public inbox for gcc-bugs@sourceware.org
* [Bug analyzer/103658] New: missing -Wanalyzer-use-of-uninitialized-value at -O1 and below for an array access
From: msebor at gcc dot gnu.org @ 2021-12-10 21:30 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103658

            Bug ID: 103658
           Summary: missing -Wanalyzer-use-of-uninitialized-value at -O1
                    and below for an array access
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: msebor at gcc dot gnu.org
  Target Milestone: ---

I came across this while comparing the middle end -Wuninitialized with 
-Wanalyzer-use-of-uninitialized-value.  They both trigger at -O2.  At -O1, only
-Wuninitialized triggers, even though the IL looks the same between the two
levels (as far as I can tell).

$ cat z.c && gcc -O1 -S -Wall -fdump-tree-uninit=/dev/stdout -fanalyzer z.c
int f (int i, int j)
{
  int a[3];
  a[0] = 1;
  a[1] = 2;

  if (i < 1) i = 1;
  if (j < 1) j = 1;
  return a[i + j];
}

;; Function f (f, funcdef_no=0, decl_uid=1979, cgraph_uid=1, symbol_order=0)

z.c: In function ‘f’:
z.c:9:11: warning: ‘a’ is used uninitialized [-Wuninitialized]
    9 |   return a[i + j];
      |          ~^~~~~~~
z.c:3:7: note: ‘a’ declared here
    3 |   int a[3];
      |       ^
int f (int i, int j)
{
  int a[3];
  int _1;
  int _6;
  int _8;
  int _9;

  <bb 2> [local count: 1073741824]:
  _8 = MAX_EXPR <i_5(D), 1>;
  _6 = MAX_EXPR <j_7(D), 1>;
  _1 = _6 + _8;
  _9 = a[_1];
  a ={v} {CLOBBER};
  return _9;

}


* [Bug analyzer/103658] missing -Wanalyzer-use-of-uninitialized-value at -O1 and below for an array access
From: msebor at gcc dot gnu.org @ 2021-12-10 21:46 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103658

--- Comment #1 from Martin Sebor <msebor at gcc dot gnu.org> ---
Actually, what I was really after is trying to see if the analyzer would print
the conditionals involved in the subscript expressions.  But in the simple test
case in comment #0 there are no conditionals.  They are here:

int f (int i, int j)
{
  int a[3];
  a[0] = 1;
  a[1] = 2;

  if (i < 1 || 3 < i) i = 1;
  if (j < 1 || 5 < j) j = 1;
  return a[i + j];
}

but it doesn't print them even at -O2 when it does warn:

z.c: In function ‘f’:
z.c:9:11: warning: use of uninitialized value ‘a[<unknown>]’ [CWE-457]
[-Wanalyzer-use-of-uninitialized-value]
    9 |   return a[i + j];
      |          ~^~~~~~~
  ‘f’: event 1
    |
    |    9 |   return a[i + j];
    |      |          ~^~~~~~~
    |      |           |
    |      |           (1) use of uninitialized value ‘a[<unknown>]’ here
    |

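As an added example, not code from the bug report or from GCC itself: the reporter's testcase from comment #1 beside a hardened variant that initializes every element and bounds-checks the computed index before the read. The names f_unsafe, f_checked and the out-parameter are chosen here.

```c
#include <stddef.h>

/* Shape of the testcase in comment #1: i and j are clamped to >= 1, so
   i + j is at least 2; a[2] is never written and any index above 2 is
   past the end of a[].  Kept only to show what the diagnostics target;
   it is never called. */
int f_unsafe (int i, int j)
{
  int a[3];
  a[0] = 1;
  a[1] = 2;

  if (i < 1 || 3 < i) i = 1;
  if (j < 1 || 5 < j) j = 1;
  return a[i + j];
}

/* Hardened variant (added here, not from the report): every element is
   initialized, and the index is checked against the array bound before
   it is used as a subscript.  Returns 0 and stores the element through
   *out, or -1 when the index would fall outside a[]. */
int f_checked (int i, int j, int *out)
{
  int a[3] = { 1, 2, 3 };          /* fully initialized: no a[<unknown>] read */
  const size_t n = sizeof a / sizeof a[0];

  if (i < 1 || 3 < i) i = 1;
  if (j < 1 || 5 < j) j = 1;

  /* After the clamps i + j is in [2, 8]; only 2 is a valid subscript.
     Compute the index in size_t and compare with n before the read. */
  size_t idx = (size_t) i + (size_t) j;
  if (idx >= n)
    return -1;                     /* would be out of bounds: refuse */
  *out = a[idx];
  return 0;
}
```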

* [Bug analyzer/103658] missing -Wanalyzer-use-of-uninitialized-value at -O1 and below for an array access
From: dmalcolm at gcc dot gnu.org @ 2022-02-09 20:59 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103658

--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Note that with -fno-analyzer-state-merge, -fanalyzer warns without optimization
and shows the conditionals you hoped to see:

./xgcc -B. -S -fanalyzer /tmp/foo.c -fno-analyzer-state-merge 
/tmp/foo.c: In function 'f':
/tmp/foo.c:9:11: warning: use of uninitialized value 'a[<unknown>]' [CWE-457]
[-Wanalyzer-use-of-uninitialized-value]
    9 |   return a[i + j];
      |          ~^~~~~~~
  'f': events 1-6
    |
    |    3 |   int a[3];
    |      |       ^
    |      |       |
    |      |       (1) region created on stack here
    |......
    |    7 |   if (i < 1) i = 1;
    |      |      ~       ~~~~~
    |      |      |         |
    |      |      |         (3) ...to here
    |      |      (2) following 'true' branch (when 'i <= 0')...
    |    8 |   if (j < 1) j = 1;
    |      |      ~       ~~~~~
    |      |      |         |
    |      |      |         (5) ...to here
    |      |      (4) following 'true' branch (when 'j <= 0')...
    |    9 |   return a[i + j];
    |      |          ~~~~~~~~
    |      |           |
    |      |           (6) use of uninitialized value 'a[<unknown>]' here
    |

Not sure why it's printing <unknown> for the index though.


* [Bug analyzer/103658] missing -Wanalyzer-use-of-uninitialized-value at -O1 and below for an array access
From: dmalcolm at gcc dot gnu.org @ 2022-02-09 21:12 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103658

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WONTFIX
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #3 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
The analyzer is merging the paths after each conditional by default, which can
be disabled via -fno-analyzer-state-merge as noted in comment #2 above.

I don't plan to change this behavior as this appears to be an artificially
constructed testcase rather than real-world code; resolving this as WONTFIX.

