This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
2/5
StdLibraryFunctionsChecker.cpp
-
test/Analysis/
-
Analysis/
1/2
std-c-library-functions.c

Differential D79432

[analyzer] StdLibraryFunctionsChecker: Add summaries for libc
Needs ReviewPublic

Authored by martong on May 5 2020, 10:14 AM.

Download Raw Diff

Details

Reviewers

Szelethus
NoQ
baloghadamsoftware
balazske
steakhal

Summary

Add a few functions for libc. The code in this patch that adds the summaries is
auto generated from Cppcheck's config directory
(https://github.com/danmar/cppcheck/blob/master/cfg/std.cfg). Note that not all
functions are lifted in this patch. Probably another patch will follow with more
summaries for libc.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

martong created this revision.May 5 2020, 10:14 AM

Herald added a project: Restricted Project. · View Herald TranscriptMay 5 2020, 10:14 AM

Herald added subscribers: cfe-commits, ASDenysPetrov, Charusso and 9 others. · View Herald Transcript

martong added parent revisions: D77148: [analyzer] ApiModeling: Add buffer size arg constraint with multiplier involved, D79430: [analyzer] StdLibraryFunctionsChecker: Add LazyRanges to support type dependent Max.May 5 2020, 10:15 AM

Harbormaster failed remote builds in B55815: Diff 262154!May 5 2020, 10:46 AM

There a couple functional lines commented out, and we need more tests, so I take that the patch is a proof of concept for now? Because its pretty cool if so. :)

I think testing summaries this way can be really hard to manage in the future.
I see two possible ways forward to make this easier:
a) Make something like https://reviews.llvm.org/D78118 that will also dump the actual summary in a textual form, not only the fact that a summary was loaded and check for that textual form.
b) Make a small helper library for testing summaries. E.g., most of the buffer handling functions have similar summaries, so we could have only a couple of functions for testing buffer related summaries and we could just pass in function pointers (as templates or params) instead of duplicating code. Similarly, testing output ranges could be generalized.

I think b) might be a bit better solution.
Although I do see why some people like to keep tests simple without additional layers of abstractions, so I do not insist :)

In D79432#2022207, @xazax.hun wrote:

I think testing summaries this way can be really hard to manage in the future.
I see two possible ways forward to make this easier:
a) Make something like https://reviews.llvm.org/D78118 that will also dump the actual summary in a textual form, not only the fact that a summary was loaded and check for that textual form.
b) Make a small helper library for testing summaries. E.g., most of the buffer handling functions have similar summaries, so we could have only a couple of functions for testing buffer related summaries and we could just pass in function pointers (as templates or params) instead of duplicating code. Similarly, testing output ranges could be generalized.

I think b) might be a bit better solution.
Although I do see why some people like to keep tests simple without additional layers of abstractions, so I do not insist :)

My idea about the testing is the following:
We test each individual argument constraint by itself with a test function. E.g. in case of buffer sizes we have a test function specifically for it (and it requires a debug checker to be enabled)

addToFunctionSummaryMap(
    "__buf_size_arg_constraint",
    Summary(ArgTypes{ConstVoidPtrTy, SizeTy}, RetType{IntTy},
            EvalCallAsPure)
        .ArgConstraint(
            BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1))));

And then in the test file we have the exact expectations:

int __buf_size_arg_constraint(const void *, size_t);
void test_buf_size_concrete() {
  char buf[3];                       // bugpath-note{{'buf' initialized here}}
  __buf_size_arg_constraint(buf, 4); // \
  // report-warning{{Function argument constraint is not satisfied}} \
  // bugpath-warning{{Function argument constraint is not satisfied}} \
  // bugpath-note{{Function argument constraint is not satisfied}}
}
...

This way we have a test coverage for each argument constraint. The summaries are composed from these argument constraints. There may be issues with the composition, so we do have some additional test cases for that, e.g we have a test to check the expectations when one function has more than one constraints:

int __two_constrained_args(int, int);
void test_constraints_on_multiple_args(int x, int y) {
  // State split should not happen here. I.e. x == 1 should not be evaluated
  // FALSE.
  __two_constrained_args(x, y);
  clang_analyzer_eval(x == 1); // \
  // report-warning{{TRUE}} \
  // bugpath-warning{{TRUE}} \
  // bugpath-note{{TRUE}}
  clang_analyzer_eval(y == 1); // \
  // report-warning{{TRUE}} \
  // bugpath-warning{{TRUE}} \
  // bugpath-note{{TRUE}}
}

So, we have tests for each individual building blocks and for their conjunctions, which renders the testing of all concrete summaries superfluous and bloated. It would be as if a compiler was tested for all possible inputs.
On top of all this, errors (assertions) with concrete summaries should be discovered by running the analysis on real world projects like tmux, bitcoin, etc.

