https://gcc.gnu.org/bugzilla/show_bug.cgi?id=116995
Bug ID: 116995 Summary: Missed Detection of Null Pointer Dereference Issues Product: gcc Version: 11.4.0 Status: UNCONFIRMED Severity: normal Priority: P3 Component: analyzer Assignee: dmalcolm at gcc dot gnu.org Reporter: tianxinghe at smail dot nju.edu.cn Target Milestone: --- $ gcc -v Using built-in specs. COLLECT_GCC=gcc COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/11/lto-wrapper OFFLOAD_TARGET_NAMES=nvptx-none:amdgcn-amdhsa OFFLOAD_TARGET_DEFAULT=1 Target: x86_64-linux-gnu Configured with: ../src/configure -v --with-pkgversion='Ubuntu 11.4.0-1ubuntu1~22.04' --with-bugurl=file:///usr/share/doc/gcc-11/README.Bugs --enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++,m2 --prefix=/usr --with-gcc-major-version-only --program-suffix=-11 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --enable-bootstrap --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-plugin --enable-default-pie --with-system-zlib --enable-libphobos-checking=release --with-target-system-zlib=auto --enable-objc-gc=auto --enable-multiarch --disable-werror --enable-cet --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-offload-targets=nvptx-none=/build/gcc-11-XeT9lY/gcc-11-11.4.0/debian/tmp-nvptx/usr,amdgcn-amdhsa=/build/gcc-11-XeT9lY/gcc-11-11.4.0/debian/tmp-gcn/usr --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu --with-build-config=bootstrap-lto-lean --enable-link-serialization=2 Thread model: posix Supported LTO compression algorithms: zlib zstd gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04) gcc 1.c -fanalyzer inputs can be ./t 1826809252 0 0 The checker misses the null dereference bug in the line: v7 = *v6; 
This bug can be detected by GCC 14.2.0.
The bug path:
main: entry - block2 - block5
func: entry - block1 - block4 - block5 - block2 - block6
minimal test case:
#include <stdint.h>
#include <stdio.h>

#ifndef __cplusplus
typedef unsigned char bool;
#endif

/* Hand-written prototypes: malloc/atol/free are declared here with
 * uint8_t-pointer / uint64_t signatures and <stdlib.h> is not included,
 * presumably so the reduced test case controls the declarations the
 * analyzer works from (intent of the reproducer; not stated on the page). */
void init(char**);
uint8_t* malloc(uint64_t);
uint64_t atol(uint8_t*);
void free(uint8_t*);
int main(int, char **);
void func(uint64_t**, uint64_t*, uint64_t**, uint64_t);

/* Global argument buffer filled by init(); main() reads args[0]. */
uint64_t* args;

/* Parses argv[1..3] into the global args[] array.
 * init() never sees argc, so the three argv entries are read unchecked,
 * and the malloc() result is not tested for NULL; the reproducer relies
 * on being run with exactly three arguments (e.g. ./t 1826809252 0 0).
 * argv[i] is char* while atol() is declared above to take uint8_t*;
 * newer GCC versions may reject this pointer-type mismatch - TODO confirm. */
void init(char** argv) {
    args = (uint64_t*) malloc(3 * sizeof(uint64_t));
    for (int i = 1; i <= 3; ++i) {
        args[i - 1] = atol(argv[i]);
    }
}

/* Builds the argument state for func(). v2 starts out NULL and is only
 * re-pointed at v6 in block3/block4; the path entry -> block2 -> block5,
 * taken exactly when input0 == 1826809252, skips both, so func() receives
 * a3 == &v2 with *a3 == NULL. v5 is declared but never used. */
int main(int argc, char ** argv) {
    uint64_t input0;
    uint64_t* v1;
    uint64_t* v2;
    uint64_t v3;
    uint64_t v4;
    bool v5;
    uint64_t v6;
    init(argv);
    input0 = args[0];
    v3 = input0 * 37;
    v2 = (uint64_t*)/*NULL*/0;   /* starts NULL; only block3/block4 point it at v6 */
    v6 = 1320690439;
    if (input0 == 1826809252) {
        goto block2;
    } else {
        goto block3;
    }
block5:
    /* On the reported input v2 is still NULL here. */
    v1 = &v4;
    *v1 = 171952983;
    func(&v1, &v3, &v2, input0);
    return 0;
block2:
    /* 1826809252 < 2606378767, so the reported input falls through to block5. */
    if (input0 >= 2606378767) {
        goto block4;
    } else {
        goto block5;
    }
block3:
    v2 = &v6;
    goto block2;
block4:
    v2 = &v6;
    goto block5;
}

/* Every path through func() ends in block6, which dereferences *a3 without
 * a NULL check. With main()'s a3 == &v2 and v2 == NULL on the reported input,
 * `v7 = *v6;` is the null pointer dereference that GCC 11.4 -fanalyzer
 * misses. v10, v11 and v12 are declared but never used. */
void func(uint64_t** a1, uint64_t* a2, uint64_t** a3, uint64_t a4) {
    uint64_t v1;
    uint8_t v2;
    uint64_t v3;
    uint64_t v4;
    uint64_t* v5;
    uint64_t* v6;
    uint64_t v7;
    uint64_t* v8;
    uint64_t** v9;
    uint64_t* v10;
    uint64_t** v11;
    uint64_t* v12;
    uint64_t v13;
    uint64_t* v14;
    v2 = ((uint8_t)a4);                  /* low byte of a4 */
    v3 = *a2;
    v4 = ((int64_t)(int8_t)v2);          /* sign-extended low byte, stored in a uint64_t */
    /* v4 is uint64_t, so (int64_t)v3 is converted to unsigned for this
     * comparison: a negative sign-extended byte (0xA4 for 1826809252) compares
     * as a huge value and the branch goes to block1. */
    if (v4 >= (int64_t)v3) {
        goto block1;
    } else {
        goto block2;
    }
block5:
    goto block2;
block4:
    /* Only reachable from block1, which set v9 = &v14 and v14 = &v13, so this writes v13. */
    v5 = *v9;
    *v5 = 1;
    goto block5;
block6:
    /* *a3 is never validated; on the reported path it is NULL and the next
     * line dereferences it. */
    v6 = *a3;
    v7 = *v6;
    v13 = v7;
    return;
block3:
    *v9 = (&v1);
    goto block4;
block2:
    v8 = *a1;       /* *a1 is main()'s v1, i.e. &v4 in main() */
    *v8 = 1;
    goto block6;
block1:
    v9 = (&v14);
    v14 = &v13;
    /* Signed comparison this time (both operands cast to int64_t), unlike
     * the unsigned one at function entry. */
    if ((int64_t)v3 <= (int64_t)v4) {
        goto block3;
    } else {
        goto block4;
    }
}