https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93544
--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
(In reply to Arseny Solokha from comment #0)
[...snip...]

Thanks for filing this, I'm investigating the ICE.

> (BTW, w/o -O1 the analysis seems to be wrong in that double-free happens
> following "false" branch, but that's a different issue.)

I'm not sure what you mean by the above, though the output does have issues.

With only -fanalyzer, I get the following, which is rather nonsensical:

$ ./xgcc -B. -c -fanalyzer pr93544.c
pr93544.c: In function ‘lk’:
pr93544.c:14:3: warning: double-‘free’ of ‘bs’ [CWE-415] [-Wanalyzer-double-free]
   14 |   __builtin_free (bs);
      |   ^~~~~~~~~~~~~~~~~~~
  ‘lk’: events 1-4
    |
    |   11 |   bs = dx = !!ja ? qd () : 0;
    |      |        ~~~~~~~~~~~~~~~~~~^~~
    |      |           |        |     |
    |      |           |        |     (1) following ‘true’ branch...
    |      |           |        (2) ...to here
    |      |           (3) first ‘free’ here
    |......
    |   14 |   __builtin_free (bs);
    |      |   ~~~~~~~~~~~~~~~~~~~
    |      |   |
    |      |   (4) second ‘free’ here; first ‘free’ was at (3)
    |

Adding -fanalyzer-fine-grained improves the output considerably:

$ ./xgcc -B. -c -fanalyzer pr93544.c -fanalyzer-fine-grained
pr93544.c: In function ‘lk’:
pr93544.c:14:3: warning: double-‘free’ of ‘bs’ [CWE-415] [-Wanalyzer-double-free]
   14 |   __builtin_free (bs);
      |   ^~~~~~~~~~~~~~~~~~~
  ‘lk’: events 1-4
    |
    |   11 |   bs = dx = !!ja ? qd () : 0;
    |      |             ~~~~~~~~~~~~~^~~
    |      |                    |     |
    |      |                    |     (1) following ‘true’ branch...
    |      |                    (2) ...to here
    |   12 |
    |   13 |   __builtin_free (dx);
    |      |   ~~~~~~~~~~~~~~~~~~~
    |      |   |
    |      |   (3) first ‘free’ here
    |   14 |   __builtin_free (bs);
    |      |   ~~~~~~~~~~~~~~~~~~~
    |      |   |
    |      |   (4) second ‘free’ here; first ‘free’ was at (3)
    |