1 // RUN: %clang_cc1 -analyze -analyzer-checker=core,unix.Malloc,debug.ExprInspection -analyzer-config ipa=inlining -analyzer-config c++-allocator-inlining=true -verify %s 2 3 void clang_analyzer_eval(bool); 4 void clang_analyzer_checkInlined(bool); 5 6 typedef __typeof__(sizeof(int)) size_t; 7 extern "C" void *malloc(size_t); 8 9 // This is the standard placement new. operator new(size_t,void * __p)10 inline void* operator new(size_t, void* __p) throw() 11 { 12 clang_analyzer_checkInlined(true);// expected-warning{{TRUE}} 13 return __p; 14 } 15 16 17 class A { 18 public: getZero()19 int getZero() { return 0; } getNum()20 virtual int getNum() { return 0; } 21 }; 22 test(A & a)23 void test(A &a) { 24 clang_analyzer_eval(a.getZero() == 0); // expected-warning{{TRUE}} 25 clang_analyzer_eval(a.getNum() == 0); // expected-warning{{UNKNOWN}} 26 27 A copy(a); 28 clang_analyzer_eval(copy.getZero() == 0); // expected-warning{{TRUE}} 29 clang_analyzer_eval(copy.getNum() == 0); // expected-warning{{TRUE}} 30 } 31 32 33 class One : public A { 34 public: getNum()35 virtual int getNum() { return 1; } 36 }; 37 testPathSensitivity(int x)38 void testPathSensitivity(int x) { 39 A a; 40 One b; 41 42 A *ptr; 43 switch (x) { 44 case 0: 45 ptr = &a; 46 break; 47 case 1: 48 ptr = &b; 49 break; 50 default: 51 return; 52 } 53 54 // This should be true on both branches. 55 clang_analyzer_eval(ptr->getNum() == x); // expected-warning {{TRUE}} 56 } 57 58 59 namespace PureVirtualParent { 60 class Parent { 61 public: 62 virtual int pureVirtual() const = 0; callVirtual() const63 int callVirtual() const { 64 return pureVirtual(); 65 } 66 }; 67 68 class Child : public Parent { 69 public: pureVirtual() const70 virtual int pureVirtual() const { 71 clang_analyzer_checkInlined(true); // expected-warning{{TRUE}} 72 return 42; 73 } 74 }; 75 testVirtual()76 void testVirtual() { 77 Child x; 78 79 clang_analyzer_eval(x.pureVirtual() == 42); // expected-warning{{TRUE}} 80 clang_analyzer_eval(x.callVirtual() == 42); // expected-warning{{TRUE}} 81 } 82 } 83 84 85 namespace PR13569 { 86 class Parent { 87 protected: 88 int m_parent; 89 virtual int impl() const = 0; 90 Parent()91 Parent() : m_parent(0) {} 92 93 public: interface() const94 int interface() const { 95 clang_analyzer_checkInlined(true); // expected-warning{{TRUE}} 96 return impl(); 97 } 98 }; 99 100 class Child : public Parent { 101 protected: impl() const102 virtual int impl() const { 103 clang_analyzer_checkInlined(true); // expected-warning{{TRUE}} 104 return m_parent + m_child; 105 } 106 107 public: Child()108 Child() : m_child(0) {} 109 110 int m_child; 111 }; 112 testVirtual()113 void testVirtual() { 114 Child x; 115 x.m_child = 42; 116 117 // Don't crash when inlining and devirtualizing. 118 x.interface(); 119 } 120 121 122 class Grandchild : public Child {}; 123 testDevirtualizeToMiddle()124 void testDevirtualizeToMiddle() { 125 Grandchild x; 126 x.m_child = 42; 127 128 // Don't crash when inlining and devirtualizing. 129 x.interface(); 130 } 131 } 132 133 namespace PR13569_virtual { 134 class Parent { 135 protected: 136 int m_parent; 137 virtual int impl() const = 0; 138 Parent()139 Parent() : m_parent(0) {} 140 141 public: interface() const142 int interface() const { 143 clang_analyzer_checkInlined(true); // expected-warning{{TRUE}} 144 return impl(); 145 } 146 }; 147 148 class Child : virtual public Parent { 149 protected: impl() const150 virtual int impl() const { 151 clang_analyzer_checkInlined(true); // expected-warning{{TRUE}} 152 return m_parent + m_child; 153 } 154 155 public: Child()156 Child() : m_child(0) {} 157 158 int m_child; 159 }; 160 testVirtual()161 void testVirtual() { 162 Child x; 163 x.m_child = 42; 164 165 // Don't crash when inlining and devirtualizing. 166 x.interface(); 167 } 168 169 170 class Grandchild : virtual public Child {}; 171 testDevirtualizeToMiddle()172 void testDevirtualizeToMiddle() { 173 Grandchild x; 174 x.m_child = 42; 175 176 // Don't crash when inlining and devirtualizing. 