Geoffrey1014 / SA_Bugs

record bugs of static analyzers

unrelated code has effect on the analysis result of clang static analyzer #3

Open Geoffrey1014 opened 1 year ago

Geoffrey1014 commented 1 year ago

date: 2022-11-11
commit: 8c1a508616b438ace29429f4da3f4912772c5503
args: --analyze --analyzer-output text
test:

#include <stdio.h>
int l ;

int *b( int *n) {
  for (; l < 3;)
    return n;
}

int d() {
  int f;
  int *g = &f;
  int *i;
  (i = b(g)) || 1; //instrument_npd103.c:12:4: note: Assuming 'i' is null,  removing "|| 1" would change analysis result;
  printf("NPD_FLAG\n");
  *i;
}

void main() { d(); }

report: https://github.com/llvm/llvm-project/issues/58986
fix:
origin: /home/heweigang.hewg/working-place/fuzz_place/clang_16.0.0_2022_10_28_12_45/fuzz_0/reachable/bak_reduce/instrument_npd103.c

Geoffrey1014 commented 1 year ago

/home/heweigang.hewg/working-place/fuzz_place/clang_16.0.0_2022_10_28_12_45/fuzz_0/reachable/bak_reduce/instrument_npd103.c

#include <stdio.h>
int l ;

int *b( int *n) {
  for (; l < 3;)
    return n;
}

int d() {
  int f;
  int *g = &f;
  int *i;
  (i = b(g)) || 1; //instrument_npd103.c:12:4: note: Assuming 'i' is null,  removing "|| 1" would change analysis result;
  printf("NPD_FLAG\n");
  *i;
}

void main() { d(); }

Compiling it with the options --analyze --analyzer-output text in https://godbolt.org/z/Y41qhs8dx, CSA emits an FP warning as follows:

<source>:15:3: warning: Dereference of null pointer (loaded from variable 'i') [core.NullDereference]
  *i;
  ^
<source>:18:15: note: Calling 'd'
void main() { d(); }
              ^~~
<source>:13:4: note: Value assigned to 'i'
  (i = b(g)) || 1; //instrument_npd103.c:12:4: note: Assuming 'i' is null,  removing "|| 1" would change analysis result;
   ^~~~~~~~
<source>:13:4: note: Assuming 'i' is null
  (i = b(g)) || 1; //instrument_npd103.c:12:4: note: Assuming 'i' is null,  removing "|| 1" would change analysis result;
   ^
<source>:13:4: note: Assuming pointer value is null
  (i = b(g)) || 1; //instrument_npd103.c:12:4: note: Assuming 'i' is null,  removing "|| 1" would change analysis result;
   ^~~~~~~~
<source>:13:3: note: Left side of '||' is false
  (i = b(g)) || 1; //instrument_npd103.c:12:4: note: Assuming 'i' is null,  removing "|| 1" would change analysis result;
  ^
<source>:15:3: note: Dereference of null pointer (loaded from variable 'i')
  *i;
  ^~
1 warning generated.

I think it is ok for CSA to report the FP warning, but the unrelated code || 1 at line 12 can affect the result of the analysis: removing this || 1, the FP disappears. This inconsistency may suggest some problem here.
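For readers reproducing the report, the following is an added example and not code from the issue or from the LLVM project. It keeps the shape of the reduced test case but removes the two properties the analyzer has to reason about: in the original, b() reaches its closing brace without returning when l >= 3 (so the caller's pointer is unconstrained on that path), and d() dereferences i without a check. The variants b_hardened(), d_hardened() and run_with_l() are hypothetical names introduced here; the hardened code returns on every path and checks for NULL, so there is no path on which the dereference depends on an assumed value.

```c
#include <stdio.h>
#include <stddef.h>

int l;

/* Hypothetical hardened variant of b(): every path returns a value, so the
 * caller never receives an unconstrained pointer when l >= 3. */
int *b_hardened(int *n) {
    for (; l < 3;)
        return n;
    return NULL; /* explicit result on the path the original left without a return */
}

/* Hypothetical hardened variant of d(): the pointer is checked before use and
 * a status is returned so the outcome can be asserted instead of printed. */
int d_hardened(void) {
    int f = 0;            /* initialised so *i is a defined read */
    int *g = &f;
    int *i = b_hardened(g); /* plain assignment, no "|| 1" side expression */
    if (i == NULL) {
        printf("NPD_FLAG: b returned NULL, skipping dereference\n");
        return -1;
    }
    return *i;
}

/* Helper so both analyzer-relevant paths (l < 3 and l >= 3) can be driven
 * from one call; constructed for this example. */
int run_with_l(int l_value) {
    l = l_value;
    return d_hardened();
}

int main(void) {
    printf("l = 0 -> %d\n", run_with_l(0)); /* pointer to f, value 0 */
    printf("l = 3 -> %d\n", run_with_l(3)); /* NULL handled, returns -1 */
    return 0;
}
```

Running this variant through the same --analyze --analyzer-output text invocation gives the analyzer no unconstrained return value to split on, which is the property the report's || 1 exposes; comparing its output against the original test case is the quickest way to confirm the inconsistency is tied to that expression rather than to the dereference itself.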