<div dir="ltr">Vince and I had a discussion about this in another channel. I am summarizing the relevant information here, so if anybody interested in this mailing list could follow up.<div><br></div><div>This issue seems to be a known problem, i.e we have a <a href="https://clang-analyzer.llvm.org/open_projects.html">technical debt with handling cast</a>s: <br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Track type information through casts more precisely.<br>The DynamicTypePropagation checker is in charge of inferring a region's dynamic type based on what operations the code is performing. Casts are a rich source of type information that the analyzer currently ignores.</blockquote><div><br></div><div>In the DynamicTypePropagation checker's checkPostStmt(CastExpr*) function there is modeling only for some ObjC casts:</div></div><div> const auto *OrigObjectPtrType = OriginType->getAs<ObjCObjectPointerType>();<br> const auto *DestObjectPtrType = DestType->getAs<ObjCObjectPointerType>();<br><br> if (!OrigObjectPtrType || !DestObjectPtrType)<br> return;<br><br>Also, this is really suspicious too:<br> /// TODO: Handle explicit casts.<br> /// Handle C++ casts.<br> ///<br> /// Precondition: the cast is between ObjCObjectPointers. <br> ExplodedNode *DynamicTypePropagation::dynamicTypePropagationOnCasts(<br></div><div><br></div><div>Gabor</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Feb 15, 2020 at 9:56 PM Vince Bridgers via cfe-dev <<a href="mailto:cfe-dev@lists.llvm.org">cfe-dev@lists.llvm.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Hello, I think this case is very similar (if not the same) to case 2 described in this fogbugz case: <a href="https://bugs.llvm.org/show_bug.cgi?id=43364" target="_blank">https://bugs.llvm.org/show_bug.cgi?id=43364</a>. </div><div dir="ltr"><br></div><div>Artem, could you confirm? Any tips on where to get started looking at this one?</div><div dir="ltr"><br></div><div dir="ltr">clang -cc1 -analyze -analyzer-checker=core test.c<br>test.c:13:7: warning: Branch condition evaluates to a garbage value<br> if (p[1])<br> ^~~~<br>1 warning generated.<br><br></div><div dir="ltr"><br></div><div dir="ltr">The reproducer … <br>struct S {<br> unsigned short val;<br>};</div><div dir="ltr">int main(void)<br>{<br> struct S var = { 0x1122 };<br> char *p = (char *)&var;<br> int x = 0;<br> if (p[0])<br> x+=1;<br> if (p[1])<br> x+=1;<br> return x;<br>}<br><br></div><div dir="ltr"><br></div><div dir="ltr"> <br></div></div></div></div></div>
_______________________________________________<br>
cfe-dev mailing list<br>
<a href="mailto:cfe-dev@lists.llvm.org" target="_blank">cfe-dev@lists.llvm.org</a><br>
<a href="https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev" rel="noreferrer" target="_blank">https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev</a><br>
</blockquote></div>