[analyzer] Add missing return after function pointer null check.

Also add some tests that there is actually a message and that the bug is
actually a hard error. This actually behaved correctly before, because:

- addTransition() doesn't actually add a transition if the new state is null;
  it assumes you want to propagate the predecessor forward and does nothing.
- generateSink() is called in order to emit a bug report.
- If at least one new node has been generated, the predecessor node is /not/
  propagated forward.

But now it's spelled out explicitly.

Found by Richard Mazorodze, who's working on a patch that may require this.

llvm-svn: 191805

2 files changed, 14 insertions, 0 deletions

diff --git a/clang/lib/StaticAnalyzer/Checkers/CallAndMessageChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/CallAndMessageChecker.cpp
index d5ab479ec3c..fefcbe7b09c 100644
--- a/clang/lib/StaticAnalyzer/Checkers/CallAndMessageChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/CallAndMessageChecker.cpp
@@ -249,6 +249,7 @@ void CallAndMessageChecker::checkPreStmt(const CallExpr *CE,
       BT_call_null.reset(
         new BuiltinBug("Called function pointer is null (null dereference)"));
     emitBadCall(BT_call_null.get(), C, Callee);
+    return;
   }
 
   C.addTransition(StNonNull);
diff --git a/clang/test/Analysis/func.c b/clang/test/Analysis/func.c
index 9abb560e758..275a82da2e7 100644
--- a/clang/test/Analysis/func.c
+++ b/clang/test/Analysis/func.c
@@ -25,3 +25,16 @@ void f3(void (*f)(void), void (*g)(void)) {
   (*g)();
   clang_analyzer_eval(!g); // expected-warning{{FALSE}}
 }
+
+void nullFunctionPointerConstant() {
+  void (*f)(void) = 0;
+  f(); // expected-warning{{Called function pointer is null}}
+  clang_analyzer_eval(0); // no-warning
+}
+
+void nullFunctionPointerConstraint(void (*f)(void)) {
+  if (f)
+    return;
+  f(); // expected-warning{{Called function pointer is null}}
+  clang_analyzer_eval(0); // no-warning
+}