From: "dmalcolm at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/113333] analyzer: False positives with calloc()
Date: Thu, 11 Jan 2024 19:43:19 +0000
X-Bugzilla-Product: gcc
X-Bugzilla-Component: analyzer
X-Bugzilla-Version: 14.0
X-Bugzilla-Severity: normal
X-Bugzilla-Status: ASSIGNED
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: dmalcolm at gcc dot gnu.org

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113333

David Malcolm changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Last reconfirmed|                            |2024-01-11
             Status|UNCONFIRMED                 |ASSIGNED
     Ever confirmed|0                           |1

--- Comment #1 from David Malcolm ---
Thanks for filing this bug.

Looking at trunk with:

extern void __analyzer_describe (int verbosity, ...);
extern void __analyzer_eval (int);

#include <stdlib.h>

char **f(void) {
      char **vec = calloc(1, sizeof(char *));  /* zero-filled allocation */
      if (vec) {
          char **p=vec;
          __analyzer_describe (0, p);
          __analyzer_describe (0, *p);
          __analyzer_eval (*p == 0);
      }
      return vec;
}

https://gcc.godbolt.org/z/z3vnxbTaT

<source>: In function 'f':
<source>:10:11: warning: svalue: '&HEAP_ALLOCATED_REGION(14)'
   10 |           __analyzer_describe (0, p);
      |           ^~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:11:11: warning: svalue: 'CAST(char *, REPEATED(outer_size: (long unsigned int)8, inner_val: (char)0))'
   11 |           __analyzer_describe (0, *p);
      |           ^~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:12:11: warning: UNKNOWN
   12 |           __analyzer_eval (*p == 0);
      |           ^~~~~~~~~~~~~~~~~~~~~~~~~

i.e. the analyzer "sees" that *p is the 0-byte repeated 8 times, cast to a
char *, but doesn't simplify that to just a NULL pointer.

I'm looking at a fix.
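
A toy model of the missing simplification described in the comment above, as an added example that is not part of the original message and is neither GCC's code nor its fix. The struct, enum and function names are hypothetical, and it assumes a target where a null pointer is represented by all-zero bytes.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy symbolic values mirroring the dump above; hypothetical names,
   not GCC's svalue classes. */
enum kind { SV_CONST, SV_REPEATED, SV_CAST_PTR };
enum tristate { TS_FALSE, TS_TRUE, TS_UNKNOWN };

struct sval {
    enum kind kind;
    unsigned long value;       /* SV_CONST: the constant */
    size_t outer_size;         /* SV_REPEATED: total bytes covered */
    const struct sval *inner;  /* SV_REPEATED: byte value; SV_CAST_PTR: operand */
};

/* Fold CAST(T *, REPEATED(sizeof(T *), (char)0)) to the constant 0.
   Assumption: the target's null pointer is all-zero bytes. */
static struct sval fold(const struct sval *sv)
{
    if (sv->kind == SV_CAST_PTR && sv->inner->kind == SV_REPEATED) {
        const struct sval *rep = sv->inner;
        if (rep->outer_size == sizeof(char *)
            && rep->inner->kind == SV_CONST && rep->inner->value == 0)
            return (struct sval){ SV_CONST, 0, 0, NULL };
    }
    return *sv;  /* anything else stays symbolic */
}

/* Evaluate "sv == 0": only a constant gives a definite answer. */
enum tristate eval_eq_zero(const struct sval *sv, int do_fold)
{
    struct sval v = do_fold ? fold(sv) : *sv;
    if (v.kind != SV_CONST)
        return TS_UNKNOWN;
    return v.value == 0 ? TS_TRUE : TS_FALSE;
}

/* Constructed inputs: the value reported for *p, and a non-zero fill. */
static const struct sval zero_byte = { SV_CONST, 0, 0, NULL };
static const struct sval ff_byte = { SV_CONST, 0xff, 0, NULL };
static const struct sval rep_zero = { SV_REPEATED, 0, sizeof(char *), &zero_byte };
static const struct sval rep_ff = { SV_REPEATED, 0, sizeof(char *), &ff_byte };
const struct sval deref_p = { SV_CAST_PTR, 0, 0, &rep_zero };
const struct sval deref_ff = { SV_CAST_PTR, 0, 0, &rep_ff };

int main(void)
{
    printf("unfolded=%d folded=%d\n",
           eval_eq_zero(&deref_p, 0), eval_eq_zero(&deref_p, 1));
    return 0;
}
```

Without the fold, the comparison against zero stays UNKNOWN, which is the state shown in the analyzer output; a non-zero fill is left symbolic either way.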