<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Loss of array extent in type punning triggers two incorrect analyzer core warnings"
href="https://bugs.llvm.org/show_bug.cgi?id=50604">50604</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Loss of array extent in type punning triggers two incorrect analyzer core warnings
</td>
</tr>
<tr>
<th>Product</th>
<td>clang
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>Static Analyzer
</td>
</tr>
<tr>
<th>Assignee</th>
<td>dcoughlin@apple.com
</td>
</tr>
<tr>
<th>Reporter</th>
<td>chris.hamilton@ericsson.com
</td>
</tr>
<tr>
<th>CC</th>
<td>dcoughlin@apple.com, llvm-bugs@lists.llvm.org
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=24916" name="attach_24916" title="Small reproducer">attachment 24916</a> <a href="attachment.cgi?id=24916&action=edit" title="Small reproducer">[details]</a></span>
Small reproducer
After commit b30521c28a4d, we started seeing two false-positive static analyzer
warnings. Small reproducer (also attached):
eahcmrh@seroius03977[19:32][repo/eahcmrh/nrbbphy]$ cat reproducer.c
int sim_printf(const char*, ...);
static const unsigned RV[1][5] = {{1,2,3,4,5}, };

void clang_analyzer_dump(void*);
void clang_analyzer_printState();

void bar() {
  const unsigned* rvp = &(RV[0][0]);
  clang_analyzer_dump(rvp);
  clang_analyzer_dump(&(RV[0][0]));
  sim_printf("%u", rvp[4]);
}

unsigned *foo(unsigned * buf_p) {
  const unsigned* rvp = &(RV[0][0]);
  return buf_p + rvp[4];
}
I added clang_analyzer_* calls in hopes of spotlighting the root cause for
those who understand this code better than myself. Here's the output with
commit b30521c28a4d:
bash> clang -Xanalyzer -analyzer-werror --analyze reproducer.c
reproducer.c:11:3: error: 2nd function call argument is an uninitialized value [core.CallAndMessage]
  sim_printf("%u", rvp[4]);
  ^~~~~~~~~~~~~~~~~~~~~~~~
reproducer.c:16:16: error: The right operand of '+' is a garbage value [core.UndefinedBinaryOperatorResult]
  return buf_p + rvp[4];
               ^ ~~~~~~
2 errors generated.
Enabling the clang_analyzer_* debug output gives:
bash> clang -Xanalyzer -analyzer-werror -Xanalyzer -analyzer-checker=debug.ExprInspection --analyze reproducer.c
reproducer.c:9:3: error: &Element{RV,0 S64b,unsigned int} [debug.ExprInspection]
  clang_analyzer_dump(rvp);
  ^~~~~~~~~~~~~~~~~~~~~~~~
reproducer.c:10:3: error: &Element{Element{RV,0 S64b,unsigned int [5]},0 S64b,unsigned int} [debug.ExprInspection]
  clang_analyzer_dump(&(RV[0][0]));
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
reproducer.c:11:3: error: 2nd function call argument is an uninitialized value [core.CallAndMessage]
  sim_printf("%u", rvp[4]);
  ^~~~~~~~~~~~~~~~~~~~~~~~
reproducer.c:16:16: error: The right operand of '+' is a garbage value [core.UndefinedBinaryOperatorResult]
  return buf_p + rvp[4];
               ^ ~~~~~~
4 errors generated.
Note that the 'rvp' expression has lost extent information (unsigned int [5])
in this output, while the expression it was assigned from still has this info.
For contrast, here's the output with debug dumps enabled from a build without
commit b30521c28a4d:
bash> clang -Xanalyzer -analyzer-werror -Xanalyzer -analyzer-checker=debug.ExprInspection --analyze reproducer.c
reproducer.c:9:3: error: &Element{Element{RV,0 S64b,unsigned int [5]},0 S64b,unsigned int} [debug.ExprInspection]
  clang_analyzer_dump(rvp);
  ^~~~~~~~~~~~~~~~~~~~~~~~
reproducer.c:10:3: error: &Element{Element{RV,0 S64b,unsigned int [5]},0 S64b,unsigned int} [debug.ExprInspection]
  clang_analyzer_dump(&(RV[0][0]));
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2 errors generated.</pre>
</div>
</p>
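<p>As an added illustration, not part of the bug report and not clang's own code, the following C program makes explicit the two extents that the ExprInspection dumps in the report distinguish for a pointer taken as &(RV[0][0]): the five-element row RV[0] it points into, and the whole object RV. The table is constructed here with the same shape and contents as the reporter's RV; the helper names elems_left_in_row, elems_left_in_object, index_in_row and read_rvp4 are this example's own and appear nowhere in the report. Compiled and run normally, the flagged access rvp[4] is an in-bounds read of the initialised constant RV[0][4], consistent with the reporter's assessment that the two core warnings are false positives.</p>
<pre>
```c
/* Added example (not from the bug report or from clang): the two extents
 * a pointer into a nested constant array can be measured against.
 * Written without #include so it compiles as a plain translation unit. */

/* Constructed table with the same shape and contents as the reporter's RV. */
static const unsigned RV[1][5] = {{1, 2, 3, 4, 5}};

/* Elements readable from p before the end of row RV[row]. This is the
 * extent the analyzer still records when the region is dumped as
 * Element{Element{RV,0 S64b,unsigned int [5]},0 S64b,unsigned int}. */
unsigned long elems_left_in_row(const unsigned *p, unsigned long row)
{
    const unsigned *row_end = RV[row] + sizeof RV[row] / sizeof RV[row][0];
    return (unsigned long)(row_end - p);
}

/* Elements readable from p before the end of the whole object RV. The end
 * pointer is formed through a char pointer so the arithmetic is measured
 * over the complete object rather than over one row. */
unsigned long elems_left_in_object(const unsigned *p)
{
    const unsigned *obj_end = (const unsigned *)((const char *)RV + sizeof RV);
    return (unsigned long)(obj_end - p);
}

/* 1 if p[idx] stays inside row RV[row], 0 otherwise. */
int index_in_row(const unsigned *p, unsigned long idx, unsigned long row)
{
    return idx < elems_left_in_row(p, row);
}

/* The access the report's diagnostics point at: same pointer, same index.
 * Returns RV[0][4] when the index is within the row, 0 otherwise. */
unsigned read_rvp4(void)
{
    const unsigned *rvp = &RV[0][0];
    return index_in_row(rvp, 4, 0) ? rvp[4] : 0u;
}
```
</pre>
<p>For the one-row table in the report both extents agree (five elements from &RV[0][0]), so any checker that reasons about bounds has the same answer whichever region it keeps; the difference only becomes visible when the row extent is dropped and the pointer is treated as an element of RV itself, which is the shape of the first dump after commit b30521c28a4d.</p>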
</body>
</html>