[llvm-bugs] [Bug 4550] track linear constraints
via llvm-bugs
llvm-bugs at lists.llvm.org
Fri Nov 13 15:35:07 PST 2015
https://llvm.org/bugs/show_bug.cgi?id=4550
Devin Coughlin <dcoughlin at apple.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
                 CC|                            |dcoughlin at apple.com
            Version|unspecified                 |trunk
         Resolution|FIXED                       |---
--- Comment #5 from Devin Coughlin <dcoughlin at apple.com> ---
Reopening because the static analyzer still does not track linear constraints.
The attached example (reproduced below) no longer shows a false positive in
more recent clangs because the analyzer changed its heuristics about when to
analyze functions at the top level, without context.
With these changed heuristics, the analyzer doesn't analyze msort() as a
top-level function but rather only in context (inlining) for the three calls in
main(). If you were to comment out main, the analysis would analyze msort() at
the top-level (making no assumptions about len) and show the false positive
again: "Dereference of null pointer (loaded from variable 'q')".

#include <stdlib.h>
#include <stdio.h>

static int dummy = 42;

void
msort(int len)
{
    int *p, *q = NULL;
    int half, n;

    if (len <= 1)
        return;
    half = len >> 1;
    p = &dummy;
    for (n = half; --n >= 0; ) {
        q = p;
    }
    printf("%d\n", *q); // <-- False positive here.
}

int
main(int argc, char **argv)
{
    msort(1);
    msort(2);
    msort(3);
    return (0);
}
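
An added example, not part of the original bug report or its attachment: it checks at run time the fact the analyzer does not derive (len > 1 means the loop body runs at least once) and states it with assert() before the dereference, so the path with q == NULL ends at the assertion. The names loop_iterations() and msort_checked() are hypothetical.

```c
#include <assert.h>
#include <stddef.h>

static int dummy = 42;

/* Hypothetical helper: counts how often the loop body from the report runs. */
int loop_iterations(int len)
{
    int half, n, count = 0;

    if (len <= 1)
        return 0;
    half = len >> 1;            /* len >= 2 implies half >= 1 */
    for (n = half; --n >= 0; )
        count++;
    return count;
}

/* Hypothetical variant of msort() that returns the value it would print. */
int msort_checked(int len)
{
    int *p, *q = NULL;
    int half, n;

    if (len <= 1)
        return -1;              /* early exit, as in the original */
    half = len >> 1;
    p = &dummy;
    for (n = half; --n >= 0; )
        q = p;
    /* Invariant that is not derived from len > 1 alone. A failing assert
       does not return, so the path with q == NULL stops here. */
    assert(q != NULL);
    return *q;
}

int main(void)
{
    /* Every len > 1 in this range gives at least one iteration. */
    for (int len = 2; len <= 1000; len++)
        assert(loop_iterations(len) >= 1);
    return msort_checked(3) == 42 ? 0 : 1;
}
```

When NDEBUG is defined, assert() expands to nothing, so the stated invariant is only visible in builds and analyzer runs without it.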