-Cllvm-args=-fanalyzer reports uses of uninitialized values

[bjorn3]

#[unsafe(no_mangle)]
fn main() {
    let _ = Box::new(42);
}

and then compile with -Cllvm-args=-fanalyzer results in

libgccjit.so: warning: : use of uninitialized value 'undefined' [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
  '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E': event 1
    │
    │ (1): entry to '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E'
    │
  '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E': event 2
    │
    │/root/build-rustc-cg-gcc/rustc_codegen_gcc/build/build_sysroot/sysroot_src/library/core/src/ub_checks.rs:78:17:
    │
    └──> '_ZN4core5alloc6layout6Layout25from_size_align_unchecked18precondition_check17h7567f7e907a542e2E': event 3
           │
           │libgccjit.so:
           │ (3): entry to '_ZN4core5alloc6layout6Layout25from_size_align_unchecked18precondition_check17h7567f7e907a542e2E'
           │
         '_ZN4core5alloc6layout6Layout25from_size_align_unchecked18precondition_check17h7567f7e907a542e2E': event 4
           │
           │/root/build-rustc-cg-gcc/rustc_codegen_gcc/build/build_sysroot/sysroot_src/library/core/src/alloc/layout.rs:138:18:
           │
         '_ZN4core5alloc6layout6Layout25from_size_align_unchecked18precondition_check17h7567f7e907a542e2E': event 5
           │
           │/root/build-rustc-cg-gcc/rustc_codegen_gcc/build/build_sysroot/sysroot_src/library/core/src/ub_checks.rs:75:14:
           │
    <──────┘
    │
  '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E': event 6
    │
    │
  '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E': event 7
    │
    │libgccjit.so:
    │ (7): use of uninitialized value 'undefined' here
    │
libgccjit.so: warning: : use of uninitialized value 'undefined' [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
  '_ZN5alloc5alloc15exchange_malloc17h3ccaf01f6c22a3acE': event 1
    │
    │libgccjit.so:
    │ (1): entry to '_ZN5alloc5alloc15exchange_malloc17h3ccaf01f6c22a3acE'
    │
  '_ZN5alloc5alloc15exchange_malloc17h3ccaf01f6c22a3acE': event 2
    │
    │/root/build-rustc-cg-gcc/rustc_codegen_gcc/build/build_sysroot/sysroot_src/library/alloc/src/alloc.rs:351:27:
    │
    └──> '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E': event 3
           │
           │libgccjit.so:
           │ (3): entry to '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E'
           │
         '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E': event 4
           │
           │/root/build-rustc-cg-gcc/rustc_codegen_gcc/build/build_sysroot/sysroot_src/library/core/src/ub_checks.rs:78:17:
           │
           └──> '_ZN4core5alloc6layout6Layout25from_size_align_unchecked18precondition_check17h7567f7e907a542e2E': event 5
                  │
                  │libgccjit.so:
                  │ (5): entry to '_ZN4core5alloc6layout6Layout25from_size_align_unchecked18precondition_check17h7567f7e907a542e2E'
                  │
                '_ZN4core5alloc6layout6Layout25from_size_align_unchecked18precondition_check17h7567f7e907a542e2E': event 6
                  │
                  │/root/build-rustc-cg-gcc/rustc_codegen_gcc/build/build_sysroot/sysroot_src/library/core/src/alloc/layout.rs:138:18:
                  │
                '_ZN4core5alloc6layout6Layout25from_size_align_unchecked18precondition_check17h7567f7e907a542e2E': event 7
                  │
                  │/root/build-rustc-cg-gcc/rustc_codegen_gcc/build/build_sysroot/sysroot_src/library/core/src/ub_checks.rs:75:14:
                  │
           <──────┘
           │
         '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E': event 8
           │
           │
         '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E': event 9
           │
           │libgccjit.so:
           │ (9): use of uninitialized value 'undefined' here
           │
libgccjit.so: warning: : use of uninitialized value 'undefined' [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
  'main': event 1
    │
    │libgccjit.so:
    │ (1): entry to 'main'
    │
  'main': event 2
    │
    │<source>:3:13:
    │    3 |     let _ = Box::new(42);
    │      |             ^
    │      |             |
    │      |             (2) inlined call to '_ZN5alloc5boxed12Box$LT$T$GT$3new17h4d326128f3fc6045E' from 'main'
