What does Coverity/clang static analysis actually do?

Walter Bright newshound1 at digitalmars.com
Thu Oct 1 14:02:17 PDT 2009


Nick Sabalausky wrote:
> "Walter Bright" <newshound1 at digitalmars.com> wrote in message 
>> 2. possible dereference of NULL pointers (some reaching definitions of a 
>> pointer are NULL)
>> 2. Optimizer collects the info, but ignores this, because people are 
>> annoyed by false positives.
>>
> 
> If you mean something like this:
> 
> Foo f;
> if(cond)
>     f = new Foo();
> f.bar();
> 
> Then I *want* the compiler to tell me. C# does this and I've never been 
> annoyed by it, in fact I've always appreciated it. I'm not aware of any 
> other C# user that has a problem with that either. If that's not what you 
> mean though, then could you elaborate?

The problem crops up when there are two connected variables:

   void foo(bool flag)
   {
     char* p = null;
     if (flag)
       p = "hello";
     ...
     if (flag)
       bar(*p);
   }

The code is logically correct, there is no null pointer dereference 
possible. However, the data flow analysis will see the *p and see two 
reaching definitions for p: null and "hello", even though only one 
actually reaches.

Hence the false positive. To eliminate the false error report, the user 
would have to insert a redundant null check.

Does this happen in practice? Yes.
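The false positive above can be reproduced with a toy analysis. The following is an added example, not code from this thread or from the D compiler: the program is a constructed control-flow-graph model of the foo(bool flag) function (block names, the BLOCKS/EDGES encoding and the function names are all my own). A classic path-insensitive reaching-definitions pass merges both definitions of p at the join and warns at bar(*p); a path-sensitive walk that remembers which way flag went skips the infeasible path and stays quiet. A second model, where flag is overwritten between the two tests, shows the path-sensitive version still reporting the dereference once the correlation is genuinely broken.

```python
"""Toy dataflow analysis reproducing the false positive from the post
(added example, not code from the mailing-list thread).

A program is a control-flow graph: BLOCKS maps a block name to its
statements, EDGES lists (src, dst, condition) with condition either None
or (variable, value_required_to_take_edge).  Statement forms:
    ("assign", var, value)   value None stands for a null pointer
    ("deref",  var)          models bar(*var)
"""

# Constructed model of foo(bool flag): p is null unless flag is set, and
# *p is only read when flag is set.
BLOCKS = {
    "entry": [("assign", "p", None)],        # char* p = null;
    "then1": [("assign", "p", "hello")],     # if (flag) p = "hello";
    "join1": [],                             # ...
    "then2": [("deref", "p")],               # if (flag) bar(*p);
    "exit":  [],
}
EDGES = [
    ("entry", "then1", ("flag", True)),
    ("entry", "join1", ("flag", False)),
    ("then1", "join1", None),
    ("join1", "then2", ("flag", True)),
    ("join1", "exit",  ("flag", False)),
    ("then2", "exit",  None),
]

# Same shape, but flag is overwritten between the two tests, so the
# branches are no longer correlated and *p really can be null.
BROKEN_BLOCKS = dict(BLOCKS, join1=[("assign", "flag", True)])


def reaching_definitions(blocks, edges):
    """Classic forward, path-insensitive dataflow.  A definition is
    (block, var, value); IN[b] is the union over predecessors, OUT[b] is
    GEN[b] plus whatever in IN[b] the block does not redefine."""
    preds = {b: [] for b in blocks}
    for src, dst, _ in edges:
        preds[dst].append(src)
    gen, kill = {}, {}
    for b, stmts in blocks.items():
        last = {}
        for s in stmts:
            if s[0] == "assign":
                last[s[1]] = (b, s[1], s[2])    # later assign overrides earlier
        gen[b] = set(last.values())
        kill[b] = set(last)
    ins = {b: set() for b in blocks}
    outs = {b: set() for b in blocks}
    changed = True
    while changed:                              # iterate to a fixed point
        changed = False
        for b in blocks:
            new_in = set().union(*(outs[p] for p in preds[b]))
            new_out = gen[b] | {d for d in new_in if d[1] not in kill[b]}
            if new_in != ins[b] or new_out != outs[b]:
                ins[b], outs[b], changed = new_in, new_out, True
    return ins


def path_insensitive_warnings(blocks, edges):
    """Warn at every dereference where some reaching definition is null.
    Both definitions of p reach bar(*p) in the merged view, so this fires
    even though the null one cannot actually get there."""
    ins = reaching_definitions(blocks, edges)
    warnings = []
    for b, stmts in blocks.items():
        live = set(ins[b])
        for s in stmts:
            if s[0] == "assign":
                live = {d for d in live if d[1] != s[1]} | {(b, s[1], s[2])}
            else:
                values = {d[2] for d in live if d[1] == s[1]}
                if None in values:
                    warnings.append((b, s[1], sorted(map(str, values))))
    return warnings


def path_sensitive_warnings(blocks, edges, entry="entry"):
    """Walk each feasible path, remembering which way every branch variable
    went.  An edge whose condition contradicts an earlier branch on the same
    (unmodified) variable is infeasible and skipped, which is what keeps the
    null definition of p away from bar(*p).  The graph is acyclic here;
    loops would need a bound or widening."""
    succs = {b: [] for b in blocks}
    for src, dst, cond in edges:
        succs[src].append((dst, cond))
    warnings = set()

    def walk(block, env, assumed):
        env, assumed = dict(env), dict(assumed)
        for s in blocks[block]:
            if s[0] == "assign":
                env[s[1]] = s[2]
                assumed.pop(s[1], None)         # earlier branch outcome no longer holds
            elif env.get(s[1]) is None:
                warnings.add((block, s[1]))
        for dst, cond in succs[block]:
            if cond is None:
                walk(dst, env, assumed)
            elif assumed.get(cond[0], cond[1]) == cond[1]:
                walk(dst, env, {**assumed, cond[0]: cond[1]})

    walk(entry, {}, {})
    return sorted(warnings)


if __name__ == "__main__":
    for name, prog in (("correlated", BLOCKS), ("flag overwritten", BROKEN_BLOCKS)):
        print(name, "path-insensitive:", path_insensitive_warnings(prog, EDGES))
        print(name, "path-sensitive:  ", path_sensitive_warnings(prog, EDGES))
```

The path-sensitive walk is only cheap because this graph has two branches and no loops; real tools bound the number of paths or fall back to merging, which is where the tension between precision and false positives that the post describes comes from.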



More information about the Digitalmars-d mailing list