Fix issue 8144: valueFlowBeforeCondition: struct (cppcheck-opensource#2645)

pfultz2 · web-flow · commit 8301fa824493 · 2020-05-21T08:47:48.000+02:00
diff --git a/lib/astutils.cpp b/lib/astutils.cpp
@@ -1085,6 +1085,35 @@ bool isEscapeFunction(const Token* ftok, const Library* library)
     return false;
 }
 
+static bool hasReturnFunction(const Token* tok, const Library* library, const Token** unknownFunc)
+{
+    if (!tok)
+        return false;
+    const Token* ftok = tok->str() == "(" ? tok->previous() : nullptr;
+    while (Token::simpleMatch(ftok, "("))
+        ftok = ftok->astOperand1();
+    if (ftok) {
+        const Function * function = ftok->function();
+        if (function) {
+            if (function->isEscapeFunction())
+                return true;
+            if (function->isAttributeNoreturn())
+                return true;
+        } else if (library && library->isnoreturn(ftok)) {
+            return true;
+        } else if (Token::Match(ftok, "exit|abort")) {
+            return true;
+        }
+        if (unknownFunc && !function && library && library->functions.count(library->getFunctionName(ftok)) == 0)
+            *unknownFunc = ftok;
+        return false;
+    } else if (tok->isConstOp()) {
+        return hasReturnFunction(tok->astOperand1(), library, unknownFunc) || hasReturnFunction(tok->astOperand2(), library, unknownFunc);
+    }
+
+    return false;
+}
+
 bool isReturnScope(const Token* const endToken, const Library* library, const Token** unknownFunc, bool functionScope)
 {
     if (!endToken || endToken->str() != "}")
@@ -1110,21 +1139,12 @@ bool isReturnScope(const Token* const endToken, const Library* library, const To
         if (Token::Match(prev->link()->previous(), "[;{}] {"))
             return isReturnScope(prev, library, unknownFunc, functionScope);
     } else if (Token::simpleMatch(prev, ";")) {
-        if (Token::simpleMatch(prev->previous(), ") ;") && Token::Match(prev->linkAt(-1)->tokAt(-2), "[;{}] %name% (")) {
-            const Token * ftok = prev->linkAt(-1)->previous();
-            const Function * function = ftok->function();
-            if (function) {
-                if (function->isEscapeFunction())
-                    return true;
-                if (function->isAttributeNoreturn())
-                    return true;
-            } else if (library && library->isnoreturn(ftok)) {
-                return true;
-            } else if (Token::Match(ftok, "exit|abort")) {
-                return true;
-            }
-            if (unknownFunc && !function && library && library->functions.count(library->getFunctionName(ftok)) == 0)
-                *unknownFunc = ftok;
+        if (prev->tokAt(-2) && hasReturnFunction(prev->tokAt(-2)->astTop(), library, unknownFunc))
+            return true;
+        // Unknown symbol
+        if (Token::Match(prev->tokAt(-2), ";|}|{ %name% ;") && prev->previous()->isIncompleteVar()) {
+            if (unknownFunc)
+                *unknownFunc = prev->previous();
             return false;
         }
         if (Token::simpleMatch(prev->previous(), ") ;") && prev->previous()->link() &&
diff --git a/lib/checknullpointer.cpp b/lib/checknullpointer.cpp
@@ -195,7 +195,13 @@ bool CheckNullPointer::isPointerDeRef(const Token *tok, bool &unknown, const Set
 
     // read/write member variable
     if (firstOperand && parent->originalName() == "->" && (!parent->astParent() || parent->astParent()->str() != "&")) {
-        if (!parent->astParent() || parent->astParent()->str() != "(" || parent->astParent() == tok->previous())
+        if (!parent->astParent())
+            return true;
+        if (!Token::Match(parent->astParent()->previous(), "if|while|for|switch ("))
+            return true;
+        if (!Token::Match(parent->astParent()->previous(), "%name% ("))
+            return true;
+        if (parent->astParent() == tok->previous())
             return true;
         unknown = true;
         return false;
@@ -251,73 +257,6 @@ bool CheckNullPointer::isPointerDeRef(const Token *tok, bool &unknown, const Set
 }
 
