public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
From: "eggert at cs dot ucla.edu" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/102671] -Wanalyzer-null-dereference false positive when compiling GNU Emacs
Date: Sat, 06 Jan 2024 18:32:05 +0000 [thread overview]
Message-ID: <bug-102671-4-BEyzQEcjlT@http.gcc.gnu.org/bugzilla/> (raw)
In-Reply-To: <bug-102671-4@http.gcc.gnu.org/bugzilla/>
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102671
--- Comment #4 from Paul Eggert <eggert at cs dot ucla.edu> ---
Created attachment 56996
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=56996&action=edit
marker.i example from GNU Emacs
Here is another example of the problem, taken from bleeding-edge GNU Emacs
compiled with gcc (Ubuntu 13.2.0-4ubuntu3) 13.2.0. Reproduce the bug via:
gcc -O2 -S -fanalyzer marker.i
The incorrect output (false positive) is:
marker.i: In function ‘BUF_ZV’:
marker.i:11203:6: warning: dereference of NULL ‘buf’ [CWE-476]
[-Wanalyzer-null-dereference]
11203 | : NILP (((buf)->zv_marker_)) ? buf->zv
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
‘set_marker_restricted’: events 1-2
|
|17941 | set_marker_restricted (Lisp_Object marker, Lisp_Object position,
| | ^~~~~~~~~~~~~~~~~~~~~
| | |
| | (1) entry to ‘set_marker_restricted’
|......
|17944 | return set_marker_internal (marker, position, buffer,
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (2) calling ‘set_marker_internal’ from
‘set_marker_restricted’
|17945 | 1
| | ~
|17946 | );
| | ~
|
+--> ‘set_marker_internal’: events 3-4
|
|17882 | set_marker_internal (Lisp_Object marker, Lisp_Object
position,
| | ^~~~~~~~~~~~~~~~~~~
| | |
| | (3) entry to ‘set_marker_internal’
|......
|17888 | struct buffer *b = live_buffer (buffer);
| | ~
| | |
| | (4) inlined call to ‘live_buffer’ from
‘set_marker_internal’
|
+--> ‘live_buffer’: event 5
|
|17877 | return BUFFER_LIVE_P (b) ? b :
| | ~~~~~~~~~~~~~~~~~~~~~~^
| | |
| | (5) following ‘false’
branch...
|17878 | ((void *)0)
| | ~~~~~~~~~~~
|
<------+
|
‘set_marker_internal’: event 6
|
|cc1:
| (6): ...to here
|
‘set_marker_internal’: event 7
|
|17889 | CHECK_MARKER (marker);
| | ^~~~~~~~~~~~~~~~~~~~~
| | |
| | (7) calling ‘CHECK_MARKER’ from ‘set_marker_internal’
|
+--> ‘CHECK_MARKER’: event 8
|
|17584 | CHECK_MARKER (Lisp_Object x)
| | ^~~~~~~~~~~~
| | |
| | (8) entry to ‘CHECK_MARKER’
|
+--> ‘CHECK_MARKER’: event 9
|
|17586 | CHECK_TYPE (MARKERP (x),
builtin_lisp_symbol (974), x);
| | ^
| | |
| | (9) inlined call to ‘MARKERP’
from ‘CHECK_MARKER’
|
+--> ‘MARKERP’: event 10
|
| 8374 | return PSEUDOVECTORP (x,
PVEC_MARKER);
| | ^
| | |
| | (10) inlined call to
‘PSEUDOVECTORP’ from ‘MARKERP’
|
+--> ‘PSEUDOVECTORP’: event 11
|
| 6413 | return (TAGGEDP ((a),
Lisp_Vectorlike) && ((((union vectorlike_header *) ((uintptr_t) XLP ((a)) -
(uintptr_t) ((Lisp_Word_tag) (Lisp_Vectorlike) << (((0x7fffffffffffffffL
| |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
|
| |
(11) following ‘true’ branch...
