Clang static analyzer skips some checks

I am using clang 4.0.0 static analyzer. In the following example

int fun(){

    int aa = 1,bb = 0;
    int cc = aa/bb; // 1) divide by zero. // Reported by clang

    int *pt = nullptr;
    int a = *pt;    // 2) null pointer dereference. // NOT Reported by clang

    int b;
    int c = a + b;  // 3) Unused initialization. // Reported by clang

    return cc;
}

The Clang static analyzer reports only two problems, 1 and 3, and skips problem 2.

If I change the order, like this

int fun(){

    int *pt = nullptr;
    int a = *pt;    // 1) null pointer dereference. // Reported by clang

    int aa = 1,bb = 0;
    int cc = aa/bb; // 2) divide by zero. // NOT Reported by clang

    int b;
    int c = a + b;  // 3) Unused initialization. // Reported by clang

    return cc;
}

then the static analyzer reports 1 and 3 and skips 2.

I run the clang static analyzer with this command

clang-check.exe -analyze D:\testsrc\anothercpp.cpp

This is a very controversial behavior. Regardless of the order in which problems arise, one of the problems is skipped. In addition, I tested this script with clang 5.0.1, only to get the same results.

Does anyone know why this is happening with a static analyzer?

Thanks in advance.

-Hemant

+6
2

, , , , .

DereferenceChecker, , , " node", .

void DereferenceChecker::reportBug(ProgramStateRef State, const Stmt *S,
                                   CheckerContext &C) const {
  // Generate an error node.
  ExplodedNode *N = C.generateErrorNode(State);

CheckerContext::generateErrorNode , .

  /// \brief Generate a transition to a node that will be used to report
  /// an error. This node will be a sink. That is, it will stop exploration of
  /// the given path.
  ///
  /// @param State The state of the generated node.
  /// @param Tag The tag to uniquely identify the creation site. If null,
  ///        the default tag for the checker will be used.
  ExplodedNode *generateErrorNode(ProgramStateRef State = nullptr,
                                  const ProgramPointTag *Tag = nullptr) {
    return generateSink(State, Pred,
                        (Tag ? Tag : Location.getTag()));
  }

, , , , . undefined ++, - . , , . , .

, , , .

. .

+4
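
A simplified model of the behaviour the quoted `generateErrorNode` comment describes, added here as an example; it is not Clang's code and not part of the original answers. The names `Node`, `mk`, `explorePaths` and `scanDeadStores` are hypothetical, and treating the unused-value warning as a pass that does not depend on path exploration is an assumption that matches the output shown in the question.

```cpp
#include <iostream>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Simplified model, not Clang code; every name below is hypothetical.
enum class Kind { Clean, PathBug, DeadStore };
struct Node {
  std::string label;
  Kind kind;
  std::vector<Node> next;  // successors; more than one means a branch
};
Node mk(std::string label, Kind kind, std::vector<Node> next = {}) {
  return Node{std::move(label), kind, std::move(next)};
}
// Path-sensitive pass: a node that reports a bug is a sink, so nothing
// after it on the same path is visited.
void explorePaths(const Node &n, std::set<std::string> &out) {
  if (n.kind == Kind::PathBug) {
    out.insert(n.label);
    return;  // sink: exploration of this path stops here
  }
  for (const Node &s : n.next) explorePaths(s, out);
}
// Assumption: the unused-value warning comes from a pass over every
// statement that does not depend on path exploration.
void scanDeadStores(const Node &n, std::set<std::string> &out) {
  if (n.kind == Kind::DeadStore) out.insert(n.label);
  for (const Node &s : n.next) scanDeadStores(s, out);
}
std::set<std::string> analyze(const Node &entry) {
  std::set<std::string> out;
  explorePaths(entry, out);
  scanDeadStores(entry, out);
  return out;
}
// Constructed inputs: the question's two orderings, then a variant with
// the two fatal defects on separate branches of one condition.
Node tail() { return mk("dead-store", Kind::DeadStore); }
Node divThenNull() { return mk("div-by-zero", Kind::PathBug, {mk("null-deref", Kind::PathBug, {tail()})}); }
Node nullThenDiv() { return mk("null-deref", Kind::PathBug, {mk("div-by-zero", Kind::PathBug, {tail()})}); }
Node branched() { return mk("if", Kind::Clean, {mk("div-by-zero", Kind::PathBug), mk("null-deref", Kind::PathBug)}); }

int main() {
  for (const Node &f : {divThenNull(), nullThenDiv(), branched()}) {
    for (const std::string &r : analyze(f)) std::cout << r << ' ';
    std::cout << '\n';
  }
}
```

In this model the first two inputs each lose the second fatal defect because it sits behind a sink, while the branched input reports both because each defect ends its own path.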

, . " ". , - (, , - ) Clang , , , , undefined. - . . , : . , /, . - , .

+1
