<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/63684>63684</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            The clang static analyzer cannot generate path-sensitive error reports after enabling the ipa-always-inline-size parameter
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            new issue
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          yinluming13579
      </td>
    </tr>
</table>

<pre>
    Hi, I've been checking my code for bugs recently using the clang static analyzer's null pointer dereference checker.During the detection process, I encountered such a problem: Now there is a global variable named pointer, and the pointer variable is assigned a value of NULL in a function, and then there is a function call of other translation units, but the function call does not Modify the value of pointer. After this function call, I dereference this variable, thus forming a null pointer dereference bug.When I checked the bug with the clang static analyzer, I found that when the clang static analyzer checked the bug, the cross-translation unit module of the clang static analyzer would not inline the function call by default, so the constraint solver thought that the pointer was Where dereferenced this pointer may or may not be null! I guess the reason for this problem is because clang static analyzer doesn't inline the function call, so it can't analyze the function call, so it can't determine whether the function call modifies the global variable pointer.So I used the parameter ipa-always-inline-size, which allows function calls across translation units to be checked inline, by checking std::tie(notNullState, nullState) = state->assume(location); The value of notNullState and nullState in the code, I found that after using this parameter, only nullState exists but notNullState does not exist, and the solver gives a correct judgment!
But the ensuing problem is that when I use this parameter, DereferenceChecker can detect the null pointer dereferencing bug, but cannot generate the corresponding path-sensitive inspection report. If I do not use this parameter, the constraint solver cannot get the correct the result of. I think since the constraint solver can check that this is a null pointer dereference bug after using the parameter and the clang static analyzer cannot generate an error report, it should be a bug of the clang static analyzer.
Here are the clang arguments I use:
`/project/coreutils-8.31# /usr/local/bin/clang-17 --analyze -Qunused-arguments -Xclang -analyzer-opt-analyze-headers -Xclang -analyzer-output=plist-multi-file -o /project/coreutils-8.31/reports/comm.c_clangsa_609b90dbff1573250e9ad7cef4b8d72c.plist -Xclang -analyzer-config -Xclang expand-macros=true -Xclang -analyzer-checker=alpha.security.cert.env.InvalidPtr,alpha.security.cert.pos.34c,core.CallAndMessage,core.DivideZero,core.NonNullParamChecker,core.NullDereference,core.StackAddressEscape,core.UndefinedBinaryOperatorResult,core.VLASize,core.uninitialized.ArraySubscript,core.uninitialized.Assign,core.uninitialized.Branch,core.uninitialized.CapturedBlockVariable,core.uninitialized.NewArraySize,core.uninitialized.UndefReturn,cplusplus.InnerPointer,cplusplus.Move,cplusplus.NewDelete,cplusplus.NewDeleteLeaks,cplusplus.PlacementNew,cplusplus.PureVirtualCall,cplusplus.StringChecker,deadcode.DeadStores,nullability.NullPassedToNonnull,nullability.NullReturnedFromNonnull,optin.cplusplus.UninitializedObject,optin.cplusplus.VirtualCall,optin.portability.UnixAPI,security.FloatLoopCounter,security.insecureAPI.UncheckedReturn,security.insecureAPI.getpw,security.insecureAPI.gets,security.insecureAPI.mkstemp,security.insecureAPI.mktemp,security.insecureAPI.rand,security.insecureAPI.vfork,unix.API,unix.MismatchedDeallocator,unix.Vfork,unix.cstring.BadSizeArg,unix.cstring.NullArg,valist.CopyToSelf,valist.Uninitialized,valist.Unterminated -Xclang -analyzer-disable-checker=unix.Malloc,unix.MallocSizeof,optin.portability.UnixAPI -Xclang -analyzer-config -Xclang aggressive-binary-operation-simplification=true -Xclang -analyzer-config -Xclang crosscheck-with-z3=true -Xclang -analyzer-config -Xclang experimental-enable-naive-ctu-analysis=true -Xclang -analyzer-config -Xclang ctu-dir=/project/coreutils-8.31/reports/ctu-dir/x86_64 -Xclang -analyzer-config -Xclang display-ctu-progress=true -x c --target=x86_64-linux-gnu -std=gnu11 -Xclang -analyzer-config -Xclang core.NullDereference=true -Xclang -analyzer-max-loop -Xclang 10 -Xclang -analyzer-config -Xclang max-inlinable-size=500 -Xclang -analyzer-config -Xclang max-nodes=2250000 -Xclang -analyzer-config -Xclang ipa-always-inline-size=80 -Xclang -analyzer-config -Xclang max-times-inline-large=80000 -I/project/coreutils-8.31 -I/project/coreutils-8.31/lib -I/project/coreutils-8.31/lib -I/project/coreutils-8.31/lib -I/project/coreutils-8.31/src -I/project/coreutils-8.31/src -O2 -isystem /usr/local/include -isystem /usr/include/x86_64-linux-gnu -isystem /usr/include /project/coreutils-8.31/src/comm.c`
The project I detected is the comm.c file of coreutils8.31
Below is the test code I used:
`pointer = NULL;
thisline[i] = readlinebuffer_delim (all_line[i][alt[i][0]],
streams[i], delim);
printf("%d", *pointer);`
readlinebuffer_delim is a function that needs to be checked across translation units, and pointer is a global variable pointer. If the ipa-always-inline-size parameter is not added, the clang static analyzer will not analyze the readlinebuffer_delim function call, so the constraint solver will think that printf ("%d", *pointer); Whether the pointer variable of the position is empty is uncertain. If the ipa-always-inline-size parameter is used, the constraint solver can judge that the pointer variable is null, but this clang static analyzer Unable to generate path-sensitive bug reports.
