llvm / llvm-project

The LLVM Project is a collection of modular and reusable compiler and toolchain technologies.
http://llvm.org

False positive null pointer dereference with integer arithmetic #16227

Open llvmbot opened 11 years ago

llvmbot commented 11 years ago
Bugzilla Link 15855
Version trunk
OS MacOS X
Reporter LLVM Bugzilla Contributor
CC @belkadan

Extended Description

Overview:

I get a null pointer dereference warning that assumes a certain variable is negative, when in fact one can easily deduce that the variable cannot be negative.

Steps to reproduce:

Analyze this code:


```c
static void Foo( int numFaces )
{
    int* ptr = 0;

    int absFaces;
    if (numFaces > 0)
    {
        absFaces = numFaces;
    }
    else
    {
        absFaces = - numFaces;
    }

    if (absFaces < 0)
    {
        *ptr = 99;
    }
}
```

Actual results:

"Dereference of null pointer (loaded from variable 'ptr') 'ptr' initialized to a null pointer value Assuming 'numFaces' is <= 0 Assuming 'absFaces' is < 0"

Expected results:

No warnings, or maybe something saying that a line is unreachable.

Build date:

clang version 3.3 (trunk 180622) Target: x86_64-apple-darwin11.4.2 Thread model: posix

llvmbot commented 11 years ago

Oops, maybe it's not a false positive. In the unlikely case that numFaces is the most negative number (0x80000000 when using 32 bits), absFaces is the same, and the dereference is reached.

belkadan commented 11 years ago

This embarrassing false positive is due to not reasoning about unary minus. In theory there are difficulties when hitting implementation-defined and undefined behavior, but in practice the analyzer's pretty heavily geared towards -fwrapv semantics right now.

Tracked by rdar://problem/12351075.
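An added example (not part of the original report or of the analyzer's code) that checks the INT_MIN case from the comment above under the wrapping semantics belkadan mentions: the negation is done through unsigned arithmetic so it wraps instead of overflowing, and the helper names `negate_wrap` and `reaches_null_deref` are assumptions made here.

```c
#include <limits.h>
#include <stdio.h>

/* Two's-complement negation that cannot overflow: the unsigned
 * subtraction wraps and the result is converted back to int, which
 * models -fwrapv behaviour. A plain `-x` on INT_MIN would be undefined
 * behaviour in standard C. Hypothetical helper, not analyzer code. */
static int negate_wrap(int x)
{
    return (int)(0u - (unsigned int)x);
}

/* Mirrors the branching in Foo() from the report and returns 1 when
 * control would reach the `*ptr = 99` store, 0 otherwise. */
static int reaches_null_deref(int numFaces)
{
    int absFaces;
    if (numFaces > 0)
        absFaces = numFaces;
    else
        absFaces = negate_wrap(numFaces);
    return absFaces < 0;
}

int main(void)
{
    /* Constructed sample inputs; only INT_MIN keeps a negative absFaces. */
    int samples[] = { 0, 1, -1, INT_MAX, INT_MIN };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("numFaces=%d -> reaches dereference: %d\n",
               samples[i], reaches_null_deref(samples[i]));
    return 0;
}
```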

llvmbot commented 11 years ago

assigned to @tkremenek