Geoffrey1014/SA_Bugs

GCC -Wanalyzer-null-dereference false negative with `*c = 0`

Opened this issue · 3 comments

date: 2023-03-14
commit: 0c0681b7414c385d0fd5fad302c0d48607262050
args: --analyze -Xclang -analyzer-stats -Xclang -analyzer-checker=core,debug.ExprInspection
test:

extern void __analyzer_eval();
extern void __analyzer_dump_path();

int a()
{
    int d;
    for (d = -1; d; ++d)     /* body runs once: ++d takes d from -1 to 0 and the loop exits */
    {
        ;
    }
    __analyzer_dump_path();
    return d;
}

int b()
{
    int t = a();
    int *c = (void *)t;      /* t is always 0, so c is a null pointer */
    __analyzer_eval(c == 0); /* should be TRUE; the analyzer reports UNKNOWN */
    *c = 0;                  /* null-pointer dereference that goes unreported */
}

int main() { b(); }

report: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109225
report: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109292
fix:
original:

GCC Static Analyzer has an NPD false negative about `*c = 0;` (line 20).
It seems that GSA does not know the value of the simple iterator `d` of the for loop.

If I change the for statement to an if statement with the same semantics, there is no false negative about NPD.

See it live: https://godbolt.org/z/PGdbb6osj
See it live: https://godbolt.org/z/n61zPPxd7

Input

extern void __analyzer_eval();
extern void __analyzer_dump_path();

int a()
{
    int d;
    for (d = -1; d; ++d)
    {
        ;
    }
    __analyzer_dump_path();
    return d;
}

int b()
{
    int t = a();
    int *c = (void *)t;
    __analyzer_eval(c == 0);
    *c = 0;
}

int main() { b(); }

Output:

<source>: In function 'b':
<source>:18:14: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
   18 |     int *c = (void *)t;
      |              ^
<source>:19:5: warning: UNKNOWN
   19 |     __analyzer_eval(c == 0);
      |     ^~~~~~~~~~~~~~~~~~~~~~~
<source>:19:5: warning: UNKNOWN
<source>: In function 'a':
<source>:11:5: note: path
   11 |     __analyzer_dump_path();
      |     ^~~~~~~~~~~~~~~~~~~~~~
  'a': events 1-3
    |
    |    7 |     for (d = -1; d; ++d)
    |      |                  ^  ~~~
    |      |                  |  |
    |      |                  |  (2) ...to here
    |      |                  (1) following 'true' branch (when 'd != 0')...
    |......
    |   11 |     __analyzer_dump_path();
    |      |     ~~~~~~~~~~~~~~~~~~~~~~
    |      |     |
    |      |     (3) here
    |
Compiler returned: 0
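
The fact the analyzer misses is that the loop in `a()` exits after a single iteration with `d == 0`, so the pointer built in `b()` is always null. The program below is an added runtime check, not part of the report or of GCC's test suite: it keeps the loop form from the reproducer, adds a branch form that is my reading of the "if statement with the same semantics" (an assumption; the godbolt link holds the reporter's exact variant), and mirrors `b()` up to the store without performing it, so it can be run safely.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Loop form exactly as in the reproducer: d starts at -1, the body runs once
 * (d != 0), ++d makes it 0, the condition fails and the loop exits with d == 0. */
int a_loop(void)
{
    int d;
    for (d = -1; d; ++d)
    {
        ;
    }
    return d;
}

/* Branch form: assumed reading of the "if statement with the same semantics"
 * mentioned in the report. For the fixed start value -1 it yields the same d
 * as the loop, with no loop for the analyzer to approximate. */
int a_if(void)
{
    int d = -1;
    if (d)
        ++d;
    return d;
}

/* Mirrors b() up to, but not including, the store `*c = 0`: converts the
 * returned int to a pointer and reports whether that pointer is null.
 * intptr_t is used so the cast is well-defined and does not trigger
 * -Wint-to-pointer-cast; on conventional platforms an integer 0 converts to
 * the null pointer. Returns 1 when the store in b() would dereference NULL. */
int store_would_deref_null(int (*producer)(void))
{
    int t = producer();
    int *c = (int *)(intptr_t)t;
    return c == NULL;
}

int main(void)
{
    printf("a_loop() = %d, a_if() = %d\n", a_loop(), a_if());
    printf("loop form: would *c = 0 dereference NULL? %s\n",
           store_would_deref_null(a_loop) ? "yes" : "no");
    printf("if form:   would *c = 0 dereference NULL? %s\n",
           store_would_deref_null(a_if) ? "yes" : "no");
    return 0;
}
```

Both producers return 0 and both make `store_would_deref_null` report 1, which is the ground truth the analyzer's `UNKNOWN` for `c == 0` fails to establish on the loop form.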

CSA can handle it: https://godbolt.org/z/srqssWv3r
Pinpoint cannot.