    │
    └──> '_ZN5alloc5boxed12Box$LT$T$GT$3new17h4d326128f3fc6045E': event 3
           │
           │/root/build-rustc-cg-gcc/rustc_codegen_gcc/build/build_sysroot/sysroot_src/library/alloc/src/boxed.rs:261:16:
           │
         '_ZN5alloc5alloc15exchange_malloc17h3ccaf01f6c22a3acE': event 4
           │
           │libgccjit.so:
           │ (4): entry to '_ZN5alloc5alloc15exchange_malloc17h3ccaf01f6c22a3acE'
           │
         '_ZN5alloc5alloc15exchange_malloc17h3ccaf01f6c22a3acE': event 5
           │
           │/root/build-rustc-cg-gcc/rustc_codegen_gcc/build/build_sysroot/sysroot_src/library/alloc/src/alloc.rs:351:27:
           │
           └──> '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E': event 6
                  │
                  │libgccjit.so:
                  │ (6): entry to '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E'
                  │
                '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E': event 7
                  │
                  │/root/build-rustc-cg-gcc/rustc_codegen_gcc/build/build_sysroot/sysroot_src/library/core/src/ub_checks.rs:78:17:
                  │
                  └──> '_ZN4core5alloc6layout6Layout25from_size_align_unchecked18precondition_check17h7567f7e907a542e2E': event 8
                         │
                         │libgccjit.so:
                         │ (8): entry to '_ZN4core5alloc6layout6Layout25from_size_align_unchecked18precondition_check17h7567f7e907a542e2E'
                         │
                       '_ZN4core5alloc6layout6Layout25from_size_align_unchecked18precondition_check17h7567f7e907a542e2E': event 9
                         │
                         │/root/build-rustc-cg-gcc/rustc_codegen_gcc/build/build_sysroot/sysroot_src/library/core/src/alloc/layout.rs:138:18:
                         │
                       '_ZN4core5alloc6layout6Layout25from_size_align_unchecked18precondition_check17h7567f7e907a542e2E': event 10
                         │
                         │/root/build-rustc-cg-gcc/rustc_codegen_gcc/build/build_sysroot/sysroot_src/library/core/src/ub_checks.rs:75:14:
                         │
                  <──────┘
                  │
                '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E': event 11
                  │
                  │
                '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E': event 12
                  │
                  │libgccjit.so:
                  │ (12): use of uninitialized value 'undefined' here
                  │
libgccjit.so: warning: : use of uninitialized value 'undefined' [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
  '_ZN5alloc5alloc6Global10alloc_impl17h0be00c1c456dfa5cE': events 1-2
/root/build-rustc-cg-gcc/rustc_codegen_gcc/build/build_sysroot/sysroot_src/library/alloc/src/alloc.rs:186:9:
  '_ZN5alloc5alloc6Global10alloc_impl17h0be00c1c456dfa5cE': event 3
libgccjit.so:
 (3): use of uninitialized value 'undefined' here
libgccjit.so: warning: : use of uninitialized value 'undefined' [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
  '_ZN63_$LT$alloc..alloc..Global$u20$as$u20$core..alloc..Allocator$GT$8allocate17h69f42b4c603da6acE': event 1
    │
    │libgccjit.so:
    │ (1): entry to '_ZN63_$LT$alloc..alloc..Global$u20$as$u20$core..alloc..Allocator$GT$8allocate17h69f42b4c603da6acE'
    │
  '_ZN63_$LT$alloc..alloc..Global$u20$as$u20$core..alloc..Allocator$GT$8allocate17h69f42b4c603da6acE': event 2
    │
    │
    └──> '_ZN5alloc5alloc6Global10alloc_impl17h0be00c1c456dfa5cE': event 3
           │
           │libgccjit.so:
           │ (3): entry to '_ZN5alloc5alloc6Global10alloc_impl17h0be00c1c456dfa5cE'
           │
         '_ZN5alloc5alloc6Global10alloc_impl17h0be00c1c456dfa5cE': events 4-5
           │
           │
         '_ZN5alloc5alloc6Global10alloc_impl17h0be00c1c456dfa5cE': event 6
           │
           │libgccjit.so:
           │ (6): use of uninitialized value 'undefined' here
           │
libgccjit.so: warning: : use of uninitialized value 'undefined' [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
  '_ZN4core5alloc6layout6Layout13for_value_raw17hfb84ae9010274903E': event 1
    │
    │libgccjit.so:
    │ (1): entry to '_ZN4core5alloc6layout6Layout13for_value_raw17hfb84ae9010274903E'
    │
