This is an archive of the discontinued LLVM Phabricator instance.

Differential D51323

[analyzer] Improve tracing for uninitialized struct fields
ClosedPublic

Authored by george.karpenkov on Aug 27 2018, 2:18 PM.

Details

Reviewers
dcoughlin
NoQ
Commits
rG574d78e78ea9: [analyzer] Improve tracing for uninitialized struct fields
rL340986: [analyzer] Improve tracing for uninitialized struct fields
rC340986: [analyzer] Improve tracing for uninitialized struct fields
Summary

rdar://13729267

Diff Detail

Repository
rC Clang

Event Timeline

george.karpenkov created this revision.Aug 27 2018, 2:18 PM
Herald added subscribers: Szelethus, mikhail.ramalho, a.sidorin and 3 others. · View Herald TranscriptAug 27 2018, 2:18 PM
NoQ added inline comments.Aug 27 2018, 2:31 PM
clang/test/Analysis/uninit-vals-ps-region.m
51–66 ↗(On Diff #162747)

Am i understanding correctly that only these two notes are new? I.e., we track the structure to its definition.

I guess it might be useful, but it's not super useful, because it's always obvious anyway where the structure is declared. The actually interesting thing to do would be to track the structure as it's being copied (or, well, moved) from one region to another, eg. partially-initialized within a function and then returned from that function by value. And i guess that it requires more sophisticated tracking.

With the newly added tracking, do we also find places where a C++ method call mutates the structure? If it does, let's add a test. It's easier because the structure's region doesn't change. I guess this may be useful when the structure is uninitialized after construction and then partially initialized by a method call. I suspect that tracking this back to the constructor that fails to initialize the structure would still require more effort.

NoQ added a comment.Aug 29 2018, 12:04 PM

Eg., let's test something like this, in both C and C++:

struct Point {
  int x, y;
};

struct Point getHalfPoint() {
  struct Point p; // Track the undef value to explain that 'y' is uninitialized here.
  p.x = 0;
  return p;
}

void use(struct Point p); 

void test1() {
  struct Point p = getHalfPoint();
  use(p); // Use of partially initialized value.
}

void test2() {
  struct Point p;
  p = getHalfPoint();
  use(p); // Use of partially initialized value.
}
NoQ accepted this revision.Aug 29 2018, 3:31 PM

The code looks great.

This revision is now accepted and ready to land.Aug 29 2018, 3:31 PM
Closed by commit rC340986: [analyzer] Improve tracing for uninitialized struct fields (authored by george.karpenkov). · Explain WhyAug 29 2018, 3:49 PM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: cfe-commits. · View Herald TranscriptAug 29 2018, 3:49 PM

Revision Contents

PathSize
lib/
StaticAnalyzer/
Checkers/
2 lines
test/
Analysis/
93 lines
157 lines
199 lines
3 lines
173 lines

Diff 163217

lib/StaticAnalyzer/Checkers/CallAndMessageChecker.cpp

Show First 20 LinesShow All 298 Lines▼ Show 20 Lines if (F.Find(D->getRegion())) {
} }
os << "')"; os << "')";
} }
// Generate a report for this bug. // Generate a report for this bug.
auto R = llvm::make_unique<BugReport>(*BT, os.str(), N); auto R = llvm::make_unique<BugReport>(*BT, os.str(), N);
R->addRange(ArgRange); R->addRange(ArgRange);
if (ArgEx)
bugreporter::trackNullOrUndefValue(N, ArgEx, *R);
// FIXME: enhance track back for uninitialized value for arbitrary // FIXME: enhance track back for uninitialized value for arbitrary
// memregions // memregions
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
return true; return true;
} }
} }
▲ Show 20 LinesShow All 302 LinesShow Last 20 Lines

