Geoffrey1014 / SA_Bugs

record bugs of static analyzers

[clang static analyzer] `clang_analyzer_eval` affects the analyzer's result #48

Closed 0-0x41 closed 1 year ago

0-0x41 commented 1 year ago

date: 2023-1-15
commit: 0c0681b7414c385d0fd5fad302c0d48607262050
args: --analyze -Xclang -analyzer-stats -Xclang -analyzer-checker=core,debug.ExprInspection
test:

void clang_analyzer_eval();   /* debug.ExprInspection hook: prints TRUE, FALSE or UNKNOWN for its argument */

void f(int b)
{
    int c = 1;
    clang_analyzer_eval(c && (c = 0) | b);   /* line 6: parses as c && ((c = 0) | b); c is 1, so this assigns c = 0 */
    if (c && (c = 0) | b)
    {
        clang_analyzer_eval(c && (c = 0) | b);   /* line 9 */
        if (c && (c = 0) | b)
        {
            *(int *)0;   /* null dereference for the core checker to report if reached */
        }
    }
}

report: https://github.com/llvm/llvm-project/issues/60120
fix:
original:

0-0x41 commented 1 year ago

In this case, when clang_analyzer_eval is added at line 6 (https://godbolt.org/z/7o9647f17), the eval statement inside the if branch produces no output. However, when line 6 is commented out (https://godbolt.org/z/szb8v58b9), it is output.

Also, the eval result of (c && (c = 0) | b) (line 9) should probably be TRUE after the analyzer goes inside the if branch.
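The concrete C semantics of the condition, as an added example that is not part of the issue or of the SA_Bugs repository: `|` binds tighter than `&&`, so `c && (c = 0) | b` is `c && ((c = 0) | b)`, and whenever the right operand is evaluated it assigns 0 to c. `trace_f` is a hypothetical helper that runs f()'s control flow for a concrete b, with or without the line-6 eval, and records which eval sites are reached and what the condition evaluated to there, which is the per-path view a path-sensitive analyzer has of the same code.

```c
#include <stdio.h>

/* Hypothetical helper (not from the issue): one concrete execution of f().
 * A value of -1 means the site was never reached on this run. */
struct trace {
    int outer_eval;    /* value of the condition at the line-6 eval */
    int inner_eval;    /* value of the condition at the line-9 eval */
    int deref_reached; /* 1 if *(int *)0 would have executed */
};

/* keep_line6 = 1 reproduces the issue's test, 0 the variant with line 6
 * commented out. Each condition is c && ((c = 0) | b): when c is nonzero
 * it is read, then set to 0, and the result is whether b is nonzero;
 * when c is already 0 the && short-circuits and nothing is assigned. */
struct trace trace_f(int b, int keep_line6)
{
    struct trace t = { -1, -1, 0 };
    int c = 1;

    if (keep_line6)
        t.outer_eval = c && (c = 0) | b;   /* c is 1 here, so c becomes 0 */

    if (c && (c = 0) | b) {                /* false whenever c is already 0 */
        t.inner_eval = c && (c = 0) | b;   /* c is 0 on entry: short-circuits to 0 */
        if (c && (c = 0) | b)
            t.deref_reached = 1;
    }
    return t;
}

int main(void)
{
    int b, keep;
    for (keep = 1; keep >= 0; keep--)
        for (b = 0; b <= 1; b++) {
            struct trace t = trace_f(b, keep);
            printf("line6=%d b=%d: outer=%d inner=%d deref=%d\n",
                   keep, b, t.outer_eval, t.inner_eval, t.deref_reached);
        }
    return 0;
}
```

With the line-6 eval kept, every run leaves c at 0 before the if, so the line-9 site is never reached for any b; with it commented out and b nonzero, the branch is entered with c already 0 and the line-9 condition evaluates to 0. The null dereference is unreachable in both variants.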