[cfe-dev] clang and clang-sa do not detect uninitialized variable

Ali Shuja Siddiqui (alissidd) via cfe-dev cfe-dev at lists.llvm.org
Tue May 4 07:30:14 PDT 2021


Hi Nathan,
Thanks for the reply. Can you please elaborate on how to let clang-sa learn about printf? I tried using CTU analysis [1], but I’m unsure how to add mappings for libc functions.

Thanks,
Ali

[1] https://clang.llvm.org/docs/analyzer/user-docs/CrossTranslationUnit.html

From: Nathan Sidwell <nathanmsidwell at gmail.com> on behalf of Nathan Sidwell <nathan at acm.org>
Date: Friday, April 30, 2021 at 9:00 AM
To: Ali Shuja Siddiqui (alissidd) <alissidd at cisco.com>, cfe-dev at lists.llvm.org <cfe-dev at lists.llvm.org>
Subject: Re: [cfe-dev] clang and clang-sa do not detect uninitialized variable

On 4/29/21 4:41 PM, Ali Shuja Siddiqui (alissidd) via cfe-dev wrote:
> Hello,
>
> With the following code
>
> //-------------------------
> #include <stdio.h>
>
> extern int t;
>
> void use_b (int *b){
>      printf("%p\n",b);
> }
>
> void func(){
>      int b;
>      use_b(&b);
>      if (b)
>          b+=33;
> }
> //---------------------------
>
> Running clang -Wuninitialized or running clang --analyze, I don’t see any
> warning for uninitialized variables. However, if I change the code to:
>
> //----------------------
> #include <stdio.h>
>
> extern int t;
>
> void use_b (int *b){
>      if (t==5)
>          return;
>      printf("%p\n",b);
> }
>
> void func(){
>      int b;
>      use_b(&b);
>      if (b)
>          b+=33;
> }
> //--------------------
>
> I do see this warning with the static analyzer:
>
> sa_try.c:13:9: warning: Branch condition evaluates to a garbage value [core.uninitialized.Branch]
>      if (b)
>          ^
> 1 warning generated.
>
> My question is why am I not getting any warning for the first case? Is
> it being considered that printf is updating the value of b in some way?

Presuming it has no knowledge of printf's semantics, then yes. That
function could write through the pointer (and indeed would, if 'b' was
an output parameter).

It could learn that printf doesn't do that (except for %n).

nathan


--
Nathan Sidwell
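
An added example, not code from this thread: it shows the two cases the reply describes, a callee that writes through the pointer only on some paths and a printf-family call storing through its argument via `%n`, next to a caller whose read of `b` is defined either way. The names `read_flag`, `chars_before_n` and `func_hardened` are hypothetical.

```c
#include <stdio.h>

/* Hypothetical callee: an output parameter that is written only on the
 * success path. On the early return *out is left untouched, which is the
 * path on which a caller's uninitialized local stays uninitialized. */
static int read_flag(int mode, int *out)
{
    if (mode == 5)
        return -1;      /* early return, nothing stored through out */
    *out = 1;
    return 0;
}

/* printf-family functions can store through a pointer argument: %n writes
 * the number of characters produced so far into the int it points to.
 * snprintf is used so nothing goes to stdout; the format is a literal. */
static int chars_before_n(void)
{
    int n = -1;         /* overwritten by %n below */
    char buf[16];
    snprintf(buf, sizeof buf, "abc%n", &n);
    return n;           /* 3: "abc" was produced before %n */
}

/* Caller that does not depend on what the callee did: the local is
 * initialized at its declaration and the status code is checked before
 * the value is used. */
static int func_hardened(int mode)
{
    int b = 0;
    if (read_flag(mode, &b) != 0)
        return 0;       /* callee reported that it wrote nothing */
    if (b)
        b += 33;
    return b;
}

int main(void)
{
    printf("%d %d %d\n", chars_before_n(), func_hardened(5), func_hardened(1));
    return 0;
}
```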