* [Bug analyzer/102671] New: -Wanalyzer-null-dereference false positive when compiling GNU Emacs
From: eggert at cs dot ucla.edu @ 2021-10-09 19:06 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102671
Bug ID: 102671
Summary: -Wanalyzer-null-dereference false positive when
compiling GNU Emacs
Product: gcc
Version: 11.2.1
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: eggert at cs dot ucla.edu
Target Milestone: ---
Created attachment 51577
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=51577&action=edit
Compile with -fanalyzer -O2 -S on x86-64 to illustrate the bug
I ran into this problem when compiling GNU Emacs with gcc (GCC) 11.2.1 20210728
(Red Hat 11.2.1-1) on x86-64. Compile with:
gcc -fanalyzer -O2 -S analyzer-null-defererence-bug.i
and the output will be the diagnostic at the end of this bug report, which is a
false alarm. Removing the unrelated function wset_buffer suppresses the false
alarm, which suggests that the analysis of wset_buffer is somehow messing up
the analysis of delete_all_child_windows.
I do not observe this problem when compiling with gcc (Ubuntu 10.3.0-1ubuntu1)
10.3.0.
analyzer-null-defererence-bug.i: In function 'PSEUDOVECTORP.part.0':
analyzer-null-defererence-bug.i:23:13: warning: dereference of NULL 'a'
[CWE-476] [-Wanalyzer-null-dereference]
23 | return ((a->size & (PSEUDOVECTOR_FLAG | PVEC_TYPE_MASK))
| ~^~~~~~
'delete_all_child_windows': events 1-4
|
| 155 | delete_all_child_windows (struct lisp *window)
| | ^~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (1) entry to 'delete_all_child_windows'
|......
| 158 | if (!NILP (w->next))
| | ~
| | |
| | (2) following 'true' branch...
| 159 | delete_all_child_windows (w->next);
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (3) ...to here
| | (4) calling 'delete_all_child_windows' from
'delete_all_child_windows'
|
+--> 'delete_all_child_windows': events 5-8
|
| 155 | delete_all_child_windows (struct lisp *window)
| | ^~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (5) entry to 'delete_all_child_windows'
|......
| 158 | if (!NILP (w->next))
| | ~
| | |
| | (6) following 'true' branch...
| 159 | delete_all_child_windows (w->next);
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (7) ...to here
| | (8) calling 'delete_all_child_windows' from
'delete_all_child_windows'
|
+--> 'delete_all_child_windows': events 9-14
|
| 155 | delete_all_child_windows (struct lisp *window)
| | ^~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (9) entry to 'delete_all_child_windows'
|......
| 158 | if (!NILP (w->next))
| | ~
| | |
| | (10) following 'false' branch...
| 159 | delete_all_child_windows (w->next);
| 160 | if (WINDOWP (w->contents))
| | ~~~~~~~~~~~~~~~~~~~~~~
| | ||
| | |(11) ...to here
| | (12) following 'true' branch...
| 161 | {
| 162 | delete_all_child_windows (w->contents);
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (13) ...to here
| | (14) calling 'delete_all_child_windows' from
'delete_all_child_windows'
|
+--> 'delete_all_child_windows': events 15-19
|
| 155 | delete_all_child_windows (struct lisp
*window)
| | ^~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (15) entry to 'delete_all_child_windows'
|......
| 158 | if (!NILP (w->next))
| | ~
| | |
| | (16) following 'false' branch...
| 159 | delete_all_child_windows (w->next);
| 160 | if (WINDOWP (w->contents))
| | ~~~~~~~~~~~~~~~~~~~~~~
| | ||
| | |(17) ...to here
| | (18) following 'false' branch...
|......
| 165 | }
| | ~
| | |
| | (19) ...to here
|
<------+
|
'delete_all_child_windows': events 20-22
|
| 108 | w->contents = val;
| | ~~~~~~~~~~~~~~~~~
| | |
| | (21) '(((char *)&*window +
11))[768614336404564650].contents' is NULL
| | (22) '(((char *)&*window +
11))[768614336404564650].contents' is NULL
|......
| 162 | delete_all_child_windows (w->contents);
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (20) returning to 'delete_all_child_windows'
from 'delete_all_child_windows'
|
<------+
|
'delete_all_child_windows': events 23-26
|
| 159 | delete_all_child_windows (w->next);
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (23) return of NULL to 'delete_all_child_windows' from
'delete_all_child_windows'
| 160 | if (WINDOWP (w->contents))
| | ~
| | |
| | (24) following 'true' branch...
| 161 | {
| 162 | delete_all_child_windows (w->contents);
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (25) ...to here
| | (26) calling 'delete_all_child_windows' from
'delete_all_child_windows'
|
+--> 'delete_all_child_windows': events 27-30
|
| 90 | return PSEUDOVECTORP (a, 12);
| | ~~~~~~~~~~~~~~~~~~~~~
| | |
| | (30) calling 'PSEUDOVECTORP' from
'delete_all_child_windows'
|......
| 155 | delete_all_child_windows (struct lisp *window)
| | ^~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (27) entry to 'delete_all_child_windows'
|......
| 158 | if (!NILP (w->next))
| | ~
| | |
| | (28) following 'false' branch...
| 159 | delete_all_child_windows (w->next);
| 160 | if (WINDOWP (w->contents))
| | ~~~~~~~~~~~~~~~~~~~~~
| | |
| | (29) ...to here
|
+--> 'PSEUDOVECTORP': events 31-32
|
| 28 | PSEUDOVECTORP (struct lisp *a, int code)
| | ^~~~~~~~~~~~~
| | |
| | (31) entry to 'PSEUDOVECTORP'
| 29 | {
| 30 | if (! VECTORLIKEP (a))
| | ~
| | |
| | (32) following 'false' branch...
|
'PSEUDOVECTORP': event 33
|
|cc1:
| (33): ...to here
|
'PSEUDOVECTORP': event 34
|
|cc1:
| (34): calling 'PSEUDOVECTORP.part.0' from
'PSEUDOVECTORP'
|
+--> 'PSEUDOVECTORP.part.0': events 35-36
|
| 23 | return ((a->size &
(PSEUDOVECTOR_FLAG | PVEC_TYPE_MASK))
| | ~~~~~~~
| | |
| | (36) dereference of NULL
'a'
|......
| 28 | PSEUDOVECTORP (struct lisp *a, int
code)
| | ^~~~~~~~~~~~~
| | |
| | (35) entry to 'PSEUDOVECTORP.part.0'
|
* [Bug analyzer/102671] -Wanalyzer-null-dereference false positive when compiling GNU Emacs
From: eggert at cs dot ucla.edu @ 2021-10-11 3:03 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102671
--- Comment #1 from eggert at cs dot ucla.edu ---
Created attachment 51582
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=51582&action=edit
2nd test case illustrating the bug
I'm attaching a second test case, also taken from GNU Emacs, illustrating the
same bug or at least something similar. Compile it on the same platform with:
gcc -fanalyzer -O2 -S analyzer-null-dereference-2.i
and the output will be the following. The false alarm is incorrect here, too. I
plan to modify Emacs to disable the warnings in the two source-code files that
are generating these false alarms.
analyzer-null-dereference-2.i: In function 'Ftime_convert':
analyzer-null-dereference-2.i:36:13: warning: dereference of NULL 'time'
[CWE-476] [-Wanalyzer-null-dereference]
36 | return ((a->size & (PSEUDOVECTOR_FLAG | PVEC_TYPE_MASK))
| ~^~~~~~
'Ftime_convert': events 1-4
|
| 72 | Ftime_convert (struct lisp *time)
| | ^~~~~~~~~~~~~
| | |
| | (1) entry to 'Ftime_convert'
| 73 | {
| 74 | decode_time_components (time ? XCDR (time) : time);
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (2) following 'false' branch (when 'time' is NULL)...
| | (3) ...to here
| | (4) calling 'decode_time_components' from 'Ftime_convert'
|
+--> 'decode_time_components': events 5-7
|
| 43 | if (! VECTORLIKEP (a))
| | ~
| | |
| | (6) following 'true' branch...
|......
| 65 | decode_time_components (struct lisp *low)
| | ^~~~~~~~~~~~~~~~~~~~~~
| | |
| | (5) entry to 'decode_time_components'
|......
| 69 | }
| | ~
| | |
| | (7) ...to here
|
<------+
|
'Ftime_convert': events 8-11
|
| 36 | return ((a->size & (PSEUDOVECTOR_FLAG | PVEC_TYPE_MASK))
| | ~~~~~~~
| | |
| | (10) ...to here
| | (11) dereference of NULL 'time'
|......
| 43 | if (! VECTORLIKEP (a))
| | ~
| | |
| | (9) following 'false' branch...
|......
| 74 | decode_time_components (time ? XCDR (time) : time);
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (8) returning to 'Ftime_convert' from 'decode_time_components'
|
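As an added example (not code from the bug report, the attachments, or Emacs itself), the C sketch below models the tagged-word pattern both test cases exercise: VECTORLIKEP is a pure bit test on the word, so the guarded header read in PSEUDOVECTORP can never run for a NULL word, which is why the reported path is a false positive. It also shows the narrowly scoped GCC diagnostic pragma a maintainer can use to silence a confirmed false positive around the one function holding the flagged dereference instead of turning off -fanalyzer for the whole file. The tag values, flag bits, struct layout and the demo_* helpers are constructed assumptions, not Emacs's real lisp.h definitions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed tag layout: the low 3 bits of a word hold the type tag.
   Values are illustrative, not Emacs's real Lisp_Type enumeration. */
enum { TAG_BITS = 3, TAG_MASK = (1 << TAG_BITS) - 1 };
enum { Lisp_Int = 0, Lisp_Symbol = 1, Lisp_Cons = 2, Lisp_Vectorlike = 5 };

typedef uintptr_t Lisp_Object;                 /* one tagged machine word */

/* Constructed pseudovector header bits (the real ones live in lisp.h). */
#define PSEUDOVECTOR_AREA_BITS 12
#define PSEUDOVECTOR_FLAG      (UINT64_C(1) << 62)
#define PVEC_TYPE_MASK         ((uint64_t)0x3f << PSEUDOVECTOR_AREA_BITS)

struct vectorlike_header {
  _Alignas(8) uint64_t size;                   /* keeps the low tag bits free */
};

/* VECTORLIKEP: a pure bit test on the word.  NULL (the all-zero word)
   carries tag 0, so it is never "vectorlike" and nothing is dereferenced. */
static bool vectorlikep(Lisp_Object a) {
  return (a & TAG_MASK) == Lisp_Vectorlike;
}

/* Strip the tag to recover the object address.  Only meaningful once
   vectorlikep() has returned true. */
static struct vectorlike_header *xvectorlike(Lisp_Object a) {
  return (struct vectorlike_header *)(a - Lisp_Vectorlike);
}

/* Narrow suppression for a confirmed false positive: it covers only the
   function holding the flagged dereference, so -fanalyzer keeps checking
   the rest of the translation unit.  GCC-specific, hence the guard. */
#if defined(__GNUC__) && !defined(__clang__)
# pragma GCC diagnostic push
# pragma GCC diagnostic ignored "-Wanalyzer-null-dereference"
#endif

/* PSEUDOVECTORP as in the test cases: the tag test guards the header read,
   which is why the "dereference of NULL 'a'" path cannot execute. */
static bool pseudovectorp(Lisp_Object a, int code) {
  if (!vectorlikep(a))
    return false;
  return (xvectorlike(a)->size & (PSEUDOVECTOR_FLAG | PVEC_TYPE_MASK))
         == (PSEUDOVECTOR_FLAG | ((uint64_t)code << PSEUDOVECTOR_AREA_BITS));
}

#if defined(__GNUC__) && !defined(__clang__)
# pragma GCC diagnostic pop
#endif

/* Tag an 8-byte-aligned header as a pseudovector of the given code. */
static Lisp_Object make_pseudovector(struct vectorlike_header *h, int code) {
  h->size = PSEUDOVECTOR_FLAG | ((uint64_t)code << PSEUDOVECTOR_AREA_BITS);
  return (Lisp_Object)h | Lisp_Vectorlike;
}

static struct vectorlike_header demo_header;   /* constructed sample object */

/* A tagged word for a code-12 pseudovector, mirroring "PSEUDOVECTORP (a, 12)"
   from the first test case. */
static Lisp_Object demo_object(void) {
  return make_pseudovector(&demo_header, 12);
}

/* The same address retagged as a cons: the pointer is valid, but the tag says
   "not vectorlike", so the header is again never read. */
static Lisp_Object demo_as_cons(void) {
  return (Lisp_Object)&demo_header | Lisp_Cons;
}
```

The pragma region is the file-local alternative to the reporter's plan of disabling the warning for whole source files; keep it as small as the confirmed false positive allows so genuine NULL dereferences elsewhere still surface.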
* [Bug analyzer/102671] -Wanalyzer-null-dereference false positive when compiling GNU Emacs
From: eggert at cs dot ucla.edu @ 2021-10-11 21:49 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102671
--- Comment #2 from eggert at cs dot ucla.edu ---
I have filed what may be a related bug as GCC bug 102692.
* [Bug analyzer/102671] -Wanalyzer-null-dereference false positive when compiling GNU Emacs
From: cvs-commit at gcc dot gnu.org @ 2023-03-09 21:21 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102671
--- Comment #3 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:
https://gcc.gnu.org/g:4214bdb1d77ebee04d12f66c831730ed67fedf55
commit r13-6565-g4214bdb1d77ebee04d12f66c831730ed67fedf55
Author: David Malcolm <dmalcolm@redhat.com>
Date: Thu Mar 9 16:21:02 2023 -0500
testsuite: add various -Wanalyzer-null-dereference false +ve test cases
There are various -Wanalyzer-null-dereference false +ves in bugzilla
that I've been attempting to fix. Unfortunately I haven't made much
progress, but it seems worth at least capturing the reduced
reproducers as test cases, to make it easier to spot changes in
behavior.
gcc/testsuite/ChangeLog:
PR analyzer/102671
PR analyzer/105755
PR analyzer/108251
PR analyzer/108400
* gcc.dg/analyzer/null-deref-pr102671-1.c: New test, reduced
from Emacs.
* gcc.dg/analyzer/null-deref-pr102671-2.c: Likewise.
* gcc.dg/analyzer/null-deref-pr105755.c: Likewise.
* gcc.dg/analyzer/null-deref-pr108251-smp_fetch_ssl_fc_has_early-O2.c: New test, reduced from haproxy's src/ssl_sample.c.
* gcc.dg/analyzer/null-deref-pr108251-smp_fetch_ssl_fc_has_early.c:
Likewise.
* gcc.dg/analyzer/null-deref-pr108400-SoftEtherVPN-WebUi.c: New
test, reduced from SoftEtherVPN's src/Cedar/WebUI.c.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
* [Bug analyzer/102671] -Wanalyzer-null-dereference false positive when compiling GNU Emacs
From: eggert at cs dot ucla.edu @ 2024-01-06 18:32 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102671
--- Comment #4 from Paul Eggert <eggert at cs dot ucla.edu> ---
Created attachment 56996
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=56996&action=edit
marker.i example from GNU Emacs
Here is another example of the problem, taken from bleeding-edge GNU Emacs
compiled with gcc (Ubuntu 13.2.0-4ubuntu3) 13.2.0. Reproduce the bug via:
gcc -O2 -S -fanalyzer marker.i
The incorrect output (false positive) is:
marker.i: In function ‘BUF_ZV’:
marker.i:11203:6: warning: dereference of NULL ‘buf’ [CWE-476]
[-Wanalyzer-null-dereference]
11203 | : NILP (((buf)->zv_marker_)) ? buf->zv
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
‘set_marker_restricted’: events 1-2
|
|17941 | set_marker_restricted (Lisp_Object marker, Lisp_Object position,
| | ^~~~~~~~~~~~~~~~~~~~~
| | |
| | (1) entry to ‘set_marker_restricted’
|......
|17944 | return set_marker_internal (marker, position, buffer,
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (2) calling ‘set_marker_internal’ from
‘set_marker_restricted’
|17945 | 1
| | ~
|17946 | );
| | ~
|
+--> ‘set_marker_internal’: events 3-4
|
|17882 | set_marker_internal (Lisp_Object marker, Lisp_Object
position,
| | ^~~~~~~~~~~~~~~~~~~
| | |
| | (3) entry to ‘set_marker_internal’
|......
|17888 | struct buffer *b = live_buffer (buffer);
| | ~
| | |
| | (4) inlined call to ‘live_buffer’ from
‘set_marker_internal’
|
+--> ‘live_buffer’: event 5
|
|17877 | return BUFFER_LIVE_P (b) ? b :
| | ~~~~~~~~~~~~~~~~~~~~~~^
| | |
| | (5) following ‘false’
branch...
|17878 | ((void *)0)
| | ~~~~~~~~~~~
|
<------+
|
‘set_marker_internal’: event 6
|
|cc1:
| (6): ...to here
|
‘set_marker_internal’: event 7
|
|17889 | CHECK_MARKER (marker);
| | ^~~~~~~~~~~~~~~~~~~~~
| | |
| | (7) calling ‘CHECK_MARKER’ from ‘set_marker_internal’
|
+--> ‘CHECK_MARKER’: event 8
|
|17584 | CHECK_MARKER (Lisp_Object x)
| | ^~~~~~~~~~~~
| | |
| | (8) entry to ‘CHECK_MARKER’
|
+--> ‘CHECK_MARKER’: event 9
|
|17586 | CHECK_TYPE (MARKERP (x),
builtin_lisp_symbol (974), x);
| | ^
| | |
| | (9) inlined call to ‘MARKERP’
from ‘CHECK_MARKER’
|
+--> ‘MARKERP’: event 10
|
| 8374 | return PSEUDOVECTORP (x,
PVEC_MARKER);
| | ^
| | |
| | (10) inlined call to
‘PSEUDOVECTORP’ from ‘MARKERP’
|
+--> ‘PSEUDOVECTORP’: event 11
|
| 6413 | return (TAGGEDP ((a),
Lisp_Vectorlike) && ((((union vectorlike_header *) ((uintptr_t) XLP ((a)) -
(uintptr_t) ((Lisp_Word_tag) (Lisp_Vectorlike) << (((0x7fffffffffffffffL
| |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
|
| |
(11) following ‘true’ branch...
| 6414 | >> (3 - 1)) / 2 <
| | ~~~~~~~~~~~~~~~~~
| 6415 | (9223372036854775807L)
| | ~~~~~~~~~~~~~~~~~~~~~~
| 6416 | ) ? 0 :
VALBITS))))->size & ((
| |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| 6417 | (9223372036854775807L)
| | ~~~~~~~~~~~~~~~~~~~~~~
| 6418 | -
| | ~
| 6419 | (9223372036854775807L)
| | ~~~~~~~~~~~~~~~~~~~~~~
| 6420 | / 2) | PVEC_TYPE_MASK))
== ((
| |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| 6421 | (9223372036854775807L)
| | ~~~~~~~~~~~~~~~~~~~~~~
| 6422 | -
| | ~
| 6423 | (9223372036854775807L)
| | ~~~~~~~~~~~~~~~~~~~~~~
| 6424 | / 2) | ((code) <<
PSEUDOVECTOR_AREA_BITS))));
| |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
<--------------------+
|
‘CHECK_MARKER’: event 12
|
|17587 | }
| | ^
| | |
| | (12) ...to here
|
<------+
|
‘set_marker_internal’: events 13-15
|
|17889 | CHECK_MARKER (marker);
| | ^~~~~~~~~~~~~~~~~~~~~
| | |
| | (13) returning to ‘set_marker_internal’ from
‘CHECK_MARKER’
|17890 | m = XMARKER (marker);
|17891 | if (NILP (position)
| | ~
| | |
| | (14) following ‘false’ branch (when ‘position’ is
non-NULL)...
|17892 | || (MARKERP (position) && !XMARKER
(position)->buffer))
| | ~
| | |
| | (15) inlined call to ‘MARKERP’ from
‘set_marker_internal’
|
+--> ‘MARKERP’: event 16
|
| 8374 | return PSEUDOVECTORP (x, PVEC_MARKER);
| | ^
| | |
| | (16) inlined call to ‘PSEUDOVECTORP’ from
‘MARKERP’
|
+--> ‘PSEUDOVECTORP’: event 17
|
| 6413 | return (TAGGEDP ((a), Lisp_Vectorlike) &&
((((union vectorlike_header *) ((uintptr_t) XLP ((a)) - (uintptr_t)
((Lisp_Word_tag) (Lisp_Vectorlike) << (((0x7fffffffffffffffL
| | ^
| | |
| | (17) inlined call to ‘TAGGEDP’ from
‘PSEUDOVECTORP’
|
+--> ‘TAGGEDP’: event 18
|
| 2352 | return (! (((unsigned) (XLI (a) >>
(((0x7fffffffffffffffL
| | ^
| | |
| | (18) inlined
call to ‘XLI’ from ‘TAGGEDP’
|
+--> ‘XLI’: event 19
|
| 2327 | return ((EMACS_INT) (o));
| | ~^~~~~~~~~~~~~~~~
| | |
| | (19) ...to here
|
<---------------------------+
|
‘set_marker_internal’: events 20-22
|
|17914 | charpos = clip_to_bounds
| | ^~~~~~~~~~~~~~
| | |
| | (20) following ‘true’ branch (when
‘restricted != 0’)...
|17915 | (restricted ? BUF_BEGV (b) : BUF_BEG (b), charpos,
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|17916 | restricted ? BUF_ZV (b) : ((b)->text->z));
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (21) ...to here
| | (22) calling ‘BUF_ZV’ from
‘set_marker_internal’
|
+--> ‘BUF_ZV’: events 23-26
|
|11200 | BUF_ZV (struct buffer *buf)
| | ^~~~~~
| | |
| | (23) entry to ‘BUF_ZV’
|11201 | {
|11202 | return (buf == (current_thread->m_current_buffer)
? ((current_thread->m_current_buffer)->zv)
| |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|11203 | : NILP (((buf)->zv_marker_)) ? buf->zv
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | | |
| | | (25) ...to here
| | | (26) dereference of NULL ‘buf’
| | (24) following ‘false’ branch...
|11204 | : marker_position (((buf)->zv_marker_)));
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
marker.i: In function ‘set_marker_internal’:
marker.i:17916:33: warning: dereference of NULL ‘0’ [CWE-476]
[-Wanalyzer-null-dereference]
17916 | restricted ? BUF_ZV (b) : ((b)->text->z));
| ~~~^~~~~~
‘Fcopy_marker’: events 1-2
|
|18042 | __attribute__((section (".subrs"))) static union Aligned_Lisp_Subr
Scopy_marker = {{{ PVEC_SUBR << PSEUDOVECTOR_AREA_BITS }, { .a2 = Fcopy_marker
}, 0, 2, "copy-marker", {0}, 0}}; Lisp_Object Fcopy_marker
| |
^~~~~~~~~~~~
| |
|
| |
(1) entry to ‘Fcopy_marker’
|......
|18049 | Fset_marker (new, marker,
| | ~
| | |
| | (2) inlined call to ‘Fset_marker’ from ‘Fcopy_marker’
|
+--> ‘Fset_marker’: event 3
|
|17936 | return set_marker_internal (marker, position, buffer,
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (3) calling ‘set_marker_internal’ from
‘Fcopy_marker’
|17937 | 0
| | ~
|17938 |
);
| |
~
|
‘set_marker_internal’: events 4-5
|
|17882 | set_marker_internal (Lisp_Object marker, Lisp_Object
position,
| | ^~~~~~~~~~~~~~~~~~~
| | |
| | (4) entry to ‘set_marker_internal’
|......
|17888 | struct buffer *b = live_buffer (buffer);
| | ~
| | |
| | (5) inlined call to ‘live_buffer’ from
‘set_marker_internal’
|
+--> ‘live_buffer’: event 6
|
|17876 | struct buffer *b = decode_buffer (buffer);
| | ^~~~~~~~~~~~~~~~~~~~~~
| | |
| | (6) calling ‘decode_buffer’
from ‘set_marker_internal’
|
‘decode_buffer’: events 7-9
|
|11413 | decode_buffer (Lisp_Object b)
| | ^~~~~~~~~~~~~
| | |
| | (7) entry to ‘decode_buffer’
|11414 | {
|11415 | return NILP (b) ?
(current_thread->m_current_buffer) : (CHECK_BUFFER (b), XBUFFER (b));
| |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
|
| | (9) ...to here
(8) following ‘true’ branch (when ‘b’ is NULL)...
|
<------+
|
‘set_marker_internal’: event 10
|
|17888 | struct buffer *b = live_buffer (buffer);
| | ^
| | |
| | (10) inlined call to ‘live_buffer’
from ‘set_marker_internal’
|
+--> ‘live_buffer’: events 11-12
|
|17876 | struct buffer *b = decode_buffer (buffer);
| | ^~~~~~~~~~~~~~~~~~~~~~
| | |
| | (11) returning to
‘set_marker_internal’ from ‘decode_buffer’
|17877 | return BUFFER_LIVE_P (b) ? b :
| | ~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (12) following
‘false’ branch...
|17878 | ((void *)0)
| | ~~~~~~~~~~~
|
<------+
|
‘set_marker_internal’: event 13
|
|cc1:
| (13): ...to here
|
‘set_marker_internal’: event 14
|
|17889 | CHECK_MARKER (marker);
| | ^~~~~~~~~~~~~~~~~~~~~
| | |
| | (14) calling ‘CHECK_MARKER’ from ‘set_marker_internal’
|
+--> ‘CHECK_MARKER’: event 15
|
|17584 | CHECK_MARKER (Lisp_Object x)
| | ^~~~~~~~~~~~
| | |
| | (15) entry to ‘CHECK_MARKER’
|
+--> ‘CHECK_MARKER’: event 16
|
|17586 | CHECK_TYPE (MARKERP (x),
builtin_lisp_symbol (974), x);
| | ^
| | |
| | (16) inlined call to ‘MARKERP’
from ‘CHECK_MARKER’
|
+--> ‘MARKERP’: event 17
|
| 8374 | return PSEUDOVECTORP (x,
PVEC_MARKER);
| | ^
| | |
| | (17) inlined call to
‘PSEUDOVECTORP’ from ‘MARKERP’
|
+--> ‘PSEUDOVECTORP’: event 18
|
| 6413 | return (TAGGEDP ((a),
Lisp_Vectorlike) && ((((union vectorlike_header *) ((uintptr_t) XLP ((a)) -
(uintptr_t) ((Lisp_Word_tag) (Lisp_Vectorlike) << (((0x7fffffffffffffffL
| |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
|
| |
(18) following ‘true’ branch...
| 6414 | >> (3 - 1)) / 2 <
| | ~~~~~~~~~~~~~~~~~
| 6415 | (9223372036854775807L)
| | ~~~~~~~~~~~~~~~~~~~~~~
| 6416 | ) ? 0 :
VALBITS))))->size & ((
| |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| 6417 | (9223372036854775807L)
| | ~~~~~~~~~~~~~~~~~~~~~~
| 6418 | -
| | ~
| 6419 | (9223372036854775807L)
| | ~~~~~~~~~~~~~~~~~~~~~~
| 6420 | / 2) | PVEC_TYPE_MASK))
== ((
| |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| 6421 | (9223372036854775807L)
| | ~~~~~~~~~~~~~~~~~~~~~~
| 6422 | -
| | ~
| 6423 | (9223372036854775807L)
| | ~~~~~~~~~~~~~~~~~~~~~~
| 6424 | / 2) | ((code) <<
PSEUDOVECTOR_AREA_BITS))));
| |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
<--------------------+
|
‘CHECK_MARKER’: event 19
|
|17587 | }
| | ^
| | |
| | (19) ...to here
|
<------+
|
‘set_marker_internal’: events 20-22
|
|17889 | CHECK_MARKER (marker);
| | ^~~~~~~~~~~~~~~~~~~~~
| | |
| | (20) returning to ‘set_marker_internal’ from
‘CHECK_MARKER’
|17890 | m = XMARKER (marker);
|17891 | if (NILP (position)
| | ~
| | |
| | (21) following ‘false’ branch (when ‘position’ is
non-NULL)...
|17892 | || (MARKERP (position) && !XMARKER
(position)->buffer))
| | ~
| | |
| | (22) inlined call to ‘MARKERP’ from
‘set_marker_internal’
|
+--> ‘MARKERP’: event 23
|
| 8374 | return PSEUDOVECTORP (x, PVEC_MARKER);
| | ^
| | |
| | (23) inlined call to ‘PSEUDOVECTORP’ from
‘MARKERP’
|
+--> ‘PSEUDOVECTORP’: event 24
|
| 6413 | return (TAGGEDP ((a), Lisp_Vectorlike) &&
((((union vectorlike_header *) ((uintptr_t) XLP ((a)) - (uintptr_t)
((Lisp_Word_tag) (Lisp_Vectorlike) << (((0x7fffffffffffffffL
| | ^
| | |
| | (24) inlined call to ‘TAGGEDP’ from
‘PSEUDOVECTORP’
|
+--> ‘TAGGEDP’: event 25
|
| 2352 | return (! (((unsigned) (XLI (a) >>
(((0x7fffffffffffffffL
| | ^
| | |
| | (25) inlined
call to ‘XLI’ from ‘TAGGEDP’
|
+--> ‘XLI’: event 26
|
| 2327 | return ((EMACS_INT) (o));
| | ~^~~~~~~~~~~~~~~~
| | |
| | (26) ...to here
|
<---------------------------+
|
‘set_marker_internal’: events 27-29
|
|17914 | charpos = clip_to_bounds
| | ^~~~~~~~~~~~~~
| | |
| | (27) following ‘false’ branch (when
‘restricted == 0’)...
|17915 | (restricted ? BUF_BEGV (b) : BUF_BEG (b), charpos,
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|17916 | restricted ? BUF_ZV (b) : ((b)->text->z));
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (28) ...to here
| | (29) dereference of NULL
‘<unknown>’
|
* [Bug analyzer/102671] -Wanalyzer-null-dereference false positive when compiling GNU Emacs
From: eggert at cs dot ucla.edu @ 2024-01-06 18:37 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102671
--- Comment #5 from Paul Eggert <eggert at cs dot ucla.edu> ---
Created attachment 56997
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=56997&action=edit
xselect.i example from GNU Emacs
Attached is another example taken from bleeding-edge GNU Emacs, compiled with
gcc (Ubuntu 13.2.0-4ubuntu3) 13.2.0 on x86-64. Compile with:
gunzip xselect.i
gcc -O2 -S -fanalyzer xselect.i
and the incorrect output is:
xselect.i: In function ‘x_get_local_selection’:
xselect.i:81397:58: warning: dereference of NULL ‘dpyinfo’ [CWE-476]
[-Wanalyzer-null-dereference]
81397 | local_value = assq_no_quit (selection_symbol,
dpyinfo->terminal->Vselection_alist);
| ~~~~~~~^~~~~~~~~~
‘Fx_get_local_selection’: events 1-2
|
|83313 | __attribute__((section (".subrs"))) static union Aligned_Lisp_Subr
Sx_get_local_selection = {{{ PVEC_SUBR << PSEUDOVECTOR_AREA_BITS }, { .a2 =
Fx_get_local_selection }, 0, 2, "x-get-local-selection", {0}, 0}}; Lisp_Object
Fx_get_local_selection
| |
^~~~~~~~~~~~~~~~~~~~~~
| |
|
| |
(1)
entry to ‘Fx_get_local_selection’
|......
|83318 | CHECK_SYMBOL (target);
| | ~~~~~~~~~~~~~~~~~~~~~
| | |
| | (2) calling ‘CHECK_SYMBOL’ from ‘Fx_get_local_selection’
|
+--> ‘CHECK_SYMBOL’: events 3-4
|
| 7282 | (CHECK_SYMBOL) (Lisp_Object x)
| | ^~~~~~~~~~~~
| | |
| | (3) entry to ‘CHECK_SYMBOL’
| 7283 | {
| 7284 | CHECK_TYPE (SYMBOLP (x), builtin_lisp_symbol (1360), x);
| | ~
| | |
| | (4) inlined call to ‘CHECK_TYPE’ from ‘CHECK_SYMBOL’
|
+--> ‘CHECK_TYPE’: event 5
|
| 3127 | ((ok) ? (void) 0 : wrong_type_argument (predicate,
x));
| |
~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (5) following ‘true’ branch...
|
<------+
|
‘CHECK_SYMBOL’: event 6
|
| 7285 | }
| | ^
| | |
| | (6) ...to here
|
<------+
|
‘Fx_get_local_selection’: events 7-8
|
|83318 | CHECK_SYMBOL (target);
| | ^~~~~~~~~~~~~~~~~~~~~
| | |
| | (7) returning to ‘Fx_get_local_selection’ from ‘CHECK_SYMBOL’
|83319 | Lisp_Object v = value; CHECK_CONS (v);
| | ~~~~~~~~~~~~~~
| | |
| | (8) calling ‘CHECK_CONS’ from
‘Fx_get_local_selection’
|
+--> ‘CHECK_CONS’: events 9-10
|
| 7468 | CHECK_CONS (Lisp_Object x)
| | ^~~~~~~~~~
| | |
| | (9) entry to ‘CHECK_CONS’
| 7469 | {
| 7470 | CHECK_TYPE (CONSP (x), builtin_lisp_symbol (443), x);
| | ~
| | |
| | (10) inlined call to ‘CHECK_TYPE’ from ‘CHECK_CONS’
|
+--> ‘CHECK_TYPE’: event 11
|
| 3127 | ((ok) ? (void) 0 : wrong_type_argument (predicate,
x));
| |
~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (11) following ‘false’ branch...
|
<------+
|
‘CHECK_CONS’: event 12
|
| 7471 | }
| | ^
| | |
| | (12) ...to here
|
<------+
|
‘Fx_get_local_selection’: events 13-14
|
|83319 | Lisp_Object v = value; CHECK_CONS (v);
| | ^~~~~~~~~~~~~~
| | |
| | (13) returning to
‘Fx_get_local_selection’ from ‘CHECK_CONS’
|83320 | name = XCAR (v); v = XCDR (v); CHECK_CONS (v);
| | ~~~~~~~~~~~~~~
| | |
| | (14) calling ‘CHECK_CONS’ from
‘Fx_get_local_selection’
|
+--> ‘CHECK_CONS’: events 15-16
|
| 7468 | CHECK_CONS (Lisp_Object x)
| | ^~~~~~~~~~
| | |
| | (15) entry to ‘CHECK_CONS’
| 7469 | {
| 7470 | CHECK_TYPE (CONSP (x), builtin_lisp_symbol (443), x);
| | ~
| | |
| | (16) inlined call to ‘CHECK_TYPE’ from ‘CHECK_CONS’
|
+--> ‘CHECK_TYPE’: event 17
|
| 3127 | ((ok) ? (void) 0 : wrong_type_argument (predicate,
x));
| |
~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (17) following ‘false’ branch...
|
<------+
|
‘CHECK_CONS’: event 18
|
| 7471 | }
| | ^
| | |
| | (18) ...to here
|
<------+
|
‘Fx_get_local_selection’: events 19-20
|
|83320 | name = XCAR (v); v = XCDR (v); CHECK_CONS (v);
| | ^~~~~~~~~~~~~~
| | |
| | (19) returning to
‘Fx_get_local_selection’ from ‘CHECK_CONS’
|83321 | v = XCDR (v); CHECK_CONS (v);
| | ~~~~~~~~~~~~~~
| | |
| | (20) calling ‘CHECK_CONS’ from
‘Fx_get_local_selection’
|
+--> ‘CHECK_CONS’: events 21-22
|
| 7468 | CHECK_CONS (Lisp_Object x)
| | ^~~~~~~~~~
| | |
| | (21) entry to ‘CHECK_CONS’
| 7469 | {
| 7470 | CHECK_TYPE (CONSP (x), builtin_lisp_symbol (443), x);
| | ~
| | |
| | (22) inlined call to ‘CHECK_TYPE’ from ‘CHECK_CONS’
|
+--> ‘CHECK_TYPE’: event 23
|
| 3127 | ((ok) ? (void) 0 : wrong_type_argument (predicate,
x));
| |
~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (23) following ‘false’ branch...
|
<------+
|
‘CHECK_CONS’: event 24
|
| 7471 | }
| | ^
| | |
| | (24) ...to here
|
<------+
|
‘Fx_get_local_selection’: events 25-26
|
|83321 | v = XCDR (v); CHECK_CONS (v);
| | ^~~~~~~~~~~~~~
| | |
| | (25) returning to ‘Fx_get_local_selection’ from
‘CHECK_CONS’
|83322 | timestamp = XCAR (v); v = XCDR (v); CHECK_CONS (v);
| | ~~~~~~~~~~~~~~
| | |
| | (26) calling ‘CHECK_CONS’
from ‘Fx_get_local_selection’
|
+--> ‘CHECK_CONS’: events 27-28
|
| 7468 | CHECK_CONS (Lisp_Object x)
| | ^~~~~~~~~~
| | |
| | (27) entry to ‘CHECK_CONS’
| 7469 | {
| 7470 | CHECK_TYPE (CONSP (x), builtin_lisp_symbol (443), x);
| | ~
| | |
| | (28) inlined call to ‘CHECK_TYPE’ from ‘CHECK_CONS’
|
+--> ‘CHECK_TYPE’: event 29
|
| 3127 | ((ok) ? (void) 0 : wrong_type_argument (predicate,
x));
| |
~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (29) following ‘false’ branch...
|
<------+
|
‘CHECK_CONS’: event 30
|
| 7471 | }
| | ^
| | |
| | (30) ...to here
|
<------+
|
‘Fx_get_local_selection’: events 31-32
|
|83322 | timestamp = XCAR (v); v = XCDR (v); CHECK_CONS (v);
| | ^~~~~~~~~~~~~~
| | |
| | (31) returning to
‘Fx_get_local_selection’ from ‘CHECK_CONS’
|83323 | frame = XCAR (v);
|83324 | CHECK_SYMBOL (name);
| | ~~~~~~~~~~~~~~~~~~~
| | |
| | (32) calling ‘CHECK_SYMBOL’ from ‘Fx_get_local_selection’
|
+--> ‘CHECK_SYMBOL’: events 33-34
|
| 7282 | (CHECK_SYMBOL) (Lisp_Object x)
| | ^~~~~~~~~~~~
| | |
| | (33) entry to ‘CHECK_SYMBOL’
| 7283 | {
| 7284 | CHECK_TYPE (SYMBOLP (x), builtin_lisp_symbol (1360), x);
| | ~
| | |
| | (34) inlined call to ‘CHECK_TYPE’ from ‘CHECK_SYMBOL’
|
+--> ‘CHECK_TYPE’: event 35
|
| 3127 | ((ok) ? (void) 0 : wrong_type_argument (predicate,
x));
| |
~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (35) following ‘true’ branch...
|
<------+
|
‘CHECK_SYMBOL’: event 36
|
| 7285 | }
| | ^
| | |
| | (36) ...to here
|
<------+
|
‘Fx_get_local_selection’: events 37-38
|
|83324 | CHECK_SYMBOL (name);
| | ^~~~~~~~~~~~~~~~~~~
| | |
| | (37) returning to ‘Fx_get_local_selection’ from ‘CHECK_SYMBOL’
|......
|83330 | result = x_get_local_selection (name, target,
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (38) calling ‘x_get_local_selection’ from
‘Fx_get_local_selection’
|83331 | 1
| | ~
|83332 | ,
| | ~
|83333 | ((void *)0)
| | ~~~~~~~~~~~
|83334 | , value,
| | ~~~~~~~~
|83335 | 0
| | ~
|83336 | );
| | ~
|
+--> ‘x_get_local_selection’: events 39-42
|
|81381 | x_get_local_selection (Lisp_Object selection_symbol,
Lisp_Object target_type,
| | ^~~~~~~~~~~~~~~~~~~~~
| | |
| | (39) entry to ‘x_get_local_selection’
|......
|81396 | if (NILP (local_value))
| | ~
| | |
| | (40) following ‘true’ branch (when ‘local_value’ is
NULL)...
|81397 | local_value = assq_no_quit (selection_symbol,
dpyinfo->terminal->Vselection_alist);
| |
~~~~~~~~~~~~~~~~~
| | |
| |
(41) ...to here
| |
(42) dereference of NULL ‘dpyinfo’
|
* [Bug analyzer/102671] -Wanalyzer-null-dereference false positive when compiling GNU Emacs
From: eggert at cs dot ucla.edu @ 2024-01-06 19:11 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102671
--- Comment #6 from Paul Eggert <eggert at cs dot ucla.edu> ---
(In reply to Paul Eggert from comment #4)
> Created attachment 56996 [details]
> marker.i example from GNU Emacs
>
> Here is another example of the problem, taken from bleeding-edge GNU Emacs
Oops, please ignore this marker.i example; I included it by mistake here. This
was work product while I was working on bug 113253. The xselect.i example
should be good.