[Bug analyzer/106325] -Wanalyzer-null-dereference false positive due to analyzer not making assumptions for `__attribute__((nonnull))`

[cvs-commit at gcc dot gnu.org via Gcc-bugs]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106325

--- Comment #9 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-12 branch has been updated by David Malcolm
<dmalc...@gcc.gnu.org>:

https://gcc.gnu.org/g:02fbda165b74179469d9eae436fed613aa6a6ebb

commit r12-9362-g02fbda165b74179469d9eae436fed613aa6a6ebb
Author: David Malcolm <dmalc...@redhat.com>
Date:   Wed Mar 29 14:16:48 2023 -0400

    analyzer: use __attribute__((nonnull)) at top level of analysis [PR106325]

    PR analyzer/106325 reports false postives from
    -Wanalyzer-null-dereference on code like this:

    __attribute__((nonnull))
    void foo_a (Foo *p)
    {
      foo_b (p);

      switch (p->type)
        {
          /* ... */
        }
    }

    where foo_b (p) has a:

      g_return_if_fail (p);

    that expands to:

      if (!p)
        {
          return;
        }

    The analyzer "sees" the comparison against NULL in foo_b, and splits the
    analysis into the NULL and not-NULL cases; later, back in foo_a,  at
      switch (p->type)
    it complains that p is NULL.

    Previously we were only using __attribute__((nonnull)) as something to
    complain about when it was violated; we weren't using it as a source of
    knowledge.

    This patch fixes things by making the analyzer respect
    __attribute__((nonnull)) at the top-level of the analysis: any such
    params are now assumed to be non-NULL, so that the analyzer assumes the
    g_return_if_fail inside foo_b doesn't fail when called from foo_a

    Doing so fixes the false positives.

    Backported from r13-4520-gdcfc7ac94dbcf6.

    gcc/analyzer/ChangeLog:
            PR analyzer/106325
            * region-model-manager.cc
            (region_model_manager::get_or_create_null_ptr): New.
            * region-model.cc (region_model::on_top_level_param): Add
            "nonnull" param and make use of it.
            (region_model::push_frame): When handling a top-level entrypoint
            to the analysis, determine which params __attribute__((nonnull))
            applies to, and pass to on_top_level_param.
            * region-model.h (region_model_manager::get_or_create_null_ptr):
            New decl.
            (region_model::on_top_level_param): Add "nonnull" param.

    gcc/testsuite/ChangeLog:
            PR analyzer/106325
            * gcc.dg/analyzer/attr-nonnull-pr106325.c: New test.
            * gcc.dg/analyzer/attribute-nonnull.c (test_6): New.
            (test_7): New.

    Signed-off-by: David Malcolm <dmalc...@redhat.com>