public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug analyzer/108664] New: -Wanalyzer-use-of-uninitialized-value false positive seen in coreutils's cksum.c: cksum_slice8
@ 2023-02-03 21:30 dmalcolm at gcc dot gnu.org
2023-02-15 19:53 ` [Bug analyzer/108664] " cvs-commit at gcc dot gnu.org
2023-02-15 19:58 ` dmalcolm at gcc dot gnu.org
0 siblings, 2 replies; 3+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2023-02-03 21:30 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108664
Bug ID: 108664
Summary: -Wanalyzer-use-of-uninitialized-value false positive
seen in coreutils's cksum.c: cksum_slice8
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Target Milestone: ---
Created attachment 54407
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54407&action=edit
Reproducer
Trunk emits false postives:
https://godbolt.org/z/9Mjcr3j1W
in which the analyzer doesn't seem to grok that fread_unlocked will have
initialized part of the buffer when the return value is checked.
<source>: In function 'cksum_slice8':
<source>:58:16: warning: use of uninitialized value '*datap_52' [CWE-457]
[-Wanalyzer-use-of-uninitialized-value]
58 | uint32_t first = *datap++, second = *datap++;
| ^~~~~
'cksum_slice8': events 1-2
|
| 33 | uint32_t buf[(1 << 16) / sizeof(uint32_t)];
| | ^~~
| | |
| | (1) region created on stack here
|......
| 38 | if (!fp || !crc_out || !length_out)
| | ~
| | |
| | (2) following 'false' branch...
|
'cksum_slice8': event 3
|
|cc1:
| (3): ...to here
|
'cksum_slice8': events 4-12
|
| 41 | while ((bytes_read = fread_unlocked(buf, 1, (1 << 16), fp)) > 0)
{
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~
| | |
| | (4)
following 'true' branch (when 'bytes_read != 0')...
|......
| 44 | if (length + bytes_read < length) {
| | ~~~~~~~~~~~~~~~~~~~~
| | | |
| | | (5) ...to here
| | (6) following 'false' branch...
|......
| 49 | length += bytes_read;
| | ~~~~~~~~~~~~~~~~~~~~
| | |
| | (7) ...to here
| 50 |
| 51 | if (bytes_read == 0) {
| | ~
| | |
| | (8) following 'false' branch (when 'bytes_read != 0')...
|......
| 56 | datap = (uint32_t*)buf;
| | ~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (9) ...to here
| 57 | while (bytes_read >= 8) {
| | ~~~~~~~~~~~~~~~
| | |
| | (10) following 'true' branch (when
'bytes_read > 7')...
| 58 | uint32_t first = *datap++, second = *datap++;
| | ~~~~~ ~~~~~~~
| | | |
| | | (11) ...to here
| | (12) use of uninitialized value '*datap_52' here
|
<source>:58:34: warning: use of uninitialized value '*datap_77' [CWE-457]
[-Wanalyzer-use-of-uninitialized-value]
58 | uint32_t first = *datap++, second = *datap++;
| ^~~~~~
'cksum_slice8': events 1-2
|
| 33 | uint32_t buf[(1 << 16) / sizeof(uint32_t)];
| | ^~~
| | |
| | (1) region created on stack here
|......
| 38 | if (!fp || !crc_out || !length_out)
| | ~
| | |
| | (2) following 'false' branch...
|
'cksum_slice8': event 3
|
|cc1:
| (3): ...to here
|
'cksum_slice8': events 4-12
|
| 41 | while ((bytes_read = fread_unlocked(buf, 1, (1 << 16), fp)) > 0)
{
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~
| | |
| | (4)
following 'true' branch (when 'bytes_read != 0')...
|......
| 44 | if (length + bytes_read < length) {
| | ~~~~~~~~~~~~~~~~~~~~
| | | |
| | | (5) ...to here
| | (6) following 'false' branch...
|......
| 49 | length += bytes_read;
| | ~~~~~~~~~~~~~~~~~~~~
| | |
| | (7) ...to here
| 50 |
| 51 | if (bytes_read == 0) {
| | ~
| | |
| | (8) following 'false' branch (when 'bytes_read != 0')...
|......
| 56 | datap = (uint32_t*)buf;
| | ~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (9) ...to here
| 57 | while (bytes_read >= 8) {
| | ~~~~~~~~~~~~~~~
| | |
| | (10) following 'true' branch (when
'bytes_read > 7')...
