llvm / llvm-project

The LLVM Project is a collection of modular and reusable compiler and toolchain technologies.
http://llvm.org

[clang static analyzer] core.NullDereference false negative with `*(int *)0` #60161

Open 0-0x41 opened 1 year ago

0-0x41 commented 1 year ago

I got a false negative when compiling the following program with `clang(trunk) --analyze -Xclang -analyzer-stats -Xclang -analyzer-checker=core,debug.ExprInspection` (https://godbolt.org/z/YxWK86exG).

Input:

```c
void clang_analyzer_eval();

struct a b;       /* tentative definition; the type is completed below */
struct a {};      /* empty struct (GNU extension, size zero in C) */

void main()
{
    if (&b == &b)
    {
        clang_analyzer_eval(((&b) + 1) < ((&b) + 2));
        if (((&b) + 1) < ((&b) + 2))
        {
            *(int *)0;   /* expected to trigger core.NullDereference */
        }
    }
}
```

Output:

```
<source>:11:9: warning: TRUE [debug.ExprInspection]
        clang_analyzer_eval(((&b) + 1) < ((&b) + 2));
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```

Compiling and running this case through clang(trunk) shows that `((&b) + 1) < ((&b) + 2)` results in FALSE, while the analyzer gives TRUE. Based on the TRUE result, it appears that the analyzer does not enter the `if` branch for analysis (and does not generate a core.NullDereference warning for `*(int *)0`).

In a way, from the user's point of view, this might be seen as a false negative. Thanks a lot for taking the time to review this case. We hope the clang static analyzer will get better. Thanks.
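To make the runtime side of the report concrete, here is an added example (not part of the issue or of the LLVM project's code) that evaluates the same pointer comparison at run time, next to a control case on a struct with one member. It assumes the GNU C dialect used by GCC and Clang, in which an empty struct has size zero; standard C does not allow empty structs at all. With a zero-sized element, `&b + 1` and `&b + 2` are both equal to `&b`, which is why the program observes FALSE where the analyzer reported TRUE. The null dereference from the reproducer is deliberately not executed here.

```c
#include <stddef.h>
#include <stdio.h>

/* Same declarations as the reproducer: a tentative definition of b whose
   type is completed by the empty struct definition that follows.
   Assumption: GNU C, where an empty struct has size zero. */
struct a b;
struct a {};

/* Size of the empty struct: 0 under GCC/Clang's C dialect. */
size_t empty_struct_size(void) { return sizeof(struct a); }

/* The comparison from the reproducer, evaluated at run time.
   Each increment advances by sizeof(struct a) == 0 bytes, so
   (&b) + 1 == (&b) + 2 and the strict less-than test yields 0. */
int empty_struct_pointer_compare(void) {
    return ((&b) + 1) < ((&b) + 2);
}

/* Control case (constructed for this example): the same comparison on a
   struct with one member is true, because each increment now advances by
   sizeof(struct c) > 0 bytes. */
struct c { int member; };
struct c d;

int nonempty_struct_pointer_compare(void) {
    return ((&d) + 1) < ((&d) + 2);
}

int main(void) {
    printf("sizeof(struct a) = %zu\n", empty_struct_size());
    printf("empty:    (&b + 1) < (&b + 2) -> %d\n", empty_struct_pointer_compare());
    printf("nonempty: (&d + 1) < (&d + 2) -> %d\n", nonempty_struct_pointer_compare());
    return 0;
}
```

Build with `cc -o ptrcmp ptrcmp.c && ./ptrcmp`; the empty-struct comparison prints 0 and the control case prints 1, which matches the runtime result described in the report rather than the analyzer's TRUE.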

llvmbot commented 1 year ago

@llvm/issue-subscribers-clang-static-analyzer