[Bug bootstrap/115167] [15 Regression] CFG edge visualization to path-printing bootstrap failure

2024-05-21 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115167

David Malcolm  changed:

   What|Removed |Added

 Status|NEW |ASSIGNED

--- Comment #4 from David Malcolm  ---
> Also, gcc119 would be a much better choice than gcc111.

Thanks; am trying on that.

FWIW r15-636-g770657d02c986c added a new vfunc to libcpp:
  range_label::get_effects
and it's *defined* in the header, so my immediate suspicion is that's the
issue.  Investigating...

[Bug bootstrap/115167] [15 Regression] CFG edge visualization to path-printing bootstrap failure

2024-05-20 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115167

--- Comment #1 from David Malcolm  ---
Thanks for filing this, and sorry for the breakage.

Is there a cfarm machine that I ought to be able to reproduce this on?   I'm
trying with cfarm111, but get this configure error:

$ ../src/configure --with-gmp=/opt/cfarm/gmp-latest
--with-mpfr=/opt/cfarm/mpfr-latest --with-mpc=/opt/cfarm/mpc-latest
--disable-bootstrap --enable-languages=c,c++,fortran

[...snip...]
checking for the correct version of gmp.h... no
configure: error: Building GCC requires GMP 4.2+, MPFR 3.1.0+ and MPC 0.8.0+.

$ file /opt/cfarm/gmp-latest
/opt/cfarm/gmp-latest: symbolic link to /home/iulius/autobuild/bin/gmp-6.1.2.

$ ls /home/iulius/autobuild/bin/
[no output]

[Bug analyzer/114899] [14 regression] Segmentation fault with -fsanitize=undefined and -fanalyzer since r14-2029-g0e466e978c7

2024-05-15 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114899

David Malcolm  changed:

   What|Removed |Added

 Ever confirmed|0   |1
Summary|[14/15 regression]  |[14 regression]
   |Segmentation fault with |Segmentation fault with
   |-fsanitize=undefined and|-fsanitize=undefined and
   |-fanalyzer since|-fanalyzer since
   |r14-2029-g0e466e978c7   |r14-2029-g0e466e978c7
 Status|UNCONFIRMED |ASSIGNED
   Last reconfirmed||2024-05-15

--- Comment #2 from David Malcolm  ---
Should be fixed on trunk for GCC 15 by the above patch; keeping open to track
the backport to gcc 14.

[Bug analyzer/115089] -Wanalyzer-use-of-uninitialized-value false negative due to overzealous state merging

2024-05-15 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115089

David Malcolm  changed:

   What|Removed |Added

 Ever confirmed|0   |1
Summary|-Wanalyzer-use-of-uninitial |-Wanalyzer-use-of-uninitial
   |ized-value false negative   |ized-value false negative
   ||due to overzealous state
   ||merging
 Status|UNCONFIRMED |NEW
   Last reconfirmed||2024-05-15

[Bug analyzer/115089] -Wanalyzer-use-of-uninitialized-value false negative

2024-05-14 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115089

--- Comment #3 from David Malcolm  ---
FWIW, adding -fno-analyzer-state-merge makes it find the issue; see
https://godbolt.org/z/Ecfe9oqjv

: In function 'main':
:16:16: warning: use of uninitialized value 'x' [CWE-457]
[-Wanalyzer-use-of-uninitialized-value]
   16 | return x;  // maybe uninitialized use
  |^
  'main': events 1-4
|
|   11 | main(void)
|  | ^~~~
|  | |
|  | (1) entry to 'main'
|   12 | {
|   13 | int x;
|  | ~
|  | |
|  | (2) region created on stack here
|  | (3) capacity: 4 bytes
|   14 | 
|   15 | g();
|  | ~
|  | |
|  | (4) calling 'g' from 'main'
|
+--> 'g': events 5-7
   |
   |4 | g(int *x)
   |  | ^
   |  | |
   |  | (5) entry to 'g'
   |5 | {
   |6 | if (arc4random() % 2)
   |  |~
   |  ||
   |  |(6) following 'false' branch...
   |7 | *x = 42;
   |8 | }
   |  | ~
   |  | |
   |  | (7) ...to here
   |
<--+
|
  'main': events 8-9
|
|   15 | g();
|  | ^
|  | |
|  | (8) returning to 'main' from 'g'
|   16 | return x;  // maybe uninitialized use
|  |~
|  ||
|  |(9) use of uninitialized value 'x' here
|
Compiler returned: 0

Looks like we might be a bit overzealous about merging states with initialized
vs uninitialized values for variables.

[Bug analyzer/107646] RFE: can we reimplement gcc-python-plugin's cpychecker as a -fanalyzer plugin?

2024-05-14 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107646

--- Comment #11 from David Malcolm  ---
I've created a wiki page to track this project:
  https://gcc.gnu.org/wiki/StaticAnalyzer/CPython

[Bug jit/110466] jit.dg FAILs on ppc64le

2024-05-10 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110466

David Malcolm  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|ASSIGNED|RESOLVED

--- Comment #12 from David Malcolm  ---
Should be fixed for GCC 13 (for the upcoming GCC 13.3) by the above patch.

[Bug driver/111700] ICE: SIGSEGV in needs_read_p (input.cc:598) with -fdiagnostics-format=sarif-file or -fdiagnostics-format=sarif-stderr on pre-processed input

2024-05-10 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111700

David Malcolm  changed:

   What|Removed |Added

 Status|ASSIGNED|RESOLVED
 Resolution|--- |FIXED

--- Comment #5 from David Malcolm  ---
Should be fixed by the above patch for GCC 13 for the upcoming GCC 13.3

[Bug middle-end/114348] Corrupt SARIF output on stderr

2024-05-10 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114348

David Malcolm  changed:

   What|Removed |Added

 Status|ASSIGNED|RESOLVED
 Resolution|--- |FIXED

--- Comment #8 from David Malcolm  ---
Should be fixed on GCC 13 for the upcoming GCC 13.3 by the above patch. 

I'm not planning to backport this further; closing.

[Bug analyzer/110112] [11/12 Regression] gcc -fanalyzer takes an excessive amount of time

2024-05-09 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110112

David Malcolm  changed:

   What|Removed |Added

Summary|[11/12/13 Regression] gcc   |[11/12 Regression] gcc
   |-fanalyzer takes an |-fanalyzer takes an
   |excessive amount of time|excessive amount of time

--- Comment #7 from David Malcolm  ---
Should be fixed for GCC 13 (for the upcoming GCC 13.3) by the above patch.

Keeping open to track backporting to older branches.

[Bug analyzer/109577] -Wanalyzer-allocation-size mishandles __builtin_mul_overflow

2024-05-09 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109577

David Malcolm  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|ASSIGNED|RESOLVED
Summary|[13 Regression] |-Wanalyzer-allocation-size
   |-Wanalyzer-allocation-size  |mishandles
   |mishandles  |__builtin_mul_overflow
   |__builtin_mul_overflow  |

--- Comment #8 from David Malcolm  ---
Should be fixed for GCC 13 (for the upcoming GCC 13.3) by the above patches.

[Bug analyzer/110014] -Wanalyzer-allocation-size mishandles realloc (..., .... * sizeof (object))

2024-05-09 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110014

David Malcolm  changed:

   What|Removed |Added

 Status|ASSIGNED|RESOLVED
 Resolution|--- |FIXED
Summary|[13 Regression] |-Wanalyzer-allocation-size
   |-Wanalyzer-allocation-size  |mishandles realloc (...,
   |mishandles realloc (...,| * sizeof (object))
   | * sizeof (object)) |

--- Comment #5 from David Malcolm  ---
Should be fixed for GCC 13 (for the upcoming GCC 13.3) by the above patch.

[Bug analyzer/110700] [12 Regression] ICE with -fanalyzer --analyzer-checker=taint on division of tainted floating-point values

2024-05-09 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110700

David Malcolm  changed:

   What|Removed |Added

Summary|[12/13 Regression] ICE with |[12 Regression] ICE with
   |-fanalyzer  |-fanalyzer
   |--analyzer-checker=taint on |--analyzer-checker=taint on
   |division of tainted |division of tainted
   |floating-point values   |floating-point values

--- Comment #5 from David Malcolm  ---
Should be fixed for GCC 13 (for the upcoming GCC 13.3) by the above patch.

Keeping open to track backporting to older branches.

[Bug analyzer/110882] ICE with -fanalyzer on zero-sized array

2024-05-09 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110882

David Malcolm  changed:

   What|Removed |Added

 Status|ASSIGNED|RESOLVED
 Resolution|--- |FIXED
Summary|[13 Regression] ICE with|ICE with -fanalyzer on
   |-fanalyzer on zero-sized|zero-sized array
   |array   |

--- Comment #9 from David Malcolm  ---
Should be fixed for GCC 13 (for the upcoming GCC 13.3) by the above patch.

[Bug analyzer/112889] [11/12 Regression] ICE with -fanalyzer seen on Linux kernel drivers/infiniband/hw/cxgb4/cm.c

2024-05-09 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112889

David Malcolm  changed:

   What|Removed |Added

Summary|[11/12/13 Regression] ICE   |[11/12 Regression] ICE with
   |with -fanalyzer seen on |-fanalyzer seen on Linux
   |Linux kernel|kernel
   |drivers/infiniband/hw/cxgb4 |drivers/infiniband/hw/cxgb4
   |/cm.c   |/cm.c

--- Comment #6 from David Malcolm  ---
Should be fixed for GCC 13 (for the upcoming GCC 13.3) by the above patch.

Keeping open to track backporting to older branches.

[Bug analyzer/106358] [meta-bug] tracker bug for building the Linux kernel with -fanalyzer

2024-05-09 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358
Bug 106358 depends on bug 112790, which changed state.

Bug 112790 Summary: -Wanalyzer-deref-before-check false positives seen in Linux 
kernel due to inlining
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112790

   What|Removed |Added

 Status|ASSIGNED|RESOLVED
 Resolution|--- |FIXED

[Bug analyzer/112790] -Wanalyzer-deref-before-check false positives seen in Linux kernel due to inlining

2024-05-09 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112790

David Malcolm  changed:

   What|Removed |Added

 Resolution|--- |FIXED
Summary|[13 Regression] |-Wanalyzer-deref-before-che
   |-Wanalyzer-deref-before-che |ck false positives seen in
   |ck false positives seen in  |Linux kernel due to
   |Linux kernel due to |inlining
   |inlining|
 Status|ASSIGNED|RESOLVED

--- Comment #6 from David Malcolm  ---
Should be fixed for GCC 13 (for the upcoming GCC 13.3) by the above patch.

[Bug analyzer/113333] [11/12 Regression] analyzer: False positives with calloc()

2024-05-09 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=11

David Malcolm  changed:

   What|Removed |Added

Summary|[11/12/13 Regression]   |[11/12 Regression]
   |analyzer: False positives   |analyzer: False positives
   |with calloc()   |with calloc()

--- Comment #6 from David Malcolm  ---
Should be fixed for GCC 13 (for the upcoming GCC 13.3) by the above patch.

Keeping open to track backporting to older branches.

[Bug analyzer/112969] [11/12 Regression] -Wanalyzer-exposure-through-uninit-copy false positive seen on Linux kernel's drivers/net/ethernet/intel/ice/ice_ptp.c

2024-05-09 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112969

David Malcolm  changed:

   What|Removed |Added

Summary|[11/12/13 Regression]   |[11/12 Regression]
   |-Wanalyzer-exposure-through |-Wanalyzer-exposure-through
   |-uninit-copy false positive |-uninit-copy false positive
   |seen on Linux kernel's  |seen on Linux kernel's
   |drivers/net/ethernet/intel/ |drivers/net/ethernet/intel/
   |ice/ice_ptp.c   |ice/ice_ptp.c

--- Comment #5 from David Malcolm  ---
Should be fixed for GCC 13 (for the upcoming GCC 13.3) by the above patch.

Keeping open to track backporting this to other branches.

[Bug analyzer/113253] [11/12 Regression] gcc -g causes -fanalyzer to issue false positive

2024-05-09 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113253

David Malcolm  changed:

   What|Removed |Added

Summary|[11/12/13 Regression] gcc   |[11/12 Regression] gcc -g
   |-g causes -fanalyzer to |causes -fanalyzer to issue
   |issue false positive|false positive

--- Comment #6 from David Malcolm  ---
Should be fixed for GCC 13 (for the upcoming GCC 13.3) by the above patch.

Keeping open to backport to other branches.

[Bug analyzer/111289] Unwarranted -Wanalyzer-va-arg-type-mismatch warning

2024-05-09 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111289

David Malcolm  changed:

   What|Removed |Added

Summary|[13 Regression] Unwarranted |Unwarranted
   |-Wanalyzer-va-arg-type-mism |-Wanalyzer-va-arg-type-mism
   |atch warning|atch warning
 Resolution|--- |FIXED
 Status|ASSIGNED|RESOLVED

--- Comment #9 from David Malcolm  ---
Should be fixed for GCC 13 (for the upcoming GCC 13.3) by the above patch.

[Bug analyzer/109251] -Wanalyzer-deref-before-check false positives seen in Linux kernel due to check in macros

2024-05-09 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109251

David Malcolm  changed:

   What|Removed |Added

 Status|ASSIGNED|RESOLVED
Summary|[13 Regression] |-Wanalyzer-deref-before-che
   |-Wanalyzer-deref-before-che |ck false positives seen in
   |ck false positives seen in  |Linux kernel due to check
   |Linux kernel due to check   |in macros
   |in macros   |
 Resolution|--- |FIXED

--- Comment #4 from David Malcolm  ---
Should be fixed for GCC 13 (for the upcoming GCC 13.3) by the above patch.

[Bug analyzer/114473] ICE: in deref_rvalue, at analyzer/region-model.cc:2780 with -fanalyzer -fanalyzer-call-summaries

2024-05-09 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114473

David Malcolm  changed:

   What|Removed |Added

Summary|[13 Regression] ICE: in |ICE: in deref_rvalue, at
   |deref_rvalue, at|analyzer/region-model.cc:27
   |analyzer/region-model.cc:27 |80 with -fanalyzer
   |80 with -fanalyzer  |-fanalyzer-call-summaries
   |-fanalyzer-call-summaries   |
 Status|ASSIGNED|RESOLVED
 Resolution|--- |FIXED

--- Comment #5 from David Malcolm  ---
Should be fixed for GCC 13 (for the upcoming GCC 13.3) by the above patch.

[Bug analyzer/114408] ICE when invoking strcmp multiple times with -fsanitize=undefined -O1 -fanalyzer -flto

2024-05-09 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114408

David Malcolm  changed:

   What|Removed |Added

 Status|ASSIGNED|RESOLVED
 Resolution|--- |FIXED
Summary|[13 Regression] ICE when|ICE when invoking strcmp
   |invoking strcmp multiple|multiple times with
   |times with  |-fsanitize=undefined -O1
   |-fsanitize=undefined -O1|-fanalyzer -flto
   |-fanalyzer -flto|

--- Comment #9 from David Malcolm  ---
Should be fixed for GCC 13 (for the upcoming GCC 13.3) by the above patch.

[Bug analyzer/106358] [meta-bug] tracker bug for building the Linux kernel with -fanalyzer

2024-05-08 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358
Bug 106358 depends on bug 112792, which changed state.

Bug 112792 Summary: -Wanalyzer-out-of-bounds false positives seen on Linux 
kernel with certain unions
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112792

   What|Removed |Added

 Status|ASSIGNED|RESOLVED
 Resolution|--- |FIXED

[Bug analyzer/112792] -Wanalyzer-out-of-bounds false positives seen on Linux kernel with certain unions

2024-05-08 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112792

David Malcolm  changed:

   What|Removed |Added

 Resolution|--- |FIXED
Summary|[13 Regression] |-Wanalyzer-out-of-bounds
   |-Wanalyzer-out-of-bounds|false positives seen on
   |false positives seen on |Linux kernel with certain
   |Linux kernel with certain   |unions
   |unions  |
 Status|ASSIGNED|RESOLVED

--- Comment #5 from David Malcolm  ---
Unfortunately, backporting to GCC 13 is too involved (the code has greatly
changed since).

Closing this out instead.

[Bug analyzer/111475] [14 regression] Many C++ analyzer tests FAIL

2024-05-03 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111475

David Malcolm  changed:

   What|Removed |Added

   Target Milestone|14.0|14.2
Summary|[14/15 regression] Many C++ |[14 regression] Many C++
   |analyzer tests FAIL |analyzer tests FAIL

--- Comment #14 from David Malcolm  ---
Testing the above patch on sparc-sun-solaris2.11 (cfarm216) shows this
improvement to
the results of 'gmake check-g++ RUNTESTFLAGS="analyzer.exp=*"':

 # of expected passes       11395 -> 12043
 # of unexpected failures     684 ->     0
 # of unexpected successes      4 ->     0
 # of expected failures       443 ->   447

So I believe this is fixed on trunk; waiting until after GCC 14.1 to backport
to gcc 14.

[Bug analyzer/114920] null_terminated_string_arg attribute does not warn for non-nul-terminated strings

2024-05-02 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114920

David Malcolm  changed:

   What|Removed |Added

 Ever confirmed|0   |1
 Status|UNCONFIRMED |ASSIGNED
   Last reconfirmed||2024-05-02

--- Comment #1 from David Malcolm  ---
Thanks for filing this bug report.

Confirmed with trunk; see e.g.:
  https://godbolt.org/z/5x5fqe4Td

I'm taking a look.

[Bug analyzer/114896] analyzer: false-positive with VLA (analyzer-out-of-bounds, CWE-121)

2024-04-30 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114896

David Malcolm  changed:

   What|Removed |Added

 Status|UNCONFIRMED |NEW
 Ever confirmed|0   |1
   Last reconfirmed||2024-04-30

--- Comment #2 from David Malcolm  ---
Thanks for filing this bug.

The reproducer on Compiler Explorer is:
  https://godbolt.org/z/4Pc7Wfx8r

[Bug analyzer/111475] [14/15 regression] Many C++ analyzer tests FAIL

2024-04-30 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111475

David Malcolm  changed:

   What|Removed |Added

 Status|NEW |ASSIGNED

--- Comment #11 from David Malcolm  ---
Thanks.  I've been working on this on cfarm216; I have a messy set of patches
with this improvement to g++.sum with analyzer.exp so far:

# of expected passes       11395 -> 12015
# of unexpected failures     684 ->    64
# of unexpected successes      4 ->     0
# of expected failures       443 ->   447
# of unsupported tests        50

However I don't have access to my regular workstation/testing box until late
tomorrow, so I'm holding off on posting until I've cleaned them up and put them
through my usual testing regime.

Sorry again about the noise

[Bug analyzer/111475] [14/15 regression] Many C++ analyzer tests FAIL

2024-04-26 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111475

--- Comment #9 from David Malcolm  ---
Sorry about this.

Is there a machine in the compile farm I can test this on?

[Bug target/113235] SMHasher SHA3-256 benchmark is almost 40% slower vs. Clang (not enough complete loop peeling)

2024-04-24 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113235

David Malcolm  changed:

   What|Removed |Added

 CC||dmalcolm at gcc dot gnu.org

--- Comment #10 from David Malcolm  ---
(In reply to Jan Hubicka from comment #4)
> I keep mentioning to Larabel that he should use -fno-semantic-interposition,
> but he doesn't.

Possibly a silly question, but how about changing the default in GCC 15?  What
proportion of users actually make use of -fsemantic-interposition ?

[Bug analyzer/114778] ICE: in get_region_for_local, at analyzer/region.cc:1366

2024-04-22 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114778

David Malcolm  changed:

   What|Removed |Added

 Status|UNCONFIRMED |RESOLVED
 Resolution|--- |DUPLICATE

--- Comment #2 from David Malcolm  ---
Duplicate of bug 106634.

*** This bug has been marked as a duplicate of bug 106634 ***

[Bug analyzer/106634] [13/14 Regression] ICE in get_region_for_local with nested function extension since r13-2029-g7e3b45befdbbf1a1

2024-04-22 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106634

David Malcolm  changed:

   What|Removed |Added

 CC||iamanonymous.cs at gmail dot com

--- Comment #5 from David Malcolm  ---
*** Bug 114778 has been marked as a duplicate of this bug. ***

[Bug analyzer/114778] ICE: in get_region_for_local, at analyzer/region.cc:1366

2024-04-22 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114778

--- Comment #1 from David Malcolm  ---
Thanks for filing this.

It's failing this assertion in frame_region::get_region_for_local :

    case VAR_DECL:
      gcc_assert (!is_global_var (expr));
      /* Fall through.  */
    case PARM_DECL:
    case RESULT_DECL:
      gcc_assert (DECL_CONTEXT (expr) == m_fun.decl);
      break;

(gdb) pt expr
 
unit-size 
align:64 warn_if_not_align:0 symtab:0 alias-set -1 canonical-type
0x7fffea664000 precision:64 min  max >
used unsigned ignored DI ../../src/pr114778.c:6:5 size  unit-size 
align:64 warn_if_not_align:0 context >

(gdb) p m_fun.decl
$1 = 

Looks like another ICE due to GCC's nested functions extension for C, which the
analyzer doesn't yet support.

[Bug analyzer/114472] [14 Regression] ICE: in falls_short_of_p, at analyzer/store.cc:365 (in exceeds_p, at analyzer/store.cc:342) with -fanalyzer

2024-04-10 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114472

David Malcolm  changed:

   What|Removed |Added

 Status|ASSIGNED|RESOLVED
 Resolution|--- |FIXED

--- Comment #5 from David Malcolm  ---
ICE should be fixed by the above patch.

[Bug analyzer/114677] [13/14 Regression] -Wanalyzer-fd-leak false positive writing to int * param

2024-04-10 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114677

David Malcolm  changed:

   What|Removed |Added

 Status|UNCONFIRMED |NEW
   Last reconfirmed||2024-04-10
Summary|apparent -Wanalyzer-fd-leak |[13/14 Regression]
   | false positive |-Wanalyzer-fd-leak false
   ||positive writing to int *
   ||param
 Ever confirmed|0   |1

--- Comment #1 from David Malcolm  ---
Thanks for filing this bug.

Confirmed (thanks for the godbolt link).

Affects GCC 13 onwards (which added that warning)

Looks like for some reason the analyzer isn't treating (*sock) as keeping the
value of the fd alive.

[Bug analyzer/114472] [14 Regression] ICE: in falls_short_of_p, at analyzer/store.cc:365 (in exceeds_p, at analyzer/store.cc:342) with -fanalyzer

2024-04-09 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114472

--- Comment #3 from David Malcolm  ---
I'm testing a fix for this.

[Bug analyzer/94365] false positive leak when using container_of-like constructs

2024-04-08 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94365

--- Comment #3 from David Malcolm  ---
(In reply to David Malcolm from comment #2)
> Testing again with trunk (for GCC 12); the false leak of ‘a’ report still
> occurs, but the -Wanalyzer-free-of-non-heap report is fixed.

False leak still present with trunk (for GCC 14):
https://godbolt.org/z/nzjaMG7c8

[Bug analyzer/114588] Analyzer buffer overflow ASCII art hardcodes "RED" and "GREEN" as the terminal colors

2024-04-08 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114588

David Malcolm  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|UNCONFIRMED |RESOLVED

--- Comment #4 from David Malcolm  ---
Should be fixed by the above commit.

[Bug analyzer/114616] New: RFE: show type and possible ranges of size in -Wanalyzer-tainted-size and -Wanalyzer-tainted-allocation-size

2024-04-05 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114616

Bug ID: 114616
   Summary: RFE: show type and possible ranges of size in
-Wanalyzer-tainted-size and
-Wanalyzer-tainted-allocation-size
   Product: gcc
   Version: 14.0
Status: UNCONFIRMED
  Severity: normal
  Priority: P3
 Component: analyzer
  Assignee: dmalcolm at gcc dot gnu.org
  Reporter: dmalcolm at gcc dot gnu.org
  Target Milestone: ---

It's really helpful when triaging analyzer reports from -Wanalyzer-tainted-size
and -Wanalyzer-tainted-allocation-size to know more about the size in use.

e.g. if it's come from uint8_t then an allocation of that size is unlikely to
be problematic even if it's "unsanitized" (probably should have a param for the
threshold above which we complain).

Probably should add notes/events describing more about the value and the
sanitization/type conversions that happen to it.

[Bug analyzer/114594] Issues seen with -Wanalyzer-malloc-leak on htop/XUtils.c: String_split

2024-04-04 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114594

--- Comment #1 from David Malcolm  ---
The "leak" was fixed in htop by
https://github.com/htop-dev/htop/commit/62c2d820add3dadea7569af051d2afd804f08432

[Bug analyzer/114594] New: Issues seen with -Wanalyzer-malloc-leak on htop/XUtils.c: String_split

2024-04-04 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114594

Bug ID: 114594
   Summary: Issues seen with -Wanalyzer-malloc-leak on
htop/XUtils.c: String_split
   Product: gcc
   Version: 14.0
Status: UNCONFIRMED
  Severity: normal
  Priority: P3
 Component: analyzer
  Assignee: dmalcolm at gcc dot gnu.org
  Reporter: dmalcolm at gcc dot gnu.org
CC: BenBE at geshi dot org
  Target Milestone: ---

Created attachment 57881
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=57881&action=edit
Reduced reproducer

User "BenBE2" on #gcc on IRC noted some issues with the attached file; see also
at https://godbolt.org/z/vKbhqMq4T

The analyzer reports a leak, arguably falsely:

: In function 'xRealloc':
:32:7: warning: leak of '' [CWE-401] [-Wanalyzer-malloc-leak]
   32 |   free(ptr);
  |   ^
  'String_split': events 1-2
|
|   38 | char** String_split(const char* s, char sep, size_t* n) {
|  |^~~~
|  ||
|  |(1) entry to 'String_split'
|   39 |const size_t rate = 10;
|   40 |char** out = xCalloc(rate, sizeof(char*));
|  | 
|  | |
|  | (2) calling 'xCalloc' from 'String_split'
|
+--> 'xCalloc': event 3
   |
   |   15 | void* xCalloc(size_t nmemb, size_t size) {
   |  |   ^~~
   |  |   |
   |  |   (3) entry to 'xCalloc'
   |
 'xCalloc': event 4
   |
   |   16 |assert(nmemb > 0);
   |  |^~
   |  ||
   |  |(4) following 'true' branch (when 'nmemb != 0')...
   |
 'xCalloc': event 5
   |
   |   17 |assert(size > 0);
   |  |^~
   |  ||
   |  |(5) ...to here
   |
 'xCalloc': event 6
   |
   |   17 |assert(size > 0);
   |  |^~
   |  ||
   |  |(6) following 'true' branch (when 'size != 0')...
   |
 'xCalloc': events 7-11
   |
   |   18 |if (SIZE_MAX / nmemb < size) {
   |  |   ~ ^
   |  |   | |
   |  |   | (7) ...to here
   |  |   (8) following 'false' branch...
   |..
   |   21 |void* data = calloc(nmemb, size);
   |  | ~~~
   |  | |
   |  | (9) ...to here
   |   22 |if (!data) {
   |  |   ~  
   |  |   |
   |  |   (10) following 'false' branch (when 'data' is
non-NULL)...
   |..
   |   25 |return data;
   |  |      
   |  |   |
   |  |   (11) ...to here
   |
<--+
|
  'String_split': events 12-13
|
|   40 |char** out = xCalloc(rate, sizeof(char*));
|  | ^~~~
|  | |
|  | (12) returning to 'String_split' from 'xCalloc'
|..
|   44 |while ((where = strchr(s, sep)) != NULL) {
|  |~~
|  ||
|  |(13) when 'strchr' returns non-NULL
|
  'String_split': events 14-16
|
|   44 |while ((where = strchr(s, sep)) != NULL) {
|  |^
|  ||
|  |(14) following 'true' branch
(when 'where' is non-NULL)...
|   45 |   size_t size = (size_t)(where - s);
|  | ~~~
|  ||
|  |(15) ...to here
|   46 |   out[ctr] = xStrndup(s, size);
|  |  ~  
|  |  |
|  |  (16) calling 'xStrndup' from 'String_split'
|
+--> 'xStrndup': events 17-21
   |
   |   67 | char* xStrndup(const char* str, size_t len) {
   |  |   ^~~~
   |  |   |
   |  |   (17) entry to 'xStrndup'
   |   68 |char* data = strndup(str, len);
   |  | ~
   |  | |
   |  | (18) allocated here
   |   69 |if (!data) {
   |  |   ~
   |  |   |
   |  |   (19) assuming 'data' is 

[Bug analyzer/114588] New: Analyzer buffer overflow ASCII art hardcodes "RED" and "GREEN" as the terminal colors

2024-04-04 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114588

Bug ID: 114588
   Summary: Analyzer buffer overflow ASCII art hardcodes "RED" and
"GREEN" as the terminal colors
   Product: gcc
   Version: 14.0
Status: UNCONFIRMED
  Severity: normal
  Priority: P3
 Component: analyzer
  Assignee: dmalcolm at gcc dot gnu.org
  Reporter: dmalcolm at gcc dot gnu.org
  Target Milestone: ---

As noted by ycombinator user "ephaeton" here:
  https://news.ycombinator.com/item?id=39927200 

> I'd appreciate dropping red/green as bad/good colorscheme. red & green feed one of
> the most common visual impairments, and tend to work quite bad with terminal fg/bg
> colors throughout the spectrum except for its ends (black & white). Maybe you have
> some color profile descriptor somewhere that a user can change, but a quick search
> through info gcc (of my installed version) just shows the ability to turn it on &
> off (-fdiagnostics-color=[auto|never|always]).
>
> Color is definitely one of the things that do NOT work well on a wide variety of
> terminals. try a white-on-firebrick VTE, or a black-on-darkgoldenrod (awesome for
> sun-glare, btw), white-on-green, white-on-purple for a change to see how well they
> mingle...

Looking at the code, looks like I hardcoded this (in access-diagram.cc in
access_diagram_impl's ctor), rather than going through the GCC_COLORS envvar:

/* Register painting styles.  */
{
  style valid_style;
  valid_style.m_fg_color = style::named_color::GREEN;
  valid_style.m_bold = true;
  m_valid_style_id = m_sm.get_or_create_id (valid_style);

  style invalid_style;
  invalid_style.m_fg_color = style::named_color::RED;
  invalid_style.m_bold = true;
  m_invalid_style_id = m_sm.get_or_create_id (invalid_style);
}

[Bug analyzer/114473] [13 Regression] ICE: in deref_rvalue, at analyzer/region-model.cc:2780 with -fanalyzer -fanalyzer-call-summaries

2024-03-27 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114473

David Malcolm  changed:

   What|Removed |Added

Summary|[13/14 Regression] ICE: in  |[13 Regression] ICE: in
   |deref_rvalue, at|deref_rvalue, at
   |analyzer/region-model.cc:27 |analyzer/region-model.cc:27
   |80 with -fanalyzer  |80 with -fanalyzer
   |-fanalyzer-call-summaries   |-fanalyzer-call-summaries

--- Comment #3 from David Malcolm  ---
Should be fixed on trunk by the above patch; keeping open to track backport to
GCC 13.

[Bug analyzer/114473] [13/14 Regression] ICE: in deref_rvalue, at analyzer/region-model.cc:2780 with -fanalyzer -fanalyzer-call-summaries

2024-03-25 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114473

David Malcolm  changed:

   What|Removed |Added

 Status|UNCONFIRMED |ASSIGNED
   Priority|P3  |P1
   Last reconfirmed||2024-03-25
 Ever confirmed|0   |1

--- Comment #1 from David Malcolm  ---
Thanks for filing this bug.

Confirmed: https://godbolt.org/z/cbvjrnYzE

[Bug analyzer/114472] [14 Regression] ICE: in falls_short_of_p, at analyzer/store.cc:365 (in exceeds_p, at analyzer/store.cc:342) with -fanalyzer

2024-03-25 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114472

David Malcolm  changed:

   What|Removed |Added

 Status|UNCONFIRMED |ASSIGNED
 Ever confirmed|0   |1
   Last reconfirmed||2024-03-25
   Priority|P3  |P1

--- Comment #1 from David Malcolm  ---
Thanks for filing this bug.

Confirmed: https://godbolt.org/z/5rnoW9a3a

[Bug analyzer/113314] [14 Regression] -Wanalyzer-infinite-loop false positive seen on haproxy's fd.c

2024-03-25 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113314

--- Comment #2 from David Malcolm  ---
(In reply to David Malcolm from comment #1)

[...]

> redo_next:
>   next = fdtab[fd].update.next;
>   if (next > -2)
>     goto done;
>   if (next == -2)
>     goto redo_next;
> 
> does look like an infinite loop when next == 2.

Presumably I meant -2 here.

[Bug analyzer/114408] [13 Regression] ICE when invoking strcmp multiple times with -fsanitize=undefined -O1 -fanalyzer -flto

2024-03-23 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114408

David Malcolm  changed:

   What|Removed |Added

Summary|[13/14 Regression] ICE when |[13 Regression] ICE when
   |invoking strcmp multiple|invoking strcmp multiple
   |times with  |times with
   |-fsanitize=undefined -O1|-fsanitize=undefined -O1
   |-fanalyzer -flto|-fanalyzer -flto

--- Comment #7 from David Malcolm  ---
Should be fixed on trunk by the above patch.

The ICE was introduced by r13-5261-g0d6f7b1dd62e9c9dccb0b9b673f9cc3238b7ea6d
when fixing bug 108455.  Keeping open to track backporting to GCC 13.

[Bug analyzer/108455] -Wanalyzer-deref-before-check false positive seen in git pack-revindex.c

2024-03-23 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108455

--- Comment #5 from David Malcolm  ---
Note: the above patch caused the ICE in bug 114408.

[Bug analyzer/114408] [13/14 Regression] ICE when invoking strcmp multiple times with -fsanitize=undefined -O1 -fanalyzer -flto

2024-03-22 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114408

David Malcolm  changed:

   What|Removed |Added

 Status|NEW |ASSIGNED

--- Comment #5 from David Malcolm  ---
Thanks; I have it reproducing in DejaGnu now (and the ICE fix).

Am looking at fixing the false positive.

[Bug analyzer/114408] [13/14 Regression] ICE when invoking strcmp multiple times with -fsanitize=undefined -O1 -fanalyzer -flto

2024-03-22 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114408

--- Comment #2 from David Malcolm  ---
Created attachment 57781
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=57781&action=edit
WIP patch for the ICE

The attached patch seems to fix the ICE.  AIUI I'm lazily creating dominance
info as it's needed; calculate_dominance_info has this early exit:

  if (dom_computed[dir_index] == DOM_OK)
    {
      checking_verify_dominators (dir);
      return;
    }

and free_dominance_info has this early exit:

  if (!dom_info_available_p (fn, dir))
    return;

So iterating through all funs with gimple bodies at the end of analyzer calling
free_dominance_info on them ought to clean things up - and seems to fix the
ICE.

However I'm having trouble writing a regression test for this, with the
combination of ubsan and lto: I get:

output is /usr/bin/ld: cannot find -lubsan
collect2: error: ld returned 1 exit status

Ideas on fixing welcome.

[Bug analyzer/106358] [meta-bug] tracker bug for building the Linux kernel with -fanalyzer

2024-03-22 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358
Bug 106358 depends on bug 112975, which changed state.

Bug 112975 Summary: [14 Regression] -Wanalyzer-tainted-allocation-size false 
positive seen in Linux kernel's drivers/xen/privcmd.c
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112975

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED

[Bug analyzer/112975] [14 Regression] -Wanalyzer-tainted-allocation-size false positive seen in Linux kernel's drivers/xen/privcmd.c

2024-03-22 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112975

David Malcolm  changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED

--- Comment #3 from David Malcolm  ---
Should be fixed by the above patch.

[Bug analyzer/112974] [14 Regression] -Wanalyzer-tainted-array-index false positive seen on Linux kernel drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c

2024-03-22 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112974

David Malcolm  changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED

--- Comment #3 from David Malcolm  ---
Should be fixed by the above patch.

[Bug analyzer/106358] [meta-bug] tracker bug for building the Linux kernel with -fanalyzer

2024-03-22 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358
Bug 106358 depends on bug 112974, which changed state.

Bug 112974 Summary: [14 Regression] -Wanalyzer-tainted-array-index false 
positive seen on Linux kernel 
drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112974

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED

[Bug analyzer/113619] [14 Regression] -Wanalyzer-tainted-divisor false positive seen in Linux kernel's fs/ceph/ioctl.c

2024-03-21 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113619

David Malcolm  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|NEW |RESOLVED

--- Comment #2 from David Malcolm  ---
Should be fixed by the above commit.

[Bug analyzer/106358] [meta-bug] tracker bug for building the Linux kernel with -fanalyzer

2024-03-21 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358
Bug 106358 depends on bug 113619, which changed state.

Bug 113619 Summary: [14 Regression] -Wanalyzer-tainted-divisor false positive 
seen in Linux kernel's fs/ceph/ioctl.c
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113619

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED

[Bug analyzer/109251] [13 Regression] -Wanalyzer-deref-before-check false positives seen in Linux kernel due to check in macros

2024-03-20 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109251

David Malcolm  changed:

   What|Removed |Added

 Status|NEW |ASSIGNED
Summary|[13/14 Regression]  |[13 Regression]
   |-Wanalyzer-deref-before-che |-Wanalyzer-deref-before-che
   |ck false positives seen in  |ck false positives seen in
   |Linux kernel due to check   |Linux kernel due to check
   |in macros   |in macros

--- Comment #2 from David Malcolm  ---
Should be fixed for GCC 14 by the above patch.  Keeping open to track
backporting to GCC 13.

[Bug analyzer/113505] [14 Regression] ICE: SIGSEGV in tree_class_check (tree.h:3766) with -O -fdump-analyzer -fanalyzer since r14-6239

2024-03-19 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113505

David Malcolm  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|NEW |RESOLVED

--- Comment #7 from David Malcolm  ---
Patch looked good to me and it passed bootstrap, regrtesting, and integration
testing (all on x86_64-pc-linux-gnu), so I went ahead and pushed it to trunk.

Marking as resolved.

Thanks again for the patch

[Bug middle-end/114348] Corrupt SARIF output on stderr

2024-03-19 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114348

--- Comment #5 from David Malcolm  ---
Should be fixed on trunk for GCC 14 by the above patch.  Keeping open to
backport.

(In reply to Tobias Specht from comment #2)
[...snip...]
> A workaround could be, to only parse the first line as json, but this also
> seems racy.

Note that although in earlier releases the JSON was all on one line, for GCC 14
I've added newlines and formatting to the output:
https://gcc.gnu.org/pipermail/gcc-patches/2023-December/639625.html  (which
I've found *very* useful in my own usage of SARIF output).

[Bug analyzer/113505] [14 Regression] ICE: SIGSEGV in tree_class_check (tree.h:3766) with -O -fdump-analyzer -fanalyzer since r14-6239

2024-03-19 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113505

--- Comment #5 from David Malcolm  ---
Thanks, am testing your patch now.

[Bug analyzer/114286] ICE: in deref_rvalue, at analyzer/region-model.cc:2762 with _Atomic _BitInt() and -fanalyzer

2024-03-19 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114286

David Malcolm  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|ASSIGNED|RESOLVED

--- Comment #7 from David Malcolm  ---
Should be fixed by the above patch.

[Bug analyzer/110928] [14 Regression] ICE with -fanalyzer on -Wanalyzer-out-of-bounds checker

2024-03-18 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110928

David Malcolm  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|NEW |RESOLVED

--- Comment #2 from David Malcolm  ---
Should be fixed by the above patch.

[Bug analyzer/110902] Missing cast in region_model_manager::maybe_fold_binop on MULT_EXPR by 1

2024-03-18 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110902

David Malcolm  changed:

   What|Removed |Added

 Status|UNCONFIRMED |RESOLVED
 Resolution|--- |FIXED

--- Comment #3 from David Malcolm  ---
Should be fixed on trunk by the above patch.

[Bug analyzer/111305] [13/14 Regression] GCC Static Analyzer -Wanalyzer-out-of-bounds false positive

2024-03-18 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111305

David Malcolm  changed:

   What|Removed |Added

   Priority|P2  |P3
Summary|[13/14 Regression] GCC  |[13/14 Regression] GCC
   |Static Analyzer |Static Analyzer
   |-Wanalyzer-out-of-bounds FP |-Wanalyzer-out-of-bounds
   |and ICE problem |false positive

--- Comment #4 from David Malcolm  ---
ICE should be fixed by the above patch.

False positive still not fixed.

[Bug analyzer/111441] [14 Regression] ICE generating access diagram, in fold_binary_loc, at fold-const.cc:11580

2024-03-18 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111441

David Malcolm  changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED

--- Comment #7 from David Malcolm  ---
Should be fixed by the above patch.

[Bug middle-end/114348] Corrupt SARIF output on stderr

2024-03-18 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114348

David Malcolm  changed:

   What|Removed |Added

 Status|UNCONFIRMED |ASSIGNED
 Ever confirmed|0   |1
   Last reconfirmed||2024-03-18

--- Comment #3 from David Malcolm  ---
Thanks for reporting this.

Note that -fanalyzer isn't needed to reproduce this problem, e.g. on trunk
with:

$ (./xgcc -B. -fdiagnostics-format=sarif-stderr -c test.c 2>&1) | python -m json.tool
Extra data: line 24 column 1 (char 1839)

Also affects -fdiagnostics-format=json-stderr.

fnotice (stderr, ...) is used in ~150 places in trunk.

I'm looking at ways of fixing this (perhaps by having fnotice bail out early on
these machine-readable stderr formats when outputting to stderr).
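A consumer-side way to cope with the stray stderr text discussed in comments #3 and #5 of bug 114348, as an added example (not GCC code and not from the bug report): it decodes the first intact SARIF object whether the JSON is on one line or pretty-printed, and fails closed when a notice lands inside the JSON. The sample log, the notice text and all function names are constructed for illustration.

```python
import json

# Constructed sample data: a minimal SARIF 2.1.0 log and a stand-in for a
# human-readable notice that ends up on the same stderr stream.
SAMPLE_LOG = {
    "version": "2.1.0",
    "runs": [
        {
            "tool": {"driver": {"name": "constructed-tool"}},
            "results": [
                {
                    "ruleId": "-Wanalyzer-null-dereference",
                    "level": "warning",
                    "message": {"text": "constructed finding"},
                }
            ],
        }
    ],
}
NOTICE = "constructed notice text that is not part of the JSON"


def extract_sarif(stderr_text):
    """Return (sarif_log, stray_text) from captured stderr.

    Does not depend on the JSON being on a single line. Raises ValueError
    when no intact SARIF object is present, so a pipeline stops instead of
    silently recording "zero findings".
    """
    decoder = json.JSONDecoder()
    pos = stderr_text.find("{")
    while pos != -1:
        try:
            # raw_decode stops at the end of the first complete JSON value
            # instead of rejecting whatever follows it as "Extra data".
            obj, end = decoder.raw_decode(stderr_text, pos)
        except json.JSONDecodeError:
            pos = stderr_text.find("{", pos + 1)
            continue
        # Only accept a top-level SARIF log, never an inner fragment that
        # happens to decode after the outer object was corrupted.
        if isinstance(obj, dict) and "version" in obj and "runs" in obj:
            stray = (stderr_text[:pos] + stderr_text[end:]).strip()
            return obj, stray
        pos = stderr_text.find("{", end)
    raise ValueError("no intact SARIF log on stderr; treat the scan as failed")


def count_results(log):
    """Total number of results across all runs in a SARIF log."""
    return sum(len(run.get("results", [])) for run in log["runs"])


def trailing_case():
    """Pretty-printed JSON followed by a notice (the 'Extra data' case)."""
    return json.dumps(SAMPLE_LOG, indent=2) + "\n" + NOTICE + "\n"


def leading_case():
    """Single-line JSON preceded by a notice."""
    return NOTICE + "\n" + json.dumps(SAMPLE_LOG) + "\n"


def interleaved_case():
    """A notice written in the middle of the JSON: unrecoverable."""
    lines = json.dumps(SAMPLE_LOG, indent=2).splitlines()
    lines.insert(3, NOTICE)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name, text in (("trailing", trailing_case()), ("leading", leading_case())):
        log, stray = extract_sarif(text)
        print(name, "results:", count_results(log), "stray:", repr(stray))
    try:
        extract_sarif(interleaved_case())
    except ValueError as exc:
        print("interleaved:", exc)
```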

[Bug analyzer/114286] ICE: in deref_rvalue, at analyzer/region-model.cc:2762 with _Atomic _BitInt() and -fanalyzer

2024-03-18 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114286

--- Comment #5 from David Malcolm  ---
Aha - thanks!  Am working on a fix.

[Bug analyzer/114286] ICE: in deref_rvalue, at analyzer/region-model.cc:2762 with _Atomic _BitInt() and -fanalyzer

2024-03-18 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114286

--- Comment #3 from David Malcolm  ---
Looking at
https://gcc.gnu.org/onlinedocs/gcc/_005f_005fatomic-Builtins.html#index-_005f_005fatomic_005fload
I see this signature for __atomic_load with 3 arguments:

Built-in Function: void __atomic_load (type *ptr, type *ret, int memorder)

and that's what I tried to implement in r14-1497-gef768035ae8090 in kf.cc's
class kf_atomic_load.

However, looking at the gimple, I see this call:

  __atomic_load (128, , , 0);

and sync-builtins.def has this:

DEF_SYNC_BUILTIN (BUILT_IN_ATOMIC_LOAD,
  "__atomic_load",
  BT_FN_VOID_SIZE_CONST_VPTR_PTR_INT,
  ATTR_NOTHROWCALL_LEAF_LIST)

so presumably the documentation for __atomic_load is wrong.

Presumably the signature should be:

void __atomic_load (size_t sz, const void *src, void *dst, int memorder);

[Bug analyzer/114286] ICE: in deref_rvalue, at analyzer/region-model.cc:2762 with _Atomic _BitInt() and -fanalyzer

2024-03-18 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114286

David Malcolm  changed:

   What|Removed |Added

 Status|NEW |ASSIGNED

--- Comment #2 from David Malcolm  ---
Thanks; taking a look.

[Bug analyzer/114285] Use of uninitialized value when copying a struct field by field

2024-03-08 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114285

--- Comment #2 from David Malcolm  ---
(In reply to Antoni from comment #0)
> Created attachment 57655 [details]
> Reproducer for the bug

[...]

> I tried to reproduce in C and I attached the reproducer.

Trunk with -fanalyzer: https://godbolt.org/z/847M165zf

[Bug analyzer/114159] [13 Regression] ICE: in call_info, at analyzer/call-info.cc:143 with -fanalyzer -fanalyzer-call-summaries --param=analyzer-max-svalue-depth=0

2024-02-29 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114159

David Malcolm  changed:

   What|Removed |Added

Summary|[13/14 Regression] ICE: in  |[13 Regression] ICE: in
   |call_info, at   |call_info, at
   |analyzer/call-info.cc:143   |analyzer/call-info.cc:143
   |with -fanalyzer |with -fanalyzer
   |-fanalyzer-call-summaries   |-fanalyzer-call-summaries
   |--param=analyzer-max-svalue |--param=analyzer-max-svalue
   |-depth=0|-depth=0

--- Comment #3 from David Malcolm  ---
Should be fixed on trunk for GCC 14 by the above patch.

Keeping open to track backporting the fix to GCC 13.

[Bug analyzer/114159] [13/14 Regression] ICE: in call_info, at analyzer/call-info.cc:143 with -fanalyzer -fanalyzer-call-summaries --param=analyzer-max-svalue-depth=0

2024-02-29 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114159

David Malcolm  changed:

   What|Removed |Added

 Status|UNCONFIRMED |ASSIGNED
 Ever confirmed|0   |1
   Last reconfirmed||2024-02-29

--- Comment #1 from David Malcolm  ---
Thanks for filing this bug.

Happens for --param=analyzer-max-svalue-depth=3 and below:
  https://godbolt.org/z/enfqznExK
due to:
 6267 const svalue *fn_ptr_sval = get_rvalue (fn_ptr, ctxt);
in region_model::get_fndecl_for_call returning an UNKNOWN_SVALUE rather than a
ptr to a function_region, due to exceeding the complexity limit.

[Bug analyzer/110483] [14 Regression] Several gcc.dg/analyzer/out-of-bounds-diagram-*.c tests FAIL

2024-02-29 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110483

--- Comment #6 from David Malcolm  ---
Thanks; let's keep using this PR for the stuff in comment #5.

I've been looking at these on gcc211 in the compile farm:
  * I see out-of-bounds-diagram-11.c failing as you describe (the overflow in
test6 isn't reported with g++ for some reason; it is for gcc)
  * out-of-bounds-diagram-3.c gets skipped on that machine due to 
{ dg-require-effective-target lp64 }
"check_cached_effective_target lp64: returning 0 for unix"

Is there a config/cfarm machine you see the out-of-bounds-diagram-3.c failure
on?

[Bug middle-end/92830] -fdiagnostics-url shows the wrong URL for warnings which are not in 'gcc' but e.g. in 'gfortran'

2024-02-29 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=92830

--- Comment #7 from David Malcolm  ---
(In reply to GCC Commits from comment #5)
> The master branch has been updated by David Malcolm :
> 
> https://gcc.gnu.org/g:fa29cf0c3f19b648e30b16fd2485c3c17a528a6e
> 
> commit r10-7994-gfa29cf0c3f19b648e30b16fd2485c3c17a528a6e
> Author: David Malcolm 
> Date:   Thu Dec 5 14:47:35 2019 -0500

[...]

> I considered various schemes involving adding extra tags to the .opt
> format to capture where options are documented, but for now this patch
> fixes the issue by introducing some special-casing logic.

FWIW I've implemented such a scheme for GCC 14, in r14-6920-g9e49746da303b8
through r14-6923-g4ded42c2c5a5c9.

[Bug analyzer/111802] [14 Regression] New analyser diagram failures since commit b365e9d57ad4

2024-02-27 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111802

David Malcolm  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|UNCONFIRMED |RESOLVED

--- Comment #4 from David Malcolm  ---
Should be fixed by the above patch; closing.  Please reopen if you still see
these issues.

[Bug analyzer/110483] [14 Regression] Several gcc.dg/analyzer/out-of-bounds-diagram-*.c tests FAIL

2024-02-27 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110483

David Malcolm  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|UNCONFIRMED |RESOLVED

--- Comment #4 from David Malcolm  ---
Should be fixed by the above patch; closing.  Please reopen if you still see
these issues.

[Bug analyzer/111881] [14 Regression] analyzer: ICE in ensure_closed, at analyzer/constraint-manager.cc:130 with -Ofast

2024-02-27 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111881

David Malcolm  changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED

--- Comment #3 from David Malcolm  ---
Should be fixed by above patch.

[Bug analyzer/111305] [13/14 Regression] GCC Static Analyzer -Wanalyzer-out-of-bounds FP and ICE problem

2024-02-26 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111305

David Malcolm  changed:

   What|Removed |Added

   Last reconfirmed||2024-02-26
 Status|UNCONFIRMED |ASSIGNED
 Ever confirmed|0   |1

--- Comment #1 from David Malcolm  ---
ICE happens with GCC 14
False +ve happens with GCC 13 and 14

[Bug analyzer/105898] RFE: -fanalyzer should complain about overlapping args to memcpy and mempcpy

2024-02-22 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105898

--- Comment #4 from David Malcolm  ---
I implemented this a different way, for memcpy, in r14-3556-g034d99e81484fb (by
special-casing it).

We don't yet check mempcpy, wmemcpy, or wmempcpy; keeping bug open to handle
those.

[Bug analyzer/113999] [14 Regression] ICE: in string_cst_has_null_terminator, at analyzer/region-model.cc:3651 with -fanalyzer on gcc.dg/tree-ssa/strncpy-2.c

2024-02-20 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113999

David Malcolm  changed:

   What|Removed |Added

 Status|ASSIGNED|RESOLVED
 Resolution|--- |FIXED

--- Comment #3 from David Malcolm  ---
Should be fixed by the above patch; marking as resolved.

[Bug analyzer/113998] [14 Regression] ICE: in get_last_byte_offset, at analyzer/ranges.cc:171 with -fanalyzer and __builtin_strncpy()

2024-02-20 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113998

David Malcolm  changed:

   What|Removed |Added

 Status|ASSIGNED|RESOLVED
 Resolution|--- |FIXED

--- Comment #4 from David Malcolm  ---
Should be fixed by the above patch; marking as resolved.

[Bug analyzer/111289] [13 Regression] Unwarranted -Wanalyzer-va-arg-type-mismatch warning

2024-02-19 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111289

David Malcolm  changed:

   What|Removed |Added

Summary|[13/14 Regression]  |[13 Regression] Unwarranted
   |Unwarranted |-Wanalyzer-va-arg-type-mism
   |-Wanalyzer-va-arg-type-mism |atch warning
   |atch warning|
 Status|NEW |ASSIGNED

--- Comment #3 from David Malcolm  ---
Should be fixed on trunk for gcc 14 by the above patch.
Keeping open to track the backport to gcc 13.

[Bug analyzer/110520] -Wanalyzer-null-dereference false negative with `*ptr = 10086`

2024-02-19 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110520

David Malcolm  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|ASSIGNED|RESOLVED

--- Comment #4 from David Malcolm  ---
(In reply to David Malcolm from comment #1)
> Keeping open to track adding a regression test for this.

Regression test added; closing.

[Bug analyzer/113983] [14 Regression] ICE: tree check: expected integer_cst, have vector_cst in maybe_undo_optimize_bit_field_compare, at analyzer/region-model-manager.cc:606 with -fanalyzer

2024-02-19 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113983

--- Comment #5 from David Malcolm  ---
(In reply to Andrew Pinski from comment #4)
> Fixed.

Thanks!

[Bug analyzer/113999] [14 Regression] ICE: in string_cst_has_null_terminator, at analyzer/region-model.cc:3651 with -fanalyzer on gcc.dg/tree-ssa/strncpy-2.c

2024-02-19 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113999

David Malcolm  changed:

   What|Removed |Added

   Last reconfirmed||2024-02-19
 Status|UNCONFIRMED |ASSIGNED
 Ever confirmed|0   |1

--- Comment #1 from David Malcolm  ---
Thanks for filing this bug report.

Confirmed affects trunk:
  https://godbolt.org/z/ao1a7xchq
and doesn't affect GCC 13.

Am investigating.

[Bug analyzer/113998] [14 Regression] ICE: in get_last_byte_offset, at analyzer/ranges.cc:171 with -fanalyzer and __builtin_strncpy()

2024-02-19 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113998

--- Comment #2 from David Malcolm  ---
Thanks for filing this bug.

I'm testing a fix.

[Bug analyzer/113998] [14 Regression] ICE: in get_last_byte_offset, at analyzer/ranges.cc:171 with -fanalyzer and __builtin_strncpy()

2024-02-19 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113998

David Malcolm  changed:

   What|Removed |Added

 Status|UNCONFIRMED |ASSIGNED
 Ever confirmed|0   |1
   Last reconfirmed||2024-02-19

--- Comment #1 from David Malcolm  ---
Confirmed: ICE on trunk: https://godbolt.org/z/bja1K6rxx
Doesn't affect GCC 13

[Bug analyzer/109802] [13 Regression] ICE using dubious flexible arrays in unions

2024-02-16 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109802

David Malcolm  changed:

   What|Removed |Added

 Status|UNCONFIRMED |NEW
 Ever confirmed|0   |1
   Last reconfirmed||2024-02-16
Summary|[regression] during IPA |[13 Regression] ICE using
   |pass: analyzer: internal|dubious flexible arrays in
   |compiler error (using   |unions
   |dubious flexible arrays in  |
   |unions) |

--- Comment #5 from David Malcolm  ---
Thanks for filing this bug report.

(In reply to Alejandro Colomar from comment #2)
> Here's a simplified version that will cause the same internal compiler error.
  Trunk (GCC 14): ok:  https://godbolt.org/z/4cjf6Khh3
  GCC 13.2:   ICE: https://godbolt.org/z/K4j97a4eb
  GCC 12.3:   ok:  https://godbolt.org/z/1jfz8YTPj

...so it seems like this is fixed on trunk (for GCC 14) but still affects GCC
13.

[Bug analyzer/110285] [13/14 Regression] -Wanalyzer-infinite-recursion false positive involving floating-point values

2024-02-16 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110285

David Malcolm  changed:

   What|Removed |Added

   Last reconfirmed||2024-02-16
 Ever confirmed|0   |1
 Status|UNCONFIRMED |NEW
Summary|-Wanalyzer-infinite-recursi |[13/14 Regression]
   |on false positive involving |-Wanalyzer-infinite-recursi
   |floating-point values   |on false positive involving
   ||floating-point values

[Bug analyzer/109851] [13/14 Regression] False positive va_arg when iterating through format string with for-loop

2024-02-16 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109851

David Malcolm  changed:

   What|Removed |Added

Summary|False positive va_arg when  |[13/14 Regression] False
   |iterating through format|positive va_arg when
   |string with for-loop|iterating through format
   ||string with for-loop
   Last reconfirmed||2024-02-16
 Status|UNCONFIRMED |NEW
 Ever confirmed|0   |1

--- Comment #1 from David Malcolm  ---
Thanks for filing this bug report.

The analyzer isn't looking at the content of the string literal and assumes
that any character is possible.  In particular, it isn't attempting to
correlate between the ordering of matches in the string and the ordering of the
variadic arguments.

Still affects trunk and gcc 13:
  Trunk: https://godbolt.org/z/bMP7sq3ea
  GCC 13.2: https://godbolt.org/z/e7eE8Eo4d

[Bug analyzer/109579] -Wanalyzer-out-of-bounds false positive in Emacs mapping stack

2024-02-16 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109579

David Malcolm  changed:

   What|Removed |Added

 Status|UNCONFIRMED |RESOLVED
 Resolution|--- |WORKSFORME

--- Comment #1 from David Malcolm  ---
Thanks for filing this bug report.

Trunk: unaffected: https://godbolt.org/z/EaeP1e1d5
GCC 13.2: affected: https://godbolt.org/z/WvcKh9s9Y

Presumably fixed by one of my patches to trunk; marking as RESOLVED WORKSFORME.
Feel free to reopen if you can reproduce it with GCC 14 or later.

[Bug analyzer/109628] -Wanalyzer-use-of-uninitialized-value false positive on static storage

2024-02-16 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109628

David Malcolm  changed:

   What|Removed |Added

 Resolution|--- |WORKSFORME
 Status|UNCONFIRMED |RESOLVED

--- Comment #1 from David Malcolm  ---
Thanks for filing this bug.

Seems to be fixed on trunk (for GCC 14): https://godbolt.org/z/ecYGxa3nh
Affects GCC 13.2: https://godbolt.org/z/sxs3G1KEc
Affects GCC 12.3: https://godbolt.org/z/v4nz19Mj1

I'm going to assume that one of my other fixes on trunk covered this; marking
as RESOLVED WORKSFORME.  Feel free to reopen if you still see it with GCC 14
onwards.

[Bug analyzer/111213] -Wanalyzer-out-of-bounds false negative with `return arr[9];` at -O1 and above

2024-02-16 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111213

David Malcolm  changed:

   What|Removed |Added

 Status|NEW |SUSPENDED

--- Comment #4 from David Malcolm  ---
Marking this one as SUSPENDED since it would require the big rewrite for PR
111312.

[Bug analyzer/105755] -Wanalyzer-null-dereference regression compiling Emacs

2024-02-16 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105755

David Malcolm  changed:

   What|Removed |Added

 Resolution|--- |WORKSFORME
 Status|UNCONFIRMED |RESOLVED

--- Comment #4 from David Malcolm  ---
Looks like this was fixed sometime in GCC 13; resolving as WORKSFORME.

Feel free to reopen if you have a reproducer that triggers on a more recent
GCC.

[Bug analyzer/108562] [meta-bug] tracker bug for issues with -Wanalyzer-null-dereference

2024-02-16 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108562
Bug 108562 depends on bug 105755, which changed state.

Bug 105755 Summary: -Wanalyzer-null-dereference regression compiling Emacs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105755

   What|Removed |Added

 Status|UNCONFIRMED |RESOLVED
 Resolution|--- |WORKSFORME

[Bug analyzer/105755] -Wanalyzer-null-dereference regression compiling Emacs

2024-02-16 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105755

--- Comment #3 from David Malcolm  ---
Current status of reproducer on Compiler Explorer:
  GCC trunk: no warning: https://godbolt.org/z/o6ecKKa8e
  GCC 13.2:  no warning: https://godbolt.org/z/z7hdYx1Y7
  GCC 12.3:  false +ve:  https://godbolt.org/z/8W7c68GoT
  GCC 11.4:  no warning: https://godbolt.org/z/5vv5KWsTP

[Bug analyzer/108400] [12/13/14 Regression] -Wanalyzer-null-dereference false positive on SoftEtherVPN's src/Cedar/WebUI.c

2024-02-16 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108400

David Malcolm  changed:

   What|Removed |Added

 Ever confirmed|0   |1
   Last reconfirmed||2024-02-16
 Status|UNCONFIRMED |NEW
Summary|-Wanalyzer-null-dereference |[12/13/14 Regression]
   |false positive on   |-Wanalyzer-null-dereference
   |SoftEtherVPN's  |false positive on
   |src/Cedar/WebUI.c   |SoftEtherVPN's
   ||src/Cedar/WebUI.c

[Bug analyzer/105961] -Wanalyzer-use-of-uninitialized-value false positive after "= {0}"

2024-02-16 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105961

David Malcolm  changed:

   What|Removed |Added

 Status|ASSIGNED|RESOLVED
 Resolution|--- |WORKSFORME

--- Comment #5 from David Malcolm  ---
I tried this again on Compiler Explorer, but I'm now not seeing any output on
the reproducer:

Trunk: https://godbolt.org/z/G8fravbbT
GCC 13.2: https://godbolt.org/z/8aj7zTssG
GCC 12.3: https://godbolt.org/z/6v15Es3nc
GCC 11.4: https://godbolt.org/z/hxPdxGTr9

Marking as RESOLVED WORKSFORME.  Feel free to reopen if you're still able to
reproduce this.
