<html>
    <head>
      <base href="http://llvm.org/bugs/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW --- - scan-build null dereference false positive"
   href="http://llvm.org/bugs/show_bug.cgi?id=16129">16129</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>scan-build null dereference false positive
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>clang
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>3.2
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Static Analyzer
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>kremenek@apple.com
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>nbowler@draconx.ca
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvmbugs@cs.uiuc.edu
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=10575" name="attach_10575" title="Annotated source file.">attachment 10575</a></span>
Annotated source file.

Consider the following C program (key locations marked in comments):

  #include &lt;stdio.h&gt;
  #include &lt;stdlib.h&gt;

  int main(int argc, char **argv)
  {
      int *x = NULL, n = argc;

      if (!x && !argv[n]) /* (A) */
          return EXIT_FAILURE;

      if (argv[n]) /* (B) */
          ;
      else
          printf("%d\n", *x); /* (C) */

      return EXIT_SUCCESS;
  }

The scan-build report suggests that a NULL pointer dereference is possible by
the following path:

  1: false branch at (A)
  2: false branch at (B)
  3: NULL dereference at (C).

This is clearly a false positive.  By taking the false branch at A, that
implies that at least one of x and argv[n] is non-zero (ignore the fact that
in this test case both values are always zero).  By taking the false branch at
B, this implies that argv[n] is zero.  So given the first 2 decisions, we can
conclude that x must be non-zero at (C), and thus there is no NULL
dereference.</pre>
        </div>
      </p>
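      <p>The path argument in the report can be checked exhaustively. The following is an added example, not part of the original report or of clang: it keeps the branch structure at (A), (B) and (C) but turns x and argv[n] into parameters, assumes argv[n] holds the same value at both reads, and classifies the dereference at (C) instead of executing it. The names walk, classify and count_null_derefs are hypothetical.</p>

```c
#include <stddef.h>
#include <stdio.h>

enum outcome {
    EXIT_AT_A,     /* true branch at (A): early return */
    SKIP_AT_B,     /* true branch at (B): empty statement */
    DEREF_NONNULL, /* reached (C) with x != NULL */
    DEREF_NULL     /* reached (C) with x == NULL: the reported path */
};

/* Same branches as the report's main(); x and argv[n] are parameters here. */
static enum outcome walk(const int *x, const char *arg)
{
    if (!x && !arg) /* (A) */
        return EXIT_AT_A;
    if (arg)        /* (B) */
        return SKIP_AT_B;
    return x ? DEREF_NONNULL : DEREF_NULL; /* (C) */
}

/* Build constructed pointer values for one null/non-null combination. */
static enum outcome classify(int x_is_null, int arg_is_null)
{
    static const int value = 42;     /* constructed target for x */
    static const char str[] = "arg"; /* constructed argv[n] value */
    return walk(x_is_null ? NULL : &value, arg_is_null ? NULL : str);
}

/* Count the input combinations that reach (C) with x == NULL. */
static int count_null_derefs(void)
{
    int hits = 0;
    for (int xn = 0; xn <= 1; xn++)
        for (int an = 0; an <= 1; an++)
            if (classify(xn, an) == DEREF_NULL)
                hits++;
    return hits;
}

int main(void)
{
    static const char *names[] = { "exit at (A)", "skip at (B)",
                                   "(C), x non-NULL", "(C), x NULL" };
    for (int xn = 0; xn <= 1; xn++)
        for (int an = 0; an <= 1; an++)
            printf("x %s, argv[n] %s: %s\n", xn ? "NULL" : "set",
                   an ? "NULL" : "set", names[classify(xn, an)]);
    printf("paths reaching (C) with x == NULL: %d\n", count_null_derefs());
    return 0;
}
```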
    </body>
</html>