[LLVMbugs] [Bug 8525] New: False positive due to analyzer suggesting impossible flow
bugzilla-daemon at llvm.org
Mon Nov 1 13:21:28 PDT 2010
http://llvm.org/bugs/show_bug.cgi?id=8525
Summary: False positive due to analyzer suggesting impossible flow
Product: clang
Version: trunk
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P
Component: Static Analyzer
AssignedTo: kremenek at apple.com
ReportedBy: alexei.svitkine at gmail.com
CC: llvmbugs at cs.uiuc.edu
Consider the following simple example:
int foo(char *start)
{
    int result;
    char *end = start + 1;
    char *index = start;

    if (start == (char*)-1)
        return -1;
    while (index < end) {
        result = 0;
        break;
    }
    return result;
}
Clang analyzer warns:
mytest.c:16:2: warning: Undefined or garbage value returned to caller
        return result;
        ^      ~~~~~~
This is a false positive. Clang considers the case where the loop body is never
entered.
In this case, this cannot happen. There are two possibilities, either "end ==
start + 1", or "start + 1" resulted in an overflow and end == 0.
The overflow case is detected by:
    if (start == (char*)-1)
        return -1;
So if we don't hit that, we will always execute the loop body.
The problem also happens if the overflow check is modified to be:
    if (end == 0)
        return -1;
Now, let's consider for a moment the hypothetical case where the analyzer is
fixed to detect the overflow check above and do the right thing (not warn
because of it).
I want to argue that even without the overflow check in place, clang should
still do something different here.
Either it should not warn at all (because something like start + 1 is unlikely
to overflow and cause this code to misbehave), or it should say "assuming
integer overflow" as one of the steps leading up to the analysis warning.
This should also be the case if the value being added is any unsigned integer
(coming from a variable), and not just a literal 1 as is the case in my
example.
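As an added illustration (not part of the original report or of clang), the C code below makes the reporter's two-case argument explicit: it models pointer overflow as wrapping arithmetic on uintptr_t (an assumption; real pointer overflow is undefined behaviour) and generalizes it to an arbitrary unsigned length as the last paragraph suggests, and it shows the defensive rewrite a maintainer would typically apply so the warning cannot fire regardless of how the analyzer reasons about the loop. The function names `loop_body_reachable` and `foo_defensive` are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>

/* Models the analyzer's question for "end = start + n": is "index < end"
 * true on entry to the loop?  Overflow is modelled as wrapping uintptr_t
 * arithmetic (assumption).  The only way the body is skipped is when
 * n == 0 (a genuinely empty range, a true positive for the analyzer) or
 * when start + n wraps past UINTPTR_MAX, which for n == 1 is exactly the
 * start == (char*)-1 case that the report's guard already excludes.
 * Returns 1 if the loop body is reached, 0 otherwise. */
int loop_body_reachable(uintptr_t start, size_t n)
{
    uintptr_t end = start + n;          /* wraps iff n > UINTPTR_MAX - start */
    return start < end;
}

/* Hypothetical defensive rewrite of the report's foo(): the sentinel is
 * rejected before any pointer arithmetic, and result has a value on every
 * path, so "garbage value returned" is impossible whether or not the
 * analyzer believes the loop can be skipped. */
int foo_defensive(char *start)
{
    int result = -1;                    /* error value on every path by default */
    char *end;
    char *index;

    if (start == (char *)-1)            /* sentinel used in the report */
        return -1;
    end = start + 1;                    /* now provably no overflow for n == 1 */
    index = start;
    while (index < end) {
        result = 0;
        break;
    }
    return result;
}
```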