[Bug analyzer/109365] Double delete yields -Wanalyzer-use-after-free instead of -Wanalyzer-double-free

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109365 --- Comment #1 from David Malcolm --- (In reply to Benjamin Priour from comment #0) [...] > (Note: sorry David, I've binged through bugzilla doc and gcc bugs page yet I > cannot seem to find the way to add this to the 'analyzer-c++' block, nor

[Bug analyzer/109361] RFE: SARIF output could contain timing/profile information

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109361 --- Comment #1 from David Malcolm --- Some existing SARIF properties we could generate: 3.20.7 startTimeUtc property An invocation object MAY contain a property named

[Bug analyzer/109361] New: RFE: SARIF output could contain timing/profile information

Priority: P3 Component: analyzer Assignee: dmalcolm at gcc dot gnu.org Reporter: dmalcolm at gcc dot gnu.org Target Milestone: --- My integration tests for -fanalyzer don't yet track how long the analyzer takes on the real-world cases. It would be nice for the .sarif

[Bug other/109163] SARIF (and other JSON) output files are non-deterministic

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109163 David Malcolm changed: What|Removed |Added Resolution|--- |FIXED Status|WAITING

[Bug testsuite/109360] New: RFE: check that generated .sarif files validate against the SARIF schema

: normal Priority: P3 Component: testsuite Assignee: unassigned at gcc dot gnu.org Reporter: dmalcolm at gcc dot gnu.org Target Milestone: --- Created attachment 54798 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54798=edit WIP progress patch I h

[Bug analyzer/105273] -Wanalyzer-use-of-uninitialized-value warns on "missing" default for switch when callers can be statically determined

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105273 David Malcolm changed: What|Removed |Added Resolution|--- |FIXED Status|ASSIGNED

[Bug analyzer/108733] -Wanalyzer-use-of-uninitialized-value false positives seen with __attribute__((cleanup))

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108733 David Malcolm changed: What|Removed |Added Resolution|--- |FIXED Status|ASSIGNED

[Bug analyzer/108704] Many -Wanalyzer-use-of-uninitialized-value false positives seen in qemu's softfloat.c

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108704 David Malcolm changed: What|Removed |Added Resolution|--- |FIXED Status|ASSIGNED

[Bug analyzer/106325] -Wanalyzer-null-dereference false positive due to analyzer not making assumptions for `__attribute__((nonnull))`

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106325 --- Comment #10 from David Malcolm --- Should be fixed on gcc 12 branch by the above (for the eventual gcc 12.3 release). Still affects GCC 11 and GCC 10.

[Bug analyzer/107582] - -Wanalyzer-use-of-uninitialized-value false positive with while loop in pthread_cleanup_push

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107582 David Malcolm changed: What|Removed |Added Status|ASSIGNED|RESOLVED Resolution|---

[Bug analyzer/107345] -Wanalyzer-null-dereference false positive with giving weird path infomation

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107345 David Malcolm changed: What|Removed |Added Resolution|--- |FIXED Status|ASSIGNED

[Bug analyzer/108562] [meta-bug] tracker bug for issues with -Wanalyzer-null-dereference

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108562 Bug 108562 depends on bug 107345, which changed state. Bug 107345 Summary: -Wanalyzer-null-dereference false positive with giving weird path infomation https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107345 What|Removed

[Bug analyzer/105784] -Wanalyzer-use-of-uninitialized-value false positive on partly initialized array

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105784 David Malcolm changed: What|Removed |Added Resolution|--- |FIXED Status|ASSIGNED

[Bug analyzer/109094] Uninit false positive from -fanalyzer when longjmp unwinds frames with return stmts

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109094 David Malcolm changed: What|Removed |Added Status|ASSIGNED|RESOLVED Resolution|---

[Bug c/107002] [13 Regression] ICE in column_range, at diagnostic-show-locus.cc:2236 since r13-2386-gbedfca647a9e9c1a

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107002 David Malcolm changed: What|Removed |Added Status|ASSIGNED|RESOLVED Resolution|---

[Bug c/107002] [13 Regression] ICE in column_range, at diagnostic-show-locus.cc:2236 since r13-2386-gbedfca647a9e9c1a

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107002 --- Comment #4 from David Malcolm --- Created attachment 54778 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54778=edit Untested patch (In reply to Jakub Jelinek from comment #3) > David, any progress here? I've currently testing the

[Bug analyzer/109266] Wanalyzer-null-dereference does not warn when struct is at null

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109266 --- Comment #4 from David Malcolm --- (In reply to David Malcolm from comment #3) > (In reply to Jonny Grant from comment #2) [...] > > > > I wondered if you know how to turn on that "cc1plus: note: source object is > > likely at address zero?

