1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
|
// RUN: %clang_analyze_cc1 -analyzer-checker=core.BitwiseShift \
// RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-output=text -verify \
// RUN: -triple x86_64-pc-linux-gnu -x c %s \
// RUN: -Wno-shift-count-negative -Wno-shift-negative-value \
// RUN: -Wno-shift-count-overflow -Wno-shift-overflow \
// RUN: -Wno-shift-sign-overflow
//
// RUN: %clang_analyze_cc1 -analyzer-checker=core.BitwiseShift \
// RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-config core.BitwiseShift:Pedantic=true \
// RUN: -analyzer-output=text -verify \
// RUN: -triple x86_64-pc-linux-gnu -x c++ -std=c++20 %s \
// RUN: -Wno-shift-count-negative -Wno-shift-negative-value \
// RUN: -Wno-shift-count-overflow -Wno-shift-overflow \
// RUN: -Wno-shift-sign-overflow
//
// This test file verifies the default behavior of the BitwiseShift checker,
// which reports the serious logical defects, but doesn't warn on code that's
// legal under C++20 (or later) and widely accepted (but theoretically
// undefined) in other compilation modes.
// TEST NEGATIVE RIGHT OPERAND
//===----------------------------------------------------------------------===//
int negative_right_operand_literal(void) {
return 2 << -2;
// expected-warning@-1 {{Right operand is negative in left shift}}
// expected-note@-2 {{The result of left shift is undefined because the right operand is negative}}
}
int negative_right_operand_symbolic(int left, int right) {
// expected-note@+2 {{Assuming 'right' is < 0}}
// expected-note@+1 {{Taking false branch}}
if (right >= 0)
return 0;
return left >> right;
// expected-warning@-1 {{Right operand is negative in right shift}}
// expected-note@-2 {{The result of right shift is undefined because the right operand is negative}}
}
int negative_right_operand_compound(short arg) {
// expected-note@+2 {{Assuming 'arg' is < 2}}
// expected-note@+1 {{Taking false branch}}
if (arg >= 2 )
return 0;
return 2 << (arg - 1 - 1 - 1);
// expected-warning@-1 {{Right operand is negative in left shift}}
// expected-note@-2 {{The result of left shift is undefined because the right operand is negative}}
}
// TEST TOO LARGE RIGHT OPERAND
//===----------------------------------------------------------------------===//
int too_large_right_operand_literal(void) {
return 2 << 32;
// expected-warning@-1 {{Left shift by '32' overflows the capacity of 'int'}}
// expected-note@-2 {{The result of left shift is undefined because the right operand '32' is not smaller than 32, the capacity of 'int'}}
}
int too_large_right_operand_exact_symbolic(int arg) {
// expected-note@+4 {{Assuming 'arg' is > 33}}
// expected-note@+3 {{Left side of '||' is false}}
// expected-note@+2 {{Assuming 'arg' is < 35}}
// expected-note@+1 {{Taking false branch}}
if (arg <= 33 || arg >= 35)
return 0;
return 3 << arg;
// expected-warning@-1 {{Left shift by '34' overflows the capacity of 'int'}}
// expected-note@-2 {{The result of left shift is undefined because the right operand '34' is not smaller than 32, the capacity of 'int'}}
}
int too_large_right_operand_exact_symbolic_2(char arg) {
// expected-note@+2 {{Assuming the condition is false}}
// expected-note@+1 {{Taking false branch}}
if (arg != ' ')
return 0;
return 3 << arg;
// expected-warning@-1 {{Left shift by '32' overflows the capacity of 'int'}}
// expected-note@-2 {{The result of left shift is undefined because the right operand '32' is not smaller than 32, the capacity of 'int'}}
}
int too_large_right_operand_symbolic(int left, int right) {
// expected-note@+2 {{Assuming 'right' is > 31}}
// expected-note@+1 {{Taking false branch}}
if (right <= 31)
return 0;
return left >> right;
// expected-warning@-1 {{Right shift overflows the capacity of 'int'}}
// expected-note@-2 {{The result of right shift is undefined because the right operand is >= 32, not smaller than 32, the capacity of 'int'}}
}
void clang_analyzer_value(int);
int too_large_right_operand_compound(unsigned short arg) {
// Note: this would be valid code with an 'unsigned int' because
// unsigned addition is allowed to overflow.
clang_analyzer_value(32+arg);
// expected-warning@-1 {{32s:{ [-2147483648, 2147483647] }}
// expected-note@-2 {{32s:{ [-2147483648, 2147483647] }}
return 1 << (32 + arg);
// expected-warning@-1 {{Left shift overflows the capacity of 'int'}}
// expected-note@-2 {{The result of left shift is undefined because the right operand is not smaller than 32, the capacity of 'int'}}
// FIXME: this message should be
// {{The result of left shift is undefined because the right operand is >= 32, not smaller than 32, the capacity of 'int'}}
// but for some reason neither the new logic, nor debug.ExprInspection and
// clang_analyzer_value reports this range information.
}
// TEST STATE UPDATES
//===----------------------------------------------------------------------===//
void state_update(char a, int *p) {
// NOTE: with 'int a' this would not produce a bug report because the engine
// would not rule out an overflow.
*p += 1 << a;
// expected-note@-1 {{Assuming right operand of bit shift is non-negative but less than 32}}
*p += 1 << (a + 32);
// expected-warning@-1 {{Left shift overflows the capacity of 'int'}}
// expected-note@-2 {{The result of left shift is undefined because the right operand is not smaller than 32, the capacity of 'int'}}
}
void state_update_2(char a, int *p) {
*p += 1234 >> (a + 32);
// expected-note@-1 {{Assuming right operand of bit shift is non-negative but less than 32}}
*p += 1234 >> a;
// expected-warning@-1 {{Right operand is negative in right shift}}
// expected-note@-2 {{The result of right shift is undefined because the right operand is negative}}
}
// TEST EXPRESSION TRACKING
//===----------------------------------------------------------------------===//
// Expression tracking a "generic" tool that's used by many other checkers,
// so this is just a minimal test to see that it's activated.
void setValue(unsigned *p, unsigned newval) {
*p = newval;
// expected-note@-1 {{The value 33 is assigned to 'right'}}
}
int expression_tracked_back(void) {
unsigned left = 115; // expected-note {{'left' initialized to 115}}
unsigned right;
setValue(&right, 33);
// expected-note@-1 {{Calling 'setValue'}}
// expected-note@-2 {{Passing the value 33 via 2nd parameter 'newval'}}
// expected-note@-3 {{Returning from 'setValue'}}
return left << right;
// expected-warning@-1 {{Left shift by '33' overflows the capacity of 'unsigned int'}}
// expected-note@-2 {{The result of left shift is undefined because the right operand '33' is not smaller than 32, the capacity of 'unsigned int'}}
}
// TEST PERMISSIVENESS
//===----------------------------------------------------------------------===//
int allow_overflows_and_negative_operands(void) {
// These are all legal under C++20 and many compilers accept them under
// earlier standards as well.
int int_min = 1 << 31; // no-warning
int this_overflows = 1027 << 30; // no-warning
return (-2 << 5) + (-3 >> 4); // no-warning
}
int double_negative(void) {
return -2 >> -2;
// expected-warning@-1 {{Right operand is negative in right shift}}
// expected-note@-2 {{The result of right shift is undefined because the right operand is negative}}
}
|
