[Bug analyzer/103546] Analyzer reports null dereference in flex scanners
dmalcolm at gcc dot gnu.org
gcc-bugzilla@gcc.gnu.org
Wed Jan 5 21:55:24 GMT 2022
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103546
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
What                |Removed     |Added
----------------------------------------------------------------------------
Last reconfirmed    |            |2022-01-05
Ever confirmed      |0           |1
Status              |UNCONFIRMED |ASSIGNED
--- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Thanks for filing this bug report; I too see the false positive (tested with trunk).

It seems to be an issue with alias handling in the analyzer: if I'm debugging things correctly, it seems the analyzer "thinks" that various writes through unrelated pointers could clobber the value of yy_buffer_stack. Hence we end up with code paths in which yy_buffer_stack is non-NULL, then a write through a pointer happens that the analyzer treats as possibly clobbering yy_buffer_stack, and so it could theoretically be NULL at a subsequent test for NULL, and hence we have false positives in which yy_buffer_stack is erroneously treated as being NULL after yyensure_buffer_stack has returned.

It might be possible to fix this by "teaching" the analyzer about TBAA (type-based alias analysis) so that it can reject some kinds of clobbering; I'm not yet sure.
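The sequence the comment describes (ensure the global is non-NULL, store through an unrelated pointer, dereference the global again), reduced to a stand-alone C model. This is an added illustration for this report, not flex's generated scanner code and not a reproducer the report itself provides: the type and function names are borrowed from flex's idiom, the bodies are a hypothetical simplification, and whether `gcc -fanalyzer -c` on this particular reduction still emits the diagnostic is something to check rather than assume.

```c
#include <stdlib.h>

/* Hypothetical reduction of flex's buffer-stack idiom, written for this
   report's discussion; it is not flex's generated scanner code. */
typedef struct yy_buffer_state {
    char *yy_buf_pos;
    int   yy_n_chars;
} *YY_BUFFER_STATE;

static YY_BUFFER_STATE *yy_buffer_stack = NULL; /* NULL until first use */
static size_t yy_buffer_stack_top = 0;
static size_t yy_buffer_stack_max = 0;
static char  *yy_c_buf_p = NULL;   /* scanner state, unrelated to the stack */
static int    yy_n_chars = 0;

/* Two constructed buffer states used by main() below as sample input. */
static struct yy_buffer_state demo_a, demo_b;

/* Allocates the stack on first use; on return yy_buffer_stack != NULL. */
static void yyensure_buffer_stack(void)
{
    if (yy_buffer_stack)
        return;
    yy_buffer_stack_max = 1;
    yy_buffer_stack = calloc(yy_buffer_stack_max, sizeof(*yy_buffer_stack));
    if (!yy_buffer_stack)
        abort();
}

/* The sequence at issue: the stack is ensured non-NULL, a store goes
   through an unrelated pointer (here the fields of `cur`), and then
   yy_buffer_stack is dereferenced. Under C's effective-type rules a
   store to a char* or int field cannot modify the YY_BUFFER_STATE*
   object yy_buffer_stack, which is the kind of fact TBAA could supply.
   Caveat: a store through a plain char* (e.g. `*yy_c_buf_p = c`) is
   allowed to alias any object, so TBAA alone would not settle that
   case. Returns 1 when the new buffer is installed at the stack top. */
static int yy_switch_to_buffer_model(YY_BUFFER_STATE cur,
                                     YY_BUFFER_STATE new_buffer)
{
    yyensure_buffer_stack();

    if (cur) {
        cur->yy_buf_pos = yy_c_buf_p;   /* write through an unrelated pointer */
        cur->yy_n_chars = yy_n_chars;
    }

    /* Dereference after yyensure_buffer_stack() has returned: this is
       the kind of access the report says is wrongly flagged as a
       possible NULL dereference. */
    yy_buffer_stack[yy_buffer_stack_top] = new_buffer;
    return yy_buffer_stack[yy_buffer_stack_top] == new_buffer;
}

/* Frees the stack so a later call exercises the lazy allocation again. */
static void yy_free_buffer_stack_model(void)
{
    free(yy_buffer_stack);
    yy_buffer_stack = NULL;
    yy_buffer_stack_max = 0;
}

int main(void)
{
    int ok = yy_switch_to_buffer_model(&demo_a, &demo_b);
    yy_free_buffer_stack_model();
    return ok ? 0 : 1;
}
```

Compile with `gcc -fanalyzer -c model.c` to see what the analyzer concludes about the dereference after the store through `cur`; a plain `gcc model.c && ./a.out` shows the code itself is sound.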