Geoffrey1014 / SA_Bugs

record bugs of static analyzers

CSA evaluates `((b)+0)<((b)+1)` to be FALSE with the facts that variable `b` is a pointer and is NULL #35

Closed Geoffrey1014 closed 1 year ago

Geoffrey1014 commented 1 year ago

date: 2023-1-10
commit:
args: `--analyze -Xclang -analyzer-stats -Xclang -analyzer-checker=core,debug.ExprInspection`
test:

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

void clang_analyzer_eval(int);          /* debug.ExprInspection hook: prints TRUE/FALSE/UNKNOWN for its argument */
void a() {
  uint32_t *b = 0;                      /* b is a null pointer on every path */
  if (b == b) {
    clang_analyzer_eval((b == b)==true);
    clang_analyzer_eval(((b)!=(b))==false);
    clang_analyzer_eval(((b)+0)==((b)+0));
    clang_analyzer_eval(((b)+0)<((b)+1)); /* reported as FALSE, see output below */
    clang_analyzer_eval(((b)+1)==((b)+1));
    clang_analyzer_eval(((b)+0)<((b)+2)); /* reported as FALSE */
    clang_analyzer_eval(((b)+1)<((b)+2)); /* reported as FALSE */
    clang_analyzer_eval(((b)+2)==((b)+2));
    clang_analyzer_eval(((b)-0)==((b)-0));
    clang_analyzer_eval(true);
    ;
  }
}
```

report:
fix:
original:

Geoffrey1014 commented 1 year ago

https://godbolt.org/z/q79v87744

Output:

```text
<source>:9:5: warning: TRUE [debug.ExprInspection]
    clang_analyzer_eval((b == b)==true);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:10:5: warning: TRUE [debug.ExprInspection]
    clang_analyzer_eval(((b)!=(b))==false);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:11:5: warning: TRUE [debug.ExprInspection]
    clang_analyzer_eval(((b)+0)==((b)+0));
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:12:5: warning: FALSE [debug.ExprInspection]
    clang_analyzer_eval(((b)+0)<((b)+1));
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:13:5: warning: TRUE [debug.ExprInspection]
    clang_analyzer_eval(((b)+1)==((b)+1));
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:14:5: warning: FALSE [debug.ExprInspection]
    clang_analyzer_eval(((b)+0)<((b)+2));
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:15:5: warning: FALSE [debug.ExprInspection]
    clang_analyzer_eval(((b)+1)<((b)+2));
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:16:5: warning: TRUE [debug.ExprInspection]
    clang_analyzer_eval(((b)+2)==((b)+2));
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:17:5: warning: TRUE [debug.ExprInspection]
    clang_analyzer_eval(((b)-0)==((b)-0));
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:18:5: warning: TRUE [debug.ExprInspection]
    clang_analyzer_eval(true);
    ^~~~~~~~~~~~~~~~~~~~~~~~~
===-------------------------------------------------------------------------===
                                Analyzer timers
===-------------------------------------------------------------------------===
  Total Execution Time: 0.0030 seconds (0.0334 wall clock)

   ---User Time---   --System Time--   --User+System--   ---Wall Time---  --- Name ---
   0.0014 ( 50.3%)   0.0000 (  0.0%)   0.0014 ( 49.1%)   0.0205 ( 61.4%)  Path exploration time
   0.0004 ( 12.4%)   0.0001 (100.0%)   0.0004 ( 14.5%)   0.0118 ( 35.4%)  Syntax-based analysis time
   0.0011 ( 37.3%)   0.0000 (  0.0%)   0.0011 ( 36.4%)   0.0011 (  3.2%)  Path-sensitive report post-processing time
   0.0029 (100.0%)   0.0001 (100.0%)   0.0030 (100.0%)   0.0334 (100.0%)  Total

10 warnings generated.
Compiler returned: 0
```

Compile and run: (screenshot of the runtime output, not reproduced here)
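The following is an added example, not part of the issue or of the SA_Bugs repository. It turns the ten `clang_analyzer_eval` calls above into an oracle that a reporter can check the analyzer's verdicts against: each `b+i` is modelled as `base + i * sizeof(uint32_t)`, which is the element-offset arithmetic a compiled binary actually performs. The arithmetic is done on `uintptr_t` rather than on a real pointer because pointer arithmetic on a null pointer is undefined behaviour in C, so a "compile and run" check built on `uint32_t *b = 0` has no guaranteed result. The verdict table is transcribed from the report output above; the array base used in `main` is a constructed sample.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Verdicts the analyzer printed for reproducer lines 9..18, in source order
 * (transcribed from the report above). */
#define N_EVALS 10
static const bool csa_verdict[N_EVALS] = {
    true,  /* (b == b) == true       */
    true,  /* ((b)!=(b)) == false    */
    true,  /* (b)+0 == (b)+0         */
    false, /* (b)+0 <  (b)+1  (odd)  */
    true,  /* (b)+1 == (b)+1         */
    false, /* (b)+0 <  (b)+2  (odd)  */
    false, /* (b)+1 <  (b)+2  (odd)  */
    true,  /* (b)+2 == (b)+2         */
    true,  /* (b)-0 == (b)-0         */
    true,  /* true                   */
};

/* Address of element idx relative to base, computed on integers so that a
 * null base stays well defined (assumed model: base + idx * sizeof(uint32_t)). */
static uintptr_t elem(uintptr_t base, long idx) {
    return base + (uintptr_t)(idx * (long)sizeof(uint32_t));
}

/* Does the element-offset model say b+i < b+j? */
bool model_says_less(uintptr_t b, long i, long j) {
    return elem(b, i) < elem(b, j);
}

/* Evaluate the ten reproducer expressions under the element-offset model. */
void expected_verdicts(uintptr_t b, bool out[N_EVALS]) {
    out[0] = (b == b) == true;
    out[1] = ((b != b) == false);
    out[2] = elem(b, 0) == elem(b, 0);
    out[3] = model_says_less(b, 0, 1);
    out[4] = elem(b, 1) == elem(b, 1);
    out[5] = model_says_less(b, 0, 2);
    out[6] = model_says_less(b, 1, 2);
    out[7] = elem(b, 2) == elem(b, 2);
    out[8] = (b - 0) == (b - 0);
    out[9] = true;
}

/* Print every expression where the analyzer disagrees with the model and
 * return how many there are (3 for the verdicts in this report). */
int count_mismatches(uintptr_t b) {
    bool exp[N_EVALS];
    expected_verdicts(b, exp);
    int n = 0;
    for (int i = 0; i < N_EVALS; i++) {
        if (exp[i] != csa_verdict[i]) {
            printf("eval #%d (line %d): model %s, analyzer %s\n", i + 1, i + 9,
                   exp[i] ? "TRUE" : "FALSE", csa_verdict[i] ? "TRUE" : "FALSE");
            n++;
        }
    }
    return n;
}

int main(void) {
    uint32_t arr[4];                        /* constructed non-null base */
    printf("null base:  %d mismatches\n", count_mismatches(0));
    printf("array base: %d mismatches\n", count_mismatches((uintptr_t)arr));
    return 0;
}
```

Under this model the three `<` comparisons are TRUE for a null base just as they are for an array base, which is exactly the discrepancy the issue title points at; the same table can be reused when checking whether a later clang build still produces the FALSE verdicts.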
Geoffrey1014 commented 1 year ago

duplicate of https://github.com/Geoffrey1014/SA_Bugs/issues/30