[cfe-dev] [analyzer] Speaking about reaching definitions...

Artem Dergachev via cfe-dev cfe-dev at lists.llvm.org
Thu Jun 27 13:56:19 PDT 2019


This is very loosely related to Kristof's GSoC and this is my favorite 
subject: weird assumption chains.

Consider:

   int *bar();  // returns a pointer that may or may not be null (declaration added)

   void foo1() {
     int *a = bar();
     int *b = a;
     if (b) { /* ... */ }   // collapse point: 'b' (and so 'a') is assumed null on one path
     *a = 1;                // reported: 'a' may be null
   }

This is a valid null dereference bug. Like, 'b' is probably null 
(otherwise why check?), therefore 'a', which is equal to 'b', may also 
be null.

Now consider:

   int *bar();   // declarations added so the snippet compiles
   bool coin();

   void foo2() {
     int *a = bar();
     int *b = nullptr;      // plain-null definition of 'b'
     if (coin()) {
       b = a;               // second definition of 'b'
     }
     if (b) { /* ... */ }   // collapse point: the check is justified by the nullptr path alone
     *a = 1;                // reported today, but a false positive
   }

In foo2 we will report a null dereference as well, however the null 
check for 'b' is well-justified even if bar() never returns null, 
therefore it's a false positive.

How 'bout we suppress the null dereference warning when the 
reaching-definition analysis for 'b' that starts at 'if (b)' - i.e. at 
the collapse point - yields multiple definitions and one of them is a 
plain null?

Note that the plain-null definition would never be a part of the bug 
path because it would not have a corresponding collapse point (it's 
already a concrete null).
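To make the proposed heuristic concrete, here is an added example (not Artem's code and not clang's implementation) that runs a textbook reaching-definitions analysis over a constructed toy CFG for foo1 and foo2 and applies the rule above: at the collapse point 'if (b)', suppress when more than one definition of 'b' reaches and at least one of them is a plain null. The IR, the CFG class and the function names are assumptions made for this illustration.

```python
from collections import namedtuple

# Constructed toy IR (not clang's CFG). Statements are tuples:
#   ("def", var, value)   value is "null" for a plain null,
#                         ("copy", src) for an assignment, ("call", fn) for a call result
#   ("check", var)        a branch on var, i.e. a collapse point
#   ("deref", var)        a dereference of var
Def = namedtuple("Def", "block idx var value")


class CFG:
    """Blocks in reverse postorder (insertion order here) plus predecessor lists."""

    def __init__(self, blocks, edges):
        self.blocks = blocks
        self.preds = {b: [] for b in blocks}
        for src, dst in edges:
            self.preds[dst].append(src)


def all_definitions(cfg):
    return [Def(b, i, st[1], st[2])
            for b, stmts in cfg.blocks.items()
            for i, st in enumerate(stmts) if st[0] == "def"]


def reaching_definitions(cfg):
    """Forward may-analysis: IN[B] = union of OUT[P]; OUT[B] = gen[B] | (IN[B] - kill[B])."""
    defs = all_definitions(cfg)
    gen, kill = {}, {}
    for b, stmts in cfg.blocks.items():
        g, k = set(), set()
        for i, st in enumerate(stmts):
            if st[0] == "def":
                d = Def(b, i, st[1], st[2])
                g = {x for x in g if x.var != d.var}  # later def in the same block wins
                g.add(d)
                k |= {x for x in defs if x.var == d.var and x != d}
        gen[b], kill[b] = g, k
    out = {b: set() for b in cfg.blocks}
    changed = True
    while changed:  # iterate to a fixed point
        changed = False
        for b in cfg.blocks:
            inn = set().union(*(out[p] for p in cfg.preds[b]))
            new = gen[b] | (inn - kill[b])
            if new != out[b]:
                out[b], changed = new, True
    return out


def defs_reaching_stmt(cfg, out, block, idx, var):
    """Definitions of `var` that reach statement `idx` of `block`."""
    live = {d for d in set().union(*(out[p] for p in cfg.preds[block])) if d.var == var}
    for i, st in enumerate(cfg.blocks[block][:idx]):
        if st[0] == "def" and st[1] == var:
            live = {Def(block, i, var, st[2])}  # intra-block def kills everything before it
    return live


def should_suppress(cfg, block, idx):
    """The heuristic from the post, evaluated at the collapse point `if (var)`:
    suppress when several definitions reach and one of them is a plain null."""
    st = cfg.blocks[block][idx]
    assert st[0] == "check", "collapse point must be a check"
    reaching = defs_reaching_stmt(cfg, reaching_definitions(cfg), block, idx, st[1])
    return len(reaching) > 1 and any(d.value == "null" for d in reaching)


# foo1: a single block; only one definition of 'b' reaches the check.
FOO1 = CFG({"entry": [("def", "a", ("call", "bar")),
                      ("def", "b", ("copy", "a")),
                      ("check", "b"),
                      ("deref", "a")]}, [])

# foo2: the 'b = a' branch joins with the fall-through path carrying 'b = nullptr'.
FOO2 = CFG({"entry": [("def", "a", ("call", "bar")), ("def", "b", "null")],
            "then": [("def", "b", ("copy", "a"))],
            "join": [("check", "b"), ("deref", "a")]},
           [("entry", "then"), ("entry", "join"), ("then", "join")])

if __name__ == "__main__":
    print("foo1 suppressed:", should_suppress(FOO1, "entry", 2))  # False: keep the report
    print("foo2 suppressed:", should_suppress(FOO2, "join", 0))   # True: false positive
```

The plain-null definition in foo2 reaches the check without ever being the definition the analyzer's bug path collapses on, which is exactly why the heuristic can key off it: it shows the check was justified independently of bar()'s return value.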
