[llvm-bugs] [Bug 39042] New: scan-build reports false positive nullptr dereference because it apparently incorrectly tracks properties of std::initializer_list as argument of a constructor

via llvm-bugs llvm-bugs at lists.llvm.org
Fri Sep 21 15:22:54 PDT 2018


https://bugs.llvm.org/show_bug.cgi?id=39042

            Bug ID: 39042
           Summary: scan-build reports false positive nullptr dereference
                    because it apparently incorrectly tracks properties of
                    std::initializer_list as argument of a constructor
           Product: clang
           Version: 7.0
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: Static Analyzer
          Assignee: dcoughlin at apple.com
          Reporter: thomas.ullmann at mpibpc.mpg.de
                CC: llvm-bugs at lists.llvm.org

Created attachment 20908
  --> https://bugs.llvm.org/attachment.cgi?id=20908&action=edit
The full source and output of scan-build including the html-output

I encountered false positive reports of nullptr dereferences
when constructing objects from std::initializer_list and storing
information from the initializer lists in member arrays. The
actual problem occurred with nested initializer lists, but I
could also reproduce the problem with a simple 1D case:

/*---------------------------------------------------------
 The test program
-----------------------------------------------------------*/

#include <memory>
#include <initializer_list>
#include <iostream>

class TestClass
{
    public:
        size_t* ptr_;

        TestClass() : ptr_(nullptr) {}

        TestClass(const std::initializer_list<size_t> &ini)
            : TestClass()
        {
            // check whether the list contains elements
            // The scan-build HTML-report wrongly suggests
            // that this condition is true and that the constructor
            // returns from here resulting in no change to ptr_.
            if (ini.size() == 0)
            {
                return;
            }

            // save the number of elements in *ptr_
            // The program actually arrives here as it should.
            ptr_ = new size_t;
            *ptr_ = ini.size();
        }

        ~TestClass() { delete ptr_; }
};

int main ()
{
    // Scan-build doesn't recognize that testObj.ptr_ is not nullptr
    // after constructing the object from the initializer list.
    TestClass testObj =
    {
        1,
    };

    // This correctly outputs 1, and the program also gives no errors
    // when checked with valgrind. However, scan-build reports a
    // nullptr dereference.
    std::cout << "*testObj.ptr_ = " << *testObj.ptr_ << std::endl;

    return 0;
}
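
The two constructor paths the analyzer has to keep apart, as an added example that is not the reporter's code: a variant of TestClass (here called CountedList, a hypothetical name) that keeps the same early return on an empty list, stores the count in a std::unique_ptr, and guards the read so the empty-list case is observable instead of a null dereference.

```cpp
#include <cstddef>
#include <initializer_list>
#include <memory>

// Variant of the reporter's TestClass (constructed for this example).
// Same early-return-on-empty-list logic; the element count lives in a
// std::unique_ptr and reads go through a guarded accessor.
class CountedList
{
    public:
        std::unique_ptr<size_t> count_;

        CountedList() = default;

        CountedList(std::initializer_list<size_t> ini)
        {
            // This is the path scan-build reports for the {1,} case.
            // At runtime it is only taken when the braced list is empty.
            if (ini.size() == 0)
            {
                return;
            }
            count_ = std::make_unique<size_t>(ini.size());
        }

        // Guarded read: 0 when the early-return path was taken.
        size_t count() const { return count_ ? *count_ : 0; }
        bool has_count() const { return static_cast<bool>(count_); }
};

// Non-empty list: the constructor falls through and stores the size.
size_t count_of_three()
{
    CountedList obj = {1, 2, 3};
    return obj.count();
}

// Same shape as the reporter's reproducer: a single element with a
// trailing comma still yields a list of size 1, not an empty list.
bool nonempty_list_sets_count()
{
    CountedList obj = {1,};
    return obj.has_count() && obj.count() == 1;
}

// Only an actually empty initializer_list reaches the early return.
bool empty_list_leaves_null()
{
    std::initializer_list<size_t> empty = {};
    CountedList obj(empty);
    return !obj.has_count();
}
```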
