<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - clang analyzer doesn't consider equality assumption in dataflow"
href="https://bugs.llvm.org/show_bug.cgi?id=39699">39699</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>clang analyzer doesn't consider equality assumption in dataflow
</td>
</tr>
<tr>
<th>Product</th>
<td>clang
</td>
</tr>
<tr>
<th>Version</th>
<td>7.0
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>C++
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedclangbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>renat@idrisov.info
</td>
</tr>
<tr>
<th>CC</th>
<td>blitzrakete@gmail.com, dgregor@apple.com, erik.pilkington@gmail.com, llvm-bugs@lists.llvm.org, richard-llvm@metafoo.co.uk
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=21127" name="attach_21127" title="tidy-minimal.c">attachment 21127</a></span>
tidy-minimal.c
Hi all,
If I run the analyzer on the following piece of code with:
$ clang-tidy tidy-minimal.c -checks=* --
The complete code is:
#include <stdio.h>
#include <stdlib.h>

void *something();
void *something_else();

void *subfunction(const char **error, void *ds) {
  void *fs = something_else();

  if (fs == NULL) {
    if (error != NULL) {
      *error = "error";
    }
    if (ds != NULL) { free(ds); }
    return NULL;
  }
  if (ds == fs) {
    return ds;
  }
  if (ds != NULL) { free(ds); }
  ds = fs;
  return ds;
}

void *myfunction(const char **error) {
  void *ds = something();
  ds = subfunction(error, ds);
  return ds;
}

int main() {
  const char *error;
  void *result = myfunction(&error);
  if (result == NULL) {
    printf("Error is %s", error);
  } else {
    free(result);
  }
}
I get:
/.../tidy-minimal/tidy-minimal.c:35:5: warning: 2nd function call argument is
an uninitialized value [clang-analyzer-core.CallAndMessage]
printf("Error is %s", error);
^
/.../tidy-minimal/tidy-minimal.c:32:3: note: 'error' declared without an
initial value
const char *error;
^
/.../tidy-minimal/tidy-minimal.c:33:18: note: Calling 'myfunction'
void *result = myfunction(&error);
^
/.../tidy-minimal/tidy-minimal.c:27:8: note: Calling 'subfunction'
ds = subfunction(error, ds);
^
/.../tidy-minimal/tidy-minimal.c:10:7: note: Assuming 'fs' is not equal to NULL
if (fs == NULL) {
^
/.../tidy-minimal/tidy-minimal.c:10:3: note: Taking false branch
if (fs == NULL) {
^
/.../tidy-minimal/tidy-minimal.c:17:7: note: Assuming 'ds' is equal to 'fs'
if (ds == fs) {
^
/.../tidy-minimal/tidy-minimal.c:17:3: note: Taking true branch
if (ds == fs) {
^
/.../tidy-minimal/tidy-minimal.c:18:5: note: Returning without writing to
'*error'
return ds;
^
/.../tidy-minimal/tidy-minimal.c:27:8: note: Returning from 'subfunction'
ds = subfunction(error, ds);
^
/.../tidy-minimal/tidy-minimal.c:28:3: note: Returning without writing to
'*error'
return ds;
^
/.../tidy-minimal/tidy-minimal.c:33:18: note: Returning from 'myfunction'
void *result = myfunction(&error);
^
/.../tidy-minimal/tidy-minimal.c:34:7: note: Assuming 'result' is equal to NULL
if (result == NULL) {
^
/.../tidy-minimal/tidy-minimal.c:34:3: note: Taking true branch
if (result == NULL) {
^
/.../tidy-minimal/tidy-minimal.c:35:5: note: 2nd function call argument is an
uninitialized value
printf("Error is %s", error);
^
The problem I see:
fs is assumed to be not NULL, ds is assumed to be equal to fs, ds is returned, and the
result is assumed to be NULL, which contradicts fs being not NULL.
Please let me know if a preprocessed version would be helpful.</pre>
</div>
</p>
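<p>The contradiction described in the report can be checked mechanically from the three assumptions in the trace. The following C program is an added example, not code from the report or from clang: the names <code>path_feasible</code>, <code>reported_path</code> and <code>track_sym_eq</code> are hypothetical, and the mode that drops symbol-to-symbol equalities is a simplified model assumed here for illustration, not the analyzer's actual implementation.</p>

```c
#include <stdio.h>

/* Symbols appearing in the reported path; NULLC stands for the constant NULL. */
enum { NULLC, FS, DS, NSYM };

struct constraint { int lhs, rhs, equal; };  /* equal: 1 is ==, 0 is != */

static int parent[NSYM];

static int find(int x) {
    while (parent[x] != x) x = parent[x];
    return x;
}

/* Returns 1 if the constraints can all hold, 0 if they contradict.
 * track_sym_eq = 0 is a simplified model (an assumption, not the analyzer's
 * real code) that keeps only symbol-vs-constant facts. */
int path_feasible(const struct constraint *c, int n, int track_sym_eq) {
    for (int i = 0; i < NSYM; i++) parent[i] = i;
    /* Pass 1: merge equivalence classes for every kept equality. */
    for (int i = 0; i < n; i++) {
        int sym_sym = c[i].lhs != NULLC && c[i].rhs != NULLC;
        if (c[i].equal && (track_sym_eq || !sym_sym))
            parent[find(c[i].lhs)] = find(c[i].rhs);
    }
    /* Pass 2: a disequality inside one class is a contradiction. */
    for (int i = 0; i < n; i++)
        if (!c[i].equal && find(c[i].lhs) == find(c[i].rhs))
            return 0;
    return 1;
}

/* Constraints read off the trace; `result` carries the value of `ds`. */
const struct constraint reported_path[] = {
    { FS, NULLC, 0 },  /* line 10: Assuming 'fs' is not equal to NULL */
    { DS, FS,    1 },  /* line 17: Assuming 'ds' is equal to 'fs'     */
    { DS, NULLC, 1 },  /* line 34: Assuming 'result' is equal to NULL */
};

int main(void) {
    printf("without symbol equalities: %s\n",
           path_feasible(reported_path, 3, 0) ? "feasible" : "infeasible");
    printf("with symbol equalities:    %s\n",
           path_feasible(reported_path, 3, 1) ? "feasible" : "infeasible");
    return 0;
}
```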
</body>
</html>