[llvm-bugs] [Bug 41463] New: false positive: Forming reference to null pointer after dynamic cast to this

via llvm-bugs llvm-bugs at lists.llvm.org
Thu Apr 11 03:33:02 PDT 2019 

https://bugs.llvm.org/show_bug.cgi?id=41463

            Bug ID: 41463
           Summary: false positive: Forming reference to null pointer
                    after dynamic cast to this
           Product: clang
           Version: 8.0
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: Static Analyzer
          Assignee: dcoughlin at apple.com
          Reporter: Burlog at seznam.cz
                CC: dcoughlin at apple.com, llvm-bugs at lists.llvm.org

The code bellow emits this warning:

┣━ /tmp/ ❱ scan-build -o /tmp/report clang++ b.cc
scan-build: Using '/usr/lib64/llvm/8/bin/clang-8' for static analysis
b.cc:24:30: warning: Forming reference to null pointer
    throw std::runtime_error("error type: " + type);
                             ^~~~~~~~~~~~~~~~~~~~~
1 warning generated.
scan-build: 1 bug found.
scan-build: Run 'scan-view /tmp/report/2019-04-11-122032-4644-1' to examine bug
reports.

┣━ /tmp/ ❱ cat b.cc

#include <map>
#include <iostream>
#include <memory>

struct V {
    V(std::string type): type(std::move(type)) {}
    virtual ~V() = default;
    virtual void some_method() = 0;
    template <typename T> T f();
    std::string type;
};

template <typename T>
struct R: public V {
    R(): V("R") {}
    void some_method() override {}
    T value;
};

template <typename T>
T V::f() {
    if (auto *res = dynamic_cast<R<T> *>(this))
        return res->value;
    throw std::runtime_error("error type: " + type);
}

struct C {
    struct E {V *values[2]; bool second_valid;};

    template <typename T>
    T get(const std::string &n) {
        auto ival = map.find(n);
        if (ival == map.end())
            throw std::runtime_error("error name: " + n);
        return ival->second.values[ival->second.second_valid]->f<T>();
    }

    std::map<std::string, E> map;
};

int main(int, char *[]) {
    C c;
    C::E e;
    e.second_valid = false;
    e.values[0] = new R<int>();
    e.values[1] = new R<int>();
    c.map.emplace("r", e);
    std::cerr << c.get<int>("r") << std::endl;
    return EXIT_SUCCESS;
}

When the lines 22 and 23 are removed, the analyzer doesn't report any warning.
It looks like, that dynamic_cast of this confuses the analyzer.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20190411/cbccd0a5/attachment.html>

More information about the llvm-bugs mailing list