From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id 05E443857817; Sat, 9 Oct 2021 19:06:28 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 05E443857817 From: "eggert at cs dot ucla.edu" To: gcc-bugs@gcc.gnu.org Subject: [Bug analyzer/102671] New: -Wanalyzer-null-dereference false positive when compiling GNU Emacs Date: Sat, 09 Oct 2021 19:06:28 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: gcc X-Bugzilla-Component: analyzer X-Bugzilla-Version: 11.2.1 X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: eggert at cs dot ucla.edu X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P3 X-Bugzilla-Assigned-To: dmalcolm at gcc dot gnu.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter target_milestone attachments.created Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: gcc-bugs@gcc.gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gcc-bugs mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 09 Oct 2021 19:06:29 -0000 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D102671 Bug ID: 102671 Summary: -Wanalyzer-null-dereference false positive when compiling GNU Emacs Product: gcc Version: 11.2.1 Status: UNCONFIRMED Severity: normal Priority: P3 Component: analyzer Assignee: dmalcolm at gcc dot gnu.org Reporter: eggert at cs dot ucla.edu Target Milestone: --- Created attachment 51577 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=3D51577&action=3Dedit Compile with -fanalyzer -O2 -S on x86-64 to illustrate the bug I ran into this problem when compiling GNU Emacs with gcc (GCC) 11.2.1 2021= 0728 (Red Hat 11.2.1-1) on x86-64. Compile with: gcc -fanalyzer -O2 -S analyzer-null-defererence-bug.i and the output will be the diagnostic at the end of this bug report, which = is a false alarm. Removing the unrelated function wset_buffer suppresses the fal= se alarm, which suggests that the analysis of wset_buffer is somehow messing up the analysis of delete_all_child_windows. I do not observe this problem when compiling with gcc (Ubuntu 10.3.0-1ubunt= u1) 10.3.0. analyzer-null-defererence-bug.i: In function 'PSEUDOVECTORP.part.0': analyzer-null-defererence-bug.i:23:13: warning: dereference of NULL 'a' [CWE-476] [-Wanalyzer-null-dereference] 23 | return ((a->size & (PSEUDOVECTOR_FLAG | PVEC_TYPE_MASK)) | ~^~~~~~ 'delete_all_child_windows': events 1-4 | | 155 | delete_all_child_windows (struct lisp *window) | | ^~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (1) entry to 'delete_all_child_windows' |...... | 158 | if (!NILP (w->next)) | | ~ | | | | | (2) following 'true' branch... | 159 | delete_all_child_windows (w->next); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (3) ...to here | | (4) calling 'delete_all_child_windows' from 'delete_all_child_windows' | +--> 'delete_all_child_windows': events 5-8 | | 155 | delete_all_child_windows (struct lisp *window) | | ^~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (5) entry to 'delete_all_child_windows' |...... | 158 | if (!NILP (w->next)) | | ~ | | | | | (6) following 'true' branch... | 159 | delete_all_child_windows (w->next); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (7) ...to here | | (8) calling 'delete_all_child_windows' from 'delete_all_child_windows' | +--> 'delete_all_child_windows': events 9-14 | | 155 | delete_all_child_windows (struct lisp *window) | | ^~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (9) entry to 'delete_all_child_windows' |...... | 158 | if (!NILP (w->next)) | | ~ | | | | | (10) following 'false' branch... | 159 | delete_all_child_windows (w->next); | 160 | if (WINDOWP (w->contents)) | | ~~~~~~~~~~~~~~~~~~~~~~ | | || | | |(11) ...to here | | (12) following 'true' branch... | 161 | { | 162 | delete_all_child_windows (w->contents); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (13) ...to here | | (14) calling 'delete_all_child_windows' fr= om 'delete_all_child_windows' | +--> 'delete_all_child_windows': events 15-19 | | 155 | delete_all_child_windows (struct lisp *window) | | ^~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (15) entry to 'delete_all_child_windows' |...... | 158 | if (!NILP (w->next)) | | ~ | | | | | (16) following 'false' branch... | 159 | delete_all_child_windows (w->next); | 160 | if (WINDOWP (w->contents)) | | ~~~~~~~~~~~~~~~~~~~~~~ | | || | | |(17) ...to here | | (18) following 'false' branch... |...... | 165 | } | | ~ | | | | | (19) ...to here | <------+ | 'delete_all_child_windows': events 20-22 | | 108 | w->contents =3D val; | | ~~~~~~~~~~~~~~~~~ | | | | | (21) '(((char *)&*window + 11))[768614336404564650].contents' is NULL | | (22) '(((char *)&*window + 11))[768614336404564650].contents' is NULL |...... | 162 | delete_all_child_windows (w->contents); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (20) returning to 'delete_all_child_window= s' from 'delete_all_child_windows' | <------+ | 'delete_all_child_windows': events 23-26 | | 159 | delete_all_child_windows (w->next); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (23) return of NULL to 'delete_all_child_windows' f= rom 'delete_all_child_windows' | 160 | if (WINDOWP (w->contents)) | | ~ | | | | | (24) following 'true' branch... | 161 | { | 162 | delete_all_child_windows (w->contents); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (25) ...to here | | (26) calling 'delete_all_child_windows' from 'delete_all_child_windows' | +--> 'delete_all_child_windows': events 27-30 | | 90 | return PSEUDOVECTORP (a, 12); | | ~~~~~~~~~~~~~~~~~~~~~ | | | | | (30) calling 'PSEUDOVECTORP' from 'delete_all_child_windows' |...... | 155 | delete_all_child_windows (struct lisp *window) | | ^~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (27) entry to 'delete_all_child_windows' |...... | 158 | if (!NILP (w->next)) | | ~ | | | | | (28) following 'false' branch... | 159 | delete_all_child_windows (w->next); | 160 | if (WINDOWP (w->contents)) | | ~~~~~~~~~~~~~~~~~~~~~ | | | | | (29) ...to here | +--> 'PSEUDOVECTORP': events 31-32 | | 28 | PSEUDOVECTORP (struct lisp *a, int code) | | ^~~~~~~~~~~~~ | | | | | (31) entry to 'PSEUDOVECTORP' | 29 | { | 30 | if (! VECTORLIKEP (a)) | | ~ | | | | | (32) following 'false' branch... | 'PSEUDOVECTORP': event 33 | |cc1: | (33): ...to here | 'PSEUDOVECTORP': event 34 | |cc1: | (34): calling 'PSEUDOVECTORP.part.0' from 'PSEUDOVECTORP' | +--> 'PSEUDOVECTORP.part.0': events 35-36 | | 23 | return ((a->size & (PSEUDOVECTOR_FLAG | PVEC_TYPE_MASK)) | | ~~~~~~~ | | | | | (36) dereference of NU= LL 'a' |...... | 28 | PSEUDOVECTORP (struct lisp *a, int code) | | ^~~~~~~~~~~~~ | | | | | (35) entry to 'PSEUDOVECTORP.part.= 0' |=