GCC Static Analyzer evaluates `((l_42 , 0UL)-1) <= ((l_42)-1)` to be "FALSE" in the true branch of `if (((l_42 , 0UL) <= l_42 ))`

Geoffrey1014 commented 1 year ago

date: 2022-12-29 Commit: 8c8ca873216387bc26046615c806b96f0345ff9d args: -O0 -fanalyzer test:

#include "stdio.h"
#include <stdint.h>
#include <stdbool.h>

int foo(int a, int b) {
    int l_42 = 1UL;
    if (((l_42 , 0UL) <= l_42 )){
        //fact
        __analyzer_eval(((l_42 , 0UL) <= l_42)==true);
        __analyzer_eval((((l_42 , 0UL))+0)<=((l_42)+0));
        __analyzer_eval((((l_42 , 0UL))+0)<=((l_42)+1));
        __analyzer_eval((((l_42 , 0UL))+1)<=((l_42)+1));
        __analyzer_eval((((l_42 , 0UL))+0)<=((l_42)+2));
        __analyzer_eval((((l_42 , 0UL))+1)<=((l_42)+2));
        __analyzer_eval((((l_42 , 0UL))+2)<=((l_42)+2));
        __analyzer_eval((((l_42 , 0UL))-0)<=((l_42)-0));

        __analyzer_eval(((l_42 , 0UL)-1) <= ((l_42)-0));    
        __analyzer_eval(((l_42 , 0UL)-1) <= ((l_42)-1));

    }
}

report: fix: original:

Geoffrey1014 commented 1 year ago

https://godbolt.org/z/9qG3W6Ys5

Geoffrey1014 commented 1 year ago

GSA does the evaluation of unsigned int right.

Geoffrey1014 / SA_Bugs

GCC Static Analyzer evaluates `((l_42 , 0UL)-1) <= ((l_42)-1)` to be "FALSE" in the true branch of `if (((l_42 , 0UL) <= l_42 ))` #27