[cfe-dev] Before we go cleaning up LLVM+Clang of all Static Analyzer Warnings...

Apelete Seketeli via cfe-dev cfe-dev at lists.llvm.org
Thu May 12 14:05:08 PDT 2016


On Thu, May-12-2016 at 11:33:28 AM -0700, David Blaikie wrote:
> On Fri, May 6, 2016 at 3:09 AM, Apelete Seketeli <apelete at seketeli.net>
> wrote:
> 
> > Hi David,
> >
> > On Thu, May-05-2016 at 11:20:06 AM -0700, David Blaikie wrote:
> >
> > > * Initializing variables that are only used when initialized through some
> > > existing codepath - this can make tools like Memory Sanitizer less useful,
> > > because now the value is initialized even in some path where that valu is
> > > never intended to be used
> >
> > * I guess this case could be related to http://reviews.llvm.org/D19971
> >   and http://reviews.llvm.org/D19975 for instance.
> >   I wasn't happy with the fixes in the first place but I
> >   ended-up trusting the tool because it proposed a codepath where the
> >   variables were used without being initialized. I don't know about
> >   msan (yet :) but if the warnings are false positives is there a way
> >   to tell scan-build in such cases ?
> >
> 
> My first guess with any warning like this would be that there's some
> complex invariant (eg: A implies B, so if the variable is conditionally
> initialized under A then used under B it's actually fine) that is obvious
> enough in the code, but opaque to the static analyzer.
> 
> My first guess would be to assert this (assert the condition of A in the
> use under B) and only if we find a case where that fails, add a test case
> and initialize the variable as appropriate. Adding the variable
> initialization without a test case seems suspect.
> 
> MSan is a tool for dynamic analysis - it would track the uninitialized
> memory and tell us when/where we've used it without initializing it.

Ok, the invariant example is a good insight I wish I kept in mind when
I started. I took interest in Clang Static Analyzer reports because I
wondered how the tool works (and how well). Knowing how to treat the
warnings will definitely help making better decisions (and better
patches).

Any further advice will be greatly appreciated :).

> > > * Adding assertions for pointers that are known to be non-null - in some
> > > cases this is helpful, when the algorithm that ensures the non-null-ness is
> > > sufficiently opaque. But for function parameters - we have /lots/ of
> > > non-null function parameters. I think it'd be impractical to assert on all
> > > of them.
> >
> > * This is where I ended-up asserting function parameters in a
> >   mechanical manner to some extent (as a result of 40+ warnings about
> >   some object pointers being null). Let's take http://reviews.llvm.org/D19385
> >   for instance.
> >   The right fix in that case was to pass the non-null parameter by
> >   reference instead of asserting its value, not unlike what you were
> >   discussing in the previous post (sorry I'm not quoting the right
> >   post here). For the cases where using references might not be
> >   possible, how do we deal with the warnings ?
> >
> 
> I think the tool needs to be fixed, or not used on the LLVM codebase if it
> assumes all pointer parameters may be null. But it seems like it doesn't
> assume that or I would expect way more errors from the tool, no? I was
> pretty sure the Clang Static Analyzer had been designed to only warn about
> null dereferences if it saw a pointer null test somewhere in the function
> for that pointer.
> 
> Do you know what's going on here?

Judging from the 55 warnings I got by running the analyzer on
LLVM+Clang+Compiler-RT codebase when I started, it does *not* seem to
assume all pointer parameters may be null indeed.
However, the tool seems to be able to warn not only about "null
dereferences if it saw a pointer null test", but also about null
dereferences if it saw a may-be-null pointer passed as a parameter
in a function call in the same compilation unit.

This last sentence should read: the tool also seems to be able to follow the
function call flow inside a compilation unit and warn about null
dereferences at any point during that call flow (e.g.
http://reviews.llvm.org/D19084 in lib/AST/NestedNameSpecifier.cpp).

Some of these latter warnings may well be false positives I agree, but
what makes it hard to ignore is when the tool actually suggests a call
path to the null dereference. Ignoring it then looks to me like a
case of "the pointer is *expected* to be non-null, so the warning
should be ignored regardless of the hints provided by the tool".

I'd rather add an assert in a defensive stance in that case, but
that's just me; in the end I take the reviewer's advice into account :).

Cheers.
-- 
        Apelete



More information about the cfe-dev mailing list