public inbox for gcc-bugs@sourceware.org
From: "eggert at cs dot ucla.edu" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/113253] New: gcc -g causes -fanalyzer to issue false positive
Date: Sat, 06 Jan 2024 19:08:50 +0000
Message-ID: <bug-113253-4@http.gcc.gnu.org/bugzilla/>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113253

            Bug ID: 113253
           Summary: gcc -g causes -fanalyzer to issue false positive
           Product: gcc
           Version: 13.2.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: eggert at cs dot ucla.edu
  Target Milestone: ---

Created attachment 56998
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=56998&action=edit
marker1.i file illustrating -fanalyzer -g bug

This is a weird one, taken from bleeding-edge GNU Emacs, compiled with gcc
(GCC) 13.2.1 20231205 (Red Hat 13.2.1-6) on x86-64. Compile the attached with:

gcc -O2 -S -g -fanalyzer marker1.i

I get the following diagnostic, which is a false positive. If I do not use
gcc's "-g" option, the compile is clean with no diagnostics.

marker1.i: In function ‘set_marker_internal’:
marker1.i:17754:7: warning: check of ‘(long unsigned int)buffer + 18446744073709551611’ for NULL after already dereferencing it [-Wanalyzer-deref-before-check]
17752 |   if (NILP (position)
      |       ~~~~~~~~~~~~~~~
17753 |       || (MARKERP (position) && !XMARKER (position)->buffer)
      |       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
17754 |       || !b)
      |       ^~~~~
  ‘set_marker_restricted’: events 1-2
    |
    |17803 | set_marker_restricted (Lisp_Object marker, Lisp_Object position,
    |      | ^~~~~~~~~~~~~~~~~~~~~
    |      | |
    |      | (1) entry to ‘set_marker_restricted’
    |......
    |17806 |   return set_marker_internal (marker, position, buffer,
    |      |          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |          |
    |      |          (2) calling ‘set_marker_internal’ from
‘set_marker_restricted’
    |17807 |                                                        1
    |      |                                                        ~
    |17808 |                                                            );
    |      |                                                            ~
    |
    +--> ‘set_marker_internal’: events 3-4
           |
           |17743 | set_marker_internal (Lisp_Object marker, Lisp_Object
position,
           |      | ^~~~~~~~~~~~~~~~~~~
           |      | |
           |      | (3) entry to ‘set_marker_internal’
           |......
           |17749 |   struct buffer *b = live_buffer (buffer);
           |      |                      ~
           |      |                      |
           |      |                      (4) inlined call to ‘live_buffer’ from
‘set_marker_internal’
           |
           +--> ‘live_buffer’: event 5
                  |
                  |17737 |   struct buffer *b = decode_buffer (buffer);
                  |      |                      ^~~~~~~~~~~~~~~~~~~~~~
                  |      |                      |
                  |      |                      (5) calling ‘decode_buffer’
from ‘set_marker_internal’
                  |
                ‘decode_buffer’: events 6-9
                  |
                  |11274 | decode_buffer (Lisp_Object b)
                  |      | ^~~~~~~~~~~~~
                  |      | |
                  |      | (6) entry to ‘decode_buffer’
                  |11275 | {
                  |11276 |   return NILP (b) ?
(current_thread->m_current_buffer) : (CHECK_BUFFER (b), XBUFFER (b));
                  |      |         
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  |      |                                                     
  |  |
                  |      |                                                     
  |  (8) ...to here
                  |      |                                                     
  |  (9) calling ‘CHECK_BUFFER’ from ‘decode_buffer’
                  |      |                                                     
  (7) following ‘false’ branch (when ‘b’ is non-NULL)...
                  |
                  +--> ‘CHECK_BUFFER’: event 10
                         |
                         |10892 | CHECK_BUFFER (Lisp_Object x)
                         |      | ^~~~~~~~~~~~
                         |      | |
                         |      | (10) entry to ‘CHECK_BUFFER’
                         |
                         +--> ‘CHECK_BUFFER’: event 11
                                |
                                |10894 |   CHECK_TYPE (BUFFERP (x),
builtin_lisp_symbol (346), x);
                                |      |               ^
                                |      |               |
                                |      |               (11) inlined call to
‘BUFFERP’ from ‘CHECK_BUFFER’
                                |
                                +--> ‘BUFFERP’: event 12
                                       |
                                       |10889 |   return PSEUDOVECTORP (a,
PVEC_BUFFER);
                                       |      |          ^
                                       |      |          |
                                       |      |          (12) inlined call to
‘PSEUDOVECTORP’ from ‘BUFFERP’
                                       |
                                       +--> ‘PSEUDOVECTORP’: event 13
                                              |
                                              | 6274 |   return (TAGGEDP ((a),
Lisp_Vectorlike) && ((((union vectorlike_header *) ((uintptr_t) XLP ((a)) -
(uintptr_t) ((Lisp_Word_tag) (Lisp_Vectorlike) << (((0x7fffffffffffffffL
                                              |      |         
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                                              |      |                         
                |
                                              |      |                         
                (13) following ‘true’ branch...
                                              | 6275 |         >> (3 - 1)) / 2
<
                                              |      |        
~~~~~~~~~~~~~~~~~                 
                                              | 6276 |        
(9223372036854775807L)
                                              |      |        
~~~~~~~~~~~~~~~~~~~~~~            
                                              | 6277 |         ) ? 0 :
VALBITS))))->size & ((
                                              |      |        
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~    
                                              | 6278 |        
(9223372036854775807L)
                                              |      |        
~~~~~~~~~~~~~~~~~~~~~~            
                                              | 6279 |         -
                                              |      |         ~                
                                              | 6280 |        
(9223372036854775807L)
                                              |      |        
~~~~~~~~~~~~~~~~~~~~~~            
                                              | 6281 |         / 2) |
PVEC_TYPE_MASK)) == ((
                                              |      |        
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~     
                                              | 6282 |        
(9223372036854775807L)
                                              |      |        
~~~~~~~~~~~~~~~~~~~~~~            
                                              | 6283 |         -
                                              |      |         ~                
                                              | 6284 |        
(9223372036854775807L)
                                              |      |        
~~~~~~~~~~~~~~~~~~~~~~            
                                              | 6285 |         / 2) | ((code)
<< PSEUDOVECTOR_AREA_BITS))));
                                              |      |        
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                                              |
                         <--------------------+
                         |
                       ‘CHECK_BUFFER’: event 14
                         |
                         |10889 |   return PSEUDOVECTORP (a, PVEC_BUFFER);
                         |      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                         |      |          |
                         |      |          (14) ...to here
                         |
                  <------+
                  |
                ‘decode_buffer’: event 15
                  |
                  |11276 |   return NILP (b) ?
(current_thread->m_current_buffer) : (CHECK_BUFFER (b), XBUFFER (b));
                  |      |                                                     
     ^~~~~~~~~~~~~~~~
                  |      |                                                     
     |
                  |      |                                                     
     (15) returning to ‘decode_buffer’ from ‘CHECK_BUFFER’
                  |
           <------+
           |
         ‘set_marker_internal’: event 16
           |
           |17749 |   struct buffer *b = live_buffer (buffer);
           |      |                      ^
           |      |                      |
           |      |                      (16) inlined call to ‘live_buffer’
from ‘set_marker_internal’
           |
           +--> ‘live_buffer’: events 17-18
                  |
                  |17737 |   struct buffer *b = decode_buffer (buffer);
                  |      |                      ^~~~~~~~~~~~~~~~~~~~~~
                  |      |                      |
                  |      |                      (17) returning to
‘set_marker_internal’ from ‘decode_buffer’
                  |17738 |   return BUFFER_LIVE_P (b) ? b :
                  |      |          ~            
                  |      |          |
                  |      |          (18) inlined call to ‘BUFFER_LIVE_P’ from
‘live_buffer’
                  |
                  +--> ‘BUFFER_LIVE_P’: event 19
                         |
                         |11203 |   return !NILP (((b)->name_));
                         |      |           ^~~~~~~~~~~~~~~~~~~
                         |      |           |
                         |      |           (19) pointer ‘(long unsigned
int)buffer + 18446744073709551611’ is dereferenced here
                         |
                  <------+
                  |
                ‘live_buffer’: event 20
                  |
                  |17738 |   return BUFFER_LIVE_P (b) ? b :
                  |      |          ~~~~~~~~~~~~~~~~~~~~~~^
                  |      |                                |
                  |      |                                (20) following ‘true’
branch...
                  |17739 |                                 ((void *)0)
                  |      |                                 ~~~~~~~~~~~
                  |
           <------+
           |
         ‘set_marker_internal’: events 21-22
           |
           |17749 |   struct buffer *b = live_buffer (buffer);
           |      |                      ^~~~~~~~~~~~~~~~~~~~
           |      |                      |
           |      |                      (21) ...to here
           |17750 |   CHECK_MARKER (marker);
           |      |   ~~~~~~~~~~~~~~~~~~~~~
           |      |   |
           |      |   (22) calling ‘CHECK_MARKER’ from ‘set_marker_internal’
           |
           +--> ‘CHECK_MARKER’: event 23
                  |
                  |17445 | CHECK_MARKER (Lisp_Object x)
                  |      | ^~~~~~~~~~~~
                  |      | |
                  |      | (23) entry to ‘CHECK_MARKER’
                  |
                  +--> ‘CHECK_MARKER’: event 24
                         |
                         |17447 |   CHECK_TYPE (MARKERP (x),
builtin_lisp_symbol (974), x);
                         |      |               ^
                         |      |               |
                         |      |               (24) inlined call to ‘MARKERP’
from ‘CHECK_MARKER’
                         |
                         +--> ‘MARKERP’: event 25
                                |
                                | 8235 |   return PSEUDOVECTORP (x,
PVEC_MARKER);
                                |      |          ^
                                |      |          |
                                |      |          (25) inlined call to
‘PSEUDOVECTORP’ from ‘MARKERP’
                                |
                                +--> ‘PSEUDOVECTORP’: event 26
                                       |
                                       | 6274 |   return (TAGGEDP ((a),
Lisp_Vectorlike) && ((((union vectorlike_header *) ((uintptr_t) XLP ((a)) -
(uintptr_t) ((Lisp_Word_tag) (Lisp_Vectorlike) << (((0x7fffffffffffffffL
                                       |      |         
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                                       |      |                                
         |
                                       |      |                                
         (26) following ‘true’ branch...
                                       | 6275 |         >> (3 - 1)) / 2 <
                                       |      |         ~~~~~~~~~~~~~~~~~       
                                       | 6276 |         (9223372036854775807L)
                                       |      |         ~~~~~~~~~~~~~~~~~~~~~~  
                                       | 6277 |         ) ? 0 :
VALBITS))))->size & ((
                                       |      |        
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~    
                                       | 6278 |         (9223372036854775807L)
                                       |      |         ~~~~~~~~~~~~~~~~~~~~~~  
                                       | 6279 |         -
                                       |      |         ~                       
                                       | 6280 |         (9223372036854775807L)
                                       |      |         ~~~~~~~~~~~~~~~~~~~~~~  
                                       | 6281 |         / 2) | PVEC_TYPE_MASK))
== ((
                                       |      |        
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~     
                                       | 6282 |         (9223372036854775807L)
                                       |      |         ~~~~~~~~~~~~~~~~~~~~~~  
                                       | 6283 |         -
                                       |      |         ~                       
                                       | 6284 |         (9223372036854775807L)
                                       |      |         ~~~~~~~~~~~~~~~~~~~~~~  
                                       | 6285 |         / 2) | ((code) <<
PSEUDOVECTOR_AREA_BITS))));
                                       |      |        
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                                       |
                  <--------------------+
                  |
                ‘CHECK_MARKER’: event 27
                  |
                  | 8235 |   return PSEUDOVECTORP (x, PVEC_MARKER);
                  |      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  |      |          |
                  |      |          (27) ...to here
                  |
           <------+
           |
         ‘set_marker_internal’: events 28-31
           |
           | 8233 | MARKERP (Lisp_Object x)
           |      | ~~~~~~~
           |      | |
           |      | (30) ...to here
           |......
           |17750 |   CHECK_MARKER (marker);
           |      |   ^~~~~~~~~~~~~~~~~~~~~
           |      |   |
           |      |   (28) returning to ‘set_marker_internal’ from
‘CHECK_MARKER’
           |17751 |   m = XMARKER (marker);
           |17752 |   if (NILP (position)
           |      |      ~~~~~~~~~~~~~~~~
           |      |      |
           |      |      (29) following ‘false’ branch (when ‘position’ is
non-NULL)...
           |17753 |       || (MARKERP (position) && !XMARKER
(position)->buffer)
           |      |      
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           |17754 |       || !b)
           |      |       ~~~~~
           |      |       |
           |      |       (31) pointer ‘(long unsigned int)buffer +
18446744073709551611’ is checked for NULL here but it was already dereferenced
at (19)
           |
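
Added example, not part of the report and not Emacs source: a reduced C model of the control flow visible in events 5-31, showing that the `!b` test at line 17754 guards the return value of `live_buffer` (which is NULL for a dead buffer), not the pointer dereferenced in `BUFFER_LIVE_P`. The `live` flag, the `current` object and `set_marker_model` are assumptions standing in for Emacs's `Lisp_Object` tagging, `name_` field and `set_marker_internal`; the model does not claim to reproduce the diagnostic.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified stand-in (assumption): a plain struct with a "live" flag
   replaces the tagged Lisp_Object and the name_ field of struct buffer. */
struct buffer { bool live; };

/* Stand-in for current_thread->m_current_buffer (assumption). */
static struct buffer current = { true };

/* Models decode_buffer (line 11276): nil selects the current buffer,
   otherwise the argument itself, so the result is never NULL. */
static struct buffer *decode_buffer(struct buffer *obj)
{
    return obj ? obj : &current;
}

/* Models BUFFER_LIVE_P (line 11203): dereferences its argument.
   This corresponds to event 19 in the trace. */
static bool buffer_live_p(const struct buffer *b)
{
    return b->live;
}

/* Models live_buffer (lines 17737-17739): the local b is dereferenced,
   but the value returned is NULL whenever the buffer is dead. */
static struct buffer *live_buffer(struct buffer *obj)
{
    struct buffer *b = decode_buffer(obj);
    return buffer_live_p(b) ? b : NULL;
}

/* Models the guard in set_marker_internal (lines 17749-17754).
   Here b is live_buffer's result, so !b is a real, reachable check
   (event 31). Returns 0 when the guard fires, 1 otherwise. */
int set_marker_model(struct buffer *obj)
{
    struct buffer *b = live_buffer(obj);
    if (!b)
        return 0;
    return 1;
}

int main(void)
{
    struct buffer dead = { false }, live = { true };
    /* Exit status 0 when both outcomes of the !b guard are observed. */
    return !(set_marker_model(&dead) == 0
             && set_marker_model(&live) == 1
             && set_marker_model(NULL) == 1);
}
```
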
