This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
docs/analyzer/
-
analyzer/
-
checkers.rst
-
include/clang/StaticAnalyzer/Checkers/
-
clang/
-
StaticAnalyzer/
-
Checkers/
1
Checkers.td
-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
-
CMakeLists.txt
2/2
UnreachableCodeChecker.cpp
-
test/Analysis/
-
Analysis/
-
malloc-annotations.c
-
malloc-annotations.cpp
-
malloc.c
-
malloc.cpp
-
qt_malloc.cpp
-
unreachable-code-path.c
-
www/analyzer/
-
analyzer/
-
alpha_checks.html

Differential D125871

[analyzer] Delete alpha.deadcode.UnreachableCode checker
Needs ReviewPublic

Authored by martong on May 18 2022, 3:51 AM.

Download Raw Diff

Details

Reviewers

NoQ
steakhal
Szelethus

Summary

This checker is fundamentally flawed, because this problem requires
all-path data-flow analysis.
This checker relies on the paths that have been visited during the
exploration of the exploded graph. There are no guarantees that the
symbolic execution will explore all paths. What's more, in practice,
most of the time it does not. Thus, we see way too many annoying false
positives.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

martong created this revision.May 18 2022, 3:51 AM

Herald added a project: Restricted Project. · View Herald TranscriptMay 18 2022, 3:51 AM

Herald added subscribers: manas, ASDenysPetrov, gamesh411 and 9 others. · View Herald Transcript

martong requested review of this revision.May 18 2022, 3:51 AM

Herald added a project: Restricted Project. · View Herald TranscriptMay 18 2022, 3:51 AM

Herald added a subscriber: cfe-commits. · View Herald Transcript

martong added inline comments.May 18 2022, 3:52 AM

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
847	TODO, update the ReleseNotes.

Harbormaster completed remote builds in B165078: Diff 430316.May 18 2022, 4:21 AM

steakhal added inline comments.May 18 2022, 4:58 AM

clang/lib/StaticAnalyzer/Checkers/UnreachableCodeChecker.cpp
53–54	I thought this check guards this checker to be meaningful. @martong

Could you please give a few examples of these FPs for the record?

In D125871#3521967, @steakhal wrote:

Could you please give a few examples of these FPs for the record?

Out of thin air I could come up with the following one below. Seems like try is not handled, but it is not attached to the fact of being non full-path. Maybe I was in too much rush, perhaps we should leave this checker here.

Besides, there is an annoying true positive which should be suppressed IMHO.

clang/lib/StaticAnalyzer/Checkers/UnreachableCodeChecker.cpp
53–54	To be honest, I missed this. So, at least the checker does not report, when the budge is out, i.e. when we definitely know for sure that we could not explore the whole graph. On the other hand, even if there is no work remaining for the engine, we still cannot be sure that all theoretical program paths have been covered can we?

Revision Contents

Path

Size

clang/

docs/

analyzer/

checkers.rst

34 lines

include/

clang/

StaticAnalyzer/

Checkers/

Checkers.td

8 lines

lib/

StaticAnalyzer/

Checkers/

CMakeLists.txt

1 line

UnreachableCodeChecker.cpp

test/

Analysis/

malloc-annotations.c

7 lines

malloc-annotations.cpp

1 line

malloc.c

10 lines

malloc.cpp

4 lines

qt_malloc.cpp

2 lines

unreachable-code-path.c

www/

analyzer/

alpha_checks.html

42 lines

Diff 430316

clang/docs/analyzer/checkers.rst

	Show First 20 Lines • Show All 1,884 Lines • ▼ Show 20 Lines
	.. code-block:: cpp			.. code-block:: cpp

	void deref_smart_ptr() {			void deref_smart_ptr() {
	std::unique_ptr<int> P;			std::unique_ptr<int> P;
	*P; // warn: dereference of a default constructed smart unique_ptr			*P; // warn: dereference of a default constructed smart unique_ptr
	}			}


	alpha.deadcode
	^^^^^^^^^^^^^^
	.. _alpha-deadcode-UnreachableCode:

	alpha.deadcode.UnreachableCode (C, C++)
	"""""""""""""""""""""""""""""""""""""""
	Check unreachable code.

