public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug analyzer/109196] New: GSA evaluates `__analyzer_eval(((a())<(0))||((a())==(0)));` to be TRUE, but function `a()` is a unknown function
@ 2023-03-19 16:01 geoffreydgr at icloud dot com
  2023-03-20 20:44 ` [Bug analyzer/109196] " dmalcolm at gcc dot gnu.org
  0 siblings, 1 reply; 2+ messages in thread
From: geoffreydgr at icloud dot com @ 2023-03-19 16:01 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109196

            Bug ID: 109196
           Summary: GSA evaluates
                    `__analyzer_eval(((a())<(0))||((a())==(0)));` to be
                    TRUE, but function `a()` is a unknown function
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: geoffreydgr at icloud dot com
  Target Milestone: ---

GSA evaluates `__analyzer_eval(((a())<(0))||((a())==(0)));` to be TRUE, but
function `a()` is a unknown function.

But if I delete `for(;;)`, every evaluation expression is evaluated to be
UNKNOWN.

See it live: https://godbolt.org/z/7e5bKdvde ,  https://godbolt.org/z/sj4bq4Krx

Input:
```c
#include "stdint.h"
#include <stdbool.h>
int a(); 

uint16_t b() {
    for(;;)
    if (a() <= 0) {
      __analyzer_eval((a() <= 0)==true);
      __analyzer_eval(((a())<(0))||((a())==(0)));
      __analyzer_eval(((a())+0)<=((0)+0));
      __analyzer_eval(((a())+0)<=((0)+1));
      __analyzer_eval(((a())+1)<=((0)+1));
      __analyzer_eval(((a())+0)<=((0)+2));
      __analyzer_eval(((a())+1)<=((0)+2));
      __analyzer_eval(((a())+2)<=((0)+2));
      __analyzer_eval(((a())-0)<=((0)-0));
      __analyzer_eval((!(a() <= 0))==false);
      __analyzer_eval((((a())>=(0))&&((a())!=(0)))==false);
      __analyzer_eval(true);
      ;
    }
}
```

Output:
```
<source>: In function 'b':
<source>:9:7: warning: UNKNOWN
    9 |       __analyzer_eval((a() <= 0)==true);
      |       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:10:7: warning: TRUE
   10 |       __analyzer_eval(((a())<(0))||((a())==(0)));
      |       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:11:7: warning: UNKNOWN
   11 |       __analyzer_eval(((a())+0)<=((0)+0));
      |       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:12:7: warning: UNKNOWN
   12 |       __analyzer_eval(((a())+0)<=((0)+1));
      |       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:13:7: warning: UNKNOWN
   13 |       __analyzer_eval(((a())+1)<=((0)+1));
      |       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:14:7: warning: UNKNOWN
   14 |       __analyzer_eval(((a())+0)<=((0)+2));
      |       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:15:7: warning: UNKNOWN
   15 |       __analyzer_eval(((a())+1)<=((0)+2));
      |       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:16:7: warning: UNKNOWN
   16 |       __analyzer_eval(((a())+2)<=((0)+2));
      |       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:17:7: warning: UNKNOWN
   17 |       __analyzer_eval(((a())-0)<=((0)-0));
      |       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:18:7: warning: UNKNOWN
   18 |       __analyzer_eval((!(a() <= 0))==false);
      |       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:19:7: warning: FALSE
   19 |       __analyzer_eval((((a())>=(0))&&((a())!=(0)))==false);
      |       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:20:7: warning: TRUE
   20 |       __analyzer_eval(true);
      |       ^~~~~~~~~~~~~~~~~~~~~
<source>:10:7: warning: UNKNOWN
   10 |       __analyzer_eval(((a())<(0))||((a())==(0)));
      |       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:11:7: warning: UNKNOWN
   11 |       __analyzer_eval(((a())+0)<=((0)+0));
      |       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:12:7: warning: UNKNOWN
   12 |       __analyzer_eval(((a())+0)<=((0)+1));
      |       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:13:7: warning: UNKNOWN
   13 |       __analyzer_eval(((a())+1)<=((0)+1));
      |       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:14:7: warning: UNKNOWN
   14 |       __analyzer_eval(((a())+0)<=((0)+2));
      |       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:15:7: warning: UNKNOWN
   15 |       __analyzer_eval(((a())+1)<=((0)+2));
      |       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:16:7: warning: UNKNOWN
   16 |       __analyzer_eval(((a())+2)<=((0)+2));
      |       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:17:7: warning: UNKNOWN
   17 |       __analyzer_eval(((a())-0)<=((0)-0));
      |       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:18:7: warning: UNKNOWN
   18 |       __analyzer_eval((!(a() <= 0))==false);
      |       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:19:7: warning: UNKNOWN
   19 |       __analyzer_eval((((a())>=(0))&&((a())!=(0)))==false);
      |       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:20:7: warning: TRUE
   20 |       __analyzer_eval(true);
      |       ^~~~~~~~~~~~~~~~~~~~~
Compiler returned: 0
```

^ permalink raw reply	[flat|nested] 2+ messages in thread
* [Bug analyzer/109196] GSA evaluates `__analyzer_eval(((a())<(0))||((a())==(0)));` to be TRUE, but function `a()` is a unknown function
  2023-03-19 16:01 [Bug analyzer/109196] New: GSA evaluates `__analyzer_eval(((a())<(0))||((a())==(0)));` to be TRUE, but function `a()` is a unknown function geoffreydgr at icloud dot com
@ 2023-03-20 20:44 ` dmalcolm at gcc dot gnu.org
  0 siblings, 0 replies; 2+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2023-03-20 20:44 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109196

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WONTFIX
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Simpler reproducer:
  https://godbolt.org/z/h3WcPP9q8

Looking at the gimple dump, I see:

  <bb 5> :
  iftmp.0_14 = 1;
  goto <bb 7>; [INV]

  <bb 6> :
  iftmp.0_13 = 0;

  <bb 7> :
  # iftmp.0_4 = PHI <iftmp.0_14(5), iftmp.0_13(6)>
  __analyzer_eval (iftmp.0_4);

i.e. that __analyzer_eval is being called with either 0 or 1.  What you're
seeing here is a result of how the analyzer is merging state along different
paths.

Adding  -fno-analyzer-state-merge:
  https://godbolt.org/z/7Tn5xqo4x
converts the output to:
  <source>: In function 'b':
  <source>:9:9: warning: TRUE
      9 |         __analyzer_eval(((a())<(0))||((a())==(0)));
        |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  <source>:9:9: warning: FALSE

i.e. the result of ||-ing the conditions could be true, and it could be false.

__analyzer_eval is intended as a feature for debugging the analyzer, rather
than being end-user-facing, so I'm going to mark this as WONTFIX.  Hope this
makes sense.

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-03-20 20:44 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-03-19 16:01 [Bug analyzer/109196] New: GSA evaluates `__analyzer_eval(((a())<(0))||((a())==(0)));` to be TRUE, but function `a()` is a unknown function geoffreydgr at icloud dot com
2023-03-20 20:44 ` [Bug analyzer/109196] " dmalcolm at gcc dot gnu.org

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).