin Listruct rdar_7312221_container {
372*67e74705SXin Li  struct rdar_7312221_value *y;
373*67e74705SXin Li};
374*67e74705SXin Li
375*67e74705SXin Liextern int rdar_7312221_helper_4(struct rdar_7312221_container *s);
376*67e74705SXin Li
377*67e74705SXin Li// This test case essentially matches the one in [RDar7312221 doSomething_7312221].
378*67e74705SXin Livoid doSomething_7312221_with_struct(struct rdar_7312221_container *Self) {
379*67e74705SXin Li  if (Self->y == 0) {
380*67e74705SXin Li    Self->y = rdar_7312221_helper();
381*67e74705SXin Li    if (Self->y != 0) {
382*67e74705SXin Li      Self->y->x = rdar_7312221_helper_4(Self);
383*67e74705SXin Li      rdar_7312221_helper_3(Self->y->x); // no-warning
384*67e74705SXin Li    }
385*67e74705SXin Li  }
386*67e74705SXin Li}
387*67e74705SXin Li
388*67e74705SXin Li//===----------------------------------------------------------------------===//
389*67e74705SXin Li// <rdar://problem/7332673> - Just more tests cases for regions
390*67e74705SXin Li//===----------------------------------------------------------------------===//
391*67e74705SXin Li
392*67e74705SXin Livoid rdar_7332673_test1() {
393*67e74705SXin Li    char value[1];
394*67e74705SXin Li    if ( *(value) != 1 ) {} // expected-warning{{The left operand of '!=' is a garbage value}}
395*67e74705SXin Li}
396*67e74705SXin Liint rdar_7332673_test2_aux(char *x);
397*67e74705SXin Livoid rdar_7332673_test2() {
398*67e74705SXin Li    char *value;
399*67e74705SXin Li    if ( rdar_7332673_test2_aux(value) != 1 ) {} // expected-warning{{Function call argument is an uninitialized value}}
400*67e74705SXin Li}
401*67e74705SXin Li
402*67e74705SXin Li//===----------------------------------------------------------------------===//
403*67e74705SXin Li// <rdar://problem/7347252>: Because of a bug in
404*67e74705SXin Li//   RegionStoreManager::RemoveDeadBindings(), the symbol for s->session->p
405*67e74705SXin Li//   would incorrectly be pruned from the state after the call to
406*67e74705SXin Li//   rdar7347252_malloc1(), and would incorrectly result in a warning about
407*67e74705SXin Li//   passing a null pointer to rdar7347252_memcpy().
408*67e74705SXin Li//===----------------------------------------------------------------------===//
409*67e74705SXin Li
410*67e74705SXin Listruct rdar7347252_AA { char *p;};
411*67e74705SXin Litypedef struct {
412*67e74705SXin Li struct rdar7347252_AA *session;
413*67e74705SXin Li int t;
414*67e74705SXin Li char *q;
415*67e74705SXin Li} rdar7347252_SSL1;
416*67e74705SXin Li
417*67e74705SXin Liint rdar7347252_f(rdar7347252_SSL1 *s);
418*67e74705SXin Lichar *rdar7347252_malloc1(int);
419*67e74705SXin Lichar *rdar7347252_memcpy1(char *d, char *s, int n) __attribute__((nonnull (1,2)));
420*67e74705SXin Li
421*67e74705SXin Liint rdar7347252(rdar7347252_SSL1 *s) {
422*67e74705SXin Li rdar7347252_f(s);  // the SymbolicRegion of 's' is set a default binding of conjured symbol
423*67e74705SXin Li if (s->session->p == ((void*)0)) {
424*67e74705SXin Li   if ((s->session->p = rdar7347252_malloc1(10)) == ((void*)0)) {
425*67e74705SXin Li     return 0;
426*67e74705SXin Li   }
427*67e74705SXin Li   rdar7347252_memcpy1(s->session->p, "aa", 2); // no-warning
428*67e74705SXin Li }
429*67e74705SXin Li return 0;
430*67e74705SXin Li}
431*67e74705SXin Li
432*67e74705SXin Li//===----------------------------------------------------------------------===//
433*67e74705SXin Li// PR 5316 - "crash when accessing field of lazy compound value"
434*67e74705SXin Li//  Previously this caused a crash at the MemberExpr '.chr' when loading
435*67e74705SXin Li//  a field value from a LazyCompoundVal
436*67e74705SXin Li//===----------------------------------------------------------------------===//
437*67e74705SXin Li
438*67e74705SXin Litypedef unsigned int pr5316_wint_t;
439*67e74705SXin Litypedef pr5316_wint_t pr5316_REFRESH_CHAR;
440*67e74705SXin Litypedef struct {
441*67e74705SXin Li  pr5316_REFRESH_CHAR chr;
442*67e74705SXin Li}
443*67e74705SXin Lipr5316_REFRESH_ELEMENT;
444*67e74705SXin Listatic void pr5316(pr5316_REFRESH_ELEMENT *dst, const pr5316_REFRESH_ELEMENT *src) {
445*67e74705SXin Li  while ((*dst++ = *src++).chr != L'\0')  ;
446*67e74705SXin Li}
447*67e74705SXin Li
448*67e74705SXin Li//===----------------------------------------------------------------------===//
449*67e74705SXin Li// Exercise creating ElementRegion with symbolic super region.
450*67e74705SXin Li//===----------------------------------------------------------------------===//
451*67e74705SXin Livoid element_region_with_symbolic_superregion(int* p) {
452*67e74705SXin Li  int *x;
453*67e74705SXin Li  int a;
454*67e74705SXin Li  if (p[0] == 1)
455*67e74705SXin Li    x = &a;
456*67e74705SXin Li  if (p[0] == 1)
457*67e74705SXin Li    (void)*x; // no-warning
458*67e74705SXin Li}
459*67e74705SXin Li
460*67e74705SXin Li//===----------------------------------------------------------------------===//
461*67e74705SXin Li// Test returning an out-of-bounds pointer (CWE-466)
462*67e74705SXin Li//===----------------------------------------------------------------------===//
463*67e74705SXin Li
464*67e74705SXin Listatic int test_cwe466_return_outofbounds_pointer_a[10];
465*67e74705SXin Liint *test_cwe466_return_outofbounds_pointer() {
466*67e74705SXin Li  int *p = test_cwe466_return_outofbounds_pointer_a+10;
467*67e74705SXin Li  return p; // expected-warning{{Returned pointer value points outside the original object}}
468*67e74705SXin Li}
469*67e74705SXin Li
470*67e74705SXin Li//===----------------------------------------------------------------------===//
471*67e74705SXin Li// PR 3135 - Test case that shows that a variable may get invalidated when its
472*67e74705SXin Li// address is included in a structure that is passed-by-value to an unknown function.
473*67e74705SXin Li//===----------------------------------------------------------------------===//
474*67e74705SXin Li
475*67e74705SXin Litypedef struct { int *a; } pr3135_structure;
476*67e74705SXin Liint pr3135_bar(pr3135_structure *x);
477*67e74705SXin Liint pr3135() {
478*67e74705SXin Li  int x;
479*67e74705SXin Li  pr3135_structure y = { &x };
480*67e74705SXin Li  // the call to pr3135_bar may initialize x
481*67e74705SXin Li  if (pr3135_bar(&y) && x) // no-warning
482*67e74705SXin Li    return 1;
483*67e74705SXin Li  return 0;
484*67e74705SXin Li}
485*67e74705SXin Li
486*67e74705SXin Li//===----------------------------------------------------------------------===//
487*67e74705SXin Li// <rdar://problem/7403269> - Test that we handle compound initializers with
488*67e74705SXin Li// partially unspecified array values. Previously this caused a crash.
