[cfe-dev] Confused by analysis
Ted Kremenek
kremenek at apple.com
Wed Feb 25 09:21:05 PST 2009
On Feb 25, 2009, at 9:03 AM, Ben Laurie wrote:
> void f2(int n) {
>   char *p = 0;
>   char a[10];
>
>   if (n < 1)
>     p = a;
>
>   if (n > 0)
>     *p = 'X'; // expected-warning{{Dereference of null pointer.}}
>
>   if (n >= -3)
>     *p = 'X'; // expected-warning{{Dereference of null pointer.}}
> }
Hi Ben,
For these kinds of questions it's often useful to look at the simulation
graph, e.g.:
clang -checker-cfref -analyze -analyzer-viz-egraph-graphviz /tmp/t.c -analyze-function=f2
From the graph I see three paths through 'f2':
PATH 1
----------
(1) At the first condition, take the false branch. The possible
values of 'n' are now [1, 2147483647].
(2) At the second condition, we can only take the true branch. This
results in a null dereference. That path stops at that point because
the program would halt.
PATHS 2 and 3
------------------
(1) At the first condition, take the true branch. The possible values
of 'n' are now [-2147483648, 0].
(2) Assign 'a' to 'p'. The value in 'p' is guaranteed to not be null
(it is the address of 'a').
(3) We take the false branch for 'if (n > 0)'.
(4) Both subsequent branches are taken because both 'n >= -3' and 'n <
-3' are satisfiable. We still get no null dereference because 'p' is
not null.
From these paths we see there is no way to hit the second '*p = 'X''
with p being null.
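To make the path enumeration above concrete, here is a toy path-sensitive interval analysis that replays Ted's reasoning over f2. This is an added example, not code from the email, from clang, or from the static analyzer; it assumes a hand-written encoding of f2 (the F2 list), tracks only the range of 'n' and whether 'p' is null or the address of 'a', and, as the email describes, stops a path at the point where a null pointer is dereferenced. Unlike the real analyzer it knows nothing about C; it only demonstrates why the second dereference is unreachable with 'p' null.

```python
# Toy path-sensitive analysis of Ben's f2(), added as an illustration.
# State: the feasible range of n as an inclusive (lo, hi) pair, and p as
# either "null" or "&a".  Every branch splits the range; an infeasible
# branch (empty range) is simply not explored.
INT_MIN, INT_MAX = -2**31, 2**31 - 1


def split_range(lo, hi, op, k):
    """Split [lo, hi] on the condition `n <op> k`.

    Returns (true_range, false_range); a range is (lo, hi) or None when
    that branch cannot be taken."""
    if op == "<":
        t, f = (lo, min(hi, k - 1)), (max(lo, k), hi)
    elif op == ">":
        t, f = (max(lo, k + 1), hi), (lo, min(hi, k))
    elif op == ">=":
        t, f = (max(lo, k), hi), (lo, min(hi, k - 1))
    else:
        raise ValueError("unsupported operator: %s" % op)
    norm = lambda r: r if r[0] <= r[1] else None
    return norm(t), norm(f)


# Hand-encoded f2: each entry is ("if", (op, k), body) where body is either
# ("assign", value) for `p = a;` or ("deref",) for `*p = 'X';`.
F2 = [
    ("if", ("<", 1), ("assign", "&a")),   # if (n < 1) p = a;
    ("if", (">", 0), ("deref",)),         # if (n > 0) *p = 'X';    (first deref)
    ("if", (">=", -3), ("deref",)),       # if (n >= -3) *p = 'X';  (second deref)
]


def explore(program):
    """Enumerate every feasible path through `program`.

    Each result is a dict with the final range of n, the value of p, the
    sequence of branch decisions, and `null_deref_at`: the index of the
    statement where p was dereferenced while null (the path halts there),
    or None if the path ran to the end without a null dereference."""
    paths = []
    work = [(0, {"n": (INT_MIN, INT_MAX), "p": "null", "trace": []})]
    while work:
        pc, st = work.pop()
        if pc == len(program):
            paths.append({**st, "null_deref_at": None})
            continue
        _, (op, k), body = program[pc]
        t, f = split_range(*st["n"], op, k)
        if f is not None:  # false branch: skip the guarded statement
            work.append((pc + 1, {**st, "n": f,
                                   "trace": st["trace"] + ["%d:false" % pc]}))
        if t is not None:  # true branch: execute the guarded statement
            nst = {**st, "n": t, "trace": st["trace"] + ["%d:true" % pc]}
            if body[0] == "assign":
                nst["p"] = body[1]
                work.append((pc + 1, nst))
            elif nst["p"] == "null":
                # Dereferencing a null pointer: report it and end the path,
                # exactly as the email describes for PATH 1.
                paths.append({**nst, "null_deref_at": pc})
            else:
                work.append((pc + 1, nst))
    return paths


def null_deref_sites(program):
    """Statement indices at which some path dereferences p while null."""
    return sorted({p["null_deref_at"] for p in explore(program)
                   if p["null_deref_at"] is not None})


if __name__ == "__main__":
    for i, path in enumerate(explore(F2), 1):
        print("PATH %d: n in %s, p = %s, branches %s, null deref at %s"
              % (i, path["n"], path["p"], path["trace"], path["null_deref_at"]))
```

Running it prints three paths: one where 'n' is [1, 2147483647] and the first dereference happens with 'p' null, and two where 'n' is [-2147483648, 0], 'p' holds '&a', and the third condition splits into [-3, 0] and [-2147483648, -4] without any null dereference. Statement 2 (the second `*p = 'X'`) never appears as a null-dereference site, which is why the second expected-warning in the test cannot fire.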