From: "mengli.ming at outlook dot com"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/108028] New: -Wanalyzer-null-dereference false positive with *q = 1
Date: Fri, 09 Dec 2022 07:08:58 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108028

            Bug ID: 108028
           Summary: -Wanalyzer-null-dereference false positive with *q = 1
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: mengli.ming at outlook dot com
  Target Milestone: ---

I got a false positive error when compiling the following program with gcc(trunk) -fanalyzer -O2 in https://godbolt.org/z/W37MzrPqd. The `__analyzer_eval()` statements are added at suitable places in the code in order to keep track of the information already available to the analyzer at some point in the static analysis of the program. After that, I found that under -O0, for this program (https://godbolt.org/z/Y1GMEMaG9), `__analyzer_eval(p && (0 == q))`, `__analyzer_eval(p)`, `__analyzer_eval(0 == q)` give the same result at the same program point as -O2 without generating the NPD warning. The following is the result of the analysis obtained using -O2; please take a look, thank you.

```c
#include "stdio.h"
int f(int, int *);
/* __analyzer_eval() is the analyzer's test hook: it reports TRUE/FALSE/UNKNOWN for its argument */
int f(int p, int *q)
{
    __analyzer_eval(p && (0 == q));
    if (p && (0 == q))
    {
        __analyzer_eval(p && (0 == q));
        __analyzer_eval(p);
        __analyzer_eval(0 == p);
        __analyzer_eval(q);
        __analyzer_eval(0 == q);
        *q = 1;
    }
    printf("NPD_FLAG\n");
    return 0;
}
int main()
{
    int a = 0;
    int *b = (void*)0;
    f(a, b);
    return 0;
}
```

```
<source>: In function 'f':
<source>:6:5: warning: FALSE
    6 |     __analyzer_eval(p && (0 == q));
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:6:5: warning: UNKNOWN
<source>:9:9: warning: TRUE
    9 |         __analyzer_eval(p && (0 == q));
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:10:9: warning: TRUE
   10 |         __analyzer_eval(p);
      |         ^~~~~~~~~~~~~~~~~~
<source>:11:9: warning: FALSE
   11 |         __analyzer_eval(0 == p);
      |         ^~~~~~~~~~~~~~~~~~~~~~~
<source>:12:9: warning: UNKNOWN
   12 |         __analyzer_eval(q);
      |         ^~~~~~~~~~~~~~~~~~
<source>:13:9: warning: TRUE
   13 |         __analyzer_eval(0 == q);
      |         ^~~~~~~~~~~~~~~~~~~~~~~
<source>:14:12: warning: dereference of NULL '0' [CWE-476] [-Wanalyzer-null-dereference]
   14 |         *q = 1;
      |         ~~~^~~
  'f': events 1-3
    |
    |    7 |     if (p && (0 == q))
    |      |        ^
    |      |        |
    |      |        (1) following 'true' branch...
    |    8 |     {
    |    9 |         __analyzer_eval(p && (0 == q));
    |      |         ~~~~~~~~~~~~~~~
    |      |         |
    |      |         (2) ...to here
    |......
    |   14 |         *q = 1;
    |      |         ~~~~~~
    |      |         |
    |      |         (3) dereference of NULL '0'
    |
```

In the analysis under -O2 above, lines 12 and 13 are somewhat contradictory, as `__analyzer_eval(q)` results in UNKNOWN while `__analyzer_eval(0 == q)` results in TRUE.