commit https://github.com/llvm/llvm-project/commit/3e4788377bb29ed389b46521fcba0d06aa985bcf (HEAD -> main, origin/main, origin/HEAD) Author: Giulio Eulisse 10544+ktf@users.noreply.github.com Date: Thu Sep 5 10:16:51 2024 +0200
clang --analyze --analyzer-no-default-checks -Xanalyzer -analyzer-checker=core.NullDereference -Xanalyzer -analyzer-config -Xanalyzer -mode=deep -Xanalyzer -analyzer-output=text
I will further minimize it later.
One input that triggers it is: `./t 1826809252 0 0`
With that input it triggers a null pointer dereference at this line: `_280 = *_279;`
The test case is:
/*
 * Reproducer attached to the issue (llvm-cbe style output, reformatted with
 * one statement per line; every token is as in the original paste).
 *
 * Summary of the path the issue describes, traced from the code below:
 *   main: llvm_cbe_a112 is set to NULL, then llvm_cbe_block18 -> block446 ->
 *         block422. With args[0] == 1826809252 the compare in block422 holds
 *         (913404626 == ld139 - 913404626), so block17 -> block16 -> block15.
 *         input0 < 2606378767 sends block15 to block13, which calls func2 with
 *         &llvm_cbe_a112 (still NULL) as the 4th argument (_261).
 *   func2: the entry compare cmp145 is false for that input, so control goes
 *         llvm_cbe_block -> block17 -> block13, where `_279 = *_261` loads the
 *         NULL and `_280 = *_279` dereferences it.
 */
/* Provide Declarations */
#include <stdint.h>
#include <stdio.h>
#ifndef __cplusplus
typedef unsigned char bool;
#endif
#ifndef _MSC_VER
#define __forceinline __attribute__((always_inline)) inline
#endif
#if defined(__GNUC__)
#define __ATTRIBUTELIST__(x) __attribute__(x)
#else
#define __ATTRIBUTELIST__(x)
#endif
#ifdef _MSC_VER /* Can only support "linkonce" vars with GCC */
#define __attribute__(X)
#endif
/* External Global Variable Declarations */
/* Function Declarations */
void init(uint32_t, uint8_t**) __ATTRIBUTELIST__((noinline, nothrow));
/* NOTE(review): <stdlib.h> is not included; malloc/atol/free are declared
 * here with non-standard signatures (uint8_t* / uint64_t instead of
 * void* / size_t / char* / long). Including <stdlib.h> in the same TU would
 * presumably conflict with these declarations. */
uint8_t* malloc(uint64_t) __ATTRIBUTELIST__((nothrow));
uint64_t atol(uint8_t*) __ATTRIBUTELIST__((nothrow, pure));
void free(uint8_t*) __ATTRIBUTELIST__((nothrow));
int main(int, char **) __ATTRIBUTELIST__((noinline, nothrow));
uint8_t* func2(uint8_t**, uint64_t**, uint64_t*, uint64_t**, uint64_t, uint8_t);
/* Global Variable Definitions and Initialization */
uint32_t num_args = 3;
uint64_t* args;    /* filled by init(); read by main() */
/* Function Bodies */
/*
 * Parse argv[1..3] into the global args[0..2].
 * _1 (argc) is not used: argv[1..3] are read unconditionally, so fewer
 * than three arguments reads past argv. The malloc result is not checked.
 */
void init(uint32_t _1, uint8_t** argv) {
  args = (uint64_t*) malloc(num_args * sizeof(uint64_t));
  for (int i = 1; i <= 3; ++i) {
    args[i - 1] = atol(argv[i]);
  }
}
/*
 * Entry point. Only args[0] influences control flow (via llvm_cbe_ld139 and
 * llvm_cbe_input0). Always returns 0 when it returns.
