From: "dmalcolm at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/107072] New: Analyzer call summarization not taking into account side-effects of calls
Date: Wed, 28 Sep 2022 15:57:32 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107072

            Bug ID: 107072
           Summary: Analyzer call summarization not taking into account
                    side-effects of calls
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: dmalcolm at gcc dot gnu.org
            Blocks: 99390, 107060
  Target Milestone: ---

Created attachment 53637
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=53637&action=edit
Reproducer reduced from PR 107060

-fanalyzer-call-summaries doesn't seem to be taking account of the side-effects
of calls; it emits lots of -Wanalyzer-use-of-uninitialized-value false positives
on the reproducer for PR 107060.

I'm attaching a minimized version, which emits these false positives:

$ ./xgcc -B. -S -fanalyzer ../../src/uninit.c -fanalyzer-call-summaries
../../src/uninit.c: In function ‘fetch_string_char_advance’:
../../src/uninit.c:52:7: warning: use of uninitialized value ‘chlen’ [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
   52 |       b += chlen;
      |         ^~
  ‘fetch_string_char_advance’: events 1-5
    |
    |   49 |   if (STRING_MULTIBYTE(string)) {
    |      |                                 ~   
    |      |                                 |
    |      |                                 (3) following ‘true’ branch...
    |   50 |     int chlen;
    |      |         ^~~~~
    |      |         |
    |      |         (1) region created on stack here
    |      |         (2) capacity: 4 bytes
    |   51 |     output = string_char_and_length(chp, &chlen);
    |      |              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |              |
    |      |              (4) ...to here
    |   52 |     b += chlen;
    |      |       ~~ 
    |      |       |
    |      |       (5) use of uninitialized value ‘chlen’ here
    |
../../src/uninit.c: In function ‘fetch_string_char_as_multibyte_advance’:
../../src/uninit.c:70:7: warning: use of uninitialized value ‘chlen’ [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
   70 |       b += chlen;
      |         ^~
  ‘fetch_string_char_as_multibyte_advance’: events 1-5
    |
    |   67 |   if (STRING_MULTIBYTE(string)) {
    |      |                                 ~   
    |      |                                 |
    |      |                                 (3) following ‘true’ branch...
    |   68 |     int chlen;
    |      |         ^~~~~
    |      |         |
    |      |         (1) region created on stack here
    |      |         (2) capacity: 4 bytes
    |   69 |     output = string_char_and_length(chp, &chlen);
    |      |              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |              |
    |      |              (4) ...to here
    |   70 |     b += chlen;
    |      |       ~~ 
    |      |       |
    |      |       (5) use of uninitialized value ‘chlen’ here
    |

...despite string_char_and_length writing back to chlen (aka *length) on every
possible outcome.

Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99390
[Bug 99390] [meta-bug] tracker bug for call summaries in -fanalyzer
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107060
[Bug 107060] -fanalyzer unbearably slow when compiling GNU Emacs
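As an added illustration (constructed for this page; it is not the attached reproducer nor GCC or Emacs code): a callee in the shape the report describes, which writes through its out-parameter on every return path, a contrasting callee that does not, and a caller shaped like fetch_string_char_advance. The UTF-8-style decoding, the `multibyte` flag standing in for STRING_MULTIBYTE, the name fetch_char_advance and the helper ascii_length_or_zero are assumptions.

```c
#include <stddef.h>

/* Constructed stand-in for the helper named in the report: decode the
 * multibyte character at p and store its byte length through `length` on
 * EVERY return path. That unconditional write is the side effect a call
 * summary must carry back to the caller; losing it is what turns the
 * caller's read of chlen into the false positive described above. */
static int string_char_and_length(const unsigned char *p, int *length)
{
    if (p[0] < 0x80)           { *length = 1; return p[0]; }                  /* ASCII */
    if ((p[0] & 0xE0) == 0xC0) { *length = 2; return ((p[0] & 0x1F) << 6) | (p[1] & 0x3F); }
    if ((p[0] & 0xF0) == 0xE0) { *length = 3; return ((p[0] & 0x0F) << 12) | ((p[1] & 0x3F) << 6) | (p[2] & 0x3F); }
    *length = 4;               /* 4-byte sequence: still assigned before returning */
    return ((p[0] & 0x07) << 18) | ((p[1] & 0x3F) << 12) | ((p[2] & 0x3F) << 6) | (p[3] & 0x3F);
}

/* Contrast case (assumed helper): this callee leaves *length untouched on
 * one path, so a caller that reads its out-parameter unconditionally really
 * would read an uninitialised value. A sound summary has to tell this shape
 * apart from the one above; the report's point is that it currently does not. */
static int ascii_length_or_zero(const unsigned char *p, int *length)
{
    if (p[0] < 0x80) { *length = 1; return 1; }
    return 0;                  /* *length is NOT written on this path */
}

/* Caller in the shape of the report's fetch_string_char_advance: chlen has
 * no initialiser and relies on the callee to set it. `multibyte` stands in
 * for STRING_MULTIBYTE(string) and `pos` for the report's `b`. With the
 * callee's write modelled, the read of chlen below is well defined. */
static int fetch_char_advance(const unsigned char *s, size_t *pos, int multibyte)
{
    int output;
    if (multibyte) {
        int chlen;
        output = string_char_and_length(s + *pos, &chlen);
        *pos += chlen;         /* the line the report's warning points at */
    } else {
        output = s[*pos];
        *pos += 1;
    }
    return output;
}
```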