[cfe-dev] [Analyzer] For the undefined value of array element, the tracking information is incomplete.

Henry Wong via cfe-dev cfe-dev at lists.llvm.org
Tue Aug 7 03:50:48 PDT 2018


Hi all,

For the code below, there is an undefined value assignment. However, the report is incomplete: based on the report, we can't know where the undefined value came from.

```
// clang -cc1 -analyze -analyzer-checker=core -analyzer-output=text test.c

void foo() {
    char *argv[10];
    const char* s = argv[2];
}

// Report information.

test.c:3:2: warning: Assigned value is garbage or undefined
        const char *s = argv[2];
        ^               ~~~~~~~
test.c:3:2: note: Assigned value is garbage or undefined
        const char *s = argv[2];
        ^               ~~~~~~~
1 warning generated.
```

The fix for this is not complex: adding special handling for `ArraySubscriptExpr` in `peelOffOuterExpr()` can achieve the goal.
```cpp
static const Expr *peelOffOuterExpr(const Expr *Ex, const ExplodedNode *N) {
  // ...

  // Peel off the subscript and keep tracking the array base expression.
  if (auto *ASE = dyn_cast<ArraySubscriptExpr>(Ex))
    return peelOffOuterExpr(ASE->getBase(), N);

  // ...
}
```

However, after we modified `peelOffOuterExpr()`, another problem emerged. Although we got the information about where the undefined value came from, the description is not correct.
```
test.c:3:2: warning: Assigned value is garbage or undefined
        const char *s = argv[2];
        ^               ~~~~~~~
test.c:2:2: note: 'argv' initialized here
        char *argv[10];
        ^~~~~~~~~~
test.c:3:2: note: Assigned value is garbage or undefined
        const char *s = argv[2];
        ^               ~~~~~~~
1 warning generated.
```

The essential reason is that the analyzer treats completely-undefined structures as defined values, see http://clang-developers.42468.n3.nabble.com/uninitialized-variable-tp4053392p4053393.html. That's why `showBRDiagnostics()` gave the wrong description.


I want to know if there is a simple and efficient way to determine whether the `LazyCompoundVal` is undefined or partially-undefined except iterating the `ElementRegion` bindings?

Thanks in advance!

Henry Wong
Qihoo 360 Codesafe Team
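A constructed test file (added here, not part of Henry's message) that puts the original reproducer next to a fully initialized array and a partially initialized one, so the three cases the question distinguishes can be fed to the same `clang -cc1 -analyze -analyzer-checker=core -analyzer-output=text` command from the message and their reports compared. The function names and the sample string are made up; the comments describe which elements are defined in C terms and do not claim what the analyzer reports for the two added cases.

```c
/* Constructed analyzer input; not code from the original message.
 * Run with: clang -cc1 -analyze -analyzer-checker=core -analyzer-output=text cases.c
 */
#include <stddef.h>

static char hello[] = "hello"; /* constructed sample data */

/* Case 1: the original reproducer. Every element of argv is undefined,
 * so argv[2] is an undefined value at the assignment. */
void whole_array_uninit(void) {
    char *argv[10];
    const char *s = argv[2]; /* the message's "garbage or undefined" site */
    (void)s;
}

/* Case 2: the whole array is initialized (all elements NULL), so argv[2]
 * is a defined value. */
const char *whole_array_init(void) {
    char *argv[10] = {0};
    return argv[2];
}

/* Case 3: only argv[2] is written. Reading argv[2] is a defined read;
 * reading any other element would be an undefined read. This is the
 * "partially undefined" array the question asks about. */
const char *partial_array_read_defined(void) {
    char *argv[10];
    argv[2] = hello;
    return argv[2];
}

/* Checks case 3 by pointer identity without touching undefined elements. */
int partial_read_matches(void) {
    return partial_array_read_defined() == hello;
}
```

Only the defined reads are exercised when the file is compiled and run normally; case 1 exists solely as analyzer input.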