public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug analyzer/96894] New: Analyzer assumes pointer is NULL, even if pointer was tested to be non-null before
@ 2020-09-02 7:44 vries at gcc dot gnu.org
2020-09-02 19:14 ` [Bug analyzer/96894] " dmalcolm at gcc dot gnu.org
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: vries at gcc dot gnu.org @ 2020-09-02 7:44 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96894
Bug ID: 96894
Summary: Analyzer assumes pointer is NULL, even if pointer was
tested to be non-null before
Product: gcc
Version: 11.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: vries at gcc dot gnu.org
Target Milestone: ---
Created attachment 49174
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=49174&action=edit
fibheap.c, preprocessed version from gdb/binutils master
Using gcc-11 (SUSE Linux) 11.0.0 20200901 (experimental) [revision
b1850c617b14eedaf60b358f3b7d4707cff73b8a].
Invoked like this:
...
$ gcc-11 fibheap.c -fanalyzer -S
...
We have:
...
fibheap.c: In function ‘fibnode_remove’:
fibheap.c:3122:42: warning: dereference of NULL ‘*(node).parent’ [CWE-690]
[-Wanalyzer-null-dereference]
3122 | && node->parent->child == node)
| ~~~~~~~~~~~~^~~~~~~
...
Looking at the source code, we have:
...
3118 if (node->parent !=
3119
3120 ((void *)0)
3121
3122 && node->parent->child == node)
3123 node->parent->child = ret;
...
So, just before dereferencing node->parent, we check that it's non-null, so the
warning that node->parent is dereferenced while it's null makes no sense.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug analyzer/96894] Analyzer assumes pointer is NULL, even if pointer was tested to be non-null before
2020-09-02 7:44 [Bug analyzer/96894] New: Analyzer assumes pointer is NULL, even if pointer was tested to be non-null before vries at gcc dot gnu.org
@ 2020-09-02 19:14 ` dmalcolm at gcc dot gnu.org
2021-02-14 17:25 ` dimhen at gmail dot com
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2020-09-02 19:14 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96894
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Ever confirmed|0 |1
Last reconfirmed| |2020-09-02
Status|UNCONFIRMED |ASSIGNED
--- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Thanks for filing this; confirmed.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug analyzer/96894] Analyzer assumes pointer is NULL, even if pointer was tested to be non-null before
2020-09-02 7:44 [Bug analyzer/96894] New: Analyzer assumes pointer is NULL, even if pointer was tested to be non-null before vries at gcc dot gnu.org
2020-09-02 19:14 ` [Bug analyzer/96894] " dmalcolm at gcc dot gnu.org
@ 2021-02-14 17:25 ` dimhen at gmail dot com
2021-03-03 18:37 ` [Bug analyzer/96894] State explosion on gdb's fibheap.c dmalcolm at gcc dot gnu.org
2021-03-12 21:52 ` dmalcolm at gcc dot gnu.org
3 siblings, 0 replies; 5+ messages in thread
From: dimhen at gmail dot com @ 2021-02-14 17:25 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96894
Dmitry G. Dyachenko <dimhen at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dimhen at gmail dot com
--- Comment #2 from Dmitry G. Dyachenko <dimhen at gmail dot com> ---
gcc version 11.0.0 20210212 (experimental) [master revision
0c27fe96f81:d6ccd7dde1c:8c4137c7ead515baaf1ac8340edeb3a442388b5b]
PASS for me
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug analyzer/96894] State explosion on gdb's fibheap.c
2020-09-02 7:44 [Bug analyzer/96894] New: Analyzer assumes pointer is NULL, even if pointer was tested to be non-null before vries at gcc dot gnu.org
2020-09-02 19:14 ` [Bug analyzer/96894] " dmalcolm at gcc dot gnu.org
2021-02-14 17:25 ` dimhen at gmail dot com
@ 2021-03-03 18:37 ` dmalcolm at gcc dot gnu.org
2021-03-12 21:52 ` dmalcolm at gcc dot gnu.org
3 siblings, 0 replies; 5+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2021-03-03 18:37 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96894
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|Analyzer assumes pointer is |State explosion on gdb's
|NULL, even if pointer was |fibheap.c
|tested to be non-null |
|before |
--- Comment #3 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
I'm not seeing the false positive any more with trunk.
Enabling -Wanalyzer-too-complex shows that the analyzer is still safety limits
and stopping (both per-program-point limits and the overall node limit).
