[LLVMbugs] [Bug 14537] New: False positive: Access to field ... results in a dereference of a null pointer

bugzilla-daemon at llvm.org bugzilla-daemon at llvm.org
Fri Dec 7 06:30:49 PST 2012 

http://llvm.org/bugs/show_bug.cgi?id=14537

             Bug #: 14537
           Summary: False positive: Access to field ... results in a
                    dereference of a null pointer
           Product: clang
           Version: 3.2
          Platform: Macintosh
        OS/Version: MacOS X
            Status: NEW
          Severity: normal
          Priority: P
         Component: Static Analyzer
        AssignedTo: kremenek at apple.com
        ReportedBy: hanauska at equinux.com
                CC: llvmbugs at cs.uiuc.edu
    Classification: Unclassified


Created attachment 9650
  --> http://llvm.org/bugs/attachment.cgi?id=9650
Test C File

See attached file. When analyzing, I get the following warning:

test.c:31:13: warning: Access to field 'foo' results in a dereference of a null
pointer (loaded from variable 'hdr')
        foo = hdr->foo;
              ~~~  ^
1 warning generated.

This is in theory correct, the `data` argument might be NULL, thus `hdr` might
be NULL as well and neither one is checked. 

Why do I think it is a false positive? The analyzer usually does not check
input arguments like this. Change `CHECK_TAG` to 0 and re-try. No warning.
However, `data` and thus `hdr` might still be NULL, regardless if `tag` is
checked or not.

I have thousands of functions that would generate warnings like the one above
if the analyzer would always assume an input argument may be NULL. Yet I get no
warnings for any of these. I only get a warning for this one function and only
because `tag` is checked here. Actually you can even replace the tag-check line
with

if (tag) {}

and you will still get the warning, even though this is a NOP that the compiler
will ignore entirely.

Also note that the fact that `tag` is NULL does *NOT* imply that data is NULL.
In case of version 1 it is ALWAYS explicitly set to NULL.

IMHO this is a false positive. Either that, or the analyzer should always check
input functions like this and in that case I would get thousands of warnings
and would have to check all input pointers of all my functions for NULL.

-- 
Configure bugmail: http://llvm.org/bugs/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

More information about the llvm-bugs mailing list