https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108428
Bug ID: 108428
Summary: -Wanalyzer-null-dereference false negative with *f = 1
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: geoffreydgr at icloud dot com
Target Milestone: ---

I got a false negative when compiling the following program with `gcc(trunk) -fanalyzer -O0`. It is obvious that `*f = 1;` (at line 15) will lead to a NPD error, but the gcc static analyzer cannot find it. And I found that the analyzer did not know that `__analyzer_eval(0 == e);` and `__analyzer_eval(0 == f);` were both true. In addition, I observed that the analyzer seemed to enter the loop twice (it evaluated `__analyzer_eval(0 == e);` twice). I think this may hint at something wrong.

https://godbolt.org/z/EjYqhsrWe

```c
#include <stdio.h>
extern void __analyzer_eval (int);
int main()
{
  int e = 1;                   /* e becomes 0 in the loop below */
  int *f;
  for (int i = 0; i < 1; i++) {
    e = 0;
    __analyzer_eval(0 == e);
  }
  __analyzer_eval(0 == e);
  f = (int*) e;
                               /* f is (int*)0 here */
  __analyzer_eval(0 == f);
  *f = 1;                      /* line 15: null dereference the analyzer misses */
  return 0;
}
```

Output:

```bash
<source>: In function 'main':
<source>:12:7: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
   12 |   f = (int*) e;
      |       ^
<source>:9:5: warning: TRUE
    9 |     __analyzer_eval(0 == e);
      |     ^~~~~~~~~~~~~~~~~~~~~~~
<source>:9:5: warning: TRUE
<source>:11:3: warning: UNKNOWN
   11 |   __analyzer_eval(0 == e);
      |   ^~~~~~~~~~~~~~~~~~~~~~~
<source>:14:3: warning: UNKNOWN
   14 |   __analyzer_eval(0 == f);
      |   ^~~~~~~~~~~~~~~~~~~~~~~
Compiler returned: 0
```

However, if I change `int e = 1` to `int e = 0` or to `int * e`, the analyzer can find the NPD error correctly. So maybe the cast to pointer from integer leads to the problem.