	.. code-block:: cpp

	// C
	int test() {
	int x = 1;
	while(x);
	return x; // warn
	}

	// C++
	void test() {
	int a = 2;

	while (a > 1)
	a--;

	if (a > 1)
	a++; // warn
	}

	// Objective-C
	void test(id x) {
	return;
	[x retain]; // warn
	}

	alpha.fuchsia			alpha.fuchsia
	^^^^^^^^^^^^^			^^^^^^^^^^^^^

	.. _alpha-fuchsia-lock:			.. _alpha-fuchsia-lock:

	alpha.fuchsia.Lock			alpha.fuchsia.Lock
	""""""""""""""""""			""""""""""""""""""
	Similarly to :ref:`alpha.unix.PthreadLock <alpha-unix-PthreadLock>`, checks for			Similarly to :ref:`alpha.unix.PthreadLock <alpha-unix-PthreadLock>`, checks for
	▲ Show 20 Lines • Show All 1,032 Lines • Show Last 20 Lines

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 Lines • Show All 838 Lines • ▼ Show 20 Lines	CmdLineOption<Boolean,
"Enable fix-it hints for this checker",		"Enable fix-it hints for this checker",
"false",		"false",
InAlpha>		InAlpha>
]>,		]>,
Documentation<HasDocumentation>;		Documentation<HasDocumentation>;

} // end DeadCode		} // end DeadCode

let ParentPackage = DeadCodeAlpha in {
martongAuthorUnsubmitted Not Done Reply Inline Actions TODO, update the ReleseNotes. martong: TODO, update the ReleseNotes.

def UnreachableCodeChecker : Checker<"UnreachableCode">,
HelpText<"Check unreachable code">,
Documentation<HasDocumentation>;

} // end "alpha.deadcode"

//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
// Performance checkers.		// Performance checkers.
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

let ParentPackage = Performance in {		let ParentPackage = Performance in {

def PaddingChecker : Checker<"Padding">,		def PaddingChecker : Checker<"Padding">,
HelpText<"Check for excessively padded structs.">,		HelpText<"Check for excessively padded structs.">,
▲ Show 20 Lines • Show All 862 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt

Show First 20 Lines • Show All 116 Lines • ▼ Show 20 Lines	add_clang_library(clangStaticAnalyzerCheckers
UndefBranchChecker.cpp		UndefBranchChecker.cpp
UndefCapturedBlockVarChecker.cpp		UndefCapturedBlockVarChecker.cpp
UndefResultChecker.cpp		UndefResultChecker.cpp
UndefinedArraySubscriptChecker.cpp		UndefinedArraySubscriptChecker.cpp
UndefinedAssignmentChecker.cpp		UndefinedAssignmentChecker.cpp
UninitializedObject/UninitializedObjectChecker.cpp		UninitializedObject/UninitializedObjectChecker.cpp
UninitializedObject/UninitializedPointee.cpp		UninitializedObject/UninitializedPointee.cpp
UnixAPIChecker.cpp		UnixAPIChecker.cpp
UnreachableCodeChecker.cpp
VforkChecker.cpp		VforkChecker.cpp
VLASizeChecker.cpp		VLASizeChecker.cpp
ValistChecker.cpp		ValistChecker.cpp
VirtualCallChecker.cpp		VirtualCallChecker.cpp
WebKit/NoUncountedMembersChecker.cpp		WebKit/NoUncountedMembersChecker.cpp
WebKit/ASTUtils.cpp		WebKit/ASTUtils.cpp
WebKit/PtrTypesSemantics.cpp		WebKit/PtrTypesSemantics.cpp
WebKit/RefCntblBaseVirtualDtorChecker.cpp		WebKit/RefCntblBaseVirtualDtorChecker.cpp
Show All 15 Lines

clang/lib/StaticAnalyzer/Checkers/UnreachableCodeChecker.cpp

This file was deleted.

	//==- UnreachableCodeChecker.cpp - Generalized dead code checker -- C++ --==//
	//
	// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
	// See https://llvm.org/LICENSE.txt for license information.
	// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
	//
	//===----------------------------------------------------------------------===//
	// This file implements a generalized unreachable code checker using a
	// path-sensitive analysis. We mark any path visited, and then walk the CFG as a
	// post-analysis to determine what was never visited.
	//
	// A similar flow-sensitive only check exists in Analysis/ReachableCode.cpp
	//===----------------------------------------------------------------------===//

	#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
	#include "clang/AST/ParentMap.h"
	#include "clang/Basic/Builtins.h"
	#include "clang/Basic/SourceManager.h"
	#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
	#include "clang/StaticAnalyzer/Core/Checker.h"
	#include "clang/StaticAnalyzer/Core/CheckerManager.h"
	#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
	#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
	#include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
	#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
	#include "llvm/ADT/SmallSet.h"

	using namespace clang;
	using namespace ento;

	namespace {
	class UnreachableCodeChecker : public Checker<check::EndAnalysis> {
	public:
	void checkEndAnalysis(ExplodedGraph &G, BugReporter &B,
	ExprEngine &Eng) const;
	private:
	typedef llvm::SmallSet<unsigned, 32> CFGBlocksSet;

