Bug 109191 - GCC static analyzer does not warning `*b = 1` where `b` is 1.
Summary: GCC static analyzer does not warning `*b = 1` where `b` is 1.
Status: RESOLVED INVALID
Alias: None
Product: gcc
Classification: Unclassified
Component: analyzer (show other bugs)
Version: 13.0
: P3 normal
Target Milestone: ---
Assignee: David Malcolm
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-03-19 10:06 UTC by Geoffrey
Modified: 2024-02-15 17:59 UTC (History)
0 users

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Geoffrey 2023-03-19 10:06:14 UTC 
There is a false nagetive. GCC static analyzer does not warning `*b = 1` where `b` is 1. 

In the following case, the value of all elements is 0 except for the a[0][0][0] which is 1. Dereferencing the pointer variable `b` will result in a crash. I compiled and ran the program with gcc (version: 13.0.0) and it triggered the following error: Segmentation fault (core dumped), the analyzer did not generate an NPD warning.

See it live: https://godbolt.org/z/PY1hxfjY5

```c
#include "stdio.h"
void main()
{
    int a[3][2][1] = {1};
    int *b = (void *)a[0][0][1];
    *b = 1;
}
```
Comment 1 David Malcolm 2023-03-20 20:20:30 UTC 
GCC does emit a -Wint-to-pointer-cast warning on this code, for the int to void * conversion.

Is this reduced from a real-world example, or just synthesized by hand?

I suppose in theory the analyzer could:

(a) figure out that it reads all zeroes from the array and complain about the null pointer deref, and/or

(b) complain that we're accessing beyond the end of an array
Comment 2 David Malcolm 2023-03-20 20:55:12 UTC 
It is valid in the embedded space to do things like

   *(SOME_CONSTANT_ADDRESS) = SOME_VALUE;
Comment 3 David Malcolm 2024-02-15 17:59:08 UTC 
Resolving as "INVALID"; feel free to reopen if there's a response to the above questions.