[Bug analyzer/109266] Wanalyzer-null-dereference does not warn when struct is at null

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109266 --- Comment #3 from David Malcolm --- (In reply to Jonny Grant from comment #2) > Thank you for your reply David. Your analyzer is very good already. > > I played around a bit, a base of nullptr doesn't give a warning. But > changing to 0x10

[Bug analyzer/109098] Encoding errors on SARIF output for non-UTF-8 source files

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109098 --- Comment #9 from David Malcolm --- (In reply to Hans-Peter Nilsson from comment #8) > (In reply to David Malcolm from comment #7) > > The invalid UTF-8 in the patch seems to have broken the server-side script: > > Maybe the not-really-utf8

[Bug analyzer/109266] Wanalyzer-null-dereference does not warn when struct is at null

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109266 --- Comment #1 from David Malcolm --- Thanks for filing this bug. We probably want to allow accesses to hard-coded addresses, for the case of embedded development, so we presumably need some way to distinguish between accesses of: ((struct

[Bug analyzer/109098] Encoding errors on SARIF output for non-UTF-8 source files

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109098 David Malcolm changed: What|Removed |Added Status|ASSIGNED|RESOLVED Resolution|---

[Bug testsuite/105959] new test case c-c++-common/diagnostic-format-sarif-file-4.c from r13-967-g6cf276ddf22066 fails

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105959 David Malcolm changed: What|Removed |Added Resolution|--- |FIXED Status|WAITING

[Bug analyzer/109252] New: RFE: make use of existing GCC loop analysis within -fanalyzer (or otherwise revamp loop handling)

Severity: normal Priority: P3 Component: analyzer Assignee: dmalcolm at gcc dot gnu.org Reporter: dmalcolm at gcc dot gnu.org Target Milestone: --- Currently the analyzer uses its widening_svalue and complexity limits on svalues/regions to attempt

[Bug analyzer/109251] New: -Wanalyzer-deref-before-check false positives seen in Linux kernel due to check in macros

Severity: normal Priority: P3 Component: analyzer Assignee: dmalcolm at gcc dot gnu.org Reporter: dmalcolm at gcc dot gnu.org Target Milestone: --- Created attachment 54734 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54734=edit Reduced reprodu

[Bug analyzer/109239] -Wanalyzer-deref-before-check seen on Linux kernel due to inlining with -fno-delete-null-pointer-checks

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109239 David Malcolm changed: What|Removed |Added Resolution|--- |FIXED Status|UNCONFIRMED

[Bug analyzer/109239] New: -Wanalyzer-deref-before-check seen on Linux kernel due to inlining with -fno-delete-null-pointer-checks

: UNCONFIRMED Severity: normal Priority: P3 Component: analyzer Assignee: dmalcolm at gcc dot gnu.org Reporter: dmalcolm at gcc dot gnu.org Target Milestone: --- Created attachment 54724 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54724=e

[Bug analyzer/109220] New: analyzer doesn't complain about unrecognized state machines with -fanalyzer-checker=NAME

Severity: normal Priority: P3 Component: analyzer Assignee: dmalcolm at gcc dot gnu.org Reporter: dmalcolm at gcc dot gnu.org Target Milestone: --- https://gcc.gnu.org/pipermail/gcc/2023-March/240928.html reports: > there is no error or warning whe

[Bug testsuite/105959] new test case c-c++-common/diagnostic-format-sarif-file-4.c from r13-967-g6cf276ddf22066 fails

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105959 David Malcolm changed: What|Removed |Added Keywords||patch URL|

[Bug analyzer/109199] GCC Static Analyzer evaluates `__analyzer_eval((((c) + 1) == (([0]) + 1)))` to be FALSE with the fact `c == [0]`

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109199 David Malcolm changed: What|Removed |Added Summary|GCC Static Analyzer |GCC Static Analyzer

[Bug analyzer/109191] GCC static analyzer does not warning `*b = 1` where `b` is 1.