	static inline const Stmt getUnreachableStmt(const CFGBlock CB);
	static void FindUnreachableEntryPoints(const CFGBlock *CB,
	CFGBlocksSet &reachable,
	CFGBlocksSet &visited);
	static bool isInvalidPath(const CFGBlock *CB, const ParentMap &PM);
	static inline bool isEmptyCFGBlock(const CFGBlock *CB);
	};
	}

	void UnreachableCodeChecker::checkEndAnalysis(ExplodedGraph &G,
	BugReporter &B,
	ExprEngine &Eng) const {
	CFGBlocksSet reachable, visited;

	if (Eng.hasWorkRemaining())
	return;
	steakhalUnsubmitted Not Done Reply Inline Actions I thought this check guards this checker to be meaningful. @martong steakhal: I thought this check guards this checker to be meaningful. @martong
	martongAuthorUnsubmitted Done Reply Inline Actions To be honest, I missed this. So, at least the checker does not report, when the budge is out, i.e. when we definitely know for sure that we could not explore the whole graph. On the other hand, even if there is no work remaining for the engine, we still cannot be sure that all theoretical program paths have been covered can we? martong: To be honest, I missed this. So, at least the checker does not report, when the budge is out, i.

	const Decl *D = nullptr;
	CFG *C = nullptr;
	const ParentMap *PM = nullptr;
	const LocationContext *LC = nullptr;
	// Iterate over ExplodedGraph
	for (ExplodedGraph::node_iterator I = G.nodes_begin(), E = G.nodes_end();
	I != E; ++I) {
	const ProgramPoint &P = I->getLocation();
	LC = P.getLocationContext();
	if (!LC->inTopFrame())
	continue;

	if (!D)
	D = LC->getAnalysisDeclContext()->getDecl();

	// Save the CFG if we don't have it already
	if (!C)
	C = LC->getAnalysisDeclContext()->getUnoptimizedCFG();
	if (!PM)
	PM = &LC->getParentMap();

	if (Optional<BlockEntrance> BE = P.getAs<BlockEntrance>()) {
	const CFGBlock *CB = BE->getBlock();
	reachable.insert(CB->getBlockID());
	}
	}

	// Bail out if we didn't get the CFG or the ParentMap.
	if (!D \|\| !C \|\| !PM)
	return;

	// Don't do anything for template instantiations. Proving that code
	// in a template instantiation is unreachable means proving that it is
	// unreachable in all instantiations.
	if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D))
	if (FD->isTemplateInstantiation())
	return;

	// Find CFGBlocks that were not covered by any node
	for (CFG::const_iterator I = C->begin(), E = C->end(); I != E; ++I) {
	const CFGBlock CB = I;
	// Check if the block is unreachable
	if (reachable.count(CB->getBlockID()))
	continue;

	// Check if the block is empty (an artificial block)
	if (isEmptyCFGBlock(CB))
	continue;

	// Find the entry points for this block
	if (!visited.count(CB->getBlockID()))
	FindUnreachableEntryPoints(CB, reachable, visited);

	// This block may have been pruned; check if we still want to report it
	if (reachable.count(CB->getBlockID()))
	continue;

	// Check for false positives
	if (isInvalidPath(CB, *PM))
	continue;

	// It is good practice to always have a "default" label in a "switch", even
	// if we should never get there. It can be used to detect errors, for
	// instance. Unreachable code directly under a "default" label is therefore
	// likely to be a false positive.
	if (const Stmt *label = CB->getLabel())
	if (label->getStmtClass() == Stmt::DefaultStmtClass)
	continue;

	// Special case for __builtin_unreachable.
	// FIXME: This should be extended to include other unreachable markers,
	// such as llvm_unreachable.
	if (!CB->empty()) {
	bool foundUnreachable = false;
	for (CFGBlock::const_iterator ci = CB->begin(), ce = CB->end();
	ci != ce; ++ci) {
	if (Optional<CFGStmt> S = (*ci).getAs<CFGStmt>())
	if (const CallExpr *CE = dyn_cast<CallExpr>(S->getStmt())) {
	if (CE->getBuiltinCallee() == Builtin::BI__builtin_unreachable \|\|
	CE->isBuiltinAssumeFalse(Eng.getContext())) {
	foundUnreachable = true;
	break;
	}
	}
	}
	if (foundUnreachable)
	continue;
	}

	// We found a block that wasn't covered - find the statement to report
	SourceRange SR;
	PathDiagnosticLocation DL;
	SourceLocation SL;
	if (const Stmt *S = getUnreachableStmt(CB)) {
	// In macros, 'do {...} while (0)' is often used. Don't warn about the
	// condition 0 when it is unreachable.
	if (S->getBeginLoc().isMacroID())
	if (const auto *I = dyn_cast<IntegerLiteral>(S))
	if (I->getValue() == 0ULL)
	if (const Stmt *Parent = PM->getParent(S))
	if (isa<DoStmt>(Parent))
	continue;
	SR = S->getSourceRange();
	DL = PathDiagnosticLocation::createBegin(S, B.getSourceManager(), LC);
	SL = DL.asLocation();
	if (SR.isInvalid() \|\| !SL.isValid())
	continue;
	}
	else
	continue;

