public inbox for gcc-bugs@sourceware.org
From: "cvs-commit at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/107582] - -Wanalyzer-use-of-uninitialized-value false positive with while loop in pthread_cleanup_push
Date: Sat, 19 Nov 2022 00:40:01 +0000
Message-ID: <bug-107582-4-kmaZ4urulo@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-107582-4@http.gcc.gnu.org/bugzilla/>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107582

--- Comment #6 from CVS Commits <cvs-commit at gcc dot gnu.org> ---

The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:a7aef0a5a2b7e20048275a29bd80674c1a061a24

commit r13-4158-ga7aef0a5a2b7e20048275a29bd80674c1a061a24
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Fri Nov 18 19:38:25 2022 -0500

    analyzer: fix feasibility false +ve on jumps through function ptrs [PR107582]

    PR analyzer/107582 reports a false +ve from
    -Wanalyzer-use-of-uninitialized-value where the analyzer's feasibility
    checker erroneously decides that point (B) in the code below is
    reachable, with "x" being uninitialized there:

        pthread_cleanup_push(func, NULL);
        while (ret != ETIMEDOUT)
          ret = rand() % 1000;
        /* (A): after the while loop */
        if (ret != ETIMEDOUT)
          x = &z;
        pthread_cleanup_pop(1);
        if (ret == ETIMEDOUT)
          return 0;
        /* (B): after not bailing out */

    due to these contradictory conditions somehow both holding:
      * (ret == ETIMEDOUT), at (A) (skipping the initialization of x), and
      * (ret != ETIMEDOUT), at (B)

    The root cause is that after the while loop, state merger puts ret in
    the exploded graph in an UNKNOWN state, and saves the diagnostic at (B).
    Later, as we explore the feasibility of reaching the enode for (B),
    dynamic_call_info_t::update_model is called to push/pop the frames for
    handling the call to "func" in pthread_cleanup_pop.  The "ret" at these
    nodes in the feasible_graph has a conjured_svalue for "ret", and a
    constraint on it being either == *or* != ETIMEDOUT.

    However dynamic_call_info_t::update_model blithely clobbers the model
    with a copy from the exploded_graph, in which "ret" is UNKNOWN.

    This patch fixes dynamic_call_info_t::update_model so that it simulates
    pushing/popping a frame on the model we're working with, preserving
    knowledge of the constraint on "ret", and enabling the analyzer to
    "know" that the bail-out must happen.  Doing so fixes the false
    positive.

    gcc/analyzer/ChangeLog:
            PR analyzer/107582
            * engine.cc (dynamic_call_info_t::update_model): Update the model
            by pushing or popping a frame, rather than by clobbering it with
            the model from the exploded_node's state.

    gcc/testsuite/ChangeLog:
            PR analyzer/107582
            * gcc.dg/analyzer/feasibility-4.c: New test.
            * gcc.dg/analyzer/feasibility-pr107582-1.c: New test.
            * gcc.dg/analyzer/feasibility-pr107582-2.c: New test.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>
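The control-flow shape the commit message describes, as a self-contained reproducer added here; this is not one of the test cases named in the ChangeLog and not GCC's code. It assumes two simplifications: pthread_cleanup_push/pop are replaced by an explicit call through a function pointer (the "jump through a function pointer" that dynamic_call_info_t::update_model handles), and rand() % 1000 is replaced by a deterministic value source so the function can be checked from a test. ETIMEDOUT comes from <errno.h>; every other name is constructed for this example.

```c
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed example: the pattern from PR analyzer/107582 with the pthread
   cleanup macros replaced by a direct call through a function pointer.  */

typedef void (*cleanup_fn) (void *);

/* Counts how often the cleanup callback ran (stands in for the side effect
   that pthread_cleanup_pop (1) would trigger).  */
static int cleanup_calls;

static void
cleanup (void *arg)
{
  (void) arg;
  cleanup_calls++;
}

/* Deterministic stand-in for rand () % 1000: hands out 'vals' in order,
   cycling, so the loop's exit is reproducible.  (Assumption: mine, not the
   bug report's.)  */
static int
next_value (const int *vals, size_t n, size_t *idx)
{
  int v = vals[*idx % n];
  (*idx)++;
  return v;
}

/* Returns 0 whenever the loop ended with ret == ETIMEDOUT.  Point (B) is
   only reachable if ret != ETIMEDOUT after the loop, which the loop
   condition rules out, so *x is never read while uninitialized.  */
int
wait_pattern (cleanup_fn func, const int *vals, size_t n)
{
  int ret = 0;          /* ETIMEDOUT is non-zero, so the loop body runs */
  int z = 42;
  int *x;               /* deliberately left uninitialized, as in the report */
  size_t idx = 0;

  while (ret != ETIMEDOUT)
    ret = next_value (vals, n, &idx);
  /* (A): after the while loop; ret == ETIMEDOUT must hold here.  */

  if (ret != ETIMEDOUT)
    x = &z;

  func (NULL);          /* the call pthread_cleanup_pop (1) would make */

  if (ret == ETIMEDOUT)
    return 0;
  /* (B): after not bailing out; unreachable on every feasible path.  */
  return *x;
}

int
main (void)
{
  /* Constructed value stream: two non-timeout values, then ETIMEDOUT.  */
  const int vals[] = { 5, 999, ETIMEDOUT };
  assert (wait_pattern (cleanup, vals, 3) == 0);
  assert (cleanup_calls == 1);
  return 0;
}
```

To check an installed compiler against the commit, build the file with `gcc -fanalyzer -c` and look for -Wanalyzer-use-of-uninitialized-value at the `return *x;` line: the commit message says the feasibility checker wrongly treated that line as reachable with x uninitialized before r13-4158, so a compiler carrying the fix is expected to stay silent there.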