[cfe-dev] [analyzer] Questions about the null dereference checker

Let's examine this code snippet:


  void simply_deref_null() {
    int *p = 0;
    *p ;     // no warning?
    *p = 42; // warns!
  }

Turns out the NullDereference checker treats the two pointer derefs

For simply reading through a null pointer is allowed but storing a value is


Why don't we prohibit reading through null pointers?
By returning a null pointer from a function, suddenly we no longer report
an error:


  int *get() { return 0; }

  void foo() {
    int *p = get();
    *p = 42; // no warning?
  }

According to my investigation the bug is actually found and a sink node will be
generated in the exploded graph, but the bug report will be marked as
invalid by the ReturnVisitor.

This behavior could be altered to prevent such suppression from happening by
setting the `suppress-null-return-paths` analyzer option to `true`.


Am I right that this is the intentional behavior, and that if we want to catch
bugs like this, we should enable the aforementioned option?