search

Quuxplusone / LLVMBugzillaTest

0 stars 0 forks source link

clang analyzer doesn't consider equality assumption in dataflow #38672

Open Quuxplusone opened 6 years ago

Quuxplusone commented 6 years ago
Bugzilla Link PR39699
Status NEW
Importance P normal
Reported by Renat Idriso (renat@idrisov.info)
Reported on 2018-11-17 22:56:27 -0800
Last modified on 2018-11-19 23:41:48 -0800
Version 7.0
Hardware All All
CC blitzrakete@gmail.com, dcoughlin@apple.com, dgregor@apple.com, erik.pilkington@gmail.com, llvm-bugs@lists.llvm.org, richard-llvm@metafoo.co.uk, rwbowdidge@gmail.com
Fixed by commit(s)
Attachments tidy-minimal.c (668 bytes, text/x-csrc)
Blocks
Blocked by
See also 
Created attachment 21127
tidy-minimal.c

Hi all,
if I run analyzer on the following piece of code with:

$ clang-tidy tidy-minimal.c -checks=* --

The complete code is:

#include <stdio.h>
#include <stdlib.h>

void *something();
void *something_else();

void *subfunction(const char **error, void *ds) {
  void *fs = something_else();

  if (fs == NULL) {
    if (error != NULL) {
      *error = "error";
    }
    if (ds != NULL) { free(ds); }
    return NULL;
  }
  if (ds == fs) {
    return ds;
  }
  if (ds != NULL) { free(ds); }
  ds = fs;
  return ds;
}

void *myfunction(const char **error) {
  void *ds = something();
  ds = subfunction(error, ds);
  return ds;
}

int main() {
  const char *error;
  void *result = myfunction(&error);
  if (result == NULL) {
    printf("Error is %s", error);
  } else {
    free(result);
  }
}

I get:

/.../tidy-minimal/tidy-minimal.c:35:5: warning: 2nd function call argument is
an uninitialized value [clang-analyzer-core.CallAndMessage]
    printf("Error is %s", error);
    ^
/.../tidy-minimal/tidy-minimal.c:32:3: note: 'error' declared without an
initial value
  const char *error;
  ^
/.../tidy-minimal/tidy-minimal.c:33:18: note: Calling 'myfunction'
  void *result = myfunction(&error);
                 ^
/.../tidy-minimal/tidy-minimal.c:27:8: note: Calling 'subfunction'
  ds = subfunction(error, ds);
       ^
/.../tidy-minimal/tidy-minimal.c:10:7: note: Assuming 'fs' is not equal to NULL
  if (fs == NULL) {
      ^
/.../tidy-minimal/tidy-minimal.c:10:3: note: Taking false branch
  if (fs == NULL) {
  ^
/.../tidy-minimal/tidy-minimal.c:17:7: note: Assuming 'ds' is equal to 'fs'
  if (ds == fs) {
      ^
/.../tidy-minimal/tidy-minimal.c:17:3: note: Taking true branch
  if (ds == fs) {
  ^
/.../tidy-minimal/tidy-minimal.c:18:5: note: Returning without writing to
'*error'
    return ds;
    ^
/.../tidy-minimal/tidy-minimal.c:27:8: note: Returning from 'subfunction'
  ds = subfunction(error, ds);
       ^
/.../tidy-minimal/tidy-minimal.c:28:3: note: Returning without writing to
'*error'
  return ds;
  ^
/.../tidy-minimal/tidy-minimal.c:33:18: note: Returning from 'myfunction'
  void *result = myfunction(&error);
                 ^
/.../tidy-minimal/tidy-minimal.c:34:7: note: Assuming 'result' is equal to NULL
  if (result == NULL) {
      ^
/.../tidy-minimal/tidy-minimal.c:34:3: note: Taking true branch
  if (result == NULL) {
  ^
/.../tidy-minimal/tidy-minimal.c:35:5: note: 2nd function call argument is an
uninitialized value
    printf("Error is %s", error);
    ^

The problem I see:
fs is assumed to be not NULL, ds is assumed as equal to fs, ds is returned, the
result is assumed to be NULL which contradicts with fs being not null

please let me know if preprocessed version would be helpful
Quuxplusone commented 6 years ago

Attached tidy-minimal.c (668 bytes, text/x-csrc): tidy-minimal.c