Geoffrey1014 / SA_Bugs

record bugs of static analyzers

wrong path note: instrument_npd305.c:9:10: note: value assigned to `l` #1

Closed Geoffrey1014 closed 1 year ago

Geoffrey1014 commented 1 year ago

date: 2022-11-11
commit: 8c1a508616b438ace29429f4da3f4912772c5503
args: --analyze --analyzer-output text -Xclang -analyzer-config -Xclang widen-loops=true
test:

#include <stdio.h>
unsigned char **a() {
  int d =0;

  int i;
  int *k = &i;
  int *j = k;
  int *l = j;
  for (; d < 7; d++)
    printf("NPD_FLAG\n");
  0 != l, *l;
}
void main() { a(); }

report: https://github.com/llvm/llvm-project/issues/61512
fix:
original: /home/heweigang.hewg/working-place/fuzz_place/clang_16.0.0_2022_10_28_12_45/fuzz_0/reachable/reduce/instrument_npd305.c

Geoffrey1014 commented 1 year ago

similar cases: /home/heweigang.hewg/working-place/fuzz_place/clang_16.0.0_2022_10_28_12_45/fuzz_0/reachable/reduce/instrument_npd425.c

Geoffrey1014 commented 1 year ago

/home/heweigang.hewg/working-place/fuzz_place/clang_16.0.0_2022_10_28_12_45/fuzz_0/reachable/reduce/instrument_npd305.c

#include <stdio.h>
unsigned char **a() {
  int d =0;

  int i;
  int *k = &i;
  int *j = k;
  int *l = j;
  for (; d < 7; d++)
    printf("NPD_FLAG\n");
  0 != l, *l;
}
void main() { a(); }

compilation options : clang --analyze --analyzer-output text -Xclang -analyzer-config -Xclang widen-loops=true

instrument_npd305.c:11:11: warning: Dereference of null pointer (loaded from variable 'l') [core.NullDereference]
  0 != l, *l;
          ^
instrument_npd305.c:15:15: note: Calling 'a'
void main() { a(); }
              ^~~
instrument_npd305.c:9:3: note: Loop condition is true.  Entering loop body
  for (; d < 7; d++)
  ^
instrument_npd305.c:9:3: note: Loop condition is true.  Entering loop body
instrument_npd305.c:9:3: note: Loop condition is true.  Entering loop body
instrument_npd305.c:9:10: note: Value assigned to 'l'
  for (; d < 7; d++)
         ^
instrument_npd305.c:9:10: note: Assuming 'd' is >= 7
  for (; d < 7; d++)
         ^~~~~
instrument_npd305.c:9:3: note: Loop condition is false. Execution continues on line 11
  for (; d < 7; d++)
  ^
instrument_npd305.c:11:3: note: Assuming 'l' is equal to null
  0 != l, *l;
  ^~~~~~
instrument_npd305.c:11:3: note: Assuming pointer value is null
  0 != l, *l;
  ^~~~~~
instrument_npd305.c:11:11: note: Dereference of null pointer (loaded from variable 'l')
  0 != l, *l;
          ^~
1 warning generated.

wrong path note: instrument_npd305.c:9:10: note: Value assigned to 'l'

Deleting the loop, which is useless code, makes the NPD warning disappear:

#include <stdio.h>
unsigned char **a() {
  int d =0;

  int i;
  int *k = &i;
  int *j = k;
  int *l = j;
  //for (; d < 7; d++)
    printf("NPD_FLAG\n");
  0 != l, *l;
}

void main() { a(); }

muchang commented 1 year ago

Should we look into this bug further?

Geoffrey1014 commented 1 year ago

Compiling this case without the widen-loops option does not result in an FP NPD warning. So, it seems that widen-loops has a negative effect. https://godbolt.org/z/MKhGbvohT
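
A reproduction script for the two invocations compared in this comment (added here as an example; it is not part of the original issue or of the SA_Bugs repository). It assumes a `clang` with the static analyzer on `PATH`, writes the reduced test case from this issue to a temporary directory, runs it once with and once without `widen-loops=true`, and counts the `core.NullDereference` warnings in each run. The function names `write_case`, `count_npd` and `reproduce` are the script's own, not analyzer or project names.

```shell
#!/bin/sh
# Added reproduction for the widen-loops false positive discussed above.
# Assumption: `clang` (with --analyze support) is available on PATH.
set -eu

# Write the reduced test case from the issue (verbatim) to the path in $1.
write_case() {
  cat > "$1" <<'EOF'
#include <stdio.h>
unsigned char **a() {
  int d =0;

  int i;
  int *k = &i;
  int *j = k;
  int *l = j;
  for (; d < 7; d++)
    printf("NPD_FLAG\n");
  0 != l, *l;
}
void main() { a(); }
EOF
}

# Run the analyzer on $1 with any extra clang arguments that follow, and
# print the number of core.NullDereference warnings it reported.
# `--analyzer-output text` sends diagnostics to stderr, so merge it into stdout.
count_npd() {
  src=$1
  shift
  clang --analyze --analyzer-output text "$@" "$src" 2>&1 \
    | grep -c 'core.NullDereference' || true
}

# Compare the default analysis with widen-loops=true on the same file.
# Prints "plain=<n> widened=<m>" and returns 0 on success.
reproduce() {
  dir=$(mktemp -d)
  src="$dir/instrument_npd305.c"
  write_case "$src"
  plain=$(count_npd "$src")
  widened=$(count_npd "$src" -Xclang -analyzer-config -Xclang widen-loops=true)
  echo "plain=$plain widened=$widened"
  rm -rf "$dir"
}

# Only run when the analyzer is present so the script is safe to source elsewhere.
if command -v clang >/dev/null 2>&1; then
  reproduce
else
  echo "clang not found on PATH; nothing to run"
fi
```

On the clang revision cited in the issue, the expected output is `plain=0 widened=1`: the loop body never touches `l`, so only the invalidation performed by loop widening makes the analyzer consider `l` unknown and then assume it null at `0 != l`. Whether the widened count is still 1 depends on the clang version, since the upstream report (llvm/llvm-project#61512) tracks a fix.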

Geoffrey1014 commented 1 year ago

duplicate of https://github.com/Geoffrey1014/SA_Bugs/issues/4