[cfe-dev] Clang Analyzer false positives with relations between variables
Erik Cederstrand
erik at cederstrand.dk
Tue Oct 9 11:28:37 PDT 2012
On 06/10/2012 at 01:51, Anna Zaks <ganna at apple.com> wrote:
>
> The first action toward fixing the simple example would be to add alpha-renaming support to the analyzer's constraint manager. While performing symbolic execution of the program, we cannot record the fact that x == y, so even this simplified example will not work:
>
> int foo(int y, int z, int *p) {
>   int *x;
>   if (y == z)
>     x = 0;
>   if (y == z)
>     x = p;
>   return *x; // False positive: null pointer dereference reported.
> }
Thanks for the explanation. It's a bit over my head to implement but nice to know what's going on.
> This would not guarantee that the second example will be solved. For example, it looks like the 'parsekey()' function is in a separate translation unit. The analyzer is not yet capable of reasoning across translation unit boundaries.
>
> One could argue that the fact that parsekey's return values have the dependency has to be recorded by the programmer. Without a better mechanism, an assert could be helpful.
I'll have a look at it again.
Erik
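To make the alpha-renaming point concrete, here is a toy path-sensitive symbolic executor for the quoted foo(), run under two constraint managers. This is an added illustration written for this thread, not code from Clang or from either poster; the names NaiveCM, RenamingCM, explore and the PROGRAM encoding are assumptions of the toy. NaiveCM stands in for a manager that cannot express a comparison between two symbols, so both outcomes of every `y == z` stay feasible and the path "first branch taken, second not taken" leaves x == 0 at the dereference. RenamingCM records `y == z` by rewriting z to y (union-find) and `y != z` as a disequality, so the inconsistent paths are pruned. One caveat a reader should notice: on the path where neither branch is taken, x in the quoted example is never assigned, and both managers keep that report, because it is a real uninitialized-pointer dereference rather than a constraint-manager limitation.

```python
"""Toy symbolic execution of the quoted foo(), with and without alpha-renaming
of symbol equalities.  Added illustration only; not Clang's implementation."""

UNINIT = object()   # marker for a pointer that was never assigned


class NaiveCM:
    """Models a constraint manager that can only bound one symbol against
    concrete values.  A symbol-vs-symbol comparison cannot be expressed,
    so nothing is recorded and every outcome stays feasible."""

    def copy(self):
        return NaiveCM()

    def assume(self, a, b, equal):
        return True          # never contradicts anything


class RenamingCM:
    """Records y == z by alpha-renaming (union-find: z is rewritten to its
    representative y) and y != z as a disequality between representatives."""

    def __init__(self, parent=None, diseq=None):
        self.parent = dict(parent or {})
        self.diseq = list(diseq or [])

    def copy(self):
        return RenamingCM(self.parent, self.diseq)

    def find(self, s):
        while self.parent.get(s, s) != s:
            s = self.parent[s]
        return s

    def evaluate(self, a, b):
        """True / False if a == b is decided by recorded facts, else None."""
        ra, rb = self.find(a), self.find(b)
        if ra == rb:
            return True
        for p, q in self.diseq:
            if {self.find(p), self.find(q)} == {ra, rb}:
                return False
        return None

    def assume(self, a, b, equal):
        """Add a == b (or a != b); return False if that is infeasible."""
        known = self.evaluate(a, b)
        if known is not None:
            return known == equal
        if equal:
            self.parent[self.find(b)] = self.find(a)   # rename b -> a
        else:
            self.diseq.append((a, b))
        return True


# The quoted foo(): two `if (y == z)` guards, each with one assignment to x,
# followed by a dereference of x.  ('if_eq', lhs, rhs, then-statement)
PROGRAM = [
    ("if_eq", "y", "z", ("assign", 0)),     # if (y == z) x = 0;
    ("if_eq", "y", "z", ("assign", "p")),   # if (y == z) x = p;
    ("deref",),                              # return *x;
]


def explore(cm_factory):
    """Enumerate every feasible path through PROGRAM; return sorted reports
    of the form (kind, branch_outcomes)."""
    reports = []
    work = [(0, UNINIT, cm_factory(), ())]    # (pc, value of x, constraints, path)
    while work:
        pc, x, cm, path = work.pop()
        if pc == len(PROGRAM):
            continue
        op = PROGRAM[pc]
        if op[0] == "if_eq":
            _, lhs, rhs, then = op
            for taken in (True, False):
                branch_cm = cm.copy()
                if not branch_cm.assume(lhs, rhs, taken):
                    continue                  # infeasible edge: pruned
                new_x = then[1] if taken else x
                work.append((pc + 1, new_x, branch_cm, path + (taken,)))
        elif op[0] == "deref":
            if x is UNINIT:
                reports.append(("uninitialized-deref", path))
            elif x == 0:
                reports.append(("null-deref", path))
            work.append((pc + 1, x, cm, path))
    return sorted(reports)


if __name__ == "__main__":
    print("without alpha-renaming:", explore(NaiveCM))
    print("with alpha-renaming:   ", explore(RenamingCM))
```

The spurious `null-deref` on path `(True, False)` appears only under NaiveCM; RenamingCM turns the second `y == z` into `y == y` after renaming, so that edge is infeasible and only the genuine uninitialized-pointer path survives.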