From: "andrew.cooper3 at citrix dot com"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/108968] fanalyzer false positive with the uninitalised-ness of the stack pointer
Date: Thu, 02 Mar 2023 21:34:02 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108968

--- Comment #13 from Andrew Cooper ---
I've constructed an example which might be the knock-on effect you were worried
about?

void foo(char *other)
{
    char *ptr = NULL;

    if ( current->domain )
        ptr = other;

    asm volatile ("cmc");

    if ( current->domain )
        ptr[0] = ~ptr[0];
}

yields

arch/x86/tmp.c: In function 'foo':
arch/x86/tmp.c:14:22: error: dereference of NULL 'ptr' [CWE-476] [-Werror=analyzer-null-dereference]
   14 |         ptr[0] = ~ptr[0];
      |                   ~~~^~~
  'foo': events 1-5
    |
    |    8 |     if ( current->domain )
    |      |        ^
    |      |        |
    |      |        (1) following 'false' branch...
    |......
    |   11 |     asm volatile ("cmc");
    |      |     ~~~
    |      |     |
    |      |     (2) ...to here
    |   12 |
    |   13 |     if ( current->domain )
    |      |        ~
    |      |        |
    |      |        (3) following 'true' branch...
    |   14 |         ptr[0] = ~ptr[0];
    |      |         ~~~       ~~~~~~
    |      |         |            |
    |      |         |            (5) dereference of NULL 'ptr'
    |      |         (4) ...to here
    |