 
-void CheckNullPointer::nullPointerLinkedList()
-{
-
-    if (!mSettings->isEnabled(Settings::WARNING))
-        return;
-
-    const SymbolDatabase* const symbolDatabase = mTokenizer->getSymbolDatabase();
-
-    // looping through items in a linked list in a inner loop.
-    // Here is an example:
-    //    for (const Token *tok = tokens; tok; tok = tok->next) {
-    //        if (tok->str() == "hello")
-    //            tok = tok->next;   // <- tok might become a null pointer!
-    //    }
-    for (const Scope &forScope : symbolDatabase->scopeList) {
-        const Token* const tok1 = forScope.classDef;
-        // search for a "for" scope..
-        if (forScope.type != Scope::eFor || !tok1)
-            continue;
-
-        // is there any dereferencing occurring in the for statement
-        const Token* end2 = tok1->linkAt(1);
-        for (const Token *tok2 = tok1->tokAt(2); tok2 != end2; tok2 = tok2->next()) {
-            // Dereferencing a variable inside the "for" parentheses..
-            if (Token::Match(tok2, "%var% . %name%")) {
-                // Is this variable a pointer?
-                const Variable *var = tok2->variable();
-                if (!var || !var->isPointer())
-                    continue;
-
-                // Variable id for dereferenced variable
-                const unsigned int varid(tok2->varId());
-
-                if (Token::Match(tok2->tokAt(-2), "%varid% ?", varid))
-                    continue;
-
-                // Check usage of dereferenced variable in the loop..
-                // TODO: Move this to ValueFlow
-                for (const Scope *innerScope : forScope.nestedList) {
-                    if (innerScope->type != Scope::eWhile)
-                        continue;
-
-                    // TODO: are there false negatives for "while ( %varid% ||"
-                    if (Token::Match(innerScope->classDef->next(), "( %varid% &&|)", varid)) {
-                        // Make sure there is a "break" or "return" inside the loop.
-                        // Without the "break" a null pointer could be dereferenced in the
-                        // for statement.
-                        for (const Token *tok4 = innerScope->bodyStart; tok4; tok4 = tok4->next()) {
-                            if (tok4 == forScope.bodyEnd) {
-                                const ValueFlow::Value v(innerScope->classDef, 0LL);
-                                nullPointerError(tok1, var->name(), &v, false);
-                                break;
-                            }
-
-                            // There is a "break" or "return" inside the loop.
-                            // TODO: there can be false negatives. There could still be
-                            //       execution paths that are not properly terminated
-                            else if (tok4->str() == "break" || tok4->str() == "return")
-                                break;
-                        }
-                    }
-                }
-            }
-        }
-    }
-}
-
 static bool isNullablePointer(const Token* tok, const Settings* settings)
 {
     if (!tok)
@@ -374,7 +313,6 @@ void CheckNullPointer::nullPointerByDeRefAndChec()
 
 void CheckNullPointer::nullPointer()
 {
-    nullPointerLinkedList();
     nullPointerByDeRefAndChec();
 }
 
diff --git a/lib/checknullpointer.h b/lib/checknullpointer.h
@@ -137,12 +137,6 @@ class CPPCHECKLIB CheckNullPointer : public Check {
                "- undefined null pointer arithmetic\n";
     }
 
-    /**
-     * @brief Does one part of the check for nullPointer().
-     * looping through items in a linked list in a inner loop..
-     */
-    void nullPointerLinkedList();
-
     /**
      * @brief Does one part of the check for nullPointer().
      * Dereferencing a pointer and then checking if it's NULL..
diff --git a/lib/forwardanalyzer.cpp b/lib/forwardanalyzer.cpp
@@ -407,8 +407,12 @@ struct ForwardTraversal {
             } else {
                 if (updateTok(tok, &next) == Progress::Break)
                     return Progress::Break;
-                if (next)
-                    tok = next;
+                if (next) {
+                    if (precedes(next, end))
+                        tok = next->previous();
+                    else
+                        return Progress::Break;
+                }
             }
             // Prevent infinite recursion
             if (tok->next() == start)
diff --git a/lib/templatesimplifier.cpp b/lib/templatesimplifier.cpp
@@ -147,10 +147,10 @@ TemplateSimplifier::TokenAndName::TokenAndName(Token *token, const std::string &
         if ((isFunction() || isClass()) && mNameToken->strAt(-1) == "::") {
             const Token * start = mNameToken;
 
-            while (Token::Match(start->tokAt(-2), "%name% ::") ||
-                   (Token::simpleMatch(start->tokAt(-2), "> ::") &&
-                    start->tokAt(-2)->findOpeningBracket() &&
-                    Token::Match(start->tokAt(-2)->findOpeningBracket()->previous(), "%name% <"))) {
+            while (start && (Token::Match(start->tokAt(-2), "%name% ::") ||
+                               (Token::simpleMatch(start->tokAt(-2), "> ::") &&
+                                start->tokAt(-2)->findOpeningBracket() &&
+                                Token::Match(start->tokAt(-2)->findOpeningBracket()->previous(), "%name% <")))) {
                 if (start->strAt(-2) == ">")
                     start = start->tokAt(-2)->findOpeningBracket()->previous();
                 else
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
@@ -1686,6 +1686,8 @@ namespace {
 
