False positive - Assigned value is garbage or undefined

[Quuxplusone]

Bugzilla Link	PR7913
Status	NEW
Importance	P normal
Reported by	Charles (clang-bugzilla@macspice.com)
Reported on	2010-08-15 09:52:38 -0700
Last modified on	2012-09-25 15:56:47 -0700
Version	unspecified
Hardware	Macintosh MacOS X
CC	bugs+llvm+org@sebastianhahn.net, jrose@belkadan.com, kremenek@apple.com, llvm-bugs@lists.llvm.org, sean@rogue-research.com, xu_zhong_xing@163.com
Fixed by commit(s)
Attachments	main.c (676 bytes, application/octet-stream) minimal.c (155 bytes, text/plain) main.c (460 bytes, text/plain)
Blocks
Blocked by
See also

Created attachment 5370
Code exhibiting issue

The attached sample code comprises two versions of a short routine called
'shrink'. They should be equivalent but the second one  produces a false
positive 'Assigned value is garbage or undefined'. Such a warning would make
sense if the value of op->npar was a volatile, but it isn't.

Thanks.

Charles

---------

$ /Developer/usr/bin/clang -v --analyze /Users/X/Documents/clang-bug/main.c -o
foo.html
Apple clang version 1.5 (tags/Apple/clang-60)
Target: x86_64-apple-darwin10
Thread model: posix
 "/Developer/usr/bin/clang" -cc1 -triple x86_64-apple-darwin10.0.0 -analyze -disable-free -disable-llvm-verifier -main-file-name main.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-check-dead-stores -analyzer-check-objc-mem -analyzer-eagerly-assume -analyzer-check-objc-methodsigs -analyzer-check-objc-unused-ivars -analyzer-output plist -w -pic-level 1 -mdisable-fp-elim -munwind-tables -target-cpu core2 -v -resource-dir /Developer/usr/lib/clang/1.5 -ferror-limit 19 -fmessage-length 103 -stack-protector 1 -fblocks -fdiagnostics-show-option -fcolor-diagnostics -o foo.html -x c /Users/X/Documents/clang-bug/main.c
clang -cc1 version 1.5 based upon llvm 2.7svn hosted on x86_64-apple-darwin10
#include "..." search starts here:
#include <...> search starts here:
 /Developer/usr/lib/clang/1.5/include
 /usr/local/include
 /usr/include
 /System/Library/Frameworks (framework directory)
 /Library/Frameworks (framework directory)
End of search list.
/Users/X/Documents/clang-bug/main.c:16:3: warning: Assigned value is garbage or
undefined
                t[i] = s[i];
                ^      ~~~~
1 warning generated.

[Quuxplusone]

Attached main.c (676 bytes, application/octet-stream): Code exhibiting issue

[Quuxplusone]

I think we lose the control-dependency here because 'N' is assigned a conjured value. We aren't modeling the field value because it is a double.

[Quuxplusone]

Attached minimal.c (155 bytes, text/plain): Minimal example not using doubles

[Quuxplusone]

I can't get an error for the case without floating-point involvement on ToT. For the one with, here's what I see as the main problem, or at least a low-hanging fruit: if you perform the same cast twice, you get the same result. Is there any way we can model that?

[Quuxplusone]

Indeed, I can confirm that my example doesn't give an error anymore. Thanks to whoever fixed it :)

[Quuxplusone]

Attached main.c (460 bytes, text/plain): ``` Similar false positive after casting array of uint16_t to uint8_t*