public inbox for gcc-bugs@sourceware.org
* [Bug analyzer/105783] New: -Wanalyzer-null-dereference false positive with union and functions
@ 2022-05-31  1:45 kamilcukrowski at gmail dot com
  2022-10-06 21:04 ` [Bug analyzer/105783] " dmalcolm at gcc dot gnu.org
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: kamilcukrowski at gmail dot com @ 2022-05-31  1:45 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105783

            Bug ID: 105783
           Summary: -Wanalyzer-null-dereference false positive with union
                    and functions
           Product: gcc
           Version: 12.1.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: kamilcukrowski at gmail dot com
  Target Milestone: ---

> the exact version of GCC; the system type; the options given when GCC was configured/built;

```
$ gcc --version
gcc (GCC) 12.1.0
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
$ cat /etc/arch-release 
Arch Linux release
$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-pc-linux-gnu/12.1.0/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /build/gcc/src/gcc/configure
--enable-languages=c,c++,ada,fortran,go,lto,objc,obj-c++ --enable-bootstrap
--prefix=/usr --libdir=/usr/lib --libexecdir=/usr/lib --mandir=/usr/share/man
--infodir=/usr/share/info --with-bugurl=https://bugs.archlinux.org/
--with-linker-hash-style=gnu --with-system-zlib --enable-__cxa_atexit
--enable-cet=auto --enable-checking=release --enable-clocale=gnu
--enable-default-pie --enable-default-ssp --enable-gnu-indirect-function
--enable-gnu-unique-object --enable-linker-build-id --enable-lto
--enable-multilib --enable-plugin --enable-shared --enable-threads=posix
--disable-libssp --disable-libstdcxx-pch --disable-werror
--with-build-config=bootstrap-lto --enable-link-serialization=1
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 12.1.0 (GCC) 
```

> the complete command line that triggers the bug ; the compiler output (error messages, warnings, etc.);

I have the following MCVE:

```
struct ss_s {
    union out_or_counting_u {
        char *newstr;           /* output mode: write cursor */
        unsigned long long cnt; /* counting mode: byte count */
    } uu;
    _Bool counting;             /* selects which union member is live */
};

struct ss_s ss_init(void) {
   struct ss_s rr = { .counting = 1 };   /* counting mode; uu.cnt is zero */
   return rr;
}

void ss_out(struct ss_s *t, char cc) {
   if (!t->counting) {                   /* dereference only in output mode */
       *t->uu.newstr++ = cc;
   }
}

int main(void) {
    struct ss_s ss = ss_init();          /* counting == 1, so ss_out must not write */
    ss_out(&ss, 'a');
}
```

Compiling with gcc12.1 with `-fanalyzer -O` results in
https://godbolt.org/z/K84Pr1zcx :

```
<source>: In function 'ss_out':
<source>:16:33: warning: dereference of NULL '0' [CWE-476] [-Wanalyzer-null-dereference]
   16 |                 *t->uu.newstr++ = cc;
      |                 ~~~~~~~~~~~~~~~~^~~~
  'main': events 1-2
    |
    |   20 | int main() {
    |      |     ^~~~
    |      |     |
    |      |     (1) entry to 'main'
    |   21 |     struct ss_s ss = ss_init();
    |   22 |         ss_out(&ss, 'a');
    |      |         ~~~~~~~~~~~~~~~~
    |      |         |
    |      |         (2) calling 'ss_out' from 'main'
    |
    +--> 'ss_out': events 3-7
           |
           |   14 | void ss_out(struct ss_s *t, char cc) {
           |      |      ^~~~~~
           |      |      |
           |      |      (3) entry to 'ss_out'
           |   15 |         if (!t->counting) {
           |      |            ~
           |      |            |
           |      |            (4) following 'false' branch...
           |   16 |                 *t->uu.newstr++ = cc;
           |      |                 ~~~~~~~~~~~~~~~~~~~~
           |      |                 |     |         |
           |      |                 |     |         (7) dereference of NULL '*t.uu.newstr'
           |      |                 |     (6) '0' is NULL
           |      |                 (5) ...to here
           |
```

It will not be null, because `t->counting` is true. Gcc seems to take the wrong
branch on line 15 `if (t->counting) {` inside `ss_out`. I feel like changing
random things makes the problem go away, like changing `counting` from `bool`
to `int` or changing `count` from `size_t` to `unsigned`.

Thanks for the amazing gcc!

^ permalink raw reply	[flat|nested] 4+ messages in thread
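The MCVE above is reduced from a two-mode string builder: one pass in counting mode to size the output, one pass in output mode to write it, with the same tagged union carrying either the count or the write cursor. The following is an added example, not code from the bug report or from GCC, that fills that pattern back in so it can be compiled and run; only `struct ss_s`, `ss_init` and `ss_out` come from the report, while `ss_init_out`, `emit_hex`, `hex_encode` and the `hex_encode_demo*` helpers (and the sample bytes they encode) are this example's own. It shows why the warning is a false positive: the dereference in `ss_out` is reachable only when `counting` is 0, and in that mode `newstr` always points into the caller's buffer.

```c
#include <stddef.h>
#include <string.h>

struct ss_s {
    union out_or_counting_u {
        char *newstr;           /* output mode: next byte to write */
        unsigned long long cnt; /* counting mode: bytes that would be written */
    } uu;
    _Bool counting;             /* which union member is live */
};

/* Counting mode (from the report): no buffer, just tally bytes. */
struct ss_s ss_init(void) {
    struct ss_s rr = { .counting = 1 };
    return rr;
}

/* Output mode (added here): write into the caller's buffer. */
struct ss_s ss_init_out(char *buf) {
    struct ss_s rr = { .uu.newstr = buf, .counting = 0 };
    return rr;
}

/* Emit one byte; the guard on `counting` is what keeps the deref safe. */
void ss_out(struct ss_s *t, char cc) {
    if (!t->counting) {
        *t->uu.newstr++ = cc;
    } else {
        t->uu.cnt++;
    }
}

/* Formatter built on ss_out: two hex digits per input byte. */
static void emit_hex(struct ss_s *t, unsigned char b) {
    static const char digits[] = "0123456789abcdef";
    ss_out(t, digits[b >> 4]);
    ss_out(t, digits[b & 0xf]);
}

/* Two-pass encode: size first, then write. Returns bytes written (excluding
 * the NUL), or 0 if dst cannot hold the output plus a terminator. */
size_t hex_encode(const unsigned char *src, size_t n, char *dst, size_t dstlen) {
    struct ss_s count = ss_init();
    for (size_t i = 0; i < n; i++)
        emit_hex(&count, src[i]);
    if (count.uu.cnt + 1 > dstlen)
        return 0;
    struct ss_s out = ss_init_out(dst);
    for (size_t i = 0; i < n; i++)
        emit_hex(&out, src[i]);
    *out.uu.newstr = '\0';
    return (size_t)(out.uu.newstr - dst);
}

/* Constructed sample input for the demo; output lands in demo_buf. */
static char demo_buf[32];
size_t hex_encode_demo(size_t dstlen) {
    const unsigned char msg[] = { 0xde, 0xad, 0xbe, 0xef };
    if (dstlen > sizeof demo_buf)
        dstlen = sizeof demo_buf;
    return hex_encode(msg, sizeof msg, demo_buf, dstlen);
}

int hex_encode_demo_matches(void) {
    return hex_encode_demo(sizeof demo_buf) == 8 && strcmp(demo_buf, "deadbeef") == 0;
}

int main(void) {
    return hex_encode_demo_matches() ? 0 : 1;
}
```

Compiling this with `-fanalyzer -O` on GCC 12.1 reproduces the same diagnostic on the `*t->uu.newstr++` line; the counting pass never takes that branch at run time, which is the mismatch the bug is about.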

* [Bug analyzer/105783] -Wanalyzer-null-dereference false positive with union and functions
  2022-05-31  1:45 [Bug analyzer/105783] New: -Wanalyzer-null-dereference false positive with union and functions kamilcukrowski at gmail dot com
@ 2022-10-06 21:04 ` dmalcolm at gcc dot gnu.org
  2022-10-07 16:44 ` cvs-commit at gcc dot gnu.org
  2022-10-07 16:47 ` dmalcolm at gcc dot gnu.org
  2 siblings, 0 replies; 4+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2022-10-06 21:04 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105783

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |ASSIGNED
     Ever confirmed|0                           |1
   Last reconfirmed|                            |2022-10-06

--- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Thanks for filing this bug.

Confirmed with trunk.

Adding:
    __analyzer_describe (0, t->counting);
immediately before the conditional shows we have:
<source>:16:5: warning: svalue: 'CAST(int, BITS_WITHIN('_Bool', start: 0, size: 1, next: 1, inner_val: (unsigned char)1))'
   16 |     __analyzer_describe (0, t->counting);
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

so presumably the analyzer isn't smart enough to determine that that's nonzero.

Note to self: MCVE is Stack Overflow's acronym for a "minimal, complete and
verifiable example"
(https://stackoverflow.com/help/minimal-reproducible-example)

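The svalue printed above says the analyzer models `t->counting` as "bit 0, width 1, of the constant byte `(unsigned char)1`" and then cannot fold that to a known value. The following is an added example, not code from the thread or from GCC's analyzer, that performs that fold on the struct's actual bytes: it copies the initialized object into a byte array, picks the byte at `offsetof(struct ss_s, counting)`, and extracts the 1-bit field, which is 1 and therefore nonzero. `bits_within` and `counting_is_nonzero_by_bits` are names chosen for this example; the analyzer's own folding lives in `svalue.cc` and is not reproduced here. The example assumes the usual representation of `_Bool` as a single byte holding 0 or 1.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct ss_s {
    union out_or_counting_u {
        char *newstr;
        unsigned long long cnt;
    } uu;
    _Bool counting;
};

/* Extract `size` bits starting at bit `start` of the constant `inner`
 * (0 < size <= 64). This mirrors what BITS_WITHIN(start, size, inner_val)
 * denotes in the analyzer's dump. */
uint64_t bits_within(uint64_t inner, unsigned start, unsigned size) {
    uint64_t mask = (size >= 64) ? UINT64_MAX : (((uint64_t)1 << size) - 1);
    return (inner >> start) & mask;
}

/* Read `counting` from `{ .counting = 1 }` the way the analyzer models it:
 * locate the field's byte inside the object's storage, then fold the 1-bit
 * extraction from that constant. Returns 1 when the field is nonzero. */
int counting_is_nonzero_by_bits(void) {
    struct ss_s rr = { .counting = 1 };
    unsigned char bytes[sizeof rr];
    memcpy(bytes, &rr, sizeof rr);                    /* compound value as bytes */
    uint64_t inner_val = bytes[offsetof(struct ss_s, counting)]; /* (unsigned char)1 */
    return bits_within(inner_val, 0, 1) != 0;         /* start 0, size 1 */
}

int main(void) {
    return counting_is_nonzero_by_bits() ? 0 : 1;
}
```

With the fold done, the `false` edge of `if (!t->counting)` is infeasible on this path, so no dereference of `newstr` should be reported.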

* [Bug analyzer/105783] -Wanalyzer-null-dereference false positive with union and functions
  2022-05-31  1:45 [Bug analyzer/105783] New: -Wanalyzer-null-dereference false positive with union and functions kamilcukrowski at gmail dot com
  2022-10-06 21:04 ` [Bug analyzer/105783] " dmalcolm at gcc dot gnu.org
@ 2022-10-07 16:44 ` cvs-commit at gcc dot gnu.org
  2022-10-07 16:47 ` dmalcolm at gcc dot gnu.org
  2 siblings, 0 replies; 4+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2022-10-07 16:44 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105783

--- Comment #2 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:f09b99550a3c6cd16f5e9150ebd4b1d87033dcbd

commit r13-3168-gf09b99550a3c6cd16f5e9150ebd4b1d87033dcbd
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Fri Oct 7 12:41:59 2022 -0400

    analyzer: extract bits from integer constants [PR105783]

    Fix a false positive from -Wanalyzer-null-dereference due to -fanalyzer
    failing to grok the value of a particular boolean field initialized to a
    constant.

    gcc/analyzer/ChangeLog:
            PR analyzer/105783
            * region-model.cc (selftest::get_bit): New function.
            (selftest::test_bits_within_svalue_folding): New.
            (selftest::analyzer_region_model_cc_tests): Call it.
            * svalue.cc (constant_svalue::maybe_fold_bits_within): Handle the
            case of extracting a single bit.

    gcc/testsuite/ChangeLog:
            PR analyzer/105783
            * gcc.dg/analyzer/pr105783.c: New test.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>


* [Bug analyzer/105783] -Wanalyzer-null-dereference false positive with union and functions
  2022-05-31  1:45 [Bug analyzer/105783] New: -Wanalyzer-null-dereference false positive with union and functions kamilcukrowski at gmail dot com
  2022-10-06 21:04 ` [Bug analyzer/105783] " dmalcolm at gcc dot gnu.org
  2022-10-07 16:44 ` cvs-commit at gcc dot gnu.org
@ 2022-10-07 16:47 ` dmalcolm at gcc dot gnu.org
  2 siblings, 0 replies; 4+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2022-10-07 16:47 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105783

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Should be fixed on trunk for GCC 13 by the above patch.