NoQ added inline comments.Jun 23 2020, 2:30 AM

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
1123–1124	The three-way state split is unjustified here. Usage of `abs` is not a sufficient indication that the value may be 0, otherwise: int foo(int x, int y) { int z = abs(y); // Assuming 'abs' has taken branch on which y == 0... return x / z; // ... we'll be forced to emit a division by zero warning here. } Generally, there are very few cases when state splits upon function calls are justified. The common cases are: The function returns bool and finding that bool is the only reason to ever call this function. Eg., `isalpha()` and such. The function can at any time completely unpredictably take any of the branches, in other words, taint is involved. Eg., `scanf()` can always fail simply because the user of the program wrote something special into stdin.

NoQ added inline comments.Jun 23 2020, 2:33 AM

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
1123–1124	returns bool Or something that kinda resembles bool (eg., `isalpha()` returns a variety of different ints in practice due to its static lookup table implementation strategy but the user only cares about whether it's zero or non-zero).

NoQ added inline comments.Jun 23 2020, 3:22 AM

clang/test/Analysis/std-c-library-functions.c
231	Emm :)

martong marked 2 inline comments as done.Jun 23 2020, 7:30 AM

martong added inline comments.

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
1123–1124	Alright, I agree, I'll remove these cases. Generally speaking I realized that it is hard to create these cases, and it is very rare when we can come up with a meaningful case set for any function. So while we are at it, could you please take a look at another patch, where I add no cases just argument constraints: D82288 ?
clang/test/Analysis/std-c-library-functions.c
231	Ups, ouch :D

Szelethus mentioned this in D72705: [analyzer] Added new checker 'alpha.unix.ErrorReturn'..Sep 2 2020, 2:42 AM

balazske added inline comments.Sep 15 2020, 9:27 AM

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
1123–1124	But it could make sense that if the input of the function is known before the call, we can compute the output? For `abs(x)` if we know that `x == 0` is true the checker could assume `abs(x) == 0` too. These "cases" provide data for this functionality.

martong added inline comments.Sep 17 2020, 6:37 AM

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
1123–1124	For abs(x) if we know that x == 0 is true the checker could assume abs(x) == 0 too. Yes, this is absolutely true. I think, we could approach this with introducing a postcall Kind for the summaries. Currently, we already have `EvalCallAsPure` and `NoEvalCall` for evalCall. We could have let's say enum PostCallKind { UnconditionedStateSplit, ConstrainReturnIfArgConstraintsAreSatisfied } For the ConstrainReturnIfArgConstraintsAreSatisfied we should check if the preconditions for the Args in the Case are all evaluated to Known and if so only would we apply the constraint on the return value. @NoQ What do you think? @steakhal FYI.

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Checkers/

StdLibraryFunctionsChecker.cpp

182 lines

test/

Analysis/

std-c-library-functions.c

10 lines

Diff 262154

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp

Show First 20 Lines • Show All 783 Lines • ▼ Show 20 Lines	void StdLibraryFunctionsChecker::initFunctionSummaries(

// These types are useful for writing specifications quickly,		// These types are useful for writing specifications quickly,
// New specifications should probably introduce more types.		// New specifications should probably introduce more types.
// Some types are hard to obtain from the AST, eg. "ssize_t".		// Some types are hard to obtain from the AST, eg. "ssize_t".
// In such cases it should be possible to provide multiple variants		// In such cases it should be possible to provide multiple variants
// of function summary for common cases (eg. ssize_t could be int or long		// of function summary for common cases (eg. ssize_t could be int or long
// or long long, so three summary variants would be enough).		// or long long, so three summary variants would be enough).
// Of course, function variants are also useful for C++ overloads.		// Of course, function variants are also useful for C++ overloads.
		const QualType WCharTy = ACtx.WideCharTy;
const QualType IntTy = ACtx.IntTy;		const QualType IntTy = ACtx.IntTy;
		const QualType LongTy = ACtx.LongTy;
		const QualType UnsignedLongTy = ACtx.UnsignedLongTy;
		const QualType LongLongTy = ACtx.LongLongTy;
		const QualType SizeTy = ACtx.getSizeType();
		const QualType VoidTy = ACtx.VoidTy;
const QualType VoidPtrTy = ACtx.VoidPtrTy; // void *		const QualType VoidPtrTy = ACtx.VoidPtrTy; // void *
		const QualType ConstVoidPtrTy =
		ACtx.getPointerType(ACtx.VoidTy.withConst()); // const void *
		const QualType CharPtrTy = ACtx.getPointerType(ACtx.CharTy); // char *
const QualType ConstCharPtrTy =		const QualType ConstCharPtrTy =
ACtx.getPointerType(ACtx.CharTy.withConst()); // const char *		ACtx.getPointerType(ACtx.CharTy.withConst()); // const char *
		const QualType WCharPtrTy = ACtx.getPointerType(WCharTy); // wchar_t *

const RangeInt IntMax = BVF.getMaxValue(IntTy).getLimitedValue();		const RangeInt IntMax = BVF.getMaxValue(IntTy).getLimitedValue();
		const RangeInt IntMin = BVF.getMinValue(IntTy).getLimitedValue();

// Set UCharRangeMax to min of int or uchar maximum value.		// Set UCharRangeMax to min of int or uchar maximum value.
// The C standard states that the arguments of functions like isalpha must		// The C standard states that the arguments of functions like isalpha must
// be representable as an unsigned char. Their type is 'int', so the max		// be representable as an unsigned char. Their type is 'int', so the max
// value of the argument should be min(UCharMax, IntMax). This just happen		// value of the argument should be min(UCharMax, IntMax). This just happen
// to be true for commonly used and well tested instruction set		// to be true for commonly used and well tested instruction set
// architectures, but not for others.		// architectures, but not for others.
const RangeInt UCharRangeMax =		const RangeInt UCharRangeMax =
▲ Show 20 Lines • Show All 266 Lines • ▼ Show 20 Lines	addToFunctionSummaryMap({"fread", "fwrite"},
.ArgConstraint(NotNull(ArgNo(0))));		.ArgConstraint(NotNull(ArgNo(0))));

// getline()-like functions either fail or read at least the delimiter.		// getline()-like functions either fail or read at least the delimiter.
addToFunctionSummaryMap(		addToFunctionSummaryMap(
{"getline", "getdelim"},		{"getline", "getdelim"},
Summary(NoEvalCall)		Summary(NoEvalCall)
.Case({ReturnValueCondition(WithinRange, {{-1, -1}, {1, Max}})}));		.Case({ReturnValueCondition(WithinRange, {{-1, -1}, {1, Max}})}));

		// int fprintf(FILE stream, const char format, ...);
		addToFunctionSummaryMap(
		"fprintf",
		Summary(ArgTypes{Irrelevant, ConstCharPtrTy}, RetType{IntTy}, NoEvalCall)
		.ArgConstraint(NotNull(ArgNo(0)))
		.ArgConstraint(NotNull(ArgNo(1))));

		// size_t strcspn(const char cs, const char ct);
		addToFunctionSummaryMap("strcspn",
		Summary(ArgTypes{ConstCharPtrTy, ConstCharPtrTy},
		RetType{SizeTy}, EvalCallAsPure)
		// TODO .ArgConstraint(NullTerminated(ArgNo(0)))
		// TODO .ArgConstraint(NullTerminated(ArgNo(1)))
		.ArgConstraint(NotNull(ArgNo(0)))
		.ArgConstraint(NotNull(ArgNo(1))));

		// void qsort(void *base, size_t n, size_t size,
		// int (cmp)(const void , const void *));
		addToFunctionSummaryMap(
		"qsort", Summary(ArgTypes{VoidPtrTy, SizeTy, SizeTy, Irrelevant},
		RetType{VoidTy}, NoEvalCall)
		.ArgConstraint(NotNull(ArgNo(0)))
		.ArgConstraint(NotNull(ArgNo(3)))
		//.ArgConstraint(ArgumentCondition(1, WithinRange, Range(0, SizeMax)))
		//.ArgConstraint(ArgumentCondition(2, WithinRange, Range(0, SizeMax)))
		);

