1 // RUN: %clang_cc1 -analyze -analyzer-checker=core,unix.Malloc,debug.ExprInspection,cplusplus -analyzer-config c++-inlining=destructors,cfg-temporary-dtors=true -Wno-null-dereference -Wno-inaccessible-base -verify %s
2 
3 void clang_analyzer_eval(bool);
4 void clang_analyzer_checkInlined(bool);
5 
6 class A {
7 public:
~A()8   ~A() {
9     int *x = 0;
10     *x = 3; // expected-warning{{Dereference of null pointer}}
11   }
12 };
13 
main()14 int main() {
15   A a;
16 }
17 
18 
19 typedef __typeof(sizeof(int)) size_t;
20 void *malloc(size_t);
21 void free(void *);
22 
23 class SmartPointer {
24   void *X;
25 public:
SmartPointer(void * x)26   SmartPointer(void *x) : X(x) {}
~SmartPointer()27   ~SmartPointer() {
28     free(X);
29   }
30 };
31 
testSmartPointer()32 void testSmartPointer() {
33   char *mem = (char*)malloc(4);
34   {
35     SmartPointer Deleter(mem);
36     // destructor called here
37   }
38   *mem = 0; // expected-warning{{Use of memory after it is freed}}
39 }
40 
41 
42 void doSomething();
testSmartPointer2()43 void testSmartPointer2() {
44   char *mem = (char*)malloc(4);
45   {
46     SmartPointer Deleter(mem);
47     // Remove dead bindings...
48     doSomething();
49     // destructor called here
50   }
51   *mem = 0; // expected-warning{{Use of memory after it is freed}}
52 }
53 
54 
55 class Subclass : public SmartPointer {
56 public:
Subclass(void * x)57   Subclass(void *x) : SmartPointer(x) {}
58 };
59 
testSubclassSmartPointer()60 void testSubclassSmartPointer() {
61   char *mem = (char*)malloc(4);
62   {
63     Subclass Deleter(mem);
64     // Remove dead bindings...
65     doSomething();
66     // destructor called here
67   }
68   *mem = 0; // expected-warning{{Use of memory after it is freed}}
69 }
70 
71 
72 class MultipleInheritance : public Subclass, public SmartPointer {
73 public:
MultipleInheritance(void * a,void * b)74   MultipleInheritance(void *a, void *b) : Subclass(a), SmartPointer(b) {}
75 };
76 
testMultipleInheritance1()77 void testMultipleInheritance1() {
78   char *mem = (char*)malloc(4);
79   {
80     MultipleInheritance Deleter(mem, 0);
81     // Remove dead bindings...
82     doSomething();
83     // destructor called here
84   }
85   *mem = 0; // expected-warning{{Use of memory after it is freed}}
86 }
87 
testMultipleInheritance2()88 void testMultipleInheritance2() {
89   char *mem = (char*)malloc(4);
90   {
91     MultipleInheritance Deleter(0, mem);
92     // Remove dead bindings...
93     doSomething();
94     // destructor called here
95   }
96   *mem = 0; // expected-warning{{Use of memory after it is freed}}
97 }
98 
testMultipleInheritance3()99 void testMultipleInheritance3() {
100   char *mem = (char*)malloc(4);
101   {
102     MultipleInheritance Deleter(mem, mem);
103     // Remove dead bindings...
104     doSomething();
105     // destructor called here
106     // expected-warning@28 {{Attempt to free released memory}}
107   }
108 }
109 
110 
111 class SmartPointerMember {
112   SmartPointer P;
113 public:
SmartPointerMember(void * x)114   SmartPointerMember(void *x) : P(x) {}
115 };
116 
testSmartPointerMember()117 void testSmartPointerMember() {
118   char *mem = (char*)malloc(4);
119   {
120     SmartPointerMember Deleter(mem);
121     // Remove dead bindings...
122     doSomething();
123     // destructor called here
124   }
125   *mem = 0; // expected-warning{{Use of memory after it is freed}}
126 }
127 
128 
129 struct IntWrapper {
IntWrapperIntWrapper130   IntWrapper() : x(0) {}
131   ~IntWrapper();
132   int *x;
133 };
134 
testArrayInvalidation()135 void testArrayInvalidation() {
136   int i = 42;
137   int j = 42;
138 
139   {
140     IntWrapper arr[2];
141 
142     // There should be no undefined value warnings here.
143     // Eventually these should be TRUE as well, but right now
144     // we can't handle array constructors.
