This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/StaticAnalyzer/Core/
-
StaticAnalyzer/
-
Core/
2
BugReporterVisitors.cpp
-
test/Analysis/
-
Analysis/
-
null-deref-path-notes.c
-
null-deref-path-notes.cpp
-
null-deref-path-notes.m

Differential D37023

[analyzer] Fix bugreporter::getDerefExpr() again.
ClosedPublic

Authored by NoQ on Aug 22 2017, 1:59 PM.

Download Raw Diff

Details

Reviewers

zaks.anna
dcoughlin
xazax.hun
a.sidorin

Commits

rG2064e8227723: [analyzer] Fix and refactor bugreporter::getDerefExpr() API.
rC314287: [analyzer] Fix and refactor bugreporter::getDerefExpr() API.
rL314287: [analyzer] Fix and refactor bugreporter::getDerefExpr() API.

Summary

This patch continues work that was started in D32291.

Our bugreporter::getDerefExpr() API tries to find out what has been dereferenced. For example, if we have an lvalue expression x->y.z which causes a null dereference when dereferenced, the function returns lvalue x->y - the object from which the null pointer must have been loaded. Similarly, unwrapping lvalue x->y would result in x.

I believe i found a more correct way to implement it, namely to see where lvalue-to-rvalue casts are located in the expression. In our example, x->y is surrounded by an lvalue-to-rvalue cast, which indicates that we should not unwrap the expression further. And it is irrelevant whether the member expression is a dot or an arrow, or whether C++ this-> or ObjC self-> is written explicitly or assumed implicitly, or whether the expression or a sub-expression is a pointer or a reference (we used to look at these).

This patch refactors getDerefExpr() with this design in mind. Now the function must be much easier to understand, and also behave correctly.

Unwrapping of binary operators that caused the dereference (eg. *x = 2 -> *x) was removed from getDerefExpr() because it contradicts its purpose and seems to have never actually been used (we should be receiving *x in this function instead in all cases).

Current implementation has the benefit of not crashing on the newly added test case. The crash was caused by the fact that the old getDerefExpr() was thinking that self was dereferenced, even though in fact it wasn't.

I should probably have a look at what else might have changed and add more test cases, because the old code was quite strange.

Diff Detail

Event Timeline

NoQ created this revision.Aug 22 2017, 1:59 PM

NoQ mentioned this in D37025: [analyzer] Support more pointer arithmetic in bugreporter::getDerefExpr()..Aug 22 2017, 2:08 PM

NoQ added a child revision: D37025: [analyzer] Support more pointer arithmetic in bugreporter::getDerefExpr()..

Hi Artem,
I have a question after quick look. The original code considered ParenExprs but I cannot find nothing paren-related in the patch. Is case (x->y).z handled as expected?

Yeah, line 86.

Sorry, missed that.

Generally, it looks good to me. Though it looks like some of the cases covered in the code do not have corresponding tests (e.g.: the parenexprs).
I think this approach is good in a sense there should be such a cast at the interesting places. But I wonder if there could be some cases where we have such cast earlier than expected.

This revision is now accepted and ready to land.Aug 28 2017, 3:46 AM

Thank you for the review!

Though it looks like some of the cases covered in the code do not have corresponding tests (e.g.: the parenexprs).

These are covered by tests in inline-defensive-checks.c:150,156,169,179 (old code had IgnoreParenCasts). This function is actually used a lot (even more so since D32291), and seems fairly well-tested, so i felt relatively safe when refactoring it.

But I wonder if there could be some cases where we have such cast earlier than expected.

I'd love to know :o

In D37023#853941, @NoQ wrote:

Thank you for the review!

Though it looks like some of the cases covered in the code do not have corresponding tests (e.g.: the parenexprs).

These are covered by tests in inline-defensive-checks.c:150,156,169,179 (old code had IgnoreParenCasts). This function is actually used a lot (even more so since D32291), and seems fairly well-tested, so i felt relatively safe when refactoring it.

Oh, indeed, thanks :)

But I wonder if there could be some cases where we have such cast earlier than expected.

