<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href="https://github.com/llvm/llvm-project/issues/60557">60557</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
false positive in alpha.unix.cstring.UninitializedRead - Bytes string function accesses uninitialized/garbage values
</td>
</tr>
<tr>
<th>Labels</th>
<td>
new issue
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
vabridgers
</td>
</tr>
</table>
<pre>
I see a false positive in the alpha.unix.cstring.UninitializedRead checker when analyzing code containing an array of structs, but not an equivalent array of a scalar type.
clang --analyze -Xclang -analyzer-checker=alpha.unix.cstring.OutOfBounds,alpha.unix.cstring.UninitializedRead case1.c
warning: Bytes string function accesses uninitialized/garbage values [alpha.unix.cstring.UninitializedRead]
memcpy(local_info, Info, sizeof(struct _ss)*2);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
case2.c below is a 2-dim scalar array, and does not show this false positive. So it could be a difference in the way structs are handled (or not?)?
The element region for Info comes out to be Element{Info,7 S64b,char} in both cases. For the case that fails, I see that convertOffsetsFromSvalToUnsigneds() in RegionStore.cpp (around line 1683) is returning UndefinedVal() because Offset.uge(*(ExtentIt++)) is true for case1.c.
If it's true we're not handling structs properly (or at all), would it be better to detect that case and return UnknownVal() instead? Or is there a better fix for this problem?
I think this is somehow related to this change, and series - https://reviews.llvm.org/D104285.
case1.c

```c
typedef __typeof(sizeof(int)) size_t;
void *memcpy(void *to, void const *from, size_t count);
typedef struct _ss {
short a;
short b;
} ss, *pss;
const ss Info[2] = { { 0, 1, }, { 2, 3, },};
void clang_analyzer_dump(short);
static void xxx(void)
{
ss local_info[2];
memcpy(local_info, Info, sizeof(struct _ss)*2);
}
```
case2.c

```c
typedef __typeof(sizeof(int)) size_t;
void *memcpy(void *to, void const *from, size_t count);
const short Info[2][2] = { { 0, 1, }, { 2, 3, },};
void clang_analyzer_dump(short);
static void xxx(void)
{
short local_info[2][2];
memcpy(local_info, Info, sizeof(short)*4);
}
```
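To make the comparison between case1.c and case2.c concrete, here is an added, compiled-and-run program (not the reporter's test cases, which are meant only for `clang --analyze`) that copies the same struct-array and scalar-array sources with the same `memcpy` calls and checks that the two sources are the same size and byte-for-byte identical. The names `Info1`, `Info2`, `copy_struct_array`, `copy_scalar_array` and `sources_are_byte_identical` are assumptions made for this example; the point it demonstrates is that every byte the struct-array `memcpy` reads is initialized, so the warning on case1.c cannot be coming from the data itself.

```c
#include <stdio.h>
#include <string.h>

/* Same struct layout as case1.c. */
typedef struct _ss {
    short a;
    short b;
} ss;

/* Constructed source data, holding the same values as case1.c and case2.c. */
static const ss Info1[2] = { { 0, 1 }, { 2, 3 } };
static const short Info2[2][2] = { { 0, 1 }, { 2, 3 } };

/* The struct has no padding (two shorts), so both source objects occupy the
   same number of bytes; any difference in the checker's verdict is not due
   to a different amount of data being read. */
_Static_assert(sizeof(ss) == 2 * sizeof(short), "unexpected padding in ss");
_Static_assert(sizeof(Info1) == sizeof(Info2), "struct and scalar arrays differ in size");

/* Mirror of case1.c: copy the array of structs into a local array and return
   the sum of every field so the copied values are observable. Every byte
   memcpy reads here comes from a fully initialized const global. */
int copy_struct_array(void)
{
    ss local_info[2];
    memcpy(local_info, Info1, sizeof(struct _ss) * 2);
    return local_info[0].a + local_info[0].b + local_info[1].a + local_info[1].b;
}

/* Mirror of case2.c: same copy, 2-dim scalar array instead of structs. */
int copy_scalar_array(void)
{
    short local_info[2][2];
    memcpy(local_info, Info2, sizeof(short) * 4);
    return local_info[0][0] + local_info[0][1] + local_info[1][0] + local_info[1][1];
}

/* Returns 1 when the two sources are byte-for-byte identical, 0 otherwise. */
int sources_are_byte_identical(void)
{
    return memcmp(Info1, Info2, sizeof(Info1)) == 0;
}

int main(void)
{
    printf("struct copy sum: %d\n", copy_struct_array());
    printf("scalar copy sum: %d\n", copy_scalar_array());
    printf("sources identical: %s\n", sources_are_byte_identical() ? "yes" : "no");
    return 0;
}
```

Both copies produce the same sum (6) from the same bytes, which is what makes a warning on only one of them a checker inconsistency rather than a real uninitialized read.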
</pre>