diff options
Diffstat (limited to 'test/Analysis')
-rw-r--r-- | test/Analysis/enum.cpp | 13 | ||||
-rw-r--r-- | test/Analysis/gmalloc.c | 110 | ||||
-rw-r--r-- | test/Analysis/inlining/inline-defensive-checks.c | 41 | ||||
-rw-r--r-- | test/Analysis/inlining/inline-defensive-checks.cpp | 15 | ||||
-rw-r--r-- | test/Analysis/null-deref-offsets.c | 37 | ||||
-rw-r--r-- | test/Analysis/uninit-const.cpp | 2 |
6 files changed, 215 insertions, 3 deletions
diff --git a/test/Analysis/enum.cpp b/test/Analysis/enum.cpp index e26b8f00d98ca..b561e65ac86ea 100644 --- a/test/Analysis/enum.cpp +++ b/test/Analysis/enum.cpp @@ -24,3 +24,16 @@ void testCasting(int i) { clang_analyzer_eval(j == 0); // expected-warning{{FALSE}} } } + +enum class EnumBool : bool { + F = false, + T = true +}; + +bool testNoCrashOnSwitchEnumBool(EnumBool E) { + switch (E) { + case EnumBool::F: + return false; + } + return true; +} diff --git a/test/Analysis/gmalloc.c b/test/Analysis/gmalloc.c index 10c4fe2840545..50413e2e9b13c 100644 --- a/test/Analysis/gmalloc.c +++ b/test/Analysis/gmalloc.c @@ -13,6 +13,12 @@ gpointer g_realloc(gpointer mem, gsize n_bytes); gpointer g_try_malloc(gsize n_bytes); gpointer g_try_malloc0(gsize n_bytes); gpointer g_try_realloc(gpointer mem, gsize n_bytes); +gpointer g_malloc_n(gsize n_blocks, gsize n_block_bytes); +gpointer g_malloc0_n(gsize n_blocks, gsize n_block_bytes); +gpointer g_realloc_n(gpointer mem, gsize n_blocks, gsize n_block_bytes); +gpointer g_try_malloc_n(gsize n_blocks, gsize n_block_bytes); +gpointer g_try_malloc0_n(gsize n_blocks, gsize n_block_bytes); +gpointer g_try_realloc_n(gpointer mem, gsize n_blocks, gsize n_block_bytes); void g_free(gpointer mem); gpointer g_memdup(gconstpointer mem, guint byte_size); @@ -25,6 +31,12 @@ void f1() { gpointer g3 = g_try_malloc(n_bytes); gpointer g4 = g_try_malloc0(n_bytes); g3 = g_try_realloc(g3, n_bytes * 2); + gpointer g5 = g_malloc_n(n_bytes, sizeof(char)); + gpointer g6 = g_malloc0_n(n_bytes, sizeof(char)); + g5 = g_realloc_n(g5, n_bytes * 2, sizeof(char)); + gpointer g7 = g_try_malloc_n(n_bytes, sizeof(char)); + gpointer g8 = g_try_malloc0_n(n_bytes, sizeof(char)); + g7 = g_try_realloc_n(g7, n_bytes * 2, sizeof(char)); g_free(g1); g_free(g2); @@ -38,6 +50,12 @@ void f2() { gpointer g3 = g_try_malloc(n_bytes); gpointer g4 = g_try_malloc0(n_bytes); g3 = g_try_realloc(g3, n_bytes * 2); + gpointer g5 = g_malloc_n(n_bytes, sizeof(char)); + gpointer g6 = g_malloc0_n(n_bytes, sizeof(char)); + g5 = g_realloc_n(g5, n_bytes * 2, sizeof(char)); + gpointer g7 = g_try_malloc_n(n_bytes, sizeof(char)); + gpointer g8 = g_try_malloc0_n(n_bytes, sizeof(char)); + g7 = g_try_realloc_n(g7, n_bytes * 2, sizeof(char)); g_free(g1); g_free(g2); @@ -52,8 +70,100 @@ void f3() { gpointer g3 = g_try_malloc(n_bytes); gpointer g4 = g_try_malloc0(n_bytes); g3 = g_try_realloc(g3, n_bytes * 2); // expected-warning{{Potential leak of memory pointed to by 'g4'}} + gpointer g5 = g_malloc_n(n_bytes, sizeof(char)); + gpointer g6 = g_malloc0_n(n_bytes, sizeof(char)); + g5 = g_realloc_n(g5, n_bytes * 2, sizeof(char)); // expected-warning{{Potential leak of memory pointed to by 'g6'}} + gpointer g7 = g_try_malloc_n(n_bytes, sizeof(char)); // expected-warning{{Potential leak of memory pointed to by 'g5'}} + gpointer g8 = g_try_malloc0_n(n_bytes, sizeof(char)); + g7 = g_try_realloc_n(g7, n_bytes * 2, sizeof(char)); // expected-warning{{Potential leak of memory pointed to by 'g8'}} + + g_free(g1); // expected-warning{{Potential leak of memory pointed to by 'g7'}} + g_free(g2); + g_free(g3); +} + +void f4() { + gpointer g1 = g_malloc(n_bytes); + gpointer g2 = g_malloc0(n_bytes); + g1 = g_realloc(g1, n_bytes * 2); + gpointer g3 = g_try_malloc(n_bytes); + gpointer g4 = g_try_malloc0(n_bytes); + g3 = g_try_realloc(g3, n_bytes * 2); + gpointer g5 = g_malloc_n(n_bytes, sizeof(char)); + gpointer g6 = g_malloc0_n(n_bytes, sizeof(char)); + g5 = g_realloc_n(g5, n_bytes * 2, sizeof(char)); // expected-warning{{Potential leak of memory pointed to by 'g6'}} + gpointer g7 = g_try_malloc_n(n_bytes, sizeof(char)); // expected-warning{{Potential leak of memory pointed to by 'g5'}} + gpointer g8 = g_try_malloc0_n(n_bytes, sizeof(char)); + g7 = g_try_realloc_n(g7, n_bytes * 2, sizeof(char)); // expected-warning{{Potential leak of memory pointed to by 'g8'}} + + g_free(g1); // expected-warning{{Potential leak of memory pointed to by 'g7'}} + g_free(g2); + g_free(g3); + g_free(g4); +} + +void f5() { + gpointer g1 = g_malloc(n_bytes); + gpointer g2 = g_malloc0(n_bytes); + g1 = g_realloc(g1, n_bytes * 2); + gpointer g3 = g_try_malloc(n_bytes); + gpointer g4 = g_try_malloc0(n_bytes); + g3 = g_try_realloc(g3, n_bytes * 2); + gpointer g5 = g_malloc_n(n_bytes, sizeof(char)); + gpointer g6 = g_malloc0_n(n_bytes, sizeof(char)); + g5 = g_realloc_n(g5, n_bytes * 2, sizeof(char)); // expected-warning{{Potential leak of memory pointed to by 'g6'}} + gpointer g7 = g_try_malloc_n(n_bytes, sizeof(char)); + gpointer g8 = g_try_malloc0_n(n_bytes, sizeof(char)); + g7 = g_try_realloc_n(g7, n_bytes * 2, sizeof(char)); // expected-warning{{Potential leak of memory pointed to by 'g8'}} + + g_free(g1); // expected-warning{{Potential leak of memory pointed to by 'g7'}} + g_free(g2); + g_free(g3); + g_free(g4); + g_free(g5); +} + +void f6() { + gpointer g1 = g_malloc(n_bytes); + gpointer g2 = g_malloc0(n_bytes); + g1 = g_realloc(g1, n_bytes * 2); + gpointer g3 = g_try_malloc(n_bytes); + gpointer g4 = g_try_malloc0(n_bytes); + g3 = g_try_realloc(g3, n_bytes * 2); + gpointer g5 = g_malloc_n(n_bytes, sizeof(char)); + gpointer g6 = g_malloc0_n(n_bytes, sizeof(char)); + g5 = g_realloc_n(g5, n_bytes * 2, sizeof(char)); + gpointer g7 = g_try_malloc_n(n_bytes, sizeof(char)); + gpointer g8 = g_try_malloc0_n(n_bytes, sizeof(char)); + g7 = g_try_realloc_n(g7, n_bytes * 2, sizeof(char)); // expected-warning{{Potential leak of memory pointed to by 'g8'}} + + g_free(g1); // expected-warning{{Potential leak of memory pointed to by 'g7'}} + g_free(g2); + g_free(g3); + g_free(g4); + g_free(g5); + g_free(g6); +} + +void f7() { + gpointer g1 = g_malloc(n_bytes); + gpointer g2 = g_malloc0(n_bytes); + g1 = g_realloc(g1, n_bytes * 2); + gpointer g3 = g_try_malloc(n_bytes); + gpointer g4 = g_try_malloc0(n_bytes); + g3 = g_try_realloc(g3, n_bytes * 2); + gpointer g5 = g_malloc_n(n_bytes, sizeof(char)); + gpointer g6 = g_malloc0_n(n_bytes, sizeof(char)); + g5 = g_realloc_n(g5, n_bytes * 2, sizeof(char)); + gpointer g7 = g_try_malloc_n(n_bytes, sizeof(char)); + gpointer g8 = g_try_malloc0_n(n_bytes, sizeof(char)); + g7 = g_try_realloc_n(g7, n_bytes * 2, sizeof(char)); // expected-warning{{Potential leak of memory pointed to by 'g8'}} g_free(g1); g_free(g2); g_free(g3); + g_free(g4); + g_free(g5); + g_free(g6); + g_free(g7); } diff --git a/test/Analysis/inlining/inline-defensive-checks.c b/test/Analysis/inlining/inline-defensive-checks.c index 4029da651b65f..010d3a774756a 100644 --- a/test/Analysis/inlining/inline-defensive-checks.c +++ b/test/Analysis/inlining/inline-defensive-checks.c @@ -1,7 +1,7 @@ // RUN: %clang_analyze_cc1 -analyzer-checker=core -analyzer-config suppress-inlined-defensive-checks=true -verify %s // Perform inline defensive checks. -void idc(int *p) { +void idc(void *p) { if (p) ; } @@ -139,3 +139,42 @@ void idcTrackZeroThroughDoubleAssignemnt(int x) { int z = y; idcTriggerZeroValueThroughCall(z); } + +struct S { + int f1; + int f2; +}; + +void idcTrackZeroValueThroughUnaryPointerOperators(struct S *s) { + idc(s); + *(&(s->f1)) = 7; // no-warning +} + +void idcTrackZeroValueThroughUnaryPointerOperatorsWithOffset1(struct S *s) { + idc(s); + int *x = &(s->f2); + *x = 7; // no-warning +} + +void idcTrackZeroValueThroughUnaryPointerOperatorsWithOffset2(struct S *s) { + idc(s); + int *x = &(s->f2) - 1; + // FIXME: Should not warn. + *x = 7; // expected-warning{{Dereference of null pointer}} +} + +void idcTrackZeroValueThroughUnaryPointerOperatorsWithAssignment(struct S *s) { + idc(s); + int *x = &(s->f1); + *x = 7; // no-warning +} + + +struct S2 { + int a[1]; +}; + +void idcTrackZeroValueThroughUnaryPointerOperatorsWithArrayField(struct S2 *s) { + idc(s); + *(&(s->a[0])) = 7; // no-warning +} diff --git a/test/Analysis/inlining/inline-defensive-checks.cpp b/test/Analysis/inlining/inline-defensive-checks.cpp index 6a803fa695c6c..eaae8d2ae28f2 100644 --- a/test/Analysis/inlining/inline-defensive-checks.cpp +++ b/test/Analysis/inlining/inline-defensive-checks.cpp @@ -70,4 +70,17 @@ int *retNull() { void test(int *p1, int *p2) { idc(p1); Foo f(p1); -}
\ No newline at end of file +} + +struct Bar { + int x; +}; +void idcBar(Bar *b) { + if (b) + ; +} +void testRefToField(Bar *b) { + idcBar(b); + int &x = b->x; // no-warning + x = 5; +} diff --git a/test/Analysis/null-deref-offsets.c b/test/Analysis/null-deref-offsets.c new file mode 100644 index 0000000000000..988cec4985daa --- /dev/null +++ b/test/Analysis/null-deref-offsets.c @@ -0,0 +1,37 @@ +// RUN: %clang_analyze_cc1 -w -triple i386-apple-darwin10 -analyzer-checker=core,debug.ExprInspection -verify %s + +void clang_analyzer_eval(int); + +struct S { + int x, y; + int z[2]; +}; + +void testOffsets(struct S *s, int coin) { + if (s != 0) + return; + + // FIXME: Here we are testing the hack that computes offsets to null pointers + // as 0 in order to find null dereferences of not-exactly-null pointers, + // such as &(s->y) below, which is equal to 4 rather than 0 in run-time. + + // These are indeed null. + clang_analyzer_eval(s == 0); // expected-warning{{TRUE}} + clang_analyzer_eval(&(s->x) == 0); // expected-warning{{TRUE}} + + // FIXME: These should ideally be true. + clang_analyzer_eval(&(s->y) == 4); // expected-warning{{FALSE}} + clang_analyzer_eval(&(s->z[0]) == 8); // expected-warning{{FALSE}} + clang_analyzer_eval(&(s->z[1]) == 12); // expected-warning{{FALSE}} + + // FIXME: These should ideally be false. + clang_analyzer_eval(&(s->y) == 0); // expected-warning{{TRUE}} + clang_analyzer_eval(&(s->z[0]) == 0); // expected-warning{{TRUE}} + clang_analyzer_eval(&(s->z[1]) == 0); // expected-warning{{TRUE}} + + // But these should still be reported as null dereferences. + if (coin) + s->y = 5; // expected-warning{{Access to field 'y' results in a dereference of a null pointer (loaded from variable 's')}} + else + s->z[1] = 6; // expected-warning{{Array access (via field 'z') results in a null pointer dereference}} +} diff --git a/test/Analysis/uninit-const.cpp b/test/Analysis/uninit-const.cpp index 75e932a77cedb..db969bfb67d62 100644 --- a/test/Analysis/uninit-const.cpp +++ b/test/Analysis/uninit-const.cpp @@ -122,7 +122,7 @@ void f1(void) { } void f_uninit(void) { - int x; + int x; // expected-note {{'x' declared without an initial value}} doStuff_uninit(&x); // expected-warning {{1st function call argument is a pointer to uninitialized value}} // expected-note@-1 {{1st function call argument is a pointer to uninitialized value}} } |