From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gcc-bugzilla@gcc.gnu.org>
Received: by sourceware.org (Postfix, from userid 48)
	id 664543858C78; Fri, 12 May 2023 09:32:02 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 664543858C78
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org;
	s=default; t=1683883922;
	bh=eTWqOq99yD7lxloKzmLxqg5X2w0kt00K7ELc/6ypMhQ=;
	h=From:To:Subject:Date:In-Reply-To:References:From;
	b=qFGPlKC/7mYov4tEIGxU/uHd+IxAYINcltokikpyVMgaIgLXguKiBAmAAYgrOBBh+
	 1kKwGveW1qzmilTe2YmZ383zv1B42nc7z/7ez8eRFvDdF2l0GnlheDElUcNH4wMEpj
	 4A7HMMzrvEq30f38BQ0re0KZZSxf3Dn8j7oYJrQU=
From: "redi at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/109789] analyzer-use-of-uninitialized-value false
 positive inside function when array passed to the function is pre-initialized
Date: Fri, 12 May 2023 09:32:02 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: analyzer
X-Bugzilla-Version: 13.1.1
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: normal
X-Bugzilla-Who: redi at gcc dot gnu.org
X-Bugzilla-Status: NEW
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: dmalcolm at gcc dot gnu.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: 
Message-ID: <bug-109789-4-0QW78PKRYV@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-109789-4@http.gcc.gnu.org/bugzilla/>
References: <bug-109789-4@http.gcc.gnu.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
List-Id: <gcc-bugs.sourceware.org>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D109789

--- Comment #8 from Jonathan Wakely <redi at gcc dot gnu.org> ---
(In reply to Jonathan Wakely from comment #7)
> It also seems to depend on array-to-pointer decay from float[nframes] to
> float* across the function boundary, because if the loop using the size_t
> index is moved into the same function as the array initialization, the
> analyzer doesn't complain.

Ah no, this still complains without a separate function:

void sink(int);

void export_audio(int nframes, int init, int count) {
  do {
    int tmp_l[nframes];
    for (int i =3D 0; i < nframes; i++)
      tmp_l[i] =3D init;
    unsigned size =3D nframes;
    sink(tmp_l[size - 1]);
  } while (--count);
}


a.c: In function =E2=80=98export_audio=E2=80=99:
a.c:9:5: error: use of uninitialized value =E2=80=98*tmp_l[<unknown>]=E2=80=
=99 [CWE-457]
[-Werror=3Danalyzer-use-of-uninitialized-value]
    9 |     sink(tmp_l[size - 1]);
      |     ^~~~~~~~~~~~~~~~~~~~~
  =E2=80=98export_audio=E2=80=99: events 1-4
    |
    |    5 |     int tmp_l[nframes];
    |      |         ^~~~~
    |      |         |
    |      |         (1) region created on stack here
    |    6 |     for (int i =3D 0; i < nframes; i++)
    |      |                     ~~~~~~~~~~~
    |      |                       |
    |      |                       (2) following =E2=80=98false=E2=80=99 br=
anch (when =E2=80=98i >=3D
nframes=E2=80=99)...
    |    7 |       tmp_l[i] =3D init;
    |    8 |     unsigned size =3D nframes;
    |      |              ~~~~
    |      |              |
    |      |              (3) ...to here
    |    9 |     sink(tmp_l[size - 1]);
    |      |     ~~~~~~~~~~~~~~~~~~~~~
    |      |     |
    |      |     (4) use of uninitialized value =E2=80=98*tmp_l[<unknown>]=
=E2=80=99 here
    |
cc1: some warnings being treated as errors=