[cfe-dev] Undiagnosed null pointer dereference

Martin J. O'Riordan via cfe-dev cfe-dev at lists.llvm.org
Mon Sep 11 01:48:14 PDT 2017


Thanks John,

I decided to try this with GCC v4.8.3, v6.3.0 and VC2015, and none of these compilers detect it either.  However, as you expected, the static analyser does identify this perfectly:

ANALYZE (Syntax): bug.cpp func(int *)
ANALYZE (Path,  Inline_Regular): bug.cpp func(int *)
bug.cpp:5:13: warning: Dereference of null pointer (loaded from variable 'b')
    int c = *b;
            ^~
1 warning generated.

All the best,

            MartinO

 

From: rjmccall at apple.com [mailto:rjmccall at apple.com]
Sent: 08 September 2017 20:55
To: Martin J. O'Riordan <MartinO at theheart.ie>
Cc: clang developer list <cfe-dev at lists.llvm.org>
Subject: Re: [cfe-dev] Undiagnosed null pointer dereference

On Sep 8, 2017, at 12:53 PM, Martin J. O'Riordan via cfe-dev <cfe-dev at lists.llvm.org> wrote:

I was looking at a bug that a customer reported to me, and have reduced the code to the following fragment:

void func(int *z) {
  int *b = 0; // This is the customer bug

  for (int j = 0; j < 16; j++) {
    int c = *b;
    c -= *z++;
    *b++ = c;
  }
}

It is clearly undefined behaviour, and this produces the following IR:

; Function Attrs: norecurse nounwind
define void @func(i32* nocapture readonly) local_unnamed_addr #0 {
  unreachable
}

which emits a label for the function in assembly, but no instructions.  But if I comment out any of the lines in the loop, I get:

; Function Attrs: norecurse nounwind readnone
define void @func(i32* nocapture) local_unnamed_addr #0 {
  ret void
}

then it emits a function which returns immediately.

I was surprised though, that even with '-Wall -Wextra' the de-reference of the null pointer is not diagnosed.

The compiler frontend doesn't normally do the kind of cross-statement data-flow analysis that would be necessary to report this.  I'm sure the static analyzer would report it, though.   It would also be exposed dynamically if you built with UBSan.

I don't really see a bug here.

John.

I guess this is a bug, but I haven't yet gone through the process of reporting bugs.

            MartinO
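The function in the thread writes through a pointer that is always null, and because that is undefined behaviour the optimiser may legitimately replace the whole body with `unreachable`, which is exactly the IR shown above. The following is an added example, not code from the thread or from clang: it keeps the posted loop but gives `b` a caller-supplied buffer, and places it beside a guarded variant that rejects null inputs before any dereference. The names `func_fixed`, `func_checked`, `demo_at` and `demo_null`, and the sample data, are invented for this illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not code from the original thread.  The posted `func`
 * dereferences a pointer that is always null; the optimiser is entitled
 * to fold the whole function to `unreachable`.  Names below are invented
 * for this illustration. */

enum { N = 16 };

/* Same loop shape as the posted code with the bug removed: the caller
 * supplies the output buffer instead of the function inventing a null one. */
void func_fixed(int *b, const int *z) {
  for (int j = 0; j < N; j++) {
    int c = *b;
    c -= *z++;
    *b++ = c;
  }
}

/* Defensive variant: reject null inputs explicitly.  The check sits BEFORE
 * any dereference, so the compiler must keep it.  A check placed after a
 * `*b` would be dead code by the same undefined-behaviour argument, since
 * the compiler may assume a pointer that was just dereferenced is non-null. */
int func_checked(int *b, const int *z) {
  if (b == NULL || z == NULL)
    return -1;  /* caller bug: report it rather than crash or vanish */
  func_fixed(b, z);
  return 0;
}

/* Constructed sample input: out[j] starts at 100 and z[j] == j, so after
 * the call out[j] == 100 - j.  Returns out[i], or -1 on error/out of range. */
int demo_at(int i) {
  int out[N];
  int z[N];
  for (int j = 0; j < N; j++) {
    out[j] = 100;
    z[j] = j;
  }
  if (func_checked(out, z) != 0)
    return -1;
  return (i >= 0 && i < N) ? out[i] : -1;
}

/* The guard in action: a null buffer is reported, not dereferenced. */
int demo_null(void) {
  int z[N] = {0};
  return func_checked(NULL, z);
}

int main(void) {
  printf("out[3] = %d\n", demo_at(3));       /* 97 */
  printf("null buffer -> %d\n", demo_null()); /* -1 */
  return 0;
}
```

To surface the original defect the way John suggests, run the static analyzer over the posted fragment with `clang --analyze bug.cpp`, or build it with `clang -fsanitize=undefined bug.cpp` and call `func` at runtime; UBSan inserts its null check in the frontend, so it reports the dereference even though the optimiser would otherwise have folded the function to `unreachable`. Neither `-Wall` nor `-Wextra` will catch it, for the reason John gives: the warning needs cross-statement data-flow, which is the analyzer's job, not the frontend's.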


_______________________________________________
cfe-dev mailing list
cfe-dev at lists.llvm.org
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev