https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105382
            Bug ID: 105382
           Summary: Support for coroutines in -fanalyzer
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: dmalcolm at gcc dot gnu.org
            Blocks: 97110
  Target Milestone: ---

-fanalyzer doesn't work well with C++ coroutines.

For example, trying it on
gcc/testsuite/g++.dg/coroutines/torture/co-yield-01-multi.C leads to:

warning: dereference of possibly-NULL ‘<unknown>’ [CWE-690] [-Wanalyzer-possible-null-dereference]
   13 | f () noexcept
      | ^
  ‘coro1 f()’: events 1-2
    |
    |   13 | f () noexcept
    |      | ~
    |      | |
    |      | (2) ‘operator new(40)’ could be NULL: unchecked value from (1)
    |......
    |   23 | }
    |      | ^
    |      | |
    |      | (1) this call could return NULL
    |

along with numerous:

warning: use of uninitialized value ‘<unknown>’ [CWE-457] [-Wanalyzer-use-of-uninitialized-value]

e.g.:

../../src/gcc/testsuite/g++.dg/coroutines/torture/co-yield-01-multi.C:23:1: warning: use of uninitialized value ‘<unknown>’ [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
   23 | }
      | ^
  ‘coro1 f()’: events 1-3
    |
    |   13 | f () noexcept
    |      | ^ ~~~~~~~~
    |      | | |
    |      | | (2) region created on stack here
    |      | (1) entry to ‘f’
    |      | (3) calling ‘f’ from ‘f’
    |
    +--> ‘void f(f()::_Z1fv.Frame*)’: events 4-10
           |
           |   13 | f () noexcept
           |      | ^
           |      | |
           |      | (4) entry to ‘f’
           |      | (8) ...to here
           |      | (9) following ‘true’ branch...
           |      | (10) ...to here
           |......
           |   23 | }
           |      | ~
           |      | |
           |      | (5) following ‘false’ branch...
           |      | (6) ...to here
           |      | (7) following ‘case 0:’ branch...
           |
    <------+
    |
  ‘coro1 f()’: events 11-12
    |
    |   13 | f () noexcept
    |      | ^
    |      | |
    |      | (11) returning to ‘f’ from ‘f’
    |......
    |   23 | }
    |      | ~
    |      | |
    |      | (12) use of uninitialized value ‘<unknown>’ here
    |

Note how the path refers to "case 0:"; I believe this is a reference to the
synthetic switch for handling re-entering the coroutine:

  <bb 3> :
  _3 = frame_ptr_56(D)->_Coro_resume_index;
  _4 = (int) _3;
  switch (_4) <default: <L1> [INV], case 1: <L2> [INV], case 3: <L3> [INV], case 5: <L4> [INV], case 7: <L5> [INV], case 9: <L6> [INV]>

So I think that the way we generate events in diagnostic paths might need some
kind of support for presenting the information in a form that more closely
resembles what the user wrote, rather than the gimplification of what the C++
FE generated.

Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97110
[Bug 97110] [meta-bug] tracker bug for supporting C++ in -fanalyzer
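
An added illustration, not code from the bug report or from GCC: a hand-written C analogue of a coroutine lowered to a heap-allocated frame plus a resume switch, showing why a tool that analyzes the lowered form reports "case N" branches and an allocation the user never wrote. The struct, the function names and the index numbering are assumptions; GCC's actual lowering differs in detail.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical frame for a generator yielding 1, 2, 3. resume_index plays the
   role of _Coro_resume_index; layout and numbering are assumptions. */
struct frame { int resume_index, i, value, done; };

/* "Ramp": what the caller sees as f(). Allocates a zeroed frame; the result
   may be NULL, and dereferencing it unchecked is the CWE-690 pattern. */
struct frame *gen_create(void) { return calloc(1, sizeof(struct frame)); }

/* "Actor": re-entered on every resume through a switch the user never wrote. */
void gen_resume(struct frame *fp)
{
    switch (fp->resume_index) {
    case 0:                          /* first entry */
        for (fp->i = 1; fp->i <= 3; fp->i++) {
            fp->value = fp->i;
            fp->resume_index = 1;
            return;                  /* suspend, as co_yield would */
    case 1:;                         /* resume lands back inside the loop */
        }
        fp->done = 1;
        fp->resume_index = 2;        /* finished; later resumes do nothing */
        return;
    default:
        return;
    }
}

/* Drives the generator to completion and returns the sum of yielded values,
   or -1 if the frame could not be allocated. */
int gen_sum(void)
{
    struct frame *fp = gen_create();
    int sum = 0;
    if (fp == NULL)
        return -1;
    for (gen_resume(fp); !fp->done; gen_resume(fp))
        sum += fp->value;
    free(fp);
    return sum;
}

int main(void)
{
    printf("sum of yielded values: %d\n", gen_sum());
    return 0;
}
```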