I'd love to know :o

I started to check some of the cases I was thinking about, but all of them looked fine :)

NoQ mentioned this in D37255: [analyzer] Fix bugreporter::getDerefExpr() again - a smaller targeted fix..Aug 29 2017, 2:20 AM

This seems like it is on the right track, but I think the emphasis here on lvalue-to-rvalue casts is a bit misplaced. The logic for "what is the pointer being dereferenced" and "what is the lvalue that holds the pointer being dereferenced" is mixed together in a way that I find confusing.

I think an easier to understand approach is to first find the rvalue of the pointer being dereferenced. Then, second, pattern match on that to find the underlying lvalue the pointer was loaded from (when possible).

But first a couple of points just to make sure we're on the same page (with apologies for the wall of text!). Suppose we have:

struct Y {
   ...
   int z;
};

struct X {
  ...
  Y y;
};

and a local 'x' of type X *.

For an access of the form int l = x->y.z the pointer being dereferenced is the rvalue x. The dereference ultimately results in a load from memory, but the address loaded from may be different from the the pointer being dereferenced. Here, for example, the address loaded from is (the rvalue of) x + "offset of field y into X" + "offset of field z into Y".

Fundamentally, given an expression representing the lvalue that will be loaded from, the way to find the rvalue of the pointer being dereferenced is to strip off the parts of the expression representing addition of offsets and any identity-preserving casts until you get to the expression that represents the rvalue of the base address. (This is why stripping off unary * makes sense -- in an lvalue context it represents adding an offset of 0. This is also why stripping off lvalue-to-rvalue casts doesn't make sense -- they do not preserve identity nor add an offset)

For int l = x->y.z, the expression for the pointer being dereferenced is the lvalue-to-rvalue cast that loads the value stored in local variable x from the lvalue that represents the address of the local variable x. But note that the pointer being dereferenced won't always be an lvalue-to-rvalue cast. For example in int l = returnsPointerToAnX()->y.z the expression for the pointer being dereferenced is the call expression returnsPointerToAnX(). There is no lvalue in sight.

Now, the existing behavior of getDerefExpr() requires that it return the lvalue representing the location containing the dereferenced pointer when possible. This is required by trackNullOrUndefValue() (sigh). So I suggest, for now, first finding the rvalue for the dereferenced value and then adding a fixup at the end of getDerefExpr() that looks to see whether the rvalue for the dereferenced pointer is an lvalue-to-rvalue cast. If so, the fixup will return the sub expression representing the lvalue.

lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
46	An interesting aspect of this function is that sometimes it returns a sub-expression that represents the pointer rvalue and sometimes it returns a sub-expression that represents the lvalue whose location contains the pointer which is being dereferenced. I believe the reason we need the lvalue is that trackNullOrUndef() tracks lvalues better than rvalues. (That function loads from the lvalue to get the symbol representing the dereferenced pointer value.) This behavior is pretty confusing, so we should document it in the comment.
48	This comment is not right. For `x->y.z = 2` the answer should be `x` and not `x->y`.

Any news here? I'm wondering mainly because this patch is supposed to fix https://bugs.llvm.org/show_bug.cgi?id=34373.

@dcoughlin: You're right, my reasoning and understanding was not correct, and your explanation is much more clear. My code still makes sense to me though, so i updated the comments to match. And moved the unusual logic for the lvalue-to-rvalue cast unwrap to the bottom of the function.

Essentially, getDerefExpr() tries its best to explain where the null pointer comes from, on the syntactic level, by unpacking expressions that wrap the expression from which the pointer "originates", where "originates" is understood in a vague manner defined only by what the callers of this utility function expect to see. This leaves us with a few kinds of expressions that we need to unwrap, and we shouldn't touch other expressions, leaving pattern-matching over them to the caller.

There are other facilities that work on non-syntactic level, like your example where we might jump from function expression to return statement within the callee if the callee was inlined, or how getNilReceiver() function unwraps ObjCMessageExpr to the self pointer *iff* it self was nil during symbolic execution (which implies that the whole message expression is nil).

So that's right - lvalue-to-rvalue casts are not "the whole point", but merely an example of an expression kind that we do not have a right to unwrap. In fact, the callers still expect us to unwrap it once, but immediately stop afterwards. This inconsistency should probably be fixed, but getDerefExpr is used by checkers, and current code in checkers seems clean and concise enough.

