[cfe-dev] Bug: Unexpected dereference claim on --analyze

Jeffrey Yasskin jyasskin at googlers.com
Mon Dec 5 16:43:44 PST 2011


Klocwork has a similar heuristic, and it proved obnoxious in practice.
~75%-90% of the time, the real problem in the code was that someone
was checking against 0, but the pointer was actually guaranteed not to
be 0, so the check was redundant. Unless the analyzer has other
evidence that the pointer may actually be 0, it should treat
"dereference null" and "redundant check" as similar likelihood and
include both in the warning, or omit the warning.

FWIW,
Jeffrey

On Fri, Dec 2, 2011 at 1:56 PM, Anna Zaks <ganna at apple.com> wrote:
> The analyzer tries to flag the issues which most likely are bugs. (If we restrict to only warning about definite bugs, it would miss a bunch of real bugs.)
>
> In your example, you only get the warning when the function contains the check: (t->root != 0). The reasoning here is that the programmer added this check because there is a possibility of t->root being 0. If t->root might be 0, you probably only want to dereference it if it's not 0. I suspect that the dereference checker has a special heuristic which helps it to identify this case.
>
> Cheers,
> Anna.
> On Dec 2, 2011, at 1:37 PM, Jan Engelhardt wrote:
>
>>
>>
>> Observed output:
>> ===
>> clang-case2.c:17:11: warning: Access to field 'child' results in a dereference
>>      of a null pointer (loaded from field 'root')
>>        t->root->child = 0;
>>           ~~~~  ^
>> 1 warning generated.
>>
>>
>> Expected output:
>> ===
>> None. There is no way to say with absolute confidence that t->root is
>> always NULL or never NULL.
>>
>>
>> Testcase:
>> ===
>> /*
>> SUSE Linux clang version 3.0 (branches/release_30 142912) (based on LLVM 3.0)
>>
>> clang --analyze this
>> */
>> struct node {
>>       struct node *child;
>> };
>> struct tree {
>>       struct node *root;
>> };
>> static void add(struct tree *t)
>> {
>> #if 1 /* generate warning */
>>       t->root != 0;
>> #endif
>>       t->root->child = 0;
>> }
>> _______________________________________________
>> cfe-dev mailing list
>> cfe-dev at cs.uiuc.edu
>> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev
>
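
The two readings of the testcase that the thread distinguishes ("dereference null" versus "redundant check"), written out as an added example that is not part of any message in the thread. The function names `add_guarded` and `add_nonnull` and the caller contract in the second one are assumptions made for illustration.

```c
#include <assert.h>
#include <stddef.h>

struct node { struct node *child; };
struct tree { struct node *root; };

/* Reading 1: root may legitimately be null (for example an empty tree).
 * The comparison is meaningful, so the dereference has to sit behind it.
 * Returns 0 on success, -1 if there was nothing to update. */
static int add_guarded(struct tree *t)
{
    if (t == NULL || t->root == NULL)
        return -1;
    t->root->child = NULL;
    return 0;
}

/* Reading 2: callers guarantee a non-null root (assumed contract).
 * The comparison in the testcase was redundant, so it is dropped.
 * The assert states the invariant and aborts in debug builds
 * instead of leaving an unused comparison in the function. */
static void add_nonnull(struct tree *t)
{
    assert(t != NULL && t->root != NULL);
    t->root->child = NULL;
}

int main(void)
{
    /* Constructed sample data: one populated tree, one empty tree. */
    struct node leaf = { NULL };
    struct node root = { &leaf };
    struct tree full = { &root };
    struct tree empty = { NULL };

    if (add_guarded(&empty) != -1)
        return 1;
    if (add_guarded(&full) != 0 || root.child != NULL)
        return 1;

    root.child = &leaf;
    add_nonnull(&full);
    return root.child == NULL ? 0 : 1;
}
```

Which of the two applies depends on facts outside the function, which is why the thread argues over whether the comparison alone is enough evidence for the warning.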