| 6414 | >> (3 - 1)) / 2 <
| | ~~~~~~~~~~~~~~~~~
| 6415 | (9223372036854775807L)
| | ~~~~~~~~~~~~~~~~~~~~~~
| 6416 | ) ? 0 :
VALBITS))))->size & ((
| |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| 6417 | (9223372036854775807L)
| | ~~~~~~~~~~~~~~~~~~~~~~
| 6418 | -
| | ~
| 6419 | (9223372036854775807L)
| | ~~~~~~~~~~~~~~~~~~~~~~
| 6420 | / 2) | PVEC_TYPE_MASK))
== ((
| |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| 6421 | (9223372036854775807L)
| | ~~~~~~~~~~~~~~~~~~~~~~
| 6422 | -
| | ~
| 6423 | (9223372036854775807L)
| | ~~~~~~~~~~~~~~~~~~~~~~
| 6424 | / 2) | ((code) <<
PSEUDOVECTOR_AREA_BITS))));
| |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
<--------------------+
|
‘CHECK_MARKER’: event 12
|
|17587 | }
| | ^
| | |
| | (12) ...to here
|
<------+
|
‘set_marker_internal’: events 13-15
|
|17889 | CHECK_MARKER (marker);
| | ^~~~~~~~~~~~~~~~~~~~~
| | |
| | (13) returning to ‘set_marker_internal’ from
‘CHECK_MARKER’
|17890 | m = XMARKER (marker);
|17891 | if (NILP (position)
| | ~
| | |
| | (14) following ‘false’ branch (when ‘position’ is
non-NULL)...
|17892 | || (MARKERP (position) && !XMARKER
(position)->buffer))
| | ~
| | |
| | (15) inlined call to ‘MARKERP’ from
‘set_marker_internal’
|
+--> ‘MARKERP’: event 16
|
| 8374 | return PSEUDOVECTORP (x, PVEC_MARKER);
| | ^
| | |
| | (16) inlined call to ‘PSEUDOVECTORP’ from
‘MARKERP’
|
+--> ‘PSEUDOVECTORP’: event 17
|
| 6413 | return (TAGGEDP ((a), Lisp_Vectorlike) &&
((((union vectorlike_header *) ((uintptr_t) XLP ((a)) - (uintptr_t)
((Lisp_Word_tag) (Lisp_Vectorlike) << (((0x7fffffffffffffffL
| | ^
| | |
| | (17) inlined call to ‘TAGGEDP’ from
‘PSEUDOVECTORP’
|
+--> ‘TAGGEDP’: event 18
|
| 2352 | return (! (((unsigned) (XLI (a) >>
(((0x7fffffffffffffffL
| | ^
| | |
| | (18) inlined
call to ‘XLI’ from ‘TAGGEDP’
|
+--> ‘XLI’: event 19
|
| 2327 | return ((EMACS_INT) (o));
| | ~^~~~~~~~~~~~~~~~
| | |
| | (19) ...to here
|
<---------------------------+
|
‘set_marker_internal’: events 20-22
|
|17914 | charpos = clip_to_bounds
| | ^~~~~~~~~~~~~~
| | |
| | (20) following ‘true’ branch (when
‘restricted != 0’)...
|17915 | (restricted ? BUF_BEGV (b) : BUF_BEG (b), charpos,
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|17916 | restricted ? BUF_ZV (b) : ((b)->text->z));
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (21) ...to here
| | (22) calling ‘BUF_ZV’ from
‘set_marker_internal’
|
+--> ‘BUF_ZV’: events 23-26
|
|11200 | BUF_ZV (struct buffer *buf)
| | ^~~~~~
| | |
| | (23) entry to ‘BUF_ZV’
|11201 | {
|11202 | return (buf == (current_thread->m_current_buffer)
? ((current_thread->m_current_buffer)->zv)
| |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|11203 | : NILP (((buf)->zv_marker_)) ? buf->zv
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | | |
| | | (25) ...to here
| | | (26) dereference of NULL ‘buf’
| | (24) following ‘false’ branch...
|11204 | : marker_position (((buf)->zv_marker_)));
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
marker.i: In function ‘set_marker_internal’:
marker.i:17916:33: warning: dereference of NULL ‘0’ [CWE-476]
[-Wanalyzer-null-dereference]
17916 | restricted ? BUF_ZV (b) : ((b)->text->z));
| ~~~^~~~~~
‘Fcopy_marker’: events 1-2
|
|18042 | __attribute__((section (".subrs"))) static union Aligned_Lisp_Subr
Scopy_marker = {{{ PVEC_SUBR << PSEUDOVECTOR_AREA_BITS }, { .a2 = Fcopy_marker
}, 0, 2, "copy-marker", {0}, 0}}; Lisp_Object Fcopy_marker
| |
^~~~~~~~~~~~
| |
|
| |
(1) entry to ‘Fcopy_marker’
|......
