From: David Malcolm <dmalcolm@redhat.com>
Date: Wed, 11 Feb 2026 13:51:16 +0000 (-0500)
Subject: analyzer: fix uninit in null-termination checking [PR124055]
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a815fdb2052fbca8854b1fddcd0db316a66020ae;p=thirdparty%2Fgcc.git

analyzer: fix uninit in null-termination checking [PR124055]

gcc/analyzer/ChangeLog:
	PR analyzer/124055
	* kf.cc (kf_strcpy::impl_call_pre): Ensure bytes_to_copy is
	initialized.  Assert that it was written to with non-null if
	check_for_null_terminated_string_arg returns non-null.
	* region-model.cc (region_model::scan_for_null_terminator):
	Initialize *out_sval, and assert it is written to when
	returning non-null.
	(region_model::check_for_null_terminated_string_arg): Assert
	that scan_for_null_terminator wrote to *out_sval if it
	returns non-null.

gcc/testsuite/ChangeLog:
	PR analyzer/124055
	* gcc.dg/analyzer/ice-pr124055-1.c: New test.
	* gcc.dg/analyzer/ice-pr124055-2.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
---

diff --git a/gcc/analyzer/kf.cc b/gcc/analyzer/kf.cc
index 5fb86014746..b6b4f8f93ac 100644
--- a/gcc/analyzer/kf.cc
+++ b/gcc/analyzer/kf.cc
@@ -1399,10 +1399,11 @@ kf_strcpy::impl_call_pre (const call_details &cd) const
   /* strcpy returns the initial param.  */
   cd.maybe_set_lhs (dest_sval);
 
-  const svalue *bytes_to_copy;
+  const svalue *bytes_to_copy = nullptr;
   if (const svalue *num_bytes_read_sval
       = cd.check_for_null_terminated_string_arg (1, true, &bytes_to_copy))
     {
+      gcc_assert (bytes_to_copy);
       cd.complain_about_overlap (0, 1, num_bytes_read_sval);
       model->write_bytes (dest_reg, num_bytes_read_sval, bytes_to_copy, ctxt);
     }
diff --git a/gcc/analyzer/region-model.cc b/gcc/analyzer/region-model.cc
index 1c851130c45..871b91c069a 100644
--- a/gcc/analyzer/region-model.cc
+++ b/gcc/analyzer/region-model.cc
@@ -4844,7 +4844,11 @@ region_model::scan_for_null_terminator (const region *reg,
       reg->dump_to_pp (pp, true);
       logger->end_log_line ();
     }
+  if (out_sval)
+    *out_sval = nullptr;
   const svalue *sval = scan_for_null_terminator_1 (reg, expr, out_sval, ctxt);
+  if (sval && out_sval)
+    gcc_assert (*out_sval);
   if (logger)
     {
       pretty_printer *pp = logger->get_printer ();
@@ -5028,6 +5032,8 @@ region_model::check_for_null_terminated_string_arg (const call_details &cd,
 				  out_sval,
 				  &my_ctxt))
     {
+      if (out_sval)
+	gcc_assert (*out_sval);
       if (include_terminator)
 	return num_bytes_read_sval;
       else
diff --git a/gcc/testsuite/gcc.dg/analyzer/ice-pr124055-1.c b/gcc/testsuite/gcc.dg/analyzer/ice-pr124055-1.c
new file mode 100644
index 00000000000..9b1d190b644
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/ice-pr124055-1.c
@@ -0,0 +1,15 @@
+/* { dg-additional-options "-O -fdump-analyzer -frounding-math" } */
+
+void *p;
+
+static inline void
+bar(_Complex float f)
+{
+  __builtin_strcpy(p, (void *)&f); /* { dg-warning "uninit" } */
+}
+
+void
+foo()
+{
+  bar(72057594037927934);
+}
diff --git a/gcc/testsuite/gcc.dg/analyzer/ice-pr124055-2.c b/gcc/testsuite/gcc.dg/analyzer/ice-pr124055-2.c
new file mode 100644
index 00000000000..692917fad23
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/ice-pr124055-2.c
@@ -0,0 +1,15 @@
+/* { dg-additional-options "-O -fdump-analyzer -frounding-math" } */
+
+void *p;
+
+static inline void
+bar(_Complex float f)
+{
+  __builtin_strcpy(p, (void *)&f);
+}
+
+void
+foo()
+{
+  bar(0);
+}