[llvm-bugs] [Bug 50604] New: Loss of array extent in type punning triggers two incorrect analyzer core warnings
via llvm-bugs
llvm-bugs at lists.llvm.org
Mon Jun 7 10:54:10 PDT 2021
https://bugs.llvm.org/show_bug.cgi?id=50604
Bug ID: 50604
Summary: Loss of array extent in type punning triggers two incorrect analyzer core warnings
Product: clang
Version: trunk
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P
Component: Static Analyzer
Assignee: dcoughlin at apple.com
Reporter: chris.hamilton at ericsson.com
CC: dcoughlin at apple.com, llvm-bugs at lists.llvm.org
Created attachment 24916
--> https://bugs.llvm.org/attachment.cgi?id=24916&action=edit
Small reproducer
After commit b30521c28a4d, we started seeing two false-positive static analyzer
warnings. Small reproducer (also attached):
eahcmrh at seroius03977[19:32][repo/eahcmrh/nrbbphy]$ cat reproducer.c
int sim_printf(const char*, ...);
static const unsigned RV[1][5] = {{1,2,3,4,5}, };   /* one fully initialized row of five */

void clang_analyzer_dump(void*);                    /* debug.ExprInspection helpers */
void clang_analyzer_printState();

void bar() {
  const unsigned* rvp = &(RV[0][0]);  /* pointer to the first element of row 0 */
  clang_analyzer_dump(rvp);           /* dump the symbolic value of the pointer */
  clang_analyzer_dump(&(RV[0][0]));   /* dump the expression it was assigned from */
  sim_printf("%u", rvp[4]);           /* in-bounds read of RV[0][4] */
}

unsigned *foo(unsigned * buf_p) {
  const unsigned* rvp = &(RV[0][0]);
  return buf_p + rvp[4];              /* same in-bounds read, used as an offset */
}
I added clang_analyzer_* calls in hopes of spotlighting the root cause for
those who understand this code better than myself. Here's the output with
commit b30521c28a4d:
bash> clang -Xanalyzer -analyzer-werror --analyze reproducer.c
reproducer.c:11:3: error: 2nd function call argument is an uninitialized value [core.CallAndMessage]
  sim_printf("%u", rvp[4]);
  ^~~~~~~~~~~~~~~~~~~~~~~~
reproducer.c:16:16: error: The right operand of '+' is a garbage value [core.UndefinedBinaryOperatorResult]
  return buf_p + rvp[4];
               ^ ~~~~~~
2 errors generated.
Enabling the clang_analyzer_* debug output gives:
bash> clang -Xanalyzer -analyzer-werror -Xanalyzer -analyzer-checker=debug.ExprInspection --analyze reproducer.c
reproducer.c:9:3: error: &Element{RV,0 S64b,unsigned int} [debug.ExprInspection]
  clang_analyzer_dump(rvp);
  ^~~~~~~~~~~~~~~~~~~~~~~~
reproducer.c:10:3: error: &Element{Element{RV,0 S64b,unsigned int [5]},0 S64b,unsigned int} [debug.ExprInspection]
  clang_analyzer_dump(&(RV[0][0]));
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
reproducer.c:11:3: error: 2nd function call argument is an uninitialized value [core.CallAndMessage]
  sim_printf("%u", rvp[4]);
  ^~~~~~~~~~~~~~~~~~~~~~~~
reproducer.c:16:16: error: The right operand of '+' is a garbage value [core.UndefinedBinaryOperatorResult]
  return buf_p + rvp[4];
               ^ ~~~~~~
4 errors generated.
Note that the 'rvp' expression has lost extent information (unsigned int [5])
in this output, while the expression it was assigned from still has this info.
For contrast, here's the output with debug dumps enabled from a build without
commit b30521c28a4d:
bash> clang -Xanalyzer -analyzer-werror -Xanalyzer -analyzer-checker=debug.ExprInspection --analyze reproducer.c
reproducer.c:9:3: error: &Element{Element{RV,0 S64b,unsigned int [5]},0 S64b,unsigned int} [debug.ExprInspection]
  clang_analyzer_dump(rvp);
  ^~~~~~~~~~~~~~~~~~~~~~~~
reproducer.c:10:3: error: &Element{Element{RV,0 S64b,unsigned int [5]},0 S64b,unsigned int} [debug.ExprInspection]
  clang_analyzer_dump(&(RV[0][0]));
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2 errors generated.
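Added example, not part of the bug report: a small triage script that parses the `file:line:col: error: message [checker]` diagnostics quoted above, drops the debug.ExprInspection dumps (they are not findings), and lists the core.* diagnostics that appear only with the newer toolchain, which is what a `-analyzer-werror` CI job needs to tell a toolchain regression like this one from a new defect in the code. The two captured outputs in the block are constructed from the text above, including the line wrapping introduced by the mail.

```python
import re
from typing import NamedTuple
# One diagnostic as clang --analyze prints it: file:line:col: error: message [checker]
DIAG_RE = re.compile(r"^(?P<file>[^:\s]+):(?P<line>\d+):(?P<col>\d+): "
                     r"(?:error|warning): (?P<msg>.*?) \[(?P<checker>[\w.]+)\]$")
HEADER_RE = re.compile(r"^[^:\s]+:\d+:\d+: (?:error|warning): ")

class Diag(NamedTuple):
    file: str
    line: int
    col: int
    checker: str
    msg: str

def parse_diagnostics(output, ignore=("debug.ExprInspection",)):
    """Set of Diag records in analyzer output. Mail clients wrap long lines, so a
    header without its closing [checker] tag is joined with the following lines
    until the tag appears; dumps from the debug checkers in `ignore` are dropped."""
    diags, pending = set(), ""
    for raw in output.splitlines():
        line = (pending + " " + raw.strip()) if pending else raw.strip()
        pending = ""
        m = DIAG_RE.match(line)
        if m:
            if m["checker"] not in ignore:
                diags.add(Diag(m["file"], int(m["line"]), int(m["col"]),
                               m["checker"], m["msg"]))
        elif HEADER_RE.match(line):
            pending = line  # wrapped diagnostic: keep collecting
    return diags

def new_diagnostics(before, after):
    """Diagnostics reported by the newer build only, sorted by location."""
    return sorted(parse_diagnostics(after) - parse_diagnostics(before))

# Constructed from the two outputs quoted above: a build without commit
# b30521c28a4d (OLD_BUILD) versus one with it (NEW_BUILD), wrapped as in the mail.
OLD_BUILD = """\
reproducer.c:9:3: error: &Element{Element{RV,0 S64b,unsigned int [5]},0
S64b,unsigned int} [debug.ExprInspection]
"""
NEW_BUILD = """\
reproducer.c:9:3: error: &Element{RV,0 S64b,unsigned int} [debug.ExprInspection]
reproducer.c:11:3: error: 2nd function call argument is an uninitialized
value [core.CallAndMessage]
  sim_printf("%u", rvp[4]);
  ^~~~~~~~~~~~~~~~~~~~~~~~
reproducer.c:16:16: error: The right operand of '+' is a garbage value
[core.UndefinedBinaryOperatorResult]
"""
```

Running `new_diagnostics(OLD_BUILD, NEW_BUILD)` yields exactly the two core.* diagnostics at 11:3 and 16:16; the changed ExprInspection dump at 9:3 is ignored even though its text differs between the builds.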