|18049 | Fset_marker (new, marker,
| | ~
| | |
| | (2) inlined call to ‘Fset_marker’ from ‘Fcopy_marker’
|
+--> ‘Fset_marker’: event 3
|
|17936 | return set_marker_internal (marker, position, buffer,
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (3) calling ‘set_marker_internal’ from
‘Fcopy_marker’
|17937 | 0
| | ~
|17938 |
);
| |
~
|
‘set_marker_internal’: events 4-5
|
|17882 | set_marker_internal (Lisp_Object marker, Lisp_Object
position,
| | ^~~~~~~~~~~~~~~~~~~
| | |
| | (4) entry to ‘set_marker_internal’
|......
|17888 | struct buffer *b = live_buffer (buffer);
| | ~
| | |
| | (5) inlined call to ‘live_buffer’ from
‘set_marker_internal’
|
+--> ‘live_buffer’: event 6
|
|17876 | struct buffer *b = decode_buffer (buffer);
| | ^~~~~~~~~~~~~~~~~~~~~~
| | |
| | (6) calling ‘decode_buffer’
from ‘set_marker_internal’
|
‘decode_buffer’: events 7-9
|
|11413 | decode_buffer (Lisp_Object b)
| | ^~~~~~~~~~~~~
| | |
| | (7) entry to ‘decode_buffer’
|11414 | {
|11415 | return NILP (b) ?
(current_thread->m_current_buffer) : (CHECK_BUFFER (b), XBUFFER (b));
| |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
|
| | (9) ...to here
(8) following ‘true’ branch (when ‘b’ is NULL)...
|
<------+
|
‘set_marker_internal’: event 10
|
|17888 | struct buffer *b = live_buffer (buffer);
| | ^
| | |
| | (10) inlined call to ‘live_buffer’
from ‘set_marker_internal’
|
+--> ‘live_buffer’: events 11-12
|
|17876 | struct buffer *b = decode_buffer (buffer);
| | ^~~~~~~~~~~~~~~~~~~~~~
| | |
| | (11) returning to
‘set_marker_internal’ from ‘decode_buffer’
|17877 | return BUFFER_LIVE_P (b) ? b :
| | ~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (12) following
‘false’ branch...
|17878 | ((void *)0)
| | ~~~~~~~~~~~
|
<------+
|
‘set_marker_internal’: event 13
|
|cc1:
| (13): ...to here
|
‘set_marker_internal’: event 14
|
|17889 | CHECK_MARKER (marker);
| | ^~~~~~~~~~~~~~~~~~~~~
| | |
| | (14) calling ‘CHECK_MARKER’ from ‘set_marker_internal’
|
+--> ‘CHECK_MARKER’: event 15
|
|17584 | CHECK_MARKER (Lisp_Object x)
| | ^~~~~~~~~~~~
| | |
| | (15) entry to ‘CHECK_MARKER’
|
+--> ‘CHECK_MARKER’: event 16
|
|17586 | CHECK_TYPE (MARKERP (x),
builtin_lisp_symbol (974), x);
| | ^
| | |
| | (16) inlined call to ‘MARKERP’
from ‘CHECK_MARKER’
|
+--> ‘MARKERP’: event 17
|
| 8374 | return PSEUDOVECTORP (x,
PVEC_MARKER);
| | ^
| | |
| | (17) inlined call to
‘PSEUDOVECTORP’ from ‘MARKERP’
|
+--> ‘PSEUDOVECTORP’: event 18
|
| 6413 | return (TAGGEDP ((a),
Lisp_Vectorlike) && ((((union vectorlike_header *) ((uintptr_t) XLP ((a)) -
(uintptr_t) ((Lisp_Word_tag) (Lisp_Vectorlike) << (((0x7fffffffffffffffL
| |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
|
| |
(18) following ‘true’ branch...
