Geoffrey1014/SA_Bugs

CSA evaluates `((0)+1)==((a)+1)` to be FALSE with the fact that variable `a` is a pointer and is NULL

Closed this issue · 2 comments

date: 2023-1-10
commit:
args: --analyze -Xclang -analyzer-stats -Xclang -analyzer-checker=core,debug.ExprInspection
test:

#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

void clang_analyzer_eval(int);  /* calls are intercepted by the debug.ExprInspection checker */

int *a;  /* global pointer, unconstrained until the branch below */
void foo(int x) {
  if (0 == a) {  /* on this path the analyzer knows a is NULL */
    clang_analyzer_eval((0 == a)==true);
    clang_analyzer_eval(((0)!=(a))==false);
    clang_analyzer_eval(((0)+0)==((a)+0));
    clang_analyzer_eval(((0)+0)<((a)+1));
    clang_analyzer_eval(((0)+1)==((a)+1));  /* the case in the title: reported FALSE */
    clang_analyzer_eval(((0)+0)<((a)+2));
    clang_analyzer_eval(((0)+1)<((a)+2));
    clang_analyzer_eval(((0)+2)==((a)+2));
    clang_analyzer_eval(((0)-0)==((a)-0));
    clang_analyzer_eval(true);
    ;
  }
}

report:
fix:
original:

This case is similar to #35, but there is a little difference.

https://godbolt.org/z/voMc1qMPe

Output:

<source>:10:5: warning: TRUE [debug.ExprInspection]
    clang_analyzer_eval((0 == a)==true);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:11:5: warning: TRUE [debug.ExprInspection]
    clang_analyzer_eval(((0)!=(a))==false);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:12:5: warning: TRUE [debug.ExprInspection]
    clang_analyzer_eval(((0)+0)==((a)+0));
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:13:5: warning: FALSE [debug.ExprInspection]
    clang_analyzer_eval(((0)+0)<((a)+1));
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:14:5: warning: FALSE [debug.ExprInspection]
    clang_analyzer_eval(((0)+1)==((a)+1));
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:15:5: warning: FALSE [debug.ExprInspection]
    clang_analyzer_eval(((0)+0)<((a)+2));
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:16:5: warning: FALSE [debug.ExprInspection]
    clang_analyzer_eval(((0)+1)<((a)+2));
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:17:5: warning: FALSE [debug.ExprInspection]
    clang_analyzer_eval(((0)+2)==((a)+2));
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:18:5: warning: TRUE [debug.ExprInspection]
    clang_analyzer_eval(((0)-0)==((a)-0));
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:19:5: warning: TRUE [debug.ExprInspection]
    clang_analyzer_eval(true);
    ^~~~~~~~~~~~~~~~~~~~~~~~~
===-------------------------------------------------------------------------===
                                Analyzer timers
===-------------------------------------------------------------------------===
  Total Execution Time: 0.0029 seconds (0.0294 wall clock)

   ---User Time---   --System Time--   --User+System--   ---Wall Time---  --- Name ---
   0.0016 ( 58.7%)   0.0000 (  0.0%)   0.0016 ( 54.9%)   0.0214 ( 72.8%)  Path exploration time
   0.0001 (  4.5%)   0.0002 (100.0%)   0.0003 ( 10.6%)   0.0058 ( 19.8%)  Syntax-based analysis time
   0.0010 ( 36.8%)   0.0000 (  0.0%)   0.0010 ( 34.5%)   0.0022 (  7.4%)  Path-sensitive report post-processing time
   0.0028 (100.0%)   0.0002 (100.0%)   0.0029 (100.0%)   0.0294 (100.0%)  Total

10 warnings generated.
Compiler returned: 0
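A triage helper, added here as an example that is not part of the issue or of the SA_Bugs project: it parses the `debug.ExprInspection` warning blocks shown above and re-evaluates each expression as plain integers with `a` bound to 0, listing the verdicts that disagree with that model. The integer model is an assumption, not C semantics: adding a nonzero integer to a null pointer is undefined behaviour in C, so a mismatch marks a verdict worth discussing rather than a proven analyzer bug.

```python
import ast, operator, re

# Constructed sample: two of the warning blocks from the issue's output.
SAMPLE_OUTPUT = """\
<source>:12:5: warning: TRUE [debug.ExprInspection]
    clang_analyzer_eval(((0)+0)==((a)+0));
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:14:5: warning: FALSE [debug.ExprInspection]
    clang_analyzer_eval(((0)+1)==((a)+1));
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"""
WARNING_RE = re.compile(r"^<source>:(\d+):\d+: warning: (TRUE|FALSE|UNKNOWN) "
                        r"\[debug\.ExprInspection\]$")
EVAL_RE = re.compile(r"^\s*clang_analyzer_eval\((.*)\);\s*$")
# Only +, - and comparisons are interpreted; anything else is rejected, so compiler output never reaches eval().
BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub}
CMP_OPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
           ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}

def parse_verdicts(output):
    """Return [(source_line, verdict, expression)] from analyzer output."""
    lines, found = output.splitlines(), []
    for i, line in enumerate(lines[:-1]):
        m = WARNING_RE.match(line)
        e = EVAL_RE.match(lines[i + 1]) if m else None
        if e:
            found.append((int(m.group(1)), m.group(2), e.group(1)))
    return found

def _ev(node, env):
    # Walk the parsed C comparison, treating every operand as an unbounded integer.
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return int(node.value)
    if isinstance(node, ast.Name):
        return env[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        return BIN_OPS[type(node.op)](_ev(node.left, env), _ev(node.right, env))
    if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in CMP_OPS:
        return int(CMP_OPS[type(node.ops[0])](_ev(node.left, env),
                                              _ev(node.comparators[0], env)))
    raise ValueError("unsupported syntax: " + ast.dump(node))

def integer_model(expr, **bindings):
    """Verdict the expression gets when every operand is an integer."""
    env = {"true": 1, "false": 0, **bindings}
    return "TRUE" if _ev(ast.parse(expr, mode="eval").body, env) else "FALSE"

def find_mismatches(output, **bindings):
    # (line, analyzer verdict, integer-model verdict, expression) where the two differ
    return [(ln, v, integer_model(e, **bindings), e)
            for ln, v, e in parse_verdicts(output)
            if v != integer_model(e, **bindings)]
```

Run `find_mismatches(SAMPLE_OUTPUT, a=0)` to get the line-14 verdict back as the only disagreement; pasting the full output from the issue in place of the sample lists every FALSE line the same way.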

duplicate of #30