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109191 --- Comment #2 from David Malcolm --- It is valid in the embedded space to do things like *(SOME_CONSTANT_ADDRESS) = SOME_VALUE;

[Bug analyzer/109197] Analyzer gets confused about conditionals involving bitfields

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109197 David Malcolm changed: What|Removed |Added Summary|GCC Static Analyzer does|Analyzer gets confused

[Bug analyzer/109196] GSA evaluates `__analyzer_eval(((a())<(0))||((a())==(0)));` to be TRUE, but function `a()` is a unknown function

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109196 David Malcolm changed: What|Removed |Added Resolution|--- |WONTFIX Status|UNCONFIRMED

[Bug analyzer/109195] GCC Static Analyzer does not know "a+0 <= b+1" in the true branch of if (a <= b), but knows "a+0 < b+1".

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109195 David Malcolm changed: What|Removed |Added Status|UNCONFIRMED |RESOLVED Resolution|---

[Bug analyzer/104940] RFE: integrate analyzer with an SMT solver

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104940 --- Comment #3 from David Malcolm --- *** Bug 109195 has been marked as a duplicate of this bug. ***

[Bug analyzer/104940] RFE: integrate analyzer with an SMT solver

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104940 --- Comment #2 from David Malcolm --- *** Bug 109194 has been marked as a duplicate of this bug. ***

[Bug analyzer/109194] GCC Static Analyzer does not know "a+3 > b+1" in the true branch of "if (a > b) ", but it knows "a+2 > b+1"

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109194 David Malcolm changed: What|Removed |Added Status|UNCONFIRMED |RESOLVED Resolution|---

[Bug analyzer/104940] RFE: integrate analyzer with an SMT solver

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104940 David Malcolm changed: What|Removed |Added CC||geoffreydgr at icloud dot com ---

[Bug analyzer/109193] GCC Static Analyzer does not know "1-a > 0-b" in the true branch of "if (a < b && 0 < a) "

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109193 David Malcolm changed: What|Removed |Added Status|UNCONFIRMED |RESOLVED Resolution|---

[Bug analyzer/109194] GCC Static Analyzer does not know "a+3 > b+1" in the true branch of "if (a > b) ", but it knows "a+2 > b+1"

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109194 --- Comment #1 from David Malcolm --- Well, strictly speaking not all of these are true; consider a == INT_MAX b == INT_MAX - 1 Then a > b, but: * a + 1 is, I believe, undefined, but we may want to treat it as INT_MIN * b + 1 is INT_MAX

[Bug analyzer/109191] GCC static analyzer does not warning `*b = 1` where `b` is 1.

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109191 --- Comment #1 from David Malcolm --- GCC does emit a -Wint-to-pointer-cast warning on this code, for the int to void * conversion. Is this reduced from a real-world example, or just synthesized by hand? I suppose in theory the analyzer

[Bug analyzer/99669] RFE: detect division by zero in analyzer

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99669 David Malcolm changed: What|Removed |Added CC||geoffreydgr at icloud dot com ---

[Bug analyzer/109201] GCC Static Analyzer does not generate a div-by-zero warning for the `if ((d.b = 1) / f)` where `f` is 0

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109201 David Malcolm changed: What|Removed |Added Resolution|--- |DUPLICATE

[Bug analyzer/109200] GCC Static Analyzer does not generate a div-by-zero warning for the `0 <= (f = 0) % e.b` where `e.b == 0`

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109200 David Malcolm changed: What|Removed |Added Resolution|--- |DUPLICATE

[Bug analyzer/109201] GCC Static Analyzer does not generate a div-by-zero warning for the `if ((d.b = 1) / f)` where `f` is 0

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109201 --- Comment #2 from David Malcolm --- *** Bug 109200 has been marked as a duplicate of this bug. ***

[Bug analyzer/109201] GCC Static Analyzer does not generate a div-by-zero warning for the `if ((d.b = 1) / f)` where `f` is 0

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109201 --- Comment #1 from David Malcolm --- The division by zero warning on: if ((d.b = 1) / 0) is from -Wdiv-by-zero, which isn't from the analyzer ( https://godbolt.org/z/433PhKhvM ) The analyzer currently only implements

