[LLVMbugs] [Bug 16129] New: scan-build null dereference false positive
bugzilla-daemon at llvm.org
Thu May 23 12:58:31 PDT 2013
http://llvm.org/bugs/show_bug.cgi?id=16129
Bug ID: 16129
Summary: scan-build null dereference false positive
Product: clang
Version: 3.2
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P
Component: Static Analyzer
Assignee: kremenek at apple.com
Reporter: nbowler at draconx.ca
CC: llvmbugs at cs.uiuc.edu
Classification: Unclassified
Created attachment 10575
--> http://llvm.org/bugs/attachment.cgi?id=10575&action=edit
Annotated source file.
Consider the following C program (key locations marked in comments):
    #include <stdio.h>
    #include <stdlib.h>

    int main(int argc, char **argv)
    {
        int *x = NULL, n = argc;

        if (!x && !argv[n]) /* (A) */
            return EXIT_FAILURE;

        if (argv[n]) /* (B) */
            ;
        else
            printf("%d\n", *x); /* (C) */

        return EXIT_SUCCESS;
    }
The scan-build report suggests that a NULL pointer dereference is possible by
the following path:
1: false branch at (A)
2: false branch at (B)
3: NULL dereference at (C).
This is clearly a false positive. Taking the false branch at (A) implies
that at least one of x and argv[n] is non-zero (ignore the fact that
in this test case both values are always zero). Taking the false branch at
(B) implies that argv[n] is zero. So given the first 2 decisions, we can
conclude that x must be non-zero at (C), and thus there is no NULL
dereference.
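
The path argument above can be checked mechanically. The following is an added example, not part of the original report or of the analyzer: it enumerates every concrete state and tests whether the reported path is feasible. The names path, path_feasible and null_deref_states are hypothetical, and x and argv[n] are modelled as free inputs.

```c
#include <stdbool.h>
#include <stdio.h>

/* Branch outcomes along one path through the reported test case. */
struct path {
    bool a_taken;   /* (A): !x && !argv[n] evaluated true */
    bool b_taken;   /* (B): argv[n] evaluated true */
    bool x_is_null; /* value of x assumed at (C) */
};

/* True if some concrete state (x null or not, argv[n] null or not)
 * yields exactly the outcomes in p. x and argv[n] are modelled as free
 * inputs (assumption), although the real program fixes x to NULL. */
static bool path_feasible(struct path p)
{
    for (int x_null = 0; x_null <= 1; x_null++)
        for (int arg_null = 0; arg_null <= 1; arg_null++) {
            bool a = x_null && arg_null; /* condition at (A) */
            bool b = !arg_null;          /* condition at (B) */
            if (a == p.a_taken && b == p.b_taken &&
                (x_null != 0) == p.x_is_null)
                return true;
        }
    return false;
}

/* Number of concrete states that reach (C) while x is NULL. */
static int null_deref_states(void)
{
    int count = 0;
    for (int x_null = 0; x_null <= 1; x_null++)
        for (int arg_null = 0; arg_null <= 1; arg_null++) {
            bool returned_at_a = x_null && arg_null;
            if (!returned_at_a && arg_null && x_null)
                count++; /* passed (A), else-branch of (B), x NULL */
        }
    return count;
}

int main(void)
{
    struct path reported = { false, false, true };
    printf("reported path feasible: %d\n", path_feasible(reported));
    printf("NULL-deref states at (C): %d\n", null_deref_states());
    return 0;
}
```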