489*67e74705SXin Li//===----------------------------------------------------------------------===//
490*67e74705SXin Li
491*67e74705SXin Litypedef struct RDar7403269 {
492*67e74705SXin Li  unsigned x[10];
493*67e74705SXin Li  unsigned y;
494*67e74705SXin Li} RDar7403269;
495*67e74705SXin Li
496*67e74705SXin Livoid rdar7403269() {
497*67e74705SXin Li  RDar7403269 z = { .y = 0 };
498*67e74705SXin Li  if (z.x[4] == 0)
499*67e74705SXin Li    return;
500*67e74705SXin Li  int *p = 0;
501*67e74705SXin Li  *p = 0xDEADBEEF; // no-warning
502*67e74705SXin Li}
503*67e74705SXin Li
504*67e74705SXin Litypedef struct RDar7403269_b {
505*67e74705SXin Li  struct zorg { int w; int k; } x[10];
506*67e74705SXin Li  unsigned y;
507*67e74705SXin Li} RDar7403269_b;
508*67e74705SXin Li
509*67e74705SXin Livoid rdar7403269_b() {
510*67e74705SXin Li  RDar7403269_b z = { .y = 0 };
511*67e74705SXin Li  if (z.x[5].w == 0)
512*67e74705SXin Li    return;
513*67e74705SXin Li  int *p = 0;
514*67e74705SXin Li  *p = 0xDEADBEEF; // no-warning
515*67e74705SXin Li}
516*67e74705SXin Li
517*67e74705SXin Livoid rdar7403269_b_pos() {
518*67e74705SXin Li  RDar7403269_b z = { .y = 0 };
519*67e74705SXin Li  if (z.x[5].w == 1)
520*67e74705SXin Li    return;
521*67e74705SXin Li  int *p = 0;
522*67e74705SXin Li  *p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}}
523*67e74705SXin Li}
524*67e74705SXin Li
525*67e74705SXin Li
526*67e74705SXin Li//===----------------------------------------------------------------------===//
527*67e74705SXin Li// Test that incrementing a non-null pointer results in a non-null pointer.
528*67e74705SXin Li// (<rdar://problem/7191542>)
529*67e74705SXin Li//===----------------------------------------------------------------------===//
530*67e74705SXin Li
531*67e74705SXin Livoid test_increment_nonnull_rdar_7191542(const char *path) {
532*67e74705SXin Li  const char *alf = 0;
533*67e74705SXin Li
534*67e74705SXin Li  for (;;) {
535*67e74705SXin Li    // When using basic-store, we get a null dereference here because we lose information
536*67e74705SXin Li    // about path after the pointer increment.
537*67e74705SXin Li    char c = *path++; // no-warning
538*67e74705SXin Li    if (c == 'a') {
539*67e74705SXin Li      alf = path;
540*67e74705SXin Li    }
541*67e74705SXin Li
542*67e74705SXin Li    if (alf)
543*67e74705SXin Li      return;
544*67e74705SXin Li  }
545*67e74705SXin Li}
546*67e74705SXin Li
547*67e74705SXin Li//===----------------------------------------------------------------------===//
548*67e74705SXin Li// Test that the store (implicitly) tracks values for doubles/floats that are
549*67e74705SXin Li// uninitialized (<rdar://problem/6811085>)
550*67e74705SXin Li//===----------------------------------------------------------------------===//
551*67e74705SXin Li
552*67e74705SXin Lidouble rdar_6811085(void) {
553*67e74705SXin Li  double u;
554*67e74705SXin Li  return u + 10; // expected-warning{{The left operand of '+' is a garbage value}}
555*67e74705SXin Li}
556*67e74705SXin Li
557*67e74705SXin Li//===----------------------------------------------------------------------===//
558*67e74705SXin Li// Path-sensitive tests for blocks.
559*67e74705SXin Li//===----------------------------------------------------------------------===//
560*67e74705SXin Li
561*67e74705SXin Livoid indirect_block_call(void (^f)());
562*67e74705SXin Li
563*67e74705SXin Liint blocks_1(int *p, int z) {
564*67e74705SXin Li  __block int *q = 0;
565*67e74705SXin Li  void (^bar)() = ^{ q = p; };
566*67e74705SXin Li
567*67e74705SXin Li  if (z == 1) {
568*67e74705SXin Li    // The call to 'bar' might cause 'q' to be invalidated.
569*67e74705SXin Li    bar();
570*67e74705SXin Li    *q = 0x1; // no-warning
571*67e74705SXin Li  }
572*67e74705SXin Li  else if (z == 2) {
573*67e74705SXin Li    // The function 'indirect_block_call' might invoke bar, thus causing
574*67e74705SXin Li    // 'q' to possibly be invalidated.
575*67e74705SXin Li    indirect_block_call(bar);
576*67e74705SXin Li    *q = 0x1; // no-warning
577*67e74705SXin Li  }
578*67e74705SXin Li  else {
579*67e74705SXin Li    *q = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}}
580*67e74705SXin Li  }
581*67e74705SXin Li  return z;
582*67e74705SXin Li}
583*67e74705SXin Li
584*67e74705SXin Liint blocks_2(int *p, int z) {
585*67e74705SXin Li  int *q = 0;
586*67e74705SXin Li  void (^bar)(int **) = ^(int **r){ *r = p; };
587*67e74705SXin Li
588*67e74705SXin Li  if (z) {
589*67e74705SXin Li    // The call to 'bar' might cause 'q' to be invalidated.
590*67e74705SXin Li    bar(&q);
591*67e74705SXin Li    *q = 0x1; // no-warning
592*67e74705SXin Li  }
593*67e74705SXin Li  else {
594*67e74705SXin Li    *q = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}}
595*67e74705SXin Li  }
596*67e74705SXin Li  return z;
597*67e74705SXin Li}
598*67e74705SXin Li
599*67e74705SXin Li// Test that the value of 'x' is considered invalidated after the block
600*67e74705SXin Li// is passed as an argument to the message expression.
601*67e74705SXin Litypedef void (^RDar7582031CB)(void);
602*67e74705SXin Li@interface RDar7582031
603*67e74705SXin Li- rdar7582031:RDar7582031CB;
604*67e74705SXin Li- rdar7582031_b:RDar7582031CB;
605*67e74705SXin Li@end
606*67e74705SXin Li
607*67e74705SXin Li// Test with one block.
608*67e74705SXin Liunsigned rdar7582031(RDar7582031 *o) {
609*67e74705SXin Li  __block unsigned x;
610*67e74705SXin Li  [o rdar7582031:^{ x = 1; }];
611*67e74705SXin Li  return x; // no-warning
612*67e74705SXin Li}
613*67e74705SXin Li
614*67e74705SXin Li// Test with two blocks.
615*67e74705SXin Liunsigned long rdar7582031_b(RDar7582031 *o) {
616*67e74705SXin Li  __block unsigned y;
617*67e74705SXin Li  __block unsigned long x;
618*67e74705SXin Li  [o rdar7582031:^{ y = 1; }];
619*67e74705SXin Li  [o rdar7582031_b:^{ x = 1LL; }];
620*67e74705SXin Li  return x + (unsigned long) y; // no-warning
621*67e74705SXin Li}
622*67e74705SXin Li
623*67e74705SXin Li// Show we get an error when 'o' is null because the message
624*67e74705SXin Li// expression has no effect.
