[LLVMbugs] [Bug 18915] New: static analyzer fails to evaluate strlen
bugzilla-daemon at llvm.org
bugzilla-daemon at llvm.org
Thu Feb 20 16:24:22 PST 2014
http://llvm.org/bugs/show_bug.cgi?id=18915
Bug ID: 18915
Summary: static analyzer fails to evaluate strlen
Product: clang
Version: trunk
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P
Component: Static Analyzer
Assignee: kremenek at apple.com
Reporter: ed0.88.prez at gmail.com
CC: llvmbugs at cs.uiuc.edu
Classification: Unclassified
Example from the Juliet test suite:
$ cat strlenbug.c
#include <stdlib.h>
#include <string.h>
void f()
{
char *c = (char *)malloc(100*sizeof(char));
if (!c)
return;
c[0] = '\0';
size_t cLen = strlen(c);
if (100-cLen > 1)
; //ok
else {
if (c[1] == '\0') // should not go here!
;
}
free(c);
}
EOF
When I run the analyzer I get:
$ scan-build --use-analyzer /usr/bin/clang -o buildres/ clang -c strlenbug.c -o
/dev/null > /dev/null
strlenbug.c:14:18: warning: The left operand of '==' is a garbage value
if (c[1] == '\0') // should not go here!
~~~~ ^
1 warning generated.
In the html-generated file, the analyzer takes the 'false' branch for the
condition "100-cLen > 1", which is not possible, but if I replace line 10 with
the inlined version of strlen():
size_t cLen = 0;
while(c[cLen] != '\0')
++c;
the report goes away (and alpha checker reports correctly "never executed"
warning for the expressions '++c;' and 'if (c[1] == '\0')').
Unrelated problem: if I remove the 'does malloc return null' line, I don't get
any message regarding the possible null pointer dereference in "c[0] = '\0';"
when malloc fails, even with alpha check enabled.
--
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20140221/af6d999c/attachment.html>
More information about the llvm-bugs
mailing list