public inbox for gcc-bugs@sourceware.org
* [Bug analyzer/105783] New: -Wanalyzer-null-dereference false positive with union and functions
@ 2022-05-31 1:45 kamilcukrowski at gmail dot com
From: kamilcukrowski at gmail dot com @ 2022-05-31 1:45 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105783
Bug ID: 105783
Summary: -Wanalyzer-null-dereference false positive with union
and functions
Product: gcc
Version: 12.1.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: kamilcukrowski at gmail dot com
Target Milestone: ---
> the exact version of GCC; the system type; the options given when GCC was configured/built;
```
$ gcc --version
gcc (GCC) 12.1.0
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
$ cat /etc/arch-release
Arch Linux release
$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-pc-linux-gnu/12.1.0/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /build/gcc/src/gcc/configure
--enable-languages=c,c++,ada,fortran,go,lto,objc,obj-c++ --enable-bootstrap
--prefix=/usr --libdir=/usr/lib --libexecdir=/usr/lib --mandir=/usr/share/man
--infodir=/usr/share/info --with-bugurl=https://bugs.archlinux.org/
--with-linker-hash-style=gnu --with-system-zlib --enable-__cxa_atexit
--enable-cet=auto --enable-checking=release --enable-clocale=gnu
--enable-default-pie --enable-default-ssp --enable-gnu-indirect-function
--enable-gnu-unique-object --enable-linker-build-id --enable-lto
--enable-multilib --enable-plugin --enable-shared --enable-threads=posix
--disable-libssp --disable-libstdcxx-pch --disable-werror
--with-build-config=bootstrap-lto --enable-link-serialization=1
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 12.1.0 (GCC)
```
> the complete command line that triggers the bug ; the compiler output (error messages, warnings, etc.);
I have the following MCVE:
```
struct ss_s {
union out_or_counting_u {
char *newstr;
unsigned long long cnt;
} uu;
_Bool counting;
};
struct ss_s ss_init(void) {
struct ss_s rr = { .counting = 1 };
return rr;
}
void ss_out(struct ss_s *t, char cc) {
if (!t->counting) {
*t->uu.newstr++ = cc;
}
}
int main() {
struct ss_s ss = ss_init();
ss_out(&ss, 'a');
}
```
Compiling with GCC 12.1 with `-fanalyzer -O` results in
(https://godbolt.org/z/K84Pr1zcx):
```
<source>: In function 'ss_out':
<source>:16:33: warning: dereference of NULL '0' [CWE-476] [-Wanalyzer-null-dereference]
16 | *t->uu.newstr++ = cc;
| ~~~~~~~~~~~~~~~~^~~~
'main': events 1-2
|
| 20 | int main() {
| | ^~~~
| | |
| | (1) entry to 'main'
| 21 | struct ss_s ss = ss_init();
| 22 | ss_out(&ss, 'a');
| | ~~~~~~~~~~~~~~~~
| | |
| | (2) calling 'ss_out' from 'main'
|
+--> 'ss_out': events 3-7
|
| 14 | void ss_out(struct ss_s *t, char cc) {
| | ^~~~~~
| | |
| | (3) entry to 'ss_out'
| 15 | if (!t->counting) {
| | ~
| | |
| | (4) following 'false' branch...
| 16 | *t->uu.newstr++ = cc;
| | ~~~~~~~~~~~~~~~~~~~~
| | | | |
| | | | (7) dereference of NULL '*t.uu.newstr'
| | | (6) '0' is NULL
| | (5) ...to here
|
```
It will not be null, because `t->counting` is true. GCC seems to take the wrong
branch on line 15 `if (t->counting) {` inside `ss_out`. I feel like changing
random things makes the problem go away, like changing `counting` from `bool`
to `int` or changing `count` from `size_t` to `unsigned`.
Thanks for the amazing GCC!
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug analyzer/105783] -Wanalyzer-null-dereference false positive with union and functions
@ 2022-10-06 21:04 ` dmalcolm at gcc dot gnu.org
From: dmalcolm at gcc dot gnu.org @ 2022-10-06 21:04 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105783
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |ASSIGNED
Ever confirmed|0 |1
Last reconfirmed| |2022-10-06
--- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Thanks for filing this bug.
Confirmed with trunk.
Adding:
```
__analyzer_describe (0, t->counting);
```
immediately before the conditional shows we have:
```
<source>:16:5: warning: svalue: 'CAST(int, BITS_WITHIN('_Bool', start: 0, size: 1, next: 1, inner_val: (unsigned char)1))'
16 | __analyzer_describe (0, t->counting);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
so presumably the analyzer isn't smart enough to determine that that's nonzero.
Note to self: MCVE is Stack Overflow's acronym for a "minimal, complete and
verifiable example"
(https://stackoverflow.com/help/minimal-reproducible-example)
* [Bug analyzer/105783] -Wanalyzer-null-dereference false positive with union and functions
@ 2022-10-07 16:44 ` cvs-commit at gcc dot gnu.org
From: cvs-commit at gcc dot gnu.org @ 2022-10-07 16:44 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105783
--- Comment #2 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:
https://gcc.gnu.org/g:f09b99550a3c6cd16f5e9150ebd4b1d87033dcbd
commit r13-3168-gf09b99550a3c6cd16f5e9150ebd4b1d87033dcbd
Author: David Malcolm <dmalcolm@redhat.com>
Date: Fri Oct 7 12:41:59 2022 -0400
analyzer: extract bits from integer constants [PR105783]
Fix a false positive from -Wanalyzer-null-dereference due to -fanalyzer
failing to grok the value of a particular boolean field initialized to a
constant.
gcc/analyzer/ChangeLog:
PR analyzer/105783
* region-model.cc (selftest::get_bit): New function.
(selftest::test_bits_within_svalue_folding): New.
(selftest::analyzer_region_model_cc_tests): Call it.
* svalue.cc (constant_svalue::maybe_fold_bits_within): Handle the
case of extracting a single bit.
gcc/testsuite/ChangeLog:
PR analyzer/105783
* gcc.dg/analyzer/pr105783.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
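The commit above describes the fix as folding "bits within" an integer constant, so that a single-bit `_Bool` field initialised to the constant 1 is known to be nonzero. As an added illustration, not GCC's analyzer code and not part of this thread, the following C models that folding: `bits_within` takes an integer constant and a (start, size) bit range and returns the sub-value, and `counting_bit_from_object` applies it to the raw byte of the MCVE's `counting` field. The struct is copied from the MCVE; the function names, the 1-bit-`_Bool` assumption and the sample constants are choices made here.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model (not the analyzer's implementation) of folding a
   BITS_WITHIN over an integer constant: return `size` bits of `value`
   starting at bit `start` (LSB = bit 0).  For the svalue quoted in
   comment #1, BITS_WITHIN('_Bool', start: 0, size: 1,
   inner_val: (unsigned char)1), this is bits_within(1u, 0, 1) == 1,
   which is why the `!t->counting` branch can never be taken. */
static uint64_t bits_within(uint64_t value, unsigned start, unsigned size)
{
    assert(size >= 1 && size <= 64);
    assert(start < 64 && start + size <= 64);
    uint64_t mask = (size == 64) ? UINT64_MAX : ((UINT64_C(1) << size) - 1);
    return (value >> start) & mask;
}

/* Same layout as the reporter's MCVE, so the model can be checked
   against a real object rather than only against constants. */
struct ss_s {
    union out_or_counting_u {
        char *newstr;
        unsigned long long cnt;
    } uu;
    _Bool counting;
};

/* Initialise `counting` to the constant 1 exactly as ss_init() does,
   read back the byte that stores it, and fold the single bit a _Bool
   occupies.  Assumes the usual ABI where _Bool true is stored as 0x01. */
static int counting_bit_from_object(void)
{
    struct ss_s rr = { .counting = 1 };
    unsigned char raw = *(const unsigned char *)&rr.counting;
    return (int)bits_within(raw, 0, 1);
}

int main(void)
{
    /* The constant case from comment #1. */
    printf("bit 0 of (unsigned char)1 = %llu\n",
           (unsigned long long)bits_within(1u, 0, 1));
    /* A wider range: the high nibble of the constructed constant 0xA5. */
    printf("bits 4..7 of 0xA5 = 0x%llx\n",
           (unsigned long long)bits_within(0xA5u, 4, 4));
    printf("counting bit read from the real object = %d\n",
           counting_bit_from_object());
    return 0;
}
```

The point for anyone triaging a `-Wanalyzer-null-dereference` report is the same as in comment #1: when the analyzer's described svalue is a bit-range cast of a known constant rather than a plain constant, the question is whether the analyzer can fold it, not whether the program can reach the dereference. Compiling with a GCC that includes the fix (GCC 13 onward, per comment #3) should silence the warning on the MCVE.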
* [Bug analyzer/105783] -Wanalyzer-null-dereference false positive with union and functions
@ 2022-10-07 16:47 ` dmalcolm at gcc dot gnu.org
From: dmalcolm at gcc dot gnu.org @ 2022-10-07 16:47 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105783
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
--- Comment #3 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Should be fixed on trunk for GCC 13 by the above patch.