  '_ZN4core5alloc6layout6Layout13for_value_raw17hfb84ae9010274903E': event 2
    │
    │/root/build-rustc-cg-gcc/rustc_codegen_gcc/build/build_sysroot/sysroot_src/library/core/src/alloc/layout.rs:224:18:
    │
    └──> '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E': event 3
           │
           │libgccjit.so:
           │ (3): entry to '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E'
           │
         '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E': event 4
           │
           │/root/build-rustc-cg-gcc/rustc_codegen_gcc/build/build_sysroot/sysroot_src/library/core/src/ub_checks.rs:78:17:
           │
           └──> '_ZN4core5alloc6layout6Layout25from_size_align_unchecked18precondition_check17h7567f7e907a542e2E': event 5
                  │
                  │libgccjit.so:
                  │ (5): entry to '_ZN4core5alloc6layout6Layout25from_size_align_unchecked18precondition_check17h7567f7e907a542e2E'
                  │
                '_ZN4core5alloc6layout6Layout25from_size_align_unchecked18precondition_check17h7567f7e907a542e2E': event 6
                  │
                  │/root/build-rustc-cg-gcc/rustc_codegen_gcc/build/build_sysroot/sysroot_src/library/core/src/alloc/layout.rs:138:18:
                  │
                '_ZN4core5alloc6layout6Layout25from_size_align_unchecked18precondition_check17h7567f7e907a542e2E': event 7
                  │
                  │/root/build-rustc-cg-gcc/rustc_codegen_gcc/build/build_sysroot/sysroot_src/library/core/src/ub_checks.rs:75:14:
                  │
           <──────┘
           │
         '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E': event 8
           │
           │
         '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E': event 9
           │
           │libgccjit.so:
           │ (9): use of uninitialized value 'undefined' here
           │
libgccjit.so: warning: : use of uninitialized value 'undefined' [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
  '_ZN72_$LT$alloc..boxed..Box$LT$T$C$A$GT$$u20$as$u20$core..ops..drop..Drop$GT$4drop17h7863c2941af28a7cE': event 1
    │
    │libgccjit.so:
    │ (1): entry to '_ZN72_$LT$alloc..boxed..Box$LT$T$C$A$GT$$u20$as$u20$core..ops..drop..Drop$GT$4drop17h7863c2941af28a7cE'
    │
  '_ZN72_$LT$alloc..boxed..Box$LT$T$C$A$GT$$u20$as$u20$core..ops..drop..Drop$GT$4drop17h7863c2941af28a7cE': event 2
    │
    │/root/build-rustc-cg-gcc/rustc_codegen_gcc/build/build_sysroot/sysroot_src/library/alloc/src/boxed.rs:1652:26:
    │
    └──> '_ZN4core5alloc6layout6Layout13for_value_raw17hfb84ae9010274903E': event 3
           │
           │libgccjit.so:
           │ (3): entry to '_ZN4core5alloc6layout6Layout13for_value_raw17hfb84ae9010274903E'
           │
         '_ZN4core5alloc6layout6Layout13for_value_raw17hfb84ae9010274903E': event 4
           │
           │/root/build-rustc-cg-gcc/rustc_codegen_gcc/build/build_sysroot/sysroot_src/library/core/src/alloc/layout.rs:224:18:
           │
           └──> '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E': event 5
                  │
                  │libgccjit.so:
                  │ (5): entry to '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E'
                  │
                '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E': event 6
                  │
                  │/root/build-rustc-cg-gcc/rustc_codegen_gcc/build/build_sysroot/sysroot_src/library/core/src/ub_checks.rs:78:17:
                  │
                  └──> '_ZN4core5alloc6layout6Layout25from_size_align_unchecked18precondition_check17h7567f7e907a542e2E': event 7
                         │
                         │libgccjit.so:
                         │ (7): entry to '_ZN4core5alloc6layout6Layout25from_size_align_unchecked18precondition_check17h7567f7e907a542e2E'
                         │
                       '_ZN4core5alloc6layout6Layout25from_size_align_unchecked18precondition_check17h7567f7e907a542e2E': event 8
                         │
                         │/root/build-rustc-cg-gcc/rustc_codegen_gcc/build/build_sysroot/sysroot_src/library/core/src/alloc/layout.rs:138:18:
                         │
                       '_ZN4core5alloc6layout6Layout25from_size_align_unchecked18precondition_check17h7567f7e907a542e2E': event 9
                         │
