public inbox for gcc-bugs@sourceware.org
* [Bug analyzer/108428] New: -Wanalyzer-null-dereference false negative with *f = 1
@ 2023-01-17  8:26 geoffreydgr at icloud dot com
  2023-01-17  8:55 ` [Bug analyzer/108428] " geoffreydgr at icloud dot com
  2023-04-03 12:45 ` [Bug analyzer/108428] -Wanalyzer-null-dereference " geoffreydgr at icloud dot com
  0 siblings, 2 replies; 3+ messages in thread
From: geoffreydgr at icloud dot com @ 2023-01-17  8:26 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108428

            Bug ID: 108428
           Summary: -Wanalyzer-null-dereference false negative with *f = 1
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: geoffreydgr at icloud dot com
  Target Milestone: ---

I got a false negative error when compiling the following program with
`gcc(trunk) -fanalyzer -O0`. It is obvious that `*f = 1;` (at line 15) will
lead to an NPD error, but the gcc static analyzer cannot find it.

And I found that the analyzer did not know `__analyzer_eval(0 == e);` and
`__analyzer_eval(0 == f);` were both true.
In addition, I observed that the analyzer seemed to enter the loop twice
(it evaluated `__analyzer_eval(0 == e);` twice). I think this may hint
at something wrong.
https://godbolt.org/z/EjYqhsrWe

```c
#include <stdio.h>
extern void __analyzer_eval (int);
int main() {   
  int e = 1;
  int *f;

  for (int i = 0; i < 1; i++) {
    e = 0;
    __analyzer_eval(0 == e);
  }
  __analyzer_eval(0 == e);
  f = (int*) e;

  __analyzer_eval(0 == f);
  *f = 1;

  return 0;
}
```
Output:
```bash
<source>: In function 'main':
<source>:12:7: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
   12 |   f = (int*) e;
      |       ^
<source>:9:5: warning: TRUE
    9 |     __analyzer_eval(0 == e);
      |     ^~~~~~~~~~~~~~~~~~~~~~~
<source>:9:5: warning: TRUE
<source>:11:3: warning: UNKNOWN
   11 |   __analyzer_eval(0 == e);
      |   ^~~~~~~~~~~~~~~~~~~~~~~
<source>:14:3: warning: UNKNOWN
   14 |   __analyzer_eval(0 == f);
      |   ^~~~~~~~~~~~~~~~~~~~~~~
Compiler returned: 0
```

However, if I change `int e = 1` to `int e = 0` or to `int * e`, the analyzer can
find the NPD error correctly. So maybe the casting to pointer from integer
leads to the problem.
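
A triage helper for the diagnostics in the report above, added here as an example and not part of the original thread or of GCC: it tabulates the `__analyzer_eval` verdicts per source line and flags a run in which no `-Wanalyzer-null-dereference` warning appears. The function names are hypothetical; the sample input is the diagnostic lines quoted in the report.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of GCC.

# Diagnostic lines copied from the report above (source-context lines omitted).
sample_diagnostics() {
cat <<'EOF'
<source>: In function 'main':
<source>:12:7: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
<source>:9:5: warning: TRUE
<source>:9:5: warning: TRUE
<source>:11:3: warning: UNKNOWN
<source>:14:3: warning: UNKNOWN
EOF
}

# Compile one C file with the flags used in the report; diagnostics go to stdout.
run_analyzer() {
  gcc -fanalyzer -O0 -c "$1" -o /dev/null 2>&1
}

# Print "LINE VERDICT xCOUNT" for each __analyzer_eval result read from stdin.
eval_verdicts() {
  sed -nE 's/^.*:([0-9]+):[0-9]+: warning: (TRUE|FALSE|UNKNOWN)$/\1 \2/p' |
    sort -n | uniq -c | awk '{ print $2, $3, "x" $1 }'
}

# Succeed when stdin contains a -Wanalyzer-null-dereference warning.
has_null_deref() {
  grep -q -F -e '[-Wanalyzer-null-dereference]'
}

# Summarise a diagnostics file ($1); return 1 when no null dereference is reported.
triage() {
  eval_verdicts < "$1"
  if has_null_deref < "$1"; then
    echo "null dereference reported"
  else
    echo "no -Wanalyzer-null-dereference warning: possible false negative"
    return 1
  fi
}

# With a C file as argument, analyse it; with none, triage the sample above.
out=$(mktemp)
if [ "$#" -gt 0 ]; then run_analyzer "$1" > "$out"; else sample_diagnostics > "$out"; fi
triage "$out" || true
rm -f "$out"
```

The `x2` count on line 9 makes the repeated loop evaluation visible, and the non-zero return from `triage` lets the check run in a regression script against different GCC versions.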


* [Bug analyzer/108428] -Wanalyzer-null-dereference false negative with *f = 1
  2023-01-17  8:26 [Bug analyzer/108428] New: -Wanalyzer-null-dereference false negative with *f = 1 geoffreydgr at icloud dot com
@ 2023-01-17  8:55 ` geoffreydgr at icloud dot com
  2023-04-03 12:45 ` [Bug analyzer/108428] -Wanalyzer-null-dereference " geoffreydgr at icloud dot com
  1 sibling, 0 replies; 3+ messages in thread
From: geoffreydgr at icloud dot com @ 2023-01-17  8:55 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108428

--- Comment #1 from Geoffrey <geoffreydgr at icloud dot com> ---
In addition, CSA can correctly report the NPD warning:
https://godbolt.org/z/54n5so49P


* [Bug analyzer/108428] -Wanalyzer-null-dereference false negative with *f = 1
  2023-01-17  8:26 [Bug analyzer/108428] New: -Wanalyzer-null-dereference false negative with *f = 1 geoffreydgr at icloud dot com
  2023-01-17  8:55 ` [Bug analyzer/108428] " geoffreydgr at icloud dot com
@ 2023-04-03 12:45 ` geoffreydgr at icloud dot com
  1 sibling, 0 replies; 3+ messages in thread
From: geoffreydgr at icloud dot com @ 2023-04-03 12:45 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108428

--- Comment #2 from Geoffrey <geoffreydgr at icloud dot com> ---
Hi, David! Could you spare a little time to explain this case for me? Please
^v^

