[LLVMbugs] [Bug 22289] New: False positive 'Assigned value is garbage or undefined'

bugzilla-daemon at llvm.org
Wed Jan 21 15:55:17 PST 2015


http://llvm.org/bugs/show_bug.cgi?id=22289

            Bug ID: 22289
           Summary: False positive 'Assigned value is garbage or
                    undefined'
           Product: clang
           Version: 3.5
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: Static Analyzer
          Assignee: kremenek at apple.com
          Reporter: me at wilfred.me.uk
                CC: llvmbugs at cs.uiuc.edu
    Classification: Unclassified

Given the following program:

// START

#include <string.h>
#include <stdlib.h>

void eval_program(char *program) {
    int program_len = strlen(program);
    int instruction_index = 0;

    char c;
    while (instruction_index < program_len) {
        c = *(program + instruction_index);

        switch (c) {
        default:
            instruction_index++;
            break;
        }
    }
}

char *read_stdin() {
    char *s = NULL;

    s = malloc(1);
    s[0] = '\0';

    return s;
}
int main() {
    char *program = read_stdin();
    eval_program(program);
    free(program);

    return 0;
}

// END

I get the following false positive warning:

$ scan-build -v clang -Wall -g -std=c99 main.c 
scan-build: Using '/usr/bin/clang' for static analysis
scan-build: Emitting reports for this run to
'/tmp/scan-build-2015-01-21-234825-5905-1'.
main.c:10:11: warning: Assigned value is garbage or undefined
        c = *(program + instruction_index);
          ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
scan-build: 1 bug found.

I'm using clang v3.5.1. It seems that it's not able to reason that the string
access is within the legal range:

4   void eval_program(char *program) {
5       int program_len = strlen(program);
6       int instruction_index = 0;
7
8       char c;
9       while (instruction_index < program_len) {
      2 ← Assuming 'instruction_index' is < 'program_len'
      3 ← Loop condition is true. Entering loop body
      6 ← Assuming 'instruction_index' is < 'program_len'
      7 ← Loop condition is true. Entering loop body
10          c = *(program + instruction_index);
      8 ← Assigned value is garbage or undefined
11
12          switch (c) {
      4 ← Control jumps to the 'default' case at line 13
13          default:
14              instruction_index++;
15              break;
      5 ← Execution continues on line 9
16          }
17      }
18  }

-- 
You are receiving this mail because:
You are on the CC list for the bug.