Created attachment 53056
False positive with -O2 -fanalyzer -Wanalyzer-use-of-uninitialized-value

I found this bug with GCC 12.1.1 20220507 (Red Hat 12.1.1-1) on x86-64. Compile the attached program x.i (which is simplified from GNU Emacs master) with:

  gcc -O2 -fanalyzer -Wanalyzer-use-of-uninitialized-value -S x.i

The GCC output is as follows. This is a false positive, since *src must point into the initialized part of the array.

x.i: In function ‘ccl_driver’:
x.i:13:11: warning: use of uninitialized value ‘*src’ [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
   13 |         i = *src++;
      |           ~~^~~~~~~~
  ‘Fccl_execute_on_string’: events 1-5
    |
    |   19 | Fccl_execute_on_string (char *str, long str_bytes)
    |      | ^~~~~~~~~~~~~~~~~~~~~~
    |      | |
    |      | (1) entry to ‘Fccl_execute_on_string’
    |......
    |   25 |   int source[1024];
    |      |       ~~~~~~
    |      |       |
    |      |       (2) region created on stack here
    |......
    |   28 |   while (src_size < 1024 && p < endp)
    |      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |         |
    |      |         (3) following ‘false’ branch...
    |......
    |   31 |   ccl_driver (source, src_size);
    |      |   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |   |
    |      |   (4) ...to here
    |      |   (5) calling ‘ccl_driver’ from ‘Fccl_execute_on_string’
    |
    +--> ‘ccl_driver’: events 6-11
           |
           |    5 | ccl_driver (int *source, int src_size)
           |      | ^~~~~~~~~~
           |      | |
           |      | (6) entry to ‘ccl_driver’
           |......
           |   10 |   while (!quit_flag)
           |      |          ~~~~~~~~~~
           |      |          |
           |      |          (7) following ‘false’ branch...
           |   11 |     {
           |   12 |       if (src < src_end)
           |      |       ~
           |      |       |
           |      |       (8) ...to here
           |      |       (9) following ‘true’ branch (when ‘src < src_end’)...
           |   13 |         i = *src++;
           |      |         ~~~~~~~~~~
           |      |         |
           |      |         (10) ...to here
           |      |         (11) use of uninitialized value ‘*src’ here
           |
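For readers who want to check the pattern against their own toolchain, the following is an added example program written in the same shape as the fragments quoted in the diagnostic above. It is not the attached x.i and it is not the reporter's or the Emacs project's code: the function names, the 1024-element stack buffer and the two loop conditions are taken from the diagnostic, while the function bodies, the `quit_flag` global, the summing logic and the `run_overlong_input` helper are assumptions made here. Whether a given GCC 12 build reports the PR105784 false positive on this exact text is not verified; compile it with `gcc -O2 -fanalyzer -Wanalyzer-use-of-uninitialized-value -S` to see what your version does.

```c
/* Added example, not the attachment x.i. Reconstructed from the shape of
   the diagnostic in the bug report; bodies and helper are assumptions. */
#include <stddef.h>
#include <stdio.h>

/* Assumed global: the diagnostic shows `while (!quit_flag)` as the loop
   condition. volatile so the loop is a real runtime check. */
static volatile int quit_flag = 0;

/* Walk the initialized prefix of `source` (its length is `src_size`) and
   return the sum of its elements. Only elements strictly below src_end are
   read, so every *src dereferenced here was written by the caller. */
int ccl_driver (int *source, int src_size)
{
  int *src = source;
  int *src_end = source + src_size;   /* src_size == 0 gives (PTR + 0) */
  int sum = 0;
  int i;

  while (!quit_flag)
    {
      if (src < src_end)
        {
          i = *src++;   /* the line GCC 12's analyzer warned about */
          sum += i;
        }
      else
        break;          /* assumed: stop once the prefix is consumed */
    }
  return sum;
}

/* Copy up to 1024 bytes of `str` into a stack array, then hand the
   initialized prefix and its length to ccl_driver. Elements at or beyond
   src_size are never written and never read. */
int Fccl_execute_on_string (char *str, long str_bytes)
{
  int source[1024];
  int src_size = 0;
  char *p = str;
  char *endp = str + str_bytes;

  while (src_size < 1024 && p < endp)
    source[src_size++] = (unsigned char) *p++;

  return ccl_driver (source, src_size);
}

/* Assumed helper: feed more bytes than the buffer holds and confirm that
   only the first 1024 are consumed (4096 constructed 'x' bytes). */
int run_overlong_input (void)
{
  static char buf[4096];
  for (size_t k = 0; k < sizeof buf; k++)
    buf[k] = 'x';
  return Fccl_execute_on_string (buf, (long) sizeof buf);
}

int main (void)
{
  printf ("sum of \"abc\": %d\n", Fccl_execute_on_string ("abc", 3));
  printf ("sum of empty input: %d\n", Fccl_execute_on_string ("", 0));
  printf ("sum of overlong input: %d\n", run_overlong_input ());
  return 0;
}
```

The reason the warning is a false positive is visible in the data flow: `ccl_driver` only dereferences pointers below `source + src_size`, and `Fccl_execute_on_string` has written every element below that bound before the call. The commit that closes this report names the folding `(PTR + 0) => PTR`; in this program the `source + src_size` expression with a zero-length input is one place that shape arises.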
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:3a32fb2eaa761aac13ffe5424748d5839038ef66

commit r13-4398-g3a32fb2eaa761aac13ffe5424748d5839038ef66
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Tue Nov 29 19:56:27 2022 -0500

    analyzer: fix folding of '(PTR + 0) => PTR' [PR105784]

    gcc/analyzer/ChangeLog:
        PR analyzer/105784
        * region-model-manager.cc (region_model_manager::maybe_fold_binop):
        For POINTER_PLUS_EXPR, PLUS_EXPR and MINUS_EXPR, eliminate
        requirement that the final type matches that of arg0 in favor of a
        cast.

    gcc/testsuite/ChangeLog:
        PR analyzer/105784
        * gcc.dg/analyzer/torture/fold-ptr-arith-pr105784.c: New test.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>
Thanks for filing this bug. Should be fixed on trunk for GCC 13 by the above patch. Still affects GCC 12: https://godbolt.org/z/K7fosxvab I'm keeping this bug open to track backporting the fix there.
The releases/gcc-12 branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:1c66f1c6d69dbe0a855f7adb61df8d92ca523899

commit r12-9359-g1c66f1c6d69dbe0a855f7adb61df8d92ca523899
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Wed Mar 29 14:16:47 2023 -0400

    analyzer: fix folding of '(PTR + 0) => PTR' [PR105784]

    Cherrypicked from r13-4398-g3a32fb2eaa761a.

    gcc/analyzer/ChangeLog:
        PR analyzer/105784
        * region-model-manager.cc (region_model_manager::maybe_fold_binop):
        For POINTER_PLUS_EXPR, PLUS_EXPR and MINUS_EXPR, eliminate
        requirement that the final type matches that of arg0 in favor of a
        cast.

    gcc/testsuite/ChangeLog:
        PR analyzer/105784
        * gcc.dg/analyzer/torture/fold-ptr-arith-pr105784.c: New test.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>
Should be fixed on gcc 12 branch by the above; marking as resolved.