https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109635
Bug ID: 109635 Summary: -Wanalyzer-use-of-uninitialized-value false alarm involving adding 8 to index Product: gcc Version: 13.0 Status: UNCONFIRMED Severity: normal Priority: P3 Component: analyzer Assignee: dmalcolm at gcc dot gnu.org Reporter: eggert at cs dot ucla.edu Target Milestone: --- Created attachment 54926 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54926&action=edit compile with -O2 -fanalyzer to reproduce false positive This is gcc (GCC) 13.0.1 20230401 (Red Hat 13.0.1-0) on x86-64. I ran into this problem when building Coreutils. Compile the attached program with: gcc -S -O2 -fanalyzer make-prime-list.i The output is at the end of this bug report. It's a false alarm, since primes[i + 8].p is accessed only when 8 <= i + 8 < nprimes, and every entry from primes[0] up to (but not including) primes[nprimes] is initialized by the call to process_prime. If you change both instances of 'i + 8' to 'i + 1' in line 1997, the false alarm goes away. The false alarm is present if you use 'i + 2', though. I don't know why the problem starts occuring between i + 1 and i + 2. Here's the output: make-prime-list.i: In function ‘output_primes’: make-prime-list.i:1997:56: warning: use of uninitialized value ‘*primes_42(D) + _3.p’ [CWE-457] [-Wanalyzer-use-of-uninitialized-value] 1997 | unsigned int d8 = i + 8 < nprimes ? primes[i + 8].p - primes[i].p : 0xff; | ~~~~~~~~~~~~~^~ ‘main’: events 1-6 | | 2038 | main (int argc, char **argv) | | ^~~~ | | | | | (1) entry to ‘main’ |...... | 2045 | if (argc != 2) | | ~ | | | | | (2) following ‘false’ branch (when ‘argc == 2’)... |...... | 2055 | limit = atoi (argv[1]); | | ~~~~~~~~~~~~~~ | | | | | (3) ...to here | 2056 | if (limit < 3) | | ~ | | | | | (4) following ‘false’ branch... |...... | 2060 | if ( !(limit & 1)) | | ~~~~~~~~~~~ | | | | | (5) ...to here |...... | 2063 | sieve = xalloc (size); | | ~~~~~~~~~~~~~ | | | | | (6) calling ‘xalloc’ from ‘main’ | +--> ‘xalloc’: events 7-9 | | 2025 | xalloc (size_t s) | | ^~~~~~ | | | | | (7) entry to ‘xalloc’ |...... | 2028 | if (p) | | ~ | | | | | (8) following ‘true’ branch (when ‘p’ is non-NULL)... | 2029 | return p; | | ~ | | | | | (9) ...to here | <------+ | ‘main’: events 10-11 | | 2063 | sieve = xalloc (size); | | ^~~~~~~~~~~~~ | | | | | (10) returning to ‘main’ from ‘xalloc’ | 2064 | memset (sieve, 1, size); | 2065 | prime_list = xalloc (size * sizeof (*prime_list)); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (11) calling ‘xalloc’ from ‘main’ | +--> ‘xalloc’: events 12-15 | | 2025 | xalloc (size_t s) | | ^~~~~~ | | | | | (12) entry to ‘xalloc’ | 2026 | { | 2027 | void *p = malloc (s); | | ~~~~~~~~~~ | | | | | (13) region created on heap here | 2028 | if (p) | | ~ | | | | | (14) following ‘true’ branch (when ‘p’ is non-NULL)... | 2029 | return p; | | ~ | | | | | (15) ...to here | <------+ | ‘main’: events 16-19 | | 2065 | prime_list = xalloc (size * sizeof (*prime_list)); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (16) returning to ‘main’ from ‘xalloc’ | 2066 | nprimes = 0; | 2067 | for (i = 0; i < size;) | | ~~~~~~~~ | | | | | (17) following ‘true’ branch (when ‘i < size’)... | 2068 | { | 2069 | unsigned p = 3 + 2 * i; | | ~~~~~~~~~ | | | | | (18) ...to here | 2070 | unsigned j; | 2071 | process_prime (&prime_list[nprimes++], p); | | ~ | | | | | (19) inlined call to ‘process_prime’ from ‘main’ | +--> ‘process_prime’: event 20 | | 1956 | info->pinv = binvert (p); | | ^~~~~~~~~~~ | | | | | (20) calling ‘binvert’ from ‘main’ | ‘binvert’: events 21-22 | | 1940 | binvert (wide_uint a) | | ^~~~~~~ | | | | | (21) entry to ‘binvert’ |...... | 1946 | if (y == x) | | ~ | | | | | (22) following ‘false’ branch (when ‘x != y’)... | ‘binvert’: event 23 | |cc1: | (23): ...to here | <------+ | ‘main’: event 24 | | 2071 | process_prime (&prime_list[nprimes++], p); | | ^ | | | | | (24) inlined call to ‘process_prime’ from ‘main’ | +--> ‘process_prime’: event 25 | | 1956 | info->pinv = binvert (p); | | ^~~~~~~~~~~ | | | | | (25) returning to ‘main’ from ‘binvert’ | <------+ | ‘main’: events 26-28 | | 2072 | for (j = (p * p - 3) / 2; j < size; j += p) | | ~~^~~~~~ | | | | | (26) following ‘true’ branch... | 2073 | sieve[j] = 0; | | ~ | | | | | (27) ...to here |...... | 2077 | output_primes (prime_list, nprimes); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (28) calling ‘output_primes’ from ‘main’ | +--> ‘output_primes’: events 29-36 | | 1984 | output_primes (const struct prime *primes, unsigned nprimes) | | ^~~~~~~~~~~~~ | | | | | (29) entry to ‘output_primes’ |...... | 1991 | for (wide_uint_bits = 0; mask; wide_uint_bits++) | | ~~~~ | | | | | (30) following ‘true’ branch (when ‘mask != 0’)... | 1992 | mask >>= 1; | | ~~~~~~~~~~ | | | | | (31) ...to here |...... | 1995 | for (i = 0, p = 2; i < nprimes; i++) | | ~~~~~~~~~~~ | | | | | (32) following ‘true’ branch (when ‘i < nprimes’)... | 1996 | { | 1997 | unsigned int d8 = i + 8 < nprimes ? primes[i + 8].p - primes[i].p : 0xff; | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | | | | | (34) following ‘true’ branch... | | | | (36) use of uninitialized value ‘*primes_42(D) + _3.p’ here | | (33) ...to here (35) ...to here |