1*67e74705SXin Li// NOTE: Use '-fobjc-gc' to test the analysis being run twice, and multiple reports are not issued. 2*67e74705SXin Li// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-checker=core,alpha.core,osx.cocoa.AtSync -analyzer-store=region -analyzer-constraints=range -verify -fblocks -Wno-unreachable-code -Wno-null-dereference -Wno-objc-root-class %s 3*67e74705SXin Li// RUN: %clang_cc1 -triple x86_64-apple-darwin10 -analyze -analyzer-checker=core,alpha.core,osx.cocoa.AtSync -analyzer-store=region -analyzer-constraints=range -verify -fblocks -Wno-unreachable-code -Wno-null-dereference -Wno-objc-root-class %s 4*67e74705SXin Li 5*67e74705SXin Li#ifndef __clang_analyzer__ 6*67e74705SXin Li#error __clang_analyzer__ not defined 7*67e74705SXin Li#endif 8*67e74705SXin Li 9*67e74705SXin Litypedef struct objc_ivar *Ivar; 10*67e74705SXin Litypedef struct objc_selector *SEL; 11*67e74705SXin Litypedef signed char BOOL; 12*67e74705SXin Litypedef int NSInteger; 13*67e74705SXin Litypedef unsigned int NSUInteger; 14*67e74705SXin Litypedef struct _NSZone NSZone; 15*67e74705SXin Li@class NSInvocation, NSArray, NSMethodSignature, NSCoder, NSString, NSEnumerator; 16*67e74705SXin Li@protocol NSObject 17*67e74705SXin Li- (BOOL)isEqual:(id)object; 18*67e74705SXin Li- (id)autorelease; 19*67e74705SXin Li@end 20*67e74705SXin Li@protocol NSCopying 21*67e74705SXin Li- (id)copyWithZone:(NSZone *)zone; 22*67e74705SXin Li@end 23*67e74705SXin Li@protocol NSMutableCopying - (id)mutableCopyWithZone:(NSZone *)zone; @end 24*67e74705SXin Li@protocol NSCoding 25*67e74705SXin Li- (void)encodeWithCoder:(NSCoder *)aCoder; 26*67e74705SXin Li@end 27*67e74705SXin Li@interface NSObject <NSObject> {} 28*67e74705SXin Li- (id)init; 29*67e74705SXin Li+ (id)allocWithZone:(NSZone *)zone; 30*67e74705SXin Li@end 31*67e74705SXin Liextern id NSAllocateObject(Class aClass, NSUInteger extraBytes, NSZone *zone); 32*67e74705SXin Li@interface NSString : NSObject <NSCopying, NSMutableCopying, NSCoding> 33*67e74705SXin Li- (NSUInteger)length; 34*67e74705SXin Li+ (id)stringWithUTF8String:(const char *)nullTerminatedCString; 35*67e74705SXin Li@end extern NSString * const NSBundleDidLoadNotification; 36*67e74705SXin Li@interface NSValue : NSObject <NSCopying, NSCoding> 37*67e74705SXin Li- (void)getValue:(void *)value; 38*67e74705SXin Li@end 39*67e74705SXin Li@interface NSNumber : NSValue 40*67e74705SXin Li- (char)charValue; 41*67e74705SXin Li- (id)initWithBool:(BOOL)value; 42*67e74705SXin Li@end 43*67e74705SXin Li@interface NSAssertionHandler : NSObject {} 44*67e74705SXin Li+ (NSAssertionHandler *)currentHandler; 45*67e74705SXin Li- (void)handleFailureInMethod:(SEL)selector object:(id)object file:(NSString *)fileName lineNumber:(NSInteger)line description:(NSString *)format,...; 46*67e74705SXin Li@end 47*67e74705SXin Liextern NSString * const NSConnectionReplyMode; 48*67e74705SXin Litypedef float CGFloat; 49*67e74705SXin Litypedef struct _NSPoint { 50*67e74705SXin Li CGFloat x; 51*67e74705SXin Li CGFloat y; 52*67e74705SXin Li} NSPoint; 53*67e74705SXin Litypedef struct _NSSize { 54*67e74705SXin Li CGFloat width; 55*67e74705SXin Li CGFloat height; 56*67e74705SXin Li} NSSize; 57*67e74705SXin Litypedef struct _NSRect { 58*67e74705SXin Li NSPoint origin; 59*67e74705SXin Li NSSize size; 60*67e74705SXin Li} NSRect; 61*67e74705SXin Li 62*67e74705SXin Li// Reduced test case from crash in <rdar://problem/6253157> 63*67e74705SXin Li@interface A @end 64*67e74705SXin Li@implementation A 65*67e74705SXin Li- (void)foo:(void (^)(NSObject *x))block { 66*67e74705SXin Li if (!((block != ((void *)0)))) {} 67*67e74705SXin Li} 68*67e74705SXin Li@end 69*67e74705SXin Li 70*67e74705SXin Li// Reduced test case from crash in PR 2796; 71*67e74705SXin Li// http://llvm.org/bugs/show_bug.cgi?id=2796 72*67e74705SXin Li 73*67e74705SXin Liunsigned foo(unsigned x) { return __alignof__((x)) + sizeof(x); } 74*67e74705SXin Li 75*67e74705SXin Li// Improvement to path-sensitivity involving compound assignments. 76*67e74705SXin Li// Addresses false positive in <rdar://problem/6268365> 77*67e74705SXin Li// 78*67e74705SXin Li 79*67e74705SXin Liunsigned r6268365Aux(); 80*67e74705SXin Li 81*67e74705SXin Livoid r6268365() { 82*67e74705SXin Li unsigned x = 0; 83*67e74705SXin Li x &= r6268365Aux(); 84*67e74705SXin Li unsigned j = 0; 85*67e74705SXin Li 86*67e74705SXin Li if (x == 0) ++j; 87*67e74705SXin Li if (x == 0) x = x / j; 88*67e74705SXin Li} 89*67e74705SXin Li 90*67e74705SXin Livoid divzeroassume(unsigned x, unsigned j) { 91*67e74705SXin Li x /= j; 92*67e74705SXin Li if (j == 0) x /= 0; // no static-analyzer warning expected-warning {{division by zero is undefined}} 93*67e74705SXin Li if (j == 0) x /= j; // no static-analyzer warning 94*67e74705SXin Li if (j == 0) x = x / 0; // no static-analyzer warning expected-warning {{division by zero is undefined}} 95*67e74705SXin Li} 96*67e74705SXin Li 97*67e74705SXin Livoid divzeroassumeB(unsigned x, unsigned j) { 98*67e74705SXin Li x = x / j; 99*67e74705SXin Li if (j == 0) x /= 0; // no static-analyzer warning expected-warning {{division by zero is undefined}} 100*67e74705SXin Li if (j == 0) x /= j; // no static-analyzer warning 101*67e74705SXin Li if (j == 0) x = x / 0; // no static-analyzer warning expected-warning {{division by zero is undefined}} 102*67e74705SXin Li} 103*67e74705SXin Li 104*67e74705SXin Li// InitListExpr processing 105*67e74705SXin Li 106*67e74705SXin Litypedef float __m128 __attribute__((__vector_size__(16), __may_alias__)); 107*67e74705SXin Li__m128 return128() { 108*67e74705SXin Li // This compound literal has a Vector type. We currently just 109*67e74705SXin Li // return UnknownVal. 110*67e74705SXin Li return __extension__(__m128) { 0.0f, 0.0f, 0.0f, 0.0f }; 111*67e74705SXin Li} 112*67e74705SXin Li 113*67e74705SXin Litypedef long long __v2di __attribute__ ((__vector_size__ (16))); 114*67e74705SXin Litypedef long long __m128i __attribute__ ((__vector_size__ (16), __may_alias__)); 115*67e74705SXin Li__m128i vec128i(long long __q1, long long __q0) { 116*67e74705SXin Li // This compound literal returns true for both isVectorType() and 117*67e74705SXin Li // isIntegerType(). 118*67e74705SXin Li return __extension__ (__m128i)(__v2di){ __q0, __q1 }; 119*67e74705SXin Li} 120*67e74705SXin Li 121*67e74705SXin Li// sizeof(void) 122*67e74705SXin Li// - Tests a regression reported in PR 3211: http://llvm.org/bugs/show_bug.cgi?id=3211 123*67e74705SXin Livoid handle_sizeof_void(unsigned flag) { 124*67e74705SXin Li int* p = 0; 125*67e74705SXin Li 126*67e74705SXin Li if (flag) { 127*67e74705SXin Li if (sizeof(void) == 1) 128*67e74705SXin Li return; 129*67e74705SXin Li // Infeasible. 130*67e74705SXin Li *p = 1; // no-warning 131*67e74705SXin Li } 132*67e74705SXin Li 133*67e74705SXin Li void* q; 134*67e74705SXin Li 135*67e74705SXin Li if (!flag) { 136*67e74705SXin Li if (sizeof(*q) == 1) 137*67e74705SXin Li return; 138*67e74705SXin Li // Infeasibe. 139*67e74705SXin Li *p = 1; // no-warning 140*67e74705SXin Li } 141*67e74705SXin Li 142*67e74705SXin Li // Infeasible. 143*67e74705SXin Li *p = 1; // no-warning 144*67e74705SXin Li} 145*67e74705SXin Li 146*67e74705SXin Li// check deference of undefined values 147*67e74705SXin Livoid check_deref_undef(void) { 148*67e74705SXin Li int *p; 149*67e74705SXin Li *p = 0xDEADBEEF; // expected-warning{{Dereference of undefined pointer value}} 150*67e74705SXin Li} 151*67e74705SXin Li 152*67e74705SXin Li// PR 3422 153*67e74705SXin Livoid pr3422_helper(char *p); 154*67e74705SXin Livoid pr3422() { 155*67e74705SXin Li char buf[100]; 156*67e74705SXin Li char *q = &buf[10]; 157*67e74705SXin Li pr3422_helper(&q[1]); 158*67e74705SXin Li} 159*67e74705SXin Li 160*67e74705SXin Li// PR 3543 (handle empty statement expressions) 161*67e74705SXin Livoid pr_3543(void) { 162*67e74705SXin Li ({}); 163*67e74705SXin Li} 164*67e74705SXin Li 165*67e74705SXin Li// <rdar://problem/6611677> 166*67e74705SXin Li// This test case test the use of a vector type within an array subscript 167*67e74705SXin Li// expression. 168*67e74705SXin Litypedef long long __a64vector __attribute__((__vector_size__(8))); 169*67e74705SXin Litypedef long long __a128vector __attribute__((__vector_size__(16))); 170*67e74705SXin Listatic inline __a64vector __attribute__((__always_inline__, __nodebug__)) 171*67e74705SXin Limy_test_mm_movepi64_pi64(__a128vector a) { 172*67e74705SXin Li return (__a64vector)a[0]; 173*67e74705SXin Li} 174*67e74705SXin Li 175*67e74705SXin Li// Test basic tracking of ivars associated with 'self'. 176*67e74705SXin Li@interface SelfIvarTest : NSObject { 177*67e74705SXin Li int flag; 178*67e74705SXin Li} 179*67e74705SXin Li- (void)test_self_tracking; 180*67e74705SXin Li@end 181*67e74705SXin Li 182*67e74705SXin Li@implementation SelfIvarTest 183*67e74705SXin Li- (void)test_self_tracking { 184*67e74705SXin Li char *p = 0; 185*67e74705SXin Li char c; 186*67e74705SXin Li 187*67e74705SXin Li if (flag) 188*67e74705SXin Li p = "hello"; 189*67e74705SXin Li 190*67e74705SXin Li if (flag) 191*67e74705SXin Li c = *p; // no-warning 192*67e74705SXin Li} 193*67e74705SXin Li@end 194*67e74705SXin Li 195*67e74705SXin Li// PR 3770 196*67e74705SXin Lichar pr3770(int x) { 197*67e74705SXin Li int y = x & 0x2; 198*67e74705SXin Li char *p = 0; 199*67e74705SXin Li if (y == 1) 200*67e74705SXin Li p = "hello"; 201*67e74705SXin Li 202*67e74705SXin Li if (y == 1) 203*67e74705SXin Li return p[0]; // no-warning 204*67e74705SXin Li 205*67e74705SXin Li return 'a'; 206*67e74705SXin Li} 207*67e74705SXin Li 208*67e74705SXin Li// PR 3772 209*67e74705SXin Li// - We just want to test that this doesn't crash the analyzer. 210*67e74705SXin Litypedef struct st ST; 211*67e74705SXin Listruct st { char *name; }; 212*67e74705SXin Liextern ST *Cur_Pu; 213*67e74705SXin Li 214*67e74705SXin Livoid pr3772(void) 215*67e74705SXin Li{ 216*67e74705SXin Li static ST *last_Cur_Pu; 217*67e74705SXin Li if (last_Cur_Pu == Cur_Pu) { 218*67e74705SXin Li return; 219*67e74705SXin Li } 220*67e74705SXin Li} 221*67e74705SXin Li 222*67e74705SXin Li// PR 3780 - This tests that StmtIterator isn't broken for VLAs in DeclGroups. 223*67e74705SXin Livoid pr3780(int sz) { typedef double MAT[sz][sz]; } 224*67e74705SXin Li 225*67e74705SXin Li// <rdar://problem/6695527> - Test that we don't symbolicate doubles before 226*67e74705SXin Li// we are ready to do something with them. 227*67e74705SXin Liint rdar6695527(double x) { 228*67e74705SXin Li if (!x) { return 0; } 229*67e74705SXin Li return 1; 230*67e74705SXin Li} 231*67e74705SXin Li 232*67e74705SXin Li// <rdar://problem/6708148> - Test that we properly invalidate structs 233*67e74705SXin Li// passed-by-reference to a function. 234*67e74705SXin Livoid pr6708148_invalidate(NSRect *x); 235*67e74705SXin Livoid pr6708148_use(NSRect x); 236*67e74705SXin Livoid pr6708148_test(void) { 237*67e74705SXin Li NSRect x; 238*67e74705SXin Li pr6708148_invalidate(&x); 239*67e74705SXin Li pr6708148_use(x); // no-warning 240*67e74705SXin Li} 241*67e74705SXin Li 242*67e74705SXin Li// Handle both kinds of noreturn attributes for pruning paths. 243*67e74705SXin Livoid rdar_6777003_noret() __attribute__((noreturn)); 244*67e74705SXin Livoid rdar_6777003_analyzer_noret() __attribute__((analyzer_noreturn)); 245*67e74705SXin Li 246*67e74705SXin Livoid rdar_6777003(int x) { 247*67e74705SXin Li int *p = 0; 248*67e74705SXin Li 249*67e74705SXin Li if (x == 1) { 250*67e74705SXin Li rdar_6777003_noret(); 251*67e74705SXin Li *p = 1; // no-warning; 252*67e74705SXin Li } 253*67e74705SXin Li 254*67e74705SXin Li if (x == 2) { 255*67e74705SXin Li rdar_6777003_analyzer_noret(); 256*67e74705SXin Li *p = 1; // no-warning; 257*67e74705SXin Li } 258*67e74705SXin Li 259*67e74705SXin Li *p = 1; // expected-warning{{Dereference of null pointer}} 260*67e74705SXin Li} 261*67e74705SXin Li 262*67e74705SXin Li// Check that the pointer-to-conts arguments do not get invalidated by Obj C 263*67e74705SXin Li// interfaces. radar://10595327 264*67e74705SXin Liint rdar_10595327(char *str) { 265*67e74705SXin Li char fl = str[0]; 266*67e74705SXin Li int *p = 0; 267*67e74705SXin Li NSString *s = [NSString stringWithUTF8String:str]; 268*67e74705SXin Li if (str[0] != fl) 269*67e74705SXin Li return *p; // no-warning 270*67e74705SXin Li return 0; 271*67e74705SXin Li} 272*67e74705SXin Li 273*67e74705SXin Li// For pointer arithmetic, --/++ should be treated as preserving non-nullness, 274*67e74705SXin Li// regardless of how well the underlying StoreManager reasons about pointer 275*67e74705SXin Li// arithmetic. 276*67e74705SXin Li// <rdar://problem/6777209> 277*67e74705SXin Livoid rdar_6777209(char *p) { 278*67e74705SXin Li if (p == 0) 279*67e74705SXin Li return; 280*67e74705SXin Li 281*67e74705SXin Li ++p; 282*67e74705SXin Li 283*67e74705SXin Li // This branch should always be infeasible. 284*67e74705SXin Li if (p == 0) 285*67e74705SXin Li *p = 'c'; // no-warning 286*67e74705SXin Li} 287*67e74705SXin Li 288*67e74705SXin Li// PR 4033. A symbolic 'void *' pointer can be used as the address for a 289*67e74705SXin Li// computed goto. 290*67e74705SXin Litypedef void *Opcode; 291*67e74705SXin LiOpcode pr_4033_getOpcode(); 292*67e74705SXin Livoid pr_4033(void) { 293*67e74705SXin Li void *lbl = &&next_opcode; 294*67e74705SXin Linext_opcode: 295*67e74705SXin Li { 296*67e74705SXin Li Opcode op = pr_4033_getOpcode(); 297*67e74705SXin Li if (op) goto *op; 298*67e74705SXin Li } 299*67e74705SXin Li} 300*67e74705SXin Li 301*67e74705SXin Li// Test invalidating pointers-to-pointers with slightly different types. This 302*67e74705SXin Li// example came from a recent false positive due to a regression where the 303*67e74705SXin Li// branch condition was falsely reported as being uninitialized. 304*67e74705SXin Livoid invalidate_by_ref(char **x); 305*67e74705SXin Liint test_invalidate_by_ref() { 306*67e74705SXin Li unsigned short y; 307*67e74705SXin Li invalidate_by_ref((char**) &y); 308*67e74705SXin Li if (y) // no-warning 309*67e74705SXin Li return 1; 310*67e74705SXin Li return 0; 311*67e74705SXin Li} 312*67e74705SXin Li 313*67e74705SXin Li// Test for <rdar://problem/7027684>. This just tests that the CFG is 314*67e74705SXin Li// constructed correctly. Previously, the successor block of the entrance 315*67e74705SXin Li// was the block containing the merge for '?', which would trigger an 316*67e74705SXin Li// assertion failure. 317*67e74705SXin Liint rdar_7027684_aux(); 318*67e74705SXin Liint rdar_7027684_aux_2() __attribute__((noreturn)); 319*67e74705SXin Livoid rdar_7027684(int x, int y) { 320*67e74705SXin Li {}; // this empty compound statement is critical. 321*67e74705SXin Li (rdar_7027684_aux() ? rdar_7027684_aux_2() : (void) 0); 322*67e74705SXin Li} 323*67e74705SXin Li 324*67e74705SXin Li// Test that we handle casts of string literals to arbitrary types. 325*67e74705SXin Liunsigned const char *string_literal_test1() { 326*67e74705SXin Li return (const unsigned char*) "hello"; 327*67e74705SXin Li} 328*67e74705SXin Li 329*67e74705SXin Liconst float *string_literal_test2() { 330*67e74705SXin Li return (const float*) "hello"; 331*67e74705SXin Li} 332*67e74705SXin Li 333*67e74705SXin Li// Test that we handle casts *from* incomplete struct types. 334*67e74705SXin Liextern const struct _FooAssertStruct _cmd; 335*67e74705SXin Livoid test_cast_from_incomplete_struct_aux(volatile const void *x); 336*67e74705SXin Livoid test_cast_from_incomplete_struct() { 337*67e74705SXin Li test_cast_from_incomplete_struct_aux(&_cmd); 338*67e74705SXin Li} 339*67e74705SXin Li 340*67e74705SXin Li// Test for <rdar://problem/7034511> 341*67e74705SXin Li// "ValueManager::makeIntVal(uint64_t X, QualType T) should return a 'Loc' 342*67e74705SXin Li// when 'T' is a pointer" 343*67e74705SXin Li// 344*67e74705SXin Li// Previously this case would crash. 345*67e74705SXin Livoid test_rdar_7034511(NSArray *y) { 346*67e74705SXin Li NSObject *x; 347*67e74705SXin Li for (x in y) {} 348*67e74705SXin Li if (x == ((void*) 0)) {} 349*67e74705SXin Li} 350*67e74705SXin Li 351*67e74705SXin Li// Handle casts of function pointers (CodeTextRegions) to arbitrary pointer 352*67e74705SXin Li// types. This was previously causing a crash in CastRegion. 353*67e74705SXin Livoid handle_funcptr_voidptr_casts() { 354*67e74705SXin Li void **ptr; 355*67e74705SXin Li typedef void *PVOID; 356*67e74705SXin Li typedef void *PCHAR; 357*67e74705SXin Li typedef long INT_PTR, *PINT_PTR; 358*67e74705SXin Li typedef INT_PTR (*FARPROC)(); 359*67e74705SXin Li FARPROC handle_funcptr_voidptr_casts_aux(); 360*67e74705SXin Li PVOID handle_funcptr_voidptr_casts_aux_2(PVOID volatile *x); 361*67e74705SXin Li PVOID handle_funcptr_voidptr_casts_aux_3(PCHAR volatile *x); 362*67e74705SXin Li 363*67e74705SXin Li ptr = (void**) handle_funcptr_voidptr_casts_aux(); 364*67e74705SXin Li handle_funcptr_voidptr_casts_aux_2(ptr); 365*67e74705SXin Li handle_funcptr_voidptr_casts_aux_3(ptr); 366*67e74705SXin Li} 367*67e74705SXin Li 368*67e74705SXin Li// RegionStore::Retrieve previously crashed on this example. This example 369*67e74705SXin Li// was previously in the test file 'xfail_regionstore_wine_crash.c'. 370*67e74705SXin Livoid testA() { 371*67e74705SXin Li long x = 0; 372*67e74705SXin Li char *y = (char *) &x; 373*67e74705SXin Li if (!*y) 374*67e74705SXin Li return; 375*67e74705SXin Li} 376*67e74705SXin Li 377*67e74705SXin Li// RegionStoreManager previously crashed on this example. The problem is that 378*67e74705SXin Li// the value bound to the field of b->grue after the call to testB_aux is 379*67e74705SXin Li// a symbolic region. The second '*__gruep__' involves performing a load 380*67e74705SXin Li// from a 'int*' that really is a 'void**'. The loaded location must be 381*67e74705SXin Li// implicitly converted to an integer that wraps a location. Previosly we would 382*67e74705SXin Li// get a crash here due to an assertion failure. 383*67e74705SXin Litypedef struct _BStruct { void *grue; } BStruct; 384*67e74705SXin Livoid testB_aux(void *ptr); 385*67e74705SXin Livoid testB(BStruct *b) { 386*67e74705SXin Li { 387*67e74705SXin Li int *__gruep__ = ((int *)&((b)->grue)); 388*67e74705SXin Li int __gruev__ = *__gruep__; 389*67e74705SXin Li testB_aux(__gruep__); 390*67e74705SXin Li } 391*67e74705SXin Li { 392*67e74705SXin Li int *__gruep__ = ((int *)&((b)->grue)); 393*67e74705SXin Li int __gruev__ = *__gruep__; 394*67e74705SXin Li if (~0 != __gruev__) {} 395*67e74705SXin Li } 396*67e74705SXin Li} 397*67e74705SXin Li 398*67e74705SXin Livoid test_trivial_symbolic_comparison(int *x) { 399*67e74705SXin Li int test_trivial_symbolic_comparison_aux(); 400*67e74705SXin Li int a = test_trivial_symbolic_comparison_aux(); 401*67e74705SXin Li int b = a; 402*67e74705SXin Li if (a != b) { 403*67e74705SXin Li int *p = 0; 404*67e74705SXin Li *p = 0xDEADBEEF; // no-warning 405*67e74705SXin Li } 406*67e74705SXin Li 407*67e74705SXin Li a = a == 1; 408*67e74705SXin Li b = b == 1; 409*67e74705SXin Li if (a != b) { 410*67e74705SXin Li int *p = 0; 411*67e74705SXin Li *p = 0xDEADBEEF; // no-warning 412*67e74705SXin Li } 413*67e74705SXin Li} 414*67e74705SXin Li 415*67e74705SXin Li// Test for: 416*67e74705SXin Li// <rdar://problem/7062158> false positive null dereference due to 417*67e74705SXin Li// BasicStoreManager not tracking *static* globals 418*67e74705SXin Li// 419*67e74705SXin Li// This just tests the proper tracking of symbolic values for globals (both 420*67e74705SXin Li// static and non-static). 421*67e74705SXin Li// 422*67e74705SXin Listatic int* x_rdar_7062158; 423*67e74705SXin Livoid rdar_7062158() { 424*67e74705SXin Li int *current = x_rdar_7062158; 425*67e74705SXin Li if (current == x_rdar_7062158) 426*67e74705SXin Li return; 427*67e74705SXin Li 428*67e74705SXin Li int *p = 0; 429*67e74705SXin Li *p = 0xDEADBEEF; // no-warning 430*67e74705SXin Li} 431*67e74705SXin Li 432*67e74705SXin Liint* x_rdar_7062158_2; 433*67e74705SXin Livoid rdar_7062158_2() { 434*67e74705SXin Li int *current = x_rdar_7062158_2; 435*67e74705SXin Li if (current == x_rdar_7062158_2) 436*67e74705SXin Li return; 437*67e74705SXin Li 438*67e74705SXin Li int *p = 0; 439*67e74705SXin Li *p = 0xDEADBEEF; // no-warning 440*67e74705SXin Li} 441*67e74705SXin Li 442*67e74705SXin Li// This test reproduces a case for a crash when analyzing ClamAV using 443*67e74705SXin Li// RegionStoreManager (the crash doesn't exhibit in BasicStoreManager because 444*67e74705SXin Li// it isn't doing anything smart about arrays). The problem is that on the 445*67e74705SXin Li// second line, 'p = &p[i]', p is assigned an ElementRegion whose index 446*67e74705SXin Li// is a 16-bit integer. On the third line, a new ElementRegion is created 447*67e74705SXin Li// based on the previous region, but there the region uses a 32-bit integer, 448*67e74705SXin Li// resulting in a clash of values (an assertion failure at best). We resolve 449*67e74705SXin Li// this problem by implicitly converting index values to 'int' when the 450*67e74705SXin Li// ElementRegion is created. 451*67e74705SXin Liunsigned char test_array_index_bitwidth(const unsigned char *p) { 452*67e74705SXin Li unsigned short i = 0; 453*67e74705SXin Li for (i = 0; i < 2; i++) p = &p[i]; 454*67e74705SXin Li return p[i+1]; 455*67e74705SXin Li} 456*67e74705SXin Li 457*67e74705SXin Li// This case tests that CastRegion handles casts involving BlockPointerTypes. 458*67e74705SXin Li// It should not crash. 459*67e74705SXin Livoid test_block_cast() { 460*67e74705SXin Li id test_block_cast_aux(); 461*67e74705SXin Li (void (^)(void *))test_block_cast_aux(); // expected-warning{{expression result unused}} 462*67e74705SXin Li} 463*67e74705SXin Li 464*67e74705SXin Liint OSAtomicCompareAndSwap32Barrier(); 465*67e74705SXin Li 466*67e74705SXin Li// Test comparison of 'id' instance variable to a null void* constant after 467*67e74705SXin Li// performing an OSAtomicCompareAndSwap32Barrier. 468*67e74705SXin Li// This previously was a crash in RegionStoreManager. 469*67e74705SXin Li@interface TestIdNull { 470*67e74705SXin Li id x; 471*67e74705SXin Li} 472*67e74705SXin Li-(int)foo; 473*67e74705SXin Li@end 474*67e74705SXin Li@implementation TestIdNull 475*67e74705SXin Li-(int)foo { 476*67e74705SXin Li OSAtomicCompareAndSwap32Barrier(0, (signed)2, (signed*)&x); 477*67e74705SXin Li if (x == (void*) 0) { return 0; } 478*67e74705SXin Li return 1; 479*67e74705SXin Li} 480*67e74705SXin Li@end 481*67e74705SXin Li 482*67e74705SXin Li// Do not crash when performing compare and swap on symbolic values. 483*67e74705SXin Litypedef int int32_t; 484*67e74705SXin Litypedef int int32; 485*67e74705SXin Litypedef int32 Atomic32; 486*67e74705SXin Liint OSAtomicCompareAndSwap32( int32_t __oldValue, int32_t __newValue, volatile int32_t *__theValue); 487*67e74705SXin Livoid radar11390991_NoBarrier_CompareAndSwap(volatile Atomic32 *ptr, 488*67e74705SXin Li Atomic32 old_value, 489*67e74705SXin Li Atomic32 new_value) { 490*67e74705SXin Li OSAtomicCompareAndSwap32(old_value, new_value, ptr); 491*67e74705SXin Li} 492*67e74705SXin Li 493*67e74705SXin Li// PR 4594 - This was a crash when handling casts in SimpleSValuator. 494*67e74705SXin Livoid PR4594() { 495*67e74705SXin Li char *buf[1]; 496*67e74705SXin Li char **foo = buf; 497*67e74705SXin Li *foo = "test"; 498*67e74705SXin Li} 499*67e74705SXin Li 500*67e74705SXin Li// Test invalidation logic where an integer is casted to an array with a 501*67e74705SXin Li// different sign and then invalidated. 