[LLVMbugs] [Bug 8525] New: False positive due to analyzer suggesting impossible flow

Mon, 01 Nov 2010 13:24:11 -0700 

http://llvm.org/bugs/show_bug.cgi?id=8525

           Summary: False positive due to analyzer suggesting impossible
                    flow
           Product: clang
           Version: trunk
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: Static Analyzer
        AssignedTo: [email protected]
        ReportedBy: [email protected]
                CC: [email protected]


Consider the following simple example:

int foo(char *start)
{
    int result;
    char *end = start + 1;
    char *index = start;

    if (start == (char*)-1)
        return -1;

    while (index < end) {
        result = 0;
        break;
     }

    return result;
}


Clang analyzer warns:

mytest.c:16:2: warning: Undefined or garbage value returned to caller
        return result;
        ^      ~~~~~~

This is a false positive. Clang considers the case where the loop body is never
entered.

In this case, this cannot happen. There are two possibilities, either "end ==
start + 1", or "start + 1" resulted in an overflow and end == 0.

The overflow case is detected by:

    if (start == (char*)-1)
        return -1;

So if we don't hit that, we will always execute the loop body.

The problem also happens if the overflow check is modified to be:

    if (end == 0)
        return -1;

Now, let's consider for a moment the hypothetical case where analyzer is fixed
to detect the overflow check above and do the right thing (not warn because of
it).

I want to argue that even without the overflow check in place, clang should
still do something different here.

Either it should not warn at all (because something like start + 1 is unlikely
to overflow and cause this code to misbehave), or it should say "assuming
integer overflow" as one of the steps leading up to the analysis warning.

This should also be the case if the value being added is any unsigned integer
(coming from a variable), and not just a literal 1 as is the case in my
example.

-- 
Configure bugmail: http://llvm.org/bugs/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
_______________________________________________
LLVMbugs mailing list
[email protected]
http://lists.cs.uiuc.edu/mailman/listinfo/llvmbugs

Reply via email to