NoQ added a comment.

In D97183#2701441 <https://reviews.llvm.org/D97183#2701441>, @steakhal wrote:

> I think we can conclude that `P` must be non-null (since it was 
> unconditionally dereferenced), thus the previous check on the inner pointer 
> and the branch it guards must be dead!

Under the same logic we also can't report null dereference in the following 
code:

  struct A { void foo(); };  // minimal declaration so the snippet compiles

  void bar() {
    A *p = nullptr;
    p->foo();  // unconditional dereference of a pointer that is always null
  }

Indeed, the null pointer `p` is unconditionally dereferenced, therefore the 
entire function `bar()` must be dead!

Or maybe the entire executable binary into which this code is linked is never 
run. Some users definitely complain about the static analyzer analyzing code 
that was entirely dead from the start, and suggested integrating with the 
dynamic PGO facilities to analyze hot code first.

It's important to realize that with pure static analysis it is absolutely 
impossible to reliably report a bug more severe than dead code. Any form of 
static analysis only ever finds //code that doesn't make sense//. It cannot 
make assumptions about how often the code is executed in practice or how severe 
and impactful the bug is to the users of the program under analysis. When we 
report anything that doesn't directly scream "dead code", like null 
dereference, we're still always implicitly saying "This code doesn't make sense 
because it either has dead parts or _____". In fact we should probably do a 
better job at managing expectations because users do become upset when we 
promise them use-after-frees but in reality only find dead code that "would 
have caused use-after-frees if it was ever run".


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D97183/new/

https://reviews.llvm.org/D97183
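The "dead branch or null dereference" dichotomy NoQ describes above, as an added example that is not part of the original thread and not clang's analyzer: a toy path-sensitive tracker over a constructed mini-IR (statement tuples carrying a line number; the kinds `assign_null`, `deref`, `if_null`, `noop` and the helper `report` are all this example's own inventions). Feeding it the same two facts in opposite orders shows why the analyzer can only ever say "this code doesn't make sense": dereference-then-check yields a dead branch, check-then-dereference yields a null dereference, and `bar()` yields a null dereference on a path that, viewed the other way round, makes the whole function dead.

```python
"""Toy path-sensitive null tracker (constructed example, not clang's CSA).

Mini-IR: each statement is a tuple starting with a source line number:
  (line, "assign_null", "p")                        p = nullptr;
  (line, "deref", "p")                              p->foo();  or  *p
  (line, "if_null", "p", then_block, else_block)    if (p == nullptr) {...} else {...}
  (line, "noop", None)                              return;  / any statement we do not model
State maps pointer name -> "null" | "nonnull"; absent means unknown.
"""
from typing import Dict, List, Tuple

Stmt = tuple
Block = List[Stmt]
Finding = Tuple[str, int]


def _analyze(block: Block, state: Dict[str, str], findings: List[Finding]) -> None:
    """Walk `block` along every feasible path, splitting state at each branch."""
    for i, stmt in enumerate(block):
        line, kind, var = stmt[0], stmt[1], stmt[2]
        if kind == "noop":
            continue
        if kind == "assign_null":
            state[var] = "null"
        elif kind == "deref":
            if state.get(var) == "null":
                # Every constraint on this path says the pointer is null:
                # report, and stop, since nothing after a crash is reachable.
                findings.append(("null dereference", line))
                return
            # An unconditional dereference is exactly what lets the analyzer
            # assume non-null from here on (steakhal's observation above).
            state[var] = "nonnull"
        elif kind == "if_null":
            then_block, else_block = stmt[3], stmt[4]
            rest = block[i + 1:]          # statements after the if run on both arms
            fact = state.get(var)
            if fact == "nonnull":
                # Taking the null arm would contradict the path's constraints.
                findings.append(("dead branch (then)", line))
            else:
                _analyze(then_block + rest, {**state, var: "null"}, findings)
            if fact == "null":
                findings.append(("dead branch (else)", line))
            else:
                _analyze(else_block + rest, {**state, var: "nonnull"}, findings)
            return                        # `rest` was handled inside the arms
        else:
            raise ValueError(f"unknown statement kind {kind!r}")


def report(program: Block) -> List[Finding]:
    """Analyze a function body; return sorted, de-duplicated findings."""
    findings: List[Finding] = []
    _analyze(program, {}, findings)
    return sorted(set(findings))


# Constructed sample programs (line numbers are those of the mini-IR, not of any real file).

# steakhal's case: the dereference comes first, so the later null check can only be dead.
DEREF_THEN_CHECK: Block = [
    (1, "deref", "p"),                                   # p->foo();
    (2, "if_null", "p", [(3, "noop", None)], []),        # if (p == nullptr) { return; }
]

# NoQ's bar(): p is null on every path, so the deref is a null dereference, or,
# read the other way, the whole function body is dead.
BAR: Block = [
    (1, "assign_null", "p"),                             # A *p = nullptr;
    (2, "deref", "p"),                                   # p->foo();
]

# Same two facts, opposite order: the check guards the deref, and only the null arm crashes.
CHECK_THEN_DEREF: Block = [
    (1, "if_null", "p", [(2, "deref", "p")], [(3, "deref", "p")]),
]

if __name__ == "__main__":
    for name, prog in [("deref-then-check", DEREF_THEN_CHECK), ("bar", BAR),
                       ("check-then-deref", CHECK_THEN_DEREF)]:
        print(name, report(prog))
```

The tracker never measures how often a path runs or how bad the crash would be; it only records which combinations of constraints are contradictory, which is the limitation the comment above is pointing at.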

_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits