[Bug analyzer/102671] -Wanalyzer-null-dereference false positive when compiling GNU Emacs

eggert at cs dot ucla.edu via Gcc-bugs Sat, 06 Jan 2024 10:37:44 -0800

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102671


--- Comment #5 from Paul Eggert <eggert at cs dot ucla.edu> ---
Created attachment 56997
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=56997&action=edit
xselect.i example from GNU Emacs

Attached is another example taken from bleeding-edge GNU Emacs, compiled with
gcc (Ubuntu 13.2.0-4ubuntu3) 13.2.0 on x86-64. Compile with:

gunzip xselect.i
gcc -O2 -S -fanalyzer xselect.i

and the incorrect output is:

xselect.i: In function ‘x_get_local_selection’:
xselect.i:81397:58: warning: dereference of NULL ‘dpyinfo’ [CWE-476]
[-Wanalyzer-null-dereference]
81397 |     local_value = assq_no_quit (selection_symbol,
dpyinfo->terminal->Vselection_alist);
      |                                                   ~~~~~~~^~~~~~~~~~
  ‘Fx_get_local_selection’: events 1-2
    |
    |83313 | __attribute__((section (".subrs"))) static union Aligned_Lisp_Subr
Sx_get_local_selection = {{{ PVEC_SUBR << PSEUDOVECTOR_AREA_BITS }, { .a2 =
Fx_get_local_selection }, 0, 2, "x-get-local-selection", {0}, 0}}; Lisp_Object
Fx_get_local_selection
    |      |                                                                   
                                                                               
