* [Bug analyzer/108403] New: -Wanalyzer-null-dereference false negative with *q == 0
@ 2023-01-14 7:30 mengli.ming at outlook dot com
2023-02-13 8:20 ` [Bug analyzer/108403] " geoffreydgr at icloud dot com
0 siblings, 1 reply; 2+ messages in thread
From: mengli.ming at outlook dot com @ 2023-01-14 7:30 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108403
Bug ID: 108403
Summary: -Wanalyzer-null-dereference false negative with *q == 0
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: mengli.ming at outlook dot com
Target Milestone: ---
I got a false negative error when compiling the following program with
gcc (trunk) `-O0 -fanalyzer` in https://godbolt.org/z/4f7e3z8dE.
In this case, after entering the first if branch, the result of eval on line 10
is TRUE. At this time, the fact known to the analyzer is that the pointer `q`
is NULL, and then, for `*q == 0` on line 11, the analyzer does not generate an NPD
warning, which is a little odd.
Here are the analysis results of the case. Thank you for taking the time to
review this case.
Input:
```c
#include <stdio.h>

void __analyzer_eval(int);
int *f(int *);
int *f(int *q)
{
    __analyzer_eval(q == 0);        /* line 7: the analyzer reports UNKNOWN */
    if (q == 0)
    {
        __analyzer_eval(q == 0);    /* line 10: reported TRUE, so q is known to be NULL here */
        if (*q == 0)                /* line 11: NULL dereference, yet no -Wanalyzer-null-dereference warning */
        {
            printf("Hello World!");
        }
    }
    return q;                       /* added so the non-void function returns a value */
}
```
Output:
```bash
<source>: In function 'f':
<source>:7:5: warning: UNKNOWN
    7 |     __analyzer_eval(q == 0);
      |     ^~~~~~~~~~~~~~~~~~~~~~~
<source>:10:9: warning: TRUE
   10 |         __analyzer_eval(q == 0);
      |         ^~~~~~~~~~~~~~~~~~~~~~~
```
* [Bug analyzer/108403] -Wanalyzer-null-dereference false negative with *q == 0
2023-01-14 7:30 [Bug analyzer/108403] New: -Wanalyzer-null-dereference false negative with *q == 0 mengli.ming at outlook dot com
@ 2023-02-13 8:20 ` geoffreydgr at icloud dot com
0 siblings, 0 replies; 2+ messages in thread
From: geoffreydgr at icloud dot com @ 2023-02-13 8:20 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108403
Geoffrey <geoffreydgr at icloud dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |geoffreydgr at icloud dot com

--- Comment #1 from Geoffrey <geoffreydgr at icloud dot com> ---
Hi, David. I think this case may be a duplicate of Bug 107733
(https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107733), because I can reduce it
to the following case_1. But I tried to modify this case to the following
case_2 (https://godbolt.org/z/qTze3Mh6T). It seems that GCC adds two
contradictory conditions (q == 0 and *q == 0) to equivalence classes. I do not
think this still counts as a duplicate of case_1. But I am not very sure. Could
you spare some time to help me understand this case? Maybe I can help to
contribute to the GCC Static Analyzer. Thanks a lot!
case_1
```c
#include <stdio.h>
int *f(int *q)
{
    if (q == 0)
    {
        *q == 0;    /* dereference of a pointer that was just tested equal to NULL */
    }
    return q;       /* added so the non-void function returns a value */
}
```
case_2
```c
#include <stdint.h>
#include <stdio.h>

#include <stdbool.h>
#include <stdlib.h>

extern void __analyzer_describe ();
extern void __analyzer_eval ();
extern void __analyzer_dump ();
extern void __analyzer_dump_state (const char *name, ...);
extern void __analyzer_dump_region_model ();
extern void __analyzer_dump_exploded_nodes ();

int *f(int *q)
{
    if (q == 0 && *q == 0)          /* *q is evaluated only on the path where q == 0 already holds */
    {
        __analyzer_dump ();
        __analyzer_eval (q == 0);   /* line 19: TRUE */
        __analyzer_eval (*q == 0);  /* line 20: TRUE */
    }
    return q;                       /* added so the non-void function returns a value */
}
```
output of case_2:
```
rmodel:
stack depth: 1
  frame (index 0): frame: 'f'@1
clusters within root region
  cluster for: (*INIT_VAL(q_8(D)))
    ESCAPED
m_called_unknown_fn: FALSE
constraint_manager:
  equiv classes:
    ec0: {(int)0 == INIT_VAL((*INIT_VAL(q_8(D)))) == [m_constant]'0'}
    ec1: {(void *)0B == INIT_VAL(q_8(D)) == [m_constant]'0B'}
  constraints:
<source>: In function 'f':
<source>:19:9: warning: TRUE
   19 |         __analyzer_eval (q == 0);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~
<source>:20:9: warning: TRUE
   20 |         __analyzer_eval (*q == 0);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~
Compiler returned: 0
```
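The equivalence-class dump above records both `q == 0` and `*q == 0` as facts on the same path without a diagnostic. The toy model below, an added example that is not GCC's analyzer code and was not posted in the thread, replays the path through `f()` from the original report using a hypothetical op encoding (`OP_EVAL_NULL`, `OP_ASSUME_NULL`, `OP_DEREF`) and shows the point at which checking a dereference against the facts already known about `q` would have produced the missing warning.

```c
#include <stdio.h>
/* Toy model constructed for this thread (not GCC's analyzer code): one
 * pointer `q`, one path, and the facts that path implies. */
enum op_kind { OP_EVAL_NULL, OP_ASSUME_NULL, OP_DEREF };
enum tv { TV_UNKNOWN, TV_TRUE, TV_FALSE };
struct op { enum op_kind kind; int line; };
/* q_nullness: 0 = unknown, 1 = known NULL, 2 = known non-NULL. */
struct state { int q_nullness; int warnings; };

/* What __analyzer_eval(q == 0) should report under the current facts. */
enum tv eval_q_is_null(const struct state *s)
{
    if (s->q_nullness == 1) return TV_TRUE;
    if (s->q_nullness == 2) return TV_FALSE;
    return TV_UNKNOWN;
}

/* Walk the statements of one path; return the null-dereference count. */
int run_path(const struct op *ops, int n, struct state *s)
{
    static const char *const names[] = { "UNKNOWN", "TRUE", "FALSE" };
    for (int i = 0; i < n; i++) {
        switch (ops[i].kind) {
        case OP_EVAL_NULL:
            printf("line %d: %s\n", ops[i].line, names[eval_q_is_null(s)]);
            break;
        case OP_ASSUME_NULL: /* entering `if (q == 0)` records q == NULL */
            s->q_nullness = 1;
            break;
        case OP_DEREF: /* `*q`: check the facts about q before recording
                          any fact (such as *q == 0) about the loaded value */
            if (s->q_nullness == 1) {
                printf("line %d: warning: dereference of NULL 'q'\n", ops[i].line);
                s->warnings++;
            }
            break;
        }
    }
    return s->warnings;
}

/* The path through f() in the report: eval at line 7, enter `if (q == 0)`,
 * eval at line 10, dereference at line 11; expected result is one warning. */
int analyze_report_case(void)
{
    const struct op path[] = { { OP_EVAL_NULL, 7 }, { OP_ASSUME_NULL, 8 },
                               { OP_EVAL_NULL, 10 }, { OP_DEREF, 11 } };
    struct state s = { 0, 0 };
    return run_path(path, 4, &s);
}
```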