1// RUN: %clang_cc1 -triple i386-apple-darwin9 -analyze -analyzer-checker=core,alpha.core.CastToStruct,alpha.security.ReturnPtrRange,alpha.security.ArrayBound -analyzer-store=region -verify -fblocks -analyzer-opt-analyze-nested-blocks -Wno-objc-root-class %s
2// RUN: %clang_cc1 -triple x86_64-apple-darwin9 -DTEST_64 -analyze -analyzer-checker=core,alpha.core.CastToStruct,alpha.security.ReturnPtrRange,alpha.security.ArrayBound -analyzer-store=region -verify -fblocks   -analyzer-opt-analyze-nested-blocks -Wno-objc-root-class %s
3
4typedef long unsigned int size_t;
5void *memcpy(void *, const void *, size_t);
6void *alloca(size_t);
7
8typedef struct objc_selector *SEL;
9typedef signed char BOOL;
10typedef int NSInteger;
11typedef unsigned int NSUInteger;
12typedef struct _NSZone NSZone;
13@class NSInvocation, NSMethodSignature, NSCoder, NSString, NSEnumerator;
14@protocol NSObject  - (BOOL)isEqual:(id)object; @end
15@protocol NSCopying  - (id)copyWithZone:(NSZone *)zone; @end
16@protocol NSMutableCopying  - (id)mutableCopyWithZone:(NSZone *)zone; @end
17@protocol NSCoding  - (void)encodeWithCoder:(NSCoder *)aCoder; @end
18@interface NSObject <NSObject> {} - (id)init; @end
19extern id NSAllocateObject(Class aClass, NSUInteger extraBytes, NSZone *zone);
20@interface NSString : NSObject <NSCopying, NSMutableCopying, NSCoding>
21- (NSUInteger)length;
22+ (id)stringWithUTF8String:(const char *)nullTerminatedCString;
23@end extern NSString * const NSBundleDidLoadNotification;
24@interface NSAssertionHandler : NSObject {}
25+ (NSAssertionHandler *)currentHandler;
26- (void)handleFailureInMethod:(SEL)selector object:(id)object file:(NSString *)fileName lineNumber:(NSInteger)line description:(NSString *)format,...;
27@end
28extern NSString * const NSConnectionReplyMode;
29
30#ifdef TEST_64
31typedef long long int64_t;
32typedef int64_t intptr_t;
33#else
34typedef int int32_t;
35typedef int32_t intptr_t;
36#endif
37
38//---------------------------------------------------------------------------
39// Test case 'checkaccess_union' differs for region store and basic store.
40// The basic store doesn't reason about compound literals, so the code
41// below won't fire an "uninitialized value" warning.
42//---------------------------------------------------------------------------
43
44// PR 2948 (testcase; crash on VisitLValue for union types)
45// http://llvm.org/bugs/show_bug.cgi?id=2948
46void checkaccess_union() {
47  int ret = 0, status;
48  // Since RegionStore doesn't handle unions yet,
49  // this branch condition won't be triggered
50  // as involving an uninitialized value.
51  if (((((__extension__ (((union {  // no-warning
52    __typeof (status) __in; int __i;}
53    )
54    {
55      .__in = (status)}
56      ).__i))) & 0xff00) >> 8) == 1)
57        ret = 1;
58}
59
60// Check our handling of fields being invalidated by function calls.
61struct test2_struct { int x; int y; char* s; };
62void test2_help(struct test2_struct* p);
63
64char test2() {
65  struct test2_struct s;
66  test2_help(&s);
67  char *p = 0;
68
69  if (s.x > 1) {
70    if (s.s != 0) {
71      p = "hello";
72    }
73  }
74
75  if (s.x > 1) {
76    if (s.s != 0) {
77      return *p;
78    }
79  }
80
81  return 'a';
82}
83
84// BasicStore handles this case incorrectly because it doesn't reason about
85// the value pointed to by 'x' and thus creates different symbolic values
86// at the declarations of 'a' and 'b' respectively.  RegionStore handles
87// it correctly. See the companion test in 'misc-ps-basic-store.m'.
88void test_trivial_symbolic_comparison_pointer_parameter(int *x) {
89  int a = *x;
90  int b = *x;
91  if (a != b) {
92    int *p = 0;
93    *p = 0xDEADBEEF;     // no-warning
94  }
95}
96
97// This is a modified test from 'misc-ps.m'.  Here we have the extra
98// NULL dereferences which are pruned out by RegionStore's symbolic reasoning
99// of fields.
100typedef struct _BStruct { void *grue; } BStruct;
101void testB_aux(void *ptr);
102
103void testB(BStruct *b) {
104  {
105    int *__gruep__ = ((int *)&((b)->grue));
106    int __gruev__ = *__gruep__;
107    int __gruev2__ = *__gruep__;
108    if (__gruev__ != __gruev2__) {
109      int *p = 0;
110      *p = 0xDEADBEEF; // no-warning
111    }
112
113    testB_aux(__gruep__);
114  }
115  {
116    int *__gruep__ = ((int *)&((b)->grue));
117    int __gruev__ = *__gruep__;
118    int __gruev2__ = *__gruep__;
119    if (__gruev__ != __gruev2__) {
120      int *p = 0;
121      *p = 0xDEADBEEF; // no-warning
122    }
123
124    if (~0 != __gruev__) {}
125  }
126}
127
128void testB_2(BStruct *b) {
129  {
130    int **__gruep__ = ((int **)&((b)->grue));
131    int *__gruev__ = *__gruep__;
132    testB_aux(__gruep__);
133  }
134  {
135    int **__gruep__ = ((int **)&((b)->grue));
136    int *__gruev__ = *__gruep__;
137    if ((int*)~0 != __gruev__) {}
138  }
139}
140
141// This test case is a reduced case of a caching bug discovered by an
142// assertion failure in RegionStoreManager::BindArray.  Essentially the
143// DeclStmt is evaluated twice, but on the second loop iteration the
144// engine caches out.  Previously a false transition would cause UnknownVal
145// to bind to the variable, firing an assertion failure.  This bug was fixed
146// in r76262.
