[cfe-dev] Bug: Unexpected dereference claim on --analyze

Anna Zaks ganna at apple.com
Mon Dec 5 17:08:19 PST 2011


On Dec 5, 2011, at 4:43 PM, Jeffrey Yasskin wrote:

> Klocwork has a similar heuristic, and it proved obnoxious in practice.
> ~75%-90% of the time, the real problem in the code was that someone
> was checking against 0, but the pointer was actually guaranteed not to
> be 0, so the check was redundant. Unless the analyzer has other
> evidence that the pointer may actually be 0, it should treat
> "dereference null" and "redundant check" as similar likelihood and
> include both in the warning, or omit the warning.
> 

After looking at the code, I realize that this is probably a general analyzer heuristic, not specific to NULL dereferencing.  

Thanks for the feedback. I think the best solution would be to mention the possible redundant check in the diagnostic. Please file a bug report!

Anna.

> FWIW,
> Jeffrey
> 
> On Fri, Dec 2, 2011 at 1:56 PM, Anna Zaks <ganna at apple.com> wrote:
>> The analyzer tries to flag the issues which most likely are bugs. (If we restrict to only warning about definite bugs, it would miss a bunch of real bugs.)
>> 
>> In your example, you only get the warning when the function contains the check: (t->root != 0). The reasoning here is that the programmer added this check because there is a possibility of t->root being 0. If t->root might be 0, you probably only want to dereference it if it's not 0. I suspect that the dereference checker has a special heuristic which helps it to identify this case.
>> 
>> Cheers,
>> Anna.
>> On Dec 2, 2011, at 1:37 PM, Jan Engelhardt wrote:
>> 
>>> 
>>> 
>>> Observed output:
>>> ===
>>> clang-case2.c:17:11: warning: Access to field 'child' results in a dereference
>>>      of a null pointer (loaded from field 'root')
>>>        t->root->child = 0;
>>>           ~~~~  ^
>>> 1 warning generated.
>>> 
>>> 
>>> Expected output:
>>> ===
>>> None. There is no way to say with absolute confidence that t->root is
>>> always NULL or never NULL.
>>> 
>>> 
>>> Testcase:
>>> ===
>>> /*
>>> SUSE Linux clang version 3.0 (branches/release_30 142912) (based on LLVM 3.0)
>>> 
>>> clang --analyze this
>>> */
>>> struct node {
>>>       struct node *child;
>>> };
>>> struct tree {
>>>       struct node *root;
>>> };
>>> static void add(struct tree *t)
>>> {
>>> #if 1 /* generate warning */
>>>       t->root != 0;
>>> #endif
>>>       t->root->child = 0;
>>> }
>>> _______________________________________________
>>> cfe-dev mailing list
>>> cfe-dev at cs.uiuc.edu
>>> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev
>> 
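The check-then-dereference inconsistency discussed in this thread, as an added example (not code from the thread or from clang itself): the reported pattern, where the comparison against 0 never guards the dereference, beside two consistent forms, one that makes the check actually protect the use and one that drops the check when root is an invariant. The function names and return values are my own.

```c
#include <stddef.h>

struct node { struct node *child; };
struct tree { struct node *root; };

/* Pattern from the report: the comparison signals "root may be NULL"
 * to the analyzer, but its result is never used, so the dereference
 * on the next line is unconditional and crashes when root is NULL. */
static int add_inconsistent(struct tree *t)
{
    (void)(t->root != 0);   /* check present, guards nothing */
    t->root->child = NULL;
    return 1;
}

/* Consistent form: the dereference is reached only on the path where
 * the check has established root is non-NULL. Returns 1 when a child
 * pointer was cleared, 0 when there was no root to update. */
static int add_guarded(struct tree *t)
{
    if (t->root == NULL)
        return 0;
    t->root->child = NULL;
    return 1;
}

/* Consistent form when a non-NULL root is an invariant of struct tree:
 * no check at all, so nothing tells the analyzer root could be NULL,
 * and a reader is not misled into thinking NULL is a handled case. */
static int add_unchecked(struct tree *t)
{
    t->root->child = NULL;
    return 1;
}
```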
