[cfe-dev] Strange null deref from static analyzer
Ted Kremenek
kremenek at apple.com
Wed Oct 9 20:29:13 PDT 2013
“clang --analyze” doesn’t produce a warning here either, so this looks like something related to c++-analyzer itself. It is possible that c++-analyzer is finding an old version of clang that has this bug.
Users aren’t really supposed to use c++-analyzer directly. It relies on a whole bunch of context when used within scan-build (including what version of clang to use). If you want to analyze a file directly, use “clang --analyze”.
On Oct 9, 2013, at 12:38 PM, Morrell, Michael <michael.morrell at intel.com> wrote:
> [Previously posted to cfe-users with no response, so trying here]
>
> With the following code:
>
> =================================
> #include <stdlib.h>
> #include <stdint.h>   /* uint16_t; kept on line 2 so the line numbers in the diagnostics below still match */
> extern bool x, y, z;
>
> void foo(uint16_t *p)
> {
>     uint16_t *px = NULL, *py = NULL, *pz = NULL;   /* all three start out null */
>
>     if (x) {
>         px = p;
>         p += 32;
>     }
>
>     if (y) {
>         py = p;
>         p += 32;
>     }
>
>     if (z)
>         pz = p;
>
>     if (px != NULL)   /* each pointer is null-checked immediately before its dereference */
>         px[0] = 0;
>     if (py != NULL)
>         py[0] = 0;
>     if (pz != NULL)
>         pz[0] = 0;
> }
> =================================
>
> Running:
>
> checker-275/libexec/c++-analyzer -c foo.cpp gives:
>
>
> foo.cpp:25:15: warning: Array access (from variable 'py') results in a null pointer dereference
> py[0] = 0;
> ~~ ^
> foo.cpp:27:15: warning: Array access (from variable 'pz') results in a null pointer dereference
> pz[0] = 0;
> ~~ ^
> 2 warnings generated.
>
> All variables are checked for NULL right before the dereference. It is OK with "px", but not "py" or "pz".
>
> As an aside, running "scan-build c++ -c foo.cpp" says there are no bugs. I don't know why that would be different.
>
> Should I just file a bug for this?
>
> Michael
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at cs.uiuc.edu
> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev
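As an added example (not code from the thread or from the clang project), the following Python script follows Ted's advice and runs plain `clang --analyze` on the poster's function, then parses the analyzer's text diagnostics so the flagged variables can be compared against the quoted c++-analyzer output. It assumes a `clang` binary on PATH for the live run (skipped when absent); the sample diagnostic text embedded below is constructed from the warnings quoted in the thread, and `-Xclang -analyzer-output=text` is used only to keep the report on stderr instead of a .plist file.

```python
"""Run `clang --analyze` on the thread's test case and parse the diagnostics.

Added example, not code from the thread. Assumes `clang` is on PATH for the
live check (skipped if missing); SAMPLE_OUTPUT is constructed from the thread.
"""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# The poster's function, with <stdint.h> for uint16_t and the closing brace restored.
SOURCE = """\
#include <stdlib.h>
#include <stdint.h>
extern bool x, y, z;

void foo(uint16_t *p)
{
    uint16_t *px = NULL, *py = NULL, *pz = NULL;
    if (x) { px = p; p += 32; }
    if (y) { py = p; p += 32; }
    if (z)   pz = p;
    if (px != NULL) px[0] = 0;
    if (py != NULL) py[0] = 0;
    if (pz != NULL) pz[0] = 0;
}
"""

# Constructed sample: the two warnings quoted in the thread, in clang's text format.
SAMPLE_OUTPUT = """\
foo.cpp:25:15: warning: Array access (from variable 'py') results in a null pointer dereference
    py[0] = 0;
    ~~ ^
foo.cpp:27:15: warning: Array access (from variable 'pz') results in a null pointer dereference
    pz[0] = 0;
    ~~ ^
2 warnings generated.
"""

# clang diagnostic line: <file>:<line>:<col>: <level>: <message>
DIAG_RE = re.compile(
    r"^(?P<file>[^:\n]+):(?P<line>\d+):(?P<col>\d+): "
    r"(?P<level>warning|error|note): (?P<msg>.*)$"
)
VAR_RE = re.compile(r"from variable '(?P<var>\w+)'")


def parse_diagnostics(text):
    """Return one dict per diagnostic line; source snippet and caret lines are skipped."""
    diags = []
    for line in text.splitlines():
        m = DIAG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["line"] = int(d["line"])
        d["col"] = int(d["col"])
        v = VAR_RE.search(d["msg"])
        d["var"] = v.group("var") if v else None
        diags.append(d)
    return diags


def null_deref_vars(diags):
    """Names of the variables the analyzer reported as null-dereferenced, in report order."""
    return [d["var"] for d in diags
            if d["level"] == "warning" and "null pointer dereference" in d["msg"]]


def run_clang_analyze(source=SOURCE):
    """Analyze `source` with `clang --analyze`; returns parsed diagnostics, or None if clang is absent."""
    clang = shutil.which("clang")
    if clang is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "foo.cpp"
        src.write_text(source)
        proc = subprocess.run(
            [clang, "--analyze", "-Xclang", "-analyzer-output=text", src.name],
            cwd=tmp, capture_output=True, text=True, check=False,
        )
        return parse_diagnostics(proc.stderr)


if __name__ == "__main__":
    quoted = parse_diagnostics(SAMPLE_OUTPUT)
    print("flagged in the quoted c++-analyzer output:", null_deref_vars(quoted))
    live = run_clang_analyze()
    if live is None:
        print("clang not found on PATH; skipping live analysis")
    else:
        print("flagged by clang --analyze on this machine:", null_deref_vars(live))
```

Running the script prints `['py', 'pz']` for the quoted output; an empty list from the live run matches what Ted and the `scan-build` invocation in the thread report, while a non-empty list would point at the clang version actually being picked up.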