public inbox for gcc-bugs@sourceware.org help / color / mirror / Atom feed
From: "dmalcolm at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org> To: gcc-bugs@gcc.gnu.org Subject: [Bug analyzer/108028] Misleading -fanalyzer messages at -O2 and above Date: Tue, 13 Dec 2022 22:38:23 +0000 [thread overview] Message-ID: <bug-108028-4-0gFI52epMK@http.gcc.gnu.org/bugzilla/> (raw) In-Reply-To: <bug-108028-4@http.gcc.gnu.org/bugzilla/> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108028 David Malcolm <dmalcolm at gcc dot gnu.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|--Wanalyzer-null-dereferenc |Misleading -fanalyzer |e false positive with *q = |messages at -O2 and above |1 | --- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> --- Thanks for filing this bug. There are several things going on here. (A): the analyzer is considering the function "f" as called standalone, as well as the case where it's called from "main", rather than merely considering it when it's called from "main". There are a few other bug reports about that; it's not clear to me what we should do for this case; is it expected that such functions are only ever called from main? The situation is clearer if we simply delete "main" from the reproducer. With that, we see: 'f': events 1-3 | | 7 | if (p && (0 == q)) | | ^ | | | | | (1) following 'true' branch... | 8 | { | 9 | __analyzer_eval(p && (0 == q)); | | ~~~~~~~~~~~~~~~ | | | | | (2) ...to here |...... | 14 | *q = 1; | | ~~~~~~ | | | | | (3) dereference of NULL '0' | (B) arguably the CFG event (1) to (2) is poorly worded; at (1) we have "following 'true' branch...", which suggests it always follows the 'true' branch, whereas it's merely considering what happens *if* we take the 'true' branch. If it read: e.g.: 'f': events 1-3 | | 7 | if (p && (0 == q)) | | ^ | | | | | (1) considering following 'true' branch (implying that 'q' is NULL)... | 8 | { | 9 | __analyzer_eval(p && (0 == q)); | | ~~~~~~~~~~~~~~~ | | | | | (2) ...to here |...... | 14 | *q = 1; | | ~~~~~~ | | | | | (3) dereference of NULL '0' | the analyzer would be more obviously correct and useful. Or even "considering when 'q' is NULL; following 'true' branch..." I've been experimenting with making the wording here clearer (i): should make a distinction between when the analyzer chooses one of several paths to consider, versus when the choice of execution path is already determined by previous choices (ii): would be nice to capture that q's nullness is the most interesting property at the "if" statement with respect to the warning, and express that to the user. (C) The analyzer runs relatively late compared to most static analyzers, so the optimization levels affect things. In particular, consider the gimple IR seen by -fanalyzer for the assignment: *q = 1; in the block guarded by (0 == q). At -O1 we have: *q_10(D) = 1; but at -O2 it converts it to: MEM[(int *)0B] = 1; Arguably it's a bug here that we only warn at -O2 and above; analyzing "f" standalone, we ought to be complaining about the null dereference without needing -O2. (specifically, at -O2 -fanalyzer sees a deref of NULL, whereas at -O1 it merely sees a deref of INIT_VAL(q), whilst knowing the constraint that INIT_VAL(q) is NULL. The __analyzer_eval results are also due to gimple IR differences caused by the optimizer. Also, perhaps we should run earlier; I probably ought to file a bug about that, it's a big can of worms.
next prev parent reply other threads:[~2022-12-13 22:38 UTC|newest] Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top 2022-12-09 7:08 [Bug analyzer/108028] New: --Wanalyzer-null-dereference false posiative with *q = 1 mengli.ming at outlook dot com 2022-12-13 22:38 ` dmalcolm at gcc dot gnu.org [this message] 2022-12-13 22:55 ` [Bug analyzer/108028] Misleading -fanalyzer messages at -O2 and above dmalcolm at gcc dot gnu.org 2022-12-14 15:27 ` mengli.ming at outlook dot com
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-108028-4-0gFI52epMK@http.gcc.gnu.org/bugzilla/ \ --to=gcc-bugzilla@gcc.gnu.org \ --cc=gcc-bugs@gcc.gnu.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).