[cfe-dev] [analyzer] Speaking about reaching definitions...
Artem Dergachev via cfe-dev
cfe-dev at lists.llvm.org
Thu Jun 27 13:56:19 PDT 2019
This is very loosely related to Kristof's GSoC and this is my favorite
subject: weird assumption chains.
Consider:
int *bar();   // opaque: may or may not return null

void foo1() {
  int *a = bar();
  int *b = a;
  if (b) { /* ... */ }  // checking 'b' suggests 'b' (and so 'a') may be null
  *a = 1;               // dereference of 'a': the report here is justified
}
This is a valid null dereference bug. Like, 'b' is probably null
(otherwise why check?), therefore 'a', which is equal to 'b', may also
be null.
Now consider:
int *bar();   // opaque: may or may not return null
bool coin();  // opaque condition

void foo2() {
  int *a = bar();
  int *b = nullptr;
  if (coin()) {
    b = a;
  }
  if (b) { /* ... */ }  // the check is justified by the nullptr definition alone
  *a = 1;               // reported as well, but a false positive if bar() never returns null
}
In foo2 we will report a null dereference as well, however the null
check for 'b' is well-justified even if bar() never returns null,
therefore it's a false positive.
How 'bout we suppress the null dereference warning when the
reaching-definition analysis for 'b' that starts at 'if (b)' - i.e. at
the collapse point - yields multiple definitions and one of them is a
plain null?
Note that the plain-null definition would never be a part of the bug
path because it would not have a corresponding collapse point (it's
already a concrete null).
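The heuristic sketched above, as an added worked example that is not Clang Static Analyzer code and not part of the original message. It runs a textbook reaching-definitions dataflow (gen/kill, iterated to a fixpoint) over a hand-built CFG and then applies the proposed rule: at the block holding the 'if (b)' check, suppress when more than one definition of 'b' reaches it and at least one of them is a plain null. The CFG shapes for foo1 and foo2, the Rhs classification (Null / Call / Var), and the assumption that the check is the first thing in its block are all assumptions of this example; collapse points themselves are not modeled.

```cpp
// Added example, not Clang code: toy reaching definitions + the proposed
// "multiple definitions, one of them a plain null" suppression rule.
#include <cstdio>
#include <map>
#include <set>
#include <string>
#include <vector>

// What a definition assigns (assumed classification for this example).
enum class Rhs { Null, Call, Var };

struct Def {
    int id;           // unique definition id
    std::string var;  // variable being defined
    Rhs rhs;
};

struct Block {
    std::vector<Def> defs;   // definitions in program order
    std::vector<int> preds;  // predecessor block indices
};

using Cfg = std::vector<Block>;  // block 0 is the entry block

// Classic forward dataflow: IN[B] = union of OUT[P] over preds P;
// OUT[B] = GEN[B] + (IN[B] - KILL[B]). Returns IN[B] for every block.
std::vector<std::set<int>> reachingDefsIn(const Cfg& cfg) {
    std::map<std::string, std::set<int>> defsOfVar;
    for (const Block& b : cfg)
        for (const Def& d : b.defs) defsOfVar[d.var].insert(d.id);

    size_t n = cfg.size();
    std::vector<std::set<int>> in(n), out(n);
    bool changed = true;
    while (changed) {
        changed = false;
        for (size_t i = 0; i < n; ++i) {
            std::set<int> newIn;
            for (int p : cfg[i].preds) newIn.insert(out[p].begin(), out[p].end());
            std::set<int> newOut = newIn;
            for (const Def& d : cfg[i].defs) {
                for (int k : defsOfVar[d.var]) newOut.erase(k);  // kill other defs of var
                newOut.insert(d.id);                              // gen this one
            }
            if (newIn != in[i] || newOut != out[i]) {
                in[i] = newIn; out[i] = newOut; changed = true;
            }
        }
    }
    return in;
}

// The proposed rule, evaluated at the block whose first statement is 'if (var)'.
bool shouldSuppress(const Cfg& cfg, const std::string& var, size_t checkBlock) {
    std::vector<std::set<int>> in = reachingDefsIn(cfg);
    std::map<int, const Def*> byId;
    for (const Block& b : cfg)
        for (const Def& d : b.defs) byId[d.id] = &d;
    int count = 0;
    bool hasPlainNull = false;
    for (int id : in[checkBlock]) {
        if (byId[id]->var != var) continue;
        ++count;
        if (byId[id]->rhs == Rhs::Null) hasPlainNull = true;
    }
    return count > 1 && hasPlainNull;
}

// foo1: block 0 {a = bar(); b = a;} -> block 1 {if (b) ...; *a = 1;}
Cfg buildFoo1() {
    return {Block{{{1, "a", Rhs::Call}, {2, "b", Rhs::Var}}, {}},
            Block{{}, {0}}};
}

// foo2: block 0 {a = bar(); b = nullptr; if (coin())} -> block 1 {b = a;}
//       both block 0 and block 1 flow into block 2 {if (b) ...; *a = 1;}
Cfg buildFoo2() {
    return {Block{{{1, "a", Rhs::Call}, {2, "b", Rhs::Null}}, {}},
            Block{{{3, "b", Rhs::Var}}, {0}},
            Block{{}, {0, 1}}};
}

int main() {
    std::printf("foo1 suppress: %d\n", shouldSuppress(buildFoo1(), "b", 1));  // 0: keep the report
    std::printf("foo2 suppress: %d\n", shouldSuppress(buildFoo2(), "b", 2));  // 1: suppress
    return 0;
}
```

In foo1 only one definition of 'b' reaches the check, so the report survives; in foo2 both 'b = nullptr' and 'b = a' reach it, and the plain-null one triggers the suppression. A real implementation would work on the analyzer's CFG and would still have to connect the surviving definitions back to the collapse point on the bug path, which this toy skips.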