                                                                          
^~~~~~~~~~~~~~~~~~~~~~
    |      |                                                                   
                                                                               
                                                                           |
    |      |                                                                   
                                                                               
                                                                           (1)
entry to ‘Fx_get_local_selection’
    |......
    |83318 |   CHECK_SYMBOL (target);
    |      |   ~~~~~~~~~~~~~~~~~~~~~                                            
    |      |   |
    |      |   (2) calling ‘CHECK_SYMBOL’ from ‘Fx_get_local_selection’
    |
    +--> ‘CHECK_SYMBOL’: events 3-4
           |
           | 7282 | (CHECK_SYMBOL) (Lisp_Object x)
           |      |  ^~~~~~~~~~~~
           |      |  |
           |      |  (3) entry to ‘CHECK_SYMBOL’
           | 7283 | {
           | 7284 |   CHECK_TYPE (SYMBOLP (x), builtin_lisp_symbol (1360), x);
           |      |   ~
           |      |   |
           |      |   (4) inlined call to ‘CHECK_TYPE’ from ‘CHECK_SYMBOL’
           |
           +--> ‘CHECK_TYPE’: event 5
                  |
                  | 3127 |   ((ok) ? (void) 0 : wrong_type_argument (predicate,
x));
                  |      |  
~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  |      |                    |
                  |      |                    (5) following ‘true’ branch...
                  |
           <------+
           |
         ‘CHECK_SYMBOL’: event 6
           |
           | 7285 | }
           |      | ^
           |      | |
           |      | (6) ...to here
           |
    <------+
    |
  ‘Fx_get_local_selection’: events 7-8
    |
    |83318 |   CHECK_SYMBOL (target);
    |      |   ^~~~~~~~~~~~~~~~~~~~~
    |      |   |
    |      |   (7) returning to ‘Fx_get_local_selection’ from ‘CHECK_SYMBOL’
    |83319 |   Lisp_Object v = value; CHECK_CONS (v);
    |      |                          ~~~~~~~~~~~~~~
    |      |                          |
    |      |                          (8) calling ‘CHECK_CONS’ from
‘Fx_get_local_selection’
    |
    +--> ‘CHECK_CONS’: events 9-10
           |
           | 7468 | CHECK_CONS (Lisp_Object x)
           |      | ^~~~~~~~~~
           |      | |
           |      | (9) entry to ‘CHECK_CONS’
           | 7469 | {
           | 7470 |   CHECK_TYPE (CONSP (x), builtin_lisp_symbol (443), x);
           |      |   ~
           |      |   |
           |      |   (10) inlined call to ‘CHECK_TYPE’ from ‘CHECK_CONS’
           |
           +--> ‘CHECK_TYPE’: event 11
                  |
                  | 3127 |   ((ok) ? (void) 0 : wrong_type_argument (predicate,
x));
                  |      |  
~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  |      |                    |
                  |      |                    (11) following ‘false’ branch...
                  |
           <------+
           |
         ‘CHECK_CONS’: event 12
           |
           | 7471 | }
           |      | ^
           |      | |
           |      | (12) ...to here
           |
    <------+
    |
  ‘Fx_get_local_selection’: events 13-14
    |
    |83319 |   Lisp_Object v = value; CHECK_CONS (v);
    |      |                          ^~~~~~~~~~~~~~
    |      |                          |
    |      |                          (13) returning to
‘Fx_get_local_selection’ from ‘CHECK_CONS’
    |83320 |   name = XCAR (v); v = XCDR (v); CHECK_CONS (v);
    |      |                                  ~~~~~~~~~~~~~~
    |      |                                  |
    |      |                                  (14) calling ‘CHECK_CONS’ from
‘Fx_get_local_selection’
    |
    +--> ‘CHECK_CONS’: events 15-16
           |
           | 7468 | CHECK_CONS (Lisp_Object x)
           |      | ^~~~~~~~~~
           |      | |
           |      | (15) entry to ‘CHECK_CONS’
           | 7469 | {
           | 7470 |   CHECK_TYPE (CONSP (x), builtin_lisp_symbol (443), x);
           |      |   ~
           |      |   |
           |      |   (16) inlined call to ‘CHECK_TYPE’ from ‘CHECK_CONS’
           |
           +--> ‘CHECK_TYPE’: event 17
                  |
                  | 3127 |   ((ok) ? (void) 0 : wrong_type_argument (predicate,
x));
                  |      |  
~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  |      |                    |
                  |      |                    (17) following ‘false’ branch...
                  |
           <------+
           |
         ‘CHECK_CONS’: event 18
           |
           | 7471 | }
           |      | ^
           |      | |
           |      | (18) ...to here
           |
    <------+
    |
  ‘Fx_get_local_selection’: events 19-20
    |
    |83320 |   name = XCAR (v); v = XCDR (v); CHECK_CONS (v);
    |      |                                  ^~~~~~~~~~~~~~
    |      |                                  |
    |      |                                  (19) returning to
‘Fx_get_local_selection’ from ‘CHECK_CONS’
    |83321 |   v = XCDR (v); CHECK_CONS (v);
    |      |                 ~~~~~~~~~~~~~~    
    |      |                 |
    |      |                 (20) calling ‘CHECK_CONS’ from
‘Fx_get_local_selection’
    |
    +--> ‘CHECK_CONS’: events 21-22
           |
           | 7468 | CHECK_CONS (Lisp_Object x)
           |      | ^~~~~~~~~~
           |      | |
           |      | (21) entry to ‘CHECK_CONS’
           | 7469 | {
           | 7470 |   CHECK_TYPE (CONSP (x), builtin_lisp_symbol (443), x);
           |      |   ~
           |      |   |
           |      |   (22) inlined call to ‘CHECK_TYPE’ from ‘CHECK_CONS’