[Bug analyzer/109094] Uninit false positive from -fanalyzer when longjmp unwinds frames with return stmts

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109094 David Malcolm changed: What|Removed |Added Keywords|ice-checking| Target Milestone|13.0

[Bug analyzer/109094] [13 Regression] ICE in -fanalyzer seen in qemu's target/i386/tcg/translate.c

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109094 --- Comment #8 from David Malcolm --- Created attachment 54700 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54700=edit Patch that I'm about to put through full testing

[Bug analyzer/109094] [13 Regression] ICE in -fanalyzer seen in qemu's target/i386/tcg/translate.c

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109094 --- Comment #7 from David Malcolm --- Trunk: https://godbolt.org/z/MKh4h1ccP 12.2: https://godbolt.org/z/73EY4TMcx (no ICE, but assertions likely disabled)

[Bug analyzer/109094] [13 Regression] ICE in -fanalyzer seen in qemu's target/i386/tcg/translate.c

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109094 David Malcolm changed: What|Removed |Added Attachment #54637|0 |1 is obsolete|

[Bug other/109163] SARIF (and other JSON) output files are non-deterministic

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109163 David Malcolm changed: What|Removed |Added URL||https://gcc.gnu.org/piperma

[Bug testsuite/105959] new test case c-c++-common/diagnostic-format-sarif-file-4.c from r13-967-g6cf276ddf22066 fails

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105959 --- Comment #13 from David Malcolm --- Created attachment 54698 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54698=edit Patch that I'm about to put through full testing

[Bug testsuite/105959] new test case c-c++-common/diagnostic-format-sarif-file-4.c from r13-967-g6cf276ddf22066 fails

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105959 --- Comment #12 from David Malcolm --- Thanks for the ideas. If I hack in the following into dg-scan (to force the scanned file to be treated as UTF-8 as it is read), then the existing case works with both: LC_ALL=C LC_ALL=en_US.UTF-8 so

[Bug testsuite/105959] new test case c-c++-common/diagnostic-format-sarif-file-4.c from r13-967-g6cf276ddf22066 fails

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105959 --- Comment #11 from David Malcolm --- (In reply to Hans-Peter Nilsson from comment #10) > (I see an identifier using ideographs? > Wouldn't want to review that code... Might as well use Linear A -which you > indeed can in UTF-8- - it's all

[Bug other/109163] SARIF (and other JSON) output files are non-deterministic

||2023-03-16 Assignee|unassigned at gcc dot gnu.org |dmalcolm at gcc dot gnu.org Ever confirmed|0 |1 --- Comment #2 from David Malcolm --- I'm working on a fix for this.

[Bug other/109163] SARIF (and other JSON) output files are non-deterministic

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109163 --- Comment #1 from David Malcolm --- This would also help with one of the requests from a SARIF expert's review of GCC's output: https://github.com/oasis-tcs/sarif-spec/issues/531#issuecomment-1181191100 which is that the "version" property

[Bug testsuite/105959] new test case c-c++-common/diagnostic-format-sarif-file-4.c from r13-967-g6cf276ddf22066 fails

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105959 --- Comment #9 from David Malcolm --- (In reply to David Malcolm from comment #7) [...snip...] > There some variation due to json::object using a hash_map for the key/value > pairs, which means (annoyingly) it outputs things in arbitrary

[Bug other/109163] New: SARIF (and other JSON) output files are non-deterministic

Priority: P3 Component: other Assignee: unassigned at gcc dot gnu.org Reporter: dmalcolm at gcc dot gnu.org Target Milestone: --- gcc/json.cc's json::object uses a hash_map for tracking the key/value pairs, and object::print iterates through them in arbitrary order, so

[Bug testsuite/105959] new test case c-c++-common/diagnostic-format-sarif-file-4.c from r13-967-g6cf276ddf22066 fails

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105959 --- Comment #8 from David Malcolm --- Note that section 3.1 ("File Format" > "General") specifies: "A SARIF log file SHALL be encoded in UTF-8 [RFC3629]." https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html Though I suppose it

[Bug testsuite/105959] new test case c-c++-common/diagnostic-format-sarif-file-4.c from r13-967-g6cf276ddf22066 fails

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105959 David Malcolm changed: What|Removed |Added Last reconfirmed|2023-01-30 00:00:00 |2023-03-16 Ever confirmed|0

[Bug analyzer/109094] [13 Regression] ICE in -fanalyzer seen in qemu's target/i386/tcg/translate.c

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109094 David Malcolm changed: What|Removed |Added Last reconfirmed||2023-03-16

[Bug analyzer/109094] [13 Regression] ICE in -fanalyzer seen in qemu's target/i386/tcg/translate.c

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109094 --- Comment #4 from David Malcolm --- (In reply to Martin Liška from comment #3) > Fixed? Sadly no, the comment above is just to mention that at least the crash is now captured in the .sarif dump.

