<html>
    <head>
      <base href="http://llvm.org/bugs/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW --- - Static analyzer fails to detect pointer escape"
   href="http://llvm.org/bugs/show_bug.cgi?id=16629">16629</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Static analyzer fails to detect pointer escape
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>clang
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>trunk
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Static Analyzer
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>kremenek@apple.com
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>labath@google.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>klimek@google.com, llvmbugs@cs.uiuc.edu
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr></table>
      <p>
        <div>
        <pre>$ cat a.cc
struct A {
  explicit A(int* p) : p_(p) {}
  int* p_;
};

void escape(const A*[]);
void foo(int);

void f(const A& a) {
  const A* args[] = { &a };
  escape(args); // pointer to x escapes here
}

void g() {
  int x;
  f(A(&x));
  foo(x); // "uninitialized" warning should not be reported
}
$ clang --analyze a.cc
a.cc:17:3: warning: Function call argument is an uninitialized value
  foo(x); // "uninitialized" warning should not be reported
  ^~~~~~
1 warning generated.
--------
When analyzing the code above, the static analyzer fails to detect the escape
of the pointer to local variable x. Therefore, it thinks the variable is still
uninitialized and reports the false warning.

My investigation yielded a couple of interesting remarks:
- If I use a local variable of type A instead of a temporary as a parameter to
f, the warning goes away.
- If I do escape(a) in f, the warning also goes away.</pre>
        </div>
      </p>
    </body>
</html>