[clang static analyzer] core.NullDereference false negative with `*(int *)0`
Opened this issue · 1 comments
I got a false negative error when compiling the following program with clang(trunk) --analyze -Xclang -analyzer-stats -Xclang -analyzer-checker=core,debug.ExprInspection
https://godbolt.org/z/YxWK86exG.
Input:
void clang_analyzer_eval();
struct a b;
struct a {};
void main()
{
    if (&b == &b)
    {
        clang_analyzer_eval(((&b) + 1) < ((&b) + 2));
        if (((&b) + 1) < ((&b) + 2))
        {
            *(int *)0;
        }
    }
}
Output:
<source>:11:9: warning: TRUE [debug.ExprInspection]
clang_analyzer_eval(((&b) + 1) < ((&b) + 2));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Compiling and running this case through clang(trunk) shows that ((&b) + 1) < ((&b) + 2) results in FALSE, while the analyzer gives TRUE. Based on the TRUE result, it appears that the analyzer does not enter the if branch for analysis (and does not generate a core.NullDereference warning for *(int *)0).
In a way, from the user's point of view, this might be seen as a false negative. Thanks a lot for taking the time to review this case. We hope the clang static analyzer will be better. Thanks.
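As an added example (not part of the issue report), the following C program shows where the runtime result and the analyzer's answer diverge: in GNU C an empty struct has size 0, so `&b + 1` and `&b + 2` denote the same address and the comparison is FALSE, whereas for any type with nonzero size the analyzer's TRUE is the correct answer. The function names and the `nonempty` contrast type are mine.

```c
#include <stddef.h>
#include <stdio.h>

/* Empty struct: a GNU C extension, sizeof is 0 here (in C++ it would be 1). */
struct empty {};
/* A normal type for contrast. */
struct nonempty { int x; };

/* Arrays so that p+1 and p+2 stay within the object (no undefined behaviour). */
static struct empty    e_arr[3];
static struct nonempty n_arr[3];

/* Returns 1 when (p+1) < (p+2) holds for the zero-size element type. */
int compare_empty(void)
{
    struct empty *p = e_arr;
    return (p + 1) < (p + 2);
}

/* Same comparison over a type with nonzero size. */
int compare_nonempty(void)
{
    struct nonempty *p = n_arr;
    return (p + 1) < (p + 2);
}

size_t empty_size(void)
{
    return sizeof(struct empty);
}

int main(void)
{
    printf("sizeof(struct empty) = %zu\n", empty_size());
    printf("empty:    (p+1) < (p+2) -> %d\n", compare_empty());
    printf("nonempty: (p+1) < (p+2) -> %d\n", compare_nonempty());
    return 0;
}
```

The analyzer reasons about the comparison symbolically without folding in the zero element size, which is why its verdict matches the nonempty case only.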
@llvm/issue-subscribers-clang-static-analyzer