[Bug c/111394] New: Warning about uninitialized memory that is actually initialized

[Bug c/111394] New: Warning about uninitialized memory that is actually initialized

[aiya64bits at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111394

            Bug ID: 111394
           Summary: Warning about uninitialized memory that is actually
                    initialized
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: aiya64bits at gmail dot com
  Target Milestone: ---

#include <stdio.h>
#include <stdlib.h>

int memoized_cut_rod_aux(const int p[], int n, int c, int r[]) {
    if (r[n] >= 0)
        return r[n];

    int q = p[n - 1];
    if (!n) {
        q = 0;
    } else {
        for (int i = 1; i <= n / 2; ++i) {
            const int v = p[i - 1] + memoized_cut_rod_aux(p, n - i, c, r) - c;
            if (v > q)
                q = v;
        }
    }
    r[n] = q;
    return q;
}

int memoized_cut_rod(const int p[], int n, int c) {
    int result;

    int *const r = malloc((n + 1) * sizeof(int));
    if (!r) {
        fprintf(stderr, "Out of memory.\n");
        exit(1);
    }

    for (int i = 0; i < n + 1; ++i)
        r[i] = -1;

    result = memoized_cut_rod_aux(p, n, c, r);
    free(r);
    return result;
}

The above code when compiled with "gcc -Wall -O3 -o rod_cutting rod_cutting.c"
gives the following warning:

In function ‘memoized_cut_rod_aux’,
    inlined from ‘memoized_cut_rod’ at rod_cutting.c:95:17:
rod_cutting.c:59:14: warning: ‘*r_30 + _122’ may be used uninitialized
[-Wmaybe-uninitialized]
   59 |         if (r[n] >= 0)
      |             ~^~~

But all the elements of r are initialized to -1 in the loop in
memoized_cut_rod. I got this warning with GCC 13.2.1 and then got the same
warning with the trunk branch.

[Bug c/111394] Warning about uninitialized memory that is actually initialized

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111394

--- Comment #1 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
N could be -1 which then would access out of bounds ..

I suspect if you add a check for n being negative in memoized_cut_rod the
warning will go away and a security issue is solved too.

[Bug tree-optimization/111394] Warning about uninitialized memory that is actually initialized

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111394

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |INVALID

--- Comment #2 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
Adding:
    if (n < 0)
    exit(1);

Or:
    if (n < 0)
      __builtin_unreachable();

Fixes the warning.

Yes the warning could be slightly better but it is definitely a bug in your
code if you are not checking the input ...

[Bug tree-optimization/111394] Warning about uninitialized memory that is actually initialized

[aiya64bits at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111394

Sayu <aiya64bits at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |UNCONFIRMED
         Resolution|INVALID                     |---

--- Comment #3 from Sayu <aiya64bits at gmail dot com> ---
(In reply to Andrew Pinski from comment #1)
> N could be -1 which then would access out of bounds ..
> 
> I suspect if you add a check for n being negative in memoized_cut_rod the
> warning will go away and a security issue is solved too.

I see. I didn't realize that negative indexes are allowed in C, I always
assumed it was undefined behavior or just invalid. However, what does "*r_30 +
_122" mean in the warning?

[Bug tree-optimization/111394] Warning about uninitialized memory that is actually initialized

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111394

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |INVALID

--- Comment #4 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
(In reply to Sayu from comment #3)
> (In reply to Andrew Pinski from comment #1)
> > N could be -1 which then would access out of bounds ..
> > 
> > I suspect if you add a check for n being negative in memoized_cut_rod the
> > warning will go away and a security issue is solved too.
> 
> I see. I didn't realize that negative indexes are allowed in C, I always
> assumed it was undefined behavior or just invalid. However, what does "*r_30
> + _122" mean in the warning?

well for pointers it is not undefined. Just in this case it is being allocated
via malloc which does make it undefined. But that is the whole reason for the
warning.

The trunk gives:
In function 'memoized_cut_rod_aux',
    inlined from 'memoized_cut_rod' at <source>:34:14:
<source>:5:10: warning: '*<unknown>' may be used uninitialized
[-Wmaybe-uninitialized]
    5 |     if (r[n] >= 0)
      |         ~^~~

Which was fixed by PR 111253 .

But yes this is warning about r being used as not being initialized in the case
n in memoized_cut_rod being negative and acessing r[n] here.