public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug analyzer/108725] New: -Wanalyzer-use-of-uninitialized-value on ternary pointer access seen in qemu-7.2.0's dump/win_dump.c
@ 2023-02-08 19:57 dmalcolm at gcc dot gnu.org
2023-02-15 19:53 ` [Bug analyzer/108725] " cvs-commit at gcc dot gnu.org
2023-02-15 20:00 ` dmalcolm at gcc dot gnu.org
0 siblings, 2 replies; 3+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2023-02-08 19:57 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108725
Bug ID: 108725
Summary: -Wanalyzer-use-of-uninitialized-value on ternary
pointer access seen in qemu-7.2.0's dump/win_dump.c
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Target Milestone: ---
Created attachment 54438
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54438&action=edit
Reproducer
We get two false positives from the attached at -O1 and above, with both trunk
and gcc 12:
Trunk: https://godbolt.org/z/KboceYY7q
GCC 12.2: https://godbolt.org/z/jEPa6vaPd
<source>: In function 'cpu_read_ptr':
<source>:15:24: warning: use of uninitialized value 'ptr64' [CWE-457]
[-Wanalyzer-use-of-uninitialized-value]
15 | *ptr = x64 ? ptr64 : ptr32;
| ~~~~~~~~~~~~^~~~~~~
'cpu_read_ptr': events 1-5
|
| 11 | uint64_t ptr64;
| | ^~~~~
| | |
| | (1) region created on stack here
| | (2) capacity: 8 bytes
|......
| 15 | *ptr = x64 ? ptr64 : ptr32;
| | ~~~~~~~~~~~~~~~~~~~
| | |
| | (3) following 'true' branch (when 'x64 !=
0')...
| | (4) ...to here
| | (5) use of uninitialized value 'ptr64' here
|
<source>:15:24: warning: use of uninitialized value 'ptr32' [CWE-457]
[-Wanalyzer-use-of-uninitialized-value]
15 | *ptr = x64 ? ptr64 : ptr32;
| ~~~~~~~~~~~~^~~~~~~
'cpu_read_ptr': events 1-5
|
| 10 | uint32_t ptr32;
| | ^~~~~
| | |
| | (1) region created on stack here
| | (2) capacity: 4 bytes
|......
| 15 | *ptr = x64 ? ptr64 : ptr32;
| | ~~~~~~~~~~~~~~~~~~~
| | |
| | (3) following 'false' branch (when 'x64 ==
0')...
| | (4) ...to here
| | (5) use of uninitialized value 'ptr32' here
|
Compiler returned: 0
where the analyzer isn't treating the argument pointer as potentially having
been written through (presumably confused by the ternary operator).
^ permalink raw reply [flat|nested] 3+ messages in thread* [Bug analyzer/108725] -Wanalyzer-use-of-uninitialized-value on ternary pointer access seen in qemu-7.2.0's dump/win_dump.c
2023-02-08 19:57 [Bug analyzer/108725] New: -Wanalyzer-use-of-uninitialized-value on ternary pointer access seen in qemu-7.2.0's dump/win_dump.c dmalcolm at gcc dot gnu.org
@ 2023-02-15 19:53 ` cvs-commit at gcc dot gnu.org
2023-02-15 20:00 ` dmalcolm at gcc dot gnu.org
1 sibling, 0 replies; 3+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2023-02-15 19:53 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108725
--- Comment #1 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:
https://gcc.gnu.org/g:b03a10b0b25cef4928ccead4c8a461d3674dbe86
commit r13-6064-gb03a10b0b25cef4928ccead4c8a461d3674dbe86
Author: David Malcolm <dmalcolm@redhat.com>
Date: Wed Feb 15 14:52:02 2023 -0500
analyzer: fix uninit false +ves [PR108664,PR108666,PR108725]
This patch updates poisoned_value_diagnostic so that, where possible,
it checks to see if the value is still poisoned along the execution
path seen during feasibility analysis, rather than just that seen
in the exploded graph.
Integration testing shows this reduction in the number of
false positives:
-Wanalyzer-use-of-uninitialized-value: 191 -> 153 (-38)
where the changes happen in:
coreutils-9.1: 34 -> 20 (-14)
qemu-7.2.0: 78 -> 54 (-24)
gcc/analyzer/ChangeLog:
PR analyzer/108664
PR analyzer/108666
PR analyzer/108725
* diagnostic-manager.cc (epath_finder::get_best_epath): Add
"target_stmt" param.
(epath_finder::explore_feasible_paths): Likewise.
(epath_finder::process_worklist_item): Likewise.
(saved_diagnostic::calc_best_epath): Pass m_stmt to
epath_finder::get_best_epath.
* engine.cc (feasibility_state::maybe_update_for_edge): Move
per-stmt logic to...
(feasibility_state::update_for_stmt): ...this new function.
* exploded-graph.h (feasibility_state::update_for_stmt): New decl.
* feasible-graph.cc (feasible_node::get_state_at_stmt): New.
* feasible-graph.h: Include "analyzer/exploded-graph.h".
(feasible_node::get_state_at_stmt): New decl.
* infinite-recursion.cc
(infinite_recursion_diagnostic::check_valid_fpath_p): Update for
vfunc signature change.
* pending-diagnostic.h (pending_diagnostic::check_valid_fpath_p):
Convert first param to a reference. Add stmt param.
* region-model.cc: Include "analyzer/feasible-graph.h".
(poisoned_value_diagnostic::poisoned_value_diagnostic): Add
"check_expr" param.
(poisoned_value_diagnostic::check_valid_fpath_p): New.
(poisoned_value_diagnostic::m_check_expr): New field.
(region_model::check_for_poison): Attempt to supply a check_expr
to the diagnostic
(region_model::deref_rvalue): Add NULL for new check_expr param
of poisoned_value_diagnostic.
(region_model::get_or_create_region_for_heap_alloc): Don't reuse
regions that are marked as TOUCHED.
gcc/testsuite/ChangeLog:
PR analyzer/108664
PR analyzer/108666
PR analyzer/108725
* gcc.dg/analyzer/coreutils-cksum-pr108664.c: New test.
* gcc.dg/analyzer/coreutils-sum-pr108666.c: New test.
* gcc.dg/analyzer/torture/uninit-pr108725.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
^ permalink raw reply [flat|nested] 3+ messages in thread* [Bug analyzer/108725] -Wanalyzer-use-of-uninitialized-value on ternary pointer access seen in qemu-7.2.0's dump/win_dump.c
2023-02-08 19:57 [Bug analyzer/108725] New: -Wanalyzer-use-of-uninitialized-value on ternary pointer access seen in qemu-7.2.0's dump/win_dump.c dmalcolm at gcc dot gnu.org
2023-02-15 19:53 ` [Bug analyzer/108725] " cvs-commit at gcc dot gnu.org
@ 2023-02-15 20:00 ` dmalcolm at gcc dot gnu.org
1 sibling, 0 replies; 3+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2023-02-15 20:00 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108725
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
Resolution|--- |FIXED
--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Should be fixed on trunk by the above patch.
I don't plan to backport the patch to GCC 12 (doing so would be nontrivial), so
marking this as resolved.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-02-15 20:00 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-02-08 19:57 [Bug analyzer/108725] New: -Wanalyzer-use-of-uninitialized-value on ternary pointer access seen in qemu-7.2.0's dump/win_dump.c dmalcolm at gcc dot gnu.org
2023-02-15 19:53 ` [Bug analyzer/108725] " cvs-commit at gcc dot gnu.org
2023-02-15 20:00 ` dmalcolm at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).