I’ve been working on a large C++ program and I forgot to add my usual list of compiler flags/warnings when working on a C project. After enabling the -fanalyzer flag, I began to get a lot of "warning: use of uninitialized value ‘<unknown>’" messages from GCC 12.2 throughout my code. Here is an isolated example I was able to generate in Compiler Explorer:
#include <string>
std::string square(int num) {
return std::to_string(num * num);
}
Compiler output:
<source>: In function 'std::string square(int)':
<source>:4:36: warning: use of uninitialized value '<unknown>' [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
4 | return std::to_string(num * num);
| ^
'std::string square(int)': events 1-2
|
| 3 | std::string square(int num) {
| | ^
| | |
| | (1) region created on stack here
| 4 | return std::to_string(num * num);
| | ~
| | |
| | (2) use of uninitialized value '<unknown>' here
|
<source>:4:36: warning: use of uninitialized value '<unknown>' [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
4 | return std::to_string(num * num);
| ^
'std::string square(int)': events 1-2
|
| 3 | std::string square(int num) {
| | ^
| | |
| | (1) region created on stack here
| 4 | return std::to_string(num * num);
| | ~
| | |
| | (2) use of uninitialized value '<unknown>' here
|
Does this simple square function really have such a problem? Or am I missing something bigger? Is the static analysis in GCC broken?
>Solution :
It is clearly a false positive. The analyzer complains about any function returning a std::string (and other standard library types), e.g.
#include <string>
std::string f() {
return {};
}
as well. (https://godbolt.org/z/oKrfrbn5o)
Surprisingly I could not find any previous bug report on this seemingly obvious issue. However, @JasonLiam has filed one here.
-Wanalyzer-use-of-uninitialized-value is also a relatively new feature, added with GCC 12, so it might simply still need some improvements. It can be disabled while leaving other analyzer checks in effect by adding -Wno-analyzer-use-of-uninitialized-value.