test/Analysis/uninit-vals-ps-region.m

// RUN: %clang_analyze_cc1 -analyzer-store=region -analyzer-checker=core -verify %s
struct s {
int data;
};
struct s global;
void g(int);
void f4() {
int a;
if (global.data == 0)
a = 3;
if (global.data == 0) // When the true branch is feasible 'a = 3'.
g(a); // no-warning
}
// Test uninitialized value due to part of the structure being uninitialized.
struct TestUninit { int x; int y; };
struct TestUninit test_uninit_aux();
void test_unit_aux2(int);
void test_uninit_pos() {
struct TestUninit v1 = { 0, 0 };
struct TestUninit v2 = test_uninit_aux();
int z;
v1.y = z; // expected-warning{{Assigned value is garbage or undefined}}
test_unit_aux2(v2.x + v1.y);
}
void test_uninit_pos_2() {
struct TestUninit v1 = { 0, 0 };
struct TestUninit v2;
test_unit_aux2(v2.x + v1.y); // expected-warning{{The left operand of '+' is a garbage value}}
}
void test_uninit_pos_3() {
struct TestUninit v1 = { 0, 0 };
struct TestUninit v2;
test_unit_aux2(v1.y + v2.x); // expected-warning{{The right operand of '+' is a garbage value}}
}
void test_uninit_neg() {
struct TestUninit v1 = { 0, 0 };
struct TestUninit v2 = test_uninit_aux();
test_unit_aux2(v2.x + v1.y);
}
extern void test_uninit_struct_arg_aux(struct TestUninit arg);
void test_uninit_struct_arg() {
struct TestUninit x;
test_uninit_struct_arg_aux(x); // expected-warning{{Passed-by-value struct argument contains uninitialized data (e.g., field: 'x')}}
}
@interface Foo
- (void) passVal:(struct TestUninit)arg;
@end
void testFoo(Foo *o) {
struct TestUninit x;
[o passVal:x]; // expected-warning{{Passed-by-value struct argument contains uninitialized data (e.g., field: 'x')}}
}
// Test case from <rdar://problem/7780304>. That shows an uninitialized value
// being used in the LHS of a compound assignment.
void rdar_7780304() {
typedef struct s_r7780304 { int x; } s_r7780304;
s_r7780304 b;
b.x |= 1; // expected-warning{{The left expression of the compound assignment is an uninitialized value. The computed value will also be garbage}}
}
// The flip side of PR10163 -- float arrays that are actually uninitialized
// (The main test is in uninit-vals.m)
void test_PR10163(float);
void PR10163 (void) {
float x[2];
test_PR10163(x[1]); // expected-warning{{uninitialized value}}
}
struct MyStr {
int x;
int y;
};
void swap(struct MyStr *To, struct MyStr *From) {
// This is not really a swap but close enough for our test.
To->x = From->x;
To->y = From->y; // no warning
}
int test_undefined_member_assignment_in_swap(struct MyStr *s2) {
struct MyStr s1;
s1.x = 5;
swap(s2, &s1);
return s2->y; // expected-warning{{Undefined or garbage value returned to caller}}
}

test/Analysis/uninit-vals-ps.c

// RUN: %clang_analyze_cc1 -analyzer-checker=core -analyzer-store=region -fblocks -verify %s
struct FPRec {
void (*my_func)(int * x);
};
int bar(int x);
int f1_a(struct FPRec* foo) {
int x;
(*foo->my_func)(&x);
return bar(x)+1; // no-warning
}
int f1_b() {
int x;
return bar(x)+1; // expected-warning{{1st function call argument is an uninitialized value}}
}
int f2() {
int x;
if (x+1) // expected-warning{{The left operand of '+' is a garbage value}}
return 1;
return 2;
}
int f2_b() {
int x;
return ((1+x)+2+((x))) + 1 ? 1 : 2; // expected-warning{{The right operand of '+' is a garbage value}}
}
int f3(void) {
int i;
int *p = &i;
if (*p > 0) // expected-warning{{The left operand of '>' is a garbage value}}
return 0;
else
return 1;
}
void f4_aux(float* x);
float f4(void) {
float x;
f4_aux(&x);
return x; // no-warning
}
struct f5_struct { int x; };
void f5_aux(struct f5_struct* s);
int f5(void) {
struct f5_struct s;
f5_aux(&s);
return s.x; // no-warning
}
void f6(int x) {
int a[20];
if (x == 25) {}
if (a[x] == 123) {} // expected-warning{{The left operand of '==' is a garbage value due to array index out of bounds}}
}
int ret_uninit() {
int i;
int *p = &i;
return *p; // expected-warning{{Undefined or garbage value returned to caller}}
}
// <rdar://problem/6451816>
typedef unsigned char Boolean;
typedef const struct __CFNumber * CFNumberRef;
typedef signed long CFIndex;
typedef CFIndex CFNumberType;
typedef unsigned long UInt32;
typedef UInt32 CFStringEncoding;
typedef const struct __CFString * CFStringRef;
extern Boolean CFNumberGetValue(CFNumberRef number, CFNumberType theType, void *valuePtr);
extern CFStringRef CFStringConvertEncodingToIANACharSetName(CFStringEncoding encoding);
CFStringRef rdar_6451816(CFNumberRef nr) {
CFStringEncoding encoding;
// &encoding is casted to void*. This test case tests whether or not
// we properly invalidate the value of 'encoding'.
CFNumberGetValue(nr, 9, &encoding);
return CFStringConvertEncodingToIANACharSetName(encoding); // no-warning
}
// PR 4630 - false warning with nonnull attribute
// This false positive (due to a regression) caused the analyzer to falsely
// flag a "return of uninitialized value" warning in the first branch due to
// the nonnull attribute.
void pr_4630_aux(char *x, int *y) __attribute__ ((nonnull (1)));
void pr_4630_aux_2(char *x, int *y);
int pr_4630(char *a, int y) {
int x;
if (y) {
pr_4630_aux(a, &x);
return x; // no-warning
}
else {
pr_4630_aux_2(a, &x);
return x; // no-warning
}
}
// PR 4631 - False positive with union initializer
// Previously the analyzer didn't examine the compound initializers of unions,
// resulting in some false positives for initializers with side-effects.
union u_4631 { int a; };
struct s_4631 { int a; };
int pr4631_f2(int *p);
int pr4631_f3(void *q);
int pr4631_f1(void)
{
int x;
union u_4631 m = { pr4631_f2(&x) };
pr4631_f3(&m); // tell analyzer that we use m
return x; // no-warning
}
int pr4631_f1_b(void)
{
int x;
struct s_4631 m = { pr4631_f2(&x) };
pr4631_f3(&m); // tell analyzer that we use m
return x; // no-warning
}
// <rdar://problem/12278788> - FP when returning a void-valued expression from
// a void function...or block.
void foo_radar12278788() { return; }
void test_radar12278788() {
return foo_radar12278788(); // no-warning
}
void foo_radar12278788_fp() { return; }
typedef int (*RetIntFuncType)();
typedef void (*RetVoidFuncType)();
int test_radar12278788_FP() {
RetVoidFuncType f = foo_radar12278788_fp;
return ((RetIntFuncType)f)(); //expected-warning {{Undefined or garbage value returned to caller}}
}
void rdar13665798() {
^() {
return foo_radar12278788(); // no-warning
}();
^void() {
return foo_radar12278788(); // no-warning
}();
^int() {
RetVoidFuncType f = foo_radar12278788_fp;
return ((RetIntFuncType)f)(); //expected-warning {{Undefined or garbage value returned to caller}}
}();
}

