[llvm-bugs] [Bug 39134] CSA doesn't show all bugs in function

via llvm-bugs llvm-bugs at lists.llvm.org
Fri Oct 5 20:04:59 PDT 2018 

https://bugs.llvm.org/show_bug.cgi?id=39134

Artem Dergachev <noqnoqneo at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WONTFIX
                 CC|                            |noqnoqneo at gmail.com

--- Comment #1 from Artem Dergachev <noqnoqneo at gmail.com> ---
Behaves correctly, i guess. Static Analyzer tries to prove that bugs can
actually occur when a specific execution path is taken, therefore the second
and the third bug here are treated as unreachable code, because the code above
them already contains undefined behavior. This doesn't prevent the analyzer
from finding any bugs, just delays finding some bugs until the previous bug is
fixed and the code is re-analyzed. A longer reply in
http://lists.llvm.org/pipermail/cfe-dev/2018-September/059552.html

We probably could have continued from the next statement after a UB is found,
in order to reduce the number of times the user has to spend re-running the
analyzer, but this would be very hard to even justify, let alone implement, and
the gain is very minor. Like, after 'free(c)' here, is 'c' freed? If not, maybe
we should diagnose a memory leak? If 'c' is treated as released but read later,
is it a use-after-free? If not, is the value read from it known to be same as
before or not? A checker-specific conservative behavior would need to be chosen
(in this case the correct answer would be to stop tracking the pointer in
MallocChecker and invalidate the contents and the reachable heap). Similar
questions would need to be asked for every checker, i.e. dozens of checkers
would need to be updated to support such restart feature and development of new
checkers would become harder. And even if it's done, in a lot of cases our
users would still eagerly discard newly found bugs as false positives because
they would notice that the bug is found immediately after a UB.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20181006/f86d34e7/attachment.html>

More information about the llvm-bugs mailing list