[LLVMbugs] [Bug 9332] New: 5 False positive in "Dereference of null pointer"

[bugzilla-daemon at llvm.org]

http://llvm.org/bugs/show_bug.cgi?id=9332

           Summary: 5 False positive in "Dereference of null pointer"
           Product: clang
           Version: trunk
          Platform: Sun
        OS/Version: OpenBSD
            Status: NEW
          Severity: normal
          Priority: P
         Component: Static Analyzer
        AssignedTo: kremenek at apple.com
        ReportedBy: amitkulz at gmail.com
                CC: llvmbugs at cs.uiuc.edu


Created an attachment (id=6242)
 --> (http://llvm.org/bugs/attachment.cgi?id=6242)
tcp_input.c null deref 1

clang version 2.9 (trunk 126522)

AMD64, OpenBSD current

5 False positives in

http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/sys/netinet/tcp_input.c?rev=1.240;content-type=text%2Fplain


in function syn_cache_respond()

Basically, once sc->sc_src.sa.sa_family is selected to be either case AF_INET
or case AF_INET6, the other case "ip header" variables which are initially
uninitialized are found to be null.

initially
struct ip *ip = NULL;
struct ip6_hdr *ip6 = NULL;

Clang arbitrarily switches case (i.e first it takes case IP4 and then
***still*** inside function it takes case IPv6,) inside this function
syn_cache_respond(), and finds the other variables as deference to null
pointers i.e if initially it was case AF_INET, ip6 is found to be NULL.

either case AF_INET or case AF_INET6 is impossible to switch once you have
entered the atomic function syn_cache_respond().

Please look at attachment to easily figure out the problem, looking at the
switch(sc->sc_src.sa.sa_family). There are 4 more attachments all in this same
function. Can't add multiple attachments?

-- 
Configure bugmail: http://llvm.org/bugs/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.