625*67e74705SXin Liunsigned long rdar7582031_b2(RDar7582031 *o) {
626*67e74705SXin Li  __block unsigned y;
627*67e74705SXin Li  __block unsigned long x;
628*67e74705SXin Li  if (o)
629*67e74705SXin Li    return 1;
630*67e74705SXin Li  [o rdar7582031:^{ y = 1; }];
631*67e74705SXin Li  [o rdar7582031_b:^{ x = 1LL; }];
632*67e74705SXin Li  return x + (unsigned long) y; // expected-warning{{The left operand of '+' is a garbage value}}
633*67e74705SXin Li}
634*67e74705SXin Li
635*67e74705SXin Li// Show that we handle static variables also getting invalidated.
636*67e74705SXin Livoid rdar7582031_aux(void (^)(void));
637*67e74705SXin LiRDar7582031 *rdar7582031_aux_2();
638*67e74705SXin Li
639*67e74705SXin Liunsigned rdar7582031_static() {
640*67e74705SXin Li  static RDar7582031 *o = 0;
641*67e74705SXin Li  rdar7582031_aux(^{ o = rdar7582031_aux_2(); });
642*67e74705SXin Li
643*67e74705SXin Li  __block unsigned x;
644*67e74705SXin Li  [o rdar7582031:^{ x = 1; }];
645*67e74705SXin Li  return x; // no-warning
646*67e74705SXin Li}
647*67e74705SXin Li
648*67e74705SXin Li//===----------------------------------------------------------------------===//
649*67e74705SXin Li// <rdar://problem/7462324> - Test that variables passed using __blocks
650*67e74705SXin Li//  are not treated as being uninitialized.
651*67e74705SXin Li//===----------------------------------------------------------------------===//
652*67e74705SXin Li
653*67e74705SXin Litypedef void (^RDar_7462324_Callback)(id obj);
654*67e74705SXin Li
655*67e74705SXin Li@interface RDar7462324
656*67e74705SXin Li- (void) foo:(id)target;
657*67e74705SXin Li- (void) foo_positive:(id)target;
658*67e74705SXin Li
659*67e74705SXin Li@end
660*67e74705SXin Li
661*67e74705SXin Li@implementation RDar7462324
662*67e74705SXin Li- (void) foo:(id)target {
663*67e74705SXin Li  __block RDar_7462324_Callback builder = ((void*) 0);
664*67e74705SXin Li  builder = ^(id object) {
665*67e74705SXin Li    if (object) {
666*67e74705SXin Li      builder(self); // no-warning
667*67e74705SXin Li    }
668*67e74705SXin Li  };
669*67e74705SXin Li  builder(target);
670*67e74705SXin Li}
671*67e74705SXin Li- (void) foo_positive:(id)target {
672*67e74705SXin Li  __block RDar_7462324_Callback builder = ((void*) 0);
673*67e74705SXin Li  builder = ^(id object) {
674*67e74705SXin Li    id x;
675*67e74705SXin Li    if (object) {
676*67e74705SXin Li      builder(x); // expected-warning{{Block call argument is an uninitialized value}}
677*67e74705SXin Li    }
678*67e74705SXin Li  };
679*67e74705SXin Li  builder(target);
680*67e74705SXin Li}
681*67e74705SXin Li@end
682*67e74705SXin Li
683*67e74705SXin Li//===----------------------------------------------------------------------===//
684*67e74705SXin Li// <rdar://problem/7468209> - Scanning for live variables within a block should
685*67e74705SXin Li//  not crash on variables passed by reference via __block.
686*67e74705SXin Li//===----------------------------------------------------------------------===//
687*67e74705SXin Li
688*67e74705SXin Liint rdar7468209_aux();
689*67e74705SXin Livoid rdar7468209_aux_2();
690*67e74705SXin Li
691*67e74705SXin Livoid rdar7468209() {
692*67e74705SXin Li  __block int x = 0;
693*67e74705SXin Li  ^{
694*67e74705SXin Li    x = rdar7468209_aux();
695*67e74705SXin Li    // We need a second statement so that 'x' would be removed from the store if it wasn't
696*67e74705SXin Li    // passed by reference.
697*67e74705SXin Li    rdar7468209_aux_2();
698*67e74705SXin Li  }();
699*67e74705SXin Li}
700*67e74705SXin Li
701*67e74705SXin Li//===----------------------------------------------------------------------===//
702*67e74705SXin Li// PR 5857 - Test loading an integer from a byte array that has also been
703*67e74705SXin Li//  reinterpreted to be loaded as a field.
704*67e74705SXin Li//===----------------------------------------------------------------------===//
705*67e74705SXin Li
706*67e74705SXin Litypedef struct { int x; } TestFieldLoad;
707*67e74705SXin Liint pr5857(char *src) {
708*67e74705SXin Li  TestFieldLoad *tfl = (TestFieldLoad *) (intptr_t) src;
709*67e74705SXin Li  int y = tfl->x;
710*67e74705SXin Li  long long *z = (long long *) (intptr_t) src;
711*67e74705SXin Li  long long w = 0;
712*67e74705SXin Li  int n = 0;
713*67e74705SXin Li  for (n = 0; n < y; ++n) {
714*67e74705SXin Li    // Previously we crashed analyzing this statement.
715*67e74705SXin Li    w = *z++;
716*67e74705SXin Li  }
717*67e74705SXin Li  return 1;
718*67e74705SXin Li}
719*67e74705SXin Li
720*67e74705SXin Li//===----------------------------------------------------------------------===//
721*67e74705SXin Li// PR 4358 - Without field-sensitivity, this code previously triggered
722*67e74705SXin Li//  a false positive that 'uninit' could be uninitialized at the call
723*67e74705SXin Li//  to pr4358_aux().
724*67e74705SXin Li//===----------------------------------------------------------------------===//
725*67e74705SXin Li
726*67e74705SXin Listruct pr4358 {
727*67e74705SXin Li  int bar;
728*67e74705SXin Li  int baz;
729*67e74705SXin Li};
730*67e74705SXin Livoid pr4358_aux(int x);
731*67e74705SXin Livoid pr4358(struct pr4358 *pnt) {
732*67e74705SXin Li  int uninit;
733*67e74705SXin Li  if (pnt->bar < 3) {
734*67e74705SXin Li    uninit = 1;
735*67e74705SXin Li  } else if (pnt->baz > 2) {
736*67e74705SXin Li    uninit = 3;
737*67e74705SXin Li  } else if (pnt->baz <= 2) {
738*67e74705SXin Li    uninit = 2;
739*67e74705SXin Li  }
740*67e74705SXin Li  pr4358_aux(uninit); // no-warning
741*67e74705SXin Li}
742*67e74705SXin Li
743*67e74705SXin Li//===----------------------------------------------------------------------===//
744*67e74705SXin Li// <rdar://problem/7526777>
745*67e74705SXin Li// Test handling fields of values returned from function calls or
746*67e74705SXin Li// message expressions.
747*67e74705SXin Li//===----------------------------------------------------------------------===//
748*67e74705SXin Li
749*67e74705SXin Litypedef struct testReturn_rdar_7526777 {
750*67e74705SXin Li  int x;
751*67e74705SXin Li  int y;
752*67e74705SXin Li} testReturn_rdar_7526777;
753*67e74705SXin Li
754*67e74705SXin Li@interface TestReturnStruct_rdar_7526777
755*67e74705SXin Li- (testReturn_rdar_7526777) foo;
756*67e74705SXin Li@end
757*67e74705SXin Li
758*67e74705SXin Liint test_return_struct(TestReturnStruct_rdar_7526777 *x) {
759*67e74705SXin Li  return [x foo].x;
760*67e74705SXin Li}
761*67e74705SXin Li
762*67e74705SXin LitestReturn_rdar_7526777 test_return_struct_2_aux_rdar_7526777();
763*67e74705SXin Li
764*67e74705SXin Liint test_return_struct_2_rdar_7526777() {
765*67e74705SXin Li  return test_return_struct_2_aux_rdar_7526777().x;
766*67e74705SXin Li}
767*67e74705SXin Li
768*67e74705SXin Li//===----------------------------------------------------------------------===//
769*67e74705SXin Li// <rdar://problem/7527292> Assertion failed: (Op == BinaryOperator::Add ||
770*67e74705SXin Li//                                             Op == BinaryOperator::Sub)
771*67e74705SXin Li// This test case previously triggered an assertion failure due to a discrepancy
772*67e74705SXin Li// been the loaded/stored value in the array
773*67e74705SXin Li//===----------------------------------------------------------------------===//
774*67e74705SXin Li
775*67e74705SXin Li_Bool OSAtomicCompareAndSwapPtrBarrier( void *__oldValue, void *__newValue, void * volatile *__theValue );
776*67e74705SXin Li
777*67e74705SXin Livoid rdar_7527292() {
778*67e74705SXin Li  static id Cache7527292[32];
779*67e74705SXin Li  for (signed long idx = 0;
780*67e74705SXin Li       idx < 32;
781*67e74705SXin Li       idx++) {
782*67e74705SXin Li    id v = Cache7527292[idx];
783*67e74705SXin Li    if (v && OSAtomicCompareAndSwapPtrBarrier(v, ((void*)0), (void * volatile *)(Cache7527292 + idx))) {
784*67e74705SXin Li    }
785*67e74705SXin Li  }
786*67e74705SXin Li}
787*67e74705SXin Li
788*67e74705SXin Li//===----------------------------------------------------------------------===//
789*67e74705SXin Li// <rdar://problem/7515938> - Handle initialization of incomplete arrays
790*67e74705SXin Li//  in structures using a compound value.  Previously this crashed.
791*67e74705SXin Li//===----------------------------------------------------------------------===//
792*67e74705SXin Li
793*67e74705SXin Listruct rdar_7515938 {
794*67e74705SXin Li  int x;
795*67e74705SXin Li  int y[];
796*67e74705SXin Li};
797*67e74705SXin Li
798*67e74705SXin Liconst struct rdar_7515938 *rdar_7515938() {
799*67e74705SXin Li  static const struct rdar_7515938 z = { 0, { 1, 2 } };
800*67e74705SXin Li  if (z.y[0] != 1) {
801*67e74705SXin Li    int *p = 0;
802*67e74705SXin Li    *p = 0xDEADBEEF; // no-warning
803*67e74705SXin Li  }
804*67e74705SXin Li  return &z;
805*67e74705SXin Li}
806*67e74705SXin Li
807*67e74705SXin Listruct rdar_7515938_str {
808*67e74705SXin Li  int x;
809*67e74705SXin Li  char y[];
810*67e74705SXin Li};
811*67e74705SXin Li
812*67e74705SXin Liconst struct rdar_7515938_str *rdar_7515938_str() {
813*67e74705SXin Li  static const struct rdar_7515938_str z = { 0, "hello" };
814*67e74705SXin Li  return &z;
815*67e74705SXin Li}
816*67e74705SXin Li
817*67e74705SXin Li//===----------------------------------------------------------------------===//
818*67e74705SXin Li// Assorted test cases from PR 4172.
819*67e74705SXin Li//===----------------------------------------------------------------------===//
820*67e74705SXin Li
821*67e74705SXin Listruct PR4172A_s { int *a; };
822*67e74705SXin Li
823*67e74705SXin Livoid PR4172A_f2(struct PR4172A_s *p);
824*67e74705SXin Li
825*67e74705SXin Liint PR4172A_f1(void) {
826*67e74705SXin Li    struct PR4172A_s m;
827*67e74705SXin Li    int b[4];
828*67e74705SXin Li    m.a = b;
829*67e74705SXin Li    PR4172A_f2(&m);
830*67e74705SXin Li    return b[3]; // no-warning
831*67e74705SXin Li}
832*67e74705SXin Li
833*67e74705SXin Listruct PR4172B_s { int *a; };
834*67e74705SXin Li
835*67e74705SXin Livoid PR4172B_f2(struct PR4172B_s *p);
836*67e74705SXin Li
837*67e74705SXin Liint PR4172B_f1(void) {
838*67e74705SXin Li    struct PR4172B_s m;
839*67e74705SXin Li    int x;
840*67e74705SXin Li    m.a = &x;
841*67e74705SXin Li    PR4172B_f2(&m);
842*67e74705SXin Li    return x; // no-warning
843*67e74705SXin Li}
844*67e74705SXin Li
845*67e74705SXin Li//===----------------------------------------------------------------------===//
846*67e74705SXin Li// Test invalidation of values in struct literals.
847*67e74705SXin Li//===----------------------------------------------------------------------===//
848*67e74705SXin Li
849*67e74705SXin Listruct s_rev96062 { int *x; int *y; };
850*67e74705SXin Listruct s_rev96062_nested { struct s_rev96062 z; };
851*67e74705SXin Li
852*67e74705SXin Livoid test_a_rev96062_aux(struct s_rev96062 *s);
853*67e74705SXin Livoid test_a_rev96062_aux2(struct s_rev96062_nested *s);
854*67e74705SXin Li
855*67e74705SXin Liint test_a_rev96062() {
856*67e74705SXin Li  int a, b;
857*67e74705SXin Li  struct s_rev96062 x = { &a, &b };
858*67e74705SXin Li  test_a_rev96062_aux(&x);
859*67e74705SXin Li  return a + b; // no-warning
860*67e74705SXin Li}
861*67e74705SXin Liint test_b_rev96062() {
862*67e74705SXin Li  int a, b;
863*67e74705SXin Li  struct s_rev96062 x = { &a, &b };
864*67e74705SXin Li  struct s_rev96062 z = x;
865*67e74705SXin Li  test_a_rev96062_aux(&z);
866*67e74705SXin Li  return a + b; // no-warning
867*67e74705SXin Li}
868*67e74705SXin Liint test_c_rev96062() {
869*67e74705SXin Li  int a, b;
870*67e74705SXin Li  struct s_rev96062 x = { &a, &b };
871*67e74705SXin Li  struct s_rev96062_nested w = { x };
872*67e74705SXin Li  struct s_rev96062_nested z = w;
873*67e74705SXin Li  test_a_rev96062_aux2(&z);
874*67e74705SXin Li  return a + b; // no-warning
875*67e74705SXin Li}
876*67e74705SXin Li
877*67e74705SXin Li//===----------------------------------------------------------------------===//
878*67e74705SXin Li// <rdar://problem/7242010> - The access to y[0] at the bottom previously
879*67e74705SXin Li//  was reported as an uninitialized value.