 */
int main(int argc, char ** argv) {
  uint32_t _35 = (uint32_t)argc;
  uint8_t** _36 = (uint8_t**)argv;
  uint64_t* _37;
  uint64_t* llvm_cbe_inptr;
  uint64_t llvm_cbe_input0;
  uint64_t* llvm_cbe_inptr22;
  uint64_t* llvm_cbe_inptr23;
  uint64_t* llvm_cbe_a;    /* Address-exposed local */
  uint64_t* llvm_cbe_a39;    /* Address-exposed local */
  bool* llvm_cbe_a61;    /* Address-exposed local */
  uint64_t llvm_cbe_a72;    /* Address-exposed local */
  uint8_t llvm_cbe_a83;    /* Address-exposed local */
  uint8_t llvm_cbe_a89;    /* Address-exposed local */
  uint64_t llvm_cbe_a90;    /* Address-exposed local */
  uint8_t* llvm_cbe_a92;    /* Address-exposed local */
  uint64_t* llvm_cbe_a112;    /* Address-exposed local; passed to func2 as _261 */
  uint64_t llvm_cbe_ld;
  bool llvm_cbe_cmp;
  uint64_t* llvm_cbe_gep;
  uint8_t llvm_cbe_ld123;
  uint8_t* llvm_cbe_gep124;
  uint8_t llvm_cbe_ld125;
  uint8_t llvm_cbe_bop126;
  uint8_t* _39;
  uint8_t llvm_cbe_a138;    /* Address-exposed local */
  uint64_t llvm_cbe_ld139;
  uint8_t llvm_cbe_ld140;
  uint64_t _42;
  uint64_t llvm_cbe_bop141;
  uint64_t llvm_cbe_a903;    /* Address-exposed local */
  uint64_t* llvm_cbe_ld875;
  uint64_t* llvm_cbe_gep876;
  uint64_t llvm_cbe_ld877;
  bool llvm_cbe_cmp878;
  uint64_t* llvm_cbe_gep820;
  uint8_t* llvm_cbe_gep827;
  uint8_t* _58;
  uint64_t* llvm_cbe_gep403;
  uint64_t llvm_cbe_bop560;
  bool llvm_cbe_cmp586;
  bool llvm_cbe_a948;    /* Address-exposed local */
  bool* llvm_cbe_ld953;
  uint64_t llvm_cbe_a954;    /* Address-exposed local */
  uint8_t* llvm_cbe_c960;
  uint64_t* llvm_cbe_gep770;
  uint64_t llvm_cbe_a885;    /* Address-exposed local */
  uint64_t llvm_cbe_gep771;
  uint64_t llvm_cbe_gep772;

  init(_35, _36);
  _37 = args;
  llvm_cbe_inptr = (&(*_37));
  llvm_cbe_input0 = *llvm_cbe_inptr;    /* args[0] */
  llvm_cbe_a112 = (&llvm_cbe_a90);
  llvm_cbe_a83 = 37;
  llvm_cbe_bop126 = (156u - 174u);
  llvm_cbe_a72 = INT64_C(2291238112);
  llvm_cbe_a92 = (&llvm_cbe_a138);
  llvm_cbe_ld139 = *llvm_cbe_inptr;    /* args[0] again */
  llvm_cbe_ld140 = llvm_cbe_a83;
  _42 = ((int64_t)(int8_t)llvm_cbe_ld140);
  llvm_cbe_bop141 = (llvm_cbe_ld139 * _42);    /* args[0] * 37 */
  /* The pointer passed to func2 becomes NULL here; it is only re-pointed
   * in llvm_cbe_block21 and llvm_cbe_block720, neither of which lies on the
   * block18 -> block422 -> block17 -> block16 -> block15 -> block13 path. */
  llvm_cbe_a112 = ((uint64_t*)/*NULL*/0);
  goto llvm_cbe_block18;

llvm_cbe_block:
  goto llvm_cbe_exit;
llvm_cbe_block13:
  llvm_cbe_a39 = (&llvm_cbe_a903);
  llvm_cbe_a138 = 153u;
  *llvm_cbe_a39 = 171952983;
  llvm_cbe_gep771 = llvm_cbe_bop141;
  /* 4th argument is &llvm_cbe_a112, which may still hold the NULL set above. */
  func2((&llvm_cbe_a92), (&llvm_cbe_a39), (&llvm_cbe_gep771), (&llvm_cbe_a112), llvm_cbe_ld139, llvm_cbe_bop126);
  goto llvm_cbe_block;