test/Analysis/uninit-vals.c

// RUN: %clang_analyze_cc1 -analyzer-checker=core -fblocks -verify -analyzer-output=text %s
struct FPRec {
void (*my_func)(int * x);
};
int bar(int x);
int f1_a(struct FPRec* foo) {
int x;
(*foo->my_func)(&x);
return bar(x)+1; // no-warning
}
int f1_b() {
int x; // expected-note{{'x' declared without an initial value}}
return bar(x)+1; // expected-warning{{1st function call argument is an uninitialized value}}
// expected-note@-1{{1st function call argument is an uninitialized value}}
}
int f2() {
int x; // expected-note{{'x' declared without an initial value}}
if (x+1) // expected-warning{{The left operand of '+' is a garbage value}}
// expected-note@-1{{The left operand of '+' is a garbage value}}
return 1;
return 2;
}
int f2_b() {
int x; // expected-note{{'x' declared without an initial value}}
return ((1+x)+2+((x))) + 1 ? 1 : 2; // expected-warning{{The right operand of '+' is a garbage value}}
// expected-note@-1{{The right operand of '+' is a garbage value}}
}
int f3(void) {
int i; // expected-note{{'i' declared without an initial value}}
int *p = &i;
if (*p > 0) // expected-warning{{The left operand of '>' is a garbage value}}
// expected-note@-1{{The left operand of '>' is a garbage value}}
return 0;
else
return 1;
}
void f4_aux(float* x);
float f4(void) {
float x;
f4_aux(&x);
return x; // no-warning
}
struct f5_struct { int x; };
void f5_aux(struct f5_struct* s);
int f5(void) {
struct f5_struct s;
f5_aux(&s);
return s.x; // no-warning
}
void f6(int x) {
int a[20];
if (x == 25) {} // expected-note{{Assuming 'x' is equal to 25}}
// expected-note@-1{{Taking true branch}}
if (a[x] == 123) {} // expected-warning{{The left operand of '==' is a garbage value due to array index out of bounds}}
// expected-note@-1{{The left operand of '==' is a garbage value due to array index out of bounds}}
}
int ret_uninit() {
int i; // expected-note{{'i' declared without an initial value}}
int *p = &i;
return *p; // expected-warning{{Undefined or garbage value returned to caller}}
// expected-note@-1{{Undefined or garbage value returned to caller}}
}
// <rdar://problem/6451816>
typedef unsigned char Boolean;
typedef const struct __CFNumber * CFNumberRef;
typedef signed long CFIndex;
typedef CFIndex CFNumberType;
typedef unsigned long UInt32;
typedef UInt32 CFStringEncoding;
typedef const struct __CFString * CFStringRef;
extern Boolean CFNumberGetValue(CFNumberRef number, CFNumberType theType, void *valuePtr);
extern CFStringRef CFStringConvertEncodingToIANACharSetName(CFStringEncoding encoding);
CFStringRef rdar_6451816(CFNumberRef nr) {
CFStringEncoding encoding;
// &encoding is casted to void*. This test case tests whether or not
// we properly invalidate the value of 'encoding'.
CFNumberGetValue(nr, 9, &encoding);
return CFStringConvertEncodingToIANACharSetName(encoding); // no-warning
}
// PR 4630 - false warning with nonnull attribute
// This false positive (due to a regression) caused the analyzer to falsely
// flag a "return of uninitialized value" warning in the first branch due to
// the nonnull attribute.
void pr_4630_aux(char *x, int *y) __attribute__ ((nonnull (1)));
void pr_4630_aux_2(char *x, int *y);
int pr_4630(char *a, int y) {
int x;
if (y) {
pr_4630_aux(a, &x);
return x; // no-warning
}
else {
pr_4630_aux_2(a, &x);
return x; // no-warning
}
}
// PR 4631 - False positive with union initializer
// Previously the analyzer didn't examine the compound initializers of unions,
// resulting in some false positives for initializers with side-effects.
union u_4631 { int a; };
struct s_4631 { int a; };
int pr4631_f2(int *p);
int pr4631_f3(void *q);
int pr4631_f1(void)
{
int x;
union u_4631 m = { pr4631_f2(&x) };
pr4631_f3(&m); // tell analyzer that we use m
return x; // no-warning
}
int pr4631_f1_b(void)
{
int x;
struct s_4631 m = { pr4631_f2(&x) };
pr4631_f3(&m); // tell analyzer that we use m
return x; // no-warning
}
// <rdar://problem/12278788> - FP when returning a void-valued expression from
// a void function...or block.
void foo_radar12278788() { return; }
void test_radar12278788() {
return foo_radar12278788(); // no-warning
}
void foo_radar12278788_fp() { return; }
typedef int (*RetIntFuncType)();
typedef void (*RetVoidFuncType)();
int test_radar12278788_FP() {
RetVoidFuncType f = foo_radar12278788_fp;
return ((RetIntFuncType)f)(); //expected-warning {{Undefined or garbage value returned to caller}}
//expected-note@-1 {{Undefined or garbage value returned to caller}}
//expected-note@-2 {{Calling 'foo_radar12278788_fp'}}
//expected-note@-3 {{Returning from 'foo_radar12278788_fp'}}
}
void rdar13665798() {
^() {
return foo_radar12278788(); // no-warning
}();
^void() {
return foo_radar12278788(); // no-warning
}();
^int() { // expected-note{{Calling anonymous block}}
RetVoidFuncType f = foo_radar12278788_fp;
return ((RetIntFuncType)f)(); //expected-warning {{Undefined or garbage value returned to caller}}
//expected-note@-1 {{Undefined or garbage value returned to caller}}
//expected-note@-2 {{Calling 'foo_radar12278788_fp'}}
//expected-note@-3 {{Returning from 'foo_radar12278788_fp'}}
}();
}
struct Point {
int x, y;
};
struct Point getHalfPoint() {
struct Point p;
p.x = 0;
return p;
}
void use(struct Point p);
void testUseHalfPoint() {
struct Point p = getHalfPoint(); // expected-note{{Calling 'getHalfPoint'}}
// expected-note@-1{{Returning from 'getHalfPoint'}}
// expected-note@-2{{'p' initialized here}}
use(p); // expected-warning{{uninitialized}}
// expected-note@-1{{uninitialized}}
}
void testUseHalfPoint2() {
struct Point p;
p = getHalfPoint(); // expected-note{{Calling 'getHalfPoint'}}
// expected-note@-1{{Returning from 'getHalfPoint'}}
// expected-note@-2{{Value assigned to 'p'}}
use(p); // expected-warning{{uninitialized}}
// expected-note@-1{{uninitialized}}
}

