[cfe-dev] [analyzer] Questions about the null dereference checker

via cfe-dev cfe-dev at lists.llvm.org
Mon Sep 20 05:33:01 PDT 2021


Hi,

Let's examine this code snippet:

  void simply_deref_null() {
    int *p = 0;
    *p ; // no warning?
    *p = 42; // warns!
  }

Turns out the NullDereference checker treats the two pointer derefs
differently.

Simply reading through a null pointer is allowed, but storing a value is
prohibited.

Why don't we prohibit reading through null pointers?


----

By returning a null pointer from a function, suddenly we no longer report
an error:


  int *get() { return 0; }

  void foo() {
    int *p = get();
    *p = 42; // no warning?
  }

According to my investigation the bug is actually found and a sink node will
be generated in the Exploded graph, but the bug report will be marked as
invalid by the ReturnVisitor.

This behavior could be altered to prevent such suppression from happening by
setting the `suppress-null-return-paths` analyzer option to `true`.


Am I right that this is the intentional behavior and if we want to catch
bugs like this, then we should enable the aforementioned option?

/CC NoQ


Regards,

Balazs
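
Added example, not part of Balazs's message and not code from the clang project: a small POSIX shell script that writes both snippets from the message into one constructed C file, runs the Clang static analyzer on it with `suppress-null-return-paths` set to each of its two values, and counts the core.NullDereference reports that survive under each setting, so the effect of the option on the `foo()` report can be observed directly. It assumes `clang` is on PATH; the option name is the one quoted in the message, and its default value in clang is `true` (suppression on), so the loop runs both values rather than assuming which one is wanted.

```shell
#!/bin/sh
# Added example, not code from the original post or from the clang project:
# run the Clang static analyzer over the two snippets from the post with the
# null-return-path suppression heuristic set both ways and count the
# core.NullDereference reports each setting produces.
# Assumptions: 'clang' is on PATH; the option name 'suppress-null-return-paths'
# is the one quoted in the post (its default in clang is true, i.e. suppression on).

# Write the constructed sample input (both functions from the post) to $1.
write_sample() {
  cat > "$1" <<'EOF'
void simply_deref_null(void) {
  int *p = 0;
  *p;       /* load through null: does the checker report it? */
  *p = 42;  /* store through null */
}

int *get(void) { return 0; }

void foo(void) {
  int *p = get();
  *p = 42;  /* store through a null that came back from an inlined callee */
}
EOF
}

# Print the analyzer command line for C file $1 with
# suppress-null-return-paths=$2 ('true' or 'false').
# -Xanalyzer forwards the following argument to the analyzer (cc1).
analyzer_cmd() {
  printf '%s\n' "clang --analyze -Xanalyzer -analyzer-config -Xanalyzer suppress-null-return-paths=$2 -Xanalyzer -analyzer-output=text $1"
}

# Count core.NullDereference reports in analyzer output read from stdin.
# grep -c prints 0 and exits 1 when nothing matches; that is not an error here.
count_null_derefs() {
  grep -c 'warning: Dereference of null pointer' || true
}

# Run both settings on the sample file and show what survives under each.
run_both() {
  command -v clang >/dev/null 2>&1 || { echo "clang not on PATH; skipping" >&2; return 0; }
  dir=$(mktemp -d) || return 1
  src="$dir/null_deref.c"
  write_sample "$src"
  for setting in true false; do
    echo "== suppress-null-return-paths=$setting =="
    # Word-split the printed command line into argv; the temp path has no spaces.
    out=$( $(analyzer_cmd "$src" "$setting") 2>&1 ) || true
    printf '%s\n' "$out" | grep -E 'warning:|note:' || echo "(no diagnostics)"
    printf '%s core.NullDereference report(s)\n' "$(printf '%s\n' "$out" | count_null_derefs)"
  done
  rm -rf "$dir"
}

run_both
```

The `-analyzer-output=text` flag makes the analyzer print the full bug path (the `note:` lines) to stderr, which is what shows whether the path through `get()` was inlined and where the ReturnVisitor would have acted; comparing the two counts printed for `true` and `false` answers the question of which setting lets the `foo()` report through.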
