[cfe-dev] Undiagnosed null pointer dereference

John McCall via cfe-dev cfe-dev at lists.llvm.org
Fri Sep 8 12:54:37 PDT 2017


> On Sep 8, 2017, at 12:53 PM, Martin J. O'Riordan via cfe-dev <cfe-dev at lists.llvm.org> wrote:
> 
> I was looking at a bug that a customer reported to me, and have reduced the code to the following fragment:
> void func(int *z) {
>   int *b = 0; // This is the customer bug
> 
>   for (int j = 0; j < 16; j++) {
>     int c = *b;
>     c -= *z++;
>     *b++ = c;
>   }
> }
> It is clearly undefined behaviour, and this produces the following IR:
> ; Function Attrs: norecurse nounwind
> define void @func(i32* nocapture readonly) local_unnamed_addr #0 {
>   unreachable
> }
> which emits a label for the function in assembly, but no instructions.  But if I comment out any of the lines in the loop, I get:
> ; Function Attrs: norecurse nounwind readnone
> define void @func(i32* nocapture) local_unnamed_addr #0 {
>   ret void
> }
> then it emits a function which returns immediately.
> 
> I was surprised though, that even with ‘-Wall -Wextra’ the de-reference of the null pointer is not diagnosed.

The compiler frontend doesn't normally do the kind of cross-statement data-flow analysis that would be necessary to report this. I'm sure the static analyzer would report it, though. It would also be exposed dynamically if you built with UBSan.

I don't really see a bug here.

John.

> 
> I guess this is a bug, but I haven't yet gone through the process of reporting bugs.
> 
> MartinO
> 
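As an added example (not code from the thread), here is the customer's routine rewritten so that a null buffer is an explicit, checked error rather than undefined behaviour the optimizer may silently fold into `unreachable`; the explicit element count in the signature is an assumption of this example, since the original hard-codes 16.

```c
#include <stddef.h>
#include <stdio.h>

/* Hardened form of the routine discussed in the thread (added example).
 * Both pointers are validated before any dereference, so the compiler
 * has no undefined path to discard; the element count is passed in
 * rather than fixed at 16 (an assumption of this example).
 * Returns 0 on success, -1 if either buffer is NULL. */
int func_checked(int *b, const int *z, size_t n) {
    if (b == NULL || z == NULL)
        return -1;
    for (size_t j = 0; j < n; j++) {
        int c = b[j];   /* read the current output value */
        c -= z[j];      /* subtract the matching input value */
        b[j] = c;       /* store the result in place */
    }
    return 0;
}

int main(void) {
    int b[4] = {10, 20, 30, 40};   /* constructed sample data */
    int z[4] = {1, 2, 3, 4};
    int rc = func_checked(b, z, 4);
    printf("rc=%d b=%d %d %d %d\n", rc, b[0], b[1], b[2], b[3]);
    /* The original call pattern (b == NULL) is now a reported error. */
    rc = func_checked(NULL, z, 4);
    printf("rc=%d\n", rc);
    return 0;
}
```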

