From: "eggert at cs dot ucla.edu"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/109635] New: -Wanalyzer-use-of-uninitialized-value false alarm involving adding 8 to index
Date: Wed, 26 Apr 2023 16:32:44 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109635

            Bug ID: 109635
           Summary: -Wanalyzer-use-of-uninitialized-value false alarm
                    involving adding 8 to index
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: eggert at cs dot ucla.edu
  Target Milestone: ---

Created attachment 54926
  -->
https://gcc.gnu.org/bugzilla/attachment.cgi?id=54926&action=edit
compile with -O2 -fanalyzer to reproduce false positive

This is gcc (GCC) 13.0.1 20230401 (Red Hat 13.0.1-0) on x86-64. I ran into this
problem when building Coreutils.

Compile the attached program with:

gcc -S -O2 -fanalyzer make-prime-list.i

The output is at the end of this bug report. It's a false alarm, since
primes[i + 8].p is accessed only when 8 <= i + 8 < nprimes, and every entry
from primes[0] up to (but not including) primes[nprimes] is initialized by the
call to process_prime.

If you change both instances of 'i + 8' to 'i + 1' in line 1997, the false
alarm goes away. The false alarm is present if you use 'i + 2', though. I don't
know why the problem starts occurring between i + 1 and i + 2.

Here's the output:

make-prime-list.i: In function ‘output_primes’:
make-prime-list.i:1997:56: warning: use of uninitialized value ‘*primes_42(D) + _3.p’ [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
 1997 |       unsigned int d8 = i + 8 < nprimes ? primes[i + 8].p - primes[i].p : 0xff;
      |                                           ~~~~~~~~~~~~~^~
  ‘main’: events 1-6
    |
    | 2038 | main (int argc, char **argv)
    |      | ^~~~
    |      | |
    |      | (1) entry to ‘main’
    |......
    | 2045 |   if (argc != 2)
    |      |      ~
    |      |      |
    |      |      (2) following ‘false’ branch (when ‘argc == 2’)...
    |......
    | 2055 |   limit = atoi (argv[1]);
    |      |           ~~~~~~~~~~~~~~
    |      |           |
    |      |           (3) ...to here
    | 2056 |   if (limit < 3)
    |      |      ~
    |      |      |
    |      |      (4) following ‘false’ branch...
    |......
    | 2060 |   if ( !(limit & 1))
    |      |         ~~~~~~~~~~~
    |      |                |
    |      |                (5) ...to here
    |......
    | 2063 |   sieve = xalloc (size);
    |      |           ~~~~~~~~~~~~~
    |      |           |
    |      |           (6) calling ‘xalloc’ from ‘main’
    |
    +--> ‘xalloc’: events 7-9
           |
           | 2025 | xalloc (size_t s)
           |      | ^~~~~~
           |      | |
           |      | (7) entry to ‘xalloc’
           |......
           | 2028 |   if (p)
           |      |      ~
           |      |      |
           |      |      (8) following ‘true’ branch (when ‘p’ is non-NULL)...
           | 2029 |     return p;
           |      |            ~
           |      |            |
           |      |            (9) ...to here
           |
    <------+
    |
  ‘main’: events 10-11
    |
    | 2063 |   sieve = xalloc (size);
    |      |           ^~~~~~~~~~~~~
    |      |           |
    |      |           (10) returning to ‘main’ from ‘xalloc’
    | 2064 |   memset (sieve, 1, size);
    | 2065 |   prime_list = xalloc (size * sizeof (*prime_list));
    |      |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                |
    |      |                (11) calling ‘xalloc’ from ‘main’
    |
    +--> ‘xalloc’: events 12-15
           |
           | 2025 | xalloc (size_t s)
           |      | ^~~~~~
           |      | |
           |      | (12) entry to ‘xalloc’
           | 2026 | {
           | 2027 |   void *p = malloc (s);
           |      |             ~~~~~~~~~~
           |      |             |
           |      |             (13) region created on heap here
           | 2028 |   if (p)
           |      |      ~
           |      |      |
           |      |      (14) following ‘true’ branch (when ‘p’ is non-NULL)...
           | 2029 |     return p;
           |      |            ~
           |      |            |
           |      |            (15) ...to here
           |
    <------+
    |
  ‘main’: events 16-19
    |
    | 2065 |   prime_list = xalloc (size * sizeof (*prime_list));
    |      |                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                |
    |      |                (16) returning to ‘main’ from ‘xalloc’
    | 2066 |   nprimes = 0;
    | 2067 |   for (i = 0; i < size;)
    |      |               ~~~~~~~~
    |      |                 |
    |      |                 (17) following ‘true’ branch (when ‘i < size’)...
    | 2068 |     {
    | 2069 |       unsigned p = 3 + 2 * i;
    |      |                    ~~~~~~~~~
    |      |                      |
    |      |                      (18) ...to here
    | 2070 |       unsigned j;
    | 2071 |       process_prime (&prime_list[nprimes++], p);
    |      |       ~
    |      |       |
    |      |       (19) inlined call to ‘process_prime’ from ‘main’
    |
    +--> ‘process_prime’: event 20
           |
           | 1956 |   info->pinv = binvert (p);
           |      |                ^~~~~~~~~~~
           |      |                |
           |      |                (20) calling ‘binvert’ from ‘main’
           |
         ‘binvert’: events 21-22
           |
           | 1940 | binvert (wide_uint a)
           |      | ^~~~~~~
           |      | |
           |      | (21) entry to ‘binvert’
           |......
           | 1946 |       if (y == x)
           |      |          ~
           |      |          |
           |      |          (22) following ‘false’ branch (when ‘x != y’)...
           |
         ‘binvert’: event 23
           |
           |cc1:
           | (23): ...to here
           |
    <------+
    |
  ‘main’: event 24
    |
    | 2071 |       process_prime (&prime_list[nprimes++], p);
    |      |       ^
    |      |       |
    |      |       (24) inlined call to ‘process_prime’ from ‘main’
    |
    +--> ‘process_prime’: event 25
           |
           | 1956 |   info->pinv = binvert (p);
           |      |                ^~~~~~~~~~~
           |      |                |
           |      |                (25) returning to ‘main’ from ‘binvert’
           |
    <------+
    |
  ‘main’: events 26-28
    |
    | 2072 |       for (j = (p * p - 3) / 2; j < size; j += p)
    |      |                                 ~~^~~~~~
    |      |                                   |
    |      |                                   (26) following ‘true’ branch...
    | 2073 |         sieve[j] = 0;
    |      |                  ~
    |      |                  |
    |      |                  (27) ...to here
    |......
    | 2077 |   output_primes (prime_list, nprimes);
    |      |   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |   |
    |      |   (28) calling ‘output_primes’ from ‘main’
    |
    +--> ‘output_primes’: events 29-36
           |
           | 1984 | output_primes (const struct prime *primes, unsigned nprimes)
           |      | ^~~~~~~~~~~~~
           |      | |
           |      | (29) entry to ‘output_primes’
           |......
           | 1991 |   for (wide_uint_bits = 0; mask; wide_uint_bits++)
           |      |                            ~~~~
           |      |                            |
           |      |                            (30) following ‘true’ branch (when ‘mask != 0’)...
           | 1992 |     mask >>= 1;
           |      |     ~~~~~~~~~~
           |      |          |
           |      |          (31) ...to here
           |......
           | 1995 |   for (i = 0, p = 2; i < nprimes; i++)
           |      |                      ~~~~~~~~~~~
           |      |                        |
           |      |                        (32) following ‘true’ branch (when ‘i < nprimes’)...
           | 1996 |     {
           | 1997 |       unsigned int d8 = i + 8 < nprimes ? primes[i + 8].p - primes[i].p : 0xff;
           |      |                         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           |      |                         |               |              |    |
           |      |                         |               |              |    (34) following ‘true’ branch...
           |      |                         |               |              (36) use of uninitialized value ‘*primes_42(D) + _3.p’ here
           |      |                         (33) ...to here (35) ...to here
           |
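
Added example (not part of the original report, the attachment, or GCC): a runtime cross-check of the argument above, of the kind used when triaging an analyzer finding. It rebuilds the list with a shadow array marking which entries were written, then replays the guarded read from line 1997 for several offsets. struct prime is reduced to .p, process_prime is replaced by a plain store, and the odd-limit adjustment, the size computation and the composite-skipping loop are assumptions, since the trace does not show them. It says nothing about why the analyzer warns.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct prime { unsigned p; };  /* reduced: only the field read on line 1997 */

/* Build prime_list the way main() does in the trace, then replay the guarded
   read with `step` in place of 8.  A shadow array marks written entries.
   Returns how many reads would hit an unwritten entry (-1 on bad input or
   allocation failure); *taken counts the iterations where the guard held. */
int uninit_reads(int limit, unsigned step, unsigned *taken)
{
  *taken = 0;
  if (limit < 3) return -1;
  if (!(limit & 1)) limit--;               /* assumed: make limit odd */
  size_t size = (limit - 1) / 2;           /* assumed: sieve[i] is 3 + 2*i */
  unsigned char *sieve = malloc(size);
  unsigned char *written = calloc(size, 1);
  struct prime *prime_list = malloc(size * sizeof *prime_list);
  int bad = -1;
  if (sieve && written && prime_list) {
    unsigned nprimes = 0;
    memset(sieve, 1, size);
    for (size_t i = 0; i < size;) {
      unsigned p = 3 + 2 * (unsigned)i;
      written[nprimes] = 1;
      prime_list[nprimes++].p = p;         /* stands in for process_prime */
      for (size_t j = ((size_t)p * p - 3) / 2; j < size; j += p)
        sieve[j] = 0;
      while (++i < size && !sieve[i]) ;    /* assumed: skip composites */
    }
    bad = 0;
    for (unsigned i = 0; i < nprimes; i++)
      if (i + step < nprimes) {            /* guard from line 1997 */
        ++*taken;
        bad += !written[i + step] + !written[i];
      }
  }
  free(sieve); free(written); free(prime_list);
  return bad;
}

int main(void)
{
  unsigned steps[] = { 1, 2, 8 }, taken;
  for (int k = 0; k < 3; k++)
    printf("step %u: %d bad reads\n", steps[k], uninit_reads(5000, steps[k], &taken));
  return 0;
}
```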