public inbox for gcc-bugs@sourceware.org
* [Bug analyzer/107733] New: GCC - -Wanayzer-null-dereference false positive with wrong path note "(3) 'e' is NULL" and inconsistent behaviors
@ 2022-11-17 9:19 geoffreydgr at icloud dot com
From: geoffreydgr at icloud dot com @ 2022-11-17 9:19 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107733
Bug ID: 107733
Summary: GCC - -Wanayzer-null-dereference false positive with wrong path note "(3) 'e' is NULL" and inconsistent behaviors
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: geoffreydgr at icloud dot com
Target Milestone: ---
I got a false positive warning when compiling the following program with
`gcc(trunk) -fanalyzer -O0` in https://godbolt.org/z/YbeGcc5cd. After
deleting ` int *d = 0;`, the NPD disappears. I think it is ok for gcc to emit
this FP warning, but deleting the unrelated code ` int *d = 0;` should not
affect the result. And the path note `(3) 'e' is NULL` is wrong, this may
suggest some problems.
I have tried this with gcc 12, gcc 11, and gcc 10, and all of them have this
phenomenon.
Program:
```c
#include <stdio.h>
void a( int* e) {
    printf("NPD_FLAG\n");
    if(e == 0){
        int *d = 0;
        *e = 1;
    }
}
int main() {
    int i =5;
    a(&i);
}
```
Warning:
```text
<source>: In function 'a':
<source>:6:12: warning: dereference of NULL 'e' [CWE-476] [-Wanalyzer-null-dereference]
    6 |         *e = 1;
      |         ~~~^~~
  'a': events 1-4
    |
    |    4 |     if(e == 0){
    |      |        ^
    |      |        |
    |      |        (1) following 'true' branch (when 'e' is NULL)...
    |    5 |         int *d = 0;
    |      |              ~
    |      |              |
    |      |              (2) ...to here
    |      |              (3) 'e' is NULL
    |    6 |         *e = 1;
    |      |         ~~~~~~
    |      |         |
    |      |         (4) dereference of NULL 'e'
    |
```
* [Bug analyzer/107733] GCC - -Wanayzer-null-dereference false positive with wrong path note "(3) 'e' is NULL" and inconsistent behaviors
From: dmalcolm at gcc dot gnu.org @ 2022-11-18 13:10 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107733
--- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Thanks for filing this bug.
It's analyzing "a" twice: as called by main, and as a standalone function.
The warning comes from the analysis of "a" as a standalone function; if I
delete "main" from the reproducer, it still reports it:
https://godbolt.org/z/eKnGPYWee
and we have code where:
```c
if (e == 0) {
    /* ...snip... */
    *e = 1;
}
```
which definitely feels like something we ought to warn about.
So I think the issue here is that you weren't expecting "a" to be analyzed
standalone, but rather as called by "main", where "e" is known to be non-NULL
and hence that code is dead.
Is this reduced from a less trivial example?
I'm not quite sure what to do about such cases.
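The standalone analysis described in the comment above means a function body has to be safe for every parameter value the analyzer can consider, not only the values its visible callers happen to pass. The following is an added example, not code from the bug report or from GCC: it restructures the reporter's `a()` so that the `e == NULL` branch reports failure instead of writing through the pointer, which leaves no path on which a NULL dereference can occur whether the function is analyzed on its own or as called from `caller()`. The names `set_one_checked` and `caller` are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Hardened counterpart of the reporter's a() (names are this example's own).
 * Returns 1 when the write happened and 0 when e is NULL. The NULL branch
 * performs no write, so an analysis of this function with no caller in view
 * (the "standalone" analysis) has no NULL-dereference path to report. */
int set_one_checked(int *e)
{
    if (e == NULL) {
        return 0;          /* refuse the write instead of dereferencing NULL */
    }
    *e = 1;
    return 1;
}

/* A caller that passes a non-NULL pointer. On this call path the NULL branch
 * above is dead, which matches the situation the comment describes for
 * main() calling a(). Returns the stored value (1) or -1 on failure. */
int caller(void)
{
    int i = 5;
    return set_one_checked(&i) ? i : -1;
}

int main(void)
{
    int v = 5;
    printf("set_one_checked(&v) -> %d, v = %d\n", set_one_checked(&v), v);
    printf("set_one_checked(NULL) -> %d\n", set_one_checked(NULL));
    printf("caller() -> %d\n", caller());
    return 0;
}
```

Compiling this with `gcc -fanalyzer -O0` should be free of the `-Wanalyzer-null-dereference` warning, because the analyzer no longer finds a feasible path that writes through a pointer known to be NULL.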
* [Bug analyzer/107733] GCC - -Wanayzer-null-dereference false positive with wrong path note "(3) 'e' is NULL" and inconsistent behaviors
From: dmalcolm at gcc dot gnu.org @ 2022-11-18 13:11 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107733
--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
...and also, as you note:
* deleting the unrelated code ` int *d = 0;` should not affect the result
(but does)
> the path note `(3) 'e' is NULL` is wrong, this may suggest some problems.
Note (3) seems correct to me; (1) says "following 'true' branch (when 'e' is
NULL)..." so we're on the "e is NULL" branch.
* [Bug analyzer/107733] GCC - -Wanayzer-null-dereference false positive with wrong path note "(3) 'e' is NULL" and inconsistent behaviors
From: geoffreydgr at icloud dot com @ 2022-11-21 13:18 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107733
--- Comment #3 from Geoffrey <geoffreydgr at icloud dot com> ---
(In reply to David Malcolm from comment #2)
Thanks for your explanation. It helps a lot.
> _It's analyzing "a" twice: as called by main, and as a standalone function._
I am wondering if there is any option for gcc to specify `main` as the only
top-level function, i.e., to not let `a` be analyzed standalone.
> _deleting the unrelated code ` int *d = 0;` should not affect the result (but does)_
I am also curious about why deleting ` int *d = 0;` affects the analysis
results. Do you have thoughts on this?
* [Bug analyzer/107733] -Wanalyzer-null-dereference false positive with wrong path note "(3) 'e' is NULL" and inconsistent behaviors
From: geoffreydgr at icloud dot com @ 2023-04-03 12:21 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107733
--- Comment #4 from Geoffrey <geoffreydgr at icloud dot com> ---
(In reply to David Malcolm from comment #2)
> ...and also, as you note:
> * deleting the unrelated code ` int *d = 0;` should not affect the result
> (but does)
>
>
> > the path note `(3) 'e' is NULL` is wrong, this may suggest some problems.
>
> Note (3) seems correct to me; (1) says "following 'true' branch (when 'e' is
> NULL)..." so we're on the "e is NULL" branch.
Hi David. Could you spare some time to explain this phenomenon to me?