Geoffrey1014 / SA_Bugs

record bugs of static analyzers

[clang static analyzer] core.NullDereference false positive with `*r = 42` #43

Open 0-0x41 opened 1 year ago

0-0x41 commented 1 year ago

date: 2023-1-12
commit: 0c0681b7414c385d0fd5fad302c0d48607262050
args: --analyze -Xclang -analyzer-stats -Xclang -analyzer-checker=core,debug.ExprInspection
test:

#include <stdio.h>
#include <stdbool.h>
void clang_analyzer_eval();   /* provided by the debug.ExprInspection checker */

struct a
{
    int b;
    int c;
};

union d
{
    struct a e;
} main()                      /* main declared with return type union d, as in the reduced test */
{
    union d g = {};           /* zero-initialized: g.e.b == 0 and g.e.c == 0 */
    int *p = (int *)0;
    clang_analyzer_eval((-g.e.b && g.e.c) == false);   /* analyzer reports TRUE here */
    if (-g.e.b && g.e.c)      /* condition is always false, branch is unreachable */
    {
        *p = 42;              /* still flagged by core.NullDereference */
    }
}

report: https://github.com/llvm/llvm-project/issues/60026
fix:
original:

0-0x41 commented 1 year ago

I got a false positive error when compiling the following program with clang (trunk) `-Xanalyzer -analyzer-output=text --analyze -Xanalyzer -analyzer-checker=debug.ExprInspection`; see https://godbolt.org/z/GsaeKh8eY.

In this case, the eval result on line 17 is TRUE, and apparently the CSA knows the fact that the result of (-g.e.b && g.e.c) is FALSE, yet it continues to analyze the code inside the if statement, which is unreachable code. This is a bit odd.

Here are the analysis results for the case. Thank you for taking the time to review this case.

Input:

#include <stdio.h>
#include <stdbool.h>
void clang_analyzer_eval();   /* provided by the debug.ExprInspection checker */

struct a
{
    int b;
    int c;
};

union d
{
    struct a e;
} main()                      /* main declared with return type union d, as in the reduced test */
{
    union d g = {};           /* zero-initialized: g.e.b == 0 and g.e.c == 0 */
    int *p = (int *)0;
    clang_analyzer_eval((-g.e.b && g.e.c) == false);   /* analyzer reports TRUE here */
    if (-g.e.b && g.e.c)      /* condition is always false, branch is unreachable */
    {
        *p = 42;              /* still flagged by core.NullDereference */
    }
}

Output:

<source>:17:5: warning: TRUE [debug.ExprInspection]
    clang_analyzer_eval((-g.e.b && g.e.c) == false);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:20:12: warning: Dereference of null pointer (loaded from variable 'p') [core.NullDereference]
        *p = 42;

Geoffrey1014 commented 1 year ago

Structure is supported.

see it live: https://godbolt.org/z/ejGdKxhcW
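The union test case from the issue placed next to a plain-struct variant, as an added example that is not part of the issue or of this repository's own files. The `__clang_analyzer__` guard is an assumption of this example: the analyzer defines that macro and supplies `clang_analyzer_eval` itself, so the no-op stand-in lets the same file build and run with an ordinary compiler, where both functions return 0 because the guarded branch is never reached at runtime. The struct variant is added for side-by-side comparison with the follow-up comment that the struct form is supported; the example itself makes no claim about what either analyzer run prints.

```c
/* Added example, not code from the issue: the union test case and a
 * plain-struct variant in one file that builds both under the Clang Static
 * Analyzer and with a normal compiler. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumption: under `clang --analyze` the macro __clang_analyzer__ is defined
 * and debug.ExprInspection provides clang_analyzer_eval; otherwise a no-op
 * stand-in keeps the file linkable. */
#ifdef __clang_analyzer__
void clang_analyzer_eval(int);
#else
static void clang_analyzer_eval(int cond) { (void)cond; }
#endif

struct a { int b; int c; };
union d { struct a e; };

/* The union case from the issue. Returns 1 if the guarded branch ran; it must
 * return 0, since g is zero-initialized, -g.e.b is 0 and && short-circuits. */
int union_case(void)
{
    union d g = {};
    int *p = NULL;
    int taken = 0;
    clang_analyzer_eval((-g.e.b && g.e.c) == false);
    if (-g.e.b && g.e.c) {
        taken = 1;
        *p = 42;   /* the store core.NullDereference reports in the issue */
    }
    return taken;
}

/* Same shape with a plain struct instead of a union, for comparison. */
int struct_case(void)
{
    struct a g = {};
    int *p = NULL;
    int taken = 0;
    clang_analyzer_eval((-g.b && g.c) == false);
    if (-g.b && g.c) {
        taken = 1;
        *p = 42;
    }
    return taken;
}

int main(void)
{
    printf("union branch taken: %d\n", union_case());
    printf("struct branch taken: %d\n", struct_case());
    return 0;
}
```

Run it under the analyzer with the command line from the first comment, `clang --analyze -Xclang -analyzer-checker=core,debug.ExprInspection repro.c`, and compare which of the two functions draws the core.NullDereference warning; compiled normally, the program just prints the two return values, both 0.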