           |
           +--> ‘CHECK_TYPE’: event 23
                  |
                  | 3127 |   ((ok) ? (void) 0 : wrong_type_argument (predicate,
x));
                  |      |  
~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  |      |                    |
                  |      |                    (23) following ‘false’ branch...
                  |
           <------+
           |
         ‘CHECK_CONS’: event 24
           |
           | 7471 | }
           |      | ^
           |      | |
           |      | (24) ...to here
           |
    <------+
    |
  ‘Fx_get_local_selection’: events 25-26
    |
    |83321 |   v = XCDR (v); CHECK_CONS (v);
    |      |                 ^~~~~~~~~~~~~~
    |      |                 |
    |      |                 (25) returning to ‘Fx_get_local_selection’ from
‘CHECK_CONS’
    |83322 |   timestamp = XCAR (v); v = XCDR (v); CHECK_CONS (v);
    |      |                                       ~~~~~~~~~~~~~~
    |      |                                       |
    |      |                                       (26) calling ‘CHECK_CONS’
from ‘Fx_get_local_selection’
    |
    +--> ‘CHECK_CONS’: events 27-28
           |
           | 7468 | CHECK_CONS (Lisp_Object x)
           |      | ^~~~~~~~~~
           |      | |
           |      | (27) entry to ‘CHECK_CONS’
           | 7469 | {
           | 7470 |   CHECK_TYPE (CONSP (x), builtin_lisp_symbol (443), x);
           |      |   ~
           |      |   |
           |      |   (28) inlined call to ‘CHECK_TYPE’ from ‘CHECK_CONS’
           |
           +--> ‘CHECK_TYPE’: event 29
                  |
                  | 3127 |   ((ok) ? (void) 0 : wrong_type_argument (predicate,
x));
                  |      |  
~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  |      |                    |
                  |      |                    (29) following ‘false’ branch...
                  |
           <------+
           |
         ‘CHECK_CONS’: event 30
           |
           | 7471 | }
           |      | ^
           |      | |
           |      | (30) ...to here
           |
    <------+
    |
  ‘Fx_get_local_selection’: events 31-32
    |
    |83322 |   timestamp = XCAR (v); v = XCDR (v); CHECK_CONS (v);
    |      |                                       ^~~~~~~~~~~~~~
    |      |                                       |
    |      |                                       (31) returning to
‘Fx_get_local_selection’ from ‘CHECK_CONS’
    |83323 |   frame = XCAR (v);
    |83324 |   CHECK_SYMBOL (name);
    |      |   ~~~~~~~~~~~~~~~~~~~                  
    |      |   |
    |      |   (32) calling ‘CHECK_SYMBOL’ from ‘Fx_get_local_selection’
    |
    +--> ‘CHECK_SYMBOL’: events 33-34
           |
           | 7282 | (CHECK_SYMBOL) (Lisp_Object x)
           |      |  ^~~~~~~~~~~~
           |      |  |
           |      |  (33) entry to ‘CHECK_SYMBOL’
           | 7283 | {
           | 7284 |   CHECK_TYPE (SYMBOLP (x), builtin_lisp_symbol (1360), x);
           |      |   ~
           |      |   |
           |      |   (34) inlined call to ‘CHECK_TYPE’ from ‘CHECK_SYMBOL’
           |
           +--> ‘CHECK_TYPE’: event 35
                  |
                  | 3127 |   ((ok) ? (void) 0 : wrong_type_argument (predicate,
x));
                  |      |  
~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  |      |                    |
                  |      |                    (35) following ‘true’ branch...
                  |
           <------+
           |
         ‘CHECK_SYMBOL’: event 36
           |
           | 7285 | }
           |      | ^
           |      | |
           |      | (36) ...to here
           |
    <------+
    |
  ‘Fx_get_local_selection’: events 37-38
    |
    |83324 |   CHECK_SYMBOL (name);
    |      |   ^~~~~~~~~~~~~~~~~~~
    |      |   |
    |      |   (37) returning to ‘Fx_get_local_selection’ from ‘CHECK_SYMBOL’
    |......
    |83330 |   result = x_get_local_selection (name, target,
    |      |            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |            |
    |      |            (38) calling ‘x_get_local_selection’ from
‘Fx_get_local_selection’
    |83331 |                                                1
    |      |                                                ~
    |83332 |                                                    ,
    |      |                                                    ~
    |83333 |      ((void *)0)
    |      |      ~~~~~~~~~~~
    |83334 |          , value,
    |      |          ~~~~~~~~
    |83335 |                   0
    |      |                   ~
    |83336 |                        );
    |      |                        ~
    |
    +--> ‘x_get_local_selection’: events 39-42
           |
           |81381 | x_get_local_selection (Lisp_Object selection_symbol,
Lisp_Object target_type,
           |      | ^~~~~~~~~~~~~~~~~~~~~
           |      | |
           |      | (39) entry to ‘x_get_local_selection’
           |......
           |81396 |   if (NILP (local_value))
           |      |      ~
           |      |      |
           |      |      (40) following ‘true’ branch (when ‘local_value’ is
NULL)...
           |81397 |     local_value = assq_no_quit (selection_symbol,
dpyinfo->terminal->Vselection_alist);
           |      |                                                  
~~~~~~~~~~~~~~~~~
           |      |                                                          |
           |      |                                                         
(41) ...to here
           |      |                                                         
(42) dereference of NULL ‘dpyinfo’
           |

[Bug analyzer/102671] -Wanalyzer-null-dereference false positive when compiling GNU Emacs

Reply via email to