[cfe-dev] [analyzer] Should analyzer report about potential null-dereferencing?
Artem Dergachev via cfe-dev
cfe-dev at lists.llvm.org
Fri Apr 17 03:04:49 PDT 2020
Why would the analyzer report potential null in the second example? I
honestly don't see anything wrong with this code. There's no indication
anywhere that the pointer may be null.

A sink node simply indicates that the execution path is impossible. In
this case it indicates that after the analyzer admits that the pointer
was dereferenced (in order to proceed with the analysis), it must also
admit that the pointer wasn't null to begin with. It's not absolutely
necessary to generate an explicit sink node in this case but there's not
much harm in that either.

On 4/16/20 5:28 PM, Denis Petrov via cfe-dev wrote:
>
> The next code generates a sink node and a bug report:
>
>
> int setPtr(const int&);
> int* getPtr();
> void f(bool is, const int x, const int y)
> {
>     const int *ptr = &x;
>     if (is) {
>         ptr = nullptr;
>     }
>     setPtr(*ptr);
> }
>
>
> But the next code just generates a sink node *without* a bug report:
>
>
> int setPtr(const int&);
> int* getPtr();
> void f(bool is, const int x, const int y)
> {
>     const int *ptr = &x;
>     if (is) {
>         ptr = getPtr();
>     }
>     setPtr(*ptr);
> }
>
>
> Why does the analyzer act like that? Is there any command line option to
> turn this on?
>
> ------------------------------------------------------------------------
> *Denys Petrov*
> Senior С++ Developer | Kharkiv, Ukraine
>
>
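
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Clang's code: a simplified model of what happens at `setPtr(*ptr)` on each path through `f()`. The names `Ptr`, `Path`, `Result` and `dereference` are hypothetical, and the three-valued pointer state is an assumption that stands in for the analyzer's real constraint tracking.

```cpp
#include <string>
#include <vector>

// Simplified model (an assumption of this example, not Clang's implementation)
// of what is known about `ptr` on one execution path at the dereference.
enum class Ptr { Null, NonNull, Unknown };  // Unknown: result of opaque getPtr()

struct Path { std::string name; Ptr ptr; };

struct Result {
    std::vector<std::string> reports;  // paths on which a bug report is emitted
    std::vector<std::string> sinks;    // states where exploration stops
    std::vector<std::string> live;     // states that continue past `*ptr`
};

Result dereference(const std::vector<Path>& paths) {
    Result r;
    for (const Path& p : paths) {
        switch (p.ptr) {
        case Ptr::Null:
            // The code itself made the pointer null: report, then stop.
            r.reports.push_back(p.name);
            r.sinks.push_back(p.name);
            break;
        case Ptr::Unknown:
            // Nothing says the pointer may be null. After the dereference the
            // null case is treated as impossible (sink, no report) and only
            // the non-null case continues.
            r.sinks.push_back(p.name + " [ptr == null]");
            r.live.push_back(p.name + " [ptr != null]");
            break;
        case Ptr::NonNull:
            r.live.push_back(p.name);  // e.g. ptr = &x
            break;
        }
    }
    return r;
}

// The two versions of f() from the thread, one entry per branch of `if (is)`.
Result firstExample() {   // ptr = nullptr
    return dereference(std::vector<Path>{Path{"is == false", Ptr::NonNull},
                                         Path{"is == true", Ptr::Null}});
}
Result secondExample() {  // ptr = getPtr()
    return dereference(std::vector<Path>{Path{"is == false", Ptr::NonNull},
                                         Path{"is == true", Ptr::Unknown}});
}
```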