| 6414 | >> (3 - 1)) / 2 <
| | ~~~~~~~~~~~~~~~~~
| 6415 | (9223372036854775807L)
| | ~~~~~~~~~~~~~~~~~~~~~~
| 6416 | ) ? 0 :
VALBITS))))->size & ((
| |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| 6417 | (9223372036854775807L)
| | ~~~~~~~~~~~~~~~~~~~~~~
| 6418 | -
| | ~
| 6419 | (9223372036854775807L)
| | ~~~~~~~~~~~~~~~~~~~~~~
| 6420 | / 2) | PVEC_TYPE_MASK))
== ((
| |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| 6421 | (9223372036854775807L)
| | ~~~~~~~~~~~~~~~~~~~~~~
| 6422 | -
| | ~
| 6423 | (9223372036854775807L)
| | ~~~~~~~~~~~~~~~~~~~~~~
| 6424 | / 2) | ((code) <<
PSEUDOVECTOR_AREA_BITS))));
| |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
<--------------------+
|
‘CHECK_MARKER’: event 19
|
|17587 | }
| | ^
| | |
| | (19) ...to here
|
<------+
|
‘set_marker_internal’: events 20-22
|
|17889 | CHECK_MARKER (marker);
| | ^~~~~~~~~~~~~~~~~~~~~
| | |
| | (20) returning to ‘set_marker_internal’ from
‘CHECK_MARKER’
|17890 | m = XMARKER (marker);
|17891 | if (NILP (position)
| | ~
| | |
| | (21) following ‘false’ branch (when ‘position’ is
non-NULL)...
|17892 | || (MARKERP (position) && !XMARKER
(position)->buffer))
| | ~
| | |
| | (22) inlined call to ‘MARKERP’ from
‘set_marker_internal’
|
+--> ‘MARKERP’: event 23
|
| 8374 | return PSEUDOVECTORP (x, PVEC_MARKER);
| | ^
| | |
| | (23) inlined call to ‘PSEUDOVECTORP’ from
‘MARKERP’
|
+--> ‘PSEUDOVECTORP’: event 24
|
| 6413 | return (TAGGEDP ((a), Lisp_Vectorlike) &&
((((union vectorlike_header *) ((uintptr_t) XLP ((a)) - (uintptr_t)
((Lisp_Word_tag) (Lisp_Vectorlike) << (((0x7fffffffffffffffL
| | ^
| | |
| | (24) inlined call to ‘TAGGEDP’ from
‘PSEUDOVECTORP’
|
+--> ‘TAGGEDP’: event 25
|
| 2352 | return (! (((unsigned) (XLI (a) >>
(((0x7fffffffffffffffL
| | ^
| | |
| | (25) inlined
call to ‘XLI’ from ‘TAGGEDP’
|
+--> ‘XLI’: event 26
|
| 2327 | return ((EMACS_INT) (o));
| | ~^~~~~~~~~~~~~~~~
| | |
| | (26) ...to here
|
<---------------------------+
|
‘set_marker_internal’: events 27-29
|
|17914 | charpos = clip_to_bounds
| | ^~~~~~~~~~~~~~
| | |
| | (27) following ‘false’ branch (when
‘restricted == 0’)...
|17915 | (restricted ? BUF_BEGV (b) : BUF_BEG (b), charpos,
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|17916 | restricted ? BUF_ZV (b) : ((b)->text->z));
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (28) ...to here
| | (29) dereference of NULL
‘<unknown>’
|
next prev parent reply other threads:[~2024-01-06 18:32 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-09 19:06 [Bug analyzer/102671] New: " eggert at cs dot ucla.edu
2021-10-11 3:03 ` [Bug analyzer/102671] " eggert at cs dot ucla.edu
2021-10-11 21:49 ` eggert at cs dot ucla.edu
2023-03-09 21:21 ` cvs-commit at gcc dot gnu.org
2024-01-06 18:32 ` eggert at cs dot ucla.edu [this message]
2024-01-06 18:37 ` eggert at cs dot ucla.edu
2024-01-06 19:11 ` eggert at cs dot ucla.edu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-102671-4-BEyzQEcjlT@http.gcc.gnu.org/bugzilla/ \
--to=gcc-bugzilla@gcc.gnu.org \
--cc=gcc-bugs@gcc.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).