I had a look at other cast kinds in OperationKinds.def, and all of them seemed as if they're worth unwrapping, apart from, of course, CK_LValueToRValue.

@xazax.hun: So, i guess, if the cast is earlier than we'd expect, then we'd just fail to unwrap something. So we won't find where the pointer comes from, and give up prematurely on our pattern-matching, while looking at roughly the same expression/value, plus-minus offsets. It sounds better than the case when the cast is later than we'd expect, where we may accidentally unwrap wrong stuff and start tracking a completely unrelated value, so i hope it shouldn't be a problem. Thanks for sharing the concern - the AST is huge and very few people possess really deep understanding of it, so any curious findings about it are really nice to share.

Add no-crash test cases from https://bugs.llvm.org/show_bug.cgi?id=34373 and https://bugs.llvm.org/show_bug.cgi?id=34731 .

LGTM! Thanks Artem.

Closed by commit rL314287: [analyzer] Fix and refactor bugreporter::getDerefExpr() API. (authored by dergachev). · Explain WhySep 27 2017, 2:35 AM

This revision was automatically updated to reflect the committed changes.

Thank you, Artem!

NoQ mentioned this in D77179: [Analyzer][WebKit] UncountedCallArgsChecker.Jun 10 2020, 1:27 AM

Revision Contents

Path

Size

lib/

StaticAnalyzer/

Core/

BugReporterVisitors.cpp

80 lines

test/

Analysis/

null-deref-path-notes.c

10 lines

null-deref-path-notes.cpp

25 lines

null-deref-path-notes.m

240 lines

Diff 116673

lib/StaticAnalyzer/Core/BugReporterVisitors.cpp

	Show All 36 Lines

	bool bugreporter::isDeclRefExprToReference(const Expr *E) {			bool bugreporter::isDeclRefExprToReference(const Expr *E) {
	if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) {			if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) {
	return DRE->getDecl()->getType()->isReferenceType();			return DRE->getDecl()->getType()->isReferenceType();
	}			}
	return false;			return false;
	}			}

				/// Given that expression S represents a pointer that would be dereferenced,
				/// try to find a sub-expression from which the pointer came from.
				dcoughlinUnsubmitted Not Done Reply Inline Actions An interesting aspect of this function is that sometimes it returns a sub-expression that represents the pointer rvalue and sometimes it returns a sub-expression that represents the lvalue whose location contains the pointer which is being dereferenced. I believe the reason we need the lvalue is that trackNullOrUndef() tracks lvalues better than rvalues. (That function loads from the lvalue to get the symbol representing the dereferenced pointer value.) This behavior is pretty confusing, so we should document it in the comment. dcoughlin: An interesting aspect of this function is that sometimes it returns a sub-expression that…
				/// This is used for tracking down origins of a null or undefined value:
				/// "this is null because that is null because that is null" etc.
				dcoughlinUnsubmitted Not Done Reply Inline Actions This comment is not right. For `x->y.z = 2` the answer should be `x` and not `x->y`. dcoughlin: This comment is not right. For `x->y.z = 2` the answer should be `x` and not `x->y`.
				/// We wipe away field and element offsets because they merely add offsets.
				/// We also wipe away all casts except lvalue-to-rvalue casts, because the
				/// latter represent an actual pointer dereference; however, we remove
				/// the final lvalue-to-rvalue cast before returning from this function
				/// because it demonstrates more clearly from where the pointer rvalue was
				/// loaded. Examples:
				/// x->y.z ==> x (lvalue)
				/// foo()->y.z ==> foo() (rvalue)
	const Expr bugreporter::getDerefExpr(const Stmt S) {			const Expr bugreporter::getDerefExpr(const Stmt S) {
	// Pattern match for a few useful cases:
	// a[0], p->f, *p
	const Expr *E = dyn_cast<Expr>(S);			const Expr *E = dyn_cast<Expr>(S);
	if (!E)			if (!E)
	return nullptr;			return nullptr;
	E = E->IgnoreParenCasts();