147void test_declstmt_caching() {
148again:
149  {
150    const char a[] = "I like to crash";
151    goto again;
152  }
153}
154
155//===----------------------------------------------------------------------===//
156// Reduced test case from <rdar://problem/7114618>.
157// Basically a null check is performed on the field value, which is then
158// assigned to a variable and then checked again.
159//===----------------------------------------------------------------------===//
160struct s_7114618 { int *p; };
161void test_rdar_7114618(struct s_7114618 *s) {
162  if (s->p) {
163    int *p = s->p;
164    if (!p) {
165      // Infeasible
166      int *dead = 0;
167      *dead = 0xDEADBEEF; // no-warning
168    }
169  }
170}
171
172// Test pointers increment correctly.
173void f() {
174  int a[2];
175  a[1] = 3;
176  int *p = a;
177  p++;
178  if (*p != 3) {
179    int *q = 0;
180    *q = 3; // no-warning
181  }
182}
183
184//===----------------------------------------------------------------------===//
185// <rdar://problem/7185607>
186// Bit-fields of a struct should be invalidated when blasting the entire
187// struct with an integer constant.
188//===----------------------------------------------------------------------===//
189struct test_7185607 {
190  int x : 10;
191  int y : 22;
192};
193int rdar_test_7185607() {
194  struct test_7185607 s; // Uninitialized.
195  *((unsigned *) &s) = 0U;
196  return s.x; // no-warning
197}
198
199//===----------------------------------------------------------------------===//
200// <rdar://problem/7242006> [RegionStore] compound literal assignment with
201//  floats not honored
202// This test case is mirrored in misc-ps.m, but this case is a negative.
203//===----------------------------------------------------------------------===//
204typedef float CGFloat;
205typedef struct _NSSize {
206    CGFloat width;
207    CGFloat height;
208} NSSize;
209
210CGFloat rdar7242006_negative(CGFloat x) {
211  NSSize y;
212  return y.width; // expected-warning{{garbage}}
213}
214
215//===----------------------------------------------------------------------===//
216// <rdar://problem/7249340> - Allow binding of values to symbolic regions.
217// This test case shows how RegionStore tracks the value bound to 'x'
218// after the assignment.
219//===----------------------------------------------------------------------===//
220typedef int* ptr_rdar_7249340;
221void rdar_7249340(ptr_rdar_7249340 x) {
222  *x = 1;
223  if (*x)
224    return;
225  int *p = 0;   // This is unreachable.
226  *p = 0xDEADBEEF; // no-warning
227}
228
229//===----------------------------------------------------------------------===//
230// <rdar://problem/7249327> - This test case tests both value tracking of
231// array values and that we handle symbolic values that are casted
232// between different integer types.  Note the assignment 'n = *a++'; here
233// 'n' is and 'int' and '*a' is 'unsigned'.  Previously we got a false positive
234// at 'x += *b++' (undefined value) because we got a false path.
235//===----------------------------------------------------------------------===//
236int rdar_7249327_aux(void);
237
238void rdar_7249327(unsigned int A[2*32]) {
239  int B[2*32];
240  int *b;
241  unsigned int *a;
242  int x = 0;
243
244  int n;
245
246  a = A;
247  b = B;
248
249  n = *a++;
250  if (n)
251    *b++ = rdar_7249327_aux();
252
253  a = A;
254  b = B;
255
256  n = *a++;
257  if (n)
258    x += *b++; // no-warning
259}
260
261//===----------------------------------------------------------------------===//
262// <rdar://problem/6914474> - Check that 'x' is invalidated because its
263// address is passed in as a value to a struct.
264//===----------------------------------------------------------------------===//
265struct doodad_6914474 { int *v; };
266extern void prod_6914474(struct doodad_6914474 *d);
267int rdar_6914474(void) {
268  int x;
269  struct doodad_6914474 d;
270  d.v = &x;
271  prod_6914474(&d);
272  return x; // no-warning
273}
274
275// Test invalidation of a single field.
276struct s_test_field_invalidate {
277  int x;
278};
279extern void test_invalidate_field(int *x);
280int test_invalidate_field_test() {
281  struct s_test_field_invalidate y;
282  test_invalidate_field(&y.x);
283  return y.x; // no-warning
284}
285int test_invalidate_field_test_positive() {
286  struct s_test_field_invalidate y;
287  return y.x; // expected-warning{{garbage}}
288}
289
290// This test case illustrates how a typeless array of bytes casted to a
291// struct should be treated as initialized.  RemoveDeadBindings previously
292// had a bug that caused 'x' to lose its default symbolic value after the
293// assignment to 'p', thus causing 'p->z' to evaluate to "undefined".
294struct ArrayWrapper { unsigned char y[16]; };
295struct WrappedStruct { unsigned z; };
296
297void test_handle_array_wrapper_helper();
298
299int test_handle_array_wrapper() {
300  struct ArrayWrapper x;
301  test_handle_array_wrapper_helper(&x);
302  struct WrappedStruct *p = (struct WrappedStruct*) x.y; // expected-warning{{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption}}
303  return p->z;  // no-warning
304}
305
306//===----------------------------------------------------------------------===//
307// <rdar://problem/7261075> [RegionStore] crash when
308//   handling load: '*((unsigned int *)"????")'
309//===----------------------------------------------------------------------===//
310
311int rdar_7261075(void) {
312  unsigned int var = 0;
313  if (var == *((unsigned int *)"????"))
314    return 1;
315  return 0;
316}
317
318//===----------------------------------------------------------------------===//
319// <rdar://problem/7275774> false path due to limited pointer
320//                          arithmetic constraints
321//===----------------------------------------------------------------------===//
322
323void rdar_7275774(void *data, unsigned n) {
324  if (!(data || n == 0))
325    return;
326
327  unsigned short *p = (unsigned short*) data;
328  unsigned short *q = p + (n / 2);
329
330  if (p < q) {
331    // If we reach here, 'p' cannot be null.  If 'p' is null, then 'n' must
332    // be '0', meaning that this branch is not feasible.
333    *p = *q; // no-warning
334  }
335}
336
337//===----------------------------------------------------------------------===//
338// <rdar://problem/7312221>
339//
340//  Test that Objective-C instance variables aren't prematurely pruned
341//  from the analysis state.
