https://gcc.gnu.org/g:a815fdb2052fbca8854b1fddcd0db316a66020ae

commit r16-7459-ga815fdb2052fbca8854b1fddcd0db316a66020ae
Author: David Malcolm <[email protected]>
Date:   Wed Feb 11 08:51:16 2026 -0500

    analyzer: fix uninit in null-termination checking [PR124055]
    
    gcc/analyzer/ChangeLog:
            PR analyzer/124055
            * kf.cc (kf_strcpy::impl_call_pre): Ensure bytes_to_copy is
            initialized.  Assert that it was written to with non-null if
            check_for_null_terminated_string_arg returns non-null.
            * region-model.cc (region_model::scan_for_null_terminator):
            Initialize *out_sval, and assert it is written to when
            returning non-null.
            (region_model::check_for_null_terminated_string_arg): Assert
            that scan_for_null_terminator wrote to *out_sval if it
            returns non-null.
    
    gcc/testsuite/ChangeLog:
            PR analyzer/124055
            * gcc.dg/analyzer/ice-pr124055-1.c: New test.
            * gcc.dg/analyzer/ice-pr124055-2.c: New test.
    
    Signed-off-by: David Malcolm <[email protected]>

Diff:
---
 gcc/analyzer/kf.cc                             |  3 ++-
 gcc/analyzer/region-model.cc                   |  6 ++++++
 gcc/testsuite/gcc.dg/analyzer/ice-pr124055-1.c | 15 +++++++++++++++
 gcc/testsuite/gcc.dg/analyzer/ice-pr124055-2.c | 15 +++++++++++++++
 4 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/gcc/analyzer/kf.cc b/gcc/analyzer/kf.cc
index 5fb86014746e..b6b4f8f93acb 100644
--- a/gcc/analyzer/kf.cc
+++ b/gcc/analyzer/kf.cc
@@ -1399,10 +1399,11 @@ kf_strcpy::impl_call_pre (const call_details &cd) const
   /* strcpy returns the initial param.  */
   cd.maybe_set_lhs (dest_sval);
 
-  const svalue *bytes_to_copy;
+  const svalue *bytes_to_copy = nullptr;
   if (const svalue *num_bytes_read_sval
       = cd.check_for_null_terminated_string_arg (1, true, &bytes_to_copy))
     {
+      gcc_assert (bytes_to_copy);
       cd.complain_about_overlap (0, 1, num_bytes_read_sval);
       model->write_bytes (dest_reg, num_bytes_read_sval, bytes_to_copy, ctxt);
     }
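Review bot: `gcc_assert (bytes_to_copy)` documents the invariant but is not a runtime guard in every build: in a GCC configured without assert checking the macro expands to `__builtin_unreachable ()` (per system.h, if I recall it correctly), so a null `bytes_to_copy` would still reach `model->write_bytes` and the optimizer is free to assume the pointer is non-null. Since the PR shows this value was previously unwritten on a real path, a one-line comment stating where the guarantee comes from would help the next reader, e.g. `/* check_for_null_terminated_string_arg writes *out_sval whenever it returns non-null.  */` above the assert. If the guarantee is not meant to be relied on in non-checking builds, `if (!bytes_to_copy) return;` in place of the assert would degrade to skipping the write rather than to undefined behavior. kf_strcpy::impl_call_pre starts and ends outside the hunk.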
diff --git a/gcc/analyzer/region-model.cc b/gcc/analyzer/region-model.cc
index 1c851130c45c..871b91c069a5 100644
--- a/gcc/analyzer/region-model.cc
+++ b/gcc/analyzer/region-model.cc
@@ -4844,7 +4844,11 @@ region_model::scan_for_null_terminator (const region 
*reg,
       reg->dump_to_pp (pp, true);
       logger->end_log_line ();
     }
+  if (out_sval)
+    *out_sval = nullptr;
   const svalue *sval = scan_for_null_terminator_1 (reg, expr, out_sval, ctxt);
+  if (sval && out_sval)
+    gcc_assert (*out_sval);
   if (logger)
     {
       pretty_printer *pp = logger->get_printer ();
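Review bot: The pre-clear `*out_sval = nullptr` and the post-call assert together define a contract for `scan_for_null_terminator_1` — it must write `*out_sval` on every non-null return, and a null return leaves `*out_sval` null — but nothing in the hunk states that, so the two new stanzas read as unrelated defensive code. A comment on the pre-clear would tie them together, e.g. `/* Pre-clear so a null return leaves *out_sval defined; scan_for_null_terminator_1 must write it whenever it returns non-null (asserted below).  */`. The same assertion is repeated by the caller in check_for_null_terminated_string_arg later in this patch, so one of the two could be dropped once the contract is documented here. scan_for_null_terminator continues outside the hunk on both sides.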
@@ -5028,6 +5032,8 @@ region_model::check_for_null_terminated_string_arg (const 
call_details &cd,
                                  out_sval,
                                  &my_ctxt))
     {
+      if (out_sval)
+       gcc_assert (*out_sval);
       if (include_terminator)
        return num_bytes_read_sval;
       else
diff --git a/gcc/testsuite/gcc.dg/analyzer/ice-pr124055-1.c 
b/gcc/testsuite/gcc.dg/analyzer/ice-pr124055-1.c
new file mode 100644
index 000000000000..9b1d190b6444
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/ice-pr124055-1.c
@@ -0,0 +1,15 @@
+/* { dg-additional-options "-O -fdump-analyzer -frounding-math" } */
+
+void *p;
+
+static inline void
+bar(_Complex float f)
+{
+  __builtin_strcpy(p, (void *)&f); /* { dg-warning "uninit" } */
+}
+
+void
+foo()
+{
+  bar(72057594037927934);
+}
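Review bot: Neither new test says what it is checking: ice-pr124055-1.c has no comment explaining that a `_Complex float` argument under `-frounding-math` is the shape that previously crashed the analyzer, and ice-pr124055-2.c (the next hunk) carries no dg directive at all, so a reader cannot tell whether "no diagnostic" is the expected outcome or an oversight. A one-line header in both files would make the intent explicit, e.g. `/* Reduced from PR analyzer/124055: strcpy from a _Complex float argument must not ICE the analyzer.  */`, with the second file's comment adding that no diagnostic is expected because `f` is initialized. The `/* { dg-warning "uninit" } */` in the first file could also say in a few words which object is uninitialized, since that is the diagnostic the fix is meant to preserve rather than lose.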
diff --git a/gcc/testsuite/gcc.dg/analyzer/ice-pr124055-2.c 
b/gcc/testsuite/gcc.dg/analyzer/ice-pr124055-2.c
new file mode 100644
index 000000000000..692917fad235
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/ice-pr124055-2.c
@@ -0,0 +1,15 @@
+/* { dg-additional-options "-O -fdump-analyzer -frounding-math" } */
+
+void *p;
+
+static inline void
+bar(_Complex float f)
+{
+  __builtin_strcpy(p, (void *)&f);
+}
+
+void
+foo()
+{
+  bar(0);
+}
