<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Yup, works now!<br>
<br>
What I just proposed should hopefully end up looking like this:<br>
<br>
<div>
<div><font face="monospace, monospace">1 void useInt(int);</font></div>
<div><font face="monospace, monospace">2 </font></div>
<div><font face="monospace, monospace">3 int getInt(int x) {</font></div>
<div><font face="monospace, monospace">4 int a;</font></div>
<div><font face="monospace, monospace">5</font></div>
<div><font face="monospace, monospace">6 if (x > 0)</font></div>
<div><font face="monospace, monospace">7 a = 3;<br>
<b> </b><b>~~^~~ // (8) Assigning 3 to 'a'</b><br>
</font></div>
<div><font face="monospace, monospace">8 else</font></div>
<div><font face="monospace, monospace">9 a = 2;</font></div>
<div><font face="monospace, monospace">10</font></div>
<div><font face="monospace, monospace">11 return a;</font></div>
<div><font face="monospace, monospace">12 }</font></div>
<div><font face="monospace, monospace">13</font></div>
<div><font face="monospace, monospace">14 int g();</font></div>
<div><font face="monospace, monospace">15</font></div>
<div><font face="monospace, monospace">16 int main() {</font></div>
<div><font face="monospace, monospace">17 int arr[10];</font></div>
<div><font face="monospace, monospace">18</font></div>
<div><font face="monospace, monospace">19 for (int i = 0; i &lt; 3; ++i)<br>
<b> </b><b>^~~~~~~~~~~~~~~~~~~~~~~~~~~ (1)--(6) Looping
around the loop</b><br>
</font></div>
<div><font face="monospace, monospace">20 arr[i] = 0;</font></div>
<div><font face="monospace, monospace">21</font></div>
<div><font face="monospace, monospace">22 int x = g();</font></div>
<div><font face="monospace, monospace">23 int n = getInt(x);<br>
</font><font face="monospace, monospace"><b><font
face="monospace, monospace"><b> ^~~~~~~~~ //
(7) Calling getInt</b><b><br>
</b></font></b></font><font face="monospace, monospace"><b><font
face="monospace, monospace"><font face="monospace,
monospace"><b> ^~~~~~~~~ // (9) Returning
'3'</b><b><br>
</b></font></font></b><b> ~~~~~~^~~~~~~~~~~ // (10)
Assigning 'n' to '3'</b><br>
</font></div>
<div><font face="monospace, monospace">24 useInt(arr[n]);<br>
<b> ~~~~^~ // (11) Loading uninitialized value at
index '3'</b><b><br>
</b><b> ~~~~~~~^~~~~~ // (12) Use of uninitialized value!</b><br>
</font></div>
<div><font face="monospace, monospace">25 }</font></div>
</div>
<br>
And all we need is to add note (11) by pattern-matching the current
statement in trackExpressionValue() (which is a pretty good start
regardless) and then invoke another trackExpressionValue()
recursively over the index expression.<br>
<br>
<div class="moz-cite-prefix">On 4/3/19 3:51 PM, Kristóf Umann wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAGcXOD4Tb3Tsc+SnGpiuqk1FQ==iKDzT0bcyQeT6o0gtqQiA8g@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div dir="ltr">
<div>Let's hope this works now:</div>
<div><br>
</div>
<div><img src="cid:part1.58EF5961.6980FA09@gmail.com"
alt="image.png" class="" width="562" height="553"><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, 4 Apr 2019 at 00:45,
Artem Dergachev &lt;<a href="mailto:noqnoqneo@gmail.com"
moz-do-not-send="true">noqnoqneo@gmail.com</a>&gt; wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF"> If I understand correctly (hmm,
there seem to be image problems again), in this bug report
it's about doing trackNullOrUndefValue() over `n` whenever
we track the uninitialized value back to a load from an
array with index `n` - I think it easily gets us straight
to `a = 3` and it doesn't require introducing any new
analyses.<br>
</div>
</blockquote>
<div><br>
</div>
<div>The problem is, as seen on the image, that it isn't
obvious at all from the report that a == 3.</div>
</div>
</div>
</blockquote>
<br>
</body>
</html>