test/Analysis/uninit-vals.cpp

// RUN: %clang_analyze_cc1 -analyzer-checker=core.builtin -verify -DCHECK_FOR_CRASH %s // RUN: %clang_analyze_cc1 -analyzer-checker=core.builtin -verify -DCHECK_FOR_CRASH %s
// RUN: %clang_analyze_cc1 -analyzer-checker=core -verify %s // RUN: %clang_analyze_cc1 -analyzer-checker=core -verify -analyzer-output=text %s
#ifdef CHECK_FOR_CRASH #ifdef CHECK_FOR_CRASH
// expected-no-diagnostics // expected-no-diagnostics
#endif #endif
namespace PerformTrivialCopyForUndefs { namespace PerformTrivialCopyForUndefs {
struct A { struct A {
int x; int x;
Show All 12 Linesvoid foo() {
C *c2; C *c2;
#ifdef CHECK_FOR_CRASH #ifdef CHECK_FOR_CRASH
// If the value of variable is not defined and checkers that check undefined // If the value of variable is not defined and checkers that check undefined
// values are not enabled, performTrivialCopy should be able to handle the // values are not enabled, performTrivialCopy should be able to handle the
// case with undefined values, too. // case with undefined values, too.
c1.b.a = c2->b.a; c1.b.a = c2->b.a;
#else #else
c1.b.a = c2->b.a; // expected-warning{{1st function call argument is an uninitialized value}} c1.b.a = c2->b.a; // expected-warning{{1st function call argument is an uninitialized value}}
// expected-note@-1{{1st function call argument is an uninitialized value}}
#endif #endif
} }
} }

test/Analysis/uninit-vals.m

// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix.Malloc,debug.ExprInspection -verify %s // RUN: %clang_analyze_cc1 -analyzer-store=region -analyzer-checker=core,unix.Malloc,debug.ExprInspection -analyzer-output=text -verify %s
typedef unsigned int NSUInteger; typedef unsigned int NSUInteger;
typedef __typeof__(sizeof(int)) size_t; typedef __typeof__(sizeof(int)) size_t;
void *malloc(size_t); void *malloc(size_t);
void *calloc(size_t nmemb, size_t size); void *calloc(size_t nmemb, size_t size);
void free(void *); void free(void *);
void clang_analyzer_eval(int); void clang_analyzer_eval(int);
struct s {
int data;
};
struct s global;
void g(int);
void f4() {
int a;
if (global.data == 0)
a = 3;
if (global.data == 0) // When the true branch is feasible 'a = 3'.
g(a); // no-warning
}
// Test uninitialized value due to part of the structure being uninitialized.
struct TestUninit { int x; int y; };
struct TestUninit test_uninit_aux();
void test_unit_aux2(int);
void test_uninit_pos() {
struct TestUninit v1 = { 0, 0 };
struct TestUninit v2 = test_uninit_aux();
int z; // expected-note{{'z' declared without an initial value}}
v1.y = z; // expected-warning{{Assigned value is garbage or undefined}}
// expected-note@-1{{Assigned value is garbage or undefined}}
test_unit_aux2(v2.x + v1.y);
}
void test_uninit_pos_2() {
struct TestUninit v1 = { 0, 0 };
struct TestUninit v2;
test_unit_aux2(v2.x + v1.y); // expected-warning{{The left operand of '+' is a garbage value}}
// expected-note@-1{{The left operand of '+' is a garbage value}}
}
void test_uninit_pos_3() {
struct TestUninit v1 = { 0, 0 };
struct TestUninit v2;
test_unit_aux2(v1.y + v2.x); // expected-warning{{The right operand of '+' is a garbage value}}
// expected-note@-1{{The right operand of '+' is a garbage value}}
}
void test_uninit_neg() {
struct TestUninit v1 = { 0, 0 };
struct TestUninit v2 = test_uninit_aux();
test_unit_aux2(v2.x + v1.y);
}
extern void test_uninit_struct_arg_aux(struct TestUninit arg);
void test_uninit_struct_arg() {
struct TestUninit x; // expected-note{{'x' initialized here}}
test_uninit_struct_arg_aux(x); // expected-warning{{Passed-by-value struct argument contains uninitialized data (e.g., field: 'x')}}
// expected-note@-1{{Passed-by-value struct argument contains uninitialized data (e.g., field: 'x')}}
}
@interface Foo
- (void) passVal:(struct TestUninit)arg;
@end
void testFoo(Foo *o) {
struct TestUninit x; // expected-note{{'x' initialized here}}
[o passVal:x]; // expected-warning{{Passed-by-value struct argument contains uninitialized data (e.g., field: 'x')}}
// expected-note@-1{{Passed-by-value struct argument contains uninitialized data (e.g., field: 'x')}}
}
// Test case from <rdar://problem/7780304>. That shows an uninitialized value
// being used in the LHS of a compound assignment.
void rdar_7780304() {
typedef struct s_r7780304 { int x; } s_r7780304;
s_r7780304 b;
b.x |= 1; // expected-warning{{The left expression of the compound assignment is an uninitialized value. The computed value will also be garbage}}
// expected-note@-1{{The left expression of the compound assignment is an uninitialized value. The computed value will also be garbage}}
}
// The flip side of PR10163 -- float arrays that are actually uninitialized
void test_PR10163(float);
void PR10163 (void) {
float x[2];
test_PR10163(x[1]); // expected-warning{{uninitialized value}}
// expected-note@-1{{1st function call argument is an uninitialized value}}
}
// PR10163 -- don't warn for default-initialized float arrays.
void PR10163_default_initialized_arrays(void) {
float x[2] = {0};
test_PR10163(x[1]); // no-warning
}
struct MyStr {
int x;
int y;
};
void swap(struct MyStr *To, struct MyStr *From) {
// This is not really a swap but close enough for our test.
To->x = From->x;
To->y = From->y; // expected-note{{Uninitialized value stored to field 'y'}}
}
int test_undefined_member_assignment_in_swap(struct MyStr *s2) {
struct MyStr s1;
s1.x = 5;
swap(s2, &s1); // expected-note{{Calling 'swap'}}
// expected-note@-1{{Returning from 'swap'}}
return s2->y; // expected-warning{{Undefined or garbage value returned to caller}}
// expected-note@-1{{Undefined or garbage value returned to caller}}
