public inbox for gcc-bugs@sourceware.org
* [Bug analyzer/108403] New: -Wanalyzer-null-dereference false negative with *q == 0
@ 2023-01-14  7:30 mengli.ming at outlook dot com
  2023-02-13  8:20 ` [Bug analyzer/108403] " geoffreydgr at icloud dot com
  0 siblings, 1 reply; 2+ messages in thread
From: mengli.ming at outlook dot com @ 2023-01-14  7:30 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108403

            Bug ID: 108403
           Summary: -Wanalyzer-null-dereference false negative with *q ==
                    0
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: mengli.ming at outlook dot com
  Target Milestone: ---

I got a false negative error when compiling the following program with
gcc (trunk) `-O0 -fanalyzer` in https://godbolt.org/z/4f7e3z8dE.

In this case, after entering the first if branch, the result of eval on line 10
is TRUE. At this time, the fact known to the analyzer is that the pointer `q`
is NULL, and then, for `*q == 0` on line 11, the analyzer does not generate an
NPD warning, which is a little odd.

Here are the analysis results of the case. Thank you for taking the time to
review this case.

Input:

```c
#include "stdio.h"
void __analyzer_eval(int);
int *f(int *);

int *f(int *q)
{
    __analyzer_eval(q == 0);
    if (q == 0)
    {
        __analyzer_eval(q == 0);
        if (*q == 0)
        {
            printf("Hello World!");
        }
    }
}
```

Output:

```text
<source>: In function 'f':
<source>:7:5: warning: UNKNOWN
    7 |     __analyzer_eval(q == 0);
      |     ^~~~~~~~~~~~~~~~~~~~~~~
<source>:10:9: warning: TRUE
   10 |         __analyzer_eval(q == 0);
      |         ^~~~~~~~~~~~~~~~~~~~~~~
```


* [Bug analyzer/108403] -Wanalyzer-null-dereference false negative with *q == 0
  2023-01-14  7:30 [Bug analyzer/108403] New: -Wanalyzer-null-dereference false negative with *q == 0 mengli.ming at outlook dot com
@ 2023-02-13  8:20 ` geoffreydgr at icloud dot com
  0 siblings, 0 replies; 2+ messages in thread
From: geoffreydgr at icloud dot com @ 2023-02-13  8:20 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108403

Geoffrey <geoffreydgr at icloud dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |geoffreydgr at icloud dot com

--- Comment #1 from Geoffrey <geoffreydgr at icloud dot com> ---
Hi, David. I think this case may be a duplicate of Bug 107733
(https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107733), because I can reduce it
to the following case_1. But I tried to modify this case to the following
case_2 (https://godbolt.org/z/qTze3Mh6T). It seems that GCC adds two
contradictory conditions (q == 0 and *q == 0) to equivalent classes. I do not
think this still counts as a duplicate of case_1. But I am not very sure. Could
you spare some time to help me understand this case? Maybe I can help to
contribute to the GCC Static Analyzer. Thanks a lot!

case_1
```c
#include "stdio.h"
int *f(int *q)
{
    if (q == 0)
    {
        *q == 0;
    }
}
```

case_2
```c
#include "stdint.h"
#include "stdio.h"
#include <stdbool.h>
#include <stdlib.h>

extern void __analyzer_describe ();
extern void __analyzer_eval ();
extern void __analyzer_dump ();
extern void __analyzer_dump_state (const char *name, ...);
extern void __analyzer_dump_region_model ();
extern void __analyzer_dump_exploded_nodes ();


int *f(int *q)
{
    if (q == 0 && *q == 0)
    {
        __analyzer_dump ();
        __analyzer_eval (q == 0);
        __analyzer_eval (*q == 0);
    }
}
```

output of case_2:
```text
rmodel:
stack depth: 1
  frame (index 0): frame: 'f'@1
clusters within root region
  cluster for: (*INIT_VAL(q_8(D)))
    ESCAPED
m_called_unknown_fn: FALSE
constraint_manager:
  equiv classes:
    ec0: {(int)0 == INIT_VAL((*INIT_VAL(q_8(D)))) == [m_constant]'0'}
    ec1: {(void *)0B == INIT_VAL(q_8(D)) == [m_constant]'0B'}
  constraints:
<source>: In function 'f':
<source>:19:9: warning: TRUE
   19 |         __analyzer_eval (q == 0);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~
<source>:20:9: warning: TRUE
   20 |         __analyzer_eval (*q == 0);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~
Compiler returned: 0
```

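As an added example (not part of either message in this thread), a small Python harness that turns reproducers like the ones in both messages into a regression check: it parses the `-fanalyzer` diagnostics quoted above and reports which expected diagnostics are absent, so the missing null-dereference warning on line 11 of the first test case shows up as a concrete false negative rather than something spotted by eye. The NPD message substring "dereference of NULL" and the helper names are assumptions; the sample output is the one quoted in the first message.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the -fanalyzer output quoted in the first message of
# this thread (lines 7 and 10 are the two __analyzer_eval calls).
SAMPLE_OUTPUT = """\
<source>: In function 'f':
<source>:7:5: warning: UNKNOWN
    7 |     __analyzer_eval(q == 0);
      |     ^~~~~~~~~~~~~~~~~~~~~~~
<source>:10:9: warning: TRUE
   10 |         __analyzer_eval(q == 0);
      |         ^~~~~~~~~~~~~~~~~~~~~~~
"""

# gcc diagnostic lines: "<file>:<line>:<col>: warning: <message> [-Wflag]".
# The trailing [-Wflag] is optional because __analyzer_eval results carry none.
DIAG_RE = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+):(?P<col>\d+): "
    r"(?P<kind>warning|error|note): (?P<msg>.*?)(?: \[(?P<flag>-W[\w-]+)\])?$"
)

@dataclass(frozen=True)
class Diag:
    line: int
    kind: str
    msg: str
    flag: Optional[str]

def parse_diagnostics(text):
    """Keep only diagnostic lines; source quotes, caret lines and region-model
    dumps (rmodel:, equiv classes, ...) never match DIAG_RE and are dropped."""
    return [Diag(int(m["line"]), m["kind"], m["msg"], m["flag"])
            for m in map(DIAG_RE.match, text.splitlines()) if m]

def check_expectations(diags, expected):
    """expected: set of (line, message substring). Returns the expectations no
    diagnostic satisfies; a missing NPD entry is exactly the false negative."""
    return {(line, sub) for line, sub in expected
            if not any(d.line == line and sub in d.msg for d in diags)}

# Expectations for the report's test case. The NPD message text is assumed to
# contain "dereference of NULL" (hypothetical here; the thread never shows it).
EXPECTED = {(7, "UNKNOWN"), (10, "TRUE"), (11, "dereference of NULL")}

if __name__ == "__main__":
    missing = check_expectations(parse_diagnostics(SAMPLE_OUTPUT), EXPECTED)
    print("false negatives:", sorted(missing))
```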
