From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gcc-bugzilla@gcc.gnu.org>
Received: by sourceware.org (Postfix, from userid 48)
 id DB9553858C1F; Tue, 15 Feb 2022 21:34:11 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org DB9553858C1F
From: "cvs-commit at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/102692] -Wanalyzer-null-dereference false alarm with
 (!p || q || !p->next)
Date: Tue, 15 Feb 2022 21:34:11 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: analyzer
X-Bugzilla-Version: 11.2.1
X-Bugzilla-Keywords: diagnostic
X-Bugzilla-Severity: normal
X-Bugzilla-Who: cvs-commit at gcc dot gnu.org
X-Bugzilla-Status: ASSIGNED
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: dmalcolm at gcc dot gnu.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: 
Message-ID: <bug-102692-4-zXWDRcTxZv@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-102692-4@http.gcc.gnu.org/bugzilla/>
References: <bug-102692-4@http.gcc.gnu.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: gcc-bugs@gcc.gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Gcc-bugs mailing list <gcc-bugs.gcc.gnu.org>
List-Unsubscribe: <https://gcc.gnu.org/mailman/options/gcc-bugs>,
 <mailto:gcc-bugs-request@gcc.gnu.org?subject=unsubscribe>
List-Archive: <https://gcc.gnu.org/pipermail/gcc-bugs/>
List-Post: <mailto:gcc-bugs@gcc.gnu.org>
List-Help: <mailto:gcc-bugs-request@gcc.gnu.org?subject=help>
List-Subscribe: <https://gcc.gnu.org/mailman/listinfo/gcc-bugs>,
 <mailto:gcc-bugs-request@gcc.gnu.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Feb 2022 21:34:12 -0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D102692

--- Comment #5 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:1e2fe6715a949f80c1204ae244baad3cd80ffaf0

commit r12-7251-g1e2fe6715a949f80c1204ae244baad3cd80ffaf0
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Fri Feb 11 16:43:21 2022 -0500

    analyzer: fix uninit false +ve due to optimized conditionals [PR102692]

    There is false positive from -Wanalyzer-use-of-uninitialized-value on
    gcc.dg/analyzer/pr102692.c here:

      =C3=A2fix_overlays_before=C3=A2: events 1-3
        |
        |   75 |   while (tail
        |      |          ~~~~
        |   76 |          && (tem =3D make_lisp_ptr (tail, 5),
        |      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        |      |          |
        |      |          (1) following =C3=A2false=C3=A2 branch (when =C3=
=A2tail=C3=A2 is
NULL)...
        |   77 |              (end =3D marker_position (XOVERLAY (tem)->end=
)) >=3D
pos))
        |      |=20=20=20=20=20=20=20=20=20=20=20=20=20
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        |......
        |   82 |   if (!tail || end < prev || !tail->next)
        |      |       ~~~~~    ~~~~~~~~~~
        |      |       |            |
        |      |       |            (3) use of uninitialized value =C3=A2en=
d=C3=A2
here
        |      |       (2) ...to here
        |

    The issue is that inner || of the conditionals have been folded within =
the
    frontend from a chain of control flow:

       5   =C3=A2   if (tail =3D=3D 0B) goto <D.1986>; else goto <D.1988>;
       6   =C3=A2   <D.1988>:
       7   =C3=A2   if (end < prev) goto <D.1986>; else goto <D.1989>;
       8   =C3=A2   <D.1989>:
       9   =C3=A2   _1 =3D tail->next;
      10   =C3=A2   if (_1 =3D=3D 0B) goto <D.1986>; else goto <D.1987>;
      11   =C3=A2   <D.1986>:

    to an OR expr (and then to a bitwise-or by the gimplifier):

       5   =C3=A2   _1 =3D tail =3D=3D 0B;
       6   =C3=A2   _2 =3D end < prev;
       7   =C3=A2   _3 =3D _1 | _2;
       8   =C3=A2   if (_3 !=3D 0) goto <D.1986>; else goto <D.1988>;
       9   =C3=A2   <D.1988>:
      10   =C3=A2   _4 =3D tail->next;
      11   =C3=A2   if (_4 =3D=3D 0B) goto <D.1986>; else goto <D.1987>;

    This happens for sufficiently simple conditionals in fold_truth_andor.
    In particular, the (end < prev) is short-circuited without optimization,
    but is evaluated with optimization, leading to the false positive.

    Given how early this folding occurs, it seems the simplest fix is to
    try to detect places where this optimization appears to have happened,
    and suppress uninit warnings within the statement that would have
    been short-circuited.

    gcc/analyzer/ChangeLog:
            PR analyzer/102692
            * exploded-graph.h (impl_region_model_context::get_stmt): New.
            * region-model.cc: Include "gimple-ssa.h", "tree-phinodes.h",
            "tree-ssa-operands.h", and "ssa-iterators.h".
            (within_short_circuited_stmt_p): New.
            (region_model::check_for_poison): Don't warn about uninit values
            if within_short_circuited_stmt_p.
            * region-model.h (region_model_context::get_stmt): New vfunc.
            (noop_region_model_context::get_stmt): New.

    gcc/testsuite/ChangeLog:
            PR analyzer/102692
            * gcc.dg/analyzer/pr102692-2.c: New test.
            * gcc.dg/analyzer/pr102692.c: Remove xfail.  Remove -O2 from
            options and move to...
            * gcc.dg/analyzer/torture/pr102692.c: ...here.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>=