145     clang_analyzer_eval(arr[0].x == 0); // expected-warning{{UNKNOWN}}
146     clang_analyzer_eval(arr[1].x == 0); // expected-warning{{UNKNOWN}}
147 
148     arr[0].x = &i;
149     arr[1].x = &j;
150     clang_analyzer_eval(*arr[0].x == 42); // expected-warning{{TRUE}}
151     clang_analyzer_eval(*arr[1].x == 42); // expected-warning{{TRUE}}
152   }
153 
154   // The destructors should have invalidated i and j.
155   clang_analyzer_eval(i == 42); // expected-warning{{UNKNOWN}}
156   clang_analyzer_eval(j == 42); // expected-warning{{UNKNOWN}}
157 }
158 
159 
160 
161 // Don't crash on a default argument inside an initializer.
162 struct DefaultArg {
DefaultArgDefaultArg163   DefaultArg(int x = 0) {}
164   ~DefaultArg();
165 };
166 
167 struct InheritsDefaultArg : DefaultArg {
InheritsDefaultArgInheritsDefaultArg168   InheritsDefaultArg() {}
169   virtual ~InheritsDefaultArg();
170 };
171 
testDefaultArg()172 void testDefaultArg() {
173   InheritsDefaultArg a;
174   // Force a bug to be emitted.
175   *(char *)0 = 1; // expected-warning{{Dereference of null pointer}}
176 }
177 
178 
179 namespace DestructorVirtualCalls {
180   class A {
181   public:
182     int *out1, *out2, *out3;
183 
get()184     virtual int get() { return 1; }
185 
~A()186     ~A() {
187       *out1 = get();
188     }
189   };
190 
191   class B : public A {
192   public:
get()193     virtual int get() { return 2; }
194 
~B()195     ~B() {
196       *out2 = get();
197     }
198   };
199 
200   class C : public B {
201   public:
get()202     virtual int get() { return 3; }
203 
~C()204     ~C() {
205       *out3 = get();
206     }
207   };
208 
test()209   void test() {
210     int a, b, c;
211 
212     // New scope for the C object.
213     {
214       C obj;
215       clang_analyzer_eval(obj.get() == 3); // expected-warning{{TRUE}}
216 
217       // Sanity check for devirtualization.
218       A *base = &obj;
219       clang_analyzer_eval(base->get() == 3); // expected-warning{{TRUE}}
220 
221       obj.out1 = &a;
222       obj.out2 = &b;
223       obj.out3 = &c;
224     }
225 
226     clang_analyzer_eval(a == 1); // expected-warning{{TRUE}}
227     clang_analyzer_eval(b == 2); // expected-warning{{TRUE}}
228     clang_analyzer_eval(c == 3); // expected-warning{{TRUE}}
229   }
230 }
231 
232 
233 namespace DestructorsShouldNotAffectReturnValues {
234   class Dtor {
235   public:
~Dtor()236     ~Dtor() {
237       clang_analyzer_checkInlined(true); // expected-warning{{TRUE}}
238     }
239   };
240 
allocate()241   void *allocate() {
242     Dtor d;
243     return malloc(4); // no-warning
244   }
245 
test()246   void test() {
247     // At one point we had an issue where the statements inside an
248     // inlined destructor kept us from finding the return statement,
249     // leading the analyzer to believe that the malloc'd memory had leaked.
250     void *p = allocate();
251     free(p); // no-warning
252   }
253 }
254 
255 namespace MultipleInheritanceVirtualDtors {
256   class VirtualDtor {
257   protected:
~VirtualDtor()258     virtual ~VirtualDtor() {
259       clang_analyzer_checkInlined(true); // expected-warning{{TRUE}}
260     }
261   };
262 
263   class NonVirtualDtor {
264   protected:
~NonVirtualDtor()265     ~NonVirtualDtor() {
266       clang_analyzer_checkInlined(true); // expected-warning{{TRUE}}
267     }
268   };
269 
270   class SubclassA : public VirtualDtor, public NonVirtualDtor {
271   public:
~SubclassA()272     virtual ~SubclassA() {}
273   };
274   class SubclassB : public NonVirtualDtor, public VirtualDtor {
275   public:
~SubclassB()276     virtual ~SubclassB() {}
277   };
278 
test()279   void test() {
280     SubclassA a;
281     SubclassB b;
282   }
283 }
284 
285 namespace ExplicitDestructorCall {
286   class VirtualDtor {
287   public:
~VirtualDtor()288     virtual ~VirtualDtor() {
289       clang_analyzer_checkInlined(true); // expected-warning{{TRUE}}
290     }
291   };
292 
293   class Subclass : public VirtualDtor {
294   public:
~Subclass()295     virtual ~Subclass() {
296       clang_analyzer_checkInlined(false); // no-warning
297     }
298   };
299 
destroy(Subclass * obj)300   void destroy(Subclass *obj) {
301     obj->VirtualDtor::~VirtualDtor();
302   }
303 }
304 
305 
306 namespace MultidimensionalArrays {
testArrayInvalidation()307   void testArrayInvalidation() {
308     int i = 42;
309     int j = 42;
310 
311     {
312       IntWrapper arr[2][2];
313 
314       // There should be no undefined value warnings here.
