public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug analyzer/109196] New: GSA evaluates `__analyzer_eval(((a())<(0))||((a())==(0)));` to be TRUE, but function `a()` is a unknown function
@ 2023-03-19 16:01 geoffreydgr at icloud dot com
2023-03-20 20:44 ` [Bug analyzer/109196] " dmalcolm at gcc dot gnu.org
0 siblings, 1 reply; 2+ messages in thread
From: geoffreydgr at icloud dot com @ 2023-03-19 16:01 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109196
Bug ID: 109196
Summary: GSA evaluates
`__analyzer_eval(((a())<(0))||((a())==(0)));` to be
TRUE, but function `a()` is a unknown function
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: geoffreydgr at icloud dot com
Target Milestone: ---
GSA evaluates `__analyzer_eval(((a())<(0))||((a())==(0)));` to be TRUE, but
function `a()` is a unknown function.
But if I delete `for(;;)`, every evaluation expression is evaluated to be
UNKNOWN.
See it live: https://godbolt.org/z/7e5bKdvde , https://godbolt.org/z/sj4bq4Krx
Input:
```c
#include "stdint.h"
#include <stdbool.h>
int a();
uint16_t b() {
for(;;)
if (a() <= 0) {
__analyzer_eval((a() <= 0)==true);
__analyzer_eval(((a())<(0))||((a())==(0)));
__analyzer_eval(((a())+0)<=((0)+0));
__analyzer_eval(((a())+0)<=((0)+1));
__analyzer_eval(((a())+1)<=((0)+1));
__analyzer_eval(((a())+0)<=((0)+2));
__analyzer_eval(((a())+1)<=((0)+2));
__analyzer_eval(((a())+2)<=((0)+2));
__analyzer_eval(((a())-0)<=((0)-0));
__analyzer_eval((!(a() <= 0))==false);
__analyzer_eval((((a())>=(0))&&((a())!=(0)))==false);
__analyzer_eval(true);
;
}
}
```
Output:
```
<source>: In function 'b':
<source>:9:7: warning: UNKNOWN
9 | __analyzer_eval((a() <= 0)==true);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:10:7: warning: TRUE
10 | __analyzer_eval(((a())<(0))||((a())==(0)));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:11:7: warning: UNKNOWN
11 | __analyzer_eval(((a())+0)<=((0)+0));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:12:7: warning: UNKNOWN
12 | __analyzer_eval(((a())+0)<=((0)+1));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:13:7: warning: UNKNOWN
13 | __analyzer_eval(((a())+1)<=((0)+1));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:14:7: warning: UNKNOWN
14 | __analyzer_eval(((a())+0)<=((0)+2));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:15:7: warning: UNKNOWN
15 | __analyzer_eval(((a())+1)<=((0)+2));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:16:7: warning: UNKNOWN
16 | __analyzer_eval(((a())+2)<=((0)+2));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:17:7: warning: UNKNOWN
17 | __analyzer_eval(((a())-0)<=((0)-0));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:18:7: warning: UNKNOWN
18 | __analyzer_eval((!(a() <= 0))==false);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:19:7: warning: FALSE
19 | __analyzer_eval((((a())>=(0))&&((a())!=(0)))==false);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:20:7: warning: TRUE
20 | __analyzer_eval(true);
| ^~~~~~~~~~~~~~~~~~~~~
<source>:10:7: warning: UNKNOWN
10 | __analyzer_eval(((a())<(0))||((a())==(0)));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:11:7: warning: UNKNOWN
11 | __analyzer_eval(((a())+0)<=((0)+0));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:12:7: warning: UNKNOWN
12 | __analyzer_eval(((a())+0)<=((0)+1));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:13:7: warning: UNKNOWN
13 | __analyzer_eval(((a())+1)<=((0)+1));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:14:7: warning: UNKNOWN
14 | __analyzer_eval(((a())+0)<=((0)+2));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:15:7: warning: UNKNOWN
15 | __analyzer_eval(((a())+1)<=((0)+2));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:16:7: warning: UNKNOWN
16 | __analyzer_eval(((a())+2)<=((0)+2));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:17:7: warning: UNKNOWN
17 | __analyzer_eval(((a())-0)<=((0)-0));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:18:7: warning: UNKNOWN
18 | __analyzer_eval((!(a() <= 0))==false);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:19:7: warning: UNKNOWN
19 | __analyzer_eval((((a())>=(0))&&((a())!=(0)))==false);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:20:7: warning: TRUE
20 | __analyzer_eval(true);
| ^~~~~~~~~~~~~~~~~~~~~
Compiler returned: 0
```
^ permalink raw reply [flat|nested] 2+ messages in thread
* [Bug analyzer/109196] GSA evaluates `__analyzer_eval(((a())<(0))||((a())==(0)));` to be TRUE, but function `a()` is a unknown function
2023-03-19 16:01 [Bug analyzer/109196] New: GSA evaluates `__analyzer_eval(((a())<(0))||((a())==(0)));` to be TRUE, but function `a()` is a unknown function geoffreydgr at icloud dot com
@ 2023-03-20 20:44 ` dmalcolm at gcc dot gnu.org
0 siblings, 0 replies; 2+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2023-03-20 20:44 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109196
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |WONTFIX
Status|UNCONFIRMED |RESOLVED
--- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Simpler reproducer:
https://godbolt.org/z/h3WcPP9q8
Looking at the gimple dump, I see:
<bb 5> :
iftmp.0_14 = 1;
goto <bb 7>; [INV]
<bb 6> :
iftmp.0_13 = 0;
<bb 7> :
# iftmp.0_4 = PHI <iftmp.0_14(5), iftmp.0_13(6)>
__analyzer_eval (iftmp.0_4);
i.e. that __analyzer_eval is being called with either 0 or 1. What you're
seeing here is a result of how the analyzer is merging state along different
paths.
Adding -fno-analyzer-state-merge:
https://godbolt.org/z/7Tn5xqo4x
converts the output to:
<source>: In function 'b':
<source>:9:9: warning: TRUE
9 | __analyzer_eval(((a())<(0))||((a())==(0)));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:9:9: warning: FALSE
i.e. the result of ||-ing the conditions could be true, and it could be false.
__analyzer_eval is intended as a feature for debugging the analyzer, rather
than being end-user-facing, so I'm going to mark this as WONTFIX. Hope this
makes sense.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-03-20 20:44 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-03-19 16:01 [Bug analyzer/109196] New: GSA evaluates `__analyzer_eval(((a())<(0))||((a())==(0)));` to be TRUE, but function `a()` is a unknown function geoffreydgr at icloud dot com
2023-03-20 20:44 ` [Bug analyzer/109196] " dmalcolm at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).