search

llvm / llvm-project

The LLVM Project is a collection of modular and reusable compiler and toolchain technologies.
http://llvm.org
Other
29.38k stars 12.15k forks source link

clang analyzer doesn't consider equality assumption in dataflow #39047

Open ea7d95e0-10ff-42d2-9b8e-f875ad2084fd opened 6 years ago

ea7d95e0-10ff-42d2-9b8e-f875ad2084fd commented 6 years ago
Bugzilla Link 39699
Version 7.0
OS All
Attachments tidy-minimal.c
CC @devincoughlin,@DougGregor,@zygoloid

Extended Description

Hi all, if I run analyzer on the following piece of code with:

$ clang-tidy tidy-minimal.c -checks=* --

The complete code is:

include

include

void something(); void something_else();

void *subfunction(const char *error, void ds) { void *fs = something_else();

if (fs == NULL) { if (error != NULL) { *error = "error"; } if (ds != NULL) { free(ds); } return NULL; } if (ds == fs) { return ds; } if (ds != NULL) { free(ds); } ds = fs; return ds; }

void *myfunction(const char *error) { void ds = something(); ds = subfunction(error, ds); return ds; }

int main() { const char error; void result = myfunction(&error); if (result == NULL) { printf("Error is %s", error); } else { free(result); } }

I get:

/.../tidy-minimal/tidy-minimal.c:35:5: warning: 2nd function call argument is an uninitialized value [clang-analyzer-core.CallAndMessage] printf("Error is %s", error); ^ /.../tidy-minimal/tidy-minimal.c:32:3: note: 'error' declared without an initial value const char error; ^ /.../tidy-minimal/tidy-minimal.c:33:18: note: Calling 'myfunction' void result = myfunction(&error); ^ /.../tidy-minimal/tidy-minimal.c:27:8: note: Calling 'subfunction' ds = subfunction(error, ds); ^ /.../tidy-minimal/tidy-minimal.c:10:7: note: Assuming 'fs' is not equal to NULL if (fs == NULL) { ^ /.../tidy-minimal/tidy-minimal.c:10:3: note: Taking false branch if (fs == NULL) { ^ /.../tidy-minimal/tidy-minimal.c:17:7: note: Assuming 'ds' is equal to 'fs' if (ds == fs) { ^ /.../tidy-minimal/tidy-minimal.c:17:3: note: Taking true branch if (ds == fs) { ^ /.../tidy-minimal/tidy-minimal.c:18:5: note: Returning without writing to 'error' return ds; ^ /.../tidy-minimal/tidy-minimal.c:27:8: note: Returning from 'subfunction' ds = subfunction(error, ds); ^ /.../tidy-minimal/tidy-minimal.c:28:3: note: Returning without writing to 'error' return ds; ^ /.../tidy-minimal/tidy-minimal.c:33:18: note: Returning from 'myfunction' void *result = myfunction(&error); ^ /.../tidy-minimal/tidy-minimal.c:34:7: note: Assuming 'result' is equal to NULL if (result == NULL) { ^ /.../tidy-minimal/tidy-minimal.c:34:3: note: Taking true branch if (result == NULL) { ^ /.../tidy-minimal/tidy-minimal.c:35:5: note: 2nd function call argument is an uninitialized value printf("Error is %s", error); ^

The problem I see: fs is assumed to be not NULL, ds is assumed as equal to fs, ds is returned, the result is assumed to be NULL which contradicts with fs being not null

please let me know if preprocessed version would be helpful

ea7d95e0-10ff-42d2-9b8e-f875ad2084fd commented 6 years ago

assigned to @devincoughlin