342//===----------------------------------------------------------------------===//
343
344struct rdar_7312221_value { int x; };
345
346@interface RDar7312221
347{
348  struct rdar_7312221_value *y;
349}
350- (void) doSomething_7312221;
351@end
352
353extern struct rdar_7312221_value *rdar_7312221_helper();
354extern int rdar_7312221_helper_2(id o);
355extern void rdar_7312221_helper_3(int z);
356
357@implementation RDar7312221
358- (void) doSomething_7312221 {
359  if (y == 0) {
360    y = rdar_7312221_helper();
361    if (y != 0) {
362      y->x = rdar_7312221_helper_2(self);
363      // The following use of 'y->x' previously triggered a null dereference, as the value of 'y'
364      // before 'y = rdar_7312221_helper()' would be used.
365      rdar_7312221_helper_3(y->x); // no-warning
366    }
367  }
368}
369@end
370
371struct rdar_7312221_container {
372  struct rdar_7312221_value *y;
373};
374
375extern int rdar_7312221_helper_4(struct rdar_7312221_container *s);
376
377// This test case essentially matches the one in [RDar7312221 doSomething_7312221].
378void doSomething_7312221_with_struct(struct rdar_7312221_container *Self) {
379  if (Self->y == 0) {
380    Self->y = rdar_7312221_helper();
381    if (Self->y != 0) {
382      Self->y->x = rdar_7312221_helper_4(Self);
383      rdar_7312221_helper_3(Self->y->x); // no-warning
384    }
385  }
386}
387
388//===----------------------------------------------------------------------===//
389// <rdar://problem/7332673> - Just more tests cases for regions
390//===----------------------------------------------------------------------===//
391
392void rdar_7332673_test1() {
393    char value[1];
394    if ( *(value) != 1 ) {} // expected-warning{{The left operand of '!=' is a garbage value}}
395}
396int rdar_7332673_test2_aux(char *x);
397void rdar_7332673_test2() {
398    char *value;
399    if ( rdar_7332673_test2_aux(value) != 1 ) {} // expected-warning{{Function call argument is an uninitialized value}}
400}
401
402//===----------------------------------------------------------------------===//
403// <rdar://problem/7347252>: Because of a bug in
404//   RegionStoreManager::RemoveDeadBindings(), the symbol for s->session->p
405//   would incorrectly be pruned from the state after the call to
406//   rdar7347252_malloc1(), and would incorrectly result in a warning about
407//   passing a null pointer to rdar7347252_memcpy().
408//===----------------------------------------------------------------------===//
409
410struct rdar7347252_AA { char *p;};
411typedef struct {
412 struct rdar7347252_AA *session;
413 int t;
414 char *q;
415} rdar7347252_SSL1;
416
417int rdar7347252_f(rdar7347252_SSL1 *s);
418char *rdar7347252_malloc1(int);
419char *rdar7347252_memcpy1(char *d, char *s, int n) __attribute__((nonnull (1,2)));
420
421int rdar7347252(rdar7347252_SSL1 *s) {
422 rdar7347252_f(s);  // the SymbolicRegion of 's' is set a default binding of conjured symbol
423 if (s->session->p == ((void*)0)) {
424   if ((s->session->p = rdar7347252_malloc1(10)) == ((void*)0)) {
425     return 0;
426   }
427   rdar7347252_memcpy1(s->session->p, "aa", 2); // no-warning
428 }
429 return 0;
430}
431
432//===----------------------------------------------------------------------===//
433// PR 5316 - "crash when accessing field of lazy compound value"
434//  Previously this caused a crash at the MemberExpr '.chr' when loading
435//  a field value from a LazyCompoundVal
436//===----------------------------------------------------------------------===//
437
438typedef unsigned int pr5316_wint_t;
439typedef pr5316_wint_t pr5316_REFRESH_CHAR;
440typedef struct {
441  pr5316_REFRESH_CHAR chr;
442}
443pr5316_REFRESH_ELEMENT;
444static void pr5316(pr5316_REFRESH_ELEMENT *dst, const pr5316_REFRESH_ELEMENT *src) {
445  while ((*dst++ = *src++).chr != L'\0')  ;
446}
447
448//===----------------------------------------------------------------------===//
449// Exercise creating ElementRegion with symbolic super region.
450//===----------------------------------------------------------------------===//
451void element_region_with_symbolic_superregion(int* p) {
452  int *x;
453  int a;
454  if (p[0] == 1)
455    x = &a;
456  if (p[0] == 1)
457    (void)*x; // no-warning
458}
459
460//===----------------------------------------------------------------------===//
461// Test returning an out-of-bounds pointer (CWE-466)
462//===----------------------------------------------------------------------===//
463
464static int test_cwe466_return_outofbounds_pointer_a[10];
465int *test_cwe466_return_outofbounds_pointer() {
466  int *p = test_cwe466_return_outofbounds_pointer_a+10;
467  return p; // expected-warning{{Returned pointer value points outside the original object}}
468}
469
470//===----------------------------------------------------------------------===//
471// PR 3135 - Test case that shows that a variable may get invalidated when its
472// address is included in a structure that is passed-by-value to an unknown function.
473//===----------------------------------------------------------------------===//
474
475typedef struct { int *a; } pr3135_structure;
476int pr3135_bar(pr3135_structure *x);
477int pr3135() {
478  int x;
479  pr3135_structure y = { &x };
480  // the call to pr3135_bar may initialize x
481  if (pr3135_bar(&y) && x) // no-warning
482    return 1;
483  return 0;
484}
485
486//===----------------------------------------------------------------------===//
487// <rdar://problem/7403269> - Test that we handle compound initializers with
488// partially unspecified array values. Previously this caused a crash.
489//===----------------------------------------------------------------------===//
490
491typedef struct RDar7403269 {
492  unsigned x[10];
493  unsigned y;
494} RDar7403269;
495
496void rdar7403269() {
497  RDar7403269 z = { .y = 0 };
498  if (z.x[4] == 0)
499    return;
500  int *p = 0;
501  *p = 0xDEADBEEF; // no-warning
502}
503
504typedef struct RDar7403269_b {
505  struct zorg { int w; int k; } x[10];
506  unsigned y;
507} RDar7403269_b;
508
509void rdar7403269_b() {
510  RDar7403269_b z = { .y = 0 };
511  if (z.x[5].w == 0)
512    return;
513  int *p = 0;
514  *p = 0xDEADBEEF; // no-warning
515}
516
517void rdar7403269_b_pos() {
518  RDar7403269_b z = { .y = 0 };
519  if (z.x[5].w == 1)
520    return;
521  int *p = 0;
522  *p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}}
523}
524
525
526//===----------------------------------------------------------------------===//
527// Test that incrementing a non-null pointer results in a non-null pointer.
528// (<rdar://problem/7191542>)
529//===----------------------------------------------------------------------===//
530
531void test_increment_nonnull_rdar_7191542(const char *path) {
532  const char *alf = 0;
533
534  for (;;) {
535    // When using basic-store, we get a null dereference here because we lose information
536    // about path after the pointer increment.
537    char c = *path++; // no-warning
538    if (c == 'a') {
539      alf = path;
540    }
541
542    if (alf)
543      return;
544  }
545}
546
547//===----------------------------------------------------------------------===//
548// Test that the store (implicitly) tracks values for doubles/floats that are
549// uninitialized (<rdar://problem/6811085>)
550//===----------------------------------------------------------------------===//
551
552double rdar_6811085(void) {
553  double u;
554  return u + 10; // expected-warning{{The left operand of '+' is a garbage value}}
555}
556
557//===----------------------------------------------------------------------===//
558// Path-sensitive tests for blocks.
559//===----------------------------------------------------------------------===//
560
561void indirect_block_call(void (^f)());
562
563int blocks_1(int *p, int z) {
564  __block int *q = 0;
565  void (^bar)() = ^{ q = p; };
566
567  if (z == 1) {
568    // The call to 'bar' might cause 'q' to be invalidated.
569    bar();
570    *q = 0x1; // no-warning
571  }
572  else if (z == 2) {
573    // The function 'indirect_block_call' might invoke bar, thus causing
574    // 'q' to possibly be invalidated.
575    indirect_block_call(bar);
576    *q = 0x1; // no-warning
577  }
578  else {
579    *q = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}}
580  }
581  return z;
582}
583
584int blocks_2(int *p, int z) {
585  int *q = 0;
586  void (^bar)(int **) = ^(int **r){ *r = p; };
587
588  if (z) {
589    // The call to 'bar' might cause 'q' to be invalidated.
590    bar(&q);
591    *q = 0x1; // no-warning
592  }
593  else {
594    *q = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}}
595  }
596  return z;
597}
598
599// Test that the value of 'x' is considered invalidated after the block
600// is passed as an argument to the message expression.
601typedef void (^RDar7582031CB)(void);
602@interface RDar7582031
603- rdar7582031:RDar7582031CB;
604- rdar7582031_b:RDar7582031CB;
605@end
606
607// Test with one block.
608unsigned rdar7582031(RDar7582031 *o) {
609  __block unsigned x;
610  [o rdar7582031:^{ x = 1; }];
611  return x; // no-warning
612}
613
614// Test with two blocks.
615unsigned long rdar7582031_b(RDar7582031 *o) {
616  __block unsigned y;
617  __block unsigned long x;
618  [o rdar7582031:^{ y = 1; }];
619  [o rdar7582031_b:^{ x = 1LL; }];
620  return x + (unsigned long) y; // no-warning
621}
622
623// Show we get an error when 'o' is null because the message
624// expression has no effect.
625unsigned long rdar7582031_b2(RDar7582031 *o) {
626  __block unsigned y;
627  __block unsigned long x;
628  if (o)
629    return 1;
630  [o rdar7582031:^{ y = 1; }];
631  [o rdar7582031_b:^{ x = 1LL; }];
632  return x + (unsigned long) y; // expected-warning{{The left operand of '+' is a garbage value}}
633}
634
635// Show that we handle static variables also getting invalidated.
636void rdar7582031_aux(void (^)(void));
637RDar7582031 *rdar7582031_aux_2();
638
639unsigned rdar7582031_static() {
640  static RDar7582031 *o = 0;
641  rdar7582031_aux(^{ o = rdar7582031_aux_2(); });
642
643  __block unsigned x;
644  [o rdar7582031:^{ x = 1; }];
645  return x; // no-warning
646}
647
648//===----------------------------------------------------------------------===//
649// <rdar://problem/7462324> - Test that variables passed using __blocks
650//  are not treated as being uninitialized.
651//===----------------------------------------------------------------------===//
652
653typedef void (^RDar_7462324_Callback)(id obj);
654
655@interface RDar7462324
656- (void) foo:(id)target;
657- (void) foo_positive:(id)target;
658
659@end
660
661@implementation RDar7462324
662- (void) foo:(id)target {
663  __block RDar_7462324_Callback builder = ((void*) 0);
664  builder = ^(id object) {
665    if (object) {
666      builder(self); // no-warning
667    }
668  };
669  builder(target);
670}
671- (void) foo_positive:(id)target {
672  __block RDar_7462324_Callback builder = ((void*) 0);
673  builder = ^(id object) {
674    id x;
675    if (object) {
676      builder(x); // expected-warning{{Block call argument is an uninitialized value}}
677    }
678  };
679  builder(target);
680}
681@end
682
683//===----------------------------------------------------------------------===//
684// <rdar://problem/7468209> - Scanning for live variables within a block should
685//  not crash on variables passed by reference via __block.
686//===----------------------------------------------------------------------===//
687
688int rdar7468209_aux();
689void rdar7468209_aux_2();
690
691void rdar7468209() {
692  __block int x = 0;
693  ^{
694    x = rdar7468209_aux();
695    // We need a second statement so that 'x' would be removed from the store if it wasn't
696    // passed by reference.
697    rdar7468209_aux_2();
698  }();
699}
700
701//===----------------------------------------------------------------------===//
702// PR 5857 - Test loading an integer from a byte array that has also been
703//  reinterpreted to be loaded as a field.