502*67e74705SXin Livoid test_invalidate_cast_int() { 503*67e74705SXin Li void test_invalidate_cast_int_aux(unsigned *i); 504*67e74705SXin Li signed i; 505*67e74705SXin Li test_invalidate_cast_int_aux((unsigned*) &i); 506*67e74705SXin Li if (i < 0) 507*67e74705SXin Li return; 508*67e74705SXin Li} 509*67e74705SXin Li 510*67e74705SXin Liint ivar_getOffset(); 511*67e74705SXin Li 512*67e74705SXin Li// Reduced from a crash involving the cast of an Objective-C symbolic region to 513*67e74705SXin Li// 'char *' 514*67e74705SXin Listatic NSNumber *test_ivar_offset(id self, SEL _cmd, Ivar inIvar) { 515*67e74705SXin Li return [[[NSNumber allocWithZone:((void*)0)] initWithBool:*(_Bool *)((char *)self + ivar_getOffset(inIvar))] autorelease]; 516*67e74705SXin Li} 517*67e74705SXin Li 518*67e74705SXin Li// Reduced from a crash in StoreManager::CastRegion involving a divide-by-zero. 519*67e74705SXin Li// This resulted from not properly handling region casts to 'const void*'. 520*67e74705SXin Livoid test_cast_const_voidptr() { 521*67e74705SXin Li char x[10]; 522*67e74705SXin Li char *p = &x[1]; 523*67e74705SXin Li const void* q = p; 524*67e74705SXin Li} 525*67e74705SXin Li 526*67e74705SXin Li// Reduced from a crash when analyzing Wine. This test handles loads from 527*67e74705SXin Li// function addresses. 528*67e74705SXin Litypedef long (*FARPROC)(); 529*67e74705SXin LiFARPROC test_load_func(FARPROC origfun) { 530*67e74705SXin Li if (!*(unsigned char*) origfun) 531*67e74705SXin Li return origfun; 532*67e74705SXin Li return 0; 533*67e74705SXin Li} 534*67e74705SXin Li 535*67e74705SXin Li// Test passing-by-value an initialized struct variable. 536*67e74705SXin Listruct test_pass_val { 537*67e74705SXin Li int x; 538*67e74705SXin Li int y; 539*67e74705SXin Li}; 540*67e74705SXin Livoid test_pass_val_aux(struct test_pass_val s); 541*67e74705SXin Livoid test_pass_val() { 542*67e74705SXin Li struct test_pass_val s; 543*67e74705SXin Li s.x = 1; 544*67e74705SXin Li s.y = 2; 545*67e74705SXin Li test_pass_val_aux(s); 546*67e74705SXin Li} 547*67e74705SXin Li 548*67e74705SXin Li// This is a reduced test case of a false positive that previously appeared 549*67e74705SXin Li// in RegionStoreManager. Previously the array access resulted in dereferencing 550*67e74705SXin Li// an undefined value. 551*67e74705SXin Liint test_array_compound(int *q, int *r, int *z) { 552*67e74705SXin Li int *array[] = { q, r, z }; 553*67e74705SXin Li int j = 0; 554*67e74705SXin Li for (unsigned i = 0; i < 3 ; ++i) 555*67e74705SXin Li if (*array[i]) ++j; // no-warning 556*67e74705SXin Li return j; 557*67e74705SXin Li} 558*67e74705SXin Li 559*67e74705SXin Li// symbolic value stored in 'x' wouldn't be implicitly casted to a signed value 560*67e74705SXin Li// during the comparison. 561*67e74705SXin Liint rdar_7124210(unsigned int x) { 562*67e74705SXin Li enum { SOME_CONSTANT = 123 }; 563*67e74705SXin Li int compare = ((signed) SOME_CONSTANT) == *((signed *) &x); 564*67e74705SXin Li return compare ? 0 : 1; // Forces the evaluation of the symbolic constraint. 565*67e74705SXin Li} 566*67e74705SXin Li 567*67e74705SXin Livoid pr4781(unsigned long *raw1) { 568*67e74705SXin Li unsigned long *cook, *raw0; 569*67e74705SXin Li unsigned long dough[32]; 570*67e74705SXin Li int i; 571*67e74705SXin Li cook = dough; 572*67e74705SXin Li for( i = 0; i < 16; i++, raw1++ ) { 573*67e74705SXin Li raw0 = raw1++; 574*67e74705SXin Li *cook = (*raw0 & 0x00fc0000L) << 6; 575*67e74705SXin Li *cook |= (*raw0 & 0x00000fc0L) << 10; 576*67e74705SXin Li } 577*67e74705SXin Li} 578*67e74705SXin Li 579*67e74705SXin Li// <rdar://problem/7185647> - 'self' should be treated as being non-null 580*67e74705SXin Li// upon entry to an objective-c method. 581*67e74705SXin Li@interface RDar7185647 582*67e74705SXin Li- (id)foo; 583*67e74705SXin Li@end 584*67e74705SXin Li@implementation RDar7185647 585*67e74705SXin Li- (id) foo { 586*67e74705SXin Li if (self) 587*67e74705SXin Li return self; 588*67e74705SXin Li *((volatile int *) 0x0) = 0xDEADBEEF; // no-warning 589*67e74705SXin Li return self; 590*67e74705SXin Li} 591*67e74705SXin Li@end 592*67e74705SXin Li 593*67e74705SXin Li// Test reasoning of __builtin_offsetof; 594*67e74705SXin Listruct test_offsetof_A { 595*67e74705SXin Li int x; 596*67e74705SXin Li int y; 597*67e74705SXin Li}; 598*67e74705SXin Listruct test_offsetof_B { 599*67e74705SXin Li int w; 600*67e74705SXin Li int z; 601*67e74705SXin Li}; 602*67e74705SXin Livoid test_offsetof_1() { 603*67e74705SXin Li if (__builtin_offsetof(struct test_offsetof_A, x) == 604*67e74705SXin Li __builtin_offsetof(struct test_offsetof_B, w)) 605*67e74705SXin Li return; 606*67e74705SXin Li int *p = 0; 607*67e74705SXin Li *p = 0xDEADBEEF; // no-warning 608*67e74705SXin Li} 609*67e74705SXin Livoid test_offsetof_2() { 610*67e74705SXin Li if (__builtin_offsetof(struct test_offsetof_A, y) == 611*67e74705SXin Li __builtin_offsetof(struct test_offsetof_B, z)) 612*67e74705SXin Li return; 613*67e74705SXin Li int *p = 0; 614*67e74705SXin Li *p = 0xDEADBEEF; // no-warning 615*67e74705SXin Li} 616*67e74705SXin Livoid test_offsetof_3() { 617*67e74705SXin Li if (__builtin_offsetof(struct test_offsetof_A, y) - 618*67e74705SXin Li __builtin_offsetof(struct test_offsetof_A, x) 619*67e74705SXin Li == 620*67e74705SXin Li __builtin_offsetof(struct test_offsetof_B, z) - 621*67e74705SXin Li __builtin_offsetof(struct test_offsetof_B, w)) 622*67e74705SXin Li return; 623*67e74705SXin Li int *p = 0; 624*67e74705SXin Li *p = 0xDEADBEEF; // no-warning 625*67e74705SXin Li} 626*67e74705SXin Livoid test_offsetof_4() { 627*67e74705SXin Li if (__builtin_offsetof(struct test_offsetof_A, y) == 628*67e74705SXin Li __builtin_offsetof(struct test_offsetof_B, w)) 629*67e74705SXin Li return; 630*67e74705SXin Li int *p = 0; 631*67e74705SXin Li *p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}} 632*67e74705SXin Li} 633*67e74705SXin Li 634*67e74705SXin Li// <rdar://problem/6829164> "nil receiver" false positive: make tracking 635*67e74705SXin Li// of the MemRegion for 'self' path-sensitive 636*67e74705SXin Li@interface RDar6829164 : NSObject { 637*67e74705SXin Li double x; int y; 638*67e74705SXin Li} 639*67e74705SXin Li- (id) init; 640*67e74705SXin Li@end 641*67e74705SXin Li 642*67e74705SXin Liid rdar_6829164_1(); 643*67e74705SXin Lidouble rdar_6829164_2(); 644*67e74705SXin Li 645*67e74705SXin Li@implementation RDar6829164 646*67e74705SXin Li- (id) init { 647*67e74705SXin Li if((self = [super init]) != 0) { 648*67e74705SXin Li id z = rdar_6829164_1(); 649*67e74705SXin Li y = (z != 0); 650*67e74705SXin Li if (y) 651*67e74705SXin Li x = rdar_6829164_2(); 652*67e74705SXin Li } 653*67e74705SXin Li return self; 654*67e74705SXin Li} 655*67e74705SXin Li@end 656*67e74705SXin Li 657*67e74705SXin Li// <rdar://problem/7242015> - Invalidate values passed-by-reference 658*67e74705SXin Li// to functions when the pointer to the value is passed as an integer. 659*67e74705SXin Livoid test_7242015_aux(unsigned long); 660*67e74705SXin Liint rdar_7242015() { 661*67e74705SXin Li int x; 662*67e74705SXin Li test_7242015_aux((unsigned long) &x); // no-warning 663*67e74705SXin Li return x; // Previously we return and uninitialized value when 664*67e74705SXin Li // using RegionStore. 665*67e74705SXin Li} 666*67e74705SXin Li 667*67e74705SXin Li// <rdar://problem/7242006> [RegionStore] compound literal assignment with 668*67e74705SXin Li// floats not honored 669*67e74705SXin LiCGFloat rdar7242006(CGFloat x) { 670*67e74705SXin Li NSSize y = (NSSize){x, 10}; 671*67e74705SXin Li return y.width; // no-warning 672*67e74705SXin Li} 673*67e74705SXin Li 674*67e74705SXin Li// PR 4988 - This test exhibits a case where a function can be referenced 675*67e74705SXin Li// when not explicitly used in an "lvalue" context (as far as the analyzer is 676*67e74705SXin Li// concerned). This previously triggered a crash due to an invalid assertion. 