https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113253
Bug ID: 113253
Summary: gcc -g causes -fanalyzer to issue false positive
Product: gcc
Version: 13.2.1
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: eggert at cs dot ucla.edu
Target Milestone: ---

Created attachment 56998 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=56998&action=edit
marker1.i file illustrating -fanalyzer -g bug

This is a weird one, taken from bleeding-edge GNU Emacs, compiled with gcc (GCC) 13.2.1 20231205 (Red Hat 13.2.1-6) on x86-64. Compile the attached with:

gcc -O2 -S -g -fanalyzer marker1.i

I get the following diagnostic, which is a false positive. If I do not use gcc's "-g" option, the compile is clean with no diagnostics. The check at line 17754 is not redundant: as the source quoted at lines 17738-17739 of the trace shows, live_buffer returns ((void *)0) when BUFFER_LIVE_P (b) is false, so the b tested in set_marker_internal can be null even though live_buffer's own b was dereferenced at event (19), and removing the check to silence the warning would be wrong. The constant 18446744073709551611 in the message is 2^64 - 5, i.e. the analyzer is describing the pointer as buffer minus 5 in unsigned 64-bit arithmetic.

marker1.i: In function ‘set_marker_internal’: marker1.i:17754:7: warning: check of ‘(long unsigned int)buffer + 18446744073709551611’ for NULL after already dereferencing it [-Wanalyzer-deref-before-check] 17752 | if (NILP (position) | ~~~~~~~~~~~~~~~ 17753 | || (MARKERP (position) && !XMARKER (position)->buffer) | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 17754 | || !b) | ^~~~~ ‘set_marker_restricted’: events 1-2 | |17803 | set_marker_restricted (Lisp_Object marker, Lisp_Object position, | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (1) entry to ‘set_marker_restricted’ |...... |17806 | return set_marker_internal (marker, position, buffer, | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (2) calling ‘set_marker_internal’ from ‘set_marker_restricted’ |17807 | 1 | | ~ |17808 | ); | | ~ | +--> ‘set_marker_internal’: events 3-4 | |17743 | set_marker_internal (Lisp_Object marker, Lisp_Object position, | | ^~~~~~~~~~~~~~~~~~~ | | | | | (3) entry to ‘set_marker_internal’ |......
|17749 | struct buffer *b = live_buffer (buffer); | | ~ | | | | | (4) inlined call to ‘live_buffer’ from ‘set_marker_internal’ | +--> ‘live_buffer’: event 5 | |17737 | struct buffer *b = decode_buffer (buffer); | | ^~~~~~~~~~~~~~~~~~~~~~ | | | | | (5) calling ‘decode_buffer’ from ‘set_marker_internal’ | ‘decode_buffer’: events 6-9 | |11274 | decode_buffer (Lisp_Object b) | | ^~~~~~~~~~~~~ | | | | | (6) entry to ‘decode_buffer’ |11275 | { |11276 | return NILP (b) ? (current_thread->m_current_buffer) : (CHECK_BUFFER (b), XBUFFER (b)); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (8) ...to here | | | (9) calling ‘CHECK_BUFFER’ from ‘decode_buffer’ | | (7) following ‘false’ branch (when ‘b’ is non-NULL)... | +--> ‘CHECK_BUFFER’: event 10 | |10892 | CHECK_BUFFER (Lisp_Object x) | | ^~~~~~~~~~~~ | | | | | (10) entry to ‘CHECK_BUFFER’ | +--> ‘CHECK_BUFFER’: event 11 | |10894 | CHECK_TYPE (BUFFERP (x), builtin_lisp_symbol (346), x); | | ^ | | | | | (11) inlined call to ‘BUFFERP’ from ‘CHECK_BUFFER’ | +--> ‘BUFFERP’: event 12 | |10889 | return PSEUDOVECTORP (a, PVEC_BUFFER); | | ^ | | | | | (12) inlined call to ‘PSEUDOVECTORP’ from ‘BUFFERP’ | +--> ‘PSEUDOVECTORP’: event 13 | | 6274 | return (TAGGEDP ((a), Lisp_Vectorlike) && ((((union vectorlike_header *) ((uintptr_t) XLP ((a)) - (uintptr_t) ((Lisp_Word_tag) (Lisp_Vectorlike) << (((0x7fffffffffffffffL | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (13) following ‘true’ branch... | 6275 | >> (3 - 1)) / 2 < | | ~~~~~~~~~~~~~~~~~ | 6276 | (9223372036854775807L) | | ~~~~~~~~~~~~~~~~~~~~~~ | 6277 | ) ? 