                         │/root/build-rustc-cg-gcc/rustc_codegen_gcc/build/build_sysroot/sysroot_src/library/core/src/ub_checks.rs:75:14:
                         │
                  <──────┘
                  │
                '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E': event 10
                  │
                  │
                '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E': event 11
                  │
                  │libgccjit.so:
                  │ (11): use of uninitialized value 'undefined' here
                  │
libgccjit.so: warning: : use of uninitialized value 'undefined' [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
  '_ZN4core3ptr49drop_in_place$LT$alloc..boxed..Box$LT$i32$GT$$GT$17h2d9920e239d4edd1E': event 1
    │
    │libgccjit.so:
    │ (1): entry to '_ZN4core3ptr49drop_in_place$LT$alloc..boxed..Box$LT$i32$GT$$GT$17h2d9920e239d4edd1E'
    │
  '_ZN4core3ptr49drop_in_place$LT$alloc..boxed..Box$LT$i32$GT$$GT$17h2d9920e239d4edd1E': event 2
    │
    │/root/build-rustc-cg-gcc/rustc_codegen_gcc/build/build_sysroot/sysroot_src/library/core/src/ptr/mod.rs:804:1:
    │
    └──> '_ZN72_$LT$alloc..boxed..Box$LT$T$C$A$GT$$u20$as$u20$core..ops..drop..Drop$GT$4drop17h7863c2941af28a7cE': event 3
           │
           │libgccjit.so:
           │ (3): entry to '_ZN72_$LT$alloc..boxed..Box$LT$T$C$A$GT$$u20$as$u20$core..ops..drop..Drop$GT$4drop17h7863c2941af28a7cE'
           │
         '_ZN72_$LT$alloc..boxed..Box$LT$T$C$A$GT$$u20$as$u20$core..ops..drop..Drop$GT$4drop17h7863c2941af28a7cE': event 4
           │
           │/root/build-rustc-cg-gcc/rustc_codegen_gcc/build/build_sysroot/sysroot_src/library/alloc/src/boxed.rs:1652:26:
           │
           └──> '_ZN4core5alloc6layout6Layout13for_value_raw17hfb84ae9010274903E': event 5
                  │
                  │libgccjit.so:
                  │ (5): entry to '_ZN4core5alloc6layout6Layout13for_value_raw17hfb84ae9010274903E'
                  │
                '_ZN4core5alloc6layout6Layout13for_value_raw17hfb84ae9010274903E': event 6
                  │
                  │/root/build-rustc-cg-gcc/rustc_codegen_gcc/build/build_sysroot/sysroot_src/library/core/src/alloc/layout.rs:224:18:
                  │
                  └──> '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E': event 7
                         │
                         │libgccjit.so:
                         │ (7): entry to '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E'
                         │
                       '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E': event 8
                         │
                         │/root/build-rustc-cg-gcc/rustc_codegen_gcc/build/build_sysroot/sysroot_src/library/core/src/ub_checks.rs:78:17:
                         │
                         └──> '_ZN4core5alloc6layout6Layout25from_size_align_unchecked18precondition_check17h7567f7e907a542e2E': event 9
                                │
                                │libgccjit.so:
                                │ (9): entry to '_ZN4core5alloc6layout6Layout25from_size_align_unchecked18precondition_check17h7567f7e907a542e2E'
                                │
                              '_ZN4core5alloc6layout6Layout25from_size_align_unchecked18precondition_check17h7567f7e907a542e2E': event 10
                                │
                                │/root/build-rustc-cg-gcc/rustc_codegen_gcc/build/build_sysroot/sysroot_src/library/core/src/alloc/layout.rs:138:18:
                                │
                              '_ZN4core5alloc6layout6Layout25from_size_align_unchecked18precondition_check17h7567f7e907a542e2E': event 11
                                │
                                │/root/build-rustc-cg-gcc/rustc_codegen_gcc/build/build_sysroot/sysroot_src/library/core/src/ub_checks.rs:75:14:
                                │
                         <──────┘
                         │
                       '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E': event 12
                         │
                         │
                       '_ZN4core5alloc6layout6Layout25from_size_align_unchecked17h70ce6625d1a2bfa4E': event 13
                         │
                         │libgccjit.so:
                         │ (13): use of uninitialized value 'undefined' here
                         │

