-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CodeQL - false positive: Potentially uninitialized local variable after noreturn function. #10600
Comments
Apologies for the slow reply. This indeed seems a false positive, and looking at the query I don't expect this false positive to occur. Could you tell me which version of the CodeQL CLI you're using in your workflow? Also the logs produced by CodeQL would useful. |
It's run "as normal" from a Github action. TrenchBoot/secure-kernel-loader@5a525e7 is the exact workflow file. Looking through the logs of the run, we've got
and
Does this cover what you need? |
Not quite. There's a file called |
Thanks, that does the trick. This seems to have the same underlying cause as the issue you reported in #10601. In this case this is about |
Ah! We actually have 40 or so issues, and the others were clearly related to |
No problem. I can fully understand this wasn't immediately obvious. |
Thanks again for reporting this problem. The issue should be fixed in the next version of CodeQL which will be released in a few weeks. Closing this issue for now. |
I'm transitioning a project from LGTM.com to Github Actions CodeQL.
While doing so, https://github.com/TrenchBoot/secure-kernel-loader/security/code-scanning/18 got reported.
The complaint is a "Potentially uninitialized local variable" and while strictly speaking, this statement is true, the alert is wrong.
In this specific example, all paths leading to this point where the variable isn't suitably initialised end up making a call to
reboot()
which is__attribute__((noreturn))
. In fact, it's a local static function, which also ends with__builtin_unreachable()
for extra measure.Shouldn't these annotations have caused the analysis to realise that the variable is properly initialised?
The text was updated successfully, but these errors were encountered: