https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93544
--- Comment #4 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
(In reply to Arseny Solokha from comment #3)
[...]
> I'm not sure either now. I bet I've seen
>
> | 11 | bs = dx = !!ja ? qd () : 0;
> | | ~~~~~~~~~~~~~~~~~~^~~
> | | | | |
> | | | | (1) following 'false' branch...
>
> (maybe at some point during testcase reduction?) but I cannot reproduce it
> now. Will try tomorrow on the machine that yielded the testcase and file a
> separate PR if it'll turn to be real.
>
> Meanwhile, passing -xc++ along w/ -fanalyzer-fine-grained, yet unsupported,
> makes the output fully correct.

Thanks; you're right; the ICE involves it erroneously picking the "false" path,
which I see when bulletproofing the crashing code, getting this at -O1:

pr93544.c: In function ‘lk’:
pr93544.c:16:3: warning: double-‘free’ of ‘<unknown>’ [CWE-415] [-Wanalyzer-double-free]
   16 |   __builtin_free (bs); /* { dg-warning "double-'free'" } */
      |   ^~~~~~~~~~~~~~~~~~~
  ‘lk’: events 1-4
    |
    |   13 |   bs = dx = !!ja ? qd () : 0;
    |      |             ~~~~~~~~~~~~~^~~
    |      |                          |
    |      |                          (1) following ‘false’ branch...
    |   14 |
    |   15 |   __builtin_free (dx);
    |      |   ~~~~~~~~~~~~~~~~~~~
    |      |   |
    |      |   (2) ...to here
    |      |   (3) first ‘free’ here
    |   16 |   __builtin_free (bs);
    |      |   ~~~~~~~~~~~~~~~~~~~
    |      |   |
    |      |   (4) second ‘free’ here; first ‘free’ was at (3)
    |

If I use -fno-analyzer-state-merge it still misreports it (albeit with "note: 1
duplicate") - with that, I think it's picking the dedupe candidate with the
wrong path.
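
Why event (1) names the wrong branch, as an added example that is not part of the bug report or of GCC's testsuite: on the 'false' branch both pointers are null and freeing null twice is harmless, so the double free at lines 15 and 16 is only reachable through the 'true' branch. `block`, `model_free` and `lk_model` are hypothetical names, and the body of `qd` is an assumption because the report does not show it.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for qd(): hands out one fixed block, so nothing
   here touches the real heap. The real qd() is not shown in the report. */
static char block[16];
static void *qd(void) { return block; }

/* Hypothetical free() model: records released pointers and reports a
   repeat release instead of invoking undefined behaviour. */
static void *released[4];
static int n_released;

static int model_free(void *p)
{
    if (p == NULL)
        return 0;                       /* free(NULL) is a no-op */
    for (int i = 0; i < n_released; i++)
        if (released[i] == p)
            return 1;                   /* second release: CWE-415 */
    if (n_released < 4)
        released[n_released++] = p;
    return 0;
}

/* Mirrors lines 13, 15 and 16 of the diagnostic; returns the number of
   double frees observed for the given branch condition. */
static int lk_model(int ja)
{
    void *bs, *dx;
    int doubles = 0;

    n_released = 0;
    bs = dx = !!ja ? qd() : 0;          /* both names alias one value */
    doubles += model_free(dx);          /* first 'free' */
    doubles += model_free(bs);          /* second 'free' of the alias */
    return doubles;
}

int main(void)
{
    printf("true branch:  %d double free(s)\n", lk_model(1));
    printf("false branch: %d double free(s)\n", lk_model(0));
    return 0;
}
```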