public inbox for gcc-bugs@sourceware.org help / color / mirror / Atom feed
From: "cvs-commit at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org> To: gcc-bugs@gcc.gnu.org Subject: [Bug analyzer/102692] -Wanalyzer-null-dereference false alarm with (!p || q || !p->next) Date: Tue, 15 Feb 2022 21:34:11 +0000 [thread overview] Message-ID: <bug-102692-4-zXWDRcTxZv@http.gcc.gnu.org/bugzilla/> (raw) In-Reply-To: <bug-102692-4@http.gcc.gnu.org/bugzilla/> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102692 --- Comment #5 from CVS Commits <cvs-commit at gcc dot gnu.org> --- The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>: https://gcc.gnu.org/g:1e2fe6715a949f80c1204ae244baad3cd80ffaf0 commit r12-7251-g1e2fe6715a949f80c1204ae244baad3cd80ffaf0 Author: David Malcolm <dmalcolm@redhat.com> Date: Fri Feb 11 16:43:21 2022 -0500 analyzer: fix uninit false +ve due to optimized conditionals [PR102692] There is false positive from -Wanalyzer-use-of-uninitialized-value on gcc.dg/analyzer/pr102692.c here: âfix_overlays_beforeâ: events 1-3 | | 75 | while (tail | | ~~~~ | 76 | && (tem = make_lisp_ptr (tail, 5), | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (1) following âfalseâ branch (when âtailâ is NULL)... | 77 | (end = marker_position (XOVERLAY (tem)->end)) >= pos)) | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |...... | 82 | if (!tail || end < prev || !tail->next) | | ~~~~~ ~~~~~~~~~~ | | | | | | | (3) use of uninitialized value âendâ here | | (2) ...to here | The issue is that inner || of the conditionals have been folded within the frontend from a chain of control flow: 5 â if (tail == 0B) goto <D.1986>; else goto <D.1988>; 6 â <D.1988>: 7 â if (end < prev) goto <D.1986>; else goto <D.1989>; 8 â <D.1989>: 9 â _1 = tail->next; 10 â if (_1 == 0B) goto <D.1986>; else goto <D.1987>; 11 â <D.1986>: to an OR expr (and then to a bitwise-or by the gimplifier): 5 â _1 = tail == 0B; 6 â _2 = end < prev; 7 â _3 = _1 | _2; 8 â if (_3 != 0) goto <D.1986>; else goto <D.1988>; 9 â <D.1988>: 10 â _4 = tail->next; 11 â if (_4 == 0B) goto <D.1986>; else goto <D.1987>; This happens for sufficiently simple conditionals in fold_truth_andor. In particular, the (end < prev) is short-circuited without optimization, but is evaluated with optimization, leading to the false positive. Given how early this folding occurs, it seems the simplest fix is to try to detect places where this optimization appears to have happened, and suppress uninit warnings within the statement that would have been short-circuited. gcc/analyzer/ChangeLog: PR analyzer/102692 * exploded-graph.h (impl_region_model_context::get_stmt): New. * region-model.cc: Include "gimple-ssa.h", "tree-phinodes.h", "tree-ssa-operands.h", and "ssa-iterators.h". (within_short_circuited_stmt_p): New. (region_model::check_for_poison): Don't warn about uninit values if within_short_circuited_stmt_p. * region-model.h (region_model_context::get_stmt): New vfunc. (noop_region_model_context::get_stmt): New. gcc/testsuite/ChangeLog: PR analyzer/102692 * gcc.dg/analyzer/pr102692-2.c: New test. * gcc.dg/analyzer/pr102692.c: Remove xfail. Remove -O2 from options and move to... * gcc.dg/analyzer/torture/pr102692.c: ...here. Signed-off-by: David Malcolm <dmalcolm@redhat.com>
next prev parent reply other threads:[~2022-02-15 21:34 UTC|newest] Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-10-11 21:47 [Bug analyzer/102692] New: " eggert at cs dot ucla.edu 2021-10-11 22:21 ` [Bug analyzer/102692] " eggert at cs dot ucla.edu 2022-01-07 22:46 ` dmalcolm at gcc dot gnu.org 2022-01-11 14:17 ` cvs-commit at gcc dot gnu.org 2022-02-11 17:40 ` dmalcolm at gcc dot gnu.org 2022-02-15 21:34 ` cvs-commit at gcc dot gnu.org [this message] 2022-02-15 21:39 ` dmalcolm at gcc dot gnu.org
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-102692-4-zXWDRcTxZv@http.gcc.gnu.org/bugzilla/ \ --to=gcc-bugzilla@gcc.gnu.org \ --cc=gcc-bugs@gcc.gnu.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).