}
@interface A @interface A
- (NSUInteger)foo; - (NSUInteger)foo;
@end @end
NSUInteger f8(A* x){ NSUInteger f8(A* x){
const NSUInteger n = [x foo]; const NSUInteger n = [x foo];
int* bogus; int* bogus;
if (n > 0) { // tests const cast transfer function logic if (n > 0) { // tests const cast transfer function logic
NSUInteger i; NSUInteger i;
for (i = 0; i < n; ++i) for (i = 0; i < n; ++i)
bogus = 0; bogus = 0;
if (bogus) // no-warning if (bogus) // no-warning
return n+1; return n+1;
} }
return n; return n;
} }
// PR10163 -- don't warn for default-initialized float arrays.
// (An additional test is in uninit-vals-ps-region.m)
void test_PR10163(float);
void PR10163 (void) {
float x[2] = {0};
test_PR10163(x[1]); // no-warning
}
typedef struct { typedef struct {
float x; float x;
float y; float y;
float z; float z;
} Point; } Point;
typedef struct { typedef struct {
Point origin; Point origin;
int size; int size;
} Circle; } Circle;
Point makePoint(float x, float y) { Point makePoint(float x, float y) {
Point result; Point result;
result.x = x; result.x = x;
result.y = y; result.y = y;
result.z = 0.0; result.z = 0.0;
return result; return result;
} }
void PR14765_test() { void PR14765_test() {
Circle *testObj = calloc(sizeof(Circle), 1); Circle *testObj = calloc(sizeof(Circle), 1);
clang_analyzer_eval(testObj->size == 0); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->size == 0); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
testObj->origin = makePoint(0.0, 0.0); testObj->origin = makePoint(0.0, 0.0);
if (testObj->size > 0) { ; } // warning occurs here if (testObj->size > 0) { ; } // expected-note{{Taking false branch}}
// FIXME: Assigning to 'testObj->origin' kills the default binding for the // FIXME: Assigning to 'testObj->origin' kills the default binding for the
// whole region, meaning that we've forgotten that testObj->size should also // whole region, meaning that we've forgotten that testObj->size should also
// default to 0. Tracked by <rdar://problem/12701038>. // default to 0. Tracked by <rdar://problem/12701038>.
// This should be TRUE. // This should be TRUE.
clang_analyzer_eval(testObj->size == 0); // expected-warning{{UNKNOWN}} clang_analyzer_eval(testObj->size == 0); // expected-warning{{UNKNOWN}}
// expected-note@-1{{UNKNOWN}}
free(testObj); free(testObj);
} }
void PR14765_argument(Circle *testObj) { void PR14765_argument(Circle *testObj) {
int oldSize = testObj->size; int oldSize = testObj->size;
clang_analyzer_eval(testObj->size == oldSize); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->size == oldSize); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
testObj->origin = makePoint(0.0, 0.0); testObj->origin = makePoint(0.0, 0.0);
clang_analyzer_eval(testObj->size == oldSize); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->size == oldSize); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
} }
typedef struct { typedef struct {
int x; int x;
int y; int y;
int z; int z;
} IntPoint; } IntPoint;
Show All 9 LinesIntPoint makeIntPoint(int x, int y) {
result.z = 0; result.z = 0;
return result; return result;
} }
void PR14765_test_int() { void PR14765_test_int() {
IntCircle *testObj = calloc(sizeof(IntCircle), 1); IntCircle *testObj = calloc(sizeof(IntCircle), 1);
clang_analyzer_eval(testObj->size == 0); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->size == 0); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
clang_analyzer_eval(testObj->origin.x == 0); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->origin.x == 0); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
clang_analyzer_eval(testObj->origin.y == 0); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->origin.y == 0); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
clang_analyzer_eval(testObj->origin.z == 0); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->origin.z == 0); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
testObj->origin = makeIntPoint(1, 2); testObj->origin = makeIntPoint(1, 2);
if (testObj->size > 0) { ; } // warning occurs here if (testObj->size > 0) { ; } // expected-note{{Taking false branch}}
// expected-note@-1{{Taking false branch}}
// expected-note@-2{{Taking false branch}}
// expected-note@-3{{Taking false branch}}
