[PATCH] [analyzer] Path-sensitive different.IntegerOverflow checker

Anna Zaks zaks.anna at gmail.com
Thu Nov 13 17:14:21 PST 2014


I suspect the code below explains why you are getting the false positives.

The issue you highlight in the example is that sometimes the analyzer doesn't know what the value of a variable is. The existing checkers minimize false positives by issuing a warning only when it's known that a value is "bad". For example, we would only warn if StateOverflow && !StateNotOverflow. This will flag far fewer issues, but should not produce a lot of false positives.

Are the false positives you are getting being flagged by the first if clause?

  if (StateOverflow && StateNotOverflow) {
    if (Pack.LValueIsTainted) {
      Msg.assign("Possible integer overflow while " + Pack.Operation +
                 ". Left operand is tainted: " + Pack.LValue + " AND " +
                 Pack.RValue);
      reportBug(Msg, C, SL);
    } else if (Pack.RValueIsTainted) {
      Msg.assign("Possible integer overflow while " + Pack.Operation +
                 ". Right operand is tainted: " + Pack.LValue + " AND " +
                 Pack.RValue);
      reportBug(Msg, C, SL);
    }
    return;
  }

  if (StateOverflow) {
    Msg.assign("Integer overflow while " + Pack.Operation + ". " + Pack.LValue +
               " AND " + Pack.RValue);
    reportBug(Msg, C, SL);
  }

================
Comment at: lib/StaticAnalyzer/Checkers/IntegerOverflowChecker.cpp:35
@@ +34,3 @@
+  mutable std::unique_ptr<BuiltinBug> BT;
+
+  mutable std::set<SourceLocation> OverflowLoc;
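Review bot: `mutable std::set<SourceLocation> OverflowLoc` keeps per-run state on the checker object itself, which is shared across every function the analyzer visits, so whatever is recorded for one function leaks into the next. If its purpose is to suppress repeated reports at one location, that is already the job of the bug reporting infrastructure (as noted in this thread) and the set can be dropped; if it is meant to carry path-sensitive information, it belongs in the ProgramState rather than in a mutable member. Either way, a comment stating what the set is for would help the reviewer.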
----------------
j.trofimovich wrote:
> zaks.anna wrote:
> > Are you getting multiple reports on the same location? I don't think that should be happening - the bug reporting infrastructure should unique reports.
> In what way should the bug reporting infrastructure unique reports? scan-build prevents the existence of fully identical reports by computing a digest (Digest::MD5->new->addfile(*FILE)->hexdigest; scan-build, line 247), but cases where alerts differ by message only aren't caught.
Identical issues should have the same message. Do you have identical issues with different messages?

http://reviews.llvm.org/D4066
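The reporting policy argued for above (warn only when the overflow state is feasible and the no-overflow state is not; when both are feasible, stay quiet unless an operand is tainted) as a stand-alone model. This is an added example, not code from D4066 or from the Clang Static Analyzer: the `Range`, `Operand`, `Feasibility` and `checkAdd` names are hypothetical stand-ins for the analyzer's SVal and constraint-manager machinery, and the interval arithmetic is a simplification of what the constraint manager actually tracks.

```cpp
// Added example: a toy model of the "warn only on definite overflow" policy.
// Not part of the patch under review or of Clang; all names are hypothetical.
#include <cassert>
#include <cstdint>
#include <string>

// Inclusive bounds the (modelled) constraint manager knows for a value.
struct Range { int64_t lo, hi; };

struct Operand {
  std::string name;
  Range range;
  bool tainted;  // would come from the taint information the checker queries
};

// Feasibility of the two successor states the checker tries to build:
// StateOverflow and StateNotOverflow.
struct Feasibility { bool overflow; bool noOverflow; };

enum class Verdict { Silent, Possible, Definite };

struct Report { Verdict verdict; std::string message; };

// 32-bit signed addition over interval-valued operands, evaluated in 64 bits
// so the checker itself cannot overflow. For addition the sum of two intervals
// is exactly [lo1+lo2, hi1+hi2], so both feasibility questions are range checks.
Feasibility addFeasibility(Range a, Range b) {
  const int64_t minSum = a.lo + b.lo;
  const int64_t maxSum = a.hi + b.hi;
  Feasibility f;
  // some pair of operand values lands outside the int32 range
  f.overflow = maxSum > INT32_MAX || minSum < INT32_MIN;
  // some pair of operand values lands inside the int32 range
  f.noOverflow = minSum <= INT32_MAX && maxSum >= INT32_MIN;
  return f;
}

// Mirrors the decision structure quoted from the patch: the first branch is the
// "analyzer does not know" case, the second the "every path overflows" case.
Report checkAdd(const Operand& l, const Operand& r) {
  const Feasibility f = addFeasibility(l.range, r.range);
  if (f.overflow && f.noOverflow) {
    // Unknown outcome: only attacker-controlled operands justify a report.
    if (l.tainted)
      return {Verdict::Possible,
              "Possible integer overflow while addition. Left operand is tainted: " +
                  l.name + " AND " + r.name};
    if (r.tainted)
      return {Verdict::Possible,
              "Possible integer overflow while addition. Right operand is tainted: " +
                  l.name + " AND " + r.name};
    return {Verdict::Silent, ""};
  }
  if (f.overflow)
    return {Verdict::Definite,
            "Integer overflow while addition. " + l.name + " AND " + r.name};
  return {Verdict::Silent, ""};
}

int main() {
  // Constructed inputs: a fully unconstrained non-negative length plus a small
  // tainted count is "possible", never "definite".
  const Report r = checkAdd(Operand{"len", Range{0, INT32_MAX}, false},
                            Operand{"n", Range{0, 100}, true});
  assert(r.verdict == Verdict::Possible);
  return 0;
}
```

The interesting case for the thread is the third one in the test below: an operand with no useful constraint makes both states feasible, and without taint the model stays silent, which is exactly what keeps the false-positive rate down at the cost of missing real overflows on unknown values.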
More information about the cfe-commits mailing list