[cfe-dev] Strange null deref from static analyzer
Morrell, Michael
michael.morrell at intel.com
Thu Oct 10 16:17:55 PDT 2013
Ted,
I agree that it's a bit risky to use c++-analyzer directly, but it usually works. Anyway, here's a slightly modified version that shows the two bad null deref errors when run using:
checker-275's scan-build:

    scan-build c++ -c nullderef.cpp

and the output shows it is using the clang that came with checker-275.
The code is:
==================================
#include <stdlib.h>
#include <stdint.h>   /* for uint16_t */

extern bool x, y, z;

uint16_t *foo(uint16_t *p)
{
    uint16_t *px = 0, *py = 0, *pz = 0;

    if (x) {
        px = p;
        p += 32;
    }

    if (y) {
        py = p;
        p += 32;
    }

    if (z)
        pz = p;

    /* every pointer is null-checked before it is dereferenced */
    if (px)
        *px = 0;
    if (py)
        *py = 0;
    if (pz)
        *pz = 0;

    return px;
}
==================================
The only difference is that I'm adding a return. I don't know why that would make a difference.
Michael
On Oct 9, 2013, at 8:29 PM, Ted Kremenek <kremenek at apple.com> wrote:
> "clang --analyze" doesn't produce a warning here either, so this looks like something related to c++-analyzer itself. It is possible that c++-analyzer is finding an old version of clang that has this bug.
>
> Users aren't really supposed to use c++-analyzer directly. It relies on a whole bunch of context when used within scan-build (including what version of clang to use). If you want to analyze a file directly, use "clang --analyze".
>
> On Oct 9, 2013, at 12:38 PM, Morrell, Michael <michael.morrell at intel.com> wrote:
>
>> [Previously posted to cfe-users with no response, so trying here]
>>
>> With the following code:
>>
>> =================================
>> #include <stdlib.h>
>> #include <stdint.h>   /* for uint16_t */
>> extern bool x, y, z;
>>
>> void foo(uint16_t *p)
>> {
>>     uint16_t *px = NULL, *py = NULL, *pz = NULL;
>>
>>     if (x) {
>>         px = p;
>>         p += 32;
>>     }
>>
>>     if (y) {
>>         py = p;
>>         p += 32;
>>     }
>>
>>     if (z)
>>         pz = p;
>>
>>     if (px != NULL)
>>         px[0] = 0;
>>     if (py != NULL)
>>         py[0] = 0;
>>     if (pz != NULL)
>>         pz[0] = 0;
>> }
>> =================================
>>
>> Running:
>>
>> checker-275/libexec/c++-analyzer -c foo.cpp gives:
>>
>>
>> foo.cpp:25:15: warning: Array access (from variable 'py') results in a null pointer dereference
>> py[0] = 0;
>> ~~ ^
>> foo.cpp:27:15: warning: Array access (from variable 'pz') results in a null pointer dereference
>> pz[0] = 0;
>> ~~ ^
>> 2 warnings generated.
>>
>> All variables are checked for NULL right before the dereference. It is OK with "px", but not "py" or "pz".
>>
>> As an aside, running "scan-build c++ -c foo.cpp" says there are no bugs. I don't know why that would be different.
>>
>> Should I just file a bug for this?
>>
>> Michael
>> _______________________________________________
>> cfe-dev mailing list
>> cfe-dev at cs.uiuc.edu
>> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev
>