public inbox for gcc-bugs@sourceware.org
* [Bug analyzer/104274] New: FAIL: gcc.dg/analyzer/pr97029.c (test for excess errors)
@ 2022-01-28 18:57 danglin at gcc dot gnu.org
  2022-02-10 23:02 ` [Bug analyzer/104274] " dmalcolm at gcc dot gnu.org
                   ` (5 more replies)
  0 siblings, 6 replies; 7+ messages in thread
From: danglin at gcc dot gnu.org @ 2022-01-28 18:57 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104274

            Bug ID: 104274
           Summary: FAIL: gcc.dg/analyzer/pr97029.c (test for excess
                    errors)
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: danglin at gcc dot gnu.org
  Target Milestone: ---
              Host: hppa*-*-hpux*
            Target: hppa*-*-hpux*
             Build: hppa*-*-hpux*

spawn -ignore SIGHUP /home/dave/gnu/gcc/objdir64/gcc/xgcc -B/home/dave/gnu/gcc/objdir64/gcc/ /home/dave/gnu/gcc/gcc/gcc/testsuite/gcc.dg/analyzer/pr97029.c -fdiagnostics-plain-output -fanalyzer -Wanalyzer-too-complex -fanalyzer-call-summaries -S -o pr97029.s
/home/dave/gnu/gcc/gcc/gcc/testsuite/gcc.dg/analyzer/pr97029.c: In function 'setjmp':
/home/dave/gnu/gcc/gcc/gcc/testsuite/gcc.dg/analyzer/pr97029.c:6:3: warning: use of uninitialized value 'pl.0' [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
/home/dave/gnu/gcc/gcc/gcc/testsuite/gcc.dg/analyzer/pr97029.c:6:3: note: (1) use of uninitialized value 'pl.0' here
FAIL: gcc.dg/analyzer/pr97029.c (test for excess errors)
Excess errors:
/home/dave/gnu/gcc/gcc/gcc/testsuite/gcc.dg/analyzer/pr97029.c:6:3: warning: use of uninitialized value 'pl.0' [CWE-457] [-Wanalyzer-use-of-uninitialized-value]


* [Bug analyzer/104274] FAIL: gcc.dg/analyzer/pr97029.c (test for excess errors)
From: dmalcolm at gcc dot gnu.org @ 2022-02-10 23:02 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104274

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Last reconfirmed|                            |2022-02-10
     Ever confirmed|0                           |1
             Status|UNCONFIRMED                 |ASSIGNED

--- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Confirmed (with --target=hppa64-hpux11.3)

pr97029.c.006t.gimple with x86_64 has...

VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV    
void setjmp (struct vj pl)
{
  setjmp (pl);
}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


...whereas with --target=hppa64-hpux11.3 has:
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV    
void setjmp (struct vj pl)
{
  struct vj pl.0;

  setjmp (pl.0);
}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

It still happens if I rename the function from "setjmp" to "foo".
It no longer happens if I add a dummy field to the struct.

The temporary "pl.0" is created on hppa by:
#4  0x0000000000aa7b3a in gimplify_parameters (cleanup=cleanup@entry=0x7fffffffd9b0) at ../../src/gcc/function.cc:3939
3926              tree type = TREE_TYPE (data.arg.type);
3927              function_arg_info orig_arg (type, data.arg.named);
3928              if (reference_callee_copied (&all.args_so_far_v, orig_arg))
3929                {
3930                  tree local, t;
3931    
3932                  /* For constant-sized objects, this is trivial; for
3933                     variable-sized objects, we have to play games.  */
3934                  if (TREE_CODE (DECL_SIZE_UNIT (parm)) == INTEGER_CST
3935                      && !(flag_stack_check == GENERIC_STACK_CHECK
3936                           && compare_tree_int (DECL_SIZE_UNIT (parm),
3937                                                STACK_CHECK_MAX_VAR_SIZE) > 0))
3938                    {
3939                      local = create_tmp_var (type, get_name (parm));
3940                      DECL_IGNORED_P (local) = 0;
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

and never assigned to.


* [Bug analyzer/104274] FAIL: gcc.dg/analyzer/pr97029.c (test for excess errors)
From: dmalcolm at gcc dot gnu.org @ 2022-02-10 23:38 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104274

--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
In gimplify_parameters:

x86_64:
(gdb) p data.arg
$2 = {type = <record_type 0x7fffea77cbd0 vj>, mode = E_BLKmode, named = 1, pass_by_reference = 0}

hppa64-hpux11.3:
(gdb) p data.arg
$29 = {type = <pointer_type 0x7fffea73bbd0>, mode = E_DImode, named = 1, pass_by_reference = 1}

so this seems to only be happening for empty structs, when passing them by
reference.

Specifically, for both targets we reach:
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV    
Breakpoint 12, pass_by_reference (ca=0x7fffffffd860, arg=...) at ../../src/gcc/calls.cc:921
921       return targetm.calls.pass_by_reference (pack_cumulative_args (ca), arg);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

and on pa, size == 0, so we pass by reference:

6367    static bool
6368    pa_pass_by_reference (cumulative_args_t, const function_arg_info &arg)
6369    {
6370      HOST_WIDE_INT size = arg.type_size_in_bytes ();
6371      if (TARGET_64BIT)
6372        return size <= 0;
6373      else
6374        return size <= 0 || size > 8;
6375    }

whereas on x86_64, ix86_pass_by_reference returns false.


* [Bug analyzer/104274] FAIL: gcc.dg/analyzer/pr97029.c (test for excess errors)
From: dmalcolm at gcc dot gnu.org @ 2022-02-10 23:50 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104274

--- Comment #3 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
In theory, 

3978                  gimplify_assign (local, parm, &stmts);

ought to be generating a "pl.0 = pl;" assignment, but we're hitting this case
in gimplify_modify_expr:
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV

5927      /* For empty types only gimplify the left hand side and right hand
5928         side as statements and throw away the assignment.  Do this after
5929         gimplify_modify_expr_rhs so we handle TARGET_EXPRs of addressable
5930         types properly.  */
5931      if (is_empty_type (TREE_TYPE (*from_p))
5932          && !want_value
5933          /* Don't do this for calls that return addressable types, expand_call
5934             relies on those having a lhs.  */
5935          && !(TREE_ADDRESSABLE (TREE_TYPE (*from_p))
5936               && TREE_CODE (*from_p) == CALL_EXPR))
(gdb) 
5937        {
5938          gimplify_stmt (from_p, pre_p);
5939          gimplify_stmt (to_p, pre_p);
5940          *expr_p = NULL_TREE;
5941          return GS_ALL_DONE;
5942        }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


* [Bug analyzer/104274] FAIL: gcc.dg/analyzer/pr97029.c (test for excess errors)
From: dmalcolm at gcc dot gnu.org @ 2022-02-10 23:59 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104274

--- Comment #4 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
This patch seems to fix it, but I'm not yet sure if it's the correct fix.

diff --git a/gcc/analyzer/region-model.cc b/gcc/analyzer/region-model.cc
index f8f19769258..9b42e9e983d 100644
--- a/gcc/analyzer/region-model.cc
+++ b/gcc/analyzer/region-model.cc
@@ -843,6 +843,10 @@ region_model::check_for_poison (const svalue *sval,

   if (const poisoned_svalue *poisoned_sval = sval->dyn_cast_poisoned_svalue
())
     {
+      /* Ignore empty types.  */
+      if (sval->get_type () && is_empty_type (sval->get_type ()))
+       return sval;
+
       /* If we have an SSA name for a temporary, we don't want to print
         '<unknown>'.
         Poisoned values are shared by type, and so we can't reconstruct
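
Review bot: the early return added at the top of the poisoned_svalue branch does not look at which kind of poison the value carries, so for an empty type it suppresses every diagnostic check_for_poison would issue, not only the uninitialized-use warning this PR is about. If that is intended, say so in the comment; otherwise gate the return on the uninitialized kind. The comment "Ignore empty types." would also be more useful if it recorded the reason found earlier in the thread, that gimplify_modify_expr throws away assignments of empty types, so such a value can never be seen as initialized. The diff as posted carries no testcase for an empty struct passed as a parameter.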


* [Bug analyzer/104274] FAIL: gcc.dg/analyzer/pr97029.c (test for excess errors)
From: cvs-commit at gcc dot gnu.org @ 2022-02-11 13:47 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104274

--- Comment #5 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:cc68ad87014a331399ccb2528db3bf47fabe6f72

commit r12-7199-gcc68ad87014a331399ccb2528db3bf47fabe6f72
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Thu Feb 10 19:01:30 2022 -0500

    analyzer: ignore uninitialized uses of empty types [PR104274]

    PR analyzer/104274 reports a false positive from
    -Wanalyzer-use-of-uninitialized-value on hppa when passing
    an empty struct as a function parameter.

    pa_pass_by_reference returns true for empty structs, so the
    call is turned into:

      struct empty arg.0;
      arg.0 = arg
      called_function (arg.0);

    by gimplify_parameters.

    However, gimplify_modify_expr discards assignment statements
    of empty types, so that we end up with:

      struct empty arg.0;
      called_function (arg.0);

    which the analyzer considers to be a use of uninitialized "arg.0";

    Given that gimplify_modify_expr will discard any assignments to
    such types, it seems simplest for -Wanalyzer-use-of-uninitialized-value
    to ignore values of empty types.

    gcc/analyzer/ChangeLog:
            PR analyzer/104274
            * region-model.cc (region_model::check_for_poison): Ignore
            uninitialized uses of empty types.

    gcc/testsuite/ChangeLog:
            PR analyzer/104274
            * gcc.dg/analyzer/torture/empty-struct-1.c: New test.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

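
Added example (not part of the thread and not GCC code): a toy C model of the chain the commit message above describes, from the pa_pass_by_reference predicate through the discarded empty-type assignment to the analyzer warning, before and after the patch. The enum, struct and function names are hypothetical, and x86_64 is modeled only for the empty-struct case discussed in this thread.

```c
/* Added illustration, not GCC source.  All names here are hypothetical;
   only the by-reference predicate is taken from the pa.cc listing above. */
#include <stdbool.h>
#include <stdio.h>

enum target { X86_64, PA64, PA32 };

/* PA rows mirror pa_pass_by_reference as quoted in comment #2.  X86_64 is
   modeled only for the case in this thread (returns false). */
static bool pass_by_reference(enum target t, long size)
{
    if (t == PA64) return size <= 0;
    if (t == PA32) return size <= 0 || size > 8;
    return false;
}

struct lowered { bool has_temp; bool temp_assigned; };

/* Models gimplify_parameters plus gimplify_modify_expr: a by-reference
   parameter gets a callee copy "parm.0", but the "parm.0 = parm"
   assignment is thrown away when the type is empty (size 0). */
static struct lowered lower_param(enum target t, long size)
{
    struct lowered l = { false, false };
    if (pass_by_reference(t, size)) {
        l.has_temp = true;
        l.temp_assigned = (size != 0);
    }
    return l;
}

/* True when passing the parameter on would be reported as a use of an
   uninitialized value.  ignore_empty models the check added by the patch. */
static bool warns_uninit(enum target t, long size, bool ignore_empty)
{
    struct lowered l = lower_param(t, size);
    if (!l.has_temp || l.temp_assigned) return false;
    return !(ignore_empty && size == 0);
}

int main(void)
{
    printf("pa64 empty, before patch: %d\n", warns_uninit(PA64, 0, false));
    printf("pa64 empty, after patch:  %d\n", warns_uninit(PA64, 0, true));
    printf("x86_64 empty:             %d\n", warns_uninit(X86_64, 0, false));
    printf("pa64 one int field:       %d\n", warns_uninit(PA64, 4, false));
    return 0;
}
```

The last row corresponds to the observation in comment #1 that adding a dummy field to the struct makes the warning go away.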

* [Bug analyzer/104274] FAIL: gcc.dg/analyzer/pr97029.c (test for excess errors)
From: dmalcolm at gcc dot gnu.org @ 2022-02-11 13:53 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104274

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #6 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Should be fixed by the above patch (I tested pr97029.c successfully with
--target=hppa64-hpux11.3); marking as resolved.