315       // Eventually these should be TRUE as well, but right now
316       // we can't handle array constructors.
317       clang_analyzer_eval(arr[0][0].x == 0); // expected-warning{{UNKNOWN}}
318       clang_analyzer_eval(arr[1][1].x == 0); // expected-warning{{UNKNOWN}}
319 
320       arr[0][0].x = &i;
321       arr[1][1].x = &j;
322       clang_analyzer_eval(*arr[0][0].x == 42); // expected-warning{{TRUE}}
323       clang_analyzer_eval(*arr[1][1].x == 42); // expected-warning{{TRUE}}
324     }
325 
326     // The destructors should have invalidated i and j.
327     clang_analyzer_eval(i == 42); // expected-warning{{UNKNOWN}}
328     clang_analyzer_eval(j == 42); // expected-warning{{UNKNOWN}}
329   }
330 }
331 
332 namespace LifetimeExtension {
333   struct IntWrapper {
334 	int x;
IntWrapperLifetimeExtension::IntWrapper335 	IntWrapper(int y) : x(y) {}
IntWrapperLifetimeExtension::IntWrapper336 	IntWrapper() {
337       extern void use(int);
338       use(x); // no-warning
339 	}
340   };
341 
342   struct DerivedWrapper : public IntWrapper {
DerivedWrapperLifetimeExtension::DerivedWrapper343 	DerivedWrapper(int y) : IntWrapper(y) {}
344   };
345 
get()346   DerivedWrapper get() {
347 	return DerivedWrapper(1);
348   }
349 
test()350   void test() {
351 	const DerivedWrapper &d = get(); // lifetime extended here
352   }
353 
354 
355   class SaveOnDestruct {
356   public:
357     static int lastOutput;
358     int value;
359 
360     SaveOnDestruct();
~SaveOnDestruct()361     ~SaveOnDestruct() {
362       lastOutput = value;
363     }
364   };
365 
testSimple()366   void testSimple() {
367     {
368       const SaveOnDestruct &obj = SaveOnDestruct();
369       if (obj.value != 42)
370         return;
371       // destructor called here
372     }
373 
374     clang_analyzer_eval(SaveOnDestruct::lastOutput == 42); // expected-warning{{TRUE}}
375   }
376 
377   struct NRCheck {
378     bool bool_;
NRCheckLifetimeExtension::NRCheck379     NRCheck():bool_(true) {}
380     ~NRCheck() __attribute__((noreturn));
operator boolLifetimeExtension::NRCheck381     operator bool() const { return bool_; }
382   };
383 
384   struct CheckAutoDestructor {
385     bool bool_;
CheckAutoDestructorLifetimeExtension::CheckAutoDestructor386     CheckAutoDestructor():bool_(true) {}
operator boolLifetimeExtension::CheckAutoDestructor387     operator bool() const { return bool_; }
388   };
389 
390   struct CheckCustomDestructor {
391     bool bool_;
CheckCustomDestructorLifetimeExtension::CheckCustomDestructor392     CheckCustomDestructor():bool_(true) {}
393     ~CheckCustomDestructor();
operator boolLifetimeExtension::CheckCustomDestructor394     operator bool() const { return bool_; }
395   };
396 
testUnnamedNR()397   bool testUnnamedNR() {
398     if (NRCheck())
399       return true;
400     return false;
401   }
402 
testNamedNR()403   bool testNamedNR() {
404     if (NRCheck c = NRCheck())
405       return true;
406     return false;
407   }
408 
testUnnamedAutoDestructor()409   bool testUnnamedAutoDestructor() {
410     if (CheckAutoDestructor())
411       return true;
412     return false;
413   }
414 
testNamedAutoDestructor()415   bool testNamedAutoDestructor() {
416     if (CheckAutoDestructor c = CheckAutoDestructor())
417       return true;
418     return false;
419   }
420 
testUnnamedCustomDestructor()421   bool testUnnamedCustomDestructor() {
422     if (CheckCustomDestructor())
423       return true;
