[cfe-dev] Is this a false positive?

Andrew Brampton brampton+cfe-dev at gmail.com
Tue May 5 17:24:33 PDT 2009


Hi,
I'm using the Clang Static Analyzer (r70876) and I'm unsure if the
following is a false positive (in the sense that I shouldn't file a
bug report):

1: int size;
2: socklen_t size_len = sizeof(size);
3: if (getsockopt(s, SOL_SOCKET, SO_SNDBUF, (char *)&size, &size_len) < 0)
4:   return SOCKET_ERROR;
5: return size;

It says "Uninitialized or undefined return value returned to caller"
on line 5. I can understand why this is happening because clang
doesn't realise that if getsockopt returns successfully (by returning
a value >= 0) then size will have been set. I easily fixed the problem
by initialising size to SOCKET_ERROR.

Now is this a false positive, or should clang actually know that
getsockopt will change the size variable? I can understand how it
wouldn't know since getsockopt is in an external library, but I was
wondering if clang perhaps kept some kind of metadata about how
different functions were meant to work?

For example, I haven't tested it but if I did
const char *src = "X";  /* a string literal needs a pointer, not a char */
char dest[100];
strcpy(dest, src);      /* strcpy() takes two arguments */
return dest[0];

Would clang know that the first byte of dest would have been set? I
guess in this case it might since strcpy is most likely a builtin, or
declared in the header file.

Thanks
Andrew

P.S. I am really impressed with this static analyser! I have tried
many other static code analysers in the past and they have always
generated far too many false positives, or displayed the output in a
hard-to-read/understand way. Your simple HTML output is great! I can't
wait until all this also works for C++ ;)
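The getsockopt() pattern from the mail, written out as an added example (it is not code from the original post or from clang): the wrapper initialises size before the call so every return path is defined, and additionally checks the length getsockopt() writes back. SOCKET_ERROR is a Winsock name that POSIX lacks, so it is defined here as -1 (an assumption for this example).

```c
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* SOCKET_ERROR is a Winsock macro; on POSIX we define it ourselves
 * (assumption made for this example). */
#ifndef SOCKET_ERROR
#define SOCKET_ERROR (-1)
#endif

/* Returns the kernel's send-buffer size for socket s, or SOCKET_ERROR.
 * size is initialised before the call, so whatever the analyzer assumes
 * about getsockopt() writing through &size, no path returns garbage. */
int get_sndbuf(int s)
{
    int size = SOCKET_ERROR;            /* defined on the error path too */
    socklen_t size_len = sizeof(size);

    if (getsockopt(s, SOL_SOCKET, SO_SNDBUF, &size, &size_len) < 0)
        return SOCKET_ERROR;

    /* getsockopt() also writes size_len: if fewer bytes than expected
     * were copied, size is only partially written, so treat that as an
     * error instead of returning a half-initialised int. */
    if (size_len != sizeof(size))
        return SOCKET_ERROR;

    return size;
}

/* Self-check: an AF_UNIX socket pair needs no network; the closed
 * descriptor exercises the error path. Returns 1 on success, 0 otherwise. */
int demo(void)
{
    int fds[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) < 0)
        return 0;
    int ok = get_sndbuf(fds[0]) > 0;    /* a live socket has a buffer */
    close(fds[0]);
    close(fds[1]);
    /* fds[0] is closed now: getsockopt() fails and the initialised
     * SOCKET_ERROR is what the caller sees. */
    ok = ok && get_sndbuf(fds[0]) == SOCKET_ERROR;
    return ok;
}
```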



More information about the cfe-dev mailing list