<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - scan-build reports false positive nullptr dereference because it apparently incorrectly tracks properties of std::initializer_list as argument of a constructor"
href="https://bugs.llvm.org/show_bug.cgi?id=39042">39042</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>scan-build reports false positive nullptr dereference because it apparently incorrectly tracks properties of std::initializer_list as argument of a constructor
</td>
</tr>
<tr>
<th>Product</th>
<td>clang
</td>
</tr>
<tr>
<th>Version</th>
<td>7.0
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>Static Analyzer
</td>
</tr>
<tr>
<th>Assignee</th>
<td>dcoughlin@apple.com
</td>
</tr>
<tr>
<th>Reporter</th>
<td>thomas.ullmann@mpibpc.mpg.de
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=20908" name="attach_20908" title="The full source and output of scan-build including the html-output">attachment 20908</a> <a href="attachment.cgi?id=20908&action=edit" title="The full source and output of scan-build including the html-output">[details]</a></span>
The full source and output of scan-build including the html-output

I encountered false positive reports of nullptr dereferences
when constructing objects from std::initializer_list and storing
information from the initializer lists in member arrays. The
actual problem occurred with nested initializer lists, but I
could reproduce the problem also with a simple 1D case:

/*---------------------------------------------------------
 The test program
-----------------------------------------------------------*/
#include &lt;memory&gt;
#include &lt;initializer_list&gt;
#include &lt;iostream&gt;

class TestClass
{
public:
    size_t* ptr_;

    TestClass() : ptr_(nullptr) {}

    TestClass(const std::initializer_list&lt;size_t&gt; &amp;ini)
        : TestClass()
    {
        // check whether the list contains elements
        // The scan-build HTML-report wrongly suggests
        // that this condition is true and that the constructor
        // returns from here resulting in no change to ptr_.
        if (ini.size() == 0)
        {
            return;
        }

        // save the number of elements in *ptr_
        // The program actually arrives here as it should.
        ptr_ = new size_t;
        *ptr_ = ini.size();
    }

    ~TestClass() { delete ptr_; }
};

int main ()
{
    // Scan-build doesn't recognize that testObj.ptr_ is not nullptr
    // after constructing the object from the initializer list.
    TestClass testObj =
    {
        1,
    };

    // This correctly outputs 1, and the program also gives no errors
    // when checked with valgrind. However, scan-build reports a
    // nullptr dereference.
    std::cout &lt;&lt; "*testObj.ptr_ = " &lt;&lt; *testObj.ptr_ &lt;&lt; std::endl;

    return 0;
}</pre>
</div>
</p>
</body>
</html>