[cfe-dev] [analyzer] Simple Example produces an inconsistent result
Aleksei Sidorin via cfe-dev
cfe-dev at lists.llvm.org
Tue Nov 3 00:18:38 PST 2015
Hello Scott,
You have touched a very sensitive moment.
TL;DR: The reason warning does not appear is that function is not
analyzed out of context if it was inlined before. Functions are analyzed
in topological order. In your case, inlining of 'foo' does not touch
(len < 10 == true) branch so it will never be analyzed.
But, more thoroughly, CSA has some issues with topological sorting.
First, it is not clear if topological sorting is really required since
it throws some possible execution paths away (as in Scott's example).
Second, it does not work as expected because of some call graph issues
(I made some attempts to resolve them and hope to contribute these patches).
However, the assumption that function is analyzed only in given contexts
can reduce amount of false positives.
In our opinion, we should analyze all the functions and skip
out-of-context analysis of functions that are:
1. not externally visible or
2. are private class members.
But this is a subject for discussion.
> Hi All,
>
> Given the following code:
>
> // test.cpp
> int foo(int len) {
> int j = 0;
> if (len < 10)
> j = 42 / j;
> return j;
> }
>
> the command
>
> clang --analyze test.cpp
>
> issues the bug report
>
> tu.cpp:6:10: warning: Division by zero
> j = 42 / j;
> ~~~^~~
>
> However, it seems that merely introducing another function which calls
> foo() with an argument that would not trigger a division by zero nullifies
> the bug report. For instance, analyzing
>
> // test.cpp
> int foo(int len) {
> int j = 0;
> if (len < 10)
> j = 42 / j;
> return j;
> }
>
> void bar() {
> int m = 12;
> foo(m);
> }
>
> in the same way will NOT issue a bug report. Isn't this a bug in the static
> analyzer?
>
> Note: I tested this with clang 3.7.0 and 3.8.0.
--
Best regards,
Aleksei Sidorin
Software Engineer,
IMSWL-IMCG, SRR, Samsung Electronics
More information about the cfe-dev
mailing list