https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107948
Bug ID: 107948
Summary: GCC Static Analyzer doesn't realize `0 - width <= 0` is always true when `width > 0` and `width is int` type
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: geoffreydgr at icloud dot com
Target Milestone: ---

I got a false negative error when compiling the following program with gcc(trunk) -fanalyzer -O0.

https://godbolt.org/z/vneenabc5

```c
extern void __analyzer_eval (int);

void foo(int width) {
    int i = 0;
    int base;
    if (width > 0){
        __analyzer_eval(i == 0);
        __analyzer_eval(width > 0);
        __analyzer_eval(width - i > 0);
        __analyzer_eval(i - width <= 0);
        if (i - width <= 0) {
            base = 512;
        }
    }
    base+=1;
}
```

Output:

```
<source>: In function 'foo':
<source>:7:9: warning: TRUE
    7 |         __analyzer_eval(i == 0);
      |         ^~~~~~~~~~~~~~~~~~~~~~~
<source>:8:9: warning: TRUE
    8 |         __analyzer_eval(width > 0);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:9:9: warning: TRUE
    9 |         __analyzer_eval(width - i > 0);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:10:9: warning: UNKNOWN
   10 |         __analyzer_eval(i - width <= 0);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:15:9: warning: use of uninitialized value 'base' [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
   15 |     base+=1;
      |     ~~~~^~~
  'foo': events 1-3
    |
    |    5 |     int base;
    |      |         ^~~~
    |      |         |
    |      |         (1) region created on stack here
    |      |         (2) capacity: 4 bytes
    |......
    |   15 |     base+=1;
    |      |     ~~~~~~~
    |      |         |
    |      |         (3) use of uninitialized value 'base' here
```

GCC Static Analyzer doesn't realize `0 - width <= 0` is always true when `width > 0` and `width` is int type, hence it reports a wrong use-of-uninitialized-value warning. The analysis result shows that the analyzer knows `width - i > 0` is true but does not know the equivalent formula `i - width <= 0` is also true.
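The implication the report relies on, checked with defined arithmetic, as an added example that is not part of the bug report or of GCC: it evaluates both forms from the reproducer with `__builtin_sub_overflow` (assumed available, i.e. GCC or Clang) over constructed boundary values, and also goes beyond the report's `i == 0` case to show that `width - i > 0` implies `i - width <= 0` for any `i` whenever the first subtraction does not overflow.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>

/* Both forms of the report's condition; ok is false if a subtraction overflows. */
typedef struct {
    bool ok;
    bool width_minus_i_pos;  /* width - i > 0  (analyzer reports TRUE)    */
    bool i_minus_width_le0;  /* i - width <= 0 (analyzer reports UNKNOWN) */
} eval_t;

static eval_t eval_pair(int i, int width)
{
    eval_t r = { true, false, false };
    int a, b;
    /* GCC/Clang builtin (assumed): returns true when the subtraction overflows. */
    if (__builtin_sub_overflow(width, i, &a) || __builtin_sub_overflow(i, width, &b)) {
        r.ok = false;
        return r;
    }
    r.width_minus_i_pos = a > 0;
    r.i_minus_width_le0 = b <= 0;
    return r;
}

/* Count (i, width) pairs where width - i > 0 holds without overflow but
 * i - width <= 0 does not. Expect 0 for any i, not just the report's i == 0:
 * if width - i is in [1, INT_MAX], i - width is its negation, in [-INT_MAX, -1]. */
static int count_counterexamples(const int *is, size_t ni, const int *ws, size_t nw)
{
    int bad = 0;
    for (size_t x = 0; x < ni; x++)
        for (size_t y = 0; y < nw; y++) {
            eval_t r = eval_pair(is[x], ws[y]);
            if (r.ok && r.width_minus_i_pos && !r.i_minus_width_le0) bad++;
        }
    return bad;
}
/* The report's case, i == 0 and width > 0, over constructed boundary widths.
 * Returns how many overflowed or failed either condition; expect 0. */
static int count_report_failures(void)
{
    static const int widths[] = { 1, 2, 1000, INT_MAX - 1, INT_MAX };
    int bad = 0;
    for (size_t k = 0; k < sizeof widths / sizeof widths[0]; k++) {
        eval_t r = eval_pair(0, widths[k]);
        if (!r.ok || !r.width_minus_i_pos || !r.i_minus_width_le0) bad++;
    }
    return bad;
}
```

A result of 0 from both counters means the `base` warning in the report cannot correspond to a real path; the UNKNOWN comes from the analyzer's constraint handling, not from the arithmetic.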