[PATCH] D97183: [analyzer] Add NoteTag for smart-ptr get()

Artem Dergachev via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Tue Apr 20 10:32:01 PDT 2021


NoQ added a comment.

In D97183#2701441 <https://reviews.llvm.org/D97183#2701441>, @steakhal wrote:

> I think we can conclude that `P` must be non-null (since it was unconditionally dereferenced), thus the previous check on the inner pointer and the branch it guards must be dead!

Under the same logic we also can't report null dereference in the following code:

  void bar() {
    A *p = nullptr;
    p->foo();
  }

Indeed, the null pointer `p` is unconditionally dereferenced, therefore the entire function `bar()` must be dead!

Or maybe the entire executable binary into which this code is linked is never run. Some users definitely complain about the static analyzer analyzing code that was entirely dead from the start, and have suggested integrating with the dynamic PGO facilities to analyze hot code first.

It's important to realize that with pure static analysis it is absolutely impossible to reliably report a bug more severe than dead code. Any form of static analysis only ever finds //code that doesn't make sense//. It cannot make assumptions about how often the code is executed in practice or how severe and impactful the bug is to the users of the program under analysis. When we report anything that doesn't directly scream "dead code", like null dereference, we're still always implicitly saying "This code doesn't make sense because it either has dead parts or _____". In fact we should probably do a better job at managing expectations because users do become upset when we promise them use-after-frees but in reality only find dead code that "would have caused use-after-frees if it was ever run".


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D97183/new/

https://reviews.llvm.org/D97183


