<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/108520>108520</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
[clang static analyzer] False negatives related to symbol values
</td>
</tr>
<tr>
<th>Labels</th>
<td>
clang
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
tianxinghe
</td>
</tr>
</table>
<pre>
commit 3e4788377bb29ed389b46521fcba0d06aa985bcf (HEAD -> main, origin/main, origin/HEAD)
Author: Giulio Eulisse <10544+ktf@users.noreply.github.com>
Date: Thu Sep 5 10:16:51 2024 +0200
Recover performance loss after PagedVector introduction (#67972)
`clang --analyze --analyzer-no-default-checks -Xanalyzer -analyzer-checker=core.NullDereference -Xanalyzer -analyzer-config -Xanalyzer -mode=deep -Xanalyzer -analyzer-output=text`
For this 200-line test case, the static analyzer failed to detect the null pointer dereference bug.
It is important to note that removing any one of the following pieces of dead code allows the analyzer to work correctly.
` v37 = (input2) >= (49);
v38 = (166841049) > (input1);
v10 = (input0) < (2067997187);
v11 = (input1) <= (618503425);`
`/* Provide Declarations */
#include <stdint.h>
#include <stdio.h>
#ifndef __cplusplus
typedef unsigned char bool;
#endif
/* External Global Variable Declarations */
/* Function Declarations */
uint8_t* malloc(uint64_t);
uint64_t atol(uint8_t*);
void free(uint8_t*);
int main(int, char **);
void func0(uint8_t**, uint8_t**, uint8_t*, uint64_t, uint8_t);
/* Global Variable Definitions and Initialization */
uint64_t* args;
uint32_t num_args = 3;
/* Function Bodies */
void init(uint32_t _1, uint8_t** argv) {
args = (uint64_t*) malloc(num_args * sizeof(uint64_t));
for (int i = 1; i <= 3; ++i) {
args[i - 1] = atol(argv[i]);
}
uint8_t *p = (uint8_t*) malloc(4);
free(p);
}
int main(int argc, char ** argv) {
uint32_t ac = (uint32_t)argc;
uint8_t** av = (uint8_t**)argv;
uint64_t* v1;
uint8_t v2;
uint64_t* inptr;
uint64_t input0;
uint64_t* inptr1;
uint64_t input1;
uint64_t* inptr2;
uint64_t input2;
uint8_t v3;
uint8_t v4;
uint8_t* v5;
uint8_t v6;
uint8_t* v7;
uint8_t v8;
uint8_t v9;
bool v10;
bool v11;
uint8_t v13;
uint8_t v14;
uint8_t* v15;
uint8_t v16;
uint8_t v17;
bool v18;
uint8_t v19;
bool v20;
uint64_t v21;
bool v22;
uint8_t v23;
uint64_t v24;
uint8_t* v25;
uint8_t** v26;
uint8_t** v27;
uint8_t v28;
uint8_t v29;
uint8_t v30;
bool v31;
