blob: 06e4a50e44cc8a3dde1281919e8df1380cf61679 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
|
// RUN: %clang_cc1 -analyze -analyzer-checker=core,experimental.core,debug.ExprInspection -analyzer-store=region -analyzer-constraints=range -verify -Wno-null-dereference %s
void clang_analyzer_eval(bool);
typedef typeof(sizeof(int)) size_t;
void malloc (size_t);
void f1() {
int const &i = 3;
int b = i;
int *p = 0;
if (b != 3)
*p = 1; // no-warning
}
char* ptr();
char& ref();
// These next two tests just shouldn't crash.
char t1 () {
ref() = 'c';
return '0';
}
// just a sanity test, the same behavior as t1()
char t2 () {
*ptr() = 'c';
return '0';
}
// Each of the tests below is repeated with pointers as well as references.
// This is mostly a sanity check, but then again, both should work!
char t3 () {
char& r = ref();
r = 'c'; // no-warning
if (r) return r;
return *(char*)0; // no-warning
}
char t4 () {
char* p = ptr();
*p = 'c'; // no-warning
if (*p) return *p;
return *(char*)0; // no-warning
}
char t5 (char& r) {
r = 'c'; // no-warning
if (r) return r;
return *(char*)0; // no-warning
}
char t6 (char* p) {
*p = 'c'; // no-warning
if (*p) return *p;
return *(char*)0; // no-warning
}
// PR13440 / <rdar://problem/11977113>
// Test that the array-to-pointer decay works for array references as well.
// More generally, when we want an lvalue for a reference field, we still need
// to do one level of load.
namespace PR13440 {
typedef int T[1];
struct S {
T &x;
int *m() { return x; }
};
struct S2 {
int (&x)[1];
int *m() { return x; }
};
void test() {
int a[1];
S s = { a };
S2 s2 = { a };
if (s.x != a) return;
if (s2.x != a) return;
a[0] = 42;
clang_analyzer_eval(s.x[0] == 42); // expected-warning{{TRUE}}
clang_analyzer_eval(s2.x[0] == 42); // expected-warning{{TRUE}}
}
}
void testNullReference() {
int *x = 0;
int &y = *x; // expected-warning{{Dereference of null pointer}}
y = 5;
}
void testRetroactiveNullReference(int *x) {
// According to the C++ standard, there is no such thing as a
// "null reference". So the 'if' statement ought to be dead code.
// However, Clang (and other compilers) don't actually check that a pointer
// value is non-null in the implementation of references, so it is possible
// to produce a supposed "null reference" at runtime. The analyzer shoeuld
// still warn when it can prove such errors.
int &y = *x;
if (x != 0)
return;
y = 5; // expected-warning{{Dereference of null pointer}}
}
// ------------------------------------
// False negatives
// ------------------------------------
namespace rdar11212286 {
class B{};
B test() {
B *x = 0;
return *x; // should warn here!
}
B &testRef() {
B *x = 0;
return *x; // should warn here!
}
}
|