llvm_cbe_block15:
  llvm_cbe_a90 = 984789025;
  llvm_cbe_ld875 = llvm_cbe_a;
  *llvm_cbe_ld875 = 2298943274;
  /* block21 (which repoints a112) is only taken for args[0] >= 2606378767. */
  llvm_cbe_cmp878 = ((int64_t)llvm_cbe_input0) >= ((int64_t)UINT64_C(2606378767));
  if (llvm_cbe_cmp878) { goto llvm_cbe_block21; } else { goto llvm_cbe_block13; }
llvm_cbe_block16:
  llvm_cbe_a = (&llvm_cbe_a72);
  goto llvm_cbe_block15;
llvm_cbe_block17:
  goto llvm_cbe_block16;
llvm_cbe_block18:
  llvm_cbe_gep772 = 1320690439;
  goto llvm_cbe_block446;
llvm_cbe_block422:
  /* True exactly when args[0] == 2 * 913404626 == 1826809252 (the issue's input). */
  llvm_cbe_bop560 = (llvm_cbe_ld139 - 913404626);
  llvm_cbe_cmp586 = 913404626 == llvm_cbe_bop560;
  if (llvm_cbe_cmp586) { goto llvm_cbe_block17; } else { goto llvm_cbe_block20; }
llvm_cbe_exit:
  llvm_cbe_a39 = (&llvm_cbe_a954);
  return 0;
llvm_cbe_block20:
  goto llvm_cbe_block720;
llvm_cbe_block603:
  goto llvm_cbe_block16;
llvm_cbe_block21:
  llvm_cbe_a112 = (&llvm_cbe_a885);
  goto llvm_cbe_block13;
llvm_cbe_block446:
  llvm_cbe_a90 = INT64_C(3336398127);
  goto llvm_cbe_block422;
llvm_cbe_block720:
  llvm_cbe_a112 = &llvm_cbe_gep772;
  goto llvm_cbe_block603;
}
/*
 * Callee holding the dereference the issue is about.
 *   _258, _259, _261: out-pointers that are repointed at func2's own locals
 *                     (their previous targets are read on some paths).
 *   _260: pointer to the caller's llvm_cbe_gep771 (args[0] * 37).
 *   _262, _263: value operands; only their low 8 bits are used.
 * Return value: _296 is declared but never assigned in this function, so the
 * value returned at llvm_cbe_exit is indeterminate (main ignores it).
 */
uint8_t* func2(uint8_t** _258, uint64_t** _259, uint64_t* _260, uint64_t** _261, uint64_t _262, uint8_t _263) {
  uint64_t* llvm_cbe_a31;    /* Address-exposed local */
  uint8_t llvm_cbe_a34;    /* Address-exposed local */
  uint64_t llvm_cbe_a42;    /* Address-exposed local */
  uint64_t llvm_cbe_a49;    /* Address-exposed local */
  uint64_t llvm_cbe_a56;    /* Address-exposed local */
  uint8_t llvm_cbe_a69;    /* Address-exposed local */
  uint64_t llvm_cbe_a77;    /* Address-exposed local */
  uint8_t llvm_cbe_a83;    /* Address-exposed local */
  uint64_t llvm_cbe_a91;    /* Address-exposed local */
  uint8_t llvm_cbe_a97;    /* Address-exposed local */
  uint64_t llvm_cbe_a105;    /* Address-exposed local */
  uint8_t* llvm_cbe_a121;    /* Address-exposed local */
  uint8_t llvm_cbe_a125;    /* Address-exposed local */
  uint64_t llvm_cbe_a126;    /* Address-exposed local */
  uint64_t* llvm_cbe_ld;
  uint8_t _264;
  uint64_t llvm_cbe_ld134;
  uint64_t _265;
  uint64_t llvm_cbe_bop136;
  uint64_t llvm_cbe_bop137;
  uint8_t llvm_cbe_ld139;
  uint64_t _266;
  bool llvm_cbe_cmp;
  uint64_t llvm_cbe_ld142;
  uint64_t llvm_cbe_ld144;
  uint64_t _267;
  bool llvm_cbe_cmp145;