	while (true) {			while (true) {
	if (const BinaryOperator *B = dyn_cast<BinaryOperator>(E)) {			if (const CastExpr *CE = dyn_cast<CastExpr>(E)) {
	assert(B->isAssignmentOp());			if (CE->getCastKind() == CK_LValueToRValue) {
	E = B->getLHS()->IgnoreParenCasts();			// This cast represents the load we're looking for.
	continue;			break;
	}
	else if (const UnaryOperator *U = dyn_cast<UnaryOperator>(E)) {
	if (U->getOpcode() == UO_Deref)
	return U->getSubExpr()->IgnoreParenCasts();
	}			}
	else if (const MemberExpr *ME = dyn_cast<MemberExpr>(E)) {			E = CE->getSubExpr();
	if (ME->isImplicitAccess()) {			} else if (isa<BinaryOperator>(E)) {
	return ME;			// Probably more arithmetic can be pattern-matched here,
	} else if (ME->isArrow() \|\| isDeclRefExprToReference(ME->getBase())) {			// but for now give up.
	return ME->getBase()->IgnoreParenCasts();			break;
				} else if (const UnaryOperator *U = dyn_cast<UnaryOperator>(E)) {
				if (U->getOpcode() == UO_Deref) {
				// Operators '*' and '&' don't actually mean anything.
				// We look at casts instead.
				E = U->getSubExpr();
	} else {			} else {
	// If we have a member expr with a dot, the base must have been			// Probably more arithmetic can be pattern-matched here,
	// dereferenced.			// but for now give up.
	return getDerefExpr(ME->getBase());			break;
	}
	}
	else if (const ObjCIvarRefExpr *IvarRef = dyn_cast<ObjCIvarRefExpr>(E)) {
	return IvarRef->getBase()->IgnoreParenCasts();
	}
	else if (const ArraySubscriptExpr *AE = dyn_cast<ArraySubscriptExpr>(E)) {
	return getDerefExpr(AE->getBase());
	}			}
	else if (isa<DeclRefExpr>(E)) {
	return E;
	}			}
				// Pattern match for a few useful cases: a[0], p->f, *p etc.
				else if (const MemberExpr *ME = dyn_cast<MemberExpr>(E)) {
				E = ME->getBase();
				} else if (const ObjCIvarRefExpr *IvarRef = dyn_cast<ObjCIvarRefExpr>(E)) {
				E = IvarRef->getBase();
				} else if (const ArraySubscriptExpr *AE = dyn_cast<ArraySubscriptExpr>(E)) {
				E = AE->getBase();
				} else if (const ParenExpr *PE = dyn_cast<ParenExpr>(E)) {
				E = PE->getSubExpr();
				} else {
				// Other arbitrary stuff.
	break;			break;
	}			}
				}

	return nullptr;			// Special case: remove the final lvalue-to-rvalue cast, but do not recurse
				// deeper into the sub-expression. This way we return the lvalue from which
				// our pointer rvalue was loaded.
				if (const ImplicitCastExpr *CE = dyn_cast<ImplicitCastExpr>(E))
				if (CE->getCastKind() == CK_LValueToRValue)
				E = CE->getSubExpr();

				return E;
	}			}

	const Stmt bugreporter::GetDenomExpr(const ExplodedNode N) {			const Stmt bugreporter::GetDenomExpr(const ExplodedNode N) {
	const Stmt *S = N->getLocationAs<PreStmt>()->getStmt();			const Stmt *S = N->getLocationAs<PreStmt>()->getStmt();
	if (const BinaryOperator *BE = dyn_cast<BinaryOperator>(S))			if (const BinaryOperator *BE = dyn_cast<BinaryOperator>(S))
	return BE->getRHS();			return BE->getRHS();
	return nullptr;			return nullptr;
	}			}
	▲ Show 20 Lines • Show All 1,754 Lines • Show Last 20 Lines

test/Analysis/null-deref-path-notes.c

This file was added.