[Bug analyzer/109097] No SARIF output happens on an ICE

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109097 David Malcolm changed: What|Removed |Added Resolution|--- |FIXED Status|UNCONFIRMED

[Bug analyzer/105909] RFE: SARIF output could contain metadata about limitations of the analysis

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105909 --- Comment #1 from David Malcolm --- Perhaps via 3.58 notification object: https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html#_Toc34317894 which: "describes a condition encountered during the execution of an analysis tool

[Bug analyzer/109131] New: -Wanalyzer-deref-before-check false positive seen in git's builtin/show-ref.c

: normal Priority: P3 Component: analyzer Assignee: dmalcolm at gcc dot gnu.org Reporter: dmalcolm at gcc dot gnu.org Target Milestone: --- Created attachment 54664 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54664=edit Reduced reproducer Tr

[Bug analyzer/109120] False positive -Wanalyzer-malloc-leak with failed iconv_open() with glibc 2.36 onwards

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109120 --- Comment #6 from David Malcolm --- Note to self: there's a usage example in the glibc manual here: https://www.gnu.org/software/libc/manual/html_node/iconv-Examples.html

[Bug analyzer/109120] False positive -Wanalyzer-malloc-leak with failed iconv_open() with glibc 2.36 onwards

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109120 --- Comment #5 from David Malcolm --- Potentially could be worked around from the gcc side by adding a known_function implementation for iconv_{open,close}.

[Bug analyzer/109120] False positive -Wanalyzer-malloc-leak with failed iconv_open()

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109120 --- Comment #4 from David Malcolm --- ...and thus presumably glibc 2.36 onwards uses the attribute on iconv_open.

[Bug analyzer/109120] False positive -Wanalyzer-malloc-leak with failed iconv_open()

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109120 --- Comment #3 from David Malcolm --- (In reply to David Malcolm from comment #2) > Looks like the attribute was added to iconv_open in glibc in this commit: > > https://sourceware.org/git/?p=glibc.git;a=commitdiff; >

[Bug analyzer/109120] False positive -Wanalyzer-malloc-leak with failed iconv_open()

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109120 --- Comment #2 from David Malcolm --- Looks like the attribute was added to iconv_open in glibc in this commit: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=260a430dd841072020c4dae91468322e619e7330 Unfortunately, as currently

[Bug analyzer/109120] False positive -Wanalyzer-malloc-leak with failed iconv_open()

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109120 --- Comment #1 from David Malcolm --- Thanks for filing this bug. Seems to affect GCC 11 onwards, as GCC 10 didn't support the 2nd argument to __attribute__((malloc)): Trunk: https://godbolt.org/z/MbWezaxrz GCC 12.2:

[Bug testsuite/105959] new test case c-c++-common/diagnostic-format-sarif-file-4.c from r13-967-g6cf276ddf22066 fails

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105959 --- Comment #4 from David Malcolm --- Created attachment 54653 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54653=edit Generated diagnostic-format-sarif-file-4.c.sarif output file on my machine (In reply to Hans-Peter Nilsson from

[Bug analyzer/105906] fanalyzer strdup false positive leak in loop

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105906 --- Comment #3 from David Malcolm --- (In reply to David Malcolm from comment #2) > Looks like this is fixed on trunk for GCC 13; seem to have been via > 688fc162b76dc6747a30fcfd470f4770da0f4924 aka r13-5113-g688fc162b76dc6

[Bug analyzer/105906] fanalyzer strdup false positive leak in loop

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105906 --- Comment #2 from David Malcolm --- Looks like this is fixed on trunk for GCC 13; seem to have been via 688fc162b76dc6747a30fcfd470f4770da0f4924

