public inbox for gcc-bugs@sourceware.org
From: "cvs-commit at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/102692] -Wanalyzer-null-dereference false alarm with (!p || q || !p->next)
Date: Tue, 15 Feb 2022 21:34:11 +0000
Message-ID: <bug-102692-4-zXWDRcTxZv@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-102692-4@http.gcc.gnu.org/bugzilla/>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102692

--- Comment #5 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:1e2fe6715a949f80c1204ae244baad3cd80ffaf0

commit r12-7251-g1e2fe6715a949f80c1204ae244baad3cd80ffaf0
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Fri Feb 11 16:43:21 2022 -0500

    analyzer: fix uninit false +ve due to optimized conditionals [PR102692]

    There is a false positive from -Wanalyzer-use-of-uninitialized-value on
    gcc.dg/analyzer/pr102692.c here:

      ‘fix_overlays_before’: events 1-3
        |
        |   75 |   while (tail
        |      |          ~~~~
        |   76 |          && (tem = make_lisp_ptr (tail, 5),
        |      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        |      |          |
        |      |          (1) following ‘false’ branch (when ‘tail’ is NULL)...
        |   77 |              (end = marker_position (XOVERLAY (tem)->end)) >= pos))
        |      |              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        |......
        |   82 |   if (!tail || end < prev || !tail->next)
        |      |       ~~~~~    ~~~~~~~~~~
        |      |       |            |
        |      |       |            (3) use of uninitialized value ‘end’ here
        |      |       (2) ...to here
        |

    The issue is that the inner || of the conditional has been folded within the
    frontend from a chain of control flow:

           if (tail == 0B) goto <D.1986>; else goto <D.1988>;
           <D.1988>:
           if (end < prev) goto <D.1986>; else goto <D.1989>;
           <D.1989>:
           _1 = tail->next;
           if (_1 == 0B) goto <D.1986>; else goto <D.1987>;
           <D.1986>:

    to an OR expr (and then to a bitwise-or by the gimplifier):

           _1 = tail == 0B;
           _2 = end < prev;
           _3 = _1 | _2;
           if (_3 != 0) goto <D.1986>; else goto <D.1988>;
           <D.1988>:
           _4 = tail->next;
           if (_4 == 0B) goto <D.1986>; else goto <D.1987>;

    This happens for sufficiently simple conditionals in fold_truth_andor.
    In particular, the (end < prev) is short-circuited without optimization,
    but is evaluated with optimization, leading to the false positive.

    Given how early this folding occurs, it seems the simplest fix is to
    try to detect places where this optimization appears to have happened,
    and suppress uninit warnings within the statement that would have
    been short-circuited.

    gcc/analyzer/ChangeLog:
            PR analyzer/102692
            * exploded-graph.h (impl_region_model_context::get_stmt): New.
            * region-model.cc: Include "gimple-ssa.h", "tree-phinodes.h",
            "tree-ssa-operands.h", and "ssa-iterators.h".
            (within_short_circuited_stmt_p): New.
            (region_model::check_for_poison): Don't warn about uninit values
            if within_short_circuited_stmt_p.
            * region-model.h (region_model_context::get_stmt): New vfunc.
            (noop_region_model_context::get_stmt): New.

    gcc/testsuite/ChangeLog:
            PR analyzer/102692
            * gcc.dg/analyzer/pr102692-2.c: New test.
            * gcc.dg/analyzer/pr102692.c: Remove xfail.  Remove -O2 from
            options and move to...
            * gcc.dg/analyzer/torture/pr102692.c: ...here.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>
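The following is an added, self-contained C example (not code from the commit, the GCC testsuite or Emacs) that reproduces the shape of the code the report quotes and places it beside the form a reviewer would ask for. The `struct overlay` type, its field names and the sample list are constructed stand-ins for the Emacs overlay list; `walk_as_reported` and `walk_hardened` are hypothetical helper names. At the C level the uninitialized `end` is never read, because `end < prev` is only reached when `tail` is non-NULL and the loop condition has then just assigned it; the commit explains that with optimization fold_truth_andor nevertheless rewrites `!tail || end < prev` into a bitwise OR that evaluates `end < prev` unconditionally, which is the read the analyzer reported.

```c
#include <stddef.h>

/* Constructed stand-in for the overlay list walked by fix_overlays_before
   in the report; the type and field names are assumptions, not Emacs's own. */
struct overlay {
    struct overlay *next;
    long end;            /* stands in for marker_position (XOVERLAY (tem)->end) */
};

/* Same shape as the quoted source: `end` is assigned only inside the loop
   condition, so at the source level `end < prev` reads it only when `tail`
   is non-NULL, i.e. only after the loop has assigned it.  When optimizing,
   GCC's fold_truth_andor may turn `!tail || end < prev` into
   `(tail == 0) | (end < prev)`, which also reads `end` on the tail == NULL
   path; that is what -Wanalyzer-use-of-uninitialized-value flagged.
   Returns the number of overlays walked when the early-return condition
   holds, otherwise -(count + 1) so every outcome is distinguishable. */
static int walk_as_reported(const struct overlay *tail, long pos, long prev)
{
    long end;            /* left uninitialized on purpose, as in the report */
    int count = 0;

    while (tail && (end = tail->end) >= pos) {
        count++;
        tail = tail->next;
    }
    if (!tail || end < prev || !tail->next)
        return count;    /* the report's early return */
    return -(count + 1); /* would continue with the rest of the function */
}

/* Hardened form: give `end` a definite value before the loop.  The
   initializer never changes the result, because `end` only matters once
   the loop has assigned it, but now there is no uninitialized read for
   either the analyzer or the folded conditional to hit. */
static int walk_hardened(const struct overlay *tail, long pos, long prev)
{
    long end = 0;
    int count = 0;

    while (tail && (end = tail->end) >= pos) {
        count++;
        tail = tail->next;
    }
    if (!tail || end < prev || !tail->next)
        return count;
    return -(count + 1);
}

/* Constructed sample list: ends 30 -> 20 -> 5 -> 1. */
static struct overlay d = { NULL, 1 };
static struct overlay c = { &d, 5 };
static struct overlay b = { &c, 20 };
static struct overlay a = { &b, 30 };

/* Returns 1 when both variants agree on every constructed case
   (empty list, full list, list starting below pos; three pos/prev pairs). */
static int variants_agree(void)
{
    const struct overlay *heads[] = { NULL, &a, &c };
    long poses[] = { 10, 100, 0 };
    long prevs[] = { 0, 10, 50 };

    for (size_t h = 0; h < 3; h++)
        for (size_t p = 0; p < 3; p++)
            for (size_t q = 0; q < 3; q++)
                if (walk_as_reported(heads[h], poses[p], prevs[q])
                    != walk_hardened(heads[h], poses[p], prevs[q]))
                    return 0;
    return 1;
}

int main(void)
{
    return variants_agree() ? 0 : 1;
}
```

To see the folding the commit describes, compile the file with `gcc -O0 -fdump-tree-gimple` and again with `gcc -O2 -fdump-tree-gimple` and compare the `.gimple` dump files: the `-O2` dump carries an `_3 = _1 | _2` statement in place of the separate conditional jumps. On a GCC predating r12-7251, `gcc -O2 -fanalyzer` on `walk_as_reported` reproduces the false positive; `walk_hardened` is clean on any version. Note that the fix works by suppressing uninitialized-value warnings inside a statement the analyzer believes was short-circuited, so a genuine uninitialized read that happens to sit in such a folded conditional is suppressed too; initializing the variable, as in `walk_hardened`, does not depend on that heuristic.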

Thread overview: 7+ messages
2021-10-11 21:47 [Bug analyzer/102692] New: " eggert at cs dot ucla.edu
2021-10-11 22:21 ` [Bug analyzer/102692] " eggert at cs dot ucla.edu
2022-01-07 22:46 ` dmalcolm at gcc dot gnu.org
2022-01-11 14:17 ` cvs-commit at gcc dot gnu.org
2022-02-11 17:40 ` dmalcolm at gcc dot gnu.org
2022-02-15 21:34 ` cvs-commit at gcc dot gnu.org [this message]
2022-02-15 21:39 ` dmalcolm at gcc dot gnu.org
