https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107072
Bug ID: 107072
Summary: Analyzer call summarization not taking into account side-effects of calls
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Blocks: 99390, 107060
Target Milestone: ---
Created attachment 53637
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=53637&action=edit
Reproducer reduced from PR 107060
-fanalyzer-call-summaries doesn't seem to be taking account of the side-effects
of calls; it emits lots of -Wanalyzer-use-of-uninitialized-value false positives
on the reproducer for PR 107060.
Am attaching a minimized version, which emits these false positives:
$ ./xgcc -B. -S -fanalyzer ../../src/uninit.c -fanalyzer-call-summaries
../../src/uninit.c: In function ‘fetch_string_char_advance’:
../../src/uninit.c:52:7: warning: use of uninitialized value ‘chlen’ [CWE-457]
[-Wanalyzer-use-of-uninitialized-value]
52 | b += chlen;
| ^~
‘fetch_string_char_advance’: events 1-5
|
| 49 | if (STRING_MULTIBYTE(string)) {
| | ~
| | |
| | (3) following ‘true’ branch...
| 50 | int chlen;
| | ^~~~~
| | |
| | (1) region created on stack here
| | (2) capacity: 4 bytes
| 51 | output = string_char_and_length(chp, &chlen);
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (4) ...to here
| 52 | b += chlen;
| | ~~
| | |
| | (5) use of uninitialized value ‘chlen’ here
|
../../src/uninit.c: In function ‘fetch_string_char_as_multibyte_advance’:
../../src/uninit.c:70:7: warning: use of uninitialized value ‘chlen’ [CWE-457]
[-Wanalyzer-use-of-uninitialized-value]
70 | b += chlen;
| ^~
‘fetch_string_char_as_multibyte_advance’: events 1-5
|
| 67 | if (STRING_MULTIBYTE(string)) {
| | ~
| | |
| | (3) following ‘true’ branch...
| 68 | int chlen;
| | ^~~~~
| | |
| | (1) region created on stack here
| | (2) capacity: 4 bytes
| 69 | output = string_char_and_length(chp, &chlen);
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (4) ...to here
| 70 | b += chlen;
| | ~~
| | |
| | (5) use of uninitialized value ‘chlen’ here
|
...despite string_char_and_length writing back to chlen (aka *length) on every
possible outcome.
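Added illustration (this is not the attached reproducer, which is only linked above, and not GCC's or Emacs's code): a self-contained C file with the caller/callee shape the report describes. string_char_and_length writes *length on every return path, and the caller declares int chlen; uninitialized and relies entirely on that write, so the read on the "b += chlen;" line is well-defined. The two function names follow the diagnostic above; the function bodies, the multibyte flag standing in for STRING_MULTIBYTE(string), the count_chars/char_at/next_pos helpers and the sample bytes are assumptions for illustration. Compiling it with -fanalyzer -fanalyzer-call-summaries on an affected build is the check for whether the summarization accounts for the write through the pointer parameter; the program itself runs cleanly.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decode one UTF-8-style character at P (P must point into a NUL-terminated
   buffer).  *LENGTH is assigned on EVERY return path, including the
   invalid-byte fallback, so a caller passing the address of an uninitialized
   int never reads an indeterminate value afterwards.  Invalid or truncated
   sequences are returned as a raw byte of length 1; the short-circuit
   checks guarantee no read past the terminating NUL. */
static int string_char_and_length(const unsigned char *p, int *length)
{
    unsigned char c = p[0];
    if (c < 0x80) {                                    /* 1-byte ASCII */
        *length = 1;
        return c;
    }
    if ((c & 0xE0) == 0xC0 && (p[1] & 0xC0) == 0x80) { /* 2-byte sequence */
        *length = 2;
        return ((c & 0x1F) << 6) | (p[1] & 0x3F);
    }
    if ((c & 0xF0) == 0xE0 && (p[1] & 0xC0) == 0x80
        && (p[2] & 0xC0) == 0x80) {                    /* 3-byte sequence */
        *length = 3;
        return ((c & 0x0F) << 12) | ((p[1] & 0x3F) << 6) | (p[2] & 0x3F);
    }
    *length = 1;                                       /* fallback: raw byte */
    return c;
}

/* Same shape as the caller in the report: CHLEN is declared without an
   initializer and is only ever written by the callee.  Returns the decoded
   character and advances *POS past it.  MULTIBYTE replaces the
   STRING_MULTIBYTE(string) test of the original (assumed flag). */
static int fetch_string_char_advance(const unsigned char *string, size_t *pos,
                                     int multibyte)
{
    int output;
    const unsigned char *chp = string + *pos;
    size_t b = *pos;
    if (multibyte) {
        int chlen;
        output = string_char_and_length(chp, &chlen);
        b += chlen;   /* the line the analyzer flags in the report */
    } else {
        output = *chp;
        b += 1;
    }
    *pos = b;
    return output;
}

/* Number of characters in the first LEN bytes of S. */
static int count_chars(const unsigned char *s, size_t len, int multibyte)
{
    size_t pos = 0;
    int n = 0;
    while (pos < len) {
        fetch_string_char_advance(s, &pos, multibyte);
        n++;
    }
    return n;
}

/* Small accessors used to exercise the multibyte path from a fixed offset. */
static int char_at(const unsigned char *s, size_t pos)
{
    return fetch_string_char_advance(s, &pos, 1);
}

static size_t next_pos(const unsigned char *s, size_t pos)
{
    fetch_string_char_advance(s, &pos, 1);
    return pos;
}

/* Constructed sample: "a", U+00E9 (2 bytes), U+20AC (3 bytes), NUL. */
static const unsigned char sample[] = "a\xC3\xA9\xE2\x82\xAC";

int main(void)
{
    size_t len = strlen((const char *)sample);
    size_t pos = 0;
    printf("%d characters (multibyte), %d bytes (unibyte)\n",
           count_chars(sample, len, 1), count_chars(sample, len, 0));
    while (pos < len) {
        size_t start = pos;
        int ch = fetch_string_char_advance(sample, &pos, 1);
        printf("offset %zu: U+%04X (%zu byte(s))\n", start, ch, pos - start);
    }
    return 0;
}
```

Running the binary prints 3 multibyte characters versus 6 unibyte ones and the decoded code points; the interesting output is the analyzer's, not the program's. A callee that left *length unassigned on some path (say, an early return for an invalid lead byte) would make the same warning a true positive, which is why the "on every possible outcome" part of the report matters when judging it.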
Referenced Bugs:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99390
[Bug 99390] [meta-bug] tracker bug for call summaries in -fanalyzer
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107060
[Bug 107060] -fanalyzer unbearably slow when compiling GNU Emacs