[Bug analyzer/105784] New: -Wanalyzer-use-of-uninitialized-value false positive on partly initialized array

eggert at cs dot ucla.edu gcc-bugzilla@gcc.gnu.org
Tue May 31 02:13:43 GMT 2022


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105784

            Bug ID: 105784
           Summary: -Wanalyzer-use-of-uninitialized-value false positive
                    on partly initialized array
           Product: gcc
           Version: 12.1.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: eggert at cs dot ucla.edu
  Target Milestone: ---

Created attachment 53056
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=53056&action=edit
False positive with -O2 -fanalyzer -Wanalyzer-use-of-uninitialized-value

I found this bug with GCC 12.1.1 20220507 (Red Hat 12.1.1-1) on x86-64. Compile
the attached program x.i (which is simplified from GNU Emacs master) with:

gcc -O2 -fanalyzer -Wanalyzer-use-of-uninitialized-value -S x.i

The GCC output is as follows. This is a false positive, since *src must point
into the initialized part of the array.

x.i: In function ‘ccl_driver’:
x.i:13:11: warning: use of uninitialized value ‘*src’ [CWE-457]
[-Wanalyzer-use-of-uninitialized-value]
   13 |         i = *src++;
      |         ~~^~~~~~~~
  ‘Fccl_execute_on_string’: events 1-5
    |
    |   19 | Fccl_execute_on_string (char *str, long str_bytes)
    |      | ^~~~~~~~~~~~~~~~~~~~~~
    |      | |
    |      | (1) entry to ‘Fccl_execute_on_string’
    |......
    |   25 |       int source[1024];
    |      |           ~~~~~~
    |      |           |
    |      |           (2) region created on stack here
    |......
    |   28 |       while (src_size < 1024 && p < endp)
    |      |              ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                              |
    |      |                              (3) following ‘false’ branch...
    |......
    |   31 |       ccl_driver (source, src_size);
    |      |       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |       |
    |      |       (4) ...to here
    |      |       (5) calling ‘ccl_driver’ from ‘Fccl_execute_on_string’
    |
    +--> ‘ccl_driver’: events 6-11
           |
           |    5 | ccl_driver (int *source, int src_size)
           |      | ^~~~~~~~~~
           |      | |
           |      | (6) entry to ‘ccl_driver’
           |......
           |   10 |   while (!quit_flag)
           |      |          ~~~~~~~~~~
           |      |          |
           |      |          (7) following ‘false’ branch...
           |   11 |     {
           |   12 |       if (src < src_end)
           |      |          ~
           |      |          |
           |      |          (8) ...to here
           |      |          (9) following ‘true’ branch (when ‘src < src_end’)...
           |   13 |         i = *src++;
           |      |         ~~~~~~~~~~
           |      |           |     |
           |      |           |     (10) ...to here
           |      |           (11) use of uninitialized value ‘*src’ here
           |
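The attachment x.i is not reproduced on this page. The following is an added reconstruction of the pattern the diagnostic path describes, not the reporter's program: a fixed-size stack array is filled only up to a runtime count, and every later read is bounded by that same count, so the pointer never reaches the uninitialized tail. Function and variable names follow the events in the report; the bodies, the SOURCE_CAP constant, the return values and the sum_of_ones helper are assumptions made for the example.

```c
#include <assert.h>
#include <stdio.h>

/* Hypothetical reconstruction of the shape behind the report (names from the
 * diagnostic, bodies assumed). Only source[0 .. src_size) is ever written;
 * the remaining slots stay uninitialized on purpose. */
#define SOURCE_CAP 1024

/* Consumer: reads only the prefix [0, src_size). The bound src_end is derived
 * from the count the producer passed in, so *src is always an initialized
 * element. Returns the sum so the in-bounds behaviour can be checked. */
long ccl_driver(const int *source, int src_size)
{
    const int *src = source;
    const int *src_end = source + src_size;   /* end of the initialized prefix */
    long total = 0;
    int quit_flag = 0;

    while (!quit_flag)
    {
        if (src < src_end)
        {
            int i = *src++;   /* the read flagged as ‘use of uninitialized value’ */
            total += i;
        }
        else
            quit_flag = 1;    /* prefix exhausted: nothing beyond it is ever read */
    }
    return total;
}

/* Producer: widens at most SOURCE_CAP input bytes into the int array and hands
 * the consumer the count of slots actually filled. */
long Fccl_execute_on_string(const char *str, long str_bytes)
{
    int source[SOURCE_CAP];          /* region created on stack; partly filled */
    const char *p = str;
    const char *endp = str + str_bytes;
    int src_size = 0;

    while (src_size < SOURCE_CAP && p < endp)
        source[src_size++] = (unsigned char) *p++;

    assert(src_size <= SOURCE_CAP);  /* the invariant the analyzer has to carry */
    return ccl_driver(source, src_size);
}

/* Helper for the example: feeds nbytes bytes of value 1 (a constructed input),
 * so the result equals the number of bytes consumed and shows the cap. */
long sum_of_ones(long nbytes)
{
    static char ones[4096];
    long n = nbytes < (long) sizeof ones ? nbytes : (long) sizeof ones;
    for (long k = 0; k < n; k++)
        ones[k] = 1;
    return Fccl_execute_on_string(ones, n);
}

int main(void)
{
    printf("sum over \"abc\": %ld\n", Fccl_execute_on_string("abc", 3));
    printf("bytes consumed from 2000: %ld\n", sum_of_ones(2000));
    return 0;
}
```

Every dereference of src happens under `src < src_end`, and src_end is `source + src_size`, where src_size is exactly the number of slots the producer wrote; that relation between the count and the written prefix is what the analyzer's summary of the call loses, and the assert above states it at runtime.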