		// int abs(int j); intmax_t imaxabs(intmax_t n); double fabs(double x);
		// double complex cabs(double complex z); long int labs(long int x); long
		// long int llabs(long long int x);
		addToFunctionSummaryMap(
		"abs", Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)
		.Case({ArgumentCondition(0, WithinRange, SingleValue(0)),
		ReturnValueCondition(WithinRange, SingleValue(0))})
		NoQUnsubmitted Not Done Reply Inline Actions The three-way state split is unjustified here. Usage of `abs` is not a sufficient indication that the value may be 0, otherwise: int foo(int x, int y) { int z = abs(y); // Assuming 'abs' has taken branch on which y == 0... return x / z; // ... we'll be forced to emit a division by zero warning here. } Generally, there are very few cases when state splits upon function calls are justified. The common cases are: The function returns bool and finding that bool is the only reason to ever call this function. Eg., `isalpha()` and such. The function can at any time completely unpredictably take any of the branches, in other words, taint is involved. Eg., `scanf()` can always fail simply because the user of the program wrote something special into stdin. NoQ: The three-way state split is unjustified here. Usage of `abs` is not a sufficient indication…
		NoQUnsubmitted Not Done Reply Inline Actions returns bool Or something that kinda resembles bool (eg., `isalpha()` returns a variety of different ints in practice due to its static lookup table implementation strategy but the user only cares about whether it's zero or non-zero). NoQ: > returns bool Or something that kinda resembles bool (eg., `isalpha()` returns a variety of…
		martongAuthorUnsubmitted Done Reply Inline Actions Alright, I agree, I'll remove these cases. Generally speaking I realized that it is hard to create these cases, and it is very rare when we can come up with a meaningful case set for any function. So while we are at it, could you please take a look at another patch, where I add no cases just argument constraints: D82288 ? martong: Alright, I agree, I'll remove these cases. Generally speaking I realized that it is hard to…
		balazskeUnsubmitted Not Done Reply Inline Actions But it could make sense that if the input of the function is known before the call, we can compute the output? For `abs(x)` if we know that `x == 0` is true the checker could assume `abs(x) == 0` too. These "cases" provide data for this functionality. balazske: But it could make sense that if the input of the function is known before the call, we can…
		martongAuthorUnsubmitted Done Reply Inline Actions For abs(x) if we know that x == 0 is true the checker could assume abs(x) == 0 too. Yes, this is absolutely true. I think, we could approach this with introducing a postcall Kind for the summaries. Currently, we already have `EvalCallAsPure` and `NoEvalCall` for evalCall. We could have let's say enum PostCallKind { UnconditionedStateSplit, ConstrainReturnIfArgConstraintsAreSatisfied } For the ConstrainReturnIfArgConstraintsAreSatisfied we should check if the preconditions for the Args in the Case are all evaluated to Known and if so only would we apply the constraint on the return value. @NoQ What do you think? @steakhal FYI. martong: > For abs(x) if we know that x == 0 is true the checker could assume abs(x) == 0 too. Yes…
		.Case({ArgumentCondition(0, WithinRange, Range(1, IntMax)),
		ReturnValueCondition(WithinRange, Range(IntMin, -1))})
		.Case({ArgumentCondition(0, WithinRange, Range(IntMin, -1)),
		ReturnValueCondition(WithinRange, Range(1, IntMax))}));

		// double sqrt(double x);
		// addToFunctionSummaryMap("sqrt",
		// Summary(ArgTypes{}, RetType{}, EvalCallAsPure)
		//.ArgConstraint(ArgumentCondition(0, WithinRange, Range(0.0:)))
		//);

		// int mbtowc(wchar_t* pwc, const char* pmb, size_t max);
		addToFunctionSummaryMap(
		"mbtowc", Summary(ArgTypes{WCharPtrTy, ConstCharPtrTy, SizeTy},
		RetType{IntTy}, NoEvalCall)
		//.ArgConstraint(ArgumentCondition(2, WithinRange, Range(0, SizeMax)))
		);

