Description
I see a false positive in the alpha.unix.cstring.UninitializedRead checker when analyzing code containing an array of structs, but not an equivalent array of a scalar type.
```
$ clang --analyze -Xclang -analyzer-checker=alpha.unix.cstring.OutOfBounds,alpha.unix.cstring.UninitializedRead case1.c
warning: Bytes string function accesses uninitialized/garbage values [alpha.unix.cstring.UninitializedRead]
memcpy(local_info, Info, sizeof(struct _ss)*2);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
case2.c below is a 2-dimensional scalar array, and does not show this false positive. So it could be a difference in the way structs are handled (or not)?
The element region for Info comes out to be `Element{Info,7 S64b,char}` in both cases. For the case that fails, I see that `convertOffsetsFromSvalToUnsigneds()` in RegionStore.cpp (around line 1683) is returning `UndefinedVal()` because `Offset.uge(*(ExtentIt++))` is true for case1.c.
If it's true that we're not handling structs properly (or at all), would it be better to detect that case and return `UnknownVal()` instead? Or is there a better fix for this problem?
I think this is somehow related to this change, and series - https://reviews.llvm.org/D104285.
case1.c

```c
/* Freestanding declarations so the reproducer needs no headers. */
typedef __typeof(sizeof(int)) size_t;
void *memcpy(void *to, void const *from, size_t count);

typedef struct _ss {
    short a;
    short b;
} ss, *pss;

/* Fully initialized source: an array of two 4-byte structs. */
const ss Info[2] = { { 0, 1, }, { 2, 3, }, };

void clang_analyzer_dump(short);

static void xxx(void)
{
    ss local_info[2];
    /* Copies exactly sizeof(Info) bytes from an initialized array,
       yet the analyzer reports an uninitialized read here. */
    memcpy(local_info, Info, sizeof(struct _ss)*2);
}
```
case2.c

```c
/* Freestanding declarations so the reproducer needs no headers. */
typedef __typeof(sizeof(int)) size_t;
void *memcpy(void *to, void const *from, size_t count);

/* Same byte layout as case1.c, but as a 2-D scalar array. */
const short Info[2][2] = { { 0, 1, }, { 2, 3, }, };

void clang_analyzer_dump(short);

static void xxx(void)
{
    short local_info[2][2];
    /* Same copy size as case1.c; no warning is reported here. */
    memcpy(local_info, Info, sizeof(short)*4);
}
```