llvm / llvm-project

The LLVM Project is a collection of modular and reusable compiler and toolchain technologies.
http://llvm.org

False positive on loop with complex condition #23100

Open llvmbot opened 9 years ago

llvmbot commented 9 years ago
Bugzilla Link: 22726
Version: 3.5
OS: Linux
Attachments: False positive case; A little bit simplified version
Reporter: LLVM Bugzilla Contributor
CC: @zygoloid

Extended Description

Analyzer reports garbage for initialized variable:

clang --analyze -Xanalyzer -analyzer-output=text source.c
source.c:18:18: warning: The left operand of '!=' is a garbage value
    if(result[i] != 0)
source.c:6:14: note: Assuming 'i' is >= 'count1'
  for(i = 0; i < count1; i++)
             ^~~~~~~~~~
source.c:6:3: note: Loop condition is false. Execution continues on line 11
  for(i = 0; i < count1; i++)
  ^
source.c:11:3: note: Loop condition is false. Execution continues on line 16
  for(i = count1; i < count2; i++)
  ^
source.c:16:3: note: Loop condition is true. Entering loop body
  for(i = 0; i < count1 + count2; i++)
  ^
source.c:18:18: note: The left operand of '!=' is a garbage value
    if(result[i] != 0)
       ~~~~~~~~~ ^
1 warning generated.
llvmbot commented 9 years ago

Attachment: Version with fixed-sized array

Here is the output:

clang --analyze -Xanalyzer -analyzer-output=text source.c
source.c:18:18: warning: The left operand of '!=' is a garbage value
    if(result[i] != 0)
source.c:6:3: note: Taking false branch
  if(count1 + count2 > 10)
  ^
source.c:11:3: note: Loop condition is false. Execution continues on line 16
  for(i = 0; i < count1 + count2; i++)
  ^
source.c:16:3: note: Loop condition is true. Entering loop body
  for(i = 0; i < count1 + count2; i++)
  ^
source.c:18:18: note: The left operand of '!=' is a garbage value
    if(result[i] != 0)
       ~~~~~~~~~ ^
1 warning generated.
llvmbot commented 9 years ago

Your first attachment has a bug. You only initialize the first max(count1, count2) elements, but then read from the first count1 + count2 elements of result.

What does the static analyzer report for the second attachment?

Does the problem still occur if you use a fixed-size array rather than a VLA?

Sorry for the inconvenience.

For the second attachment, the output is as follows:

clang --analyze -Xanalyzer -analyzer-output=text source.c
source.c:13:18: warning: The left operand of '!=' is a garbage value
    if(result[i] != 0)
source.c:6:3: note: Loop condition is false. Execution continues on line 11
  for(i = 0; i < count1 + count2; i++)
  ^
source.c:11:3: note: Loop condition is true. Entering loop body
  for(i = 0; i < count1 + count2; i++)
  ^
source.c:13:18: note: The left operand of '!=' is a garbage value
    if(result[i] != 0)
       ~~~~~~~~~ ^
1 warning generated.
ec04fc15-fa35-46f2-80e1-5d271f2ef708 commented 9 years ago

Your first attachment has a bug. You only initialize the first max(count1, count2) elements, but then read from the first count1 + count2 elements of result.

What does the static analyzer report for the second attachment?

Does the problem still occur if you use a fixed-size array rather than a VLA?
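The two fill/read shapes visible in the diagnostics above, reconstructed as an added example that is not the reporter's attachments: a shadow array records which elements each fill loop wrote, so the count of unwritten reads makes the reviewer's point about the first attachment concrete (it reads min(count1, count2) elements nobody initialized) and shows that the single-loop shape of the second attachment reads only written elements. MAX_RESULT and the `i + 1` fill values are assumptions; the thread only shows a `count1 + count2 > 10` guard.

```c
/* Added example, not the reporter's code. MAX_RESULT is an assumed cap that
 * mirrors the "count1 + count2 > 10" guard seen in the fixed-size-array run. */
#include <stdio.h>
#include <string.h>

#define MAX_RESULT 10

/* Returns -1 if the counts do not fit the array, otherwise the number of
 * elements the final read loop touches that no fill loop ever wrote. */
static int count_uninitialized_reads(int count1, int count2, int single_fill_loop) {
    int result[MAX_RESULT];
    unsigned char written[MAX_RESULT];
    int i, missing = 0, nonzero = 0;

    if (count1 < 0 || count2 < 0 || count1 + count2 > MAX_RESULT)
        return -1;
    memset(written, 0, sizeof written);

    if (single_fill_loop) {
        /* Second attachment's shape: one loop covers all count1 + count2 slots. */
        for (i = 0; i < count1 + count2; i++) { result[i] = i + 1; written[i] = 1; }
    } else {
        /* First attachment's shape: the second loop runs from count1 up to
         * count2 (not count1 + count2), so only max(count1, count2) slots are written. */
        for (i = 0; i < count1; i++)      { result[i] = i + 1; written[i] = 1; }
        for (i = count1; i < count2; i++) { result[i] = i + 1; written[i] = 1; }
    }

    /* The read loop both attachments share; the shadow is consulted first so
     * this example never reads an uninitialized slot itself. */
    for (i = 0; i < count1 + count2; i++) {
        if (!written[i]) { missing++; continue; }
        if (result[i] != 0) nonzero++;   /* the line the analyzer flags */
    }
    (void)nonzero;
    return missing;
}

int main(void) {
    printf("two fill loops, count1=3 count2=5: %d unwritten reads\n",
           count_uninitialized_reads(3, 5, 0));
    printf("one fill loop,  count1=3 count2=5: %d unwritten reads\n",
           count_uninitialized_reads(3, 5, 1));
    return 0;
}
```

With the two-loop shape the unwritten-read count equals min(count1, count2), which is the genuine bug the reviewer describes; with the single-loop shape it is always 0, so any remaining "garbage value" report there concerns the analyzer's reasoning rather than the code.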

llvmbot commented 9 years ago

assigned to @tkremenek