clang-static-analyzer: Aggregate-initialized struct field incorrectly marked undefined

[rojer]

This code:

#include <iostream>
#include <string>

struct Structy {
  std::string foo;
  int bar;
};

int main() {
  auto *s = new Structy{
      .foo = "foo",
      .bar = 1,
  };
  std::cout << s->foo << s->bar;
  delete s;
}

produces the following static analyzer warning:

$ clang-tidy -p . qq.cpp 
1 warning generated.
/home/rojer/allterco/shelly-ng3/qq.cpp:14:3: error: 1st function call argument is an uninitialized value [clang-analyzer-core.CallAndMessage,-warnings-as-errors]
   14 |   std::cout << s->foo << s->bar;
      |   ^                      ~~~~~~
/home/rojer/allterco/shelly-ng3/qq.cpp:10:13: note: Uninitialized value stored to field 'bar'
   10 |   auto *s = new Structy{
      |             ^~~~~~~~~~~~
   11 |       .foo = "foo",
      |       ~~~~~~~~~~~~~
   12 |       .bar = 1,
      |       ~~~~~~~~~
   13 |   };
      |   ~
/home/rojer/allterco/shelly-ng3/qq.cpp:14:3: note: 1st function call argument is an uninitialized value
   14 |   std::cout << s->foo << s->bar;
      |   ^                      ~~~~~~
1 warning treated as error

s->bar is of course explicitly initialized to 1, so the generated warning is a false-positive.

swapping field order to bar, foo makes it go away.

tested with latest main (20.0.0git ec353b7).

[llvmbot]

@llvm/issue-subscribers-clang-static-analyzer

Author: Deomid Ryabkov (rojer)

This code:

#include <iostream>
#include <string>

struct Structy {
  std::string foo;
  int bar;
};

int main() {
  auto *s = new Structy{
      .foo = "foo",
      .bar = 1,
  };
  std::cout << s->foo << s->bar;
  delete s;
}

produces the following static analyzer warning:

$ clang-tidy -p . qq.cpp 
1 warning generated.
/home/rojer/allterco/shelly-ng3/qq.cpp:14:3: error: 1st function call argument is an uninitialized value [clang-analyzer-core.CallAndMessage,-warnings-as-errors]
   14 |   std::cout << s->foo << s->bar;
      |   ^                      ~~~~~~
/home/rojer/allterco/shelly-ng3/qq.cpp:10:13: note: Uninitialized value stored to field 'bar'
   10 |   auto *s = new Structy{
      |             ^~~~~~~~~~~~
   11 |       .foo = "foo",
      |       ~~~~~~~~~~~~~
   12 |       .bar = 1,
      |       ~~~~~~~~~
   13 |   };
      |   ~
/home/rojer/allterco/shelly-ng3/qq.cpp:14:3: note: 1st function call argument is an uninitialized value
   14 |   std::cout << s->foo << s->bar;
      |   ^                      ~~~~~~
1 warning treated as error

s->bar is of course explicitly initialized to 1, so the generated warning is a false-positive.

swapping field order to bar, foo makes it go away.

tested with latest main (20.0.0git ec353b7).

[vinay-deshmukh]

I'm working on this issue.

Updates: might be tougher than I initially assumed.

here's my approach so far (in case it helps the next attempt:

Added a case for IntegerLiteralExpr in ExprEngine::Visit to get the APSInt from the corresponding Expr, and then did State::assumeInclusiveRange(Val, aPInt, aPInt) but AFAICT the "SVal" for the Structy* expression is already in the State::contraints, which might be why my aforementioned changes are not "taking effect" and accordingly constraining the ConstraintManager.

My idea was that by binding a nonloc::ConcreteInt and using assumeInclusiveRange would constrain the value accordingly ^

Would appreciate any guidance on what I could be missing here ^

Update 2: I'll try to come back to this once my other PR goes through(as that needs more changes to be compliant with the standard), in the meantime, if anyone wishes to take it up go ahead!

[rojer]

ping @vinay-deshmukh any progress?

[vinay-deshmukh]

Hi @rojer , sorry haven't been able to come back to work/make progress on this issue!

[ashfordium]

Picking this one up if okay with you @vinay-deshmukh.

I made a slightly more minimzed reproducer:

struct S {
  int foo;
  int bar;
};

void f() {
  S *s = new S{
      .foo = 13,
      .bar = 1,
  };
  int retval = s->bar;
  delete s;
}

Looks like a problem with CXXNewExpr with the init lists. The results even when swapping the field order are still not as good as could be. Going to work on aggregate initialization semantics in exprengine I think...

[steakhal]

Picking this one up if okay with you @vinay-deshmukh.

I made a slightly more minimzed reproducer:

struct S {
  int foo;
  int bar;
};

void f() {
  S *s = new S{
      .foo = 13,
      .bar = 1,
  };
  int retval = s->bar;
  delete s;
}

Looks like a problem with CXXNewExpr with the init lists. The results even when swapping the field order are still not as good as could be. Going to work on aggregate initialization semantics in exprengine I think...

Have a look at ExprEngine::ProcessInitializer.

[vinay-deshmukh]

Picking this one up if okay with you @vinay-deshmukh.

I made a slightly more minimzed reproducer:

struct S {
  int foo;
  int bar;
};

void f() {
  S *s = new S{
      .foo = 13,
      .bar = 1,
  };
  int retval = s->bar;
  delete s;
}

Looks like a problem with CXXNewExpr with the init lists. The results even when swapping the field order are still not as good as could be. Going to work on aggregate initialization semantics in exprengine I think...

Go for it!