677*67e74705SXin Livoid pr_4988(void) { 678*67e74705SXin Li pr_4988; // expected-warning{{expression result unused}} 679*67e74705SXin Li} 680*67e74705SXin Li 681*67e74705SXin Li// <rdar://problem/7152418> - A 'signed char' is used as a flag, which is 682*67e74705SXin Li// implicitly converted to an int. 683*67e74705SXin Livoid *rdar7152418_bar(); 684*67e74705SXin Li@interface RDar7152418 { 685*67e74705SXin Li signed char x; 686*67e74705SXin Li} 687*67e74705SXin Li-(char)foo; 688*67e74705SXin Li@end; 689*67e74705SXin Li@implementation RDar7152418 690*67e74705SXin Li-(char)foo { 691*67e74705SXin Li char *p = 0; 692*67e74705SXin Li void *result = 0; 693*67e74705SXin Li if (x) { 694*67e74705SXin Li result = rdar7152418_bar(); 695*67e74705SXin Li p = "hello"; 696*67e74705SXin Li } 697*67e74705SXin Li if (!result) { 698*67e74705SXin Li result = rdar7152418_bar(); 699*67e74705SXin Li if (result && x) 700*67e74705SXin Li return *p; // no-warning 701*67e74705SXin Li } 702*67e74705SXin Li return 1; 703*67e74705SXin Li} 704*67e74705SXin Li 705*67e74705SXin Li//===----------------------------------------------------------------------===// 706*67e74705SXin Li// Test constant-folding of symbolic values, automatically handling type 707*67e74705SXin Li// conversions of the symbol as necessary. 708*67e74705SXin Li//===----------------------------------------------------------------------===// 709*67e74705SXin Li 710*67e74705SXin Li// Previously this would crash once we started eagerly evaluating symbols whose 711*67e74705SXin Li// values were constrained to a single value. 712*67e74705SXin Livoid test_symbol_fold_1(signed char x) { 713*67e74705SXin Li while (1) { 714*67e74705SXin Li if (x == ((signed char) 0)) {} 715*67e74705SXin Li } 716*67e74705SXin Li} 717*67e74705SXin Li 718*67e74705SXin Li// This previously caused a crash because it triggered an assertion in APSInt. 719*67e74705SXin Livoid test_symbol_fold_2(unsigned int * p, unsigned int n, 720*67e74705SXin Li const unsigned int * grumpkin, unsigned int dn) { 721*67e74705SXin Li unsigned int i; 722*67e74705SXin Li unsigned int tempsub[8]; 723*67e74705SXin Li unsigned int *solgrumpkin = tempsub + n; 724*67e74705SXin Li for (i = 0; i < n; i++) 725*67e74705SXin Li solgrumpkin[i] = (i < dn) ? ~grumpkin[i] : 0xFFFFFFFF; 726*67e74705SXin Li for (i <<= 5; i < (n << 5); i++) {} 727*67e74705SXin Li} 728*67e74705SXin Li 729*67e74705SXin Li// This previously caused a crash because it triggered an assertion in APSInt. 730*67e74705SXin Li// 'x' would evaluate to a 8-bit constant (because of the return value of 731*67e74705SXin Li// test_symbol_fold_3_aux()) which would not get properly promoted to an 732*67e74705SXin Li// integer. 733*67e74705SXin Lichar test_symbol_fold_3_aux(void); 734*67e74705SXin Liunsigned test_symbol_fold_3(void) { 735*67e74705SXin Li unsigned x = test_symbol_fold_3_aux(); 736*67e74705SXin Li if (x == 54) 737*67e74705SXin Li return (x << 8) | 0x5; 738*67e74705SXin Li return 0; 739*67e74705SXin Li} 740*67e74705SXin Li 741*67e74705SXin Li//===----------------------------------------------------------------------===// 742*67e74705SXin Li// Tests for the warning of casting a non-struct type to a struct type 743*67e74705SXin Li//===----------------------------------------------------------------------===// 744*67e74705SXin Li 745*67e74705SXin Litypedef struct {unsigned int v;} NSSwappedFloat; 746*67e74705SXin Li 747*67e74705SXin LiNSSwappedFloat test_cast_nonstruct_to_struct(float x) { 748*67e74705SXin Li struct hodor { 749*67e74705SXin Li float number; 750*67e74705SXin Li NSSwappedFloat sf; 751*67e74705SXin Li }; 752*67e74705SXin Li return ((struct hodor *)&x)->sf; // expected-warning{{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption}} 753*67e74705SXin Li} 754*67e74705SXin Li 755*67e74705SXin LiNSSwappedFloat test_cast_nonstruct_to_union(float x) { 756*67e74705SXin Li union bran { 757*67e74705SXin Li float number; 758*67e74705SXin Li NSSwappedFloat sf; 759*67e74705SXin Li }; 760*67e74705SXin Li return ((union bran *)&x)->sf; // no-warning 761*67e74705SXin Li} 762*67e74705SXin Li 763*67e74705SXin Livoid test_undefined_array_subscript() { 764*67e74705SXin Li int i, a[10]; 765*67e74705SXin Li int *p = &a[i]; // expected-warning{{Array subscript is undefined}} 766*67e74705SXin Li} 767*67e74705SXin Li@end 768*67e74705SXin Li 769*67e74705SXin Li//===----------------------------------------------------------------------===// 770*67e74705SXin Li// Test using an uninitialized value as a branch condition. 771*67e74705SXin Li//===----------------------------------------------------------------------===// 772*67e74705SXin Li 773*67e74705SXin Liint test_uninit_branch(void) { 774*67e74705SXin Li int x; 775*67e74705SXin Li if (x) // expected-warning{{Branch condition evaluates to a garbage value}} 776*67e74705SXin Li return 1; 777*67e74705SXin Li return 0; 778*67e74705SXin Li} 779*67e74705SXin Li 780*67e74705SXin Liint test_uninit_branch_b(void) { 781*67e74705SXin Li int x; 782*67e74705SXin Li return x ? 1 : 0; // expected-warning{{Branch condition evaluates to a garbage value}} 783*67e74705SXin Li} 784*67e74705SXin Li 785*67e74705SXin Liint test_uninit_branch_c(void) { 786*67e74705SXin Li int x; 787*67e74705SXin Li if ((short)x) // expected-warning{{Branch condition evaluates to a garbage value}} 788*67e74705SXin Li return 1; 789*67e74705SXin Li return 0; 790*67e74705SXin Li} 791*67e74705SXin Li 792*67e74705SXin Li//===----------------------------------------------------------------------===// 793*67e74705SXin Li// Test passing an undefined value in a message or function call. 794*67e74705SXin Li//===----------------------------------------------------------------------===// 795*67e74705SXin Li 796*67e74705SXin Livoid test_bad_call_aux(int x); 797*67e74705SXin Livoid test_bad_call(void) { 798*67e74705SXin Li int y; 799*67e74705SXin Li test_bad_call_aux(y); // expected-warning{{Function call argument is an uninitialized value}} 800*67e74705SXin Li} 801*67e74705SXin Li 802*67e74705SXin Li@interface TestBadArg {} 803*67e74705SXin Li- (void) testBadArg:(int) x; 804*67e74705SXin Li@end 805*67e74705SXin Li 806*67e74705SXin Livoid test_bad_msg(TestBadArg *p) { 807*67e74705SXin Li int y; 808*67e74705SXin Li [p testBadArg:y]; // expected-warning{{Argument in message expression is an uninitialized value}} 809*67e74705SXin Li} 810*67e74705SXin Li 811*67e74705SXin Li//===----------------------------------------------------------------------===// 812*67e74705SXin Li// PR 6033 - Test emitting the correct output in a warning where we use '%' 813*67e74705SXin Li// with operands that are undefined. 814*67e74705SXin Li//===----------------------------------------------------------------------===// 815*67e74705SXin Li 816*67e74705SXin Liint pr6033(int x) { 817*67e74705SXin Li int y; 818*67e74705SXin Li return x % y; // expected-warning{{The right operand of '%' is a garbage value}} 819*67e74705SXin Li} 820*67e74705SXin Li 821*67e74705SXin Listruct trie { 822*67e74705SXin Li struct trie* next; 823*67e74705SXin Li}; 824*67e74705SXin Li 825*67e74705SXin Listruct kwset { 826*67e74705SXin Li struct trie *trie; 827*67e74705SXin Li unsigned char y[10]; 828*67e74705SXin Li struct trie* next[10]; 829*67e74705SXin Li int d; 830*67e74705SXin Li}; 831*67e74705SXin Li 832*67e74705SXin Litypedef struct trie trie_t; 833*67e74705SXin Litypedef struct kwset kwset_t; 834*67e74705SXin Li 835*67e74705SXin Livoid f(kwset_t *kws, char const *p, char const *q) { 836*67e74705SXin Li struct trie const *trie; 837*67e74705SXin Li struct trie * const *next = kws->next; 838*67e74705SXin Li register unsigned char c; 839*67e74705SXin Li register char const *end = p; 840*67e74705SXin Li register char const *lim = q; 841*67e74705SXin Li register int d = 1; 842*67e74705SXin Li register unsigned char const *y = kws->y; 843*67e74705SXin Li 844*67e74705SXin Li d = y[c = (end+=d)[-1]]; // no-warning 845*67e74705SXin Li trie = next[c]; 846*67e74705SXin Li} 847*67e74705SXin Li 848*67e74705SXin Li//===----------------------------------------------------------------------===// 849*67e74705SXin Li// <rdar://problem/7593875> When handling sizeof(VLA) it leads to a hole in 850*67e74705SXin Li// the ExplodedGraph (causing a false positive) 851*67e74705SXin Li//===----------------------------------------------------------------------===// 852*67e74705SXin Li 853*67e74705SXin Liint rdar_7593875_aux(int x); 854*67e74705SXin Liint rdar_7593875(int n) { 855*67e74705SXin Li int z[n > 10 ? 