[Bug analyzer/107017] RFE: support printf-style formatted functions in -fanalyzer

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107017 David Malcolm changed: What|Removed |Added CC||geoffreydgr at icloud dot com ---

[Bug analyzer/109106] GCC Static Analyzer doesn't model printf

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109106 David Malcolm changed: What|Removed |Added Status|UNCONFIRMED |RESOLVED Resolution|---

[Bug analyzer/109098] Encoding errors on SARIF output for non-UTF-8 source files

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109098 --- Comment #4 from David Malcolm --- (In reply to Andrew Pinski from comment #2) > So I think there is a bug in that code ... The issue is in sarif_builder::maybe_make_artifact_content_object, which uses; char *text_utf8 = maybe_read_file

[Bug analyzer/109098] Encoding errors on SARIF output for non-UTF-8 source files

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109098 --- Comment #3 from David Malcolm --- (In reply to Andrew Pinski from comment #1) > I would have assumed you need -finput-charset= for the non-utf8 ones really > if your LANG/LANGUAGE is not set to C/UTF8 really. Yeah, but when complaining

[Bug analyzer/109098] Encoding errors on SARIF output for non-UTF-8 source files

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109098 David Malcolm changed: What|Removed |Added Last reconfirmed||2023-03-11

[Bug analyzer/109098] New: Encoding errors on SARIF output for non-UTF-8 source files

Priority: P3 Component: analyzer Assignee: dmalcolm at gcc dot gnu.org Reporter: dmalcolm at gcc dot gnu.org Target Milestone: --- I've run into issues with -fanalyzer integration testing when a diagnostic occurs in a source file with non-UTF-8 bytes

[Bug analyzer/109097] New: No SARIF output happens on an ICE

Assignee: dmalcolm at gcc dot gnu.org Reporter: dmalcolm at gcc dot gnu.org Target Milestone: --- If an ICE occurs inside cc1 with -fdiagnostics-format=sarif-file, then no .sarif file is written out. This is a nuisance e.g. for my integration testing of -fanalyzer, which I'm

[Bug analyzer/109094] [13 Regression] ICE in -fanalyzer seen in qemu's target/i386/tcg/translate.c

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109094 --- Comment #1 from David Malcolm --- Created attachment 54637 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54637=edit Unreduced reproducer

[Bug analyzer/109094] New: [13 Regression] ICE in -fanalyzer seen in qemu's target/i386/tcg/translate.c

: normal Priority: P3 Component: analyzer Assignee: dmalcolm at gcc dot gnu.org Reporter: dmalcolm at gcc dot gnu.org Target Milestone: --- Trunk ICEs on the attached: $ ./xgcc -B. -fanalyzer -S ../../src/target_i386_tcg_translate.c \ -Wall -Wno-array

[Bug analyzer/109059] -Wanalyzer-malloc-leak false +ve seen on haproxy's cfgparse.c: cfg_register_postparser

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109059 David Malcolm changed: What|Removed |Added Last reconfirmed||2023-03-10 Ever confirmed|0

[Bug analyzer/109060] -Wanalyzer-deref-before-check false positives seen in haproxy's cfgparse.c: parse_process_number

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109060 David Malcolm changed: What|Removed |Added Status|UNCONFIRMED |RESOLVED Resolution|---

[Bug analyzer/108475] -Wanalyzer-deref-before-check false positives seen in haproxy's tcpcheck.c

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108475 David Malcolm changed: What|Removed |Added Status|UNCONFIRMED |RESOLVED Resolution|---

[Bug analyzer/109058] RFE: analyzer should elide repeated calls to strcmp in execution paths

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109058 --- Comment #2 from David Malcolm --- (In reply to David Malcolm from comment #0) > Seen on a diagnostic in haproxy's cfgparse-global.c: cfg_parse_global For reference, see cfg_parse_global in:

[Bug analyzer/109060] New: -Wanalyzer-deref-before-check false positives seen in haproxy's cfgparse.c: parse_process_number

Severity: normal Priority: P3 Component: analyzer Assignee: dmalcolm at gcc dot gnu.org Reporter: dmalcolm at gcc dot gnu.org Target Milestone: --- Created attachment 54603 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54603=edit Reprodu

[Bug analyzer/109059] New: -Wanalyzer-malloc-leak false +ve seen on haproxy's cfgparse.c: cfg_register_postparser

