Geoffrey1014 / SA_Bugs

record bugs of static analyzers

CSA emits confusing unrolling info with widen-loops configs #4

Closed Geoffrey1014 closed 1 year ago

Geoffrey1014 commented 1 year ago

date: 2022-11-11
commit: 8c1a508616b438ace29429f4da3f4912772c5503
args: -Xclang -analyzer-config -Xclang widen-loops=true --analyze --analyzer-output text -Xclang -analyzer-display-progress
test:

# include <stdio.h>

int a() {
  int b;
  int c;
  int *d = &c;
  for (b = 0; b <= 2; b++)
    if (d != 0,1) { // instrument_npd49.c:7:9: note: Assuming 'd' is equal to null
      printf("NPD_FLAG\n"); 
      *d;
    }
}
void main() { a(); }

report: https://github.com/llvm/llvm-project/issues/61506
fix:
original: /home/heweigang.hewg/working-place/fuzz_place/clang_16.0.0_2022_10_28_12_45/fuzz_0/reachable/bak_reduce/instrument_npd132.c

muchang commented 1 year ago

/home/heweigang.hewg/working-place/fuzz_place/clang_16.0.0_2022_10_28_12_45/fuzz_0/reachable/bak_reduce/instrument_npd49c

# include <stdio.h>

int a() {
  int b;
  int c;
  int *d = &c;
  for (b = 0; b <= 2; b++)
    if (d != 0,1) { // instrument_npd49.c:7:9: note: Assuming 'd' is equal to null
      printf("NPD_FLAG\n"); 
      *d;
    }
}
void main() { a(); }

The path note about the for loop `for (b = 0; b <= 2; b++)` is confusing (too many "Entering loop body" notes and the wrong note "instrument_npd49.c:6:15: note: Value assigned to 'd'"):

<source>:10:7: warning: Dereference of null pointer (loaded from variable 'd') [core.NullDereference]
      *d;
      ^
<source>:13:15: note: Calling 'a'
void main() { a(); }
              ^~~
<source>:7:3: note: Loop condition is true.  Entering loop body
  for (b = 0; b <= 2; b++)
  ^
<source>:8:5: note: Taking true branch
    if (d != 0,1) { // instrument_npd49.c:7:9: note: Assuming 'd' is equal to null
    ^
<source>:7:3: note: Loop condition is true.  Entering loop body
  for (b = 0; b <= 2; b++)
  ^
<source>:8:5: note: Taking true branch
    if (d != 0,1) { // instrument_npd49.c:7:9: note: Assuming 'd' is equal to null
    ^
<source>:7:3: note: Loop condition is true.  Entering loop body
  for (b = 0; b <= 2; b++)
  ^
<source>:8:5: note: Taking true branch
    if (d != 0,1) { // instrument_npd49.c:7:9: note: Assuming 'd' is equal to null
    ^
<source>:7:15: note: Value assigned to 'd'
  for (b = 0; b <= 2; b++)
              ^
<source>:7:15: note: Assuming 'b' is <= 2
  for (b = 0; b <= 2; b++)
              ^~~~~~
<source>:7:3: note: Loop condition is true.  Entering loop body
  for (b = 0; b <= 2; b++)
  ^
<source>:8:9: note: Assuming 'd' is equal to null
    if (d != 0,1) { // instrument_npd49.c:7:9: note: Assuming 'd' is equal to null
        ^~~~~~
<source>:8:9: note: Assuming pointer value is null
    if (d != 0,1) { // instrument_npd49.c:7:9: note: Assuming 'd' is equal to null
        ^~~~~~
<source>:8:5: note: Taking true branch
    if (d != 0,1) { // instrument_npd49.c:7:9: note: Assuming 'd' is equal to null
    ^
<source>:10:7: note: Dereference of null pointer (loaded from variable 'd')
      *d;
      ^~
1 warning generated.

Geoffrey1014 commented 1 year ago

duplicate of https://github.com/Geoffrey1014/SA_Bugs/issues/6