False positive null pointer dereference with integer arithmetic

[Quuxplusone]

Bugzilla Link	PR15855
Status	NEW
Importance	P normal
Reported by	bugzilla@jwwalker.com
Reported on	2013-04-26 17:24:53 -0700
Last modified on	2013-04-30 03:29:01 -0700
Version	trunk
Hardware	Macintosh MacOS X
CC	bugzilla@jwwalker.com, daniel@fahlgren.se, jrose@belkadan.com, llvm-bugs@lists.llvm.org
Fixed by commit(s)
Attachments
Blocks
Blocked by
See also

Overview:

I get a null pointer dereference warning that assumes a certain variable is
negative, when in fact one can easily deduce that the variable cannot be
negative.

Steps to reproduce:

Analyze this code:

-------------------------
static void Foo( int numFaces )
{
    int* ptr = 0;

    int absFaces;
    if (numFaces > 0)
    {
        absFaces = numFaces;
    }
    else
    {
        absFaces = - numFaces;
    }

    if (absFaces < 0)
    {
        *ptr = 99;
    }
}
-------------------------

Actual results:

"Dereference of null pointer (loaded from variable 'ptr')
  'ptr' initialized to a null pointer value
  Assuming 'numFaces' is <= 0
  Assuming 'absFaces' is < 0"

Expected results:

No warnings, or maybe something saying that a line is unreachable.

Build date:

clang version 3.3 (trunk 180622)
Target: x86_64-apple-darwin11.4.2
Thread model: posix

[Quuxplusone]

This embarrassing false positive is due to not reasoning about unary minus. In theory there are difficulties when hitting implementation-defined and undefined behavior, but in practice the analyzer's pretty heavily geared towards -fwrapv semantics right now.

Tracked by rdar://problem/12351075.

[Quuxplusone]

Oops, maybe it's not a false positive. In the unlikely case that numFaces is the most negative number (0x80000000 when using 32 bits), absFaces is the same, and the dereference is reached.