979f598: Clang Static Analyzer Report #12961

issue kallewoof opened this issue on April 12, 2018

kallewoof commented at 2:25 AM on April 12, 2018: member
BRANCH: master COMMIT: 979f59850c72624137d25f80be4188c3ba6b5fa0 ISSUE COUNT: 16 [11 unconfirmed, 5 pending fix] EXCLUDED: nothing SUPERCEDES: #9573 ANALYZER BUILD: checker-279 (2016-11-14 15:34:09)

This report includes upstream repositories (leveldb, secp256k1). We may not want to fix them, but we should at least know about them, in case they cause issues. I can provide detailed reports for any of these, on request (see example of such a report for the rpc/mining.cpp error below).

DISCLAIMER: These results have not been thoroughly confirmed, and may be improbable or flat out invalid, but it's worth having a list of these somewhere.

BITCOIN CORE [4 issues]

LOGIC ERRORS [1 present, 1 confirmed]:
- src/rpc/mining.cpp:652:39: Called C++ object pointer is null (see report) (RESOLVED BY #12963)
```
    result.pushKV("mintime", (int64_t)pindexPrev->GetMedianTimePast()+1);
                                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
DEAD STORE [2 present, 2 confirmed]:
- src/test/util_tests.cpp:952:13: Value stored to 'rv' is never read (RESOLVED BY #12963)
```
            rv = write(fd, &ch, 1);
            ^    ~~~~~~~~~~~~~~~~~
```
- src/wallet/test/coinselector_tests.cpp:550:9: Value stored to 'target' is never read (RESOLVED BY #12963)
```
        target = 0;
        ^        ~
```
MEMORY ERROR [1 present, 0 confirmed]:
- src/httpserver.cpp:606:15: Potential leak of memory pointed to by 'ev'
```
    replySent = true;
    ~~~~~~~~~~^~~~~~
```
LEVELDB [4 issues]

LOGIC ERRORS [1 present, 1 confirmed]:
- src/leveldb/port/port_posix.cc:60:15: The left operand of '&' is a garbage value (RESOLVED BY https://github.com/bitcoin-core/leveldb/pull/16)
```
  return (ecx & (1 << 20)) != 0;
          ~~~ ^
```
DEAD STORE [3 present, 0 confirmed]:
- src/leveldb/db/log_reader.cc:42:5: Value stored to 'offset_in_block' is never read
```
    offset_in_block = 0;
    ^                 ~
```
- src/leveldb/db/log_reader.cc:103:13: Value stored to 'in_fragmented_record' is never read
```
            in_fragmented_record = false;
            ^                      ~~~~~
```
- src/leveldb/db/log_reader.cc:121:13: Value stored to 'in_fragmented_record' is never read
```
            in_fragmented_record = false;
            ^                      ~~~~~
```
SECP256K1 [8 issues]

LOGIC ERRORS [7 present, 0 confirmed]:
- src/field_5x52_impl.h:406:13: Assigned value is garbage or undefined
```
    r->n[0] += a->n[0];
            ^  ~~~~~~~
```
- src/field_5x52_impl.h:390:13: The left expression of the compound assignment is an uninitialized value. The computed value will also be garbage
```
    r->n[0] *= a;
    ~~~~~~~ ^
```
- src/field_5x52_impl.h:406:13: The left expression of the compound assignment is an uninitialized value. The computed value will also be garbage
```
    r->n[0] += a->n[0];
    ~~~~~~~ ^
```
- src/util.h:24:5: Access to field 'fn' results in a dereference of a null pointer (loaded from variable 'cb')
```
    cb->fn(text, (void*)cb->data);
    ^~~~~~
```
- src/scalar_4x64_impl.h:60:20: The left operand of '<' is a garbage value
```
    no |= (a->d[3] < SECP256K1_N_3); /* No need for a > check. */
           ~~~~~~~ ^
```
- src/ecmult_impl.h:217:12: Access to field 'pre_g' results in a dereference of a null pointer (loaded from variable 'ctx')
```
    return ctx->pre_g != NULL;
           ^~~~~~~~~~
```
- src/ecmult_gen_impl.h:95:12: Access to field 'prec' results in a dereference of a null pointer (loaded from variable 'ctx')
```
    return ctx->prec != NULL;
           ^~~~~~~~~
```
DEAD STORE [1 present, 1 confirmed]
- src/ecmult_gen_impl.h:153:5: Value stored to 'bits' is never read (RESOLVED BY https://github.com/bitcoin-core/secp256k1/pull/485)
```
    bits = 0;
    ^      ~
```
fanquake commented at 2:57 AM on April 12, 2018: member

leveldb:

logic errors

https://github.com/bitcoin-core/leveldb/pull/16

dead store

From what I can tell these will be handled in https://github.com/bitcoin-core/leveldb/pull/17

secp256k1:

dead store

https://github.com/bitcoin-core/secp256k1/pull/485
kallewoof commented at 3:32 AM on April 12, 2018: member

@fanquake Added "RESOLVED BY"s. The leveldb dead stores I could not verify as the branch currently fails to compile on my end (https://github.com/bitcoin-core/leveldb/pull/17#issuecomment-380666692).
practicalswift commented at 6:33 AM on April 12, 2018: contributor

Thanks for doing these! Could you add Clang version used to the excellent summary table at the top?
kallewoof commented at 6:41 AM on April 12, 2018: member

@practicalswift Done (it's old, but seems to be the latest version).
practicalswift commented at 11:29 AM on April 12, 2018: contributor

Anyone who would like to look at the reported Potential leak of memory pointed to by 'ev' in src/httpserver.cpp? The others have been addressed in #12963.
kallewoof commented at 5:28 AM on April 13, 2018: member

I'll make a path report public for the 'ev' thing later today. I suspect it's the analyzer getting confused over something, though.
MarcoFalke commented at 2:46 PM on May 14, 2018: member

What is the status of this?
MarcoFalke referenced this in commit c5870ab689 on May 14, 2018
practicalswift commented at 2:58 PM on May 14, 2018: contributor

@kallewoof The PR #12963 has now been merged. What about closing this PR and opening a new for the May 2018 edition of the report? :-)
kallewoof commented at 3:53 PM on May 14, 2018: member

There is the 'ev' thing that I never got around to but closing for now. If someone wants to look into it I can provide details.
kallewoof closed this on May 14, 2018
practicalswift commented at 7:47 AM on September 4, 2018: contributor

@kallewoof Time for another report? :-)
UdjinM6 referenced this in commit 531d8ceade on May 21, 2021
UdjinM6 referenced this in commit 32e84f8ea4 on May 25, 2021
DrahtBot locked this on Sep 8, 2021