				// RUN: %clang_analyze_cc1 -w -x c -analyzer-checker=core -analyzer-output=text -verify %s

				// Avoid the crash when finding the expression for tracking the origins
				// of the null pointer for path notes. Apparently, not much actual tracking
				// needs to be done in this example.
				void pr34373() {
				int *a = 0;
				(a + 0)[0]; // expected-warning{{Array access results in a null pointer dereference}}
				// expected-note@-1{{Array access results in a null pointer dereference}}
				}

test/Analysis/null-deref-path-notes.cpp

This file was added.

				// RUN: %clang_analyze_cc1 -w -x c++ -analyzer-checker=core -analyzer-output=text -analyzer-eagerly-assume -verify %s

				namespace pr34731 {
				int b;
				class c {
				class B {
				public:
				double ***d;
				B();
				};
				void e(double **, int);
				void f(B &, int &);
				};

				// Properly track the null pointer in the array field back to the default
				// constructor of 'h'.
				void c::f(B &g, int &i) {
				e(g.d[9], i); // expected-warning{{Array access (via field 'd') results in a null pointer dereference}}
				// expected-note@-1{{Array access (via field 'd') results in a null pointer dereference}}
				B h, a; // expected-note{{Value assigned to 'h.d'}}
				a.d == __null; // expected-note{{Assuming the condition is true}}
				a.d != h.d; // expected-note{{Assuming pointer value is null}}
				f(h, b); // expected-note{{Calling 'c::f'}}
				}
				}

test/Analysis/null-deref-path-notes.m

Show First 20 Lines • Show All 44 Lines • ▼ Show 20 Lines	if (coin) {
p = getPointer();		p = getPointer();
} else {		} else {
p = 0; // expected-note {{Null pointer value stored to 'p'}}		p = 0; // expected-note {{Null pointer value stored to 'p'}}
}		}

*p = 1; // expected-warning{{Dereference of null pointer}} expected-note{{Dereference of null pointer}}		*p = 1; // expected-warning{{Dereference of null pointer}} expected-note{{Dereference of null pointer}}
}		}

		@interface WithArrayPtr
		- (void) useArray;
		@end

		@implementation WithArrayPtr {
		@public int *p;
		}
		- (void)useArray {
		p[1] = 2; // expected-warning{{Array access (via ivar 'p') results in a null pointer dereference}}
		// expected-note@-1{{Array access (via ivar 'p') results in a null pointer dereference}}
		}
		@end

		void testWithArrayPtr(WithArrayPtr *w) {
		w->p = 0; // expected-note{{Null pointer value stored to 'p'}}
		[w useArray]; // expected-note{{Calling 'useArray'}}
		}

