From: "mengli.ming at outlook dot com"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/108325] New: -Wanalyzer-null-dereference false positive with *f = 42
Date: Sat, 07 Jan 2023 05:27:44 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108325

            Bug ID: 108325
           Summary: -Wanalyzer-null-dereference false positive with *f = 42
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: mengli.ming at outlook dot com
  Target Milestone: ---

I got a false positive error when compiling the following program with
gcc (trunk) `-O0 -fanalyzer` in https://godbolt.org/z/db7v3PGYe.

In this case, the eval statement in line 16 gives two results, FALSE and
UNKNOWN. The UNKNOWN here is a little odd, and then the analyzer analyzes the
code inside the if statement; however, this code is unreachable.

Input:

```
#include <stdio.h>
#include <stdbool.h>
void __analyzer_eval(int);          /* analyzer-only hook: reports TRUE/FALSE/UNKNOWN for its argument */

struct a
{
    int b;
} c()
{
    struct a d = {1};
    int e = 0;
    int *f = (int *)e;              /* f is a NULL pointer */

    for (d.b = 0; e == 0; e++)      /* body runs exactly once: e goes 0 -> 1 */
    {
        __analyzer_eval(true == ((!d.b) && e));
        if ((!d.b) && e)            /* never true here: the loop guard requires e == 0 */
        {
            __analyzer_eval(true == ((!d.b) && e));
            *f = 42;                /* unreachable at run time, yet reported as a NULL dereference */
        }
    }
}

int main(void)
{
    c();
}
```

Output:

```
: In function 'c':
:16:9: warning: FALSE
   16 |         __analyzer_eval(true == ((!d.b) && e));
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:16:9: warning: UNKNOWN
:19:13: warning: TRUE
   19 |             __analyzer_eval(true == ((!d.b) && e));
      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:16:9: warning: FALSE
   16 |         __analyzer_eval(true == ((!d.b) && e));
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:16:9: warning: FALSE
:16:9: warning: UNKNOWN
:19:13: warning: TRUE
   19 |             __analyzer_eval(true == ((!d.b) && e));
      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:16:9: warning: FALSE
   16 |         __analyzer_eval(true == ((!d.b) && e));
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:20:16: warning: dereference of NULL 'f' [CWE-476] [-Wanalyzer-null-dereference]
   20 |             *f = 42;
      |             ~~~^~~~
  'c': events 1-20
    |
    |   12 |     int *f = (int *)e;
    |      |          ^
    |      |          |
    |      |          (1) 'f' is NULL
    |   13 | 
    |   14 |     for (d.b = 0; e == 0; e++)
    |      |                   ~~~~~~    ~~~
    |      |                   |         |
    |      |                   |         (11) ...to here
    |      |                   (2) following 'true' branch (when 'e == 0')...
    |      |                   (12) following 'true' branch (when 'e == 0')...
    |   15 |     {
    |   16 |         __analyzer_eval(true == ((!d.b) && e));
    |      |         ~~~~~~~~~~~~~
    |      |         |
    |      |         (4) following 'true' branch...
    |      |         (5) ...to here
    |      |         (6) following 'false' branch (when 'e == 0')...
    |      |         (7) ...to here
    |      |         (14) following 'true' branch...
    |      |         (15) ...to here
    |      |         (3) ...to here
    |      |         (13) ...to here
    |   17 |         if ((!d.b) && e)
    |      |         ~~~~~~~~~~~~
    |      |         |
    |      |         (9) ...to here
    |      |         (10) following 'false' branch (when 'e == 0')...
    |      |         (17) ...to here
    |      |         (8) following 'true' branch...
    |      |         (16) following 'true' branch...
    |   18 |         {
    |   19 |             __analyzer_eval(true == ((!d.b) && e));
    |      |             ~~~~~~~~~~~~~
    |      |             |
    |      |             (18) following 'true' branch...
    |      |             (19) ...to here
    |   20 |             *f = 42;
    |      |             ~~~~~~~
    |      |             |
    |      |             (20) dereference of NULL 'f'
    |
```

I set it directly to 0 in the initialization of `d.b`, and then kept the
semantics of the for loop executing only one time. After making the following
transformation (https://godbolt.org/z/nvePK1sdb), the NPD warning disappeared,
and the eval statement in line 19 is not output.

Thank you for taking the time to review these cases.