[cfe-dev] Fwd: Does clang analyzer can only report one warning?

Ted Kremenek kremenek at apple.com
Mon Nov 22 17:56:25 PST 2010


Yes, multiple bugs can be reported.  For example:

$ cat test.c
void test(int flag) {
 int *a, *b;
 if (flag)
  *a = 1;
 else
  *b = 1;
}

$ clang --analyze test.c
test.c:4:4: warning: Dereference of undefined pointer value
  *a = 1;
  ^
test.c:6:4: warning: Dereference of undefined pointer value
  *b = 1;
  ^
2 warnings generated.


However, if I had written the code as follows, only one is reported:

$ cat test2.c
void test(int flag) {
 int *a, *b;
 *a = 1;
 *b = 1;
}

$ clang --analyze test2.c
test2.c:3:3: warning: Dereference of undefined pointer value
 *a = 1;
 ^
1 warning generated.


In the second case, the use of 'a' would constitute a fail-stop bug along the path, so further analysis is meaningless.  Contrast this with GCC's -Wuninitialized warning (which clang will also eventually support):

$ gcc -Wuninitialized -O2 test2.c
test2.c: In function ‘test’:
test2.c:3: warning: ‘a’ is used uninitialized in this function
test2.c:4: warning: ‘b’ is used uninitialized in this function


In GCC's case, it is doing a simple dataflow analysis that doesn't take into account value or path-dependencies, so it flags both issues.  There are tradeoffs here; with the static analyzer, one will eventually find the second bug by fixing the first one, but it gets more reliable path results by doing the pruning.

On Nov 21, 2010, at 4:20 PM, J Green wrote:

> 
> 
> ---------- Forwarded message ----------
> From: J Green <greenabc99 at gmail.com>
> Date: 2010/11/21
> Subject: Re: [cfe-dev] Does clang analyzer can only report one warning?
> To: Ted Kremenek <kremenek at apple.com>
> 
> 
> Hi, Ted
>     First of all, thanks for your quick reply.
>     But I am still puzzled by such a case: if there exist several bugs of the same kind, such as uninitialized variables (for example, a and b are two uninitialized variables that do not have any relationship, since they are in different paths), would they be reported by clang at the same time (giving two uninitialized warning messages at the same time)?
> 
> Thanks again.
> 
>  
> 
> 2010/11/19 Ted Kremenek <kremenek at apple.com>
> 
> For some bugs, such as uses of uninitialized variables or a null dereference, the analyzer stops analyzing a given path because the semantics would potentially be meaningless after the point of the bug.  If the second bug is dominated by one of these other fail-stop bugs, it won't be reported until the other bug is resolved.  It's a tradeoff; the idea is that people will fix issues, run the analyzer again and uncover new ones, etc.
> 
> Sent from my iPad
> 
> On Nov 18, 2010, at 9:18 PM, J Green <greenabc99 at gmail.com> wrote:
> 
> > Hi, all
> >
> >      I just want to use the clang static analyzer; the command is "clang --analyze xxx.c" to check xxx.c for errors. But I can only see one warning message.
> > For example, one variable is undefined, but there is another null pointer dereference error after that; why can the analyzer not report the null pointer dereference warning? Am I missing something (e.g. one or more options needed)? Or can the clang analyzer only report one warning message per function?
> >      In other words, how does the clang analyzer deal with different source errors? For one kind of error, does it just report the first one? Or for all kinds of errors, does it just report the first one?
> >
> >                          Thanks.
> >                          J Green
> > _______________________________________________
> > cfe-dev mailing list
> > cfe-dev at cs.uiuc.edu
> > http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev
> 
> 

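To make the difference Ted describes concrete, here is an added toy model of the two strategies; it is my own illustration, not code from clang, GCC or this thread. A path-sensitive walk forks at each branch and prunes a path at the first fail-stop dereference, while a simple must-be-initialized dataflow pass ignores path conditions and reports every use. Programs are hand-encoded as tuples rather than parsed from C, the line numbers are those of the thread's test.c and test2.c, and the extra test3.c program (a use guarded by the same condition that initialized the pointer) together with the "assumed condition" bookkeeping is my assumption about how a path-sensitive analyzer treats correlated branches, not a statement about clang's implementation.

```python
"""Toy model of two uninitialized-use analyses (constructed example, not clang or GCC code).

Programs are hand-encoded statement lists instead of parsed C:
    ("decl", var)                 -- declare var with no initializer
    ("init", var)                 -- assign var a valid pointer
    ("deref", var, line)          -- *var = ...; at the given source line
    ("if", cond, then_b, else_b)  -- branch on symbolic condition cond
"""


def _explore(stmts, values, assumed, warnings):
    """Path-sensitive walk of one path; forks at 'if' and prunes at the first fail-stop bug."""
    for i, stmt in enumerate(stmts):
        kind = stmt[0]
        if kind == "decl":
            values[stmt[1]] = "undef"
        elif kind == "init":
            values[stmt[1]] = "init"
        elif kind == "deref":
            if values.get(stmt[1]) == "undef":
                warnings.add((stmt[2], stmt[1]))
                return  # fail-stop: nothing after this use is meaningful on this path
        elif kind == "if":
            cond, then_b, else_b = stmt[1], stmt[2], stmt[3]
            rest = stmts[i + 1:]
            for truth, branch in ((True, then_b), (False, else_b)):
                if assumed.get(cond, truth) != truth:
                    continue  # branch is infeasible under this path's assumptions
                _explore(branch + rest, dict(values), {**assumed, cond: truth}, warnings)
            return


def path_sensitive_warnings(program):
    """Warnings a path-pruning analyzer reports, as a set of (line, var)."""
    warnings = set()
    _explore(list(program), {}, {}, warnings)
    return warnings


def _dataflow(stmts, init, warnings):
    """Forward must-be-initialized pass; ignores conditions and never stops at a bug."""
    init = set(init)
    for stmt in stmts:
        kind = stmt[0]
        if kind == "decl":
            init.discard(stmt[1])
        elif kind == "init":
            init.add(stmt[1])
        elif kind == "deref":
            if stmt[1] not in init:
                warnings.add((stmt[2], stmt[1]))
        elif kind == "if":
            # definitely initialized after the join only if both arms initialize it
            init = _dataflow(stmt[2], init, warnings) & _dataflow(stmt[3], init, warnings)
    return init


def dataflow_warnings(program):
    """Warnings a -Wuninitialized-style dataflow pass reports, as a set of (line, var)."""
    warnings = set()
    _dataflow(list(program), set(), warnings)
    return warnings


# test.c from the thread: the two uses lie on different paths
TEST_C = [("decl", "a"), ("decl", "b"),
          ("if", "flag", [("deref", "a", 4)], [("deref", "b", 6)])]

# test2.c from the thread: the use of b is dominated by the fail-stop use of a
TEST2_C = [("decl", "a"), ("decl", "b"), ("deref", "a", 3), ("deref", "b", 4)]

# test2.c after the fix-and-rerun step: a is initialized, so the b bug surfaces
TEST2_C_FIXED = [("decl", "a"), ("decl", "b"), ("init", "a"),
                 ("deref", "a", 3), ("deref", "b", 4)]

# Hypothetical test3.c (my addition): a use guarded by the same condition that
# initialized it. Only the path-sensitive walk sees that the use is safe.
TEST3_C = [("decl", "a"),
           ("if", "flag", [("init", "a")], []),
           ("if", "flag", [("deref", "a", 4)], [])]

if __name__ == "__main__":
    for name, prog in (("test.c", TEST_C), ("test2.c", TEST2_C),
                       ("test2.c (a fixed)", TEST2_C_FIXED), ("test3.c", TEST3_C)):
        print(f"{name}: path-sensitive {sorted(path_sensitive_warnings(prog))}, "
              f"dataflow {sorted(dataflow_warnings(prog))}")
```

Running it reproduces the thread's counts: both passes report lines 4 and 6 of test.c, only the path-sensitive pass drops line 4 of test2.c until the line 3 bug is fixed, and on test3.c the dataflow pass raises a warning that the path-sensitive pass correctly suppresses, which is the "more reliable path results" side of the tradeoff.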