https://bugs.llvm.org/show_bug.cgi?id=46215

            Bug ID: 46215
           Summary: UndefReturn false positive
           Product: clang
           Version: trunk
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: Static Analyzer
          Assignee: [email protected]
          Reporter: [email protected]
                CC: [email protected], [email protected]

The following minimal program triggers a false positive in Clang SA's
UndefReturn checker:

  // t.c
  char T(char **d) {
      char *entries[2];
      entries[0] = d[0];             // entries[0] is fully initialized here
      char *buf1 = (char *)entries;  // byte view of the pointer array
      return buf1[1];                // second byte of entries[0]: initialized, yet flagged
  }

  $ clang-11 -cc1 -analyze -analyzer-checker=core.uninitialized.UndefReturn t.c
  t.c:9:2: warning: Undefined or garbage value returned to caller
[core.uninitialized.UndefReturn]
          return buf1[1];
          ^~~~~~~~~~~~~~
  1 warning generated.

I've tried to debug this, and it looks like the region store gets confused
about the type and size of the region. I believe I narrowed it down to this old
FIXME:
https://github.com/llvm/llvm-project/blob/e93f7e6d1ab973be717e00966f66739930361a80/clang/lib/StaticAnalyzer/Core/RegionStore.cpp#L1455.

We hit a similar issue for production code when hashing an array of pointer
values, but

a) it triggers in UndefResultChecker, not ReturnUndefChecker
b) I haven't been able to reduce it as effectively

They both seem to be based on the region store's isUndef logic, so I suspect
they're related.

-- 
_______________________________________________
llvm-bugs mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs
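The following is an added example, not code from the bug report or from the Clang project. It shows, at runtime, why the flagged read in the reproducer is of initialized storage: byte 1 of `buf1` lies inside the object representation of `entries[0]`, which was assigned before the read. It also carries the "hashing an array of pointer values" pattern from the report through with a simple FNV-1a hash done two ways, a `char` view of the array and a per-element `memcpy`, so the two can be compared on a constructed input. Function names, the static pool and the sample pointers are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Byte i of the pointer stored in entries[0], read through a char view of
   the whole array, exactly as the reproducer's buf1[1] does (i = 1). */
static unsigned char byte_via_char_view(char *p, size_t i) {
    char *entries[2];
    entries[0] = p;                 /* only element 0 is initialized */
    char *buf1 = (char *)entries;   /* char may alias any object */
    return (unsigned char)buf1[i];  /* i < sizeof(char *) stays inside entries[0] */
}

/* The same byte obtained with memcpy, the textbook way to inspect an
   object representation; serves as the reference value. */
static unsigned char byte_via_memcpy(char *p, size_t i) {
    unsigned char rep[sizeof(char *)];
    memcpy(rep, &p, sizeof rep);
    return rep[i];
}

/* 1 if every byte of entries[0]'s representation reads identically through
   both views, i.e. the read the checker flags is of initialized storage. */
int pointer_bytes_match(char *p) {
    for (size_t i = 0; i < sizeof(char *); i++)
        if (byte_via_char_view(p, i) != byte_via_memcpy(p, i))
            return 0;
    return 1;
}

/* Constructed input for the reproducer case (hypothetical helper). */
int reproducer_read_is_defined(void) {
    static char target[4] = "abc";
    return pointer_bytes_match(target);
}

/* FNV-1a over the object representation of n pointers, the pattern the
   report describes for production code. Variant 1: char view of the array. */
uint64_t hash_ptrs_char_view(char **arr, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    const unsigned char *bytes = (const unsigned char *)arr;
    for (size_t i = 0; i < n * sizeof(char *); i++) {
        h ^= bytes[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Variant 2: per-element memcpy into a byte buffer, same hash. */
uint64_t hash_ptrs_memcpy(char **arr, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t k = 0; k < n; k++) {
        unsigned char rep[sizeof(char *)];
        memcpy(rep, &arr[k], sizeof rep);
        for (size_t i = 0; i < sizeof rep; i++) {
            h ^= rep[i];
            h *= 1099511628211ULL;
        }
    }
    return h;
}

/* Constructed sample input: three pointers into a static pool. Both
   variants must agree regardless of the actual addresses. */
int hashes_agree(void) {
    static char pool[8];
    char *arr[3] = { pool, pool + 3, pool + 7 };
    return hash_ptrs_char_view(arr, 3) == hash_ptrs_memcpy(arr, 3);
}
```

Both hash variants read only bytes that belong to assigned array elements, so the `memcpy` form is a useful reference when deciding whether a reported garbage-value read is a true positive or, as here, a region-store modelling gap.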