It is possible to prove with clang-check if some execution flow may be unreachable ? And because of this, for example, null de-reference can occur ?
For example, in case of val <= 2 passed to foo, ptr still equal to nullptr.
struct mystruct { int field; };
mystruct *foo(bool arg1, int val)
{
mystruct ptr = nullptr;
if (!arg1) return ptr;
if (val > 2 )
ptr = new mystruct;
ptr->field = val; // <<<< -- here
return ptr;
}
Thank you.
Prove? No.
Turing's Halting problem shows you can't prove all properties of programs in general. Fundamentally no program ("static analysis tool") can decide if an arbitrary predicate is (always) true or (always) false.
Thus you cannot build a static analyzer than can correctly tell you that this code sometimes produces a null pointer:
p* x=null;
if (somefunction())
x=&...;
return x;
[In OP's example, how would he expect the tool to determine that val is not always greater than 2?]
You can build a heuristic tool that can trivially decide that a function might return true or false. In that case, it can report that "x is possibly null". The bad news is that your analysis now likely reports that for many, many variations on this code. If these reports are false positives, your tool will be rejected by programmers, fast, as being a time waster.
What many static analysis tools do with an assessment that something bad may happen, is generally not to report it all to avoid the flood of false positives.