704//===----------------------------------------------------------------------===//
705
706typedef struct { int x; } TestFieldLoad;
707int pr5857(char *src) {
708  TestFieldLoad *tfl = (TestFieldLoad *) (intptr_t) src;
709  int y = tfl->x;
710  long long *z = (long long *) (intptr_t) src;
711  long long w = 0;
712  int n = 0;
713  for (n = 0; n < y; ++n) {
714    // Previously we crashed analyzing this statement.
715    w = *z++;
716  }
717  return 1;
718}
719
720//===----------------------------------------------------------------------===//
721// PR 4358 - Without field-sensitivity, this code previously triggered
722//  a false positive that 'uninit' could be uninitialized at the call
723//  to pr4358_aux().
724//===----------------------------------------------------------------------===//
725
726struct pr4358 {
727  int bar;
728  int baz;
729};
730void pr4358_aux(int x);
731void pr4358(struct pr4358 *pnt) {
732  int uninit;
733  if (pnt->bar < 3) {
734    uninit = 1;
735  } else if (pnt->baz > 2) {
736    uninit = 3;
737  } else if (pnt->baz <= 2) {
738    uninit = 2;
739  }
740  pr4358_aux(uninit); // no-warning
741}
742
743//===----------------------------------------------------------------------===//
744// <rdar://problem/7526777>
745// Test handling fields of values returned from function calls or
746// message expressions.
747//===----------------------------------------------------------------------===//
748
749typedef struct testReturn_rdar_7526777 {
750  int x;
751  int y;
752} testReturn_rdar_7526777;
753
754@interface TestReturnStruct_rdar_7526777
755- (testReturn_rdar_7526777) foo;
756@end
757
758int test_return_struct(TestReturnStruct_rdar_7526777 *x) {
759  return [x foo].x;
760}
761
762testReturn_rdar_7526777 test_return_struct_2_aux_rdar_7526777();
763
764int test_return_struct_2_rdar_7526777() {
765  return test_return_struct_2_aux_rdar_7526777().x;
766}
767
768//===----------------------------------------------------------------------===//
769// <rdar://problem/7527292> Assertion failed: (Op == BinaryOperator::Add ||
770//                                             Op == BinaryOperator::Sub)
771// This test case previously triggered an assertion failure due to a discrepancy
772// been the loaded/stored value in the array
773//===----------------------------------------------------------------------===//
774
775_Bool OSAtomicCompareAndSwapPtrBarrier( void *__oldValue, void *__newValue, void * volatile *__theValue );
776
777void rdar_7527292() {
778  static id Cache7527292[32];
779  for (signed long idx = 0;
780       idx < 32;
781       idx++) {
782    id v = Cache7527292[idx];
783    if (v && OSAtomicCompareAndSwapPtrBarrier(v, ((void*)0), (void * volatile *)(Cache7527292 + idx))) {
784    }
785  }
786}
787
788//===----------------------------------------------------------------------===//
789// <rdar://problem/7515938> - Handle initialization of incomplete arrays
790//  in structures using a compound value.  Previously this crashed.
791//===----------------------------------------------------------------------===//
792
793struct rdar_7515938 {
794  int x;
795  int y[];
796};
797
798const struct rdar_7515938 *rdar_7515938() {
799  static const struct rdar_7515938 z = { 0, { 1, 2 } };
800  if (z.y[0] != 1) {
801    int *p = 0;
802    *p = 0xDEADBEEF; // no-warning
803  }
804  return &z;
805}
806
807struct rdar_7515938_str {
808  int x;
809  char y[];
810};
811
812const struct rdar_7515938_str *rdar_7515938_str() {
813  static const struct rdar_7515938_str z = { 0, "hello" };
814  return &z;
815}
816
817//===----------------------------------------------------------------------===//
818// Assorted test cases from PR 4172.
819//===----------------------------------------------------------------------===//
820
821struct PR4172A_s { int *a; };
822
823void PR4172A_f2(struct PR4172A_s *p);
824
825int PR4172A_f1(void) {
826    struct PR4172A_s m;
827    int b[4];
828    m.a = b;
829    PR4172A_f2(&m);
830    return b[3]; // no-warning
831}
832
833struct PR4172B_s { int *a; };
834
835void PR4172B_f2(struct PR4172B_s *p);
836
837int PR4172B_f1(void) {
838    struct PR4172B_s m;
839    int x;
840    m.a = &x;
841    PR4172B_f2(&m);
842    return x; // no-warning
843}
844
845//===----------------------------------------------------------------------===//
846// Test invalidation of values in struct literals.
847//===----------------------------------------------------------------------===//
848
849struct s_rev96062 { int *x; int *y; };
850struct s_rev96062_nested { struct s_rev96062 z; };
851
852void test_a_rev96062_aux(struct s_rev96062 *s);
853void test_a_rev96062_aux2(struct s_rev96062_nested *s);
854
855int test_a_rev96062() {
856  int a, b;
857  struct s_rev96062 x = { &a, &b };
858  test_a_rev96062_aux(&x);
859  return a + b; // no-warning
860}
861int test_b_rev96062() {
862  int a, b;
863  struct s_rev96062 x = { &a, &b };
864  struct s_rev96062 z = x;
865  test_a_rev96062_aux(&z);
866  return a + b; // no-warning
867}
868int test_c_rev96062() {
869  int a, b;
870  struct s_rev96062 x = { &a, &b };
871  struct s_rev96062_nested w = { x };
872  struct s_rev96062_nested z = w;
873  test_a_rev96062_aux2(&z);
874  return a + b; // no-warning
875}
876
877//===----------------------------------------------------------------------===//
878// <rdar://problem/7242010> - The access to y[0] at the bottom previously
879//  was reported as an uninitialized value.