10 : n]; // VLA. 856*67e74705SXin Li int v; 857*67e74705SXin Li v = rdar_7593875_aux(sizeof(z)); 858*67e74705SXin Li // Previously we got a false positive about 'v' being uninitialized. 859*67e74705SXin Li return v; // no-warning 860*67e74705SXin Li} 861*67e74705SXin Li 862*67e74705SXin Li//===----------------------------------------------------------------------===// 863*67e74705SXin Li// Handle casts from symbolic regions (packaged as integers) to doubles. 864*67e74705SXin Li// Previously this caused an assertion failure. 865*67e74705SXin Li//===----------------------------------------------------------------------===// 866*67e74705SXin Li 867*67e74705SXin Livoid *foo_rev95119(); 868*67e74705SXin Livoid baz_rev95119(double x); 869*67e74705SXin Livoid bar_rev95119() { 870*67e74705SXin Li // foo_rev95119() returns a symbolic pointer. It is then 871*67e74705SXin Li // cast to an int which is then cast to a double. 872*67e74705SXin Li int value = (int) foo_rev95119(); 873*67e74705SXin Li baz_rev95119((double)value); 874*67e74705SXin Li} 875*67e74705SXin Li 876*67e74705SXin Li//===----------------------------------------------------------------------===// 877*67e74705SXin Li// Handle loading a symbolic pointer from a symbolic region that was 878*67e74705SXin Li// invalidated by a call to an unknown function. 879*67e74705SXin Li//===----------------------------------------------------------------------===// 880*67e74705SXin Li 881*67e74705SXin Livoid bar_rev95192(int **x); 882*67e74705SXin Livoid foo_rev95192(int **x) { 883*67e74705SXin Li *x = 0; 884*67e74705SXin Li bar_rev95192(x); 885*67e74705SXin Li // Not a null dereference. 886*67e74705SXin Li **x = 1; // no-warning 887*67e74705SXin Li} 888*67e74705SXin Li 889*67e74705SXin Li//===----------------------------------------------------------------------===// 890*67e74705SXin Li// Handle casts of a function to a function pointer with a different return 891*67e74705SXin Li// value. We don't yet emit an error for such cases, but we now we at least 892*67e74705SXin Li// don't crash when the return value gets interpreted in a way that 893*67e74705SXin Li// violates our invariants. 894*67e74705SXin Li//===----------------------------------------------------------------------===// 895*67e74705SXin Li 896*67e74705SXin Livoid *foo_rev95267(); 897*67e74705SXin Liint bar_rev95267() { 898*67e74705SXin Li char (*Callback_rev95267)(void) = (char (*)(void)) foo_rev95267; 899*67e74705SXin Li if ((*Callback_rev95267)() == (char) 0) 900*67e74705SXin Li return 1; 901*67e74705SXin Li return 0; 902*67e74705SXin Li} 903*67e74705SXin Li 904*67e74705SXin Li// Same as previous case, but handle casts to 'void'. 905*67e74705SXin Liint bar_rev95274() { 906*67e74705SXin Li void (*Callback_rev95274)(void) = (void (*)(void)) foo_rev95267; 907*67e74705SXin Li (*Callback_rev95274)(); 908*67e74705SXin Li return 0; 909*67e74705SXin Li} 910*67e74705SXin Li 911*67e74705SXin Livoid rdar7582031_test_static_init_zero() { 912*67e74705SXin Li static unsigned x; 913*67e74705SXin Li if (x == 0) 914*67e74705SXin Li return; 915*67e74705SXin Li int *p = 0; 916*67e74705SXin Li *p = 0xDEADBEEF; 917*67e74705SXin Li} 918*67e74705SXin Livoid rdar7582031_test_static_init_zero_b() { 919*67e74705SXin Li static void* x; 920*67e74705SXin Li if (x == 0) 921*67e74705SXin Li return; 922*67e74705SXin Li int *p = 0; 923*67e74705SXin Li *p = 0xDEADBEEF; 924*67e74705SXin Li} 925*67e74705SXin Li 926*67e74705SXin Li//===----------------------------------------------------------------------===// 927*67e74705SXin Li// Test handling of parameters that are structs that contain floats and // 928*67e74705SXin Li// nested fields. // 929*67e74705SXin Li//===----------------------------------------------------------------------===// 930*67e74705SXin Li 931*67e74705SXin Listruct s_rev95547_nested { float x, y; }; 932*67e74705SXin Listruct s_rev95547 { 933*67e74705SXin Li struct s_rev95547_nested z1; 934*67e74705SXin Li struct s_rev95547_nested z2; 935*67e74705SXin Li}; 936*67e74705SXin Lifloat foo_rev95547(struct s_rev95547 w) { 937*67e74705SXin Li return w.z1.x + 20.0; // no-warning 938*67e74705SXin Li} 939*67e74705SXin Livoid foo_rev95547_b(struct s_rev95547 w) { 940*67e74705SXin Li struct s_rev95547 w2 = w; 941*67e74705SXin Li w2.z1.x += 20.0; // no-warning 942*67e74705SXin Li} 943*67e74705SXin Li 944*67e74705SXin Li//===----------------------------------------------------------------------===// 945*67e74705SXin Li// Test handling statement expressions that don't populate a CFG block that 946*67e74705SXin Li// is used to represent the computation of the RHS of a logical operator. 947*67e74705SXin Li// This previously triggered a crash. 948*67e74705SXin Li//===----------------------------------------------------------------------===// 949*67e74705SXin Li 950*67e74705SXin Livoid pr6938() { 951*67e74705SXin Li if (1 && ({ 952*67e74705SXin Li while (0); 953*67e74705SXin Li 0; 954*67e74705SXin Li }) == 0) { 955*67e74705SXin Li } 956*67e74705SXin Li} 957*67e74705SXin Li 958*67e74705SXin Livoid pr6938_b() { 959*67e74705SXin Li if (1 && *({ // expected-warning{{Dereference of null pointer}} 960*67e74705SXin Li while (0) {} 961*67e74705SXin Li ({ 962*67e74705SXin Li (int *) 0; 963*67e74705SXin Li }); 964*67e74705SXin Li }) == 0) { 965*67e74705SXin Li } 966*67e74705SXin Li} 967*67e74705SXin Li 968*67e74705SXin Li//===----------------------------------------------------------------------===// 969*67e74705SXin Li// <rdar://problem/7979430> - The CFG for code containing an empty 970*67e74705SXin Li// @synchronized block was previously broken (and would crash the analyzer). 971*67e74705SXin Li//===----------------------------------------------------------------------===// 972*67e74705SXin Li 973*67e74705SXin Livoid r7979430(id x) { 974*67e74705SXin Li @synchronized(x) {} 975*67e74705SXin Li} 976*67e74705SXin Li 977*67e74705SXin Li//===----------------------------------------------------------------------=== 978*67e74705SXin Li// PR 7361 - Test that functions wrapped in macro instantiations are analyzed. 979*67e74705SXin Li//===----------------------------------------------------------------------=== 980*67e74705SXin Li#define MAKE_TEST_FN() \ 981*67e74705SXin Li void test_pr7361 (char a) {\ 982*67e74705SXin Li char* b = 0x0; *b = a;\ 983*67e74705SXin Li } 984*67e74705SXin Li 985*67e74705SXin LiMAKE_TEST_FN() // expected-warning{{null pointer}} 986*67e74705SXin Li 987*67e74705SXin Li//===----------------------------------------------------------------------=== 988*67e74705SXin Li// PR 7491 - Test that symbolic expressions can be used as conditions. 989*67e74705SXin Li//===----------------------------------------------------------------------=== 990*67e74705SXin Li 991*67e74705SXin Livoid pr7491 () { 992*67e74705SXin Li extern int getint(); 993*67e74705SXin Li int a = getint()-1; 994*67e74705SXin Li if (a) { 995*67e74705SXin Li return; 996*67e74705SXin Li } 997*67e74705SXin Li if (!a) { 998*67e74705SXin Li return; 999*67e74705SXin Li } else { 1000*67e74705SXin Li // Should be unreachable 1001*67e74705SXin Li (void)*(char*)0; // no-warning 1002*67e74705SXin Li } 1003*67e74705SXin Li} 1004*67e74705SXin Li 1005*67e74705SXin Li//===----------------------------------------------------------------------=== 1006*67e74705SXin Li// PR 7475 - Test that assumptions about global variables are reset after 1007*67e74705SXin Li// calling a global function. 