From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id 4EE883858C50; Mon, 27 Mar 2023 23:14:27 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 4EE883858C50 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org; s=default; t=1679958867; bh=4o2CbhtlILqeSPT5SRL83jT8pskzkvsG0TZ9CEjjJL4=; h=From:To:Subject:Date:In-Reply-To:References:From; b=MTrRCOOStdxPJXLhIyKLA7Jq0iQj8KUDl5OHbshW9vlL5YXF1igasmS9VXWjBC5mz lMI21iGADJPI12hijRnfxmRn+KfFfnMEN7l0h7YXqS/38vnHd5Gpl9MD1pXCVz7Az0 qtGtGIPL47H1BNy6Kjd/5xFZnXHyCo8tsIdv+lSk= From: "dmalcolm at gcc dot gnu.org" To: gcc-bugs@gcc.gnu.org Subject: [Bug analyzer/109266] Wanalyzer-null-dereference does not warn when struct is at null Date: Mon, 27 Mar 2023 23:14:26 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: gcc X-Bugzilla-Component: analyzer X-Bugzilla-Version: 13.0 X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: dmalcolm at gcc dot gnu.org X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P3 X-Bugzilla-Assigned-To: dmalcolm at gcc dot gnu.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 List-Id: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D109266 --- Comment #3 from David Malcolm --- (In reply to Jonny Grant from comment #2) > Thank you for your reply David. Your analyzer is very good already. >=20 > I played around a bit, a base of nullptr doesn't give a warning. But > changing to 0x10 does give array-bounds warning. > cc1plus: note: source object is likely at address zero > :13:13: warning: array subscript 0 is outside array bounds of 'a_t > [0]' [-Warray-bounds=3D] >=20 > https://godbolt.org/z/PhhT48xxP FWIW, note that [-Warray-bounds=3D] is separate from -fanalyzer. >=20 > Found Andrew Pinski comment says 4096 is not accessible: > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D106699#c1 Aha - thanks for the link! I think that's the thing that I was half-remembering (well, its dup, PR 99578), and that it was, in fact, in GC= C. Looks like I should extend -Wanalyzer-null-dereference to warn about access= es to constant addresses, but have it respect --param=3Dmin-pagesize=3D (see r11-9731-g91f7d7e1bb6827bf8e0b7ba7eb949953a5b1bd18). This would have = to wait for GCC 14 at this point in the release cycle. >=20 > I wondered if you know how to turn on that "cc1plus: note: source object = is > likely at address zero? It seems different from normal warnings. Grepping the sources shows it's from gcc/pointer-query.cc: access_ref::inform_access; I think it's one of the middle-end warnings that triggers that, but I'm not sure exactly which (the analyzer doesn't use tha= t at the moment). > It would be fantastic if there was a way for me to specify on the gcc > command line an address range I didn't want read and/or writable. That wo= uld > be great to get build warnings from those addresses if the compiler could > see them being accessed. Is this always for stuff near the 0 address, or are there other use cases?= =20 (embedded?) Are you able to post an example here of what the input might l= ook like? >=20 > At the moment, I always need to use the JTAG debugger to set some hw > breakpoints on read from various addresses to catch those accesses (as th= ey > are mapped to the interrupt vector from 0x0). On Windows I've had various > crashes where the access was address 0x10 so felt like that was probably a > struct offset too >=20 > I don't know very much about gcc internals. I did wonder if the analyzer = can > see the base address of the struct being passed as 0x0 in the RTL file? > I tried -fdump-rtl-all but couldn't see the 0x0 address, or when I changed > to 0x10 either The analyzer works on the gimple-ssa representation, which is before it bec= ome RTL. If you want to see the gory details, have a look in: https://gcc.gnu.org/onlinedocs/gccint/Analyzer-Internals.html in the gcc internal docs, and: https://gcc-newbies-guide.readthedocs.io/en/latest/inside-cc1.html in the guide for new gcc contributors I wrote.=