880//===----------------------------------------------------------------------===//
881
882char *rdar_7242010(int count, char **y) {
883  char **x = alloca((count + 4) * sizeof(*x));
884  x[0] = "hi";
885  x[1] = "there";
886  x[2] = "every";
887  x[3] = "body";
888  memcpy(x + 4, y, count * sizeof(*x));
889  y = x;
890  return y[0]; // no-warning
891}
892
893//===----------------------------------------------------------------------===//
894// <rdar://problem/7770737>
895//===----------------------------------------------------------------------===//
896
897struct rdar_7770737_s { intptr_t p; };
898void rdar_7770737_aux(struct rdar_7770737_s *p);
899int rdar_7770737(void)
900{
901  int x;
902
903  // Previously 'f' was not properly invalidated, causing the use of
904  // an uninitailized value below.
905  struct rdar_7770737_s f = { .p = (intptr_t)&x };
906  rdar_7770737_aux(&f);
907  return x; // no-warning
908}
909int rdar_7770737_pos(void)
910{
911  int x;
912  struct rdar_7770737_s f = { .p = (intptr_t)&x };
913  return x; // expected-warning{{Undefined or garbage value returned to caller}}
914}
915
916//===----------------------------------------------------------------------===//
917// Test handling of the implicit 'isa' field.  For now we don't do anything
918// interesting.
919//===----------------------------------------------------------------------===//
920
921void pr6302(id x, Class y) {
922  // This previously crashed the analyzer (reported in PR 6302)
923  x->isa  = y; // expected-warning {{assignment to Objective-C's isa is deprecated in favor of object_setClass()}}
924}
925
926//===----------------------------------------------------------------------===//
927// Specially handle global variables that are declared constant.  In the
928// example below, this forces the loop to take exactly 2 iterations.
929//===----------------------------------------------------------------------===//
930
931const int pr6288_L_N = 2;
932void pr6288_(void) {
933  int x[2];
934  int *px[2];
935  int i;
936  for (i = 0; i < pr6288_L_N; i++)
937    px[i] = &x[i];
938  *(px[0]) = 0; // no-warning
939}
940
941void pr6288_pos(int z) {
942  int x[2];
943  int *px[2];
944  int i;
945  for (i = 0; i < z; i++)
946    px[i] = &x[i]; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
947  *(px[0]) = 0; // expected-warning{{Dereference of undefined pointer value}}
948}
949
950void pr6288_b(void) {
951  const int L_N = 2;
952  int x[2];
953  int *px[2];
954  int i;
955  for (i = 0; i < L_N; i++)
956    px[i] = &x[i];
957  *(px[0]) = 0; // no-warning
958}
959
960// <rdar://problem/7817800> - A bug in RemoveDeadBindings was causing instance variable bindings
961//  to get prematurely pruned from the state.
962@interface Rdar7817800 {
963  char *x;
964}
965- (void) rdar7817800_baz;
966@end
967
968char *rdar7817800_foobar();
969void rdar7817800_qux(void*);
970
971@implementation Rdar7817800
972- (void) rdar7817800_baz {
973  if (x)
974    rdar7817800_qux(x);
975  x = rdar7817800_foobar();
976  // Previously this triggered a bogus null dereference warning.
977  x[1] = 'a'; // no-warning
978}
979@end
980
981// PR 6036 - This test case triggered a crash inside StoreManager::CastRegion because the size
982// of 'unsigned long (*)[0]' is 0.
983struct pr6036_a { int pr6036_b; };
984struct pr6036_c;
985void u132monitk (struct pr6036_c *pr6036_d) {
986  (void) ((struct pr6036_a *) (unsigned long (*)[0]) ((char *) pr6036_d - 1))->pr6036_b; // expected-warning{{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption}}
987}
988
989// <rdar://problem/7813989> - ?-expressions used as a base of a member expression should be treated as an lvalue
990typedef struct rdar7813989_NestedVal { int w; } rdar7813989_NestedVal;
991typedef struct rdar7813989_Val { rdar7813989_NestedVal nv; } rdar7813989_Val;
992
993int rdar7813989(int x, rdar7813989_Val *a, rdar7813989_Val *b) {
994  // This previously crashed with an assertion failure.
995  int z = (x ? a->nv : b->nv).w;
996  return z + 1;
997}
998
999// PR 6844 - Don't crash on vaarg expression.
1000typedef __builtin_va_list va_list;
1001void map(int srcID, ...) {
1002  va_list ap;
1003  int i;
1004  for (i = 0; i < srcID; i++) {
1005    int v = __builtin_va_arg(ap, int);
1006  }
1007}
1008
1009// PR 6854 - crash when casting symbolic memory address to a float
1010// Handle casting from a symbolic region to a 'float'.  This isn't
1011// really all that intelligent, but previously this caused a crash
1012// in SimpleSValuator.
1013void pr6854(void * arg) {
1014  void * a = arg;
1015  *(void**)a = arg;
1016  float f = *(float*) a;
1017}
1018
1019// <rdar://problem/8032791> False positive due to symbolic store not find
1020//  value because of 'const' qualifier
1021double rdar_8032791_2();
1022double rdar_8032791_1() {
1023   struct R8032791 { double x[2]; double y; }
1024   data[3] = {
1025     {{1.0, 3.0}, 3.0},  //  1   2   3
1026     {{1.0, 1.0}, 0.0},  // 1 1 2 2 3 3
1027     {{1.0, 3.0}, 1.0}   //    1   2   3
1028   };
1029
1030   double x = 0.0;
1031   for (unsigned i = 0 ; i < 3; i++) {
1032     const struct R8032791 *p = &data[i];
1033     x += p->y + rdar_8032791_2(); // no-warning
1034   }
1035   return x;
1036}
1037
1038// PR 7450 - Handle pointer arithmetic with __builtin_alloca
1039void pr_7450_aux(void *x);
1040void pr_7450() {
1041  void *p = __builtin_alloca(10);
1042  // Don't crash when analyzing the following statement.
1043  pr_7450_aux(p + 8);
1044}
1045
1046// <rdar://problem/8243408> - Symbolicate struct values returned by value.
1047struct s_rdar_8243408 { int x; };
1048extern struct s_rdar_8243408 rdar_8243408_aux(void);
1049void rdar_8243408(void) {
1050  struct s_rdar_8243408 a = { 1 }, *b = 0;
1051  while (a.x && !b)
1052    a = rdar_8243408_aux();
1053
1054  // Previously there was a false error here with 'b' being null.