// CHECK: <key>diagnostics</key>		// CHECK: <key>diagnostics</key>
// CHECK-NEXT: <array>		// CHECK-NEXT: <array>
// CHECK-NEXT: <dict>		// CHECK-NEXT: <dict>
// CHECK-NEXT: <key>path</key>		// CHECK-NEXT: <key>path</key>
// CHECK-NEXT: <array>		// CHECK-NEXT: <array>
// CHECK-NEXT: <dict>		// CHECK-NEXT: <dict>
// CHECK-NEXT: <key>kind</key><string>control</string>		// CHECK-NEXT: <key>kind</key><string>control</string>
▲ Show 20 Lines • Show All 735 Lines • ▼ Show 20 Lines
// CHECK-NEXT: <key>issue_hash_function_offset</key><string>11</string>		// CHECK-NEXT: <key>issue_hash_function_offset</key><string>11</string>
// CHECK-NEXT: <key>location</key>		// CHECK-NEXT: <key>location</key>
// CHECK-NEXT: <dict>		// CHECK-NEXT: <dict>
// CHECK-NEXT: <key>line</key><integer>50</integer>		// CHECK-NEXT: <key>line</key><integer>50</integer>
// CHECK-NEXT: <key>col</key><integer>6</integer>		// CHECK-NEXT: <key>col</key><integer>6</integer>
// CHECK-NEXT: <key>file</key><integer>0</integer>		// CHECK-NEXT: <key>file</key><integer>0</integer>
// CHECK-NEXT: </dict>		// CHECK-NEXT: </dict>
// CHECK-NEXT: </dict>		// CHECK-NEXT: </dict>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>path</key>
		// CHECK-NEXT: <array>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>kind</key><string>event</string>
		// CHECK-NEXT: <key>location</key>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>line</key><integer>67</integer>
		// CHECK-NEXT: <key>col</key><integer>3</integer>
		// CHECK-NEXT: <key>file</key><integer>0</integer>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: <key>ranges</key>
		// CHECK-NEXT: <array>
		// CHECK-NEXT: <array>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>line</key><integer>67</integer>
		// CHECK-NEXT: <key>col</key><integer>3</integer>
		// CHECK-NEXT: <key>file</key><integer>0</integer>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>line</key><integer>67</integer>
		// CHECK-NEXT: <key>col</key><integer>10</integer>
		// CHECK-NEXT: <key>file</key><integer>0</integer>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: </array>
		// CHECK-NEXT: </array>
		// CHECK-NEXT: <key>depth</key><integer>0</integer>
		// CHECK-NEXT: <key>extended_message</key>
		// CHECK-NEXT: <string>Null pointer value stored to 'p'</string>
		// CHECK-NEXT: <key>message</key>
		// CHECK-NEXT: <string>Null pointer value stored to 'p'</string>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>kind</key><string>control</string>
		// CHECK-NEXT: <key>edges</key>
		// CHECK-NEXT: <array>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>start</key>
		// CHECK-NEXT: <array>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>line</key><integer>67</integer>
		// CHECK-NEXT: <key>col</key><integer>3</integer>
		// CHECK-NEXT: <key>file</key><integer>0</integer>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>line</key><integer>67</integer>
		// CHECK-NEXT: <key>col</key><integer>3</integer>
		// CHECK-NEXT: <key>file</key><integer>0</integer>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: </array>
		// CHECK-NEXT: <key>end</key>
		// CHECK-NEXT: <array>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>line</key><integer>68</integer>
		// CHECK-NEXT: <key>col</key><integer>3</integer>
		// CHECK-NEXT: <key>file</key><integer>0</integer>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>line</key><integer>68</integer>
		// CHECK-NEXT: <key>col</key><integer>3</integer>
		// CHECK-NEXT: <key>file</key><integer>0</integer>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: </array>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: </array>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>kind</key><string>event</string>
		// CHECK-NEXT: <key>location</key>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>line</key><integer>68</integer>
		// CHECK-NEXT: <key>col</key><integer>3</integer>
		// CHECK-NEXT: <key>file</key><integer>0</integer>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: <key>ranges</key>
		// CHECK-NEXT: <array>
		// CHECK-NEXT: <array>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>line</key><integer>68</integer>
		// CHECK-NEXT: <key>col</key><integer>3</integer>
		// CHECK-NEXT: <key>file</key><integer>0</integer>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>line</key><integer>68</integer>
		// CHECK-NEXT: <key>col</key><integer>14</integer>
		// CHECK-NEXT: <key>file</key><integer>0</integer>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: </array>
		// CHECK-NEXT: </array>
		// CHECK-NEXT: <key>depth</key><integer>0</integer>
		// CHECK-NEXT: <key>extended_message</key>
		// CHECK-NEXT: <string>Calling 'useArray'</string>
		// CHECK-NEXT: <key>message</key>
		// CHECK-NEXT: <string>Calling 'useArray'</string>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>kind</key><string>event</string>
		// CHECK-NEXT: <key>location</key>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>line</key><integer>60</integer>
		// CHECK-NEXT: <key>col</key><integer>1</integer>
		// CHECK-NEXT: <key>file</key><integer>0</integer>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: <key>depth</key><integer>1</integer>
