https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96374
Bug ID: 96374
Summary: Analyzer erroneously rejects certain diagnostics due
to path-feasibility being used on shortest path
Product: gcc
Version: 11.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Target Milestone: ---
Analyzer fails to find a path to the __analyzer_dump_path call:
#include "analyzer-decls.h"
int test_6 (int a, int b)
{
int problem = 0;
if (a)
problem = 1;
if (b)
{
if (!problem)
problem = 2;
__analyzer_dump_path (); /* { dg-message "path" "" { xfail *-*-* } } */
}
return problem;
}
It's rejecting the path due to picking the shortest path, and then a bad
interaction with feasibility-checking.
If feasibility-checking is hacked out, it picks this path (with
-fanalyzer-verbosity=3 for clarity):
‘test_6’: events 1-7
|
| 6 | if (a)
| | ^
| | |
| | (1) following ‘false’ branch (when ‘a == 0’)...
| 7 | problem = 1;
| 8 | if (b)
| | ~
| | |
| | (2) ...to here
| | (3) following ‘true’ branch (when ‘b != 0’)...
| 9 | {
| 10 | if (!problem)
| | ~
| | |
| | (4) ...to here
| | (5) following ‘false’ branch (when ‘problem != 0’)...
| 11 | problem = 2;
| 12 | __analyzer_dump_path ();
| | ~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (6) ...to here
| | (7) here
|
However, with feasibility-checking, "problem" is still 0 at event (5) (due to
the shortest path skipping the "problem = 1" suite), and hance the "problem !=
0" edge is invalid, and the edge from (5) to (6) is rejected, and the
diagnostic rejected.
We want the shortest feasible path if one exists, and are currently
approximating this by picking the shortest path, and checking if it's feasible,
which isn't the same thing.
Am not sure how best to fix this, but need a PR to mark this as XFAIL.