880*67e74705SXin Li//===----------------------------------------------------------------------===//
881*67e74705SXin Li
882*67e74705SXin Lichar *rdar_7242010(int count, char **y) {
883*67e74705SXin Li  char **x = alloca((count + 4) * sizeof(*x));
884*67e74705SXin Li  x[0] = "hi";
885*67e74705SXin Li  x[1] = "there";
886*67e74705SXin Li  x[2] = "every";
887*67e74705SXin Li  x[3] = "body";
888*67e74705SXin Li  memcpy(x + 4, y, count * sizeof(*x));
889*67e74705SXin Li  y = x;
890*67e74705SXin Li  return y[0]; // no-warning
891*67e74705SXin Li}
892*67e74705SXin Li
893*67e74705SXin Li//===----------------------------------------------------------------------===//
894*67e74705SXin Li// <rdar://problem/7770737>
895*67e74705SXin Li//===----------------------------------------------------------------------===//
896*67e74705SXin Li
897*67e74705SXin Listruct rdar_7770737_s { intptr_t p; };
898*67e74705SXin Livoid rdar_7770737_aux(struct rdar_7770737_s *p);
899*67e74705SXin Liint rdar_7770737(void)
900*67e74705SXin Li{
901*67e74705SXin Li  int x;
902*67e74705SXin Li
903*67e74705SXin Li  // Previously 'f' was not properly invalidated, causing the use of
904*67e74705SXin Li  // an uninitailized value below.
905*67e74705SXin Li  struct rdar_7770737_s f = { .p = (intptr_t)&x };
906*67e74705SXin Li  rdar_7770737_aux(&f);
907*67e74705SXin Li  return x; // no-warning
908*67e74705SXin Li}
909*67e74705SXin Liint rdar_7770737_pos(void)
910*67e74705SXin Li{
911*67e74705SXin Li  int x;
912*67e74705SXin Li  struct rdar_7770737_s f = { .p = (intptr_t)&x };
913*67e74705SXin Li  return x; // expected-warning{{Undefined or garbage value returned to caller}}
914*67e74705SXin Li}
915*67e74705SXin Li
916*67e74705SXin Li//===----------------------------------------------------------------------===//
917*67e74705SXin Li// Test handling of the implicit 'isa' field.  For now we don't do anything
918*67e74705SXin Li// interesting.
919*67e74705SXin Li//===----------------------------------------------------------------------===//
920*67e74705SXin Li
921*67e74705SXin Livoid pr6302(id x, Class y) {
922*67e74705SXin Li  // This previously crashed the analyzer (reported in PR 6302)
923*67e74705SXin Li  x->isa  = y; // expected-warning {{assignment to Objective-C's isa is deprecated in favor of object_setClass()}}
924*67e74705SXin Li}
925*67e74705SXin Li
926*67e74705SXin Li//===----------------------------------------------------------------------===//
927*67e74705SXin Li// Specially handle global variables that are declared constant.  In the
928*67e74705SXin Li// example below, this forces the loop to take exactly 2 iterations.
929*67e74705SXin Li//===----------------------------------------------------------------------===//
930*67e74705SXin Li
931*67e74705SXin Liconst int pr6288_L_N = 2;
932*67e74705SXin Livoid pr6288_(void) {
933*67e74705SXin Li  int x[2];
934*67e74705SXin Li  int *px[2];
935*67e74705SXin Li  int i;
936*67e74705SXin Li  for (i = 0; i < pr6288_L_N; i++)
937*67e74705SXin Li    px[i] = &x[i];
938*67e74705SXin Li  *(px[0]) = 0; // no-warning
939*67e74705SXin Li}
940*67e74705SXin Li
941*67e74705SXin Livoid pr6288_pos(int z) {
942*67e74705SXin Li  int x[2];
943*67e74705SXin Li  int *px[2];
944*67e74705SXin Li  int i;
945*67e74705SXin Li  for (i = 0; i < z; i++)
946*67e74705SXin Li    px[i] = &x[i]; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
947*67e74705SXin Li  *(px[0]) = 0; // expected-warning{{Dereference of undefined pointer value}}
948*67e74705SXin Li}
949*67e74705SXin Li
950*67e74705SXin Livoid pr6288_b(void) {
951*67e74705SXin Li  const int L_N = 2;
952*67e74705SXin Li  int x[2];
953*67e74705SXin Li  int *px[2];
954*67e74705SXin Li  int i;
955*67e74705SXin Li  for (i = 0; i < L_N; i++)
956*67e74705SXin Li    px[i] = &x[i];
957*67e74705SXin Li  *(px[0]) = 0; // no-warning
958*67e74705SXin Li}
959*67e74705SXin Li
960*67e74705SXin Li// <rdar://problem/7817800> - A bug in RemoveDeadBindings was causing instance variable bindings
961*67e74705SXin Li//  to get prematurely pruned from the state.
962*67e74705SXin Li@interface Rdar7817800 {
963*67e74705SXin Li  char *x;
964*67e74705SXin Li}
965*67e74705SXin Li- (void) rdar7817800_baz;
966*67e74705SXin Li@end
967*67e74705SXin Li
968*67e74705SXin Lichar *rdar7817800_foobar();
969*67e74705SXin Livoid rdar7817800_qux(void*);
970*67e74705SXin Li
971*67e74705SXin Li@implementation Rdar7817800
972*67e74705SXin Li- (void) rdar7817800_baz {
973*67e74705SXin Li  if (x)
974*67e74705SXin Li    rdar7817800_qux(x);
975*67e74705SXin Li  x = rdar7817800_foobar();
976*67e74705SXin Li  // Previously this triggered a bogus null dereference warning.
977*67e74705SXin Li  x[1] = 'a'; // no-warning
978*67e74705SXin Li}
979*67e74705SXin Li@end
980*67e74705SXin Li
981*67e74705SXin Li// PR 6036 - This test case triggered a crash inside StoreManager::CastRegion because the size
982*67e74705SXin Li// of 'unsigned long (*)[0]' is 0.
983*67e74705SXin Listruct pr6036_a { int pr6036_b; };
984*67e74705SXin Listruct pr6036_c;
985*67e74705SXin Livoid u132monitk (struct pr6036_c *pr6036_d) {
986*67e74705SXin Li  (void) ((struct pr6036_a *) (unsigned long (*)[0]) ((char *) pr6036_d - 1))->pr6036_b; // expected-warning{{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption}}
987*67e74705SXin Li}
988*67e74705SXin Li
989*67e74705SXin Li// <rdar://problem/7813989> - ?-expressions used as a base of a member expression should be treated as an lvalue
990*67e74705SXin Litypedef struct rdar7813989_NestedVal { int w; } rdar7813989_NestedVal;
991*67e74705SXin Litypedef struct rdar7813989_Val { rdar7813989_NestedVal nv; } rdar7813989_Val;
992*67e74705SXin Li
993*67e74705SXin Liint rdar7813989(int x, rdar7813989_Val *a, rdar7813989_Val *b) {
994*67e74705SXin Li  // This previously crashed with an assertion failure.
995*67e74705SXin Li  int z = (x ? a->nv : b->nv).w;
996*67e74705SXin Li  return z + 1;
997*67e74705SXin Li}
998*67e74705SXin Li
999*67e74705SXin Li// PR 6844 - Don't crash on vaarg expression.
1000*67e74705SXin Litypedef __builtin_va_list va_list;
1001*67e74705SXin Livoid map(int srcID, ...) {
1002*67e74705SXin Li  va_list ap;
1003*67e74705SXin Li  int i;
1004*67e74705SXin Li  for (i = 0; i < srcID; i++) {
1005*67e74705SXin Li    int v = __builtin_va_arg(ap, int);
1006*67e74705SXin Li  }
1007*67e74705SXin Li}
1008*67e74705SXin Li
1009*67e74705SXin Li// PR 6854 - crash when casting symbolic memory address to a float
1010*67e74705SXin Li// Handle casting from a symbolic region to a 'float'.  This isn't
1011*67e74705SXin Li// really all that intelligent, but previously this caused a crash
1012*67e74705SXin Li// in SimpleSValuator.