1008*67e74705SXin Li//===----------------------------------------------------------------------=== 1009*67e74705SXin Li 1010*67e74705SXin Liint *pr7475_someGlobal; 1011*67e74705SXin Livoid pr7475_setUpGlobal(); 1012*67e74705SXin Li 1013*67e74705SXin Livoid pr7475() { 1014*67e74705SXin Li if (pr7475_someGlobal == 0) 1015*67e74705SXin Li pr7475_setUpGlobal(); 1016*67e74705SXin Li *pr7475_someGlobal = 0; // no-warning 1017*67e74705SXin Li} 1018*67e74705SXin Li 1019*67e74705SXin Livoid pr7475_warn() { 1020*67e74705SXin Li static int *someStatic = 0; 1021*67e74705SXin Li if (someStatic == 0) 1022*67e74705SXin Li pr7475_setUpGlobal(); 1023*67e74705SXin Li *someStatic = 0; // expected-warning{{null pointer}} 1024*67e74705SXin Li} 1025*67e74705SXin Li 1026*67e74705SXin Li// <rdar://problem/8202272> - __imag passed non-complex should not crash 1027*67e74705SXin Lifloat f0(_Complex float x) { 1028*67e74705SXin Li float l0 = __real x; 1029*67e74705SXin Li return __real l0 + __imag l0; 1030*67e74705SXin Li} 1031*67e74705SXin Li 1032*67e74705SXin Li 1033*67e74705SXin Li//===----------------------------------------------------------------------=== 1034*67e74705SXin Li// Test that we can reduce symbols to constants whether they are on the left 1035*67e74705SXin Li// or right side of an expression. 1036*67e74705SXin Li//===----------------------------------------------------------------------=== 1037*67e74705SXin Li 1038*67e74705SXin Livoid reduce_to_constant(int x, int y) { 1039*67e74705SXin Li if (x != 20) 1040*67e74705SXin Li return; 1041*67e74705SXin Li 1042*67e74705SXin Li int a = x + y; 1043*67e74705SXin Li int b = y + x; 1044*67e74705SXin Li 1045*67e74705SXin Li if (y == -20 && a != 0) 1046*67e74705SXin Li (void)*(char*)0; // no-warning 1047*67e74705SXin Li if (y == -20 && b != 0) 1048*67e74705SXin Li (void)*(char*)0; // no-warning 1049*67e74705SXin Li} 1050*67e74705SXin Li 1051*67e74705SXin Li// <rdar://problem/8360854> - Test that code after a switch statement with no 1052*67e74705SXin Li// 'case:' labels is correctly evaluated. 1053*67e74705SXin Livoid r8360854(int n) { 1054*67e74705SXin Li switch (n) { 1055*67e74705SXin Li default: ; 1056*67e74705SXin Li } 1057*67e74705SXin Li int *p = 0; 1058*67e74705SXin Li *p = 0xDEADBEEF; // expected-warning{{null pointer}} 1059*67e74705SXin Li} 1060*67e74705SXin Li 1061*67e74705SXin Li// PR 8050 - crash in CastSizeChecker when pointee is an incomplete type 1062*67e74705SXin Litypedef long unsigned int __darwin_size_t; 1063*67e74705SXin Litypedef __darwin_size_t size_t; 1064*67e74705SXin Livoid *malloc(size_t); 1065*67e74705SXin Li 1066*67e74705SXin Listruct PR8050; 1067*67e74705SXin Li 1068*67e74705SXin Livoid pr8050(struct PR8050 **arg) 1069*67e74705SXin Li{ 1070*67e74705SXin Li *arg = malloc(1); 1071*67e74705SXin Li} 1072*67e74705SXin Li 1073*67e74705SXin Li// <rdar://problem/5880430> Switch on enum should not consider default case live 1074*67e74705SXin Li// if all enum values are covered 1075*67e74705SXin Lienum Cases { C1, C2, C3, C4 }; 1076*67e74705SXin Livoid test_enum_cases(enum Cases C) { 1077*67e74705SXin Li switch (C) { 1078*67e74705SXin Li case C1: 1079*67e74705SXin Li case C2: 1080*67e74705SXin Li case C4: 1081*67e74705SXin Li case C3: 1082*67e74705SXin Li return; 1083*67e74705SXin Li } 1084*67e74705SXin Li int *p = 0; 1085*67e74705SXin Li *p = 0xDEADBEEF; // no-warning 1086*67e74705SXin Li} 1087*67e74705SXin Li 1088*67e74705SXin Livoid test_enum_cases_positive(enum Cases C) { 1089*67e74705SXin Li switch (C) { // expected-warning{{enumeration value 'C4' not handled in switch}} 1090*67e74705SXin Li case C1: 1091*67e74705SXin Li case C2: 1092*67e74705SXin Li case C3: 1093*67e74705SXin Li return; 1094*67e74705SXin Li } 1095*67e74705SXin Li int *p = 0; 1096*67e74705SXin Li *p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}} 1097*67e74705SXin Li} 1098*67e74705SXin Li 1099*67e74705SXin Li// <rdar://problem/6351970> rule request: warn if synchronization mutex can be nil 1100*67e74705SXin Livoid rdar6351970() { 1101*67e74705SXin Li id x = 0; 1102*67e74705SXin Li @synchronized(x) {} // expected-warning{{Nil value used as mutex for @synchronized() (no synchronization will occur)}} 1103*67e74705SXin Li} 1104*67e74705SXin Li 1105*67e74705SXin Livoid rdar6351970_b(id x) { 1106*67e74705SXin Li if (!x) 1107*67e74705SXin Li @synchronized(x) {} // expected-warning{{Nil value used as mutex for @synchronized() (no synchronization will occur)}} 1108*67e74705SXin Li} 1109*67e74705SXin Li 1110*67e74705SXin Livoid rdar6351970_c() { 1111*67e74705SXin Li id x; 1112*67e74705SXin Li @synchronized(x) {} // expected-warning{{Uninitialized value used as mutex for @synchronized}} 1113*67e74705SXin Li} 1114*67e74705SXin Li 1115*67e74705SXin Li@interface Rdar8578650 1116*67e74705SXin Li- (id) foo8578650; 1117*67e74705SXin Li@end 1118*67e74705SXin Li 1119*67e74705SXin Livoid rdar8578650(id x) { 1120*67e74705SXin Li @synchronized (x) { 1121*67e74705SXin Li [x foo8578650]; 1122*67e74705SXin Li } 1123*67e74705SXin Li // At this point we should assume that 'x' is not nil, not 1124*67e74705SXin Li // the inverse. 1125*67e74705SXin Li @synchronized (x) { // no-warning 1126*67e74705SXin Li } 1127*67e74705SXin Li} 1128*67e74705SXin Li 1129*67e74705SXin Li// <rdar://problem/6352035> rule request: direct structure member access null pointer dereference 1130*67e74705SXin Li@interface RDar6352035 { 1131*67e74705SXin Li int c; 1132*67e74705SXin Li} 1133*67e74705SXin Li- (void)foo; 1134*67e74705SXin Li- (void)bar; 1135*67e74705SXin Li@end 1136*67e74705SXin Li 1137*67e74705SXin Li@implementation RDar6352035 1138*67e74705SXin Li- (void)foo { 1139*67e74705SXin Li RDar6352035 *friend = 0; 1140*67e74705SXin Li friend->c = 7; // expected-warning{{Access to instance variable 'c' results in a dereference of a null pointer (loaded from variable 'friend')}} 1141*67e74705SXin Li} 1142*67e74705SXin Li- (void)bar { 1143*67e74705SXin Li self = 0; 1144*67e74705SXin Li c = 7; // expected-warning{{Access to instance variable 'c' results in a dereference of a null pointer (loaded from variable 'self')}} 1145*67e74705SXin Li} 1146*67e74705SXin Li@end 1147*67e74705SXin Li 1148*67e74705SXin Li// PR 8149 - GNU statement expression in condition of ForStmt. 1149*67e74705SXin Li// This previously triggered an assertion failure in CFGBuilder. 1150*67e74705SXin Livoid pr8149(void) { 1151*67e74705SXin Li for (; ({ do { } while (0); 0; });) { } 1152*67e74705SXin Li} 1153*67e74705SXin Li 1154*67e74705SXin Li// PR 8458 - Make sure @synchronized doesn't crash with properties. 1155*67e74705SXin Li@interface PR8458 {} 1156*67e74705SXin Li@property(readonly) id lock; 1157*67e74705SXin Li@end 1158*67e74705SXin Li 1159*67e74705SXin Listatic 1160*67e74705SXin Livoid __PR8458(PR8458 *x) { 1161*67e74705SXin Li @synchronized(x.lock) {} // no-warning 1162*67e74705SXin Li} 1163*67e74705SXin Li 1164*67e74705SXin Li// PR 8440 - False null dereference during store to array-in-field-in-global. 1165*67e74705SXin Li// This test case previously resulted in a bogus null deref warning from 1166*67e74705SXin Li// incorrect lazy symbolication logic in RegionStore. 