	// Check if the SourceLocation is in a system header
	const SourceManager &SM = B.getSourceManager();
	if (SM.isInSystemHeader(SL) \|\| SM.isInExternCSystemHeader(SL))
	continue;

	B.EmitBasicReport(D, this, "Unreachable code", categories::UnusedCode,
	"This statement is never executed", DL, SR);
	}
	}

	// Recursively finds the entry point(s) for this dead CFGBlock.
	void UnreachableCodeChecker::FindUnreachableEntryPoints(const CFGBlock *CB,
	CFGBlocksSet &reachable,
	CFGBlocksSet &visited) {
	visited.insert(CB->getBlockID());

	for (CFGBlock::const_pred_iterator I = CB->pred_begin(), E = CB->pred_end();
	I != E; ++I) {
	if (!*I)
	continue;

	if (!reachable.count((*I)->getBlockID())) {
	// If we find an unreachable predecessor, mark this block as reachable so
	// we don't report this block
	reachable.insert(CB->getBlockID());
	if (!visited.count((*I)->getBlockID()))
	// If we haven't previously visited the unreachable predecessor, recurse
	FindUnreachableEntryPoints(*I, reachable, visited);
	}
	}
	}

	// Find the Stmt* in a CFGBlock for reporting a warning
	const Stmt UnreachableCodeChecker::getUnreachableStmt(const CFGBlock CB) {
	for (CFGBlock::const_iterator I = CB->begin(), E = CB->end(); I != E; ++I) {
	if (Optional<CFGStmt> S = I->getAs<CFGStmt>()) {
	if (!isa<DeclStmt>(S->getStmt()))
	return S->getStmt();
	}
	}
	if (const Stmt *S = CB->getTerminatorStmt())
	return S;
	else
	return nullptr;
	}

	// Determines if the path to this CFGBlock contained an element that infers this
	// block is a false positive. We assume that FindUnreachableEntryPoints has
	// already marked only the entry points to any dead code, so we need only to
	// find the condition that led to this block (the predecessor of this block.)
	// There will never be more than one predecessor.
	bool UnreachableCodeChecker::isInvalidPath(const CFGBlock *CB,
	const ParentMap &PM) {
	// We only expect a predecessor size of 0 or 1. If it is >1, then an external
	// condition has broken our assumption (for example, a sink being placed by
	// another check). In these cases, we choose not to report.
	if (CB->pred_size() > 1)
	return true;

	// If there are no predecessors, then this block is trivially unreachable
	if (CB->pred_size() == 0)
	return false;

	const CFGBlock pred = CB->pred_begin();
	if (!pred)
	return false;

	// Get the predecessor block's terminator condition
	const Stmt *cond = pred->getTerminatorCondition();

	//assert(cond && "CFGBlock's predecessor has a terminator condition");
	// The previous assertion is invalid in some cases (eg do/while). Leaving
	// reporting of these situations on at the moment to help triage these cases.
	if (!cond)
	return false;

	// Run each of the checks on the conditions
	return containsMacro(cond) \|\| containsEnum(cond) \|\|
	containsStaticLocal(cond) \|\| containsBuiltinOffsetOf(cond) \|\|
	containsStmt<UnaryExprOrTypeTraitExpr>(cond);
	}

	// Returns true if the given CFGBlock is empty
	bool UnreachableCodeChecker::isEmptyCFGBlock(const CFGBlock *CB) {
	return CB->getLabel() == nullptr // No labels
	&& CB->size() == 0 // No statements
	&& !CB->getTerminatorStmt(); // No terminator
	}

	void ento::registerUnreachableCodeChecker(CheckerManager &mgr) {
	mgr.registerChecker<UnreachableCodeChecker>();
	}

	bool ento::shouldRegisterUnreachableCodeChecker(const CheckerManager &mgr) {
	return true;
	}

clang/test/Analysis/malloc-annotations.c

// RUN: %clang_analyze_cc1 -analyzer-store=region -verify \		// RUN: %clang_analyze_cc1 -analyzer-store=region -verify \
// RUN: -analyzer-checker=core \		// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=alpha.deadcode.UnreachableCode \		// RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-checker=alpha.core.CastSize \		// RUN: -analyzer-checker=alpha.core.CastSize \
// RUN: -analyzer-checker=unix.Malloc \		// RUN: -analyzer-checker=unix.Malloc \
// RUN: -analyzer-config unix.DynamicMemoryModeling:Optimistic=true %s		// RUN: -analyzer-config unix.DynamicMemoryModeling:Optimistic=true %s