simple true UB things like

#[unsafe(no_mangle)]
fn main() {
    unsafe { *core::ptr::null_mut() = 42; }
}

are correctly reported with -Cllvm-args=-fanalyzer -O though, so -fanalyzer is not completely broken:

libgccjit.so: <source>:3:14: warning: : dereference of NULL '0B' [CWE-476] [-Wanalyzer-null-dereference]
  'main': event 1
<source>:3:14:
    3 |     unsafe { *core::ptr::null_mut() = 42; }
      |              ^
      |              |
      |              (1) ⚠️  dereference of NULL '0B'

but something like

#[unsafe(no_mangle)]
fn main() {
    let x = 42;
    let bad_box = unsafe { std::mem::transmute::<&i32, Box<i32>>(&x) };
    drop(bad_box);
}

doesn't get any errors with -Cllvm-args=-fanalyzer -O (likely because __rust_dealloc is not recognized as free function by GCC, while without -O it produces the same warnings about uninitialized values.

[bjorn3]

Getting this to work well could be a nice complement to miri and it would help detect bugs in cg_gcc itself.

[bjorn3]

#[unsafe(no_mangle)]
fn main() {
    let mut a = core::ptr::null_mut();
    (|| {
        let x = 42;
        a = &x as *const _ as *mut u8;
    })();
    unsafe { *a = 42; }
}

is also correctly reported, but if I replace the closure with a regular block, it isn't anymore. Probably caused by cg_gcc ignoring StorageLive/StorageDead.

[bjorn3]

This is part of the original gimple for the first example I gave of those warnings:

struct struct _RNvMNtNtCsd4HGMicdM8P_4core5alloc6layoutNtB2_6Layout25from_size_align_uncheckedCs1jaRrZSZcb5_7example (size_t param0, size_t param1, long int * param2)
{
  struct struct D.4017;
  struct struct aggregate_value;
  struct struct aggregate_value;
  struct struct undefined;
  signed char stack_var_2[8];
  signed char stack_var_1[8];

  try
    {
      start:
      stack_var_1.15_1 = &stack_var_1;
      MEM[(size_t *)stack_var_1.15_1] = param0;
      stack_var_2.16_2 = &stack_var_2;
      MEM[(size_t *)stack_var_2.16_2] = param1;
      if (1 != 0) goto bb1; else goto bb2;
      bb2:
      aggregate_value = undefined;
      _3 = VIEW_CONVERT_EXPR<long int>(param1);
      _4 = (size_t) _3;
      aggregate_value.field0_TODO = _4;
      aggregate_value = aggregate_value;
      aggregate_value.field1_TODO = param0;
      D.4017 = aggregate_value;
      return D.4017;
      bb1:
      _RNvNvMNtNtCsd4HGMicdM8P_4core5alloc6layoutNtB4_6Layout25from_size_align_unchecked18precondition_checkCs1jaRrZSZcb5_7example (param0, param1, param2);
      goto bb2;
    }
  finally
    {
      aggregate_value = {CLOBBER(eos)};
      aggregate_value = {CLOBBER(eos)};
      undefined = {CLOBBER(eos)};
      stack_var_2 = {CLOBBER(eos)};
      stack_var_1 = {CLOBBER(eos)};
    }
}

[antoyo]

Yeah, I opened an issue upstream for the use of uninitialized value.
Could you please confirm this is the same issue you have?

If so, there didn't seem to have any consensus about whether this is UB or not to copy uninitialized memory on the GCC side.
Do you have any input on this?

[bjorn3]

Yeah, I opened an issue upstream for the use of uninitialized value.
Could you please confirm this is the same issue you have?

Looks like it.

If so, there didn't seem to have any consensus about whether this is UB or not to copy uninitialized memory on the GCC side.
Do you have any input on this?