// FIXME: Assigning to 'testObj->origin' kills the default binding for the // FIXME: Assigning to 'testObj->origin' kills the default binding for the
// whole region, meaning that we've forgotten that testObj->size should also // whole region, meaning that we've forgotten that testObj->size should also
// default to 0. Tracked by <rdar://problem/12701038>. // default to 0. Tracked by <rdar://problem/12701038>.
// This should be TRUE. // This should be TRUE.
clang_analyzer_eval(testObj->size == 0); // expected-warning{{UNKNOWN}} clang_analyzer_eval(testObj->size == 0); // expected-warning{{UNKNOWN}}
// expected-note@-1{{UNKNOWN}}
clang_analyzer_eval(testObj->origin.x == 1); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->origin.x == 1); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
clang_analyzer_eval(testObj->origin.y == 2); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->origin.y == 2); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
clang_analyzer_eval(testObj->origin.z == 0); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->origin.z == 0); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
free(testObj); free(testObj);
} }
void PR14765_argument_int(IntCircle *testObj) { void PR14765_argument_int(IntCircle *testObj) {
int oldSize = testObj->size; int oldSize = testObj->size;
clang_analyzer_eval(testObj->size == oldSize); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->size == oldSize); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
testObj->origin = makeIntPoint(1, 2); testObj->origin = makeIntPoint(1, 2);
clang_analyzer_eval(testObj->size == oldSize); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->size == oldSize); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
clang_analyzer_eval(testObj->origin.x == 1); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->origin.x == 1); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
clang_analyzer_eval(testObj->origin.y == 2); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->origin.y == 2); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
clang_analyzer_eval(testObj->origin.z == 0); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->origin.z == 0); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
} }
void rdar13292559(Circle input) { void rdar13292559(Circle input) {
extern void useCircle(Circle); extern void useCircle(Circle);
Circle obj = input; Circle obj = input;
useCircle(obj); // no-warning useCircle(obj); // no-warning
Show All 23 Lines
void testSmallStructsCopiedPerField() { void testSmallStructsCopiedPerField() {
IntPoint2D a; IntPoint2D a;
a.x = 0; a.x = 0;
IntPoint2D b = a; IntPoint2D b = a;
extern void useInt(int); extern void useInt(int);
useInt(b.x); // no-warning useInt(b.x); // no-warning
useInt(b.y); // expected-warning{{uninitialized}} useInt(b.y); // expected-warning{{uninitialized}}
// expected-note@-1{{uninitialized}}
} }
void testLargeStructsNotCopiedPerField() { void testLargeStructsNotCopiedPerField() {
IntPoint a; IntPoint a;
a.x = 0; a.x = 0;
IntPoint b = a; IntPoint b = a;
extern void useInt(int); extern void useInt(int);
useInt(b.x); // no-warning useInt(b.x); // no-warning
useInt(b.y); // no-warning useInt(b.y); // no-warning
} }
void testSmallStructInLargerStruct() { void testSmallStructInLargerStruct() {
IntCircle2D *testObj = calloc(sizeof(IntCircle2D), 1); IntCircle2D *testObj = calloc(sizeof(IntCircle2D), 1);
clang_analyzer_eval(testObj->size == 0); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->size == 0); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
clang_analyzer_eval(testObj->origin.x == 0); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->origin.x == 0); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
clang_analyzer_eval(testObj->origin.y == 0); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->origin.y == 0); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
testObj->origin = makeIntPoint2D(1, 2); testObj->origin = makeIntPoint2D(1, 2);
if (testObj->size > 0) { ; } // warning occurs here if (testObj->size > 0) { ; } // expected-note{{Taking false branch}}
// expected-note@-1{{Taking false branch}}
// expected-note@-2{{Taking false branch}}