1055  (void) (a.x && b->x); // no-warning
1056
1057  // Introduce a null deref to ensure we are checking this path.
1058  int *p = 0;
1059  *p = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}}
1060}
1061
1062// <rdar://problem/8258814>
1063int r8258814()
1064{
1065  int foo;
1066  int * a = &foo;
1067  a[0] = 10;
1068  // Do not warn that the value of 'foo' is uninitialized.
1069  return foo; // no-warning
1070}
1071
1072// PR 8052 - Don't crash when reasoning about loads from a function address.\n
1073typedef unsigned int __uint32_t;
1074typedef unsigned long vm_offset_t;
1075typedef __uint32_t pd_entry_t;
1076typedef unsigned char u_char;
1077typedef unsigned int u_int;
1078typedef unsigned long u_long;
1079extern int      bootMP_size;
1080void            bootMP(void);
1081static void
1082pr8052(u_int boot_addr)
1083{
1084    int             x;
1085    int             size = *(int *) ((u_long) & bootMP_size);
1086    u_char         *src = (u_char *) ((u_long) bootMP);
1087    u_char         *dst = (u_char *) boot_addr + ((vm_offset_t) ((((((((1 <<
108812) / (sizeof(pd_entry_t))) - 1) - 1) - (260 - 2))) << 22) | ((0) << 12)));
1089#ifdef TEST_64
1090// expected-warning@-3 {{cast to 'u_char *' (aka 'unsigned char *') from smaller integer type 'u_int' (aka 'unsigned int')}}
1091#endif
1092    for (x = 0;
1093         x < size;
1094         ++x)
1095        *dst++ = *src++;
1096}
1097
1098// PR 8015 - don't return undefined values for arrays when using a valid
1099// symbolic index
1100int pr8015_A();
1101void pr8015_B(const char *);
1102
1103void pr8015_C() {
1104  int number = pr8015_A();
1105  const char *numbers[] = { "zero" };
1106  if (number == 0) {
1107      pr8015_B(numbers[number]); // no-warning
1108  }
1109}
1110
1111// Tests that we correctly handle that 'number' is perfectly constrained
1112// after 'if (nunber == 0)', allowing us to resolve that
1113// numbers[number] == numbers[0].
1114void pr8015_D_FIXME() {
1115  int number = pr8015_A();
1116  const char *numbers[] = { "zero" };
1117  if (number == 0) {
1118    if (numbers[number] == numbers[0])
1119      return;
1120    // Unreachable.
1121    int *p = 0;
1122    *p = 0xDEADBEEF; // no-warnng
1123  }
1124}
1125
1126void pr8015_E() {
1127  // Similar to pr8015_C, but number is allowed to be a valid range.
1128  unsigned number = pr8015_A();
1129  const char *numbers[] = { "zero", "one", "two" };
1130  if (number < 3) {
1131    pr8015_B(numbers[number]); // no-warning
1132  }
1133}
1134
1135void pr8015_F_FIXME() {
1136  // Similar to pr8015_E, but like pr8015_D we check if the pointer
1137  // is the same as one of the string literals.  The null dereference
1138  // here is not feasible in practice, so this is a false positive.
1139  int number = pr8015_A();
1140  const char *numbers[] = { "zero", "one", "two" };
1141  if (number < 3) {
1142    const char *p = numbers[number];
1143    if (p == numbers[0] || p == numbers[1] || p == numbers[2])
1144      return;
1145    int *q = 0;
1146    *q = 0xDEADBEEF; // expected-warning{{Dereference of null pointer}}
1147  }
1148}
1149
1150// PR 8141.  Previously the statement expression in the for loop caused
1151// the CFG builder to crash.
1152struct list_pr8141
1153{
1154  struct list_pr8141 *tail;
1155};
1156
1157struct list_pr8141 *
1158pr8141 (void) {
1159  struct list_pr8141 *items;
1160  for (;; items = ({ do { } while (0); items->tail; })) // expected-warning{{Dereference of undefined pointer value}}
1161    {
1162    }
1163}
1164
1165// Don't crash when building the CFG.
1166void do_not_crash(int x) {
1167  while (x - ({do {} while (0); x; })) {
1168  }
1169}
1170
1171// <rdar://problem/8424269> - Handle looking at the size of a VLA in
1172// ArrayBoundChecker.  Nothing intelligent (yet); just don't crash.
1173typedef struct RDar8424269_A {
1174  int RDar8424269_C;
1175} RDar8424269_A;
1176static void RDar8424269_B(RDar8424269_A *p, unsigned char *RDar8424269_D,
1177                          const unsigned char *RDar8424269_E, int RDar8424269_F,
1178    int b_w, int b_h, int dx, int dy) {
1179  int x, y, b, r, l;
1180  unsigned char tmp2t[3][RDar8424269_F * (32 + 8)];
1181  unsigned char *tmp2 = tmp2t[0];
1182  if (p && !p->RDar8424269_C)
1183    b = 15;
1184  tmp2 = tmp2t[1];
1185  if (b & 2) { // expected-warning{{The left operand of '&' is a garbage value}}
1186    for (y = 0; y < b_h; y++) {
1187      for (x = 0; x < b_w + 1; x++) {
1188        int am = 0;
1189        tmp2[x] = am;
1190      }
1191    }
1192  }
1193  tmp2 = tmp2t[2];
1194}
1195
1196// <rdar://problem/8642434> - Handle transparent unions with the NonNullParamChecker.
1197typedef union {
1198  struct rdar_8642434_typeA *_dq;
1199}
1200rdar_8642434_typeB __attribute__((transparent_union));
1201
1202__attribute__((visibility("default"))) __attribute__((__nonnull__)) __attribute__((__nothrow__))
1203void rdar_8642434_funcA(rdar_8642434_typeB object);
1204
1205void rdar_8642434_funcB(struct rdar_8642434_typeA *x, struct rdar_8642434_typeA *y) {
1206  rdar_8642434_funcA(x);
1207  if (!y)
1208    rdar_8642434_funcA(y); // expected-warning{{Null pointer passed as an argument to a 'nonnull' parameter}}
1209}
1210
1211// <rdar://problem/8848957> - Handle loads and stores from a symbolic index
1212// into array without warning about an uninitialized value being returned.
