Fix #12091 (False negative: Uninitialized variable read in subfunction (regression)) (#5739)

2023-12-08 21:54:23 +01:00 · 2023-12-08 21:54:23 +01:00 · 1af83ad821
parent f5109df632
commit 1af83ad821
4 changed files with 28 additions and 11 deletions
--- a/lib/valueflow.cpp
+++ b/lib/valueflow.cpp
@ -7325,9 +7325,16 @@ struct MultiValueFlowAnalyzer : ValueFlowAnalyzer {
        return false;
    }

-    bool stopOnCondition(const Token* /*condTok*/) const override {
-        // TODO fix false negatives
-        return true; // isConditional();
+    bool stopOnCondition(const Token* condTok) const override {
+        if (isConditional())
+            return true;
+        if (!condTok->hasKnownIntValue() && values.count(condTok->varId()) == 0) {
+            const auto& values_ = condTok->values();
+            return std::any_of(values_.cbegin(), values_.cend(), [](const ValueFlow::Value& v) {
+                return v.isSymbolicValue() && Token::Match(v.tokvalue, "%oror%|&&");
+            });
+        }
+        return false;
    }

    bool updateScope(const Token* endBlock, bool /*modified*/) const override {
--- a/test/teststl.cpp
+++ b/test/teststl.cpp
@ -2403,12 +2403,11 @@ private:
              "void g(const std::vector<int>& w) {\n"
              "    f(-1, w);\n"
              "}\n");
-        TODO_ASSERT_EQUALS("test.cpp:5:warning:Array index -1 is out of bounds.\n"
-                           "test.cpp:8:note:Calling function 'f', 1st argument '-1' value is -1\n"
-                           "test.cpp:3:note:Assuming condition is false\n"
-                           "test.cpp:5:note:Negative array index\n",
-                           "",
-                           errout.str());
+        ASSERT_EQUALS("test.cpp:5:warning:Array index -1 is out of bounds.\n"
+                      "test.cpp:8:note:Calling function 'f', 1st argument '-1' value is -1\n"
+                      "test.cpp:3:note:Assuming condition is false\n"
+                      "test.cpp:5:note:Negative array index\n",
+                      errout.str());

        settings = oldSettings;
    }
--- a/test/testuninitvar.cpp
+++ b/test/testuninitvar.cpp
@ -6587,7 +6587,7 @@ private:
                        "  bool copied_all = true;\n"
                        "  g(&copied_all, 5, 6, &bytesCopied);\n"
                        "}");
-        TODO_ASSERT_EQUALS("[test.cpp:7] -> [test.cpp:2]: (warning) Uninitialized variable: *buflen\n", "", errout.str());
+        ASSERT_EQUALS("[test.cpp:7] -> [test.cpp:2]: (warning) Uninitialized variable: *buflen\n", errout.str());

        // # 9953
        valueFlowUninit("uint32_t f(uint8_t *mem) {\n"
--- a/test/testvalueflow.cpp
+++ b/test/testvalueflow.cpp
@ -4511,7 +4511,7 @@ private:
               "void f(Object *obj) {\n"
               "  if (valid(obj, K0)) {}\n"
               "}\n";
-        TODO_ASSERT_EQUALS(true, false, testValueOfX(code, 7U, 0));
+        ASSERT_EQUALS(true, testValueOfX(code, 7U, 0));
        ASSERT_EQUALS(false, testValueOfXKnown(code, 7U, 0));

        code = "int f(int i) {\n"
@ -5624,6 +5624,17 @@ private:
               "}\n";
        values = tokenValues(code, "x <", ValueFlow::Value::ValueType::UNINIT);
        ASSERT_EQUALS(0, values.size());
+
+        code = "void g(bool *result, size_t *buflen) {\n" // #12091
+               "    if (*result && *buflen >= 5) {}\n" // <- *buflen might not be initialized
+               "}\n"
+               "void f() {\n"
+               "    size_t bytesCopied;\n"
+               "    bool copied_all = true;\n"
+               "    g(&copied_all, &bytesCopied);\n"
+               "}";
+        values = tokenValues(code, "buflen >=", ValueFlow::Value::ValueType::UNINIT);
+        ASSERT_EQUALS(1, values.size());
    }

    void valueFlowConditionExpressions() {