
False positive null dereference on impossible path #3643

@nashidau
Bugzilla Link: 3271
Resolution: DUPLICATE
Resolved on: Feb 22, 2010 12:49
Version: unspecified
OS: Linux
Attachments: Full example program, Report of false null-deref.
CC: @tkremenek

Extended Description

Clang is warning me about the second path, saying that prev may be uninitialized. However, for prev to be uninitialized, it must be the first item in the list, hence list->first == del, hence the first path will be taken.

It's a tricky case, but it's from real code.

I've attached a fairly small program which shows the behaviour; this is basically the same algorithm as in the real code, but it shows the result much more simply. The node_del() call below is in the source. Also, the example program should follow the code path as closely as possible to the one below.

It was built and checked out from SVN today:
Low Level Virtual Machine (http://llvm.org/):
llvm version 2.5svn
DEBUG build with assertions.
Built Dec 31 2008(11:58:11).

Let me know if there is any other information you would like. I'll attach the report in a moment.

int
node_del(struct listhead *list, int id){
    struct node *prev, *del;

    for (del = list->first, prev = NULL ;
            del && id != del->id ; del = del->next){
        printf("Iterate\n");
        prev = del;
    }

    if (!del) return -1;

    printf("Loop Condition: %d (%p && %d != %d)\n", del && id != del->id,
            del,id,del->id);
    printf("Current state: list->first: %p del: %p prev: %p\n",
            list->first, del, prev);

    if (list->first == del){
        list->first = del->next;
    } else {
        prev->next = del->next; /* < Clang error here */
    }

    free(del);

    return 0;
}
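
Added example, not part of the original report or of Clang: two rewrites of `node_del()` that remove the flagged path, one by asserting the invariant the report describes (prev is NULL only when del is the head) and one by walking a pointer to the link so that `prev` no longer exists. The struct layouts and the `node_push()` helper are assumptions made so the code runs on its own.

```c
#include <assert.h>
#include <stdlib.h>
/* Assumed layouts, inferred from the fields the report's snippet uses. */
struct node { int id; struct node *next; };
struct listhead { struct node *first; };

/* Variant 1: keep prev, but state the invariant the analyzer cannot infer. */
int node_del_assert(struct listhead *list, int id)
{
    struct node *prev = NULL, *del;
    for (del = list->first; del && id != del->id; del = del->next)
        prev = del;
    if (!del)
        return -1;
    if (list->first == del) {
        list->first = del->next;
    } else {
        /* prev is NULL only if the loop body never ran, i.e. del is the head. */
        assert(prev != NULL);
        prev->next = del->next;
    }
    free(del);
    return 0;
}

/* Variant 2: walk the link that points at the node, so no prev exists. */
int node_del_link(struct listhead *list, int id)
{
    struct node **link = &list->first;
    while (*link && (*link)->id != id)
        link = &(*link)->next;
    if (!*link)
        return -1;
    struct node *del = *link;
    *link = del->next; /* same store for head and interior nodes */
    free(del);
    return 0;
}

/* Hypothetical helper for building sample lists: push a node at the head. */
int node_push(struct listhead *list, int id)
{
    struct node *n = malloc(sizeof *n);
    if (!n) return -1;
    n->id = id;
    n->next = list->first;
    list->first = n;
    return 0;
}
```

With `NDEBUG` defined the `assert` compiles away, so variant 2 is the one that holds the invariant structurally rather than by annotation.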
