Description
Description of the false positive
The query for unreachable code (BasicBlock where not bb1.isReachable()) incorrectly detects live code as dead code in C/C++.
Specifically, in the function Tcl_TranslateFileName, it incorrectly flags a for loop that is clearly reachable and executed in normal control flow.
tclPlatform is a global variable, so the condition if (tclPlatform == TCL) can be true at runtime, making the code reachable.
This leads to several false positives in real codebases.
Code samples or links to source code
Here is an example:
char *Tcl_TranslateFileName(Tcl_Interp *interp, CONST char *name, Tcl_DString *bufferPtr)
{
Tcl_Obj *path = Tcl_NewStringObj(name, -1);
Tcl_Obj *transPtr;
Tcl_IncrRefCount(path);
transPtr = Tcl_FSGetTranslatedPath(interp, path);
if (transPtr == NULL)
{
Tcl_DecrRefCount(path);
return NULL;
}
Tcl_DStringInit(bufferPtr);
Tcl_DStringAppend(bufferPtr, Tcl_GetString(transPtr), -1);
Tcl_DecrRefCount(path);
Tcl_DecrRefCount(transPtr);
if (tclPlatform == TCL)
{
char *p;
for (p = Tcl_DStringValue(bufferPtr); *p != '\0'; p++) // <-- this block is reported as unreachable, but it is reachable
{
if (*p == '/')
{
*p = '\\';
}
}
}
return Tcl_DStringValue(bufferPtr);
}
Query used to detect unreachable blocks:
import cpp
predicate isUserFile(File f) {
not f.getFile().getAbsolutePath().matches("%/include/%") and
not (f.toString().matches("%file://:0:0:0:0%"))
}
from BasicBlock bb1
where
isUserFile(bb1.getEnclosingFunction().getFile()) and
not bb1.isReachable()
select
bb1.getEnclosingFunction().getName(),
bb1.getEnclosingFunction().getLocation(),
bb1.getStart().getLocation().getStartLine(),
bb1.getEnd().getLocation().getStartLine()
The block:
{
char *p;
for (p = Tcl_DStringValue(bufferPtr); *p != '\0'; p++)
is wrongly reported as unreachable (dead code), but it is active and necessary to correctly translate file paths.
This false positive happens in several similar real-world cases, and makes the dead code detection query unreliable.