public inbox for gcc-bugs@sourceware.org
* [Bug analyzer/107733] New: GCC - -Wanalyzer-null-dereference false positive with wrong path note "(3) 'e' is NULL" and inconsistent behaviors
From: geoffreydgr at icloud dot com @ 2022-11-17  9:19 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107733

            Bug ID: 107733
           Summary: GCC - -Wanalyzer-null-dereference false positive with
                    wrong path note "(3) 'e' is NULL" and inconsistent
                    behaviors
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: geoffreydgr at icloud dot com
  Target Milestone: ---

I got a false positive warning when compiling the following program with
`gcc (trunk) -fanalyzer -O0` in https://godbolt.org/z/YbeGcc5cd. After
deleting `int *d = 0;`, the NPD disappears. I think it is OK for GCC to emit
this FP warning, but deleting the unrelated code `int *d = 0;` should not
affect the result. And the path note `(3) 'e' is NULL` is wrong; this may
suggest some problems.

I have tried this with gcc 12, gcc 11, and gcc 10,  and all of them have this
phenomenon.

Program:
```c
#include <stdio.h>
void a(int *e) {
  printf("NPD_FLAG\n");
  if (e == 0) {          /* on this branch the analyzer knows e is NULL */
    int *d = 0;          /* unrelated local; removing it changes the result */
    *e = 1;              /* dereference of the pointer just compared to 0 */
  }
}
int main() {
  int i = 5;
  a(&i);                 /* the only caller passes a non-null pointer */
}
```
Warning:
```text
<source>: In function 'a':
<source>:6:12: warning: dereference of NULL 'e' [CWE-476]
[-Wanalyzer-null-dereference]
    6 |         *e = 1;
      |         ~~~^~~
  'a': events 1-4
    |
    |    4 |   if(e == 0){
    |      |     ^
    |      |     |
    |      |     (1) following 'true' branch (when 'e' is NULL)...
    |    5 |        int *d = 0;
    |      |             ~
    |      |             |
    |      |             (2) ...to here
    |      |             (3) 'e' is NULL
    |    6 |         *e = 1;
    |      |         ~~~~~~
    |      |            |
    |      |            (4) dereference of NULL 'e'
    |
```


* [Bug analyzer/107733] GCC - -Wanalyzer-null-dereference false positive with wrong path note "(3) 'e' is NULL" and inconsistent behaviors
From: dmalcolm at gcc dot gnu.org @ 2022-11-18 13:10 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107733

--- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Thanks for filing this bug.

It's analyzing "a" twice: as called by main, and as a standalone function.

The warning comes from the analysis of "a" as a standalone function; if I
delete "main" from the reproducer, it still reports it:
  https://godbolt.org/z/eKnGPYWee
and we have code where:

   if (e == 0) {
       /* ...snip... */
       *e = 1;
   }

which definitely feels like something we ought to warn about.

So I think the issue here is that you weren't expecting "a" to be analyzed
standalone, but rather as called by "main", where "e" is known to be non-NULL
and hence that code is dead.  

Is this reduced from a less trivial example?

I'm not quite sure what to do about such cases.


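The distinction drawn above (a function analysed standalone, with its parameter unconstrained, versus analysed as called from `main`, where the parameter is known non-null) is illustrated by the following comparison. This is an added example, not code from the bug report or from GCC: the function names `set_flag_original` and `set_flag_checked`, the helper names and the return codes are this example's own choices. `set_flag_original` keeps the shape of the reporter's `a`, where the only path that writes through `e` is the one on which `e` has just compared equal to `NULL`; `set_flag_checked` expresses the same intent so that no path dereferences a null pointer.

```c
#include <stddef.h>
#include <stdio.h>

/* Shape of the reproducer in the bug report.  Every caller in this file
   passes a non-null pointer, so the body of the 'e == NULL' branch is dead
   when the function is analysed as called from main.  Analysed standalone,
   with 'e' unconstrained, the branch is reachable and '*e = 1' dereferences
   a pointer the analyzer has just learned is NULL. */
static int set_flag_original(int *e)
{
    if (e == NULL) {
        int *d = NULL;   /* unrelated local, kept from the report */
        (void)d;
        *e = 1;          /* NULL dereference on this path */
        return 1;
    }
    return 0;            /* non-null case: *e is left untouched */
}

/* Same intent with no null-dereferencing path: refuse a null pointer,
   otherwise set the flag.  Returns 0 on success and -1 when handed NULL
   (these return codes are this example's choice). */
static int set_flag_checked(int *e)
{
    if (e == NULL)
        return -1;
    *e = 1;
    return 0;
}

/* Helpers that exercise both functions on a real object and report what
   happened, so the behaviour can be checked from outside this file. */
static int original_leaves_value_alone(void)
{
    int i = 5;
    return set_flag_original(&i) == 0 && i == 5;
}

static int checked_sets_flag(void)
{
    int i = 5;
    return set_flag_checked(&i) == 0 && i == 1;
}

int main(void)
{
    printf("original, non-null argument: %s\n",
           original_leaves_value_alone() ? "value unchanged" : "unexpected");
    printf("checked, non-null argument:  %s\n",
           checked_sets_flag() ? "flag set" : "unexpected");
    printf("checked, NULL argument:      rc=%d\n", set_flag_checked(NULL));
    return 0;
}
```

Compiling this file with `gcc -fanalyzer` exercises exactly the situation the thread describes: `set_flag_original` is never called with `NULL` from `main`, but its standalone analysis still sees the `e == NULL` branch followed by `*e = 1`. `set_flag_checked` has no such path, which is the fix a reviewer would ask for if the null branch in the reported code were intended to do real work.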
* [Bug analyzer/107733] GCC - -Wanalyzer-null-dereference false positive with wrong path note "(3) 'e' is NULL" and inconsistent behaviors
From: dmalcolm at gcc dot gnu.org @ 2022-11-18 13:11 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107733

--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
...and also, as you note:
  * deleting the unrelated code ` int *d = 0;` should not affect the result
(but does)


> the path note `(3) 'e' is NULL` is wrong, this may suggest some problems.

Note (3) seems correct to me; (1) says "following 'true' branch (when 'e' is
NULL)..." so we're on the "e is NULL" branch.


* [Bug analyzer/107733] GCC - -Wanalyzer-null-dereference false positive with wrong path note "(3) 'e' is NULL" and inconsistent behaviors
From: geoffreydgr at icloud dot com @ 2022-11-21 13:18 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107733

--- Comment #3 from Geoffrey <geoffreydgr at icloud dot com> ---
(In reply to David Malcolm from comment #2)


Thanks for your explanation. It helps a lot. 

> _It's analyzing "a" twice: as called by main, and as a standalone function._

I am wondering if there is any option for gcc to specify `main` as the only
top-level function, i.e., not let `a` be analyzed standalone.

> _deleting the unrelated code ` int *d = 0;` should not affect the result (but does)_

I am also curious about why deleting ` int *d = 0;` affects the analyzing
results. Do you have thoughts on this?


* [Bug analyzer/107733] -Wanalyzer-null-dereference false positive with  wrong path note "(3) 'e' is NULL" and inconsistent behaviors
From: geoffreydgr at icloud dot com @ 2023-04-03 12:21 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107733

--- Comment #4 from Geoffrey <geoffreydgr at icloud dot com> ---
(In reply to David Malcolm from comment #2)
> ...and also, as you note:
>   * deleting the unrelated code ` int *d = 0;` should not affect the result
> (but does)
> 
> 
> > the path note `(3) 'e' is NULL` is wrong, this may suggest some problems.
> 
> Note (3) seems correct to me; (1) says "following 'true' branch (when 'e' is
> NULL)..." so we're on the "e is NULL" branch.

Hi David. Could you spare some time to explain this phenomenon to me?

