[llvm-bugs] [Bug 39978] New: Clang SA false positive with copy after pointer conversion.

via llvm-bugs llvm-bugs at lists.llvm.org
Wed Dec 12 10:08:15 PST 2018


https://bugs.llvm.org/show_bug.cgi?id=39978

            Bug ID: 39978
           Summary: Clang SA false positive with copy after pointer
                    conversion.
           Product: clang
           Version: 4.0
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: Static Analyzer
          Assignee: dcoughlin at apple.com
          Reporter: rvijayc at gmail.com
                CC: dcoughlin at apple.com, llvm-bugs at lists.llvm.org

Created attachment 21215
  --> https://bugs.llvm.org/attachment.cgi?id=21215&action=edit
Example file that demonstrates Clang SA false-positive.

I have the following situation where I am copying from var1 -> var2 (both of
which are structures aligned to word boundaries) by typecasting them to integer
pointers first and copying them as integers (this is for an embedded system
where only word-aligned reads/writes are possible). 

I have example code attached with this bug report (analyzed with Clang 4.0.1).

If I do any of the following:
1. var2 = var1.
2. memcpy(&var2, &var1, sizeof(var_t));
3. copy var1 to var2 field-by-field.

Clang SA considers all fields in var2 to be initialized.

If I copy var1 to var2 by typecasting them to word (uint32) pointers and
copying them as uint32, Clang SA doesn't realize that all the fields in var2
have been written. For example:

  // Method #1: copy var1 -> var2 as a word (sizeof(unsigned int) = 4).
  unsigned int *src = (unsigned int *) &var1;
  unsigned int *dest = (unsigned int *) &var2;
  *dest = *src;

This generates false-positives on subsequent access to fields on var2, where
Clang SA complains that some fields in var2 are used uninitialized.

Please see the output below for the attached code:

$ clang --version
clang version 4.0.0 (tags/RELEASE_401/final)
Target: x86_64-unknown-linux-gnu
Thread model: posix

$ clang -Wall clang_sa.c

$ ./a.out
1, 2, 3
1, 2, 3
sizeof(unsigned int) = 4

$ scan-build clang clang_sa.c
scan-build: Using '<snipped>/clang-4.0' for static analysis
clang_sa.c:33:3: warning: Function call argument is an uninitialized value
  printf("%d, %d, %d\n", var2.f0, var2.f1, var2.f2);  // <--- Function call
argument is an uninitialized value
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
scan-build: 1 bug found.

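A self-contained reconstruction of the word-wise copy the report describes, added here as an example (the attached clang_sa.c is not on this page, so the struct layout, three bit-fields packed into one 4-byte word, is an assumption). It generalizes the single `*dest = *src` to any word-sized struct and adds the compile-time size and alignment checks that make the integer-pointer cast legitimate on a word-access-only target.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed layout (the report's clang_sa.c is not on this page): three
 * bit-fields that pack into exactly one 4-byte word, so a single word copy
 * writes every field, matching the "1, 2, 3" output in the report. */
typedef struct {
    unsigned int f0 : 8;
    unsigned int f1 : 8;
    unsigned int f2 : 16;
} var_t;

/* Treating the struct as unsigned int words is only sound when it is a
 * whole number of words and at least word-aligned; check both at build
 * time so a later change to var_t cannot silently turn the copy into a
 * partial (and then genuinely uninitialized) one. */
_Static_assert(sizeof(var_t) % sizeof(unsigned int) == 0,
               "var_t must be a whole number of words");
_Static_assert(_Alignof(var_t) >= _Alignof(unsigned int),
               "var_t must be word-aligned");

/* General form of the report's "*dest = *src": copy every word of src
 * into dst through unsigned int pointers, as the report does. */
static void word_copy(var_t *dst, const var_t *src) {
    unsigned int *d = (unsigned int *)dst;
    const unsigned int *s = (const unsigned int *)src;
    for (size_t i = 0; i < sizeof(var_t) / sizeof(unsigned int); i++)
        d[i] = s[i];
}

/* Number of words the copy moves; 1 for the assumed layout. */
size_t var_t_words(void) {
    return sizeof(var_t) / sizeof(unsigned int);
}

/* Copies var1 into var2 word-wise and reports whether every field arrived.
 * Returns 1 when var2 equals var1 field by field, 0 otherwise. */
int word_copy_preserves_fields(void) {
    var_t var1 = { 1, 2, 3 };
    var_t var2;
    word_copy(&var2, &var1);
    return var2.f0 == var1.f0 && var2.f1 == var1.f1 && var2.f2 == var1.f2;
}

int main(void) {
    printf("fields preserved: %d\n", word_copy_preserves_fields());
    printf("sizeof(var_t) = %zu, words copied = %zu\n",
           sizeof(var_t), var_t_words());
    return 0;
}
```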