1213// While RegionStore can't fully reason about this example, it shouldn't
1214// warn here either.
1215typedef struct s_test_rdar8848957 {
1216  int x, y, z;
1217} s_test_rdar8848957;
1218
1219s_test_rdar8848957 foo_rdar8848957();
1220int rdar8848957(int index) {
1221  s_test_rdar8848957 vals[10];
1222  vals[index] = foo_rdar8848957();
1223  return vals[index].x; // no-warning
1224}
1225
1226// PR 9049 - crash on symbolicating unions.  This test exists solely to
1227// test that the analyzer doesn't crash.
1228typedef struct pr9048_cdev *pr9048_cdev_t;
1229typedef union pr9048_abstracted_disklabel { void *opaque; } pr9048_disklabel_t;
1230struct pr9048_diskslice { pr9048_disklabel_t ds_label; };
1231struct pr9048_diskslices {
1232  int dss_secmult;
1233  struct pr9048_diskslice dss_slices[16];
1234};
1235void pr9048(pr9048_cdev_t dev, struct pr9048_diskslices * ssp, unsigned int slice)
1236{
1237  pr9048_disklabel_t     lp;
1238  struct pr9048_diskslice *sp;
1239  sp = &ssp->dss_slices[slice];
1240  if (ssp->dss_secmult == 1) {
1241  } else if ((lp = sp->ds_label).opaque != ((void *) 0)) {
1242  }
1243}
1244
1245// Test Store reference counting in the presence of Lazy compound values.
1246// This previously caused an infinite recursion.
1247typedef struct {} Rdar_9103310_A;
1248typedef struct Rdar_9103310_B Rdar_9103310_B_t;
1249struct Rdar_9103310_B {
1250  unsigned char           Rdar_9103310_C[101];
1251};
1252void Rdar_9103310_E(Rdar_9103310_A * x, struct Rdar_9103310_C * b) { // expected-warning {{declaration of 'struct Rdar_9103310_C' will not be visible outside of this function}}
1253  char Rdar_9103310_D[4][4] = { "a", "b", "c", "d"};
1254  int i;
1255  Rdar_9103310_B_t *y = (Rdar_9103310_B_t *) x;
1256  for (i = 0; i < 101; i++) {
1257    Rdar_9103310_F(b, "%2d%s ", (y->Rdar_9103310_C[i]) / 4, Rdar_9103310_D[(y->Rdar_9103310_C[i]) % 4]); // expected-warning {{implicit declaration of function 'Rdar_9103310_F' is invalid in C99}}
1258  }
1259}
1260
1261// Test handling binding lazy compound values to a region and then have
1262// specific elements have other bindings.
1263int PR9455() {
1264  char arr[4] = "000";
1265  arr[0] = '1';
1266  if (arr[1] == '0')
1267    return 1;
1268  int *p = 0;
1269  *p = 0xDEADBEEF; // no-warning
1270  return 1;
1271}
1272int PR9455_2() {
1273  char arr[4] = "000";
1274  arr[0] = '1';
1275  if (arr[1] == '0') {
1276    int *p = 0;
1277    *p = 0xDEADBEEF; // expected-warning {{null}}
1278  }
1279  return 1;
1280}
1281
1282// Test initialization of substructs via lazy compound values.
1283typedef float RDar9163742_Float;
1284
1285typedef struct {
1286    RDar9163742_Float x, y;
1287} RDar9163742_Point;
1288typedef struct {
1289    RDar9163742_Float width, height;
1290} RDar9163742_Size;
1291typedef struct {
1292    RDar9163742_Point origin;
1293    RDar9163742_Size size;
1294} RDar9163742_Rect;
1295
1296extern  RDar9163742_Rect RDar9163742_RectIntegral(RDar9163742_Rect);
1297
1298RDar9163742_Rect RDar9163742_IntegralRect(RDar9163742_Rect frame)
1299{
1300    RDar9163742_Rect integralFrame;
1301    integralFrame.origin.x = frame.origin.x;
1302    integralFrame.origin.y = frame.origin.y;
1303    integralFrame.size = frame.size;
1304    return RDar9163742_RectIntegral(integralFrame); // no-warning; all fields initialized
1305}
1306
1307// Test correct handling of prefix '--' operator.
1308void rdar9444714() {
1309  int   x;
1310  char    str[ 32 ];
1311  char    buf[ 32 ];
1312  char *  dst;
1313  char *  ptr;
1314
1315  x = 1234;
1316  dst = str;
1317  ptr = buf;
1318  do
1319  {
1320    *ptr++ = (char)( '0' + ( x % 10 ) );
1321    x /= 10;
1322  } while( x > 0 );
1323
1324  while( ptr > buf )
1325  {
1326    *dst++ = *( --( ptr ) ); // no-warning
1327  }
1328  *dst = '\0';
1329}
1330
1331// Test handling symbolic elements with field accesses.
1332// <rdar://problem/11127008>
1333typedef struct {
1334    unsigned value;
1335} RDar11127008;
1336
1337signed rdar_11127008_index();
1338
1339static unsigned rdar_11127008(void) {
1340    RDar11127008 values[] = {{.value = 0}, {.value = 1}};
1341    signed index = rdar_11127008_index();
1342    if (index < 0) return 0;
1343    if (index >= 2) return 0;
1344    return values[index].value;
1345}
1346
1347// Test handling invalidating arrays passed to a block via captured
1348// pointer value (not a __block variable).
1349typedef void (^radar11125868_cb)(int *, unsigned);
1350
1351void rdar11125868_aux(radar11125868_cb cb);
1352
1353int rdar11125868() {
1354  int integersStackArray[1];
1355  int *integers = integersStackArray;
1356  rdar11125868_aux(^(int *integerValue, unsigned index) {
1357      integers[index] = integerValue[index];
1358    });
1359  return integers[0] == 0; // no-warning
1360}
1361
1362int rdar11125868_positive() {
1363  int integersStackArray[1];
1364  int *integers = integersStackArray;
1365  return integers[0] == 0; // expected-warning {{The left operand of '==' is a}}
1366}
1367