If I bump up the limits, it fully explores the egraph, without showing any
diagnostics:
./xgcc -B. -S -fanalyzer ../../src/pr96894.c \
-Wanalyzer-too-complex \
--param analyzer-max-enodes-per-program-point=200 \
--param analyzer-bb-explosion-factor=50
So it appears that the false positive from -Wanalyzer-null-dereference is
fixed, but there's some kind of state explosion bug going on; we ought to be
able to explore this file without hitting the safety limits.
Retitling this bug accordingly
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug analyzer/96894] State explosion on gdb's fibheap.c
2020-09-02 7:44 [Bug analyzer/96894] New: Analyzer assumes pointer is NULL, even if pointer was tested to be non-null before vries at gcc dot gnu.org
` (2 preceding siblings ...)
2021-03-03 18:37 ` [Bug analyzer/96894] State explosion on gdb's fibheap.c dmalcolm at gcc dot gnu.org
@ 2021-03-12 21:52 ` dmalcolm at gcc dot gnu.org
3 siblings, 0 replies; 5+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2021-03-12 21:52 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96894
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |99390
--- Comment #4 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
The warnings from -Wanalyzer-too-complex show some deeply nested callstrings
e.g.:
./xgcc -B. -S -fanalyzer ../../src/pr96894.c -Wanalyzer-too-complex --param
analyzer-bb-explosion-factor=50
../../src/pr96894.c: In function ‘fibheap_consolidate’:
../../src/pr96894.c:3011:23: warning: terminating analysis for this program
point: callstring: [(SN: 89 -> SN: 97 in fibheap_delete), (SN: 59 -> SN: 86 in
fibheap_extr_min_node)] before (SN: 56 stmt: 0): i_34 = i_16 + 1;EN: 2004, EN:
2014, EN: 2143, EN: 2157, EN: 2275, EN: 2363, EN: 2424, EN: 2697
[-Wanalyzer-too-complex]
3011 | for (i = 0; i < D; i++)
| ~^~
../../src/pr96894.c:3011:23: warning: terminating analysis for this program
point: callstring: [(SN: 89 -> SN: 97 in fibheap_delete), (SN: 59 -> SN: 86 in
fibheap_extr_min_node)] before (SN: 56 stmt: 0): i_34 = i_16 + 1;EN: 2004, EN:
2014, EN: 2143, EN: 2157, EN: 2275, EN: 2363, EN: 2424, EN: 2697
[-Wanalyzer-too-complex]
../../src/pr96894.c:3011:23: warning: terminating analysis for this program
point: callstring: [(SN: 144 -> SN: 106 in fibheap_delete_node), (SN: 89 -> SN:
141 in fibheap_extract_min), (SN: 59 -> SN: 86 in fibheap_extr_min_node)]
before (SN: 56 stmt: 0): i_34 = i_16 + 1;EN: 4777, EN: 4787, EN: 4916, EN:
4930, EN: 5048, EN: 5136, EN: 5197, EN: 6058 [-Wanalyzer-too-complex]
../../src/pr96894.c:3011:23: warning: terminating analysis for this program
point: callstring: [(SN: 144 -> SN: 106 in fibheap_delete_node), (SN: 89 -> SN:
141 in fibheap_extract_min), (SN: 59 -> SN: 86 in fibheap_extr_min_node)]
before (SN: 56 stmt: 0): i_34 = i_16 + 1;EN: 4777, EN: 4787, EN: 4916, EN:
4930, EN: 5048, EN: 5136, EN: 5197, EN: 6058 [-Wanalyzer-too-complex]
so this is likely an issue with call summarization failing. Adding to call
summaries tracker.
Referenced Bugs:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99390
[Bug 99390] [meta-bug] tracker bug for call summaries in -fanalyzer
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-03-12 21:52 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-09-02 7:44 [Bug analyzer/96894] New: Analyzer assumes pointer is NULL, even if pointer was tested to be non-null before vries at gcc dot gnu.org
2020-09-02 19:14 ` [Bug analyzer/96894] " dmalcolm at gcc dot gnu.org
2021-02-14 17:25 ` dimhen at gmail dot com
2021-03-03 18:37 ` [Bug analyzer/96894] State explosion on gdb's fibheap.c dmalcolm at gcc dot gnu.org
2021-03-12 21:52 ` dmalcolm at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).