		// struct tm * localtime(const time_t *tp);
		addToFunctionSummaryMap("localtime", Summary(ArgTypes{Irrelevant},
		RetType{Irrelevant}, NoEvalCall)
		.ArgConstraint(NotNull(ArgNo(0))));

		// void memchr(const void s, int c, size_t n);
		addToFunctionSummaryMap(
		"memchr", Summary(ArgTypes{ConstVoidPtrTy, IntTy, SizeTy},
		RetType{VoidPtrTy}, EvalCallAsPure)
		.ArgConstraint(NotNull(ArgNo(0)))
		.ArgConstraint(BufferSize(0, 2))
		.ArgConstraint(ArgumentCondition(1, WithinRange,
		Range(0, UCharRangeMax)))
		//.ArgConstraint(ArgumentCondition(2, WithinRange, Range(0, SizeMax)))
		);

		// void* bsearch(const void* key, const void* base, size_t num, size_t size,
		// int(compar)(const void,const void*));
		addToFunctionSummaryMap(
		"bsearch",
		Summary(ArgTypes{ConstVoidPtrTy, ConstVoidPtrTy, SizeTy, SizeTy},
		RetType{VoidPtrTy}, EvalCallAsPure)
		.ArgConstraint(NotNull(ArgNo(0)))
		.ArgConstraint(NotNull(ArgNo(1)))
		//.ArgConstraint(ArgumentCondition(2, WithinRange, Range(0, SizeMax)))
		//.ArgConstraint(ArgumentCondition(3, WithinRange, Range(0, SizeMax)))
		.ArgConstraint(NotNull(ArgNo(4))));

		// int fputc(int c, FILE *stream);
		// int putc(int c, FILE *stream);
		addToFunctionSummaryMap(
		{"fputc", "putc"},
		Summary(ArgTypes{IntTy, Irrelevant}, RetType{IntTy}, NoEvalCall)
		.ArgConstraint(
		ArgumentCondition(0, WithinRange, Range(0, UCharRangeMax)))
		.ArgConstraint(NotNull(ArgNo(1))));

		// void reallocarray(void ptr, size_t nmemb, size_t size);
		addToFunctionSummaryMap(
		"reallocarray", Summary(ArgTypes{VoidPtrTy, SizeTy, SizeTy},
		RetType{VoidPtrTy}, NoEvalCall)
		//.ArgConstraint(ArgumentCondition(1, WithinRange, Range(0, SizeMax)))
		//.ArgConstraint(ArgumentCondition(2, WithinRange, Range(0, SizeMax)))
		);

		// size_t strftime(char s, size_t max, const char fmt, const struct tm *p);
		addToFunctionSummaryMap(
		"strftime",
		Summary(ArgTypes{CharPtrTy, SizeTy, ConstCharPtrTy, Irrelevant},
		RetType{SizeTy}, NoEvalCall)
		.ArgConstraint(NotNull(ArgNo(0)))
		//.ArgConstraint(ArgumentCondition(1, WithinRange, Range(0, SizeMax)))
		.ArgConstraint(NotNull(ArgNo(2)))
		.ArgConstraint(NotNull(ArgNo(3))));

		// char* strstr(const char s1, const char s2);
		addToFunctionSummaryMap("strstr",
		Summary(ArgTypes{ConstCharPtrTy, ConstCharPtrTy},
		RetType{CharPtrTy}, NoEvalCall)
		.ArgConstraint(NotNull(ArgNo(0)))
		.ArgConstraint(NotNull(ArgNo(1))));

		// size_t strspn(const char cs, const char ct);
		addToFunctionSummaryMap("strspn",
		Summary(ArgTypes{ConstCharPtrTy, ConstCharPtrTy},
		RetType{SizeTy}, NoEvalCall)
		.ArgConstraint(NotNull(ArgNo(0)))
		.ArgConstraint(NotNull(ArgNo(1))));

		auto Strtol = [&](RetType R) {
		return Summary(ArgTypes{ConstCharPtrTy, Irrelevant, IntTy}, RetType{R},
		NoEvalCall)
		.ArgConstraint(NotNull(ArgNo(0)))
		.ArgConstraint(ArgumentCondition(2, WithinRange, {{0, 0}, {2, 36}}));
		};
		// long strtol(const char s, char *endp, int base);
		addToFunctionSummaryMap("strtol", Strtol(LongTy));
		// unsigned long strtoul(const char s, char *endp, int base);
		addToFunctionSummaryMap("strtoul", Strtol(UnsignedLongTy));
		// long long strtoll(const char s, char *endp, int base);
		addToFunctionSummaryMap("strtoll", Strtol(LongLongTy));

