Geoffrey1014
commented
1 year ago Hi, I found a problem that CSA does not report the out-of-bounds warning for the following test case, but GCC Static Analyzer does. It seems that CSA does not handle -- opertator correctly, hence miss reporting the out-of-bounds warning.
Thank you for taking the time to review this case.
CSA : https://godbolt.org/z/rM9jjEx6j GSA: https://godbolt.org/z/Tsjaxvf1f
Compilation options: --analyze -Xclang -analyzer-stats -Xclang -analyzer-constraints=range -Xclang -setup-static-analyzer -Xclang -analyzer-config -Xclang eagerly-assume=false -Xclang -analyzer-checker=core,alpha.security.taint,debug.ExprInspection,debug.TaintTest
Input :
#include "stdio.h"
#include <stdint.h>
#include <stdbool.h>
void clang_analyzer_eval();
int16_t a() {
uint16_t b = 1;
uint16_t *c = &b;
if (*c-- && 4073709551613L) {
clang_analyzer_eval((*c-- && 4073709551613L)==true);
clang_analyzer_eval((!(*c-- && 4073709551613L))==false);
clang_analyzer_eval(((!(*c--))||(!(4073709551613L)))==false);
clang_analyzer_eval(*c--);
clang_analyzer_eval(!(4073709551613L) == false);
clang_analyzer_eval((!(*c--))==false);
clang_analyzer_eval((!(4073709551613L))==false);
clang_analyzer_eval(((!(*c--))&&(4073709551613L))==false);
clang_analyzer_eval(((*c--)&&(!(4073709551613L)))==false);
clang_analyzer_eval(((!(*c--))&&(!(4073709551613L)))==false);
clang_analyzer_eval(true);
int d = *c--;
}
}Output:
<source>:12:5: warning: TRUE [debug.ExprInspection]
clang_analyzer_eval((*c-- && 4073709551613L)==true);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:13:5: warning: TRUE [debug.ExprInspection]
clang_analyzer_eval((!(*c-- && 4073709551613L))==false);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:14:5: warning: UNKNOWN [debug.ExprInspection]
clang_analyzer_eval(*c--);
^~~~~~~~~~~~~~~~~~~~~~~~~
<source>:15:5: warning: UNKNOWN [debug.ExprInspection]
clang_analyzer_eval((!(*c--))==false);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:16:5: warning: TRUE [debug.ExprInspection]
clang_analyzer_eval(((!(*c--))&&(4073709551613L))==false);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:17:5: warning: TRUE [debug.ExprInspection]
clang_analyzer_eval(((*c--)&&(!(4073709551613L)))==false);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:18:5: warning: TRUE [debug.ExprInspection]
clang_analyzer_eval(((!(*c--))&&(!(4073709551613L)))==false);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:19:5: warning: Value stored to 'd' is never read [deadcode.DeadStores]
d = *c--;
^ ~~~~
===-------------------------------------------------------------------------===
Analyzer timers
===-------------------------------------------------------------------------===
Total Execution Time: 0.0037 seconds (0.0136 wall clock)
---User Time--- --System Time-- --User+System-- ---Wall Time--- --- Name ---
0.0022 ( 67.6%) 0.0000 ( 0.0%) 0.0022 ( 59.7%) 0.0075 ( 55.5%) Path exploration time
0.0002 ( 7.5%) 0.0004 (100.0%) 0.0007 ( 18.3%) 0.0052 ( 38.6%) Syntax-based analysis time
0.0008 ( 24.9%) 0.0000 ( 0.0%) 0.0008 ( 22.0%) 0.0008 ( 5.9%) Path-sensitive report post-processing time
0.0032 (100.0%) 0.0004 (100.0%) 0.0037 (100.0%) 0.0136 (100.0%) Total
8 warnings generated.
Compiler returned: 0
date: 2023-1-11 commit: args: --analyze -Xclang -analyzer-stats -Xclang -analyzer-constraints=range -Xclang -setup-static-analyzer -Xclang -analyzer-config -Xclang eagerly-assume=false -Xclang -analyzer-checker=core,alpha.security.taint,debug.ExprInspection,debug.TaintTest test:
report: https://github.com/llvm/llvm-project/issues/60041 fix: original: