<html>
    <head>
      <base href="https://llvm.org/bugs/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW --- - static analyzer false positives due to pointer cast"
   href="https://llvm.org/bugs/show_bug.cgi?id=26902">26902</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>static analyzer false positives due to pointer cast
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>clang
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>trunk
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Static Analyzer
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>kremenek@apple.com
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>nlewycky@google.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr></table>
      <p>
        <div>
        <pre>This testcase is plain C code:

  typedef struct Packet_s {
    unsigned char lefthanded;
  } Packet;

  int test(const unsigned char *payload) {
    Packet *packet = (Packet*)payload;
    if (packet->lefthanded)
      return 1;
    return 0;
  }

I'm running 'clang_tidy -checks=* tc.c --' to exercise the static analyzer. The
first statement warning is a false positive:

/usr/local/google/home/nlewycky/tc.c:6:20: warning: Casting a non-structure
type to a structure type and accessing a field can lead to memory access errors
or data corruption [clang-analyzer-alpha.core.CastToStruct]
  Packet *packet = (Packet*)payload;
                   ^

That's true in the general case, but not in the specific case of a struct with
a single unsigned char. This isn't even an ABI guarantee; the standard, I
think, promises that this is safe.

Since it doesn't understand 'packet', it treats the conditional on the member
in a really bad way:

/usr/local/google/home/nlewycky/tc.c:8:12: warning: This statement is never
executed [clang-analyzer-alpha.deadcode.UnreachableCode]
    return 1;
           ^
/usr/local/google/home/nlewycky/tc.c:8:12: note: This statement is never
executed
    return 1;
           ^
/usr/local/google/home/nlewycky/tc.c:9:10: warning: This statement is never
executed [clang-analyzer-alpha.deadcode.UnreachableCode]
  return 0;
         ^
/usr/local/google/home/nlewycky/tc.c:9:10: note: This statement is never
executed
  return 0;
         ^

I don't really understand the chain of logic that led to both of these reports.
It would make sense to treat 'packet' as containing opaque data after a bad
cast, rather than toxic.</pre>
        </div>
      </p>
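      <p>Added example, not part of the original report and not LLVM code: the layout properties the report relies on, checked at compile time, next to a copy-based parse that avoids the struct pointer cast. The names packet_parse, test_checked and test_cast and the explicit length parameter are hypothetical; a size and alignment of 1 for Packet are assumptions about the target ABI that the static assertions verify.</p>

```c
#include <stddef.h>
#include <string.h>

/* Same layout as the Packet in the report. */
typedef struct Packet_s {
  unsigned char lefthanded;
} Packet;

/* C guarantees no padding before the first member, so offset 0 always holds.
   Size 1 and alignment 1 are ABI assumptions; the build fails if they do not hold. */
_Static_assert(offsetof(Packet, lefthanded) == 0, "first member must sit at offset 0");
_Static_assert(sizeof(Packet) == 1, "Packet must have no trailing padding");
_Static_assert(_Alignof(Packet) == 1, "Packet must not need more than byte alignment");

/* Hypothetical helper: copy the header out of the buffer instead of casting.
   Returns 0 on success, -1 on a NULL argument or a buffer shorter than a Packet. */
int packet_parse(const unsigned char *payload, size_t len, Packet *out) {
  if (payload == NULL || out == NULL || len < sizeof(Packet))
    return -1;
  memcpy(out, payload, sizeof *out);
  return 0;
}

/* Copy-based variant of the report's test(): 1 or 0 for a valid buffer,
   -1 when the buffer cannot hold a Packet. */
int test_checked(const unsigned char *payload, size_t len) {
  Packet packet;
  if (packet_parse(payload, len, &packet) != 0)
    return -1;
  return packet.lefthanded ? 1 : 0;
}

/* The cast-based form from the report, kept for comparison. The member is
   read through an unsigned char lvalue, so the access itself is permitted. */
int test_cast(const unsigned char *payload) {
  const Packet *packet = (const Packet *)payload;
  return packet->lefthanded ? 1 : 0;
}
```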
    </body>
</html>