[llvm-bugs] [Bug 46215] New: UndefReturn false positive

via llvm-bugs llvm-bugs at lists.llvm.org
Fri Jun 5 08:54:29 PDT 2020


https://bugs.llvm.org/show_bug.cgi?id=46215

            Bug ID: 46215
           Summary: UndefReturn false positive
           Product: clang
           Version: trunk
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: Static Analyzer
          Assignee: dcoughlin at apple.com
          Reporter: kim.grasman at gmail.com
                CC: dcoughlin at apple.com, llvm-bugs at lists.llvm.org

The following minimal program triggers a false positive in Clang SA's
UndefReturn checker:

  // t.c
  char T(char **d) {
      char *entries[2];              // only entries[0] is ever assigned
      entries[0] = d[0];
      char *buf1 = (char *)entries;  // view the pointer array as raw bytes
      return buf1[1];                // byte 1 of entries[0], i.e. initialized
  }

  $ clang-11 -cc1 -analyze -analyzer-checker=core.uninitialized.UndefReturn t.c
  t.c:9:2: warning: Undefined or garbage value returned to caller [core.uninitialized.UndefReturn]
          return buf1[1];
          ^~~~~~~~~~~~~~
  1 warning generated.

I've tried to debug this, and it looks like the region store gets confused
about the type and size of the region. I believe I narrowed it down to this old
FIXME:
https://github.com/llvm/llvm-project/blob/e93f7e6d1ab973be717e00966f66739930361a80/clang/lib/StaticAnalyzer/Core/RegionStore.cpp#L1455.

We hit a similar issue for production code when hashing an array of pointer
values, but

a) it triggers in UndefResultChecker, not ReturnUndefChecker
b) I haven't been able to reduce it as effectively

They both seem to be based on the region store's isUndef logic, so I suspect
they're related.
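As an added example (not part of the report), here is a small check of why the warning is a false positive: the byte the reproducer returns is byte 1 of the object representation of the pointer stored in entries[0], which was assigned, while only offsets at or beyond sizeof(char *) fall into the unassigned entries[1]. The sample buffer and helper names are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* The reproducer from the report: reinterpret an array of two char* as raw
   bytes and return byte 1. Only entries[0] is assigned, and byte 1 lies
   inside entries[0], so the returned value is defined. */
char T(char **d) {
    char *entries[2];
    entries[0] = d[0];
    char *buf1 = (char *)entries;
    return buf1[1];
}

/* Copy the object representation of pointer p into out (sizeof(char *) bytes).
   Reading an object's bytes through unsigned char is well defined in C. */
static void pointer_bytes(char *p, unsigned char *out) {
    memcpy(out, &p, sizeof p);
}

/* Constructed sample target for the example; its address is what d[0] holds. */
char sample_target[16];

/* Returns 1 if T() yields exactly byte 1 of the representation of d[0],
   i.e. the read stays within the initialized element entries[0]. */
int t_reads_initialized_byte(char *target) {
    char *d[1] = { target };
    unsigned char rep[sizeof(char *)];
    pointer_bytes(target, rep);
    return (unsigned char)T(d) == rep[1];
}

/* Byte offsets into the reinterpreted array that are initialized:
   [0, sizeof(char *)) belong to entries[0] (assigned);
   [sizeof(char *), 2 * sizeof(char *)) belong to entries[1] (never assigned). */
int offset_is_initialized(size_t byte_offset) {
    return byte_offset < sizeof(char *);
}
```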