177 x.interface(); 178 } 179 } 180 181 namespace Invalidation { 182 struct X { touchInvalidation::X183 void touch(int &x) const { 184 x = 0; 185 } 186 187 void touch2(int &x) const; 188 touchVInvalidation::X189 virtual void touchV(int &x) const { 190 x = 0; 191 } 192 193 virtual void touchV2(int &x) const; 194 testInvalidation::X195 int test() const { 196 // We were accidentally not invalidating under inlining 197 // at one point for virtual methods with visible definitions. 198 int a, b, c, d; 199 touch(a); 200 touch2(b); 201 touchV(c); 202 touchV2(d); 203 return a + b + c + d; // no-warning 204 } 205 }; 206 } 207 208 namespace DefaultArgs { takesDefaultArgs(int i=42)209 int takesDefaultArgs(int i = 42) { 210 return -i; 211 } 212 testFunction()213 void testFunction() { 214 clang_analyzer_eval(takesDefaultArgs(1) == -1); // expected-warning{{TRUE}} 215 clang_analyzer_eval(takesDefaultArgs() == -42); // expected-warning{{TRUE}} 216 } 217 218 class Secret { 219 public: 220 static const int value = 40 + 2; get(int i=value)221 int get(int i = value) { 222 return i; 223 } 224 }; 225 testMethod()226 void testMethod() { 227 Secret obj; 228 clang_analyzer_eval(obj.get(1) == 1); // expected-warning{{TRUE}} 229 clang_analyzer_eval(obj.get() == 42); // expected-warning{{TRUE}} 230 clang_analyzer_eval(Secret::value == 42); // expected-warning{{TRUE}} 231 } 232 233 enum ABC { 234 A = 0, 235 B = 1, 236 C = 2 237 }; 238 enumUser(ABC input=B)239 int enumUser(ABC input = B) { 240 return static_cast<int>(input); 241 } 242 testEnum()243 void testEnum() { 244 clang_analyzer_eval(enumUser(C) == 2); // expected-warning{{TRUE}} 245 clang_analyzer_eval(enumUser() == 1); // expected-warning{{TRUE}} 246 } 247 248 exprUser(int input=2* 4)249 int exprUser(int input = 2 * 4) { 250 return input; 251 } 252 complicatedExprUser(int input=2* Secret::value)253 int complicatedExprUser(int input = 2 * Secret::value) { 254 return input; 255 } 256 testExprs()257 void testExprs() { 258 clang_analyzer_eval(exprUser(1) == 1); // expected-warning{{TRUE}} 259 clang_analyzer_eval(exprUser() == 8); // expected-warning{{TRUE}} 260 261 clang_analyzer_eval(complicatedExprUser(1) == 1); // expected-warning{{TRUE}} 262 clang_analyzer_eval(complicatedExprUser() == 84); // expected-warning{{TRUE}} 263 } 264 defaultReference(const int & input=42)265 int defaultReference(const int &input = 42) { 266 return -input; 267 } defaultReferenceZero(const int & input=0)268 int defaultReferenceZero(const int &input = 0) { 269 return -input; 270 } 271 testReference()272 void testReference() { 273 clang_analyzer_eval(defaultReference(1) == -1); // expected-warning{{TRUE}} 274 clang_analyzer_eval(defaultReference() == -42); // expected-warning{{TRUE}} 275 276 clang_analyzer_eval(defaultReferenceZero(1) == -1); // expected-warning{{TRUE}} 277 clang_analyzer_eval(defaultReferenceZero() == 0); // expected-warning{{TRUE}} 278 } 279 defaultFloatReference(const double & i=42)280 double defaultFloatReference(const double &i = 42) { 281 return -i; 282 } defaultFloatReferenceZero(const double & i=0)283 double defaultFloatReferenceZero(const double &i = 0) { 284 return -i; 285 } 286 testFloatReference()287 void testFloatReference() { 288 clang_analyzer_eval(defaultFloatReference(1) == -1); // expected-warning{{UNKNOWN}} 289 clang_analyzer_eval(defaultFloatReference() == -42); // expected-warning{{UNKNOWN}} 290 291 clang_analyzer_eval(defaultFloatReferenceZero(1) == -1); // expected-warning{{UNKNOWN}} 292 clang_analyzer_eval(defaultFloatReferenceZero() == 0); // expected-warning{{UNKNOWN}} 293 } 294 defaultString(const char * s="abc")295 char defaultString(const char *s = "abc") { 296 return s[1]; 297 } 298 testString()299 void testString() { 300 clang_analyzer_eval(defaultString("xyz") == 'y'); // expected-warning{{TRUE}} 301 clang_analyzer_eval(defaultString() == 'b'); // expected-warning{{TRUE}} 302 } 303 304 const void * const void_string = "abc"; 305 testBitcastedString()306 void testBitcastedString() { 307 clang_analyzer_eval(0 != void_string); // expected-warning{{TRUE}} 308 clang_analyzer_eval('b' == ((char *)void_string)[1]); // expected-warning{{TRUE}} 309 } 310 } 311 312 namespace OperatorNew { 313 class IntWrapper { 314 public: 315 int value; 316 IntWrapper(int input)317 IntWrapper(int input) : value(input) { 318 // We don't want this constructor to be inlined unless we can actually 319 // use the proper region for operator new. 320 // See PR12014 and <rdar://problem/12180598>. 