<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/59964>59964</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
CSA RecursionChecker has false negative for ` for (;;) if (a() <= 0) { ...`
</td>
</tr>
<tr>
<th>Labels</th>
<td>
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
Geoffrey1014
</td>
</tr>
</table>
<pre>
Hi, I found a problem that CSA RecursionChecker has false negative for ` for (;;) if (a() <= 0) { ...`.
https://godbolt.org/z/57EGG8sYK
I think CSA should not makes the assumption that `a() <= 0` could be true.
And, GCC Static Analyzer does not make the assumption and reports `[-Wanalyzer-infinite-recursion]`.
https://godbolt.org/z/79789dKec
Compilation optons: --analyze -Xclang -analyzer-stats -Xclang -analyzer-checker=core,alpha.security.taint,debug.ExprInspection,debug.TaintTest
Input:
```c
#include "stdio.h"
#include <stdint.h>
#include <stdbool.h>
void clang_analyzer_eval(int){}
uint16_t a() {
for (;;)
if (a() <= 0) {
clang_analyzer_eval((a() <= 0)==true);
clang_analyzer_eval(((a())<(0))||((a())==(0)));
clang_analyzer_eval(((a())+0)<=((0)+0));
clang_analyzer_eval(((a())+0)<=((0)+1));
clang_analyzer_eval(((a())+1)<=((0)+1));
clang_analyzer_eval(((a())+0)<=((0)+2));
clang_analyzer_eval(((a())+1)<=((0)+2));
clang_analyzer_eval(((a())+2)<=((0)+2));
clang_analyzer_eval(((a())-0)<=((0)-0));
clang_analyzer_eval((!(a() <= 0))==false);
clang_analyzer_eval((((a())>=(0))&&((a())!=(0)))==false);
clang_analyzer_eval(true);
;
}
return 2;
}
```
Output:
```bash
<source>:9:7: warning: FALSE [debug.ExprInspection]
clang_analyzer_eval((a() <= 0)==true);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:9:7: warning: TRUE [debug.ExprInspection]
clang_analyzer_eval((a() <= 0)==true);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:10:7: warning: FALSE [debug.ExprInspection]
clang_analyzer_eval(((a())<(0))||((a())==(0)));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:10:7: warning: TRUE [debug.ExprInspection]
clang_analyzer_eval(((a())<(0))||((a())==(0)));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:11:7: warning: FALSE [debug.ExprInspection]
clang_analyzer_eval(((a())+0)<=((0)+0));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:11:7: warning: TRUE [debug.ExprInspection]
clang_analyzer_eval(((a())+0)<=((0)+0));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:12:7: warning: FALSE [debug.ExprInspection]
clang_analyzer_eval(((a())+0)<=((0)+1));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:12:7: warning: TRUE [debug.ExprInspection]
clang_analyzer_eval(((a())+0)<=((0)+1));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:13:7: warning: FALSE [debug.ExprInspection]
clang_analyzer_eval(((a())+1)<=((0)+1));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:13:7: warning: TRUE [debug.ExprInspection]
clang_analyzer_eval(((a())+1)<=((0)+1));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:14:7: warning: FALSE [debug.ExprInspection]
clang_analyzer_eval(((a())+0)<=((0)+2));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:14:7: warning: TRUE [debug.ExprInspection]
clang_analyzer_eval(((a())+0)<=((0)+2));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:15:7: warning: FALSE [debug.ExprInspection]
clang_analyzer_eval(((a())+1)<=((0)+2));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:15:7: warning: TRUE [debug.ExprInspection]
clang_analyzer_eval(((a())+1)<=((0)+2));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:16:7: warning: FALSE [debug.ExprInspection]
clang_analyzer_eval(((a())+2)<=((0)+2));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:16:7: warning: TRUE [debug.ExprInspection]
clang_analyzer_eval(((a())+2)<=((0)+2));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:17:7: warning: FALSE [debug.ExprInspection]
clang_analyzer_eval(((a())-0)<=((0)-0));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:17:7: warning: TRUE [debug.ExprInspection]
clang_analyzer_eval(((a())-0)<=((0)-0));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:18:7: warning: FALSE [debug.ExprInspection]
clang_analyzer_eval((!(a() <= 0))==false);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:18:7: warning: TRUE [debug.ExprInspection]
clang_analyzer_eval((!(a() <= 0))==false);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:19:7: warning: FALSE [debug.ExprInspection]
clang_analyzer_eval((((a())>=(0))&&((a())!=(0)))==false);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:19:7: warning: TRUE [debug.ExprInspection]
clang_analyzer_eval((((a())>=(0))&&((a())!=(0)))==false);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:20:7: warning: TRUE [debug.ExprInspection]
clang_analyzer_eval(true);
^~~~~~~~~~~~~~~~~~~~~~~~~
===-------------------------------------------------------------------------===
Analyzer timers
===-------------------------------------------------------------------------===
Total Execution Time: 0.0641 seconds (0.1070 wall clock)
---User Time--- --System Time-- --User+System-- ---Wall Time--- --- Name ---
0.0550 ( 87.0%) 0.0003 ( 35.9%) 0.0553 ( 86.3%) 0.0907 ( 84.7%) Path exploration time
0.0082 ( 12.9%) 0.0002 ( 21.6%) 0.0083 ( 13.0%) 0.0123 ( 11.5%) Path-sensitive report post-processing time
0.0001 ( 0.1%) 0.0003 ( 42.5%) 0.0004 ( 0.7%) 0.0040 ( 3.8%) Syntax-based analysis time
0.0633 (100.0%) 0.0008 (100.0%) 0.0641 (100.0%) 0.1070 (100.0%) Total
23 warnings generated.