		void clang_analyzer_warnIfReached(void);

typedef __typeof(sizeof(int)) size_t;		typedef __typeof(sizeof(int)) size_t;
void *malloc(size_t);		void *malloc(size_t);
void free(void *);		void free(void *);
void realloc(void ptr, size_t size);		void realloc(void ptr, size_t size);
void *calloc(size_t nmemb, size_t size);		void *calloc(size_t nmemb, size_t size);
void __attribute((ownership_returns(malloc))) *my_malloc(size_t);		void __attribute((ownership_returns(malloc))) *my_malloc(size_t);
void __attribute((ownership_takes(malloc, 1))) my_free(void *);		void __attribute((ownership_takes(malloc, 1))) my_free(void *);
void my_freeBoth(void , void )		void my_freeBoth(void , void )
▲ Show 20 Lines • Show All 241 Lines • ▼ Show 20 Lines	char callocZeroesGood (void) {
}		}
return result; // no-warning		return result; // no-warning
}		}

char callocZeroesBad (void) {		char callocZeroesBad (void) {
char *buf = calloc(2,2);		char *buf = calloc(2,2);
char result = buf[3]; // no-warning		char result = buf[3]; // no-warning
if (buf[1] != 0) {		if (buf[1] != 0) {
free(buf); // expected-warning{{never executed}}		clang_analyzer_warnIfReached(); // no-warning
		free(buf);
}		}
return result; // expected-warning{{Potential leak of memory pointed to by}}		return result; // expected-warning{{Potential leak of memory pointed to by}}
}		}

void testMultipleFreeAnnotations(void) {		void testMultipleFreeAnnotations(void) {
int *p = malloc(12);		int *p = malloc(12);
int *q = malloc(12);		int *q = malloc(12);
my_freeBoth(p, q);		my_freeBoth(p, q);
}		}

clang/test/Analysis/malloc-annotations.cpp

	// RUN: %clang_analyze_cc1 -analyzer-store=region -verify \			// RUN: %clang_analyze_cc1 -analyzer-store=region -verify \
	// RUN: -analyzer-checker=core \			// RUN: -analyzer-checker=core \
	// RUN: -analyzer-checker=alpha.deadcode.UnreachableCode \
	// RUN: -analyzer-checker=alpha.core.CastSize \			// RUN: -analyzer-checker=alpha.core.CastSize \
	// RUN: -analyzer-checker=unix.Malloc \			// RUN: -analyzer-checker=unix.Malloc \
	// RUN: -analyzer-config unix.DynamicMemoryModeling:Optimistic=true %s			// RUN: -analyzer-config unix.DynamicMemoryModeling:Optimistic=true %s

	typedef __typeof(sizeof(int)) size_t;			typedef __typeof(sizeof(int)) size_t;
	void *malloc(size_t);			void *malloc(size_t);
	void free(void *);			void free(void *);

	▲ Show 20 Lines • Show All 88 Lines • Show Last 20 Lines

clang/test/Analysis/malloc.c

// RUN: %clang_analyze_cc1 -Wno-strict-prototypes -Wno-error=implicit-int -analyzer-store=region -verify %s \		// RUN: %clang_analyze_cc1 -Wno-strict-prototypes -Wno-error=implicit-int -analyzer-store=region -verify %s \
// RUN: -analyzer-checker=core \		// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=alpha.deadcode.UnreachableCode \		// RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-checker=alpha.core.CastSize \		// RUN: -analyzer-checker=alpha.core.CastSize \
// RUN: -analyzer-checker=unix \		// RUN: -analyzer-checker=unix \
// RUN: -analyzer-checker=debug.ExprInspection		// RUN: -analyzer-checker=debug.ExprInspection

#include "Inputs/system-header-simulator.h"		#include "Inputs/system-header-simulator.h"

void clang_analyzer_eval(int);		void clang_analyzer_eval(int);
void clang_analyzer_dump(int);		void clang_analyzer_dump(int);
void clang_analyzer_dumpExtent(void *);		void clang_analyzer_dumpExtent(void *);
		void clang_analyzer_warnIfReached(void);

