https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111229
Bug ID: 111229
Summary: -fanalyzer confused about conditional operator branch
name
Product: gcc
Version: 13.2.1
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: medhefgo at web dot de
Target Milestone: ---
In the following test case, the analyzer has the conditional operator's
branches confused: It thinks the "true" branch is "false" and vice-versa.
$cat test.c
char test_true() {
char *c, v = 1;
if (v) {
c = (char *)0;
} else {
c = "a";
}
return *c;
}
char test_false() {
char *c, v = 1;
c = v ? (char *)0 : "a";
return *c;
}
$ gcc -o/dev/null -c test.c -fanalyzer
test.c: In function ‘test_true’:
test.c:8:10: warning: dereference of NULL ‘c’ [CWE-476]
[-Wanalyzer-null-dereference]
8 | return *c;
| ^~
‘test_true’: events 1-4
|
| 3 | if (v) {
| | ^
| | |
| | (1) following ‘true’ branch (when ‘v != 0’)...
| 4 | c = (char *)0;
| | ~~~~~~~~~~~~~
| | |
| | (2) ...to here
| | (3) ‘c’ is NULL
|......
| 8 | return *c;
| | ~~
| | |
| | (4) dereference of NULL ‘c’
|
test.c: In function ‘test_false’:
test.c:13:10: warning: dereference of NULL ‘c’ [CWE-476]
[-Wanalyzer-null-dereference]
13 | return *c;
| ^~
‘test_false’: events 1-5
|
| 12 | c = v ? (char *)0 : "a";
| | ~~~~~~~~~~~~~~~~~~^~~~~
| | | |
| | | (1) following ‘false’ branch (when ‘v !=
0’)...
| | | (2) ...to here
| | | (3) ‘0’ is NULL
| | (4) ‘c’ is NULL
| 13 | return *c;
| | ~~
| | |
| | (5) dereference of NULL ‘c’
|
https://godbolt.org/z/hTvn9PMb4