321 clang_analyzer_checkInlined(false); // no-warning 322 } 323 }; 324 test()325 void test() { 326 IntWrapper *obj = new IntWrapper(42); 327 // should be TRUE 328 clang_analyzer_eval(obj->value == 42); // expected-warning{{UNKNOWN}} 329 delete obj; 330 } 331 testPlacement()332 void testPlacement() { 333 IntWrapper *obj = static_cast<IntWrapper *>(malloc(sizeof(IntWrapper))); 334 IntWrapper *alias = new (obj) IntWrapper(42); 335 336 clang_analyzer_eval(alias == obj); // expected-warning{{TRUE}} 337 338 // should be TRUE 339 clang_analyzer_eval(obj->value == 42); // expected-warning{{UNKNOWN}} 340 } 341 } 342 343 344 namespace VirtualWithSisterCasts { 345 // This entire set of tests exercises casts from sister classes and 346 // from classes outside the hierarchy, which can very much confuse 347 // code that uses DynamicTypeInfo or needs to construct CXXBaseObjectRegions. 348 // These examples used to cause crashes in +Asserts builds. 349 struct Parent { 350 virtual int foo(); 351 int x; 352 }; 353 354 struct A : Parent { fooVirtualWithSisterCasts::A355 virtual int foo() { return 42; } 356 }; 357 358 struct B : Parent { 359 virtual int foo(); 360 }; 361 362 struct Grandchild : public A {}; 363 364 struct Unrelated {}; 365 testDowncast(Parent * b)366 void testDowncast(Parent *b) { 367 A *a = (A *)(void *)b; 368 clang_analyzer_eval(a->foo() == 42); // expected-warning{{UNKNOWN}} 369 370 a->x = 42; 371 clang_analyzer_eval(a->x == 42); // expected-warning{{TRUE}} 372 } 373 testRelated(B * b)374 void testRelated(B *b) { 375 A *a = (A *)(void *)b; 376 clang_analyzer_eval(a->foo() == 42); // expected-warning{{UNKNOWN}} 377 378 a->x = 42; 379 clang_analyzer_eval(a->x == 42); // expected-warning{{TRUE}} 380 } 381 testUnrelated(Unrelated * b)382 void testUnrelated(Unrelated *b) { 383 A *a = (A *)(void *)b; 384 clang_analyzer_eval(a->foo() == 42); // expected-warning{{UNKNOWN}} 385 386 a->x = 42; 387 clang_analyzer_eval(a->x == 42); // expected-warning{{TRUE}} 388 } 389 testCastViaNew(B * b)390 void testCastViaNew(B *b) { 391 Grandchild *g = new (b) Grandchild(); 392 clang_analyzer_eval(g->foo() == 42); // expected-warning{{TRUE}} 393 394 g->x = 42; 395 clang_analyzer_eval(g->x == 42); // expected-warning{{TRUE}} 396 } 397 } 398 399 400 namespace QualifiedCalls { test(One * object)401 void test(One *object) { 402 // This uses the One class from the top of the file. 403 clang_analyzer_eval(object->getNum() == 1); // expected-warning{{UNKNOWN}} 404 clang_analyzer_eval(object->One::getNum() == 1); // expected-warning{{TRUE}} 405 clang_analyzer_eval(object->A::getNum() == 0); // expected-warning{{TRUE}} 406 407 // getZero is non-virtual. 408 clang_analyzer_eval(object->getZero() == 0); // expected-warning{{TRUE}} 409 clang_analyzer_eval(object->One::getZero() == 0); // expected-warning{{TRUE}} 410 clang_analyzer_eval(object->A::getZero() == 0); // expected-warning{{TRUE}} 411 } 412 } 413 414 415 namespace rdar12409977 { 416 struct Base { 417 int x; 418 }; 419 420 struct Parent : public Base { 421 virtual Parent *vGetThis(); getThisrdar12409977::Parent422 Parent *getThis() { return vGetThis(); } 423 }; 424 425 struct Child : public Parent { vGetThisrdar12409977::Child426 virtual Child *vGetThis() { return this; } 427 }; 428 test()429 void test() { 430 Child obj; 431 obj.x = 42; 432 433 // Originally, calling a devirtualized method with a covariant return type 434 // caused a crash because the return value had the wrong type. When we then 435 // go to layer a CXXBaseObjectRegion on it, the base isn't a direct base of 436 // the object region and we get an assertion failure. 437 clang_analyzer_eval(obj.getThis()->x == 42); // expected-warning{{TRUE}} 438 } 439 } 440 441 namespace bug16307 { one_argument(int a)442 void one_argument(int a) { } call_with_less()443 void call_with_less() { 444 reinterpret_cast<void (*)()>(one_argument)(); // expected-warning{{Function taking 1 argument}} 445 } 446 } 447