<html>
    <head>
      <base href="https://llvm.org/bugs/" />
    </head>
    <body><span class="vcard"><a class="email" href="mailto:dcoughlin@apple.com" title="Devin Coughlin <dcoughlin@apple.com>"> <span class="fn">Devin Coughlin</span></a>
</span> changed
              <a class="bz_bug_link 
          bz_status_REOPENED "
   title="REOPENED --- - track linear constraints"
   href="https://llvm.org/bugs/show_bug.cgi?id=4550">bug 4550</a>
        <br>
             <table border="1" cellspacing="0" cellpadding="8">
          <tr>
            <th>What</th>
            <th>Removed</th>
            <th>Added</th>
          </tr>

         <tr>
           <td style="text-align:right;">Status</td>
           <td>RESOLVED
           </td>
           <td>REOPENED
           </td>
         </tr>

         <tr>
           <td style="text-align:right;">CC</td>
           <td>
                
           </td>
           <td>dcoughlin@apple.com
           </td>
         </tr>

         <tr>
           <td style="text-align:right;">Version</td>
           <td>unspecified
           </td>
           <td>trunk
           </td>
         </tr>

         <tr>
           <td style="text-align:right;">Resolution</td>
           <td>FIXED
           </td>
           <td>---
           </td>
         </tr></table>
      <p>
        <div>
            <b><a class="bz_bug_link 
          bz_status_REOPENED "
   title="REOPENED --- - track linear constraints"
   href="https://llvm.org/bugs/show_bug.cgi?id=4550#c5">Comment # 5</a>
              on <a class="bz_bug_link 
          bz_status_REOPENED "
   title="REOPENED --- - track linear constraints"
   href="https://llvm.org/bugs/show_bug.cgi?id=4550">bug 4550</a>
              from <span class="vcard"><a class="email" href="mailto:dcoughlin@apple.com" title="Devin Coughlin <dcoughlin@apple.com>"> <span class="fn">Devin Coughlin</span></a>
</span></b>
        <pre>Reopening because the static analyzer still does not track linear constraints.

The attached example (reproduced below) no longer shows a false positive in
more recent clangs because the analyzer changed its heuristics about when to
analyze functions at the top level, without context.

With these changed heuristics, the analyzer doesn't analyze msort() as a
top-level function but rather only in context (inlining) for the three calls in
main(). If you were to comment out main, the analysis would analyze msort() at
the top-level (making no assumptions about len) and show the false positive
again: "Dereference of null pointer (loaded from variable 'q')".

#include <stdlib.h>
#include <stdio.h>

static int dummy = 42;

void
msort(int len)
{
  int *p, *q = NULL;
  int half, n;

  if (len <= 1)
    return;

  half = len >> 1;
  p = &dummy;
  for (n = half; --n >= 0; ) {
    q = p;
  }
  printf("%d\n", *q); // <-- False positive here.

}

int
main(int argc, char **argv)
{
  msort(1);
  msort(2);
  msort(3);


  return (0);
}</pre>
        </div>
      </p>
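<p>An added example (not from the bug report or from clang itself) that keeps the reporter's control flow but turns the question behind the warning into something checkable: whether <code>q</code> can still be <code>NULL</code> at the dereference once <code>len &gt; 1</code> is known. The function names, the exhaustive range check and the rewritten variant are assumptions of this example.</p>

```c
#include <stddef.h>

/* Added example, not the bug's code: same shape as the reporter's msort(),
   but returns whether q would be NULL at the dereference instead of
   dereferencing it. Returns -1 on the early return, 1 if q stayed NULL,
   0 if the loop body ran and q is non-null. */
static int dummy = 42;

int msort_q_is_null(int len)
{
    int *p, *q = NULL;
    int half, n;

    if (len <= 1)
        return -1;          /* early return: nothing is dereferenced */

    half = len >> 1;        /* the linear constraint: len >= 2 implies half >= 1 */
    p = &dummy;
    for (n = half; --n >= 0; )
        q = p;              /* runs exactly `half` times, so at least once */

    return q == NULL;
}

/* Exhaustive check over [lo, hi] that no len reaches the dereference with
   q == NULL. Returns the first offending len, or 0 if there is none. This is
   the fact the analyzer would need to derive symbolically from len > 1. */
int first_len_with_null_q(int lo, int hi)
{
    for (int len = lo; len <= hi; len++)
        if (msort_q_is_null(len) == 1)
            return len;
    return 0;
}

/* Constraint-free restructuring (assumed variant): establish q before the
   loop so the dereference is provably safe without reasoning about loop
   entry. Returns the dereferenced value. */
int msort_safe_value(int len)
{
    int *p = &dummy, *q;
    int half, n;

    if (len <= 1)
        return 0;
    half = len >> 1;
    q = p;                  /* assigned unconditionally, not only inside the loop */
    for (n = half; --n >= 0; )
        q = p;
    return *q;
}
```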
      <hr>
      <span>You are receiving this mail because:</span>
      
      <ul>
          <li>You are on the CC list for the bug.</li>
      </ul>
    </body>
</html>