https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106383

            Bug ID: 106383
           Summary: False positives from -Wanalyzer-va-list-exhausted
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: dmalcolm at gcc dot gnu.org
            Blocks: 106358
  Target Milestone: ---

https://godbolt.org/z/c87abh5vc

Given:

typedef __builtin_va_list va_list;

struct printf_spec {
  unsigned int type;
};

int
format_decode(const char *fmt, struct printf_spec *spec);

static int vbin_printf(const char *fmt, va_list args) {
  struct printf_spec spec;
  int width = 0;

  while (*fmt) {
    int read = format_decode(fmt, &spec);

    fmt += read;

    switch (spec.type) {
    case 0:
      break;
    case 1:
      width = __builtin_va_arg(args, int);
      break;
    }
  }

  return width;
}

int bprintf(const char *fmt, ...) {
  va_list args;
  int ret;

  __builtin_va_start(args, fmt);
  ret = vbin_printf(fmt, args);
  __builtin_va_end(args);

  return ret;
}

we get this false positive with trunk with -fanalyzer:

../../src/vsprintf.c: In function ‘vbin_printf’:
../../src/vsprintf.c:23:13: warning: ‘args’ has no more arguments (0 consumed) [CWE-685] [-Wanalyzer-va-list-exhausted]
   23 |       width = __builtin_va_arg(args, int);
      |       ~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ‘bprintf’: events 1-2
    |
    |   31 | int bprintf(const char *fmt, ...) {
    |      |     ^~~~~~~
    |      |     |
    |      |     (1) entry to ‘bprintf’
    |......
    |   36 |   ret = vbin_printf(fmt, args);
    |      |         ~~~~~~~~~~~~~~~~~~~~~~
    |      |         |
    |      |         (2) calling ‘vbin_printf’ from ‘bprintf’
    |
    +--> ‘vbin_printf’: events 3-6
           |
           |   10 | static int vbin_printf(const char *fmt, va_list args) {
           |      |            ^~~~~~~~~~~
           |      |            |
           |      |            (3) entry to ‘vbin_printf’
           |......
           |   14 |   while (*fmt) {
           |      |          ~  
           |      |          |
           |      |          (4) following ‘true’ branch...
           |   15 |     int read = format_decode(fmt, &spec);
           |      |                ~~~~~~~~~~~~~~~~~~~~~~~~~
           |      |                |
           |      |                (5) ...to here
           |......
           |   23 |       width = __builtin_va_arg(args, int);
           |      |       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           |      |             |
           |      |             (6) ‘args’ has no more arguments (0 consumed)
           |

Reduced from Linux kernel: lib/vsprintf.c


Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358
[Bug 106358] [meta-bug] tracker bug for building the Linux kernel with
-fanalyzer
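
An added example, not part of the bug report: a runnable variant of the reproducer showing that the flagged va_arg is well defined when the call site supplies one int per type-1 spec, next to the condition a genuine CWE-685 call would meet. The body of format_decode, the 'd' format convention, ints_required and call_is_safe are assumptions made for illustration; the report only declares format_decode.

```c
#include <stdarg.h>
#include <stdio.h>
struct printf_spec { unsigned int type; };
/* Assumed decoder: one byte per spec, 'd' = type 1 (an int), else type 0. */
static int format_decode(const char *fmt, struct printf_spec *spec) {
  spec->type = (*fmt == 'd') ? 1u : 0u;
  return 1;
}

/* How many ints vbin_printf() will pull from the va_list for this fmt. */
static int ints_required(const char *fmt) {
  struct printf_spec spec;
  int n = 0;
  while (*fmt) {
    fmt += format_decode(fmt, &spec);
    n += (spec.type == 1);
  }
  return n;
}

/* Same consumer loop as the report's vbin_printf(). */
static int vbin_printf(const char *fmt, va_list args) {
  struct printf_spec spec;
  int width = 0;
  while (*fmt) {
    fmt += format_decode(fmt, &spec);
    if (spec.type == 1)
      width = va_arg(args, int);
  }
  return width;
}

int bprintf(const char *fmt, ...) {
  va_list args;
  va_start(args, fmt);
  int ret = vbin_printf(fmt, args);
  va_end(args);
  return ret;
}

/* Genuine CWE-685 is a call site where supplied < required. */
static int call_is_safe(const char *fmt, int supplied) {
  return supplied >= ints_required(fmt);
}

int main(void) {
  printf("%d %d\n", bprintf("xdx", 42), call_is_safe("dd", 1)); /* 42 0 */
  return 0;
}
```

In the reported diagnostic the event path begins at the entry to bprintf, so no call site is in view to say how many variadic arguments were supplied.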
