[cfe-dev] [analyzer] Global vs Local null-pointer dereferencing?
Valeriy Savchenko via cfe-dev
cfe-dev at lists.llvm.org
Tue May 26 08:29:28 PDT 2020
It is expected. Global variables are infamous for being extremely hard to analyze statically. Clang static analyser is no exception. Basically it analyzes functions independently (inlining some of the calls), and this model doesn’t allow it to reason about global variables. It doesn’t know when foo is called, because maybe some other function has already modified x. Even if we put a direct assignment x = 0 into foo, it is still hard to reason about. Any call to another function is a potential modification of x.
I hope that answers your question!
-Valeriy Savchenko
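As an added illustration of the model described above (this is not code from the thread, and the names foo_global, foo_local, foo_assign_then_call, reset_x, x_value_or and storage are this example's own), the following file puts the two snippets from the question side by side with a third variant that assigns x = 0 inside foo and then makes a call, and adds the runtime check a practitioner needs precisely because the analyzer does not report the global case. Feed it to `clang --analyze` to see which variants warn; it also compiles and runs as a normal program.

```c
/* Added example, not code from the thread. Three variants of the snippet from
 * the question, to run through `clang --analyze`, plus the runtime guard you
 * need because the analyzer will not flag the global case. All names here are
 * this example's own. */
#include <stdio.h>

int *x = 0;              /* zero-initialised global, as in the question */
static int storage = 42; /* valid target that reset_x() points x at */

/* Variant 1: global pointer dereferenced directly. The analyzer enters foo()
 * with x as an unconstrained SymRegion rather than 0, so no warning is
 * reported even though x is still null when the program starts. */
int foo_global(void)
{
    return *x;
}

/* Variant 2: local pointer. The initialiser is on the analysed path, so the
 * analyzer knows p == 0 and reports core.NullDereference on the load.
 * Never called at runtime: it would crash. */
int foo_local(void)
{
    int *p = 0;
    return *p;
}

/* Stand-in for a function defined in another translation unit. It is defined
 * here only so that this file links on its own; in a real code base the
 * analyzer would see just a declaration and have to assume the call may have
 * modified x. */
void reset_x(void)
{
    x = &storage;
}

/* Variant 3: direct assignment inside foo(), then a call. Any call to another
 * function is a potential modification of x, so the constraint x == 0 does
 * not survive the call. At runtime this happens to be safe only because
 * reset_x() repoints x at valid storage. */
int foo_assign_then_call(void)
{
    x = 0;
    reset_x();
    return *x;
}

/* The check the analyzer cannot do for you: read through the global only
 * after testing it, returning a caller-supplied fallback otherwise. */
int x_value_or(int fallback)
{
    if (x == 0)
        return fallback;
    return *x;
}

int main(void)
{
    printf("before reset_x: %d\n", x_value_or(-1));        /* x still null */
    reset_x();
    printf("after reset_x:  %d\n", x_value_or(-1));
    printf("foo_global:     %d\n", foo_global());
    printf("foo_assign_then_call: %d\n", foo_assign_then_call());
    return 0;
}
```

Only foo_local carries the knowledge the analyzer needs on the path it explores; in the other two variants the value of x at entry to the function, or after the call, is a symbol the analyzer cannot constrain, which is why a guard such as x_value_or belongs in the code rather than being left to the tool.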
> On 26 May 2020, at 16:11, Denis Petrov via cfe-dev <cfe-dev at lists.llvm.org> wrote:
>
> Run clang --analyze on these two code snippets:
> global ptr:
> int *x = 0;
> void foo() {
>     int y = *x;
> }
> local ptr:
> void foo() {
>     int *x = 0;
>     int y = *x;
> }
> I met a weird result.
> The global version does not generate a warning like the local one does?
> test.cpp:3:11: warning: Dereference of null pointer (loaded from variable 'x') [core.NullDereference]
> Another observation is that for the global version the analyzer does not handle the init expression (int *x = 0;), but for the local one it does. Therefore it stores x as &SymRegion{reg_$0<int * x>} for the global and 0 for the local.
>
> Example graphs attached.
>
> Who can explain why it is so?
>
> Denys Petrov
> Senior C++ Developer | Kharkiv, Ukraine
>