// Without -fms-compatibility, wchar_t isn't a builtin type. MSVC defines		// Without -fms-compatibility, wchar_t isn't a builtin type. MSVC defines
// _WCHAR_T_DEFINED if wchar_t is available. Microsoft recommends that you use		// _WCHAR_T_DEFINED if wchar_t is available. Microsoft recommends that you use
// the builtin type: "Using the typedef version can cause portability		// the builtin type: "Using the typedef version can cause portability
// problems", but we're ok here because we're not actually running anything.		// problems", but we're ok here because we're not actually running anything.
// Also of note is this cryptic warning: "The wchar_t type is not supported		// Also of note is this cryptic warning: "The wchar_t type is not supported
// when you compile C code".		// when you compile C code".
//		//
▲ Show 20 Lines • Show All 685 Lines • ▼ Show 20 Lines	char callocZeroesGood (void) {
}		}
return result; // no-warning		return result; // no-warning
}		}

char callocZeroesBad (void) {		char callocZeroesBad (void) {
char *buf = calloc(2,2);		char *buf = calloc(2,2);
char result = buf[3]; // no-warning		char result = buf[3]; // no-warning
if (buf[1] != 0) {		if (buf[1] != 0) {
free(buf); // expected-warning{{never executed}}		clang_analyzer_warnIfReached(); // no-warning
		free(buf);
}		}
return result; // expected-warning{{Potential leak of memory pointed to by 'buf'}}		return result; // expected-warning{{Potential leak of memory pointed to by 'buf'}}
}		}

void nullFree(void) {		void nullFree(void) {
int *p = 0;		int *p = 0;
free(p); // no warning - a nop		free(p); // no warning - a nop
}		}
▲ Show 20 Lines • Show All 653 Lines • ▼ Show 20 Lines	int CMPRegionHeapToHeap2(void) {
free(x2);		free(x2);
return x;		return x;
}		}

int CMPRegionHeapToHeap(void) {		int CMPRegionHeapToHeap(void) {
int x = 0;		int x = 0;
int *x1 = malloc(8);		int *x1 = malloc(8);
int *x4 = x1;		int *x4 = x1;
		clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
if (x1 == x4) {		if (x1 == x4) {
free(x1);		free(x1);
return 5/x; // expected-warning{{Division by zero}}		return 5/x; // expected-warning{{Division by zero}}
}		}
return x;// expected-warning{{This statement is never executed}}		clang_analyzer_warnIfReached(); // no-warning
		return x;
}		}

int HeapAssignment(void) {		int HeapAssignment(void) {
int m = 0;		int m = 0;
int *x = malloc(4);		int *x = malloc(4);
int *y = x;		int *y = x;
*x = 5;		*x = 5;
clang_analyzer_eval(x != y); // expected-warning{{FALSE}}		clang_analyzer_eval(x != y); // expected-warning{{FALSE}}
▲ Show 20 Lines • Show All 502 Lines • Show Last 20 Lines

clang/test/Analysis/malloc.cpp

	// RUN: %clang_analyze_cc1 -w -verify %s \			// RUN: %clang_analyze_cc1 -w -verify %s \
	// RUN: -analyzer-checker=core \			// RUN: -analyzer-checker=core \
	// RUN: -analyzer-checker=alpha.deadcode.UnreachableCode \
	// RUN: -analyzer-checker=alpha.core.CastSize \			// RUN: -analyzer-checker=alpha.core.CastSize \
	// RUN: -analyzer-checker=unix.Malloc \			// RUN: -analyzer-checker=unix.Malloc \
	// RUN: -analyzer-checker=cplusplus.NewDelete			// RUN: -analyzer-checker=cplusplus.NewDelete

	// RUN: %clang_analyze_cc1 -w -verify %s \			// RUN: %clang_analyze_cc1 -w -verify %s \
	// RUN: -triple i386-unknown-linux-gnu \			// RUN: -triple i386-unknown-linux-gnu \
	// RUN: -analyzer-checker=core \			// RUN: -analyzer-checker=core \
	// RUN: -analyzer-checker=alpha.deadcode.UnreachableCode \
	// RUN: -analyzer-checker=alpha.core.CastSize \			// RUN: -analyzer-checker=alpha.core.CastSize \
	// RUN: -analyzer-checker=unix.Malloc \			// RUN: -analyzer-checker=unix.Malloc \
	// RUN: -analyzer-checker=cplusplus.NewDelete			// RUN: -analyzer-checker=cplusplus.NewDelete

	// RUN: %clang_analyze_cc1 -w -verify %s -DTEST_INLINABLE_ALLOCATORS \			// RUN: %clang_analyze_cc1 -w -verify %s -DTEST_INLINABLE_ALLOCATORS \
	// RUN: -analyzer-checker=core \			// RUN: -analyzer-checker=core \
	// RUN: -analyzer-checker=alpha.deadcode.UnreachableCode \
	// RUN: -analyzer-checker=alpha.core.CastSize \			// RUN: -analyzer-checker=alpha.core.CastSize \
	// RUN: -analyzer-checker=unix.Malloc \			// RUN: -analyzer-checker=unix.Malloc \
	// RUN: -analyzer-checker=cplusplus.NewDelete			// RUN: -analyzer-checker=cplusplus.NewDelete

	// RUN: %clang_analyze_cc1 -w -verify %s -DTEST_INLINABLE_ALLOCATORS \			// RUN: %clang_analyze_cc1 -w -verify %s -DTEST_INLINABLE_ALLOCATORS \
	// RUN: -triple i386-unknown-linux-gnu \			// RUN: -triple i386-unknown-linux-gnu \
	// RUN: -analyzer-checker=core \			// RUN: -analyzer-checker=core \
	// RUN: -analyzer-checker=alpha.deadcode.UnreachableCode \
	// RUN: -analyzer-checker=alpha.core.CastSize \			// RUN: -analyzer-checker=alpha.core.CastSize \
	// RUN: -analyzer-checker=unix.Malloc \			// RUN: -analyzer-checker=unix.Malloc \
	// RUN: -analyzer-checker=cplusplus.NewDelete			// RUN: -analyzer-checker=cplusplus.NewDelete

	#include "Inputs/system-header-simulator-cxx.h"			#include "Inputs/system-header-simulator-cxx.h"

	typedef __typeof(sizeof(int)) size_t;			typedef __typeof(sizeof(int)) size_t;
	void *malloc(size_t);			void *malloc(size_t);
	▲ Show 20 Lines • Show All 183 Lines • Show Last 20 Lines

clang/test/Analysis/qt_malloc.cpp

	// RUN: %clang_analyze_cc1 -std=c++11 -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,cplusplus -analyzer-store=region -verify %s			// RUN: %clang_analyze_cc1 -std=c++11 -analyzer-checker=core,alpha.core.CastSize,unix.Malloc,cplusplus -analyzer-store=region -verify %s
	// expected-no-diagnostics			// expected-no-diagnostics
	#include "Inputs/qt-simulator.h"			#include "Inputs/qt-simulator.h"

	void send(QObject *obj)			void send(QObject *obj)
	{			{
	QEvent *e1 = new QEvent(QEvent::None);			QEvent *e1 = new QEvent(QEvent::None);
	static_cast<QApplication *>(QCoreApplication::instance())->postEvent(obj, e1);			static_cast<QApplication *>(QCoreApplication::instance())->postEvent(obj, e1);
	QEvent *e2 = new QEvent(QEvent::None);			QEvent *e2 = new QEvent(QEvent::None);
	Show All 12 Lines

clang/test/Analysis/unreachable-code-path.c

This file was deleted.

	// RUN: %clang_analyze_cc1 -analyzer-checker=core,deadcode.DeadStores,alpha.deadcode.UnreachableCode -verify -analyzer-opt-analyze-nested-blocks -Wno-unused-value %s

	extern void foo(int a);

	// The first few tests are non-path specific - we should be able to find them

	void test(unsigned a) {
	switch (a) {
	a += 5; // expected-warning{{never executed}}
	case 2:
	a *= 10;
	case 3:
	a %= 2;
	}
	foo(a);
	}

	void test2(unsigned a) {
	help:
	if (a > 0)
	return;
	if (a == 0)
	return;
	foo(a); // expected-warning{{never executed}}
	goto help;
	}

	void test3(unsigned a) {
	while(1);
	if (a > 5) { // expected-warning{{never executed}}
	return;
	}
	}

	// These next tests are path-sensitive

	void test4(void) {
	int a = 5;

	while (a > 1)
	a -= 2;

	if (a > 1) {
	a = a + 56; // expected-warning{{never executed}}
	}

	foo(a);
	}

	extern void bar(char c);

	void test5(const char *c) {
	foo(c[0]);

	if (!c) {
	bar(1); // expected-warning{{never executed}}
	}
	}

	// These next tests are false positives and should not generate warnings

	void test6(const char *c) {
	if (c) return;
	if (!c) return;
	__builtin_unreachable(); // no-warning
	__builtin_assume(0); // no-warning
	}

	// Compile-time constant false positives
	#define CONSTANT 0
	enum test_enum { Off, On };
	void test7(void) {
	if (CONSTANT)
	return; // no-warning

	if (sizeof(int))
	return; // no-warning

	if (Off)
	return; // no-warning
	}

	void test8(void) {
	static unsigned a = 0;

	if (a)
	a = 123; // no-warning

	a = 5;
	}

	// Check for bugs where multiple statements are reported
	void test9(unsigned a) {
	switch (a) {
	if (a) // expected-warning{{never executed}}
	foo(a + 5); // no-warning
	else // no-warning
	foo(a); // no-warning
	case 1:
	case 2:
	break;
	default:
	break;
	}
	}

	// Tests from flow-sensitive version
	void test10(void) {
	goto c;
	d:
	goto e; // expected-warning {{never executed}}
	c: ;
	int i;
	return;
	goto b; // expected-warning {{never executed}}
	goto a; // expected-warning {{never executed}}
	b:
	i = 1; // no-warning
	a:
	i = 2; // no-warning
	goto f;
	e:
	goto d;
	f: ;
	}