		// char * ctime(const time_t *tp);
		addToFunctionSummaryMap(
		"ctime", Summary(ArgTypes{Irrelevant}, RetType{CharPtrTy}, NoEvalCall)
		.ArgConstraint(NotNull(ArgNo(0))));

		// int fputs(const char string, FILE stream);
		addToFunctionSummaryMap("fputs", Summary(ArgTypes{ConstCharPtrTy, Irrelevant},
		RetType{IntTy}, NoEvalCall)
		.ArgConstraint(NotNull(ArgNo(0)))
		.ArgConstraint(NotNull(ArgNo(1))));

		// char * getenv(const char *name);
		addToFunctionSummaryMap(
		"getenv", Summary(ArgTypes{Irrelevant}, RetType{CharPtrTy}, NoEvalCall)
		.ArgConstraint(NotNull(ArgNo(0))));

		// char * strchr(const char *cs, int c);
		// char * strrchr(const char * str, int character);
		addToFunctionSummaryMap(
		{"strchr", "strrchr"},
		Summary(ArgTypes{ConstCharPtrTy, IntTy}, RetType{CharPtrTy}, NoEvalCall)
		.ArgConstraint(NotNull(ArgNo(0)))
		.ArgConstraint(
		ArgumentCondition(1, WithinRange, Range(0, UCharRangeMax))));

		// int tolower(int c);
		// int toupper(int c);
		addToFunctionSummaryMap(
		{"tolower", "toupper"},
		Summary(ArgTypes{}, RetType{}, NoEvalCall)
		.Case({ReturnValueCondition(WithinRange,
		{{EOFv, EOFv}, {0, UCharRangeMax}})})
		.ArgConstraint(ArgumentCondition(
		0, WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}})));

// Functions for testing.		// Functions for testing.
if (ChecksEnabled[CK_StdCLibraryFunctionsTesterChecker]) {		if (ChecksEnabled[CK_StdCLibraryFunctionsTesterChecker]) {
addToFunctionSummaryMap(		addToFunctionSummaryMap(
"__two_constrained_args",		"__two_constrained_args",
Summary(ArgTypes{IntTy, IntTy}, RetType{IntTy}, EvalCallAsPure)		Summary(ArgTypes{IntTy, IntTy}, RetType{IntTy}, EvalCallAsPure)
.ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(1)))		.ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(1)))
.ArgConstraint(ArgumentCondition(1U, WithinRange, SingleValue(1))));		.ArgConstraint(ArgumentCondition(1U, WithinRange, SingleValue(1))));
addToFunctionSummaryMap(		addToFunctionSummaryMap(
▲ Show 20 Lines • Show All 53 Lines • Show Last 20 Lines

clang/test/Analysis/std-c-library-functions.c

	Show First 20 Lines • Show All 216 Lines • ▼ Show 20 Lines

	void test_call_by_pointer() {			void test_call_by_pointer() {
	typedef int (*func)(int);			typedef int (*func)(int);
	func f = isascii;			func f = isascii;
	clang_analyzer_eval(f('A')); // expected-warning{{TRUE}}			clang_analyzer_eval(f('A')); // expected-warning{{TRUE}}
	f = ispunct;			f = ispunct;
	clang_analyzer_eval(f('A')); // expected-warning{{FALSE}}			clang_analyzer_eval(f('A')); // expected-warning{{FALSE}}
	}			}

				int abs(int);
				void test_abs(int p) {
				if (p == 0)
				clang_analyzer_eval(abs(p) == 0); // expected-warning{{TRUE}}
				if (p > 0)
				clang_analyzer_eval(abs(p) < 0); // expected-warning{{TRUE}}
				NoQUnsubmitted Not Done Reply Inline Actions Emm :) NoQ: Emm :)
				martongAuthorUnsubmitted Done Reply Inline Actions Ups, ouch :D martong: Ups, ouch :D
				if (p < 0)
				clang_analyzer_eval(abs(p) > 0); // expected-warning{{TRUE}}
				}