424     return false;
425   }
426 
427   // This case used to cause an unexpected "Undefined or garbage value returned
428   // to caller" warning
testNamedCustomDestructor()429   bool testNamedCustomDestructor() {
430     if (CheckCustomDestructor c = CheckCustomDestructor())
431       return true;
432     return false;
433   }
434 
testMultipleTemporariesCustomDestructor()435   bool testMultipleTemporariesCustomDestructor() {
436     if (CheckCustomDestructor c = (CheckCustomDestructor(), CheckCustomDestructor()))
437       return true;
438     return false;
439   }
440 
441   class VirtualDtorBase {
442   public:
443     int value;
~VirtualDtorBase()444     virtual ~VirtualDtorBase() {}
445   };
446 
447   class SaveOnVirtualDestruct : public VirtualDtorBase {
448   public:
449     static int lastOutput;
450 
451     SaveOnVirtualDestruct();
~SaveOnVirtualDestruct()452     virtual ~SaveOnVirtualDestruct() {
453       lastOutput = value;
454     }
455   };
456 
testVirtual()457   void testVirtual() {
458     {
459       const VirtualDtorBase &obj = SaveOnVirtualDestruct();
460       if (obj.value != 42)
461         return;
462       // destructor called here
463     }
464 
465     clang_analyzer_eval(SaveOnVirtualDestruct::lastOutput == 42); // expected-warning{{TRUE}}
466   }
467 }
468 
469 namespace NoReturn {
470   struct NR {
471     ~NR() __attribute__((noreturn));
472   };
473 
f(int ** x)474   void f(int **x) {
475     NR nr;
476   }
477 
g()478   void g() {
479     int *x;
480     f(&x);
481     *x = 47; // no warning
482   }
483 
g2(int * x)484   void g2(int *x) {
485     if (! x) NR();
486     *x = 47; // no warning
487   }
488 }
489 
490 namespace PseudoDtor {
491   template <typename T>
destroy(T & obj)492   void destroy(T &obj) {
493     clang_analyzer_checkInlined(true); // expected-warning{{TRUE}}
494     obj.~T();
495   }
496 
test()497   void test() {
498     int i;
499     destroy(i);
500     clang_analyzer_eval(true); // expected-warning{{TRUE}}
501   }
502 }
503 
504 namespace Incomplete {
505   class Foo; // expected-note{{forward declaration}}
f(Foo * foo)506   void f(Foo *foo) { delete foo; } // expected-warning{{deleting pointer to incomplete type}}
507 }
508 
509 namespace TypeTraitExpr {
510 template <bool IsSimple, typename T>
511 struct copier {
512   static void do_copy(T *dest, const T *src, unsigned count);
513 };
514 template <typename T, typename U>
do_copy(T * dest,const U * src,unsigned count)515 void do_copy(T *dest, const U *src, unsigned count) {
516   const bool IsSimple = __is_trivial(T) && __is_same(T, U);
517   copier<IsSimple, T>::do_copy(dest, src, count);
518 }
519 struct NonTrivial {
520   int *p;
NonTrivialTypeTraitExpr::NonTrivial521   NonTrivial() : p(new int[1]) { p[0] = 0; }
NonTrivialTypeTraitExpr::NonTrivial522   NonTrivial(const NonTrivial &other) {
523     p = new int[1];
524     do_copy(p, other.p, 1);
525   }
operator =TypeTraitExpr::NonTrivial526   NonTrivial &operator=(const NonTrivial &other) {
527     p = other.p;
528     return *this;
529   }
~NonTrivialTypeTraitExpr::NonTrivial530   ~NonTrivial() {
531     delete[] p; // expected-warning {{free released memory}}
532   }
533 };
534 
f()535 void f() {
536   NonTrivial nt1;
537   NonTrivial nt2(nt1);
538   nt1 = nt2;
539   clang_analyzer_eval(__is_trivial(NonTrivial)); // expected-warning{{FALSE}}
540   clang_analyzer_eval(__alignof(NonTrivial) > 0); // expected-warning{{TRUE}}
541 }
542 }
543