[llvm-bugs] [Bug 39699] New: clang analyzer doesn't consider equality assumption in dataflow

via llvm-bugs llvm-bugs at lists.llvm.org
Sat Nov 17 22:56:27 PST 2018


https://bugs.llvm.org/show_bug.cgi?id=39699

            Bug ID: 39699
           Summary: clang analyzer doesn't consider equality assumption in
                    dataflow
           Product: clang
           Version: 7.0
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P
         Component: C++
          Assignee: unassignedclangbugs at nondot.org
          Reporter: renat at idrisov.info
                CC: blitzrakete at gmail.com, dgregor at apple.com,
                    erik.pilkington at gmail.com, llvm-bugs at lists.llvm.org,
                    richard-llvm at metafoo.co.uk

Created attachment 21127
  --> https://bugs.llvm.org/attachment.cgi?id=21127&action=edit
tidy-minimal.c

Hi all,
if I run the analyzer on the following piece of code with:

$ clang-tidy tidy-minimal.c -checks=* --

The complete code is:

#include <stdio.h>
#include <stdlib.h>

void *something();
void *something_else();

void *subfunction(const char **error, void *ds) {
  void *fs = something_else();

  if (fs == NULL) {
    if (error != NULL) {
      *error = "error";
    }
    if (ds != NULL) { free(ds); }
    return NULL;
  }
  if (ds == fs) {
    return ds;
  }
  if (ds != NULL) { free(ds); }
  ds = fs;
  return ds;
}

void *myfunction(const char **error) {
  void *ds = something();
  ds = subfunction(error, ds);
  return ds;
}

int main() {
  const char *error;
  void *result = myfunction(&error);
  if (result == NULL) {
    printf("Error is %s", error);
  } else {
    free(result);
  }
}


I get:

/.../tidy-minimal/tidy-minimal.c:35:5: warning: 2nd function call argument is
an uninitialized value [clang-analyzer-core.CallAndMessage]
    printf("Error is %s", error);
    ^
/.../tidy-minimal/tidy-minimal.c:32:3: note: 'error' declared without an
initial value
  const char *error;
  ^
/.../tidy-minimal/tidy-minimal.c:33:18: note: Calling 'myfunction'
  void *result = myfunction(&error);
                 ^
/.../tidy-minimal/tidy-minimal.c:27:8: note: Calling 'subfunction'
  ds = subfunction(error, ds);
       ^
/.../tidy-minimal/tidy-minimal.c:10:7: note: Assuming 'fs' is not equal to NULL
  if (fs == NULL) {
      ^
/.../tidy-minimal/tidy-minimal.c:10:3: note: Taking false branch
  if (fs == NULL) {
  ^
/.../tidy-minimal/tidy-minimal.c:17:7: note: Assuming 'ds' is equal to 'fs'
  if (ds == fs) {
      ^
/.../tidy-minimal/tidy-minimal.c:17:3: note: Taking true branch
  if (ds == fs) {
  ^
/.../tidy-minimal/tidy-minimal.c:18:5: note: Returning without writing to
'*error'
    return ds;
    ^
/.../tidy-minimal/tidy-minimal.c:27:8: note: Returning from 'subfunction'
  ds = subfunction(error, ds);
       ^
/.../tidy-minimal/tidy-minimal.c:28:3: note: Returning without writing to
'*error'
  return ds;
  ^
/.../tidy-minimal/tidy-minimal.c:33:18: note: Returning from 'myfunction'
  void *result = myfunction(&error);
                 ^
/.../tidy-minimal/tidy-minimal.c:34:7: note: Assuming 'result' is equal to NULL
  if (result == NULL) {
      ^
/.../tidy-minimal/tidy-minimal.c:34:3: note: Taking true branch
  if (result == NULL) {
  ^
/.../tidy-minimal/tidy-minimal.c:35:5: note: 2nd function call argument is an
uninitialized value
    printf("Error is %s", error);
    ^


The problem I see:
fs is assumed to be not NULL, ds is assumed to be equal to fs, ds is returned, and
the result is then assumed to be NULL, which contradicts fs being not NULL.


Please let me know if a preprocessed version would be helpful.
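As an added illustration, not part of the bug report or of the analyzer's code: a small replay of the path the notes above describe, using a union-find over the symbols fs, ds and result with a NULL / not-NULL fact on each equivalence class. Carrying the equality from the two "return ds;" steps makes "result is NULL" contradict "fs is not NULL", so the path is infeasible; dropping that step reproduces the false positive. The SYM_* names and the PathState helper are my own constructs.

```c
#include <stdbool.h>

/* Symbols for the values the analyzer tracks along the reported path. */
enum { SYM_FS, SYM_DS, SYM_RESULT, SYM_COUNT };

typedef struct {
    int parent[SYM_COUNT];     /* union-find: symbols assumed equal share a root */
    bool not_null[SYM_COUNT];  /* NULL-ness constraints live on the class root */
    bool is_null[SYM_COUNT];
} PathState;

static int find(PathState *s, int x) {    /* follow parent links to the root */
    while (s->parent[x] != x) x = s->parent[x];
    return x;
}

/* Each assume_* returns false when the new fact contradicts the path so far. */
static bool assume_not_null(PathState *s, int x) {
    int r = find(s, x);
    if (s->is_null[r]) return false;
    s->not_null[r] = true;
    return true;
}
static bool assume_null(PathState *s, int x) {
    int r = find(s, x);
    if (s->not_null[r]) return false;
    s->is_null[r] = true;
    return true;
}

static bool assume_equal(PathState *s, int a, int b) {
    int ra = find(s, a), rb = find(s, b);
    if (ra == rb) return true;
    if ((s->not_null[ra] && s->is_null[rb]) || (s->is_null[ra] && s->not_null[rb]))
        return false;
    s->parent[rb] = ra;                 /* merge the classes, keeping both facts */
    s->not_null[ra] |= s->not_null[rb];
    s->is_null[ra] |= s->is_null[rb];
    return true;
}

/* Replays the analyzer's notes. With propagate_equality, the two 'return ds;'
 * steps tie 'result' to 'ds'; without it the final NULL assumption is accepted. */
bool reported_path_feasible(bool propagate_equality) {
    PathState s = { { SYM_FS, SYM_DS, SYM_RESULT }, { false }, { false } };
    if (!assume_not_null(&s, SYM_FS)) return false;      /* fs != NULL */
    if (!assume_equal(&s, SYM_DS, SYM_FS)) return false;  /* ds == fs */
    if (propagate_equality && !assume_equal(&s, SYM_RESULT, SYM_DS)) return false;
    return assume_null(&s, SYM_RESULT);                   /* result == NULL */
}
```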