  uint64_t* llvm_cbe_ld411;
  uint64_t** llvm_cbe_gep412;
  uint64_t* llvm_cbe_ld413;
  uint64_t llvm_cbe_ld414;
  uint8_t _271;
  bool llvm_cbe_cmp387;
  uint64_t llvm_cbe_ld351;
  uint64_t llvm_cbe_bop352;
  uint64_t* llvm_cbe_ld353;
  uint64_t llvm_cbe_ld354;
  uint64_t llvm_cbe_ld362;
  uint64_t* llvm_cbe_ld312;
  uint8_t llvm_cbe_ld316;
  uint64_t* _279;
  uint64_t _280;
  uint64_t* llvm_cbe_ld293;
  uint64_t llvm_cbe_ld294;
  uint8_t llvm_cbe_ld300;
  bool llvm_cbe_cmp306;
  uint8_t _286;
  uint8_t llvm_cbe_bop247;
  uint64_t llvm_cbe_bop261;
  uint8_t llvm_cbe_ld262;
  uint64_t _287;
  uint64_t llvm_cbe_bop263;
  uint8_t llvm_cbe_ld264;
  uint64_t _288;
  bool llvm_cbe_cmp265;
  uint64_t* llvm_cbe_ld436;
  uint64_t llvm_cbe_ld437;
  uint64_t** llvm_cbe_gep170;
  uint8_t* llvm_cbe_ld176;
  uint8_t llvm_cbe_ld177;
  uint64_t llvm_cbe_bop193;
  uint64_t _294;
  bool llvm_cbe_cmp202;
  uint8_t* _296;    /* never assigned; returned at llvm_cbe_exit */
  uint8_t llvm_cbe_ld342;
  uint64_t* llvm_cbe_ld345;
  uint64_t** llvm_cbe_gep346;
  uint64_t* llvm_cbe_ld347;
  uint64_t _278;
  uint64_t* llvm_cbe_gep347;

  llvm_cbe_a34 = _263;
  _264 = ((uint8_t)_262);
  llvm_cbe_ld134 = *_260;
  _265 = ((int64_t)(int8_t)_264);
  llvm_cbe_bop136 = (llvm_cbe_ld134 + _265);
  llvm_cbe_bop137 = (llvm_cbe_ld134 % INT64_C(3895987946));
  llvm_cbe_a49 = llvm_cbe_ld134;
  llvm_cbe_ld139 = llvm_cbe_a34;
  _266 = ((int64_t)(int8_t)llvm_cbe_ld139);
  llvm_cbe_ld142 = llvm_cbe_a49;
  llvm_cbe_a42 = llvm_cbe_ld134;
  llvm_cbe_a121 = (&llvm_cbe_a34);
  *_259 = (&llvm_cbe_a56);
  llvm_cbe_ld144 = llvm_cbe_a49;
  _267 = ((int64_t)(int8_t)_264);
  /* Compares the sign-extended low byte of _262 with *_260. The false
   * branch (llvm_cbe_block -> block17 -> block13) is the one that reaches
   * the dereference of *_261 without ever writing *_261. */
  llvm_cbe_cmp145 = ((int64_t)_267) >= ((int64_t)llvm_cbe_ld144);
  if (llvm_cbe_cmp145) { goto llvm_cbe_block18; } else { goto llvm_cbe_block; }
llvm_cbe_block2:
  llvm_cbe_ld411 = llvm_cbe_a31;
  llvm_cbe_gep412 = (&llvm_cbe_gep347);
  llvm_cbe_ld413 = *llvm_cbe_gep412;
  llvm_cbe_ld414 = *llvm_cbe_ld413;
  *llvm_cbe_ld411 = llvm_cbe_ld414;
  *_261 = (&llvm_cbe_a91);
  goto llvm_cbe_exit;
llvm_cbe_block4:
  _271 = ((uint8_t)llvm_cbe_ld362);
  llvm_cbe_a69 = _271;
  llvm_cbe_a31 = (&llvm_cbe_a126);
  *_258 = (&llvm_cbe_a97);
  llvm_cbe_cmp387 = ((int64_t)llvm_cbe_ld134) >= ((int64_t)llvm_cbe_bop352);
  if (llvm_cbe_cmp387) { goto llvm_cbe_block17; } else { goto llvm_cbe_block2; }
llvm_cbe_block10:
  llvm_cbe_ld351 = *_260;
  llvm_cbe_bop352 = (llvm_cbe_bop137 * llvm_cbe_ld351);
  llvm_cbe_ld353 = *llvm_cbe_gep170;
  llvm_cbe_ld354 = llvm_cbe_a105;
  *llvm_cbe_ld353 = llvm_cbe_ld354;
  llvm_cbe_ld362 = llvm_cbe_a49;
  llvm_cbe_a105 = llvm_cbe_ld134;
  goto llvm_cbe_block4;
llvm_cbe_block11:
  llvm_cbe_ld312 = *llvm_cbe_gep170;
  *llvm_cbe_ld312 = llvm_cbe_ld142;