clang_analyzer_eval(testObj->size == 0); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->size == 0); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
clang_analyzer_eval(testObj->origin.x == 1); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->origin.x == 1); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
clang_analyzer_eval(testObj->origin.y == 2); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->origin.y == 2); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
free(testObj); free(testObj);
} }
void testCopySmallStructIntoArgument(IntCircle2D *testObj) { void testCopySmallStructIntoArgument(IntCircle2D *testObj) {
int oldSize = testObj->size; int oldSize = testObj->size;
clang_analyzer_eval(testObj->size == oldSize); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->size == oldSize); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
testObj->origin = makeIntPoint2D(1, 2); testObj->origin = makeIntPoint2D(1, 2);
clang_analyzer_eval(testObj->size == oldSize); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->size == oldSize); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
clang_analyzer_eval(testObj->origin.x == 1); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->origin.x == 1); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
clang_analyzer_eval(testObj->origin.y == 2); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->origin.y == 2); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
} }
void testSmallStructBitfields() { void testSmallStructBitfields() {
struct { struct {
int x : 4; int x : 4;
int y : 4; int y : 4;
} a, b; } a, b;
a.x = 1; a.x = 1;
a.y = 2; a.y = 2;
b = a; b = a;
clang_analyzer_eval(b.x == 1); // expected-warning{{TRUE}} clang_analyzer_eval(b.x == 1); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
clang_analyzer_eval(b.y == 2); // expected-warning{{TRUE}} clang_analyzer_eval(b.y == 2); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
} }
void testSmallStructBitfieldsFirstUndef() { void testSmallStructBitfieldsFirstUndef() {
struct { struct {
int x : 4; int x : 4;
int y : 4; int y : 4;
} a, b; } a, b;
a.y = 2; a.y = 2;
b = a; b = a;
clang_analyzer_eval(b.y == 2); // expected-warning{{TRUE}} clang_analyzer_eval(b.y == 2); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
clang_analyzer_eval(b.x == 1); // expected-warning{{garbage}} clang_analyzer_eval(b.x == 1); // expected-warning{{garbage}}
// expected-note@-1{{garbage}}
} }
void testSmallStructBitfieldsSecondUndef() { void testSmallStructBitfieldsSecondUndef() {
struct { struct {
int x : 4; int x : 4;
int y : 4; int y : 4;
} a, b; } a, b;
a.x = 1; a.x = 1;
b = a; b = a;
clang_analyzer_eval(b.x == 1); // expected-warning{{TRUE}} clang_analyzer_eval(b.x == 1); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
clang_analyzer_eval(b.y == 2); // expected-warning{{garbage}} clang_analyzer_eval(b.y == 2); // expected-warning{{garbage}}
// expected-note@-1{{garbage}}
} }
void testSmallStructBitfieldsFirstUnnamed() { void testSmallStructBitfieldsFirstUnnamed() {
struct { struct {
int : 4; int : 4;
int y : 4; int y : 4;
} a, b, c; } a, b, c;
a.y = 2; a.y = 2;
b = a; b = a; // expected-note{{Value assigned to 'c'}}
clang_analyzer_eval(b.y == 2); // expected-warning{{TRUE}} clang_analyzer_eval(b.y == 2); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
b = c; b = c; // expected-note{{Uninitialized value stored to 'b.y'}}
clang_analyzer_eval(b.y == 2); // expected-warning{{garbage}} clang_analyzer_eval(b.y == 2); // expected-warning{{garbage}}
// expected-note@-1{{garbage}}
} }
void testSmallStructBitfieldsSecondUnnamed() { void testSmallStructBitfieldsSecondUnnamed() {
struct { struct {
int x : 4; int x : 4;
int : 4; int : 4;
} a, b, c; } a, b, c;
a.x = 1; a.x = 1;
b = a; b = a; // expected-note{{Value assigned to 'c'}}
clang_analyzer_eval(b.x == 1); // expected-warning{{TRUE}} clang_analyzer_eval(b.x == 1); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}}
b = c; b = c; // expected-note{{Uninitialized value stored to 'b.x'}}
clang_analyzer_eval(b.x == 1); // expected-warning{{garbage}} clang_analyzer_eval(b.x == 1); // expected-warning{{garbage}}
// expected-note@-1{{garbage}}
} }
lib/StaticAnalyzer/Checkers/CallAndMessageChecker.cpp