| 58 | uint32_t first = *datap++, second = *datap++;
| | ~~~~~~~ ~~~~~~
| | | |
| | | (12) use of uninitialized value
'*datap_77' here
| | (11) ...to here
|
Compiler returned: 0
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Bug analyzer/108664] -Wanalyzer-use-of-uninitialized-value false positive seen in coreutils's cksum.c: cksum_slice8
2023-02-03 21:30 [Bug analyzer/108664] New: -Wanalyzer-use-of-uninitialized-value false positive seen in coreutils's cksum.c: cksum_slice8 dmalcolm at gcc dot gnu.org
@ 2023-02-15 19:53 ` cvs-commit at gcc dot gnu.org
2023-02-15 19:58 ` dmalcolm at gcc dot gnu.org
1 sibling, 0 replies; 3+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2023-02-15 19:53 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108664
--- Comment #1 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:
https://gcc.gnu.org/g:b03a10b0b25cef4928ccead4c8a461d3674dbe86
commit r13-6064-gb03a10b0b25cef4928ccead4c8a461d3674dbe86
Author: David Malcolm <dmalcolm@redhat.com>
Date: Wed Feb 15 14:52:02 2023 -0500
analyzer: fix uninit false +ves [PR108664,PR108666,PR108725]
This patch updates poisoned_value_diagnostic so that, where possible,
it checks to see if the value is still poisoned along the execution
path seen during feasibility analysis, rather than just that seen
in the exploded graph.
Integration testing shows this reduction in the number of
false positives:
-Wanalyzer-use-of-uninitialized-value: 191 -> 153 (-38)
where the changes happen in:
coreutils-9.1: 34 -> 20 (-14)
qemu-7.2.0: 78 -> 54 (-24)
gcc/analyzer/ChangeLog:
PR analyzer/108664
PR analyzer/108666
PR analyzer/108725
* diagnostic-manager.cc (epath_finder::get_best_epath): Add
"target_stmt" param.
(epath_finder::explore_feasible_paths): Likewise.
(epath_finder::process_worklist_item): Likewise.
(saved_diagnostic::calc_best_epath): Pass m_stmt to
epath_finder::get_best_epath.
* engine.cc (feasibility_state::maybe_update_for_edge): Move
per-stmt logic to...
(feasibility_state::update_for_stmt): ...this new function.
* exploded-graph.h (feasibility_state::update_for_stmt): New decl.
* feasible-graph.cc (feasible_node::get_state_at_stmt): New.
* feasible-graph.h: Include "analyzer/exploded-graph.h".
(feasible_node::get_state_at_stmt): New decl.
* infinite-recursion.cc
(infinite_recursion_diagnostic::check_valid_fpath_p): Update for
vfunc signature change.
* pending-diagnostic.h (pending_diagnostic::check_valid_fpath_p):
Convert first param to a reference. Add stmt param.
* region-model.cc: Include "analyzer/feasible-graph.h".
(poisoned_value_diagnostic::poisoned_value_diagnostic): Add
"check_expr" param.
(poisoned_value_diagnostic::check_valid_fpath_p): New.
(poisoned_value_diagnostic::m_check_expr): New field.
(region_model::check_for_poison): Attempt to supply a check_expr
to the diagnostic
(region_model::deref_rvalue): Add NULL for new check_expr param
of poisoned_value_diagnostic.
(region_model::get_or_create_region_for_heap_alloc): Don't reuse
regions that are marked as TOUCHED.
gcc/testsuite/ChangeLog:
PR analyzer/108664
PR analyzer/108666
PR analyzer/108725
* gcc.dg/analyzer/coreutils-cksum-pr108664.c: New test.
* gcc.dg/analyzer/coreutils-sum-pr108666.c: New test.
* gcc.dg/analyzer/torture/uninit-pr108725.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Bug analyzer/108664] -Wanalyzer-use-of-uninitialized-value false positive seen in coreutils's cksum.c: cksum_slice8
2023-02-03 21:30 [Bug analyzer/108664] New: -Wanalyzer-use-of-uninitialized-value false positive seen in coreutils's cksum.c: cksum_slice8 dmalcolm at gcc dot gnu.org
2023-02-15 19:53 ` [Bug analyzer/108664] " cvs-commit at gcc dot gnu.org
@ 2023-02-15 19:58 ` dmalcolm at gcc dot gnu.org
1 sibling, 0 replies; 3+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2023-02-15 19:58 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108664
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
Resolution|--- |FIXED
--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Should be fixed by the above patch.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-02-15 19:58 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-02-03 21:30 [Bug analyzer/108664] New: -Wanalyzer-use-of-uninitialized-value false positive seen in coreutils's cksum.c: cksum_slice8 dmalcolm at gcc dot gnu.org
2023-02-15 19:53 ` [Bug analyzer/108664] " cvs-commit at gcc dot gnu.org
2023-02-15 19:58 ` dmalcolm at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).