0 : VALBITS))))->size & (( | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 6278 | (9223372036854775807L) | | ~~~~~~~~~~~~~~~~~~~~~~ | 6279 | - | | ~ | 6280 | (9223372036854775807L) | | ~~~~~~~~~~~~~~~~~~~~~~ | 6281 | / 2) | PVEC_TYPE_MASK)) == (( | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 6282 | (9223372036854775807L) | | ~~~~~~~~~~~~~~~~~~~~~~ | 6283 | - | | ~ | 6284 | (9223372036854775807L) | | ~~~~~~~~~~~~~~~~~~~~~~ | 6285 | / 2) | ((code) << PSEUDOVECTOR_AREA_BITS)))); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | <--------------------+ | ‘CHECK_BUFFER’: event 14 | |10889 | return PSEUDOVECTORP (a, PVEC_BUFFER); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (14) ...to here | <------+ | ‘decode_buffer’: event 15 | |11276 | return NILP (b) ? (current_thread->m_current_buffer) : (CHECK_BUFFER (b), XBUFFER (b)); | | ^~~~~~~~~~~~~~~~ | | | | | (15) returning to ‘decode_buffer’ from ‘CHECK_BUFFER’ | <------+ | ‘set_marker_internal’: event 16 | |17749 | struct buffer *b = live_buffer (buffer); | | ^ | | | | | (16) inlined call to ‘live_buffer’ from ‘set_marker_internal’ | +--> ‘live_buffer’: events 17-18 | |17737 | struct buffer *b = decode_buffer (buffer); | | ^~~~~~~~~~~~~~~~~~~~~~ | | | | | (17) returning to ‘set_marker_internal’ from ‘decode_buffer’ |17738 | return BUFFER_LIVE_P (b) ? b : | | ~ | | | | | (18) inlined call to ‘BUFFER_LIVE_P’ from ‘live_buffer’ | +--> ‘BUFFER_LIVE_P’: event 19 | |11203 | return !NILP (((b)->name_)); | | ^~~~~~~~~~~~~~~~~~~ | | | | | (19) pointer ‘(long unsigned int)buffer + 18446744073709551611’ is dereferenced here | <------+ | ‘live_buffer’: event 20 | |17738 | return BUFFER_LIVE_P (b) ? b : | | ~~~~~~~~~~~~~~~~~~~~~~^ | | | | | (20) following ‘true’ branch... 
|17739 | ((void *)0) | | ~~~~~~~~~~~ | <------+ | ‘set_marker_internal’: events 21-22 | |17749 | struct buffer *b = live_buffer (buffer); | | ^~~~~~~~~~~~~~~~~~~~ | | | | | (21) ...to here |17750 | CHECK_MARKER (marker); | | ~~~~~~~~~~~~~~~~~~~~~ | | | | | (22) calling ‘CHECK_MARKER’ from ‘set_marker_internal’ | +--> ‘CHECK_MARKER’: event 23 | |17445 | CHECK_MARKER (Lisp_Object x) | | ^~~~~~~~~~~~ | | | | | (23) entry to ‘CHECK_MARKER’ | +--> ‘CHECK_MARKER’: event 24 | |17447 | CHECK_TYPE (MARKERP (x), builtin_lisp_symbol (974), x); | | ^ | | | | | (24) inlined call to ‘MARKERP’ from ‘CHECK_MARKER’ | +--> ‘MARKERP’: event 25 | | 8235 | return PSEUDOVECTORP (x, PVEC_MARKER); | | ^ | | | | | (25) inlined call to ‘PSEUDOVECTORP’ from ‘MARKERP’ | +--> ‘PSEUDOVECTORP’: event 26 | | 6274 | return (TAGGEDP ((a), Lisp_Vectorlike) && ((((union vectorlike_header *) ((uintptr_t) XLP ((a)) - (uintptr_t) ((Lisp_Word_tag) (Lisp_Vectorlike) << (((0x7fffffffffffffffL | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (26) following ‘true’ branch... | 6275 | >> (3 - 1)) / 2 < | | ~~~~~~~~~~~~~~~~~ | 6276 | (9223372036854775807L) | | ~~~~~~~~~~~~~~~~~~~~~~ | 6277 | ) ? 
0 : VALBITS))))->size & (( | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 6278 | (9223372036854775807L) | | ~~~~~~~~~~~~~~~~~~~~~~ | 6279 | - | | ~ | 6280 | (9223372036854775807L) | | ~~~~~~~~~~~~~~~~~~~~~~ | 6281 | / 2) | PVEC_TYPE_MASK)) == (( | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 6282 | (9223372036854775807L) | | ~~~~~~~~~~~~~~~~~~~~~~ | 6283 | - | | ~ | 6284 | (9223372036854775807L) | | ~~~~~~~~~~~~~~~~~~~~~~ | 6285 | / 2) | ((code) << PSEUDOVECTOR_AREA_BITS)))); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | <--------------------+ | ‘CHECK_MARKER’: event 27 | | 8235 | return PSEUDOVECTORP (x, PVEC_MARKER); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (27) ...to here | <------+ | ‘set_marker_internal’: events 28-31 | | 8233 | MARKERP (Lisp_Object x) | | ~~~~~~~ | | | | | (30) ...to here |...... |17750 | CHECK_MARKER (marker); | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (28) returning to ‘set_marker_internal’ from ‘CHECK_MARKER’ |17751 | m = XMARKER (marker); |17752 | if (NILP (position) | | ~~~~~~~~~~~~~~~~ | | | | | (29) following ‘false’ branch (when ‘position’ is non-NULL)... |17753 | || (MARKERP (position) && !XMARKER (position)->buffer) | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |17754 | || !b) | | ~~~~~ | | | | | (31) pointer ‘(long unsigned int)buffer + 18446744073709551611’ is checked for NULL here but it was already dereferenced at (19) |