In rust we have typed and untyped copies. Untyped copies like core::ptr::copy_nonoverlapping or memcpy always allow copying uninitialized memory in Rust, but GCC -fanalyzer still warns about it in C.

#include <string.h>

void foo(int num) {
    int a;
    int b;
    memcpy(&a, &b, 1);
}

<source>: In function 'foo':
<source>:6:5: warning: use of uninitialized value '*(unsigned char *)&b' [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
    6 |     memcpy(&a, &b, 1);
      |     ^~~~~~~~~~~~~~~~~
  'foo': events 1-2
    5 |     int b;
      |         ^
      |         |
      |         (1) region created on stack here
    6 |     memcpy(&a, &b, 1);
      |     ~~~~~~~~~~~~~~~~~
      |     |
      |     (2) ⚠️  use of uninitialized value '*(unsigned char *)&b' here

Typed copies like assignments, passing arguments and returning values only allow copying valid values and will lose padding. For unions all byte patterns (including uninit bytes) are currently considered valid (but not officially stabilized I think, except for MaybeUninit which definitively has to allow uninit values)

Does GCC still complain if cg_gcc were to use memcpy rather than assignments for things like aggregate_value = undefined;? And can GCC still optimize

aggregate_value = undefined;
aggregate_value.field0_TODO = _4;
aggregate_value = aggregate_value;
aggregate_value.field1_TODO = param0;

to

aggregate_value.field0_TODO = _4;
aggregate_value.field1_TODO = param0;

if you do that?

Also in Rust stack allocations are untyped memory just like heap allocations (the only point where the type of a value matters is during typed copies), so if GCC doesn't like struct variables to contain arbitrary bytes, you will have to represent them as the equivalent of MaybeUninit<[u8; size_of::<T>()]> in GIMPLE.

[antoyo]

I also remember some discussions with the GCC folks about trap representations where a memcpy would trigger UB on some architectures if it attempts to copy a trap byte.
We might also have discussed about this in the past, but I cannot find the conversation. Do you remember anything about this?

[bjorn3]

This is perfectly safe code, yet gives an uninit warning with -fanalyzer in cg_gcc (if compiled with -Cllvm-args=-fanalyzer --cfg cg_gcc), but works just fine in gccrs. I think this is because gccrs uses an actual union on the backend.

#![feature(intrinsics)]

#[cfg(not(cg_gcc))]
#[lang = "sized"]
trait Sized {}

#[cfg(not(cg_gcc))]
#[lang = "copy"]
trait Copy {}

#[cfg(not(cg_gcc))]
impl Copy for u32 {}

#[cfg(not(cg_gcc))]
#[lang = "clone"]
trait Clone {
    fn clone(&self) -> Self;
}

#[cfg(not(cg_gcc))]
impl Clone for u32 {
    fn clone(&self) -> Self {
        *self
    }
}

#[cfg(not(cg_gcc))]
#[lang = "phantom_data"]
struct PhantomData<T>;

#[cfg(cg_gcc)]
use core::ptr::copy_nonoverlapping;

#[cfg(not(cg_gcc))]
extern "rust-intrinsic" {
    fn copy_nonoverlapping<T>(src: &T, dst: &mut T, count: usize);
}

#[repr(C)]
#[derive(Copy, Clone)]
union Foo<T: Copy> {
    uninit: (),
    init: T,
}

#[no_mangle]
fn main() {
    let a = Foo::<u32> { uninit: () };
    let mut b = Foo::<u32> { uninit: () };
    b = a;
    unsafe { copy_nonoverlapping(&a, &mut b, 1); }
}

if I heap allocate a, both cg_gcc and gccrs complain, while miri is still fine with it.

https://rust.godbolt.org/z/81rb9foj4

#![feature(intrinsics)]

#[cfg(not(cg_gcc))]
#[lang = "sized"]
trait Sized {}

#[cfg(not(cg_gcc))]
#[lang = "copy"]
trait Copy {}

#[cfg(not(cg_gcc))]
impl Copy for u32 {}

#[cfg(not(cg_gcc))]
#[lang = "clone"]
trait Clone {
    fn clone(&self) -> Self;
}

#[cfg(not(cg_gcc))]
impl Clone for u32 {
    fn clone(&self) -> Self {
        *self
    }
}