		// CHECK-NEXT: <key>extended_message</key>
		// CHECK-NEXT: <string>Entered call from 'testWithArrayPtr'</string>
		// CHECK-NEXT: <key>message</key>
		// CHECK-NEXT: <string>Entered call from 'testWithArrayPtr'</string>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>kind</key><string>control</string>
		// CHECK-NEXT: <key>edges</key>
		// CHECK-NEXT: <array>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>start</key>
		// CHECK-NEXT: <array>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>line</key><integer>60</integer>
		// CHECK-NEXT: <key>col</key><integer>1</integer>
		// CHECK-NEXT: <key>file</key><integer>0</integer>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>line</key><integer>60</integer>
		// CHECK-NEXT: <key>col</key><integer>1</integer>
		// CHECK-NEXT: <key>file</key><integer>0</integer>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: </array>
		// CHECK-NEXT: <key>end</key>
		// CHECK-NEXT: <array>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>line</key><integer>61</integer>
		// CHECK-NEXT: <key>col</key><integer>3</integer>
		// CHECK-NEXT: <key>file</key><integer>0</integer>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>line</key><integer>61</integer>
		// CHECK-NEXT: <key>col</key><integer>3</integer>
		// CHECK-NEXT: <key>file</key><integer>0</integer>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: </array>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: </array>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>kind</key><string>control</string>
		// CHECK-NEXT: <key>edges</key>
		// CHECK-NEXT: <array>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>start</key>
		// CHECK-NEXT: <array>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>line</key><integer>61</integer>
		// CHECK-NEXT: <key>col</key><integer>3</integer>
		// CHECK-NEXT: <key>file</key><integer>0</integer>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>line</key><integer>61</integer>
		// CHECK-NEXT: <key>col</key><integer>3</integer>
		// CHECK-NEXT: <key>file</key><integer>0</integer>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: </array>
		// CHECK-NEXT: <key>end</key>
		// CHECK-NEXT: <array>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>line</key><integer>61</integer>
		// CHECK-NEXT: <key>col</key><integer>8</integer>
		// CHECK-NEXT: <key>file</key><integer>0</integer>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>line</key><integer>61</integer>
		// CHECK-NEXT: <key>col</key><integer>8</integer>
		// CHECK-NEXT: <key>file</key><integer>0</integer>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: </array>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: </array>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>kind</key><string>event</string>
		// CHECK-NEXT: <key>location</key>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>line</key><integer>61</integer>
		// CHECK-NEXT: <key>col</key><integer>8</integer>
		// CHECK-NEXT: <key>file</key><integer>0</integer>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: <key>ranges</key>
		// CHECK-NEXT: <array>
		// CHECK-NEXT: <array>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>line</key><integer>61</integer>
		// CHECK-NEXT: <key>col</key><integer>3</integer>
		// CHECK-NEXT: <key>file</key><integer>0</integer>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>line</key><integer>61</integer>
		// CHECK-NEXT: <key>col</key><integer>3</integer>
		// CHECK-NEXT: <key>file</key><integer>0</integer>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: </array>
		// CHECK-NEXT: </array>
		// CHECK-NEXT: <key>depth</key><integer>1</integer>
		// CHECK-NEXT: <key>extended_message</key>
		// CHECK-NEXT: <string>Array access (via ivar 'p') results in a null pointer dereference</string>
		// CHECK-NEXT: <key>message</key>
		// CHECK-NEXT: <string>Array access (via ivar 'p') results in a null pointer dereference</string>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: </array>
		// CHECK-NEXT: <key>description</key><string>Array access (via ivar 'p') results in a null pointer dereference</string>
		// CHECK-NEXT: <key>category</key><string>Logic error</string>
		// CHECK-NEXT: <key>type</key><string>Dereference of null pointer</string>
		// CHECK-NEXT: <key>check_name</key><string>core.NullDereference</string>
		// CHECK-NEXT: <!-- This hash is experimental and going to change! -->
		// CHECK-NEXT: <key>issue_hash_content_of_line_in_context</key><string>fb0ad1e4e3090d9834d542eb54bc9d2e</string>
		// CHECK-NEXT: <key>issue_context_kind</key><string>Objective-C method</string>
		// CHECK-NEXT: <key>issue_context</key><string>useArray</string>
		// CHECK-NEXT: <key>issue_hash_function_offset</key><string>1</string>
		// CHECK-NEXT: <key>location</key>
		// CHECK-NEXT: <dict>
		// CHECK-NEXT: <key>line</key><integer>61</integer>
		// CHECK-NEXT: <key>col</key><integer>8</integer>
		// CHECK-NEXT: <key>file</key><integer>0</integer>
		// CHECK-NEXT: </dict>
		// CHECK-NEXT: </dict>
// CHECK-NEXT: </array>		// CHECK-NEXT: </array>