Compiler returned: 0
```
</pre>
<img width="1px" height="1px" alt="" src="http://email.email.llvm.org/o/eJzUWV9v4roS_zTmxYrl2CQhDzzwt7faq3uvtl3tPU8rJzHEp8FGttNt9-F89iM7hFKge1IWqDaKgPzszMxvZjwkHmaMWErOhyAag2jaY7UtlR7ecLVYaP4c4rDfy1TxPPyXAGQCb-FC1bKADK61yiq-grZkFk7uRvAzz2tthJKTkucPXMOSGbhgleFQ8iWz4pHDhdIQxLj5JgNAx-4kKRQLd80cRlII6ATQKcT-dzKGCCEQYwTwFOBRae3aADoCZA7IfKmKTFUWKb0EZP4DkHmUzG5uBuaPT8305vMW2lLIB2-oKVVdFVAqC1fsgRtoSw6ZMfVqbYWSDSMQ4wNrYgxzf2vGodU1R3BXxUgWzkM3kwm8s8yKHI4kq55_cA0Lxc1W3746Jguo-Vppa5xWEI2Dr2xzZyDkQkhheaBb74Jo6nwBuzkjSZNBWnzi-a6lE7Vai4p57WptlXQSYBBstMLg_3nF5BIGWzOMZdZAdxyO5U24AZ3mSnNAJqxalwwZZ7Cwz8gyIS0gk4Jn9RLNntb6Vpo1z536LXzvJt1zY1-59Faua-vYNViMm7MlQ6iQeVUXHAJCjC2EQiUg5HCUTtyotKgEdPbGcKZUtTP-qEQBPdVvLdNv_JFVgAw8nRQkY5BMd62thbRh_M3CbeIk42YEHiR8i8OfZ_7LNPiGMcfvBXQK6NTlqL9o5bwp4kWKnz8BZIA3F8nEnQdTnPydWSdoIWO8UeYlbYWN8bkFhicLDM8t8A0LybktPF0gOavA4Bjh4CDCP09wQMI30rzNRP8309m8vVSe7aVy7M99x4SHCf8ezQdr0R-vLrflRHNbawnJdvSl0LQlcLfu_Le2R8tkxky5gejEqFrn3JMdpYCOElfyvzMthVy6n_PRv-9mEETjo2U6mp65EoFo9leHo7P595-__CbWh_h071-nfndkdwLNblH6nViGFw9m97_Jzoy6UznHsvogOuRSRe7Uh44L8LlieM5Nh14rPF0f4S7A5xLhuRKd_gevnoPHzQvwueLqOTed6INXzzX4XHH1nJtOfK3wdH1ZuwCfS4TnSnSSq4Sn46vvBbicPTTXoTK4XFjev3_wjteD7mzOE5gPIPMLOwYftxHz3je8U5zw62-0v5UPyOlv9T_J6vfsr7RmTZszONexlbgxYdu7sWLFtbmW2ntlWQVnTzyvfXvmXqy48zFGOO6H0PBcycJAF3sU4gTD76yqYF6p_AG0XYWtw4Mg-GK49kKCIPDI3bOxfLWBPOKmADJuBjZY8NWJ3d7nPv7DVtz92ErHCEcRdqbAQYIwIJErSB7HmHqcRijdxaOowQcxort4ipMG76Okxf_HbAn507pSuulUuUDsKscD4m8KyWslGDc4CVG8wf3sRnVIX5sakg0eomhXdWC4NMI3LZvmHFwrY4O1Vjk3RsjloT049JIgRuExZ_TJi4YG77fzk1d4v3EqRYMWvnuWlj0FGTO8gH71GGEODIipVxRivB-NwT6-Sacjs31S7eM-K3eTi9C2ABi45JJrZnmBdruLXMNmG5sXPn-P7l_3iiEtUpqyHh-GcUIjkuCw3yuHNMRxlsVZiHOcsyzJOCtwTEkeR2mRpllPDAkmFIchCQmNI4ryQURZjAcFJX0e4RT0MV8xUaGqelwhpZc9YUzNh1Gaxv1exTJembbnrYduUpDVSwP6uBLGmpfbrLAVH_5yg_sfW32bJnev1tVwr6srbFlnKFcrQObOrs2XS8Y_eW4BmXtuBpC5p_d3AAAA__8stDc0">