[llvm-bugs] [Bug 4550] track linear constraints

via llvm-bugs llvm-bugs at lists.llvm.org
Fri Nov 13 15:35:07 PST 2015


https://llvm.org/bugs/show_bug.cgi?id=4550

Devin Coughlin <dcoughlin at apple.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
                 CC|                            |dcoughlin at apple.com
            Version|unspecified                 |trunk
         Resolution|FIXED                       |---

--- Comment #5 from Devin Coughlin <dcoughlin at apple.com> ---
Reopening because the static analyzer still does not track linear constraints.

The attached example (reproduced below) no longer shows a false positive in
more recent clangs because the analyzer changed its heuristics about when to
analyze functions at the top level, without context.

With these changed heuristics, the analyzer doesn't analyze msort() as a
top-level function but rather only in context (inlining) for the three calls in
main(). If you were to comment out main, the analysis would analyze msort() at
the top-level (making no assumptions about len) and show the false positive
again: "Dereference of null pointer (loaded from variable 'q')".

#include <stdlib.h>
#include <stdio.h>

static int dummy = 42;

void
msort(int len)
{
  int *p, *q = NULL;
  int half, n;

  if (len <= 1)
    return;

  half = len >> 1;
  p = &dummy;
  for (n = half; --n >= 0; ) {
    q = p;
  }
  printf("%d\n", *q); // <-- False positive here.

}

int
main(int argc, char **argv)
{
  msort(1);
  msort(2);
  msort(3);


  return (0);
}

-- 
You are receiving this mail because:
You are on the CC list for the bug.
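
An added illustration, not part of the original bug comment and not the analyzer's implementation: a simplified interval model of why the zero-iteration path looks feasible when `len >> 1` is treated as unrelated to `len`, and why it becomes infeasible once the bound `len > 1` is carried through the shift. The `range` type and all helper names are hypothetical.

```c
#include <limits.h>
#include <stdio.h>

/* Closed interval [lo, hi] of values an int may hold (constructed toy domain). */
typedef struct { int lo, hi; } range;

/* Narrow r by the branch condition `x > k`; assumes k < INT_MAX. */
static range assume_gt(range r, int k) {
    if (r.lo <= k) r.lo = k + 1;
    return r;
}

/* Opaque model: `len >> 1` yields a value with no known relation to len. */
static range shr1_opaque(range len) {
    (void)len;
    return (range){ INT_MIN, INT_MAX };
}

/* Tracked model: for len >= 0, len >> 1 is monotonic, so the bounds carry over. */
static range shr1_tracked(range len) {
    if (len.lo < 0) return (range){ INT_MIN, INT_MAX };
    return (range){ len.lo >> 1, len.hi >> 1 };
}

/* `for (n = half; --n >= 0; )` skips its body exactly when half <= 0,
   and only then is q still NULL at `*q`. Returns 1 if that path is feasible. */
static int null_path_feasible(int tracked) {
    range len = assume_gt((range){ INT_MIN, INT_MAX }, 1); /* past `if (len <= 1) return;` */
    range half = tracked ? shr1_tracked(len) : shr1_opaque(len);
    return half.lo <= 0;
}

/* Concrete check: how many times msort()'s loop body runs, -1 on early return. */
static int body_runs(int len) {
    int n, runs = 0;
    if (len <= 1) return -1;
    for (n = len >> 1; --n >= 0; ) runs++;
    return runs;
}

int main(void) {
    printf("opaque shift : NULL path feasible = %d\n", null_path_feasible(0));
    printf("tracked shift: NULL path feasible = %d\n", null_path_feasible(1));
    for (int len = 2; len <= 9; len++)
        printf("len=%d body runs %d time(s)\n", len, body_runs(len));
    return 0;
}
```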