bool v32;
uint64_t v33;
bool v34;
uint64_t v35;
uint8_t v36;
bool v37;
bool v38;
init(ac, av);
v1 = args;
inptr = (&(*v1));
input0 = *inptr;
inptr1 = (&v1[((int64_t)1)]);
input1 = *inptr1;
inptr2 = (&v1[((int64_t)2)]);
input2 = *inptr2;
v7 = (&v8);
v37 = (input2) >= (49);
v38 = (166841049) > (input1);
v10 = (input0) < (2067997187);
v11 = (input1) <= (618503425);
v8 = 1;
v7 = ((uint8_t*)/*NULL*/0); // null pointer
v26 = ((uint8_t**)/*NULL*/0);
v26 = (&v25);
v27 = v26;
v6 = 138u;
func0((&v25), v27, (&v6), 1, 1); // aliases &v25 v27
v28 = ((uint8_t)input2);
v29 = (1 - v28);
v4 = 137u;
v31 = ((int64_t)input0) < ((int64_t)2900235183);
v32 = input1 == input2;
if (v32) {
goto block1;
} else {
goto block2;
}
block4:
*v5 = 1;
func0((&v7), (&v5), (&v23), input1, 97u);
goto exit;
block3:
if (input0 >= 351170948) {
goto block4;
} else {
goto block5;
}
block5:
v7 = (&v3);
goto exit;
block1:
v22 = 1707955933 == input1;
v5 = (&v23);
v20 = ((int8_t)v29) > ((int8_t)13);
goto block3;
exit:
v33 = *inptr;
return 0;
block2:
v7 = (&v4);
v34 = v29 == 101u;
goto block1;
}
void func0(uint8_t** a1, uint8_t** a2, uint8_t* a3, uint64_t a4, uint8_t a5) {
uint64_t v1;
uint8_t v2;
uint64_t v3;
uint8_t v4;
uint64_t v5;
uint8_t v6;
uint8_t* bugptr;
uint8_t bug;
uint64_t v7;
uint64_t v8;
uint8_t v9;
bool v10;
uint8_t v11;
uint64_t v12;
uint8_t v13;
uint64_t v14;
bool v15;
v3 = 0;
v4 = *a3;
v5 = ((int64_t)(int8_t)v4);
goto block1;
block5:
v2 = v4;
bugptr = *a1;
bug = *bugptr; // null dereference
v6 = bug;
goto exit;
block4:
v7 = v3;
v8 = v7 ^ v12;
v2 = v4;
v9 = ((uint8_t)v8);
v10 = ((int8_t)v4) < ((int8_t)v9);
if (v10) {
goto block6;
} else {
goto block5;
}
block6:
v3 = 2;
goto exit;
block2:
v11 = *a3;
v12 = ((int64_t)(int8_t)v11);
goto block4;
block1:
*a2 = (&v2);
v13 = *a3;
v14 = ((int64_t)(int8_t)v13);
v15 = v5 <= v14;
if (v15) {
goto block2;
} else {
goto block3;
}
exit:
return;
block3:
v3 = 1;
goto block2;
}`
</pre>
<img width="1px" height="1px" alt="" src="http://email.email.llvm.org/o/eJzcWUmP6zYS_jX0pWCDi9aDD-52dyZAEASzBHNr0BJlc54sGhKlvM6vH5CUZS2UX3qOc2i3RVYVa_lqocWbRp4rIfYofEHhccNbfVH1XktefZfV-SI2J5V_7jN1vUoNTARxkrA4Pp1oKnKWpKcgCikpshPHOY44T5PwlBWAaPK3t8MRtoi9wZXLCtFXULU8m2_viwVDi2iK8BHhw8GqgNgBfpJtKRW8taVsGgGIvRIcBgGiL990gQLcNqJudpWqxa383J2lvrSnXaauiL05UUeuhREE8M9LC_8QNwiBYMQOJELsEBKgmAaA6AumGDsW9wkA8HeRqU7UcBN1oeorrzIBpWoa4IUWNfzGzyL_XWRa1SArXau8zbRUlbEdURbFaUwHm_rPCGclr86w3fKKl59_ise3elupbS4K3pZ6m11E9q2B7b_vm_Ags3uiRuyYqVrsfm3L8ihqUYhaGA39PKoq5Hmyd1W5QOyYC3Hz86hW31qN2FGL7xpFE_e8qxr0RTZAMd6WshKgRaMh440wcdUXAY3mWmYwCC64LEUOWkEutMi0JarasoSbkpVxaD6y4tSed-6onzXIBuT1pmrNK20EVEoL0BeuoRZX1cnqDLz6BFUJUIWVW6iyVH-YjZsUmWjMei54DpnKBXCz2VjCQT2t4A9Vf4NM1bXIdPm5G0IGAB2LAbGjCa2sbq02gQWDMrcWpCbQ7OWBnY4ldwYSRUlAsKUxPIMQsmAieHIKdhyvZoHiKE7TmCTxkotMuEjP1a9FJAkxC2jY800DeRdjluk7ogf4rVadzAUcRVbymhtEN4DowWzfiSmTVVa2uU3JRuey0rvLkHQ-ArXYL6pcFPDxkd3KtjF_9039eRNmq61sZcohu_AaTkqVI7MRZaLKZTE8D-vWiLfvWtQVL-GnUp14Cb_zWvJT-dyqqYj3tnLp_ISllZVOPrQhvxpQZYgmZi0KzOI4TPdV4FqVPZXjnNJ1SuZQ1EI8oZGV7ktqIitt8s16yNJ5xbVVhmfyDobt6cIrPCwZ7Yylzzy29HUhK-n8xqscfjYPvJR_8r5Mzl3pDjsAr8_NzHeMfmio2uuH2bNwZ-uKDKF7UbkUa3G2vjEK9q6xR3yQhWOMOp3NqXiUdQAwqDKJuonAAw0PlekBGvmnUMUMI7NsBoBC1S6ZNUgrnyD2Yr--3g03LQvRFzlVy_otfJGwBYLCo-Xt8WZtCF8kCo-eE1F8nD6PH3pnGAtuY3OTpbWBzxoH5tsMOo8T_bA2xmQzbPsjMcSOZ2P1zBKiqRXDZuSj2HY-kw6OsVsw3hHaEZ9M6Ogqh6xuuvbuQl_rn3Iuz3uw-vcGVr9O0PcxrxnMvxysOBK60M8QrTLEfobEvzwFlWkFplf6FlfiQlYsIusmkZFND3qvRdCR2KfMijVkZI6jpP7oQ0eJRy5diRplU417EesmUm_Y-szo6Fr03O5KBOmK0bPC8ICaL4zMZzZbAXLHmI96aXZPvYJVFvmk-OLKpib23_pOwm3R4t1ySnPleNrawKXovQYhGtnPQ0c8rcHViZ72sCworlCMZHXEXOrM1-TRcKzkZRdwlWQifBQEV0h-JJo-EU0noqeh7OKx5GTC_380eT_4kqGt-50wG_3sVPPrv375xQ0y2Mlz08775A41EkejFXlPRK6wR53HBur0nZeJzvERlrST9fsQOhFIX20hoa_3c6J-lfQfYzt5KXljpznDbhlH2iQ-a9MBMjPd0wEisLU1a04R9FbE7Qxco_waIX8BmmlepBhTFpKELcHq8uKRfcPTKEWk_T3FFMDlFHpWWsGpVNm3KZxQfARRNmKdfnSAZxqzJAFio99DTF0KPcidhTbuY9g_htNHyvrne8a8Qhq3c79YLcV3qT1DvtWMTTRzDhrqoy0OLCQkxmmQPHVa8EWnhT92WjhRbVrbFgB4Yug9qGNh1MGFxDhOwzBlbAKZWUEJJxm8xB7FUyy7lOnouFyOd4hf-3s8FoFyZo3Vd_r6u1ctdFtXgH29dQDsqmMXN4-OBX19Su8-Ipi0K-qT51eTyZXRe50G7rs40ukacDa-VwMPRvvAwylSHyPLly4bf2V6f9B-dXA_tWffPcYwndrzikLLUdGt_-_T_mOWXrkYdWRlSCbeIXl2D-jPDD2gNsiywMK-hoHogY8OGKdgMr7zj9JtgdwVVD4pMa4ozK5nLlKDVmS-ed8ZIjqZJ0a_xd5tcY19HuUfVurAl7UzjPYDkdkM3xax89vXpd6O3y17OfHXuWDRrvuN5eDt-i_BT1tJ9KNW4u0i819fJr6LZuXT2kG_5v9Z1RxG1glQ7Q79MVjJYnL2t9KJBmQ-RfDJTWI5nhG2qmPwF3Rcdjri8tCmo53O5wl_j3D4NML0i8MCWwvzaod0TXC9BY7Gnh4NZCUadNbRIrzJ9yxPWco3Yk9iGlGSUsw2lz1OWJQlJBBRGuYxDQsRRyLPg4CHQc4SvpF7immAU8JwSjFmO3HKWSbiiBQ8z7mIUYDFlctyV5bddafq80Y2TSv2BCchxZuSn0TZ2DeMlNoXYIhSFB439d4wbE_tuUEBLmWjm4cILXVpX0u6V2az90koPMI7N-6vxJlr2YkGalFy7d4xNZ_Xk6nhvGxFs2nrcn_R-tYY99kqN3pXSN_Nkf2_7a1W_xGZRvTdmtAg-t5b0e3pfwMAAP__NQmglw">