Walter Bright Wrote:
> >> 2. Optimizer collects the info, but ignores this, because people are
> >> annoyed by false positives.
clang analyzer tries very hard to avoid false positives, to the point that every error message has a link for sending a bug report.

> The problem crops up when there are two connected variables:
>
> void foo(bool flag)
> {
>     char* p = null;
>     if (flag)
>         p = "hello";
>     ...
>     if (flag)
>         bar(*p);
> }
>
> The code is logically correct, there is no null pointer dereference
> possible. However, the data flow analysis will see the *p and see two
> reaching definitions for p: null and "hello", even though only one
> actually reaches.
>
> Hence the false positive. To eliminate the false error report, the user
> would have to insert a redundant null check.
>
> Does this happen in practice? Yes.

I've tested this exact code in clang analyzer and it's actually smart enough not to report that as an error! if (flag) bar(*p) is not reported, but if (!flag) bar(*p) is reported, so the analyzer can follow connected variables properly.
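To make the difference between the two analyses concrete, here is an added toy model of the foo() example (constructed for this thread; it is not clang's code nor the poster's): one walk merges the reaching definitions of p at every join, the other tracks the value of flag along each path, and only the path-tracking walk gets both the if (flag) and the if (!flag) variants right.

```python
# Toy model of foo() from the thread. Statements are tuples; the program is
# built for either guard on the dereference: "flag" or "!flag".
NULL = None


def program(second_cond):
    """p = null; if (flag) p = "hello"; if (<second_cond>) bar(*p);"""
    return [
        ("assign", "p", NULL),
        ("if", "flag", [("assign", "p", "hello")]),
        ("if", second_cond, [("deref", "bar(*p)")]),
    ]


def cond_holds(cond, flag):
    return flag if cond == "flag" else not flag


def analyze(stmts, pvals, flag, warnings):
    """Walk stmts with p abstractly holding any value in `pvals`.

    flag is a concrete True/False when the walk assumes one path through
    the correlated branches, or None for the path-insensitive walk that
    joins the definitions from both arms of every `if`.
    Returns the set of values p may hold after `stmts`.
    """
    for kind, *rest in stmts:
        if kind == "assign":
            pvals = {rest[1]}                     # one reaching definition
        elif kind == "deref":
            if NULL in pvals:                     # null may reach *p here
                warnings.append(rest[0])
        elif kind == "if":
            cond, body = rest
            if flag is None:
                # Join: definitions from the taken and skipped arm both reach.
                pvals = pvals | analyze(body, pvals, flag, warnings)
            elif cond_holds(cond, flag):
                pvals = analyze(body, pvals, flag, warnings)
    return pvals


def merge_warnings(second_cond):
    """Reaching-definitions style: reports both guards (false positive)."""
    found = []
    analyze(program(second_cond), set(), None, found)
    return found


def path_warnings(second_cond):
    """Path-sensitive: reports only the genuinely reachable null deref."""
    found = []
    for flag in (True, False):
        analyze(program(second_cond), set(), flag, found)
    return found
```

merge_warnings("flag") reports the dereference even though it is safe, while path_warnings("flag") is empty and path_warnings("!flag") still reports it, matching the behaviour described for clang analyzer above.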