	// test11: we can actually end up in the default case, even if it is not
	// obvious: there might be something wrong with the given argument.
	enum foobar { FOO, BAR };
	extern void error(void);
	void test11(enum foobar fb) {
	switch (fb) {
	case FOO:
	break;
	case BAR:
	break;
	default:
	error(); // no-warning
	return;
	error(); // expected-warning {{never executed}}
	}
	}

	void inlined(int condition) {
	if (condition) {
	foo(5); // no-warning
	} else {
	foo(6);
	}
	}

	void testInlined(void) {
	extern int coin(void);
	int cond = coin();
	if (!cond) {
	inlined(0);
	if (cond) {
	foo(5); // expected-warning {{never executed}}
	}
	}
	}

	// Don't warn about unreachable VarDecl.
	void dostuff(int*A);
	void varDecl1(int X) {
	switch (X) {
	int A; // No warning here.
	case 1:
	dostuff(&A);
	break;
	case 2:
	dostuff(&A);
	break;
	}
	}
	void varDecl2(int X) {
	switch (X) {
	int A=1; // expected-warning {{never executed}}
	case 1:
	dostuff(&A);
	break;
	case 2:
	dostuff(&A);
	break;
	}
	}

	// Ensure that ExplodedGraph and unoptimized CFG match.
	void test12(int x) {
	switch (x) {
	case 1:
	break; // not unreachable
	case 2:
	do { } while (0);
	break;
	}
	}

	// Don't merge return nodes in ExplodedGraph unless they are same.
	extern int table[];
	static int inlineFunction(const int i) {
	if (table[i] != 0)
	return 1;
	return 0;
	}
	void test13(int i) {
	int x = inlineFunction(i);
	x && x < 10; // no-warning
	}

	// Don't warn in a macro
	#define RETURN(X) do { return; } while (0)
	void macro(void) {
	RETURN(1); // no-warning
	}

	// Avoid FP when macro argument is known
	void writeSomething(int *x);
	#define MACRO(C) \
	if (!C) { \
	static int x; \
	writeSomething(&x); \
	}
	void macro2(void) {
	MACRO(1);
	}

clang/www/analyzer/alpha_checks.html

Show First 20 Lines • Show All 441 Lines • ▼ Show 20 Lines	void f() {
A b = std::move(a); // note: 'a' became 'moved-from' here		A b = std::move(a); // note: 'a' became 'moved-from' here
a.foo(); // warn: method call on a 'moved-from' object 'a'		a.foo(); // warn: method call on a 'moved-from' object 'a'
}		}
</pre></div></div></td></tr>		</pre></div></div></td></tr>


</tbody></table>		</tbody></table>


<!-- =========================== dead code alpha =========================== -->
<h3 id="deadcode_alpha_checkers">Dead Code Alpha Checkers</h3>
<table class="checkers">
<colgroup><col class="namedescr"><col class="example"></colgroup>
<thead><tr><td>Name, Description</td><td>Example</td></tr></thead>

<tbody>
<tr><td><a id="alpha.deadcode.UnreachableCode"><div class="namedescr expandable"><span class="name">
alpha.deadcode.UnreachableCode</span><span class="lang">
(C, C++, ObjC)</span><div class="descr">
Check unreachable code.</div></div></a></td>
<td><div class="exampleContainer expandable">
<div class="example"><pre>
// C
int test() {
int x = 1;
while(x);
return x; // warn
}
</pre></div><div class="separator"></div>
<div class="example"><pre>
// C++
void test() {
int a = 2;

while (a > 1)
a--;

if (a > 1)
a++; // warn
}
</pre></div><div class="separator"></div>
<div class="example"><pre>
// Objective-C
void test(id x) {
return;
[x retain]; // warn
}
</pre></div></div></td></tr>
</tbody></table>

<!-- =========================== llvm alpha =========================== -->		<!-- =========================== llvm alpha =========================== -->
<h3 id="llvm_alpha_checkers">LLVM Checkers</h3>		<h3 id="llvm_alpha_checkers">LLVM Checkers</h3>
<table class="checkers">		<table class="checkers">
<colgroup><col class="namedescr"><col class="example"></colgroup>		<colgroup><col class="namedescr"><col class="example"></colgroup>
<thead><tr><td>Name, Description</td><td>Example</td></tr></thead>		<thead><tr><td>Name, Description</td><td>Example</td></tr></thead>

<tbody>		<tbody>
<tr><td><a id="alpha.llvm.Conventions"><div class="namedescr expandable"><span class="name">		<tr><td><a id="alpha.llvm.Conventions"><div class="namedescr expandable"><span class="name">
▲ Show 20 Lines • Show All 605 Lines • Show Last 20 Lines