1167*67e74705SXin Listatic struct { 1168*67e74705SXin Li int num; 1169*67e74705SXin Li char **data; 1170*67e74705SXin Li} saved_pr8440; 1171*67e74705SXin Li 1172*67e74705SXin Lichar *foo_pr8440(); 1173*67e74705SXin Lichar **bar_pr8440(); 1174*67e74705SXin Livoid baz_pr8440(int n) 1175*67e74705SXin Li{ 1176*67e74705SXin Li saved_pr8440.num = n; 1177*67e74705SXin Li if (saved_pr8440.data) 1178*67e74705SXin Li return; 1179*67e74705SXin Li saved_pr8440.data = bar_pr8440(); 1180*67e74705SXin Li for (int i = 0 ; i < n ; i ++) 1181*67e74705SXin Li saved_pr8440.data[i] = foo_pr8440(); // no-warning 1182*67e74705SXin Li} 1183*67e74705SXin Li 1184*67e74705SXin Li// Support direct accesses to non-null memory. Reported in: 1185*67e74705SXin Li// PR 5272 1186*67e74705SXin Li// <rdar://problem/6839683> 1187*67e74705SXin Liint test_direct_address_load() { 1188*67e74705SXin Li int *p = (int*) 0x4000; 1189*67e74705SXin Li return *p; // no-warning 1190*67e74705SXin Li} 1191*67e74705SXin Li 1192*67e74705SXin Livoid pr5272_test() { 1193*67e74705SXin Li struct pr5272 { int var2; }; 1194*67e74705SXin Li (*(struct pr5272*)0xBC000000).var2 = 0; // no-warning 1195*67e74705SXin Li (*(struct pr5272*)0xBC000000).var2 += 2; // no-warning 1196*67e74705SXin Li} 1197*67e74705SXin Li 1198*67e74705SXin Li// Support casting the return value of function to another different type 1199*67e74705SXin Li// This previously caused a crash, although we likely need more precise 1200*67e74705SXin Li// reasoning here. <rdar://problem/8663544> 1201*67e74705SXin Livoid* rdar8663544(); 1202*67e74705SXin Litypedef struct {} Val8663544; 1203*67e74705SXin LiVal8663544 bazR8663544() { 1204*67e74705SXin Li Val8663544(*func) () = (Val8663544(*) ()) rdar8663544; 1205*67e74705SXin Li return func(); 1206*67e74705SXin Li} 1207*67e74705SXin Li 1208*67e74705SXin Li// PR 8619 - Handle ternary expressions with a call to a noreturn function. 1209*67e74705SXin Li// This previously resulted in a crash. 1210*67e74705SXin Livoid pr8619_noreturn(int x) __attribute__((noreturn)); 1211*67e74705SXin Li 1212*67e74705SXin Livoid pr8619(int a, int b, int c) { 1213*67e74705SXin Li a ?: pr8619_noreturn(b || c); 1214*67e74705SXin Li} 1215*67e74705SXin Li 1216*67e74705SXin Li 1217*67e74705SXin Li// PR 8646 - crash in the analyzer when handling unions. 1218*67e74705SXin Liunion pr8648_union { 1219*67e74705SXin Li signed long long pr8648_union_field; 1220*67e74705SXin Li}; 1221*67e74705SXin Livoid pr8648() { 1222*67e74705SXin Li long long y; 1223*67e74705SXin Li union pr8648_union x = { .pr8648_union_field = 0LL }; 1224*67e74705SXin Li y = x.pr8648_union_field; 1225*67e74705SXin Li 1226*67e74705SXin Li union pr8648_union z; 1227*67e74705SXin Li z = (union pr8648_union) { .pr8648_union_field = 0LL }; 1228*67e74705SXin Li 1229*67e74705SXin Li union pr8648_union w; 1230*67e74705SXin Li w = ({ (union pr8648_union) { .pr8648_union_field = 0LL }; }); 1231*67e74705SXin Li 1232*67e74705SXin Li // crash, no assignment 1233*67e74705SXin Li (void) ({ (union pr8648_union) { .pr8648_union_field = 0LL }; }).pr8648_union_field; 1234*67e74705SXin Li 1235*67e74705SXin Li // crash with assignment 1236*67e74705SXin Li y = ({ (union pr8648_union) { .pr8648_union_field = 0LL }; }).pr8648_union_field; 1237*67e74705SXin Li} 1238*67e74705SXin Li 1239*67e74705SXin Li// PR 9269 - don't assert when building the following CFG. The for statement 1240*67e74705SXin Li// contains a condition with multiple basic blocks, and the value of the 1241*67e74705SXin Li// statement expression is then indexed as part of a bigger condition expression. 1242*67e74705SXin Li// This example exposed a bug in child traversal in the CFGBuilder. 1243*67e74705SXin Livoid pr9269() { 1244*67e74705SXin Li struct s { char *bar[10]; } baz[2] = { 0 }; 1245*67e74705SXin Li unsigned i = 0; 1246*67e74705SXin Li for (i = 0; 1247*67e74705SXin Li (* ({ while(0); ({ &baz[0]; }); })).bar[0] != 0; // expected-warning {{while loop has empty body}} expected-note {{put the semicolon on a separate line to silence this warning}} 1248*67e74705SXin Li ++i) {} 1249*67e74705SXin Li} 1250*67e74705SXin Li 1251*67e74705SXin Li// Test evaluation of GNU-style ?:. 1252*67e74705SXin Liint pr9287(int type) { return type ? : 0; } // no-warning 1253*67e74705SXin Li 1254*67e74705SXin Livoid pr9287_b(int type, int *p) { 1255*67e74705SXin Li int x = type ? : 0; 1256*67e74705SXin Li if (x) { 1257*67e74705SXin Li p = 0; 1258*67e74705SXin Li } 1259*67e74705SXin Li if (type) { 1260*67e74705SXin Li *p = 0xDEADBEEF; // expected-warning {{null pointer}} 1261*67e74705SXin Li } 1262*67e74705SXin Li} 1263*67e74705SXin Li 1264*67e74705SXin Livoid pr9287_c(int type, int *p) { 1265*67e74705SXin Li int x = type ? : 0; 1266*67e74705SXin Li if (x) { 1267*67e74705SXin Li p = 0; 1268*67e74705SXin Li } 1269*67e74705SXin Li if (!type) { 1270*67e74705SXin Li *p = 0xDEADBEEF; // no-warning 1271*67e74705SXin Li } 1272*67e74705SXin Li} 1273*67e74705SXin Li 1274*67e74705SXin Livoid test_switch() { 1275*67e74705SXin Li switch (4) { 1276*67e74705SXin Li case 1: { 1277*67e74705SXin Li int *p = 0; 1278*67e74705SXin Li *p = 0xDEADBEEF; // no-warning 1279*67e74705SXin Li break; 1280*67e74705SXin Li } 1281*67e74705SXin Li case 4: { 1282*67e74705SXin Li int *p = 0; 1283*67e74705SXin Li *p = 0xDEADBEEF; // expected-warning {{null}} 1284*67e74705SXin Li break; 1285*67e74705SXin Li } 1286*67e74705SXin Li default: { 1287*67e74705SXin Li int *p = 0; 1288*67e74705SXin Li *p = 0xDEADBEEF; // no-warning 1289*67e74705SXin Li break; 1290*67e74705SXin Li } 1291*67e74705SXin Li } 1292*67e74705SXin Li} 1293*67e74705SXin Li 1294*67e74705SXin Li// PR 9467. Tests various CFG optimizations. This previously crashed. 1295*67e74705SXin Listatic void test(unsigned int bit_mask) 1296*67e74705SXin Li{ 1297*67e74705SXin Li unsigned int bit_index; 1298*67e74705SXin Li for (bit_index = 0; 1299*67e74705SXin Li bit_index < 24; 1300*67e74705SXin Li bit_index++) { 1301*67e74705SXin Li switch ((0x01 << bit_index) & bit_mask) { 1302*67e74705SXin Li case 0x100000: ; 1303*67e74705SXin Li } 1304*67e74705SXin Li } 1305*67e74705SXin Li} 1306*67e74705SXin Li 1307*67e74705SXin Li// Don't crash on code containing __label__. 1308*67e74705SXin Liint radar9414427_aux(); 1309*67e74705SXin Livoid radar9414427() { 1310*67e74705SXin Li __label__ mylabel; 1311*67e74705SXin Li if (radar9414427_aux()) { 1312*67e74705SXin Li mylabel: do {} 1313*67e74705SXin Li while (0); 1314*67e74705SXin Li } 1315*67e74705SXin Li} 1316*67e74705SXin Li 1317*67e74705SXin Li// Analyze methods in @implementation (category) 1318*67e74705SXin Li@interface RDar9465344 1319*67e74705SXin Li@end 1320*67e74705SXin Li 1321*67e74705SXin Li@implementation RDar9465344 (MyCategory) 1322*67e74705SXin Li- (void) testcategoryImpl { 1323*67e74705SXin Li int *p = 0x0; 1324*67e74705SXin Li *p = 0xDEADBEEF; // expected-warning {{null}} 1325*67e74705SXin Li} 1326*67e74705SXin Li@end 1327*67e74705SXin Li 1328*67e74705SXin Li@implementation RDar9465344 1329*67e74705SXin Li@end 1330*67e74705SXin Li 1331*67e74705SXin Li// Don't crash when analyzing access to 'self' within a block. 1332*67e74705SXin Li@interface Rdar10380300Base 1333*67e74705SXin Li- (void) foo; 1334*67e74705SXin Li@end 1335*67e74705SXin Li@interface Rdar10380300 : Rdar10380300Base @end 1336*67e74705SXin Li@implementation Rdar10380300 1337*67e74705SXin Li- (void)foo { 1338*67e74705SXin Li ^{ 1339*67e74705SXin Li [super foo]; 1340*67e74705SXin Li }(); 1341*67e74705SXin Li} 1342*67e74705SXin Li@end 1343*67e74705SXin Li 1344*67e74705SXin Li// Don't crash when a ?: is only preceded by a statement (not an expression) 1345*67e74705SXin Li// in the CFG. 1346*67e74705SXin Livoid __assert_fail(); 1347*67e74705SXin Li 1348*67e74705SXin Lienum rdar1196620_e { E_A, E_B, E_C, E_D }; 1349*67e74705SXin Listruct rdar1196620_s { int ints[E_D+1]; }; 1350*67e74705SXin Li 1351*67e74705SXin Listatic void rdar1196620_call_assert(struct rdar1196620_s* s) { 1352*67e74705SXin Li int i = 0; 1353*67e74705SXin Li s?(void)0:__assert_fail(); 1354*67e74705SXin Li} 1355*67e74705SXin Li 1356*67e74705SXin Listatic void rdar1196620(struct rdar1196620_s* s) { 1357*67e74705SXin Li rdar1196620_call_assert(s); 1358*67e74705SXin Li} 1359*67e74705SXin Li 1360*67e74705SXin Li 1361