     void setScopeInfo(Token *tok, std::list<ScopeInfo3> *scopeInfo, bool all = false)
     {
+        if (!tok)
+            return;
         while (tok->str() == "}" && !scopeInfo->empty() && tok == scopeInfo->back().bodyEnd)
             scopeInfo->pop_back();
         if (!Token::Match(tok, "namespace|class|struct|union %name% {|:|::")) {
@@ -5902,7 +5904,7 @@ bool Tokenizer::simplifyConditions()
                  Token::simpleMatch(tok, "|| true ||")) {
             //goto '('
             Token *tok2 = tok;
-            while (tok2->previous()) {
+            while (tok2 && tok2->previous()) {
                 if (tok2->previous()->str() == ")")
                     tok2 = tok2->previous()->link();
                 else {
@@ -6466,7 +6468,7 @@ void Tokenizer::simplifyFunctionPointers()
             !(Token::Match(tok2, "%name% (") && Token::simpleMatch(tok2->linkAt(1), ") ) (")))
             continue;
 
-        while (tok->str() != "(")
+        while (tok && tok->str() != "(")
             tok = tok->next();
 
         // check that the declaration ends
diff --git a/lib/valueflow.cpp b/lib/valueflow.cpp
@@ -102,6 +102,7 @@
 #include <map>
 #include <set>
 #include <stack>
+#include <tuple>
 #include <vector>
 
 static void bailoutInternal(TokenList *tokenlist, ErrorLogger *errorLogger, const Token *tok, const std::string &what, const std::string &file, int line, const std::string &function)
@@ -1838,6 +1839,29 @@ static void valueFlowReverse(TokenList *tokenlist,
         }
 
         if (tok2->str() == "}") {
+            const Token* condTok = getCondTokFromEnd(tok2);
+            // Evaluate condition of for and while loops first
+            if (condTok && condTok->astTop() && Token::Match(condTok->astTop()->previous(), "for|while (")) {
+                const Token* startTok = nullptr;
+                const Token* endTok = nullptr;
+                std::tie(startTok, endTok) = condTok->findExpressionStartEndTokens();
+                if (!isVariableChanged(startTok, endTok, varid, false, settings, true)) {
+                    std::list<ValueFlow::Value> values = {val};
+                    if (val2.condition) {
+                        values.push_back(val2);
+                    }
+                    const Token *expr = Token::findmatch(tok2, "%varid%", varid);
+                    valueFlowForward(const_cast<Token*>(startTok),
+                                         endTok,
+                                         expr,
+                                         values,
+                                         false,
+                                         false,
+                                         tokenlist,
+                                         errorLogger,
+                                         settings);
+                }
+            }
             const Token *vartok = Token::findmatch(tok2->link(), "%varid%", tok2, varid);
             while (Token::Match(vartok, "%name% = %num% ;") && !vartok->tokAt(2)->getValue(num))
                 vartok = Token::findmatch(vartok->next(), "%varid%", tok2, varid);
@@ -4089,26 +4113,27 @@ struct ValueFlowConditionHandler {
                     // After conditional code..
                     if (Token::simpleMatch(top->link(), ") {")) {
                         Token *after = top->link()->linkAt(1);
-                        std::string unknownFunction;
-                        if (settings->library.isScopeNoReturn(after, &unknownFunction)) {
-                            if (settings->debugwarnings && !unknownFunction.empty())
-                                bailout(tokenlist, errorLogger, after, "possible noreturn scope");
-                            continue;
-                        }
-
-                        bool dead_if = isReturnScope(after, &settings->library) ||
+                        const Token* unknownFunction = nullptr;
+                        bool dead_if = isReturnScope(after, &settings->library, &unknownFunction) ||
                                        (tok->astParent() && Token::simpleMatch(tok->astParent()->previous(), "while (") &&
                                         !isBreakScope(after));
                         bool dead_else = false;
 
+                        if (!dead_if && unknownFunction) {
+                            if (settings->debugwarnings)
+                                bailout(tokenlist, errorLogger, unknownFunction, "possible noreturn scope");
+                            continue;
+                        }
+
                         if (Token::simpleMatch(after, "} else {")) {
                             after = after->linkAt(2);
-                            if (Token::simpleMatch(after->tokAt(-2), ") ; }")) {
+                            unknownFunction = nullptr;
+                            dead_else = isReturnScope(after, &settings->library, &unknownFunction);
+                            if (!dead_else && unknownFunction) {
                                 if (settings->debugwarnings)
-                                    bailout(tokenlist, errorLogger, after, "possible noreturn scope");
+                                    bailout(tokenlist, errorLogger, unknownFunction, "possible noreturn scope");
                                 continue;
                             }
-                            dead_else = isReturnScope(after, &settings->library);
                         }
 
                         if (dead_if && dead_else)
diff --git a/test/testnullpointer.cpp b/test/testnullpointer.cpp
diff --git a/test/testvalueflow.cpp b/test/testvalueflow.cpp