#[cfg(not(cg_gcc))]
#[lang = "phantom_data"]
struct PhantomData<T>;

#[cfg(cg_gcc)]
use core::ptr::copy_nonoverlapping;

#[cfg(not(cg_gcc))]
extern "rust-intrinsic" {
    fn copy_nonoverlapping<T>(src: *const T, dst: *mut T, count: usize);
}

#[repr(C)]
#[derive(Copy, Clone)]
union Foo<T: Copy> {
    uninit: (),
    init: T,
}

extern "C" {
    fn malloc(size: usize) -> *mut u8;
}

#[no_mangle]
fn main() {
    let a = unsafe { malloc(4) } as *const Foo::<u32>;
    let mut b = Foo::<u32> { uninit: () };
    unsafe { b = *a };
    unsafe { copy_nonoverlapping(a, &mut b, 1); }
}

[bjorn3]

I also remember some discussions with the GCC folks about trap representations where a memcpy would trigger UB on some architectures if it attempts to copy a trap byte.

I know Itanium has a trap representation for registers (the NaT value), but I'm not aware of any that has this for actual memory. And any architecture for which this would be the case is definitively not a compliant Rust implementation given the existence of MaybeUninit and the fact that Rust has an untyped memory model. So if GCC wants to have any Rust support, they will have to yield one way or another, even if just behind a flag that only cg_gcc and gccrs enable.

[antoyo]

Alright, I found the discussion we had.

So, my understanding is that the Rust devs believe memcpy with uninitialized memory ought to be OK.
I know I discussed this issue a few times with the GCC devs, but they don't seem to agree.

I remember there was some mentions of this in the C standard document, but I cannot find where. Do you know where this is specified in the C standard? That would allow me to ask for more details to the GCC devs.

[davidmalcolm]

Probably a silly question, but am I right in thinking that -Cllvm-args=-fanalyzer is actually used as the GCC arguments, passed to the libgccjit context when compiling it? (and thus -fanalyzer is the GCC static analyzer? it looks like it, based on the ASCII art control flow output)

[antoyo]

Yes, the name is indeed confusing, but this is sent to GCC here.

[bjorn3]

Yeah, rustc stabilized -Cllvm-args for passing arbitrary arguments to LLVM long before alternative backends were viable. And cg_gcc has now co-opted it for passing arbitrary arguments to GCC. I assume because adding a new flag would require rustc changes, while reusing -Cllvm-args only required a cg_gcc change. We should probably design a better interface for this at some point.

[bjorn3]

I found a -fanalyzer crash the following which contains a null pointer dereference:

#![feature(cstr_display)]
fn main() {
    println!("Hello World! {:?}", unsafe { std::ffi::CStr::from_ptr(0 as _) });
}

