llvm / llvm-project

The LLVM Project is a collection of modular and reusable compiler and toolchain technologies.
http://llvm.org

UndefReturn false positive #45560

Open kimgr opened 4 years ago

kimgr commented 4 years ago
Bugzilla Link 46215
Version trunk
OS Linux
CC @devincoughlin,@haoNoQ

Extended Description

The following minimal program triggers a false positive in Clang SA's UndefReturn checker:

```c
// t.c
char T(char *d) {
  char entries[2];
  entries[0] = d[0];

  char *buf1 = (char *)entries;

  return buf1[1];
}
```

```
$ clang-11 -cc1 -analyze -analyzer-checker=core.uninitialized.UndefReturn t.c
t.c:9:2: warning: Undefined or garbage value returned to caller [core.uninitialized.UndefReturn]
        return buf1[1];
        ^~~~~~
1 warning generated.
```

I've tried to debug this, and it looks like the region store gets confused about the type and size of the region. I believe I narrowed it down to this old FIXME: https://github.com/llvm/llvm-project/blob/e93f7e6d1ab973be717e00966f66739930361a80/clang/lib/StaticAnalyzer/Core/RegionStore.cpp#L1455.

We hit a similar issue for production code when hashing an array of pointer values, but

a) it triggers in UndefResultChecker, not ReturnUndefChecker
b) I haven't been able to reduce it as effectively

They both seem to be based on the region store's isUndef logic, so I suspect they're related.

kimgr commented 4 years ago

Thanks, Artem.

Let me know if there's anything (however little) I can do to help.

haoNoQ commented 4 years ago

Yup, this is probably the most common source of false positives that we have on more or less arbitrary C code right now. There's llvm/llvm-project#43459 with some discussion.

I really wish I could squeeze out some time to address those.

kimgr commented 4 years ago

assigned to @haoNoQ