https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105264

            Bug ID: 105264
           Summary: -Wanalyzer-use-of-uninitialized-value gets confused
                    about var + i v.s. &var[i]
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: avarab at gmail dot com
  Target Milestone: ---

After reading
https://developers.redhat.com/articles/2022/04/12/state-static-analysis-gcc-12-compiler
I tried out -fanalyzer on GCC 12 (built from c1ff207af66 (ppc: testsuite: skip
pr60203 on no ldbl128, 2022-04-12)) against git.git, and discovered what seems
to be a bug.

When compiling git (https://github.com/git/git/) as:

    $ make CC=gcc CFLAGS=-fanalyzer builtin/merge-file.o

It will complain about:

builtin/merge-file.c:86:28: error: use of uninitialized value ‘mmfs[i].size’
[CWE-457] [-Werror=analyzer-use-of-uninitialized-value]
   86 |                 if (mmfs[i].size > MAX_XDIFF_SIZE ||
[...]

The basic control flow is:

mmfile_t mmfs[3];
[...]
for-loop
[...]
ret = read_mmfile(mmfs + i, fname);
[...]

The read_mmfile() function always either returns -1 or populates the mmfs[i]
structure; in the case of -1 we can't reach the code -fanalyzer raises an issue
about.

The warning will go away if I apply:

diff --git a/builtin/merge-file.c b/builtin/merge-file.c
index e695867ee54..0ca3580b27d 100644
--- a/builtin/merge-file.c
+++ b/builtin/merge-file.c
@@ -77,7 +77,7 @@ int cmd_merge_file(int argc, const char **argv, const char
*prefix)
                        names[i] = argv[i];

                fname = prefix_filename(prefix, argv[i]);
-               ret = read_mmfile(mmfs + i, fname);
+               ret = read_mmfile(&mmfs[i], fname);
                free(fname);
                if (ret)
                        return -1;
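Review bot: the replacement `&mmfs[i]` is semantically identical to `mmfs + i`, so this hunk changes no behaviour and only silences the analyzer; if it is applied to git, the line (or the commit message) should record that it works around the GCC 12 -fanalyzer false positive, otherwise a later cleanup may switch the spelling back and reintroduce the warning.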


This suggests to me a bug in the analyzer. That's not the most obvious code in
the world and could probably use that patch in any case, but the analyzer
should understand that mmfs+i and &mmfs[i] yield the same pointer.
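A reduced, constructed reproducer of the pattern described in the report (added here; not git's code): the struct, helper and function names are placeholders, and the file can be compiled with -fanalyzer to check whether the analyzer still treats the two spellings differently.

```c
/* Constructed reduced reproducer (not git's code) for the reported pattern:
 * a helper that either returns -1 or fills mmfs[i], a loop that returns
 * early on -1, then a read of the filled fields.  Build: gcc -fanalyzer -c */
#include <string.h>

typedef struct { const char *ptr; size_t size; } mmfile_like;

/* Stand-in for read_mmfile(): -1 on failure (leaving *f untouched), else 0. */
static int fill_mmfile(mmfile_like *f, const char *text)
{
    if (text == NULL)
        return -1;
    f->ptr = text;
    f->size = strlen(text);
    return 0;
}

/* The reported spelling: the element is passed as mmfs + i.  Returns -1 if
 * any input is missing, else how many elements are larger than 'limit'. */
int count_oversized_ptr_arith(const char *const inputs[3], size_t limit)
{
    mmfile_like mmfs[3];
    int n = 0;
    for (int i = 0; i < 3; i++)
        if (fill_mmfile(mmfs + i, inputs[i]))
            return -1;      /* the reads below are unreachable on failure */
    for (int i = 0; i < 3; i++)
        if (mmfs[i].size > limit)
            n++;
    return n;
}

/* The patched spelling from the diff: identical except for &mmfs[i]. */
int count_oversized_subscript(const char *const inputs[3], size_t limit)
{
    mmfile_like mmfs[3];
    int n = 0;
    for (int i = 0; i < 3; i++)
        if (fill_mmfile(&mmfs[i], inputs[i]))
            return -1;
    for (int i = 0; i < 3; i++)
        if (mmfs[i].size > limit)
            n++;
    return n;
}

/* Constructed sample inputs; the second set has a missing file. */
const char *const sample_ok[3]  = { "a", "bbbb", "cc" };
const char *const sample_bad[3] = { "a", NULL, "cc" };
```

Both functions return the same results for the same inputs; only the analyzer's view of them differs in the report.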
