[Bug analyzer/106319] New: False positives from -Wanalyzer-va-arg-type-mismatch on int promotion

[Bug analyzer/106319] New: False positives from -Wanalyzer-va-arg-type-mismatch on int promotion

[dmalcolm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106319

            Bug ID: 106319
           Summary: False positives from -Wanalyzer-va-arg-type-mismatch
                    on int promotion
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: dmalcolm at gcc dot gnu.org
  Target Milestone: ---

Consider e.g.:

static void __attribute__((noinline))
__analyzer_consume_n_ints (int num, ...)
{
  __builtin_va_list ap;
  __builtin_va_start (ap, num);

  int i, v;
  for (i = 0; i < num; i++)
    v = __builtin_va_arg (ap, int);

  __builtin_va_end (ap);
}

void test_int (int x)
{
  __analyzer_consume_n_ints (1, x);
}

void test_3_ints (int x, int y, int z)
{
  __analyzer_consume_n_ints (3, x, y, z);
}

void test_short (short s)
{
  __analyzer_consume_n_ints (1, s);
}

Currently we emit this false postive:

../../src/gcc/testsuite/gcc.dg/analyzer/stdarg-types-3.c: In function
‘__analyzer_consume_n_ints’:
../../src/gcc/testsuite/gcc.dg/analyzer/stdarg-types-3.c:9:7: warning: ‘va_arg’
expected ‘int’ but received ‘short int’ for variadic argument 1 of ‘ap’
[CWE-686] [-Wanalyzer-va-arg-type-mismatch]
    9 |     v = __builtin_va_arg (ap, int);
      |     ~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ‘test_short’: events 1-2
    |
    |   24 | void test_short (short s)
    |      |      ^~~~~~~~~~
    |      |      |
    |      |      (1) entry to ‘test_short’
    |   25 | {
    |   26 |   __analyzer_consume_n_ints (1, s);
    |      |   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |   |
    |      |   (2) calling ‘__analyzer_consume_n_ints’ from ‘test_short’ with 1
variadic argument
    |
    +--> ‘__analyzer_consume_n_ints’: events 3-6
           |
           |    2 | __analyzer_consume_n_ints (int num, ...)
           |      | ^~~~~~~~~~~~~~~~~~~~~~~~~
           |      | |
           |      | (3) entry to ‘__analyzer_consume_n_ints’
           |......
           |    8 |   for (i = 0; i < num; i++)
           |      |               ~~~~~~~
           |      |                 |
           |      |                 (4) following ‘true’ branch (when ‘i <
num’)...
           |    9 |     v = __builtin_va_arg (ap, int);
           |      |     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           |      |       |
           |      |       (5) ...to here
           |      |       (6) ‘va_arg’ expected ‘int’ but received ‘short int’
for variadic argument 1 of ‘ap’
           |

Reproducer: https://godbolt.org/z/6xrvErbov

>From https://en.cppreference.com/w/c/language/variadic :
"At the function call, each argument that is a part of the variable argument
list undergoes special implicit conversions known as default argument
promotions."

From
https://en.cppreference.com/w/c/language/conversion#Default_argument_promotions
:
"In a function call expression when the call is made to
  1) a function without a prototype
  2) a variadic function, where the argument expression is one of the trailing
arguments that are matched against the ellipsis parameter
Each argument of integer type undergoes integer promotion (see below), and each
argument of type float is implicitly converted to the type double"


>From https://en.cppreference.com/w/c/language/conversion#Integer_promotions :
"Integer promotion is the implicit conversion of a value of any integer type
with rank less or equal to rank of int or of a bit field of type _Bool, int,
signed int, unsigned int, to the value of type int or unsigned int.
If int can represent the entire range of values of the original type (or the
range of values of the original bit field), the value is converted to type int.
Otherwise the value is converted to unsigned int."

Seen on Linux kernel e.g. in drivers/input/keyboard/lm8323.c, where we falsely
complain in lm8323_write_pwm_one about:
  418 |         lm8323_write(pwm->chip, 4, 

with 4 args: int, int, int, u16; the u16 should be promoted to int.

[Bug analyzer/106319] False positives from -Wanalyzer-va-arg-type-mismatch on int promotion

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106319

--- Comment #1 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:db613e8fa841259f74740665ee9e508bd73ea1c4

commit r13-1848-gdb613e8fa841259f74740665ee9e508bd73ea1c4
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Tue Jul 26 17:17:18 2022 -0400

    analyzer: fix false +ves from -Wanalyzer-va-arg-type-mismatch on int
promotion [PR106319]

    gcc/analyzer/ChangeLog:
            PR analyzer/106319
            * store.cc (store::set_value): Don't strip away casts if the
            region has NULL type.

    gcc/testsuite/ChangeLog:
            PR analyzer/106319
            * gcc.dg/analyzer/stdarg-types-3.c: New test.
            * gcc.dg/analyzer/stdarg-types-4.c: New test.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

[Bug analyzer/106319] False positives from -Wanalyzer-va-arg-type-mismatch on int promotion

[dmalcolm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106319

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|UNCONFIRMED                 |RESOLVED
            Version|12.0                        |13.0

--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Should be fixed by the above patch.