// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-checker=core,debug.ExprInspection -analyzer-config ipa=none -verify %s
void clang_analyzer_eval(bool);
class A {
public:
virtual void f(){};
};
class B : public A{
public:
int m;
};
class C : public A{};
class BB: public B{};
// A lot of the tests below have the if statement in them, which forces the
// analyzer to explore both path - when the result is 0 and not. This makes
// sure that we definitely know that the result is non-0 (as the result of
// the cast).
int testDynCastFromRadar() {
B aa;
A *a = &aa;
const int* res = 0;
B *b = dynamic_cast<B*>(a);
static const int i = 5;
if(b) {
res = &i;
} else {
res = 0;
}
return *res; // no warning
}
int testBaseToBase1() {
B b;
B *pb = &b;
B *pbb = dynamic_cast<B*>(pb);
const int* res = 0;
static const int i = 5;
if (pbb) {
res = &i;
} else {
res = 0;
}
return *res; // no warning
}
int testMultipleLevelsOfSubclassing1() {
BB bb;
B *pb = &bb;
A *pa = pb;
B *b = dynamic_cast<B*>(pa);
const int* res = 0;
static const int i = 5;
if (b) {
res = &i;
} else {
res = 0;
}
return *res; // no warning
}
int testMultipleLevelsOfSubclassing2() {
BB bb;
A *pbb = &bb;
B *b = dynamic_cast<B*>(pbb);
BB *s = dynamic_cast<BB*>(b);
const int* res = 0;
static const int i = 5;
if (s) {
res = &i;
} else {
res = 0;
}
return *res; // no warning
}
int testMultipleLevelsOfSubclassing3() {
BB bb;
A *pbb = &bb;
B *b = dynamic_cast<B*>(pbb);
return b->m; // no warning
}
int testLHS() {
B aa;
A *a = &aa;
return (dynamic_cast<B*>(a))->m;
}
int testLHS2() {
B aa;
A *a = &aa;
return (*dynamic_cast<B*>(a)).m;
}
int testDynCastUnknown2(class A *a) {
B *b = dynamic_cast<B*>(a);
return b->m; // no warning
}
int testDynCastUnknown(class A *a) {
B *b = dynamic_cast<B*>(a);
const int* res = 0;
static const int i = 5;
if (b) {
res = &i;
} else {
res = 0;
}
return *res; // expected-warning {{Dereference of null pointer}}
}
int testDynCastFail2() {
C c;
A *pa = &c;
B *b = dynamic_cast<B*>(pa);
return b->m; // expected-warning {{dereference of a null pointer}}
}
int testLHSFail() {
C c;
A *a = &c;
return (*dynamic_cast<B*>(a)).m; // expected-warning {{Dereference of null pointer}}
}
int testBaseToDerivedFail() {
A a;
B *b = dynamic_cast<B*>(&a);
return b->m; // expected-warning {{dereference of a null pointer}}
}
int testConstZeroFail() {
B *b = dynamic_cast<B*>((A *)0);
return b->m; // expected-warning {{dereference of a null pointer}}
}
int testConstZeroFail2() {
A *a = 0;
B *b = dynamic_cast<B*>(a);
return b->m; // expected-warning {{dereference of a null pointer}}
}
int testUpcast() {
B b;
A *a = dynamic_cast<A*>(&b);
const int* res = 0;
static const int i = 5;
if (a) {
res = &i;
} else {
res = 0;
}
return *res; // no warning
}
int testCastToVoidStar() {
A a;
void *b = dynamic_cast<void*>(&a);
const int* res = 0;
static const int i = 5;
if (b) {
res = &i;
} else {
res = 0;
}
return *res; // no warning
}
int testReferenceSuccessfulCast() {
B rb;
B &b = dynamic_cast<B&>(rb);
int *x = 0;
return *x; // expected-warning {{Dereference of null pointer}}
}
int testReferenceFailedCast() {
A a;
B &b = dynamic_cast<B&>(a);
int *x = 0;
return *x; // no warning (An exception is thrown by the cast.)
}
// Here we allow any outcome of the cast and this is good because there is a
// situation where this will fail. So if the user has written the code in this
// way, we assume they expect the cast to succeed.
// Note, this might need special handling if we track types of symbolic casts
// and use them for dynamic_cast handling.
int testDynCastMostLikelyWillFail(C *c) {
B *b = 0;
b = dynamic_cast<B*>(c);
const int* res = 0;
static const int i = 5;
if (b) {
res = &i;
} else {
res = 0;
}
// Note: IPA is turned off for this test because the code below shows how the
// dynamic_cast could succeed.
return *res; // expected-warning{{Dereference of null pointer}}
}
class M : public B, public C {};
void callTestDynCastMostLikelyWillFail() {
M m;
testDynCastMostLikelyWillFail(&m);
}
void testDynCastToMiddleClass () {
class BBB : public BB {};
BBB obj;
A &ref = obj;
// These didn't always correctly layer base regions.
B *ptr = dynamic_cast<B*>(&ref);
clang_analyzer_eval(ptr != 0); // expected-warning{{TRUE}}
// This is actually statically resolved to be a DerivedToBase cast.
ptr = dynamic_cast<B*>(&obj);
clang_analyzer_eval(ptr != 0); // expected-warning{{TRUE}}
}
// -----------------------------
// False positives/negatives.
// -----------------------------
// Due to symbolic regions not being typed.
int testDynCastFalsePositive(BB *c) {
B *b = 0;
b = dynamic_cast<B*>(c);
const int* res = 0;
static const int i = 5;
if (b) {
res = &i;
} else {
res = 0;
}
return *res; // expected-warning{{Dereference of null pointer}}
}
// Does not work when we new an object.
int testDynCastFail3() {
A *a = new A();
B *b = dynamic_cast<B*>(a);
return b->m;
}