https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108661
Bug ID: 108661
Summary: -Wanalyzer-use-of-uninitialized-value false positive
seen in haproxy's sink_rotate_file_backed_ring
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Target Milestone: ---
Consider:
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
struct ring
{
char buf[1024];
};
int test (const char *name)
{
struct ring ring;
int fd;
int ret;
fd = open(name, O_RDONLY);
if (fd < 0)
return 0;
ret = read(fd, &ring, sizeof(ring));
close(fd);
if (ret != sizeof(ring))
return 1;
if (ring.buf[0] > 1)
return 2;
return 3;
}
Currently trunk emits this false positive:
<source>: In function 'test':
<source>:26:21: warning: use of uninitialized value 'ring.buf[0]' [CWE-457]
[-Wanalyzer-use-of-uninitialized-value]
26 | if (ring.buf[0] > 1)
| ~~~~~~~~^~~
'test': events 1-6
|
| 12 | struct ring ring;
| | ^~~~
| | |
| | (1) region created on stack here
|......
| 17 | if (fd < 0)
| | ~
| | |
| | (2) following 'false' branch (when 'fd >= 0')...
|......
| 20 | ret = read(fd, &ring, sizeof(ring));
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (3) ...to here
|......
| 23 | if (ret != sizeof(ring))
| | ~
| | |
| | (4) following 'false' branch (when 'ret == 1024')...
|......
| 26 | if (ring.buf[0] > 1)
| | ~~~~~~~~~~~
| | |
| | (5) ...to here
| | (6) use of uninitialized value 'ring.buf[0]'
here
|
Compiler returned: 0
https://godbolt.org/z/3sMhxej6P
Looks like the analyzer might not "know" that when "read" returns the input
size, that the buffer is fully populated.