https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94754
Bug ID: 94754
Summary: -fanalyzer false positive due to it ignoring previous
if
Product: gcc
Version: 10.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: colomar.6.4.3 at gmail dot com
Target Milestone: ---
The analyzer follows branches that are incompatible (sometimes).
Code to reproduce the bug:
[[gnu::nonnull]]
static
void init_x(int cond, int **x, int *y)
{
if (!cond)
return;
*x = y;
}
int foo(int cond)
{
int *x;
int y = 7;
if (cond < 2)
return -1;
/* cond >= 2 != 0, so it will initialize x */
init_x(cond, &x, &y);
return *x;
}
$ gcc-10 -c false_positive.c -o foo -fanalyzer
In function ‘foo’:
false_positive.c:22:9: warning: use of uninitialized value ‘x’ [CWE-457]
[-Wanalyzer-use-of-uninitialized-value]
22 | return *x;
| ^~
‘foo’: events 1-4
|
| 11 | int foo(int cond)
| | ^~~
| | |
| | (1) entry to ‘foo’
|......
| 16 | if (cond < 2)
| | ~
| | |
| | (2) following ‘false’ branch (when ‘cond > 1’)...
|......
| 20 | init_x(cond, &x, &y);
| | ~~~~~~~~~~~~~~~~~~~~
| | |
| | (3) ...to here
| | (4) calling ‘init_x’ from ‘foo’
|
+--> ‘init_x’: events 5-7
|
| 3 | void init_x(int cond, int **x, int *y)
| | ^~~~~~
| | |
| | (5) entry to ‘init_x’
|......
| 6 | if (!cond)
| | ~
| | |
| | (6) following ‘true’ branch (when ‘cond == 0’)...
!!! cond == 0, but previously it assumed cond > 1 !!!
| 7 | return;
| | ~~~~~~
| | |
| | (7) ...to here
|
<------+
|
‘foo’: events 8-9
|
| 20 | init_x(cond, &x, &y);
| | ^~~~~~~~~~~~~~~~~~~~
| | |
| | (8) returning to ‘foo’ from ‘init_x’
| 21 |
| 22 | return *x;
| | ~~
| | |
| | (9) use of uninitialized value ‘x’ here
|
$
___________________________________________________
But.
- If I copy&paste (manual inline) `init_x` code inside `foo`, the warning goes
away.
- If I use pointers instead of double pointers (`void init_x(int cond, int *x,
int y)`), the warning goes away.
