Geoffrey1014 / SA_Bugs

record bugs of static analyzers

[clang static analyzer] core.NullDereference false positive with `*p` #66

Open ghost opened 1 year ago

ghost commented 1 year ago

date: 2023-04-06
args: --analyze -Xclang -analyzer-stats -Xclang -analyzer-checker=core,debug.ExprInspection
test:

// Hooks provided by the debug.ExprInspection checker; both must be declared
// so the test compiles without implicit-function-declaration errors.
void clang_analyzer_warnIfReached();
void clang_analyzer_eval(int);

int contains_null_check(int t)
{
    int *p = (void *)t;   // t reinterpreted as a pointer: null exactly when t == 0
    clang_analyzer_eval(t == 0);
    if (p == 0)
    {
        clang_analyzer_eval(p == 0);
        return *p;        // dereference on the p == 0 path
    }
    else
    {
        clang_analyzer_eval(p == 0);
        return *p;        // dereference on the p != 0 path
    }
}

int main()
{
    if (0)                // dead branch: the call below is never reached
    {
        clang_analyzer_warnIfReached();
        contains_null_check(1);
    }
}

report: https://github.com/llvm/llvm-project/issues/61884 fix: original:

ghost commented 1 year ago

[core.NullDereference] disappears when the if branch is reachable; however, [core.NullDereference] appears when the if branch is non-reachable. In both cases, p is not a null pointer.

See it live: https://godbolt.org/z/P46z5eYxr https://godbolt.org/z/df4E8cPoP