If the value of ipa-always-inline-size is set very small, such as 10, in this case readlinebuffer_delim cannot be checked inline because it is greater than 10. If it is set to 80, readlinebuffer_delim can be checked inline, but in this way No way to generate bug reports (even if bugs can be found).
Thank you for taking the time to read my question, thank you for your help, I really tried many ways, but none of them can solve this problem, looking forward to your reply!
</pre>
<img width="1px" height="1px" alt="" src="http://email.email.llvm.org/o/eJy8Oc1y4zjOT6NcWFLZUpzYhxwce1LjqnSmv0mn-6u9dFEiJHNCkVr-2FE__RZISZYT25297CElS_gHARBAqDG8kgB30ew-mq2vqLNbpe9aLoWruaym2ex2cZUr1t79yaN0RTZRersDkgNIUmyheOWyInVLCsWAlEqT3FWGaChAWtESZxBut0AKQWVFjKWWF4RKKtpfoKP01hDphCCN4tKCJgw0lKBBFhD4g07WTvdcGFgoLFeSNFoVYIzXiYAslEN6YMS4YksownMBdZQtyZPaI7EGwg2hpBIqp4LsqOY0F0AkrYH1CiA_KpkX1us0YCJ5cBgjlOyocEBUSZ5eHh8Jl4SS0kmv3YiLHIvu4aSgQiCpQiCxmkojqIc4ya23KnfWa3FMwxQYIpUlXxTjZesxBkU6hROyLFFvu-XmmDx4a-xjj9MbiGC7dQYPEk-f0POHk7sq-YHmbbpzCj7LXUX23G4vnTnqUCrn_UMt2XdOOo3-nnvQEUihlTHxe8-RWjEnvDPOc9wrJ5h3IpeCSzjh5rwlDErqhEV5RgVuShqrKZeWGCV23sPKVVsb7BiHzJ4a8sOf-8hnLHi7x6lpS1R4oC45eGdH6ZRsSOXAGM9RAzVK-tQK1CGuMZ5yKKgz56zESJFRenveys40bklBA2ZH_BlUzEQMEsDzC1H8wYs1xiiHYMj7tOuD9VmRDXGmO-GGaloja8IbGlOxp62JgwGx4b98iO63HFNcCLV_F9-GUB8XHzOKWIUe7oMpcPRp1h7qmLEsypZRtrQconQulX1yQjxbaj2qPLwsSJStvcshjrI_qDGuRhKhChoKwCLK7sm3cXaO2fnqMPDD4hECjMGH9KA-l_tCihHQuwhRlRTtiBG8cWONrx1H4oay4RHGRa6L5IrvACtUobSGwpJ_HKtqkDZKp9FkHU2W9105AmkcqjKKw0MW-4M8oeX6kASrUNQxjrpq7tmeqTMoqUt6tKmgEo2oQIJGs4LTtAbTKMm8WtRuYwPScMt36FjTdBeGhkZpm5BNiSVQeW-c1vZ0rg-y7UFsp7wG44QlqkzIBvnJV2J4qK5nOIWY6-sGN-F6uFRs38XBOFP6ozxTP9_5jEoCWivdOQQN5paYrS-KORDqpV0qoEmIiD-xvFENI0SqK4dRY0IkYDJ51OhmEqUPjVb_QGGj9KFQGpzlwsTzJJtGaUai9MEZHaUPmEEiSh9yLhER2cbTWxLHfW2K_89JLBfxQVj8_0F8j6Nj1dj-Jd4CZaBPYjnbOBtl60ZwY-PaCcvjkgsgsSIXFX4IzjMeVNdJ8dPzNvTnzWSRLyYsL8vp7DZLZxNYUHZbQHmdz9ltWiRe1gllCiVLXg0AeGuoZHHtC1qUra12cIoqpFOUralotjQxUDjNbZsUoG0Ccpds5I4Kzr5ajO1TSI0ySXZdROkKrUxWVIilZF_AGFpB_3XNd5zBv0Cr_suTklhfvmIYdkk9gJwQo5TvPz9bWrwuGdNgzB-moM0AeZEMSi6B3XNJdftXg6Gq9N8-r3qk74_L53AD-FcnueSWU8F_AUuWWtP22eWm0LyxZ3B873Yadq-pLLanYSvaWKeB3QtVvH4_9EonUJ9gHzQ5q6g39W-wTntNGuEM_iUbKUF_HZrQA-CL2sHRhyfYr0GAPfP1EeirOQJ9FbQAzJQn2B8DnIbvXFtHxSpc8gfYs8Wm-3CwDCjD-ylZA2XPVmlAIVixaM4FBlOIBmOAfVNPSoZm5gNGMB3Yg1b1AUs1lsvkIP1l7LO_8pCFH7COdQ9QTMte3ovkb8uvmyhdDRH_IBS1j0o1qzAwjGFc-p-w_LpJXmTXKgxHdRKtAtvsLwDNOVj9aizUzXnwJaimkp2D7UqlX6N05SR_S4Lx_ucXbmpqiy2wNWDrVGCC9cDvY6LC-KNP7inDMF7q6j0EzzF8xtJibLJSTftNPYMoD9-OjnD8OfSN1AI7Uc8YN5hdo7oWtPcqD7b4N1ROlZcO_vdVllYVViO-gzj3pSdWvvZwJWPD60bwkncd3fkSfMzSN6Be_RgHofhX9mlSeGtAc8xUKmKQ3hGSonKFdYHK8EuXwTtNrIsZRx9--i7rKNKHt_nNz5vr38tg3DSCtl7BRivvzUHBN1KQOLZUV4C3bOAZCy7dW1xJR2LfcK8r6abTT5hz6mo564uavsVCqWYATSe_F4FEfjTwrvfzRraeTT5JKRUDND5NZ5PJZ4jOjDjZev5JiZbXMNAK9LMn9sI3Fw79MhS7MJ7_z3CMLj6H81dKYm5aLJwf-0UuC-EYnMDoIENQjwPwHPJvuj-ji6Hzw97WN7k47HU0fsmCsw2OmqYbAxCZ-O5SlWRg6TmGCQuE2vfoFowNS7UwHI9b6X5CwBH06eXxMcruAwwnCT_Xzu55NFt7BA2U4bfclSXonwwER3PnVIifI9xodk-FPbxM_GMdpavA2lgNtDY9QroinlOYcwNKo7m0ZZTOozSN0hnzjxWJ0uWwW_PIvb9Oana8JvPzkQRg7-f3c2N-P9n2Ljq58BvWZJsw5JxOw_EqIszOlDF_k11aLXEhAu5ok3LS0FPrldPjoucZpkrvj-Bn8ltHkx-jxcyHXWY34DUKJ2Ul0UaoG9viDydxMKBc_lcu8mF6aXz2SwX4uCwb71e7frDbfnJzxs8vvkJjUAxz7bvJH4fY7mLr5tXOlGEfc8YmbogBS3agW2Lq_nD8UtmQ6cTPy7LTjZozp9sN3R82TsPOjlsUVGmgYVNLJZlOvLsDBFWwisy9vHMizmy0nB003NOWPCn_GPtq5ByMI9iBJLwMu_uOr99AReki6Ysbla-kVS5sIulrv4bAKwh5o46kbsm_HZh-BW6PiFrlNNmCaMKKS2Mb2hKrOTBSU9milsPmWyrZx2gw1YfR0QoUUYVSXpNS6T3VDBXxYjQ0oo3S6RW7y9giW9AruJvezOez68X19c3V9m42u53flvNsMpukdJHOsnQ6nWVZCtNitijm8yt-l07SbHI7mU0W2eT6JklvaMYgLYub-e01TFl0PYGacpEIsasTpasrboyDu5vsZn59JWgOwvh_q6SpBKzrxgFm6mx9pe-QJkZ3R9cTbIvNgYvlVsDdt0_vc97F_Xi3Y7qlkW8l-wP7XSpfOS3uttY2Bu-c9CFKHyputy5PClXjhSt2_SM-XJHePGwhvfn_CQAA___oNln3">