Open kimgr opened 4 years ago
Thanks, Artem.
Let me know if there's anything (however little) I can do to help.
Yup, this is probably the most common source of false positives that we have on more or less arbitrary C code right now. There's llvm/llvm-project#43459 with some discussion.
I really wish I could squeeze out some time to address those.
assigned to @haoNoQ
Extended Description
The following minimal program triggers a false positive in Clang SA's UndefReturn checker:
```c
// t.c
char T(char *d) {
  char entries[2];
  entries[0] = d[0];
  char *buf1 = (char *)entries; // pointer aliasing the local array
  return buf1[1];
}
```
```
$ clang-11 -cc1 -analyze -analyzer-checker=core.uninitialized.UndefReturn t.c
t.c:9:2: warning: Undefined or garbage value returned to caller [core.uninitialized.UndefReturn]
        return buf1[1];
        ^~~~~~~~~~~~~~~
1 warning generated.
```

I've tried to debug this, and it looks like the region store gets confused about the type and size of the region. I believe I narrowed it down to this old FIXME: https://github.com/llvm/llvm-project/blob/e93f7e6d1ab973be717e00966f66739930361a80/clang/lib/StaticAnalyzer/Core/RegionStore.cpp#L1455.
We hit a similar issue for production code when hashing an array of pointer values, but

a) it triggers in UndefResultChecker, not ReturnUndefChecker
b) I haven't been able to reduce it as effectively
They both seem to be based on the region store's isUndef logic, so I suspect they're related.
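An added triage variant (example code, not the reproducer from the report or anything from the LLVM tree): both elements of `entries` are initialized before the read, so at runtime the result is fully defined, and a `direct` control function reads the array without the cast. The function names and the sample input are assumptions made for this example.

```c
#include <assert.h>

/* Both variants below initialize every element of `entries` before reading
 * it, so a runtime uninitialized read is impossible by construction. If
 * UndefReturn still fires on `via_cast` but not on `direct`, the warning is
 * attributable to how the analyzer models the array-to-pointer cast rather
 * than to a genuine uninitialized value. */

/* Control case: read entries[1] through the array itself, no cast. */
char direct(const char *d) {
  char entries[2];
  entries[0] = d[0];
  entries[1] = d[1];
  return entries[1];
}

/* Same data flow, but the read goes through a char * aliasing the array,
 * which is the shape used by the report's reproducer. */
char via_cast(const char *d) {
  char entries[2];
  entries[0] = d[0];
  entries[1] = d[1];
  char *buf1 = (char *)entries;
  return buf1[1];
}

/* Runtime check that both paths agree on a constructed sample input. */
int variants_agree(void) {
  const char sample[2] = {'A', 'B'}; /* constructed sample input */
  return direct(sample) == 'B' && via_cast(sample) == 'B';
}

int main(void) {
  assert(variants_agree());
  return 0;
}
```

Run the same `clang -cc1 -analyze -analyzer-checker=core.uninitialized.UndefReturn` command from the report on this file and compare which function, if any, the warning points at.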