1013*67e74705SXin Livoid pr6854(void * arg) {
1014*67e74705SXin Li  void * a = arg;
1015*67e74705SXin Li  *(void**)a = arg;
1016*67e74705SXin Li  float f = *(float*) a;
1017*67e74705SXin Li}
1018*67e74705SXin Li
1019*67e74705SXin Li// <rdar://problem/8032791> False positive due to symbolic store not find
1020*67e74705SXin Li//  value because of 'const' qualifier
1021*67e74705SXin Lidouble rdar_8032791_2();
1022*67e74705SXin Lidouble rdar_8032791_1() {
1023*67e74705SXin Li   struct R8032791 { double x[2]; double y; }
1024*67e74705SXin Li   data[3] = {
1025*67e74705SXin Li     {{1.0, 3.0}, 3.0},  //  1   2   3
1026*67e74705SXin Li     {{1.0, 1.0}, 0.0},  // 1 1 2 2 3 3
1027*67e74705SXin Li     {{1.0, 3.0}, 1.0}   //    1   2   3
1028*67e74705SXin Li   };
1029*67e74705SXin Li
1030*67e74705SXin Li   double x = 0.0;
1031*67e74705SXin Li   for (unsigned i = 0 ; i < 3; i++) {
1032*67e74705SXin Li     const struct R8032791 *p = &data[i];
1033*67e74705SXin Li     x += p->y + rdar_8032791_2(); // no-warning
1034*67e74705SXin Li   }
1035*67e74705SXin Li   return x;
1036*67e74705SXin Li}
1037*67e74705SXin Li
1038*67e74705SXin Li// PR 7450 - Handle pointer arithmetic with __builtin_alloca
1039*67e74705SXin Livoid pr_7450_aux(void *x);
1040*67e74705SXin Livoid pr_7450() {
1041*67e74705SXin Li  void *p = __builtin_alloca(10);
1042*67e74705SXin Li  // Don't crash when analyzing the following statement.
1043*67e74705SXin Li  pr_7450_aux(p + 8);
1044*67e74705SXin Li}
1045*67e74705SXin Li
1046*67e74705SXin Li// <rdar://problem/8243408> - Symbolicate struct values returned by value.
1047*67e74705SXin Listruct s_rdar_8243408 { int x; };
1048*67e74705SXin Liextern struct s_rdar_8243408 rdar_8243408_aux(void);
1049*67e74705SXin Livoid rdar_8243408(void) {
1050*67e74705SXin Li  struct s_rdar_8243408 a = { 1 }, *b = 0;
1051*67e74705SXin Li  while (a.x && !b)
1052*67e74705SXin Li    a = rdar_8243408_aux();
1053*67e74705SXin Li
1054*67e74705SXin Li  // Previously there was a false error here with 'b' being null.
1055*67e74705SXin Li  (void) (a.x && b->x); // no-warning
1056*67e74705SXin Li
1057*67e74705SXin Li  // Introduce a null deref to ensure we are checking this path.
1058*67e74705SXin Li  int *p = 0;
1059*67e74705SXin Li  *p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}}
1060*67e74705SXin Li}
1061*67e74705SXin Li
1062*67e74705SXin Li// <rdar://problem/8258814>
1063*67e74705SXin Liint r8258814()
1064*67e74705SXin Li{
1065*67e74705SXin Li  int foo;
1066*67e74705SXin Li  int * a = &foo;
1067*67e74705SXin Li  a[0] = 10;
1068*67e74705SXin Li  // Do not warn that the value of 'foo' is uninitialized.
1069*67e74705SXin Li  return foo; // no-warning
1070*67e74705SXin Li}
1071*67e74705SXin Li
1072*67e74705SXin Li// PR 8052 - Don't crash when reasoning about loads from a function address.\n
1073*67e74705SXin Litypedef unsigned int __uint32_t;
1074*67e74705SXin Litypedef unsigned long vm_offset_t;
1075*67e74705SXin Litypedef __uint32_t pd_entry_t;
1076*67e74705SXin Litypedef unsigned char u_char;
1077*67e74705SXin Litypedef unsigned int u_int;
1078*67e74705SXin Litypedef unsigned long u_long;
1079*67e74705SXin Liextern int      bootMP_size;
1080*67e74705SXin Livoid            bootMP(void);
1081*67e74705SXin Listatic void
1082*67e74705SXin Lipr8052(u_int boot_addr)
1083*67e74705SXin Li{
1084*67e74705SXin Li    int             x;
1085*67e74705SXin Li    int             size = *(int *) ((u_long) & bootMP_size);
1086*67e74705SXin Li    u_char         *src = (u_char *) ((u_long) bootMP);
1087*67e74705SXin Li    u_char         *dst = (u_char *) boot_addr + ((vm_offset_t) ((((((((1 <<
1088*67e74705SXin Li12) / (sizeof(pd_entry_t))) - 1) - 1) - (260 - 2))) << 22) | ((0) << 12)));
1089*67e74705SXin Li#ifdef TEST_64
1090*67e74705SXin Li// expected-warning@-3 {{cast to 'u_char *' (aka 'unsigned char *') from smaller integer type 'u_int' (aka 'unsigned int')}}
1091*67e74705SXin Li#endif
1092*67e74705SXin Li    for (x = 0;
1093*67e74705SXin Li         x < size;
1094*67e74705SXin Li         ++x)
1095*67e74705SXin Li        *dst++ = *src++;
1096*67e74705SXin Li}
1097*67e74705SXin Li
1098*67e74705SXin Li// PR 8015 - don't return undefined values for arrays when using a valid
1099*67e74705SXin Li// symbolic index
1100*67e74705SXin Liint pr8015_A();
1101*67e74705SXin Livoid pr8015_B(const char *);
1102*67e74705SXin Li
1103*67e74705SXin Livoid pr8015_C() {
1104*67e74705SXin Li  int number = pr8015_A();
1105*67e74705SXin Li  const char *numbers[] = { "zero" };
1106*67e74705SXin Li  if (number == 0) {
1107*67e74705SXin Li      pr8015_B(numbers[number]); // no-warning
1108*67e74705SXin Li  }
1109*67e74705SXin Li}
1110*67e74705SXin Li
1111*67e74705SXin Li// Tests that we correctly handle that 'number' is perfectly constrained
1112*67e74705SXin Li// after 'if (nunber == 0)', allowing us to resolve that
1113*67e74705SXin Li// numbers[number] == numbers[0].
1114*67e74705SXin Livoid pr8015_D_FIXME() {
1115*67e74705SXin Li  int number = pr8015_A();
1116*67e74705SXin Li  const char *numbers[] = { "zero" };
1117*67e74705SXin Li  if (number == 0) {
1118*67e74705SXin Li    if (numbers[number] == numbers[0])
1119*67e74705SXin Li      return;
1120*67e74705SXin Li    // Unreachable.
1121*67e74705SXin Li    int *p = 0;
1122*67e74705SXin Li    *p = 0xDEADBEEF; // no-warnng
1123*67e74705SXin Li  }
1124*67e74705SXin Li}
1125*67e74705SXin Li
1126*67e74705SXin Livoid pr8015_E() {
1127*67e74705SXin Li  // Similar to pr8015_C, but number is allowed to be a valid range.
1128*67e74705SXin Li  unsigned number = pr8015_A();
1129*67e74705SXin Li  const char *numbers[] = { "zero", "one", "two" };
1130*67e74705SXin Li  if (number < 3) {
1131*67e74705SXin Li    pr8015_B(numbers[number]); // no-warning
1132*67e74705SXin Li  }
1133*67e74705SXin Li}
1134*67e74705SXin Li
1135*67e74705SXin Livoid pr8015_F_FIXME() {
1136*67e74705SXin Li  // Similar to pr8015_E, but like pr8015_D we check if the pointer
1137*67e74705SXin Li  // is the same as one of the string literals.  The null dereference
1138*67e74705SXin Li  // here is not feasible in practice, so this is a false positive.
1139*67e74705SXin Li  int number = pr8015_A();
1140*67e74705SXin Li  const char *numbers[] = { "zero", "one", "two" };
1141*67e74705SXin Li  if (number < 3) {
1142*67e74705SXin Li    const char *p = numbers[number];
1143*67e74705SXin Li    if (p == numbers[0] || p == numbers[1] || p == numbers[2])
1144*67e74705SXin Li      return;
1145*67e74705SXin Li    int *q = 0;
1146*67e74705SXin Li    *q = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}}
1147*67e74705SXin Li  }
1148*67e74705SXin Li}
1149*67e74705SXin Li
1150*67e74705SXin Li// PR 8141.  Previously the statement expression in the for loop caused
1151*67e74705SXin Li// the CFG builder to crash.
1152*67e74705SXin Listruct list_pr8141
1153*67e74705SXin Li{
1154*67e74705SXin Li  struct list_pr8141 *tail;
1155*67e74705SXin Li};
1156*67e74705SXin Li
1157*67e74705SXin Listruct list_pr8141 *
1158*67e74705SXin Lipr8141 (void) {
1159*67e74705SXin Li  struct list_pr8141 *items;
1160*67e74705SXin Li  for (;; items = ({ do { } while (0); items->tail; })) // expected-warning{{Dereference of undefined pointer value}}
1161*67e74705SXin Li    {
1162*67e74705SXin Li    }
1163*67e74705SXin Li}
1164*67e74705SXin Li
1165*67e74705SXin Li// Don't crash when building the CFG.
1166*67e74705SXin Livoid do_not_crash(int x) {
1167*67e74705SXin Li  while (x - ({do {} while (0); x; })) {
1168*67e74705SXin Li  }
1169*67e74705SXin Li}
1170*67e74705SXin Li
1171*67e74705SXin Li// <rdar://problem/8424269> - Handle looking at the size of a VLA in
1172*67e74705SXin Li// ArrayBoundChecker.  Nothing intelligent (yet); just don't crash.
1173*67e74705SXin Litypedef struct RDar8424269_A {
1174*67e74705SXin Li  int RDar8424269_C;
1175*67e74705SXin Li} RDar8424269_A;
1176*67e74705SXin Listatic void RDar8424269_B(RDar8424269_A *p, unsigned char *RDar8424269_D,
1177*67e74705SXin Li                          const unsigned char *RDar8424269_E, int RDar8424269_F,
1178*67e74705SXin Li    int b_w, int b_h, int dx, int dy) {
1179*67e74705SXin Li  int x, y, b, r, l;
1180*67e74705SXin Li  unsigned char tmp2t[3][RDar8424269_F * (32 + 8)];
1181*67e74705SXin Li  unsigned char *tmp2 = tmp2t[0];
1182*67e74705SXin Li  if (p && !p->RDar8424269_C)
1183*67e74705SXin Li    b = 15;
1184*67e74705SXin Li  tmp2 = tmp2t[1];
1185*67e74705SXin Li  if (b & 2) { // expected-warning{{The left operand of '&' is a garbage value}}
1186*67e74705SXin Li    for (y = 0; y < b_h; y++) {
1187*67e74705SXin Li      for (x = 0; x < b_w + 1; x++) {
1188*67e74705SXin Li        int am = 0;
1189*67e74705SXin Li        tmp2[x] = am;
1190*67e74705SXin Li      }
1191*67e74705SXin Li    }
1192*67e74705SXin Li  }
1193*67e74705SXin Li  tmp2 = tmp2t[2];
1194*67e74705SXin Li}
1195*67e74705SXin Li
1196*67e74705SXin Li// <rdar://problem/8642434> - Handle transparent unions with the NonNullParamChecker.
1197*67e74705SXin Litypedef union {
1198*67e74705SXin Li  struct rdar_8642434_typeA *_dq;
1199*67e74705SXin Li}
1200*67e74705SXin Lirdar_8642434_typeB __attribute__((transparent_union));
1201*67e74705SXin Li
1202*67e74705SXin Li__attribute__((visibility("default"))) __attribute__((__nonnull__)) __attribute__((__nothrow__))
1203*67e74705SXin Livoid rdar_8642434_funcA(rdar_8642434_typeB object);
1204*67e74705SXin Li
1205*67e74705SXin Livoid rdar_8642434_funcB(struct rdar_8642434_typeA *x, struct rdar_8642434_typeA *y) {
1206*67e74705SXin Li  rdar_8642434_funcA(x);
1207*67e74705SXin Li  if (!y)
1208*67e74705SXin Li    rdar_8642434_funcA(y); // expected-warning{{Null pointer passed as an argument to a 'nonnull' parameter}}
1209*67e74705SXin Li}
1210*67e74705SXin Li
1211*67e74705SXin Li// <rdar://problem/8848957> - Handle loads and stores from a symbolic index
1212*67e74705SXin Li// into array without warning about an uninitialized value being returned.
1213*67e74705SXin Li// While RegionStore can't fully reason about this example, it shouldn't
1214*67e74705SXin Li// warn here either.
1215*67e74705SXin Litypedef struct s_test_rdar8848957 {
1216*67e74705SXin Li  int x, y, z;
1217*67e74705SXin Li} s_test_rdar8848957;
1218*67e74705SXin Li
1219*67e74705SXin Lis_test_rdar8848957 foo_rdar8848957();
1220*67e74705SXin Liint rdar8848957(int index) {
1221*67e74705SXin Li  s_test_rdar8848957 vals[10];
1222*67e74705SXin Li  vals[index] = foo_rdar8848957();
1223*67e74705SXin Li  return vals[index].x; // no-warning
1224*67e74705SXin Li}
1225*67e74705SXin Li
1226*67e74705SXin Li// PR 9049 - crash on symbolicating unions.  This test exists solely to
1227*67e74705SXin Li// test that the analyzer doesn't crash.
1228*67e74705SXin Litypedef struct pr9048_cdev *pr9048_cdev_t;
1229*67e74705SXin Litypedef union pr9048_abstracted_disklabel { void *opaque; } pr9048_disklabel_t;
1230*67e74705SXin Listruct pr9048_diskslice { pr9048_disklabel_t ds_label; };
1231*67e74705SXin Listruct pr9048_diskslices {
1232*67e74705SXin Li  int dss_secmult;
1233*67e74705SXin Li  struct pr9048_diskslice dss_slices[16];
1234*67e74705SXin Li};
1235*67e74705SXin Livoid pr9048(pr9048_cdev_t dev, struct pr9048_diskslices * ssp, unsigned int slice)
1236*67e74705SXin Li{
1237*67e74705SXin Li  pr9048_disklabel_t     lp;
1238*67e74705SXin Li  struct pr9048_diskslice *sp;
1239*67e74705SXin Li  sp = &ssp->dss_slices[slice];
1240*67e74705SXin Li  if (ssp->dss_secmult == 1) {
1241*67e74705SXin Li  } else if ((lp = sp->ds_label).opaque != ((void *) 0)) {
1242*67e74705SXin Li  }
1243*67e74705SXin Li}
1244*67e74705SXin Li
1245*67e74705SXin Li// Test Store reference counting in the presence of Lazy compound values.
1246*67e74705SXin Li// This previously caused an infinite recursion.
1247*67e74705SXin Litypedef struct {} Rdar_9103310_A;
1248*67e74705SXin Litypedef struct Rdar_9103310_B Rdar_9103310_B_t;
1249*67e74705SXin Listruct Rdar_9103310_B {
1250*67e74705SXin Li  unsigned char           Rdar_9103310_C[101];
1251*67e74705SXin Li};
1252*67e74705SXin Livoid Rdar_9103310_E(Rdar_9103310_A * x, struct Rdar_9103310_C * b) { // expected-warning {{declaration of 'struct Rdar_9103310_C' will not be visible outside of this function}}
1253*67e74705SXin Li  char Rdar_9103310_D[4][4] = { "a", "b", "c", "d"};
1254*67e74705SXin Li  int i;
1255*67e74705SXin Li  Rdar_9103310_B_t *y = (Rdar_9103310_B_t *) x;
1256*67e74705SXin Li  for (i = 0; i < 101; i++) {
1257*67e74705SXin Li    Rdar_9103310_F(b, "%2d%s ", (y->Rdar_9103310_C[i]) / 4, Rdar_9103310_D[(y->Rdar_9103310_C[i]) % 4]); // expected-warning {{implicit declaration of function 'Rdar_9103310_F' is invalid in C99}}
1258*67e74705SXin Li  }
1259*67e74705SXin Li}
1260*67e74705SXin Li
1261*67e74705SXin Li// Test handling binding lazy compound values to a region and then have
1262*67e74705SXin Li// specific elements have other bindings.
1263*67e74705SXin Liint PR9455() {
1264*67e74705SXin Li  char arr[4] = "000";
1265*67e74705SXin Li  arr[0] = '1';
1266*67e74705SXin Li  if (arr[1] == '0')
1267*67e74705SXin Li    return 1;
1268*67e74705SXin Li  int *p = 0;
1269*67e74705SXin Li  *p = 0xDEADBEEF; // no-warning
1270*67e74705SXin Li  return 1;
1271*67e74705SXin Li}
1272*67e74705SXin Liint PR9455_2() {
1273*67e74705SXin Li  char arr[4] = "000";
1274*67e74705SXin Li  arr[0] = '1';
1275*67e74705SXin Li  if (arr[1] == '0') {
1276*67e74705SXin Li    int *p = 0;
1277*67e74705SXin Li    *p = 0xDEADBEEF; // expected-warning {{null}}
1278*67e74705SXin Li  }
1279*67e74705SXin Li  return 1;
1280*67e74705SXin Li}
1281*67e74705SXin Li
1282*67e74705SXin Li// Test initialization of substructs via lazy compound values.
1283*67e74705SXin Litypedef float RDar9163742_Float;
1284*67e74705SXin Li
1285*67e74705SXin Litypedef struct {
1286*67e74705SXin Li    RDar9163742_Float x, y;
1287*67e74705SXin Li} RDar9163742_Point;
1288*67e74705SXin Litypedef struct {
1289*67e74705SXin Li    RDar9163742_Float width, height;
1290*67e74705SXin Li} RDar9163742_Size;
1291*67e74705SXin Litypedef struct {
1292*67e74705SXin Li    RDar9163742_Point origin;
1293*67e74705SXin Li    RDar9163742_Size size;
1294*67e74705SXin Li} RDar9163742_Rect;
1295*67e74705SXin Li
1296*67e74705SXin Liextern  RDar9163742_Rect RDar9163742_RectIntegral(RDar9163742_Rect);
1297*67e74705SXin Li
1298*67e74705SXin LiRDar9163742_Rect RDar9163742_IntegralRect(RDar9163742_Rect frame)
1299*67e74705SXin Li{
1300*67e74705SXin Li    RDar9163742_Rect integralFrame;
1301*67e74705SXin Li    integralFrame.origin.x = frame.origin.x;
1302*67e74705SXin Li    integralFrame.origin.y = frame.origin.y;
1303*67e74705SXin Li    integralFrame.size = frame.size;
1304*67e74705SXin Li    return RDar9163742_RectIntegral(integralFrame); // no-warning; all fields initialized
1305*67e74705SXin Li}
1306*67e74705SXin Li
1307*67e74705SXin Li// Test correct handling of prefix '--' operator.
1308*67e74705SXin Livoid rdar9444714() {
1309*67e74705SXin Li  int   x;
1310*67e74705SXin Li  char    str[ 32 ];
1311*67e74705SXin Li  char    buf[ 32 ];
1312*67e74705SXin Li  char *  dst;
1313*67e74705SXin Li  char *  ptr;
1314*67e74705SXin Li
1315*67e74705SXin Li  x = 1234;
1316*67e74705SXin Li  dst = str;
1317*67e74705SXin Li  ptr = buf;
1318*67e74705SXin Li  do
1319*67e74705SXin Li  {
1320*67e74705SXin Li    *ptr++ = (char)( '0' + ( x % 10 ) );
1321*67e74705SXin Li    x /= 10;
1322*67e74705SXin Li  } while( x > 0 );
1323*67e74705SXin Li
1324*67e74705SXin Li  while( ptr > buf )
1325*67e74705SXin Li  {
1326*67e74705SXin Li    *dst++ = *( --( ptr ) ); // no-warning
1327*67e74705SXin Li  }
1328*67e74705SXin Li  *dst = '\0';
1329*67e74705SXin Li}
1330*67e74705SXin Li
1331*67e74705SXin Li// Test handling symbolic elements with field accesses.
1332*67e74705SXin Li// <rdar://problem/11127008>
1333*67e74705SXin Litypedef struct {
1334*67e74705SXin Li    unsigned value;
1335*67e74705SXin Li} RDar11127008;
1336*67e74705SXin Li
1337*67e74705SXin Lisigned rdar_11127008_index();
1338*67e74705SXin Li
1339*67e74705SXin Listatic unsigned rdar_11127008(void) {
1340*67e74705SXin Li    RDar11127008 values[] = {{.value = 0}, {.value = 1}};
1341*67e74705SXin Li    signed index = rdar_11127008_index();
1342*67e74705SXin Li    if (index < 0) return 0;
1343*67e74705SXin Li    if (index >= 2) return 0;
1344*67e74705SXin Li    return values[index].value;
1345*67e74705SXin Li}
1346*67e74705SXin Li
1347*67e74705SXin Li// Test handling invalidating arrays passed to a block via captured
1348*67e74705SXin Li// pointer value (not a __block variable).
1349*67e74705SXin Litypedef void (^radar11125868_cb)(int *, unsigned);
1350*67e74705SXin Li
1351*67e74705SXin Livoid rdar11125868_aux(radar11125868_cb cb);
1352*67e74705SXin Li
1353*67e74705SXin Liint rdar11125868() {
1354*67e74705SXin Li  int integersStackArray[1];
1355*67e74705SXin Li  int *integers = integersStackArray;
1356*67e74705SXin Li  rdar11125868_aux(^(int *integerValue, unsigned index) {
1357*67e74705SXin Li      integers[index] = integerValue[index];
1358*67e74705SXin Li    });
1359*67e74705SXin Li  return integers[0] == 0; // no-warning
1360*67e74705SXin Li}
1361*67e74705SXin Li
1362*67e74705SXin Liint rdar11125868_positive() {
1363*67e74705SXin Li  int integersStackArray[1];
1364*67e74705SXin Li  int *integers = integersStackArray;
1365*67e74705SXin Li  return integers[0] == 0; // expected-warning {{The left operand of '==' is a}}
1366*67e74705SXin Li}
1367