Severity: normal Priority: P3 Component: analyzer Assignee: dmalcolm at gcc dot gnu.org Reporter: dmalcolm at gcc dot gnu.org Target Milestone: --- Given: /* Reduced from haproxy

[Bug analyzer/109058] RFE: analyzer should elide repeated calls to strcmp in execution paths

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109058 --- Comment #1 from David Malcolm --- Even better would be for the event condition to express the string, when it's a string literal, so that it reads: ../../src/gcc/testsuite/gcc.dg/analyzer/strcmp-path-1.c:27:5: note: path 27 |

[Bug analyzer/109058] New: RFE: analyzer should elide repeated calls to strcmp in execution paths

Priority: P3 Component: analyzer Assignee: dmalcolm at gcc dot gnu.org Reporter: dmalcolm at gcc dot gnu.org Target Milestone: --- Seen on a diagnostic in haproxy's cfgparse-global.c: cfg_parse_global Consider

[Bug tree-optimization/108988] gimple_fold_builtin_fputs doesn't preserve gimple_builtin_call_types_compatible_p

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108988 --- Comment #8 from David Malcolm --- (In reply to Jakub Jelinek from comment #6) > Fixed. Thanks!

[Bug analyzer/109016] New: Analyzer doesn't know about OMP builtins

Component: analyzer Assignee: dmalcolm at gcc dot gnu.org Reporter: dmalcolm at gcc dot gnu.org Target Milestone: --- Created attachment 54581 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54581=edit Work in progress patch Currently the analyzer does

[Bug analyzer/109015] New: Analyzer doesn't know about atomic builtins

: analyzer Assignee: dmalcolm at gcc dot gnu.org Reporter: dmalcolm at gcc dot gnu.org Target Milestone: --- Created attachment 54580 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54580=edit Work in progress patch Currently the analyzer doesn't recognize atomic built

[Bug analyzer/109014] -Wanalyzer-use-of-uninitialized-value seen in pcre2-10.42's pcre2test.c

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109014 --- Comment #1 from David Malcolm --- I believe the issue here is that: * display_properties partially initializes the "found" buffer, writing a -1 terminator at the end of the initialized part at: fv[m] = -1; * display_properties then

[Bug analyzer/109014] New: -Wanalyzer-use-of-uninitialized-value seen in pcre2-10.42's pcre2test.c

: normal Priority: P3 Component: analyzer Assignee: dmalcolm at gcc dot gnu.org Reporter: dmalcolm at gcc dot gnu.org Target Milestone: --- Created attachment 54579 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54579=edit Partially reducer reproducer

[Bug jit/107999] [13 Regression] jit.dg/test-error-array-bounds.c now fails because [-Warray-bounds] was updated to [-Warray-bounds=] in error messages after r13-4410-g7c01d029fca669263b9c2

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107999 David Malcolm changed: What|Removed |Added Status|ASSIGNED|RESOLVED Resolution|---

[Bug analyzer/108968] fanalyzer false positive with the uninitalised-ness of the stack pointer

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108968 --- Comment #18 from David Malcolm --- Looks like it doesn't even need the asm stmt at line 32 to consider that it could take the false-then-true path.

[Bug analyzer/108968] fanalyzer false positive with the uninitalised-ness of the stack pointer

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108968 --- Comment #17 from David Malcolm --- ...where trunk emits: test.c:35:22: warning: dereference of NULL 'ptr' [CWE-476] [-Wanalyzer-null-dereference] 35 | ptr[0] = ~ptr[0]; | ~~~^~~ 'foo': events 1-6 |

[Bug analyzer/108968] fanalyzer false positive with the uninitalised-ness of the stack pointer

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108968 --- Comment #16 from David Malcolm --- Minimized version of attachment 54572: struct cpu_info { /* [...snip...] */ struct vcpu *current_vcpu; /* [...snip...] */

[Bug analyzer/108968] fanalyzer false positive with the uninitalised-ness of the stack pointer

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108968 --- Comment #12 from David Malcolm --- (In reply to Andrew Cooper from comment #9) [...snip...] > Our code does fundamentally rely on get_cpu_info() always returning the same > pointer (on a single CPU). For example, `current` is defined as >

<    1   2   3   4   5   6   7   8   9   10   >