public inbox for gcc-bugs@sourceware.org help / color / mirror / Atom feed
From: "cvs-commit at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org> To: gcc-bugs@gcc.gnu.org Subject: [Bug analyzer/102692] -Wanalyzer-null-dereference false alarm with (!p || q || !p->next) Date: Tue, 11 Jan 2022 14:17:26 +0000 [thread overview] Message-ID: <bug-102692-4-Gn6TPPB2ie@http.gcc.gnu.org/bugzilla/> (raw) In-Reply-To: <bug-102692-4@http.gcc.gnu.org/bugzilla/> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102692 --- Comment #3 from CVS Commits <cvs-commit at gcc dot gnu.org> --- The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>: https://gcc.gnu.org/g:4f34f8cc1d064bfaaed723312c71e92f495d429b commit r12-6476-g4f34f8cc1d064bfaaed723312c71e92f495d429b Author: David Malcolm <dmalcolm@redhat.com> Date: Fri Jan 7 17:44:23 2022 -0500 analyzer: fix false +ve on bitwise binops (PR analyzer/102692) PR analyzer/102692 reports a false positive at -O2 from -Wanalyzer-null-dereference on: if (!p || q || !p->next) At the gimple level, -O2 has converted the first || into bitwise or controlling a jump: _4 = _2 | _3; if (_4 != 0) and a recursive call has been converted to iteration. The analyzer hits the symbolic value complexity limit whilst analyzing the iteration and hits a case where _2 is (_Bool)1 (i.e. true) and _3 (i.e. q) is UNKNOWN(_Bool). There are two issues leading to the false positive; fixing either issue fixes the false positive; this patch fixes both for good measure: (a) The analyzer erronously treats bitwise ops on UNKNOWN(_Bool) as UNKNOWN, even for case like (1 | UNKNOWN) where we know the result, leading to bogus edges in the exploded graph. The patch fixes these cases. (b) The state-handling code creates "UNKNOWN" symbolic values, as a way to give up when symbolic expressions get too complicated, and in various other cases. This makes sense when building the exploded graph, since we want the analysis to terminate, but doesn't make sense when checking the feasibility along a specific path, where we want precision. The patch prevents all use of "unknown" symbolic values when performing feasibility checking of a path (before it merely stopped doing complexity-checking), by creating a unique placeholder_svalue instead. This fixes the -Wanalyzer-null-dereference false positive. Unfortunately, with GCC 12 there's also a false positive from -Wanalyzer-use-of-uninitialized-value on this code, which is a separate issue that the patch does not fix. gcc/analyzer/ChangeLog: PR analyzer/102692 * diagnostic-manager.cc (class auto_disable_complexity_checks): Rename to... (class auto_checking_feasibility): ...this, updating the calls accordingly. (epath_finder::explore_feasible_paths): Update for renaming. * region-model-manager.cc (region_model_manager::region_model_manager): Update for change from m_check_complexity to m_checking_feasibility. (region_model_manager::reject_if_too_complex): Likewise. (region_model_manager::get_or_create_unknown_svalue): Handle m_checking_feasibility. (region_model_manager::create_unique_svalue): New. (region_model_manager::maybe_fold_binop): Handle BIT_AND_EXPR and BIT_IOR_EXPRs on booleans where we know the result. * region-model.cc (test_binop_svalue_folding): Add test coverage for the above. * region-model.h (region_model_manager::create_unique_svalue): New decl. (region_model_manager::enable_complexity_check): Replace with... (region_model_manager::begin_checking_feasibility): ...this. (region_model_manager::disable_complexity_check): Replace with... (region_model_manager::end_checking_feasibility): ...this. (region_model_manager::m_check_complexity): Replace with... (region_model_manager::m_checking_feasibility): ...this. (region_model_manager::m_managed_dynamic_svalues): New field. gcc/testsuite/ChangeLog: PR analyzer/102692 * gcc.dg/analyzer/pr102692.c: New test. Signed-off-by: David Malcolm <dmalcolm@redhat.com>
next prev parent reply other threads:[~2022-01-11 14:17 UTC|newest] Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-10-11 21:47 [Bug analyzer/102692] New: " eggert at cs dot ucla.edu 2021-10-11 22:21 ` [Bug analyzer/102692] " eggert at cs dot ucla.edu 2022-01-07 22:46 ` dmalcolm at gcc dot gnu.org 2022-01-11 14:17 ` cvs-commit at gcc dot gnu.org [this message] 2022-02-11 17:40 ` dmalcolm at gcc dot gnu.org 2022-02-15 21:34 ` cvs-commit at gcc dot gnu.org 2022-02-15 21:39 ` dmalcolm at gcc dot gnu.org
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-102692-4-Gn6TPPB2ie@http.gcc.gnu.org/bugzilla/ \ --to=gcc-bugzilla@gcc.gnu.org \ --cc=gcc-bugs@gcc.gnu.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).