Backtrace

#0  ana::(anonymous namespace)::malloc_state_machine::on_stmt (this=0x7fffd973ea00, sm_ctxt=..., node=0x7fffd971bb20, stmt=0x7fffd94da1c8) at ../../gcc/gcc/analyzer/sm-malloc.cc:2163
#1  0x00007fffe1d4c6a8 in ana::exploded_node::on_stmt (this=this@entry=0x7fffd961fad0, eg=..., snode=snode@entry=0x7fffd971bb20, stmt=stmt@entry=0x7fffd94da1c8, state=state@entry=0x7fffd9d747b0, 
    uncertainty=uncertainty@entry=0x7fffd9d74860, out_could_have_done_work=0x7fffd9d7479f, path_ctxt=0x7fffd9d74830) at ../../gcc/gcc/analyzer/engine.cc:1547
#2  0x00007fffe1d4efdf in ana::exploded_graph::process_node (this=0x7fffd9d74bf0, node=0x7fffd961fad0) at ../../gcc/gcc/analyzer/engine.cc:4501
#3  0x00007fffe1d4fe43 in ana::exploded_graph::process_worklist (this=0x7fffd9d74bf0) at ../../gcc/gcc/analyzer/engine.cc:3890
#4  0x00007fffe1d52190 in ana::impl_run_checkers (logger=logger@entry=0x0) at ../../gcc/gcc/analyzer/engine.cc:6602
#5  0x00007fffe1d5331f in ana::run_checkers () at ../../gcc/gcc/analyzer/analyzer-logging.h:153
#6  0x00007fffe1d4279d in (anonymous namespace)::pass_analyzer::execute (this=<optimized out>) at ../../gcc/gcc/analyzer/analyzer-pass.cc:81
#7  0x00007fffe18745c4 in execute_one_pass (pass=pass@entry=0x7fffd9601000) at ../../gcc/gcc/passes.cc:2648
#8  0x00007fffe1875495 in execute_ipa_pass_list (pass=0x7fffd9601000) at ../../gcc/gcc/passes.cc:3101
#9  0x00007fffe14b50a3 in ipa_passes () at ../../gcc/gcc/cgraphunit.cc:2295
#10 symbol_table::compile (this=0x7fffda108200) at ../../gcc/gcc/cgraphunit.cc:2360
#11 symbol_table::compile (this=0x7fffda108200) at ../../gcc/gcc/cgraphunit.cc:2336
#12 0x00007fffe14b8000 in symbol_table::finalize_compilation_unit (this=0x7fffda108200) at ../../gcc/gcc/cgraphunit.cc:2617
#13 0x00007fffe1984024 in compile_file () at ../../gcc/gcc/toplev.cc:480
#14 0x00007fffe13ce85c in do_compile () at ../../gcc/gcc/toplev.cc:2222
#15 toplev::main (this=this@entry=0x7fffd9d7a5de, argc=<optimized out>, argv=<optimized out>) at ../../gcc/gcc/toplev.cc:2385
#16 0x00007fffe14079ea in gcc::jit::playback::context::compile (this=this@entry=0x7fffd9d7a650) at ../../gcc/gcc/vec.h:605
#17 0x00007fffe13f7dea in gcc::jit::recording::context::compile_to_file (this=0x7fffde72de00, output_kind=GCC_JIT_OUTPUT_KIND_OBJECT_FILE, 
    output_path=0x7fffd9607000 "target/out/rust_out.rust_out.ae530576c0490291-cgu.0.rcgu.o") at ../../gcc/gcc/jit/jit-recording.cc:1728
#18 0x00007fffe13e4a4f in gcc_jit_context_compile_to_file (ctxt=0x7fffde72de00, output_kind=GCC_JIT_OUTPUT_KIND_OBJECT_FILE, 
    output_path=0x7fffd9607000 "target/out/rust_out.rust_out.ae530576c0490291-cgu.0.rcgu.o") at ../../gcc/gcc/jit/libgccjit.cc:3999
#19 0x00007fffe3e42120 in gccjit::context::Context::compile_to_file::h4cb04b38ea079f16 () from /home/bjorn/Projects/cg_gcc/target/release/librustc_codegen_gcc.so
#20 0x00007fffe3e33d58 in rustc_codegen_gcc::back::write::codegen::h790c6d54c10abde8 () from /home/bjorn/Projects/cg_gcc/target/release/librustc_codegen_gcc.so
#21 0x00007fffe3df352b in rustc_codegen_ssa::back::write::execute_optimize_work_item::h3bea3e139d04879b () from /home/bjorn/Projects/cg_gcc/target/release/librustc_codegen_gcc.so
#22 0x00007fffe3ed765e in std::sys::backtrace::__rust_begin_short_backtrace::hf5034862b2ff944a () from /home/bjorn/Projects/cg_gcc/target/release/librustc_codegen_gcc.so
#23 0x00007fffe3e4de20 in core::ops::function::FnOnce::call_once{{vtable.shim}}::hd5de37a721dfb2df () from /home/bjorn/Projects/cg_gcc/target/release/librustc_codegen_gcc.so
#24 0x00007ffff67004cd in std::sys::thread::unix::Thread::new::thread_start::he7b0487bb84c63a3 ()
   from /home/bjorn/.rustup/toolchains/nightly-2025-09-30-x86_64-unknown-linux-gnu/bin/../lib/librustc_driver-c7c296b6a7c1422b.so
#25 0x00007ffff02a71f5 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#26 0x00007ffff03278dc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

After poking around a bit, I suspect the issue is that the malloc function doesn't get annotated by rustc_codegen_gcc as being an allocator function, while -fanalyzer expects to be able to find the builtin decl when the callee of a call is called malloc or one of the other allocation functions. I don't think libgccjit supports setting that attribute yet.

Edit: The same issue exists for strlen.