  llvm_cbe_ld316 = llvm_cbe_a125;
  llvm_cbe_a34 = llvm_cbe_ld316;
  goto llvm_cbe_block10;
llvm_cbe_block12:
  *_258 = (&llvm_cbe_a69);
  *_261 = (&llvm_cbe_a77);
  goto llvm_cbe_exit;
llvm_cbe_block13:
  /* *_261 is the caller's llvm_cbe_a112. On the path described in the issue
   * it is NULL, so the second statement is the null pointer dereference. */
  _279 = *_261;
  _280 = *_279;
  _278 = _280;
  goto llvm_cbe_exit;
llvm_cbe_block14:
  llvm_cbe_ld293 = *_259;
  llvm_cbe_ld294 = *_260;
  *llvm_cbe_ld293 = llvm_cbe_ld294;
  llvm_cbe_ld300 = llvm_cbe_a125;
  llvm_cbe_a83 = llvm_cbe_ld300;
  llvm_cbe_cmp306 = ((int64_t)llvm_cbe_ld134) < ((int64_t)llvm_cbe_ld142);
  if (llvm_cbe_cmp306) { goto llvm_cbe_block22; } else { goto llvm_cbe_block11; }
llvm_cbe_block16:
  *llvm_cbe_gep170 = (&llvm_cbe_a105);
  _286 = ((uint8_t)llvm_cbe_bop193);
  llvm_cbe_bop247 = (_264 * _286);
  llvm_cbe_a125 = llvm_cbe_bop247;
  llvm_cbe_bop261 = (_266 / 726294153);
  llvm_cbe_ld262 = llvm_cbe_a125;
  _287 = ((int64_t)(int8_t)llvm_cbe_ld262);
  llvm_cbe_bop263 = (_287 * _294);
  llvm_cbe_ld264 = llvm_cbe_a125;
  _288 = ((int64_t)(int8_t)llvm_cbe_ld264);
  llvm_cbe_cmp265 = ((int64_t)_288) <= ((int64_t)llvm_cbe_bop261);
  if (llvm_cbe_cmp265) { goto llvm_cbe_block14; } else { goto llvm_cbe_block12; }
llvm_cbe_block17:
  llvm_cbe_a105 = llvm_cbe_ld134;
  llvm_cbe_ld436 = *_259;
  llvm_cbe_ld437 = llvm_cbe_a42;
  *llvm_cbe_ld436 = llvm_cbe_ld437;
  goto llvm_cbe_block13;
llvm_cbe_block18:
  llvm_cbe_gep170 = (&llvm_cbe_gep347);
  llvm_cbe_ld176 = llvm_cbe_a121;
  llvm_cbe_ld177 = *llvm_cbe_ld176;
  llvm_cbe_bop193 = (llvm_cbe_ld144 * llvm_cbe_bop136);
  _294 = ((int64_t)(int8_t)llvm_cbe_ld177);
  llvm_cbe_cmp202 = ((int64_t)llvm_cbe_ld134) <= ((int64_t)_265);
  if (llvm_cbe_cmp202) { goto llvm_cbe_block16; } else { goto llvm_cbe_block21; }
llvm_cbe_block:
  goto llvm_cbe_block17;
llvm_cbe_block21:
  goto llvm_cbe_block11;
llvm_cbe_exit:
  return _296;
llvm_cbe_block22:
  llvm_cbe_ld342 = llvm_cbe_a83;
  *llvm_cbe_ld176 = llvm_cbe_ld342;
  llvm_cbe_ld345 = *llvm_cbe_gep170;
  *llvm_cbe_ld345 = llvm_cbe_ld134;
  llvm_cbe_gep346 = (&llvm_cbe_gep347);
  llvm_cbe_ld347 = *llvm_cbe_gep346;
  *llvm_cbe_ld347 = llvm_cbe_bop263;
  *_261 = llvm_cbe_ld345;
  goto llvm_cbe_block10;
}
Did you expect a report from the static analyzer?
commit https://github.com/llvm/llvm-project/commit/3e4788377bb29ed389b46521fcba0d06aa985bcf (HEAD -> main, origin/main, origin/HEAD) Author: Giulio Eulisse 10544+ktf@users.noreply.github.com Date: Thu Sep 5 10:16:51 2024 +0200
clang --analyze --analyzer-no-default-checks -Xanalyzer -analyzer-checker=core.NullDereference -Xanalyzer -analyzer-config -Xanalyzer -mode=deep -Xanalyzer -analyzer-output=text
I will further minimize it later.
The input can be ./t 1826809252 0 0
It will trigger the null pointer dereference in this line: _280 = *_279;
The test case is: