[clang static analyzer] core.NullDereference false positive with `*r = 42`
Opened this issue · 2 comments
date: 2023-01-12
commit: 0c0681b7414c385d0fd5fad302c0d48607262050
args: --analyze -Xclang -analyzer-stats -Xclang -analyzer-checker=core,debug.ExprInspection
test:
#include "stdio.h"
#include <stdbool.h>
void clang_analyzer_eval();
struct a
{
    int b;
    int c;
};
union d
{
    struct a e;
} main()
{
    union d g = {};            /* g.e.b and g.e.c are both zero-initialized */
    int *p = (int *)0;         /* null pointer; the store below must be unreachable */
    clang_analyzer_eval((-g.e.b && g.e.c) == false);
    if (-g.e.b && g.e.c)
    {
        *p = 42;               /* dead branch, yet core.NullDereference fires here */
    }
}
report: llvm/llvm-project#60026
fix:
original:
I got a false positive error when compiling the following program with clang (trunk) -Xanalyzer -analyzer-output=text --analyze -Xanalyzer -analyzer-checker=debug.ExprInspection
in https://godbolt.org/z/GsaeKh8eY.
In this case, the eval result on line 17 is TRUE, and apparently the CSA knows for a fact that the result of (-g.e.b && g.e.c)
is FALSE, yet it continues to analyze the code inside the if statement, which is unreachable code. This is a bit odd.
Here are the analysis results of the case. Thank you for taking the time to review this case.
Input:
#include "stdio.h"
#include <stdbool.h>
void clang_analyzer_eval();
struct a
{
    int b;
    int c;
};
union d
{
    struct a e;
} main()
{
    union d g = {};            /* g.e.b and g.e.c are both zero-initialized */
    int *p = (int *)0;         /* null pointer; the store below must be unreachable */
    clang_analyzer_eval((-g.e.b && g.e.c) == false);
    if (-g.e.b && g.e.c)
    {
        *p = 42;               /* dead branch, yet core.NullDereference fires here */
    }
}
Output:
<source>:17:5: warning: TRUE [debug.ExprInspection]
    clang_analyzer_eval((-g.e.b && g.e.c) == false);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:20:12: warning: Dereference of null pointer (loaded from variable 'p') [core.NullDereference]
        *p = 42;
structure is supported.
see it live: https://godbolt.org/z/ejGdKxhcW
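The report's point is that the branch under `if (-g.e.b && g.e.c)` is dead once the union is zero-initialized, so the null store can never execute. The C program below is an added example, not code from the report or from LLVM: it checks at run time that the store never runs for `g = {0}`, and that the condition as written is equivalent to `b != 0 && c != 0` over a set of edge values, which is the simplification the analyzer would need to prune the path. The aggregate names mirror the reproducer; the function names are hypothetical helpers. One caveat it encodes: `-b` is a signed overflow when `b == INT_MIN`, so that value is kept out of the negated form.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Same aggregate shape as the reproducer in the report. */
struct a { int b; int c; };
union d { struct a e; };

/* The branch condition exactly as the reproducer writes it. */
static bool cond_as_written(int b, int c)
{
    return -b && c;
}

/* What the analyzer would have to conclude to prune the branch: -b is
 * nonzero exactly when b is nonzero, so the condition is (b != 0 && c != 0).
 * Written without the negation, so it is also defined for b == INT_MIN. */
static bool cond_simplified(int b, int c)
{
    return b != 0 && c != 0;
}

/* Counts (b, c) pairs, over constructed edge values, where the two forms
 * disagree. INT_MIN is left out of the b column on purpose: -INT_MIN is a
 * signed overflow, so cond_as_written() is not defined for it. */
static int count_mismatches(void)
{
    static const int bs[] = { INT_MIN + 1, -1, 0, 1, INT_MAX };
    static const int cs[] = { INT_MIN, -1, 0, 1, INT_MAX };
    int mismatches = 0;
    for (size_t i = 0; i < sizeof bs / sizeof bs[0]; i++)
        for (size_t j = 0; j < sizeof cs / sizeof cs[0]; j++)
            if (cond_as_written(bs[i], cs[j]) != cond_simplified(bs[i], cs[j]))
                mismatches++;
    return mismatches;
}

/* Runtime version of the report's if-statement for a zero-initialized union.
 * The store goes to a local instead of through a null pointer so the function
 * is safe to call; the return value is how many times the store ran, which
 * is 0 because g.e.b and g.e.c are both zero after `= {0}`. */
static int stores_for_zero_init(void)
{
    union d g = {0};   /* {0} rather than {} so this also builds as C11/C17 */
    int sink = 0;
    int *p = &sink;
    int stores = 0;
    if (-g.e.b && g.e.c) {
        *p = 42;
        stores++;
    }
    return stores;
}

int main(void)
{
    printf("mismatches between (-b && c) and (b && c): %d\n", count_mismatches());
    printf("stores executed for zero-initialized union: %d\n", stores_for_zero_init());
    return 0;
}
```

The run-time result is only a sanity check on the report's reasoning; it says nothing about why the analyzer still explores the branch. For triage, the same two functions can be fed to `clang --analyze` with `debug.ExprInspection` enabled and `clang_analyzer_eval` calls on each form, to see whether the negated form is what the path-sensitive engine fails to constrain.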