From: "dmalcolm at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/106383] New: False positives from -Wanalyzer-va-list-exhausted
Date: Thu, 21 Jul 2022 14:38:38 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106383

            Bug ID: 106383
           Summary: False positives from -Wanalyzer-va-list-exhausted
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: dmalcolm at gcc dot gnu.org
            Blocks: 106358
  Target Milestone: ---

https://godbolt.org/z/c87abh5vc

Given:

typedef __builtin_va_list va_list;

struct printf_spec {
  unsigned int type;
};

int format_decode(const char *fmt,
                  struct printf_spec *spec);

static int vbin_printf(const char *fmt, va_list args) {
  struct printf_spec spec;
  int width = 0;

  while (*fmt) {
    int read = format_decode(fmt, &spec);

    fmt += read;

    switch (spec.type) {
    case 0:
      break;
    case 1:
      width = __builtin_va_arg(args, int);
      break;
    }
  }

  return width;
}

int bprintf(const char *fmt, ...) {
  va_list args;
  int ret;

  __builtin_va_start(args, fmt);
  ret = vbin_printf(fmt, args);
  __builtin_va_end(args);
  return ret;
}

we get this false positive with trunk with -fanalyzer:

../../src/vsprintf.c: In function ‘vbin_printf’:
../../src/vsprintf.c:23:13: warning: ‘args’ has no more arguments (0 consumed) [CWE-685] [-Wanalyzer-va-list-exhausted]
   23 |       width = __builtin_va_arg(args, int);
      |       ~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ‘bprintf’: events 1-2
    |
    |   31 | int bprintf(const char *fmt, ...) {
    |      |     ^~~~~~~
    |      |     |
    |      |     (1) entry to ‘bprintf’
    |......
    |   36 |   ret = vbin_printf(fmt, args);
    |      |         ~~~~~~~~~~~~~~~~~~~~~~
    |      |         |
    |      |         (2) calling ‘vbin_printf’ from ‘bprintf’
    |
    +--> ‘vbin_printf’: events 3-6
           |
           |   10 | static int vbin_printf(const char *fmt, va_list args) {
           |      |            ^~~~~~~~~~~
           |      |            |
           |      |            (3) entry to ‘vbin_printf’
           |......
           |   14 |   while (*fmt) {
           |      |          ~
           |      |          |
           |      |          (4) following ‘true’ branch...
           |   15 |     int read = format_decode(fmt, &spec);
           |      |                ~~~~~~~~~~~~~~~~~~~~~~~~~
           |      |                |
           |      |                (5) ...to here
           |......
           |   23 |       width = __builtin_va_arg(args, int);
           |      |       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           |      |             |
           |      |             (6) ‘args’ has no more arguments (0 consumed)
           |

Reduced from Linux kernel: lib/vsprintf.c


Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358
[Bug 106358] [meta-bug] tracker bug for building the Linux kernel with -fanalyzer