FW: [error27/smatch] smatch misidentifies uninitialized variable after switch with no default: (Issue #3)

"Brandeburg, Jesse" <jesse.brandeburg@xxxxxxxxx> · Fri, 7 Jan 2022 16:19:40 +0000

Forwarding to try to get some attention, if you'd rather I resend to the list, please let me know.

From: Jesse Brandeburg <notifications@xxxxxxxxxx> 
Sent: Tuesday, December 21, 2021 11:49 AM
To: error27/smatch <smatch@xxxxxxxxxxxxxxxxxx>
Cc: Brandeburg, Jesse <jesse.brandeburg@xxxxxxxxx>; Your activity <your_activity@xxxxxxxxxxxxxxxxxx>
Subject: [error27/smatch] smatch misidentifies uninitialized variable after switch with no default: (Issue #3)

I've got a simple reproducer for the issue that I found when scanning our ice driver in the kernel with smatch.
original repro against smatch HEAD https://github.com/error27/smatch/commit/0951ed5915c0f9a764a284f185de8cfdb59a4aa5 ("db: fix uninitialized variable false positives")
smatch reported:
~/git/smatch/smatch_scripts/kchecker drivers/net/ethernet/intel/ice/ice_ptp_hw.c
drivers/net/ethernet/intel/ice/ice_ptp_hw.c:2852 ice_ptp_port_cmd_e810() error: uninitialized symbol 'cmd_val'.
Below is a simple c-code reproducer, compile with:
gcc -o srt -Wextra -Wall smatch_switch_repro.c
see error with
~/git/smatch/smatch smatch_switch_repro.c
smatch_switch_repro.c:43 badfunc() error: uninitialized symbol 'my_int'.
One bit of data that might be useful: it works fine with badfunc content inline in main() and fails when badfunc is a function with the enum argument. It also succeeds when there is a "default:" label and a simple assignment in that case (see the reproducer below and bit of commented out code)

// SPDX-License-Identifier: BSD-3-Clause
/*
 * Copyright 2021, Intel Corporation
 *
 * A quick demo of a smatch false positive
 */

#include <stdio.h>

enum three_values
{
        value_one,
        value_two,
        value_three
};

void badfunc(const enum three_values cmd)
{
        unsigned int my_int, new_int; //uninitialized

        switch (cmd) {
        case value_one:
                printf("one\n");
                my_int = 1;
                break;
        case value_two:
                printf("two\n");
                my_int = 2;
                break;
        case value_three:
                printf("three\n");
                my_int = 3;
                break;
        /* no default because all enum values handled, which has value
         * to developers because it forces compile error if not all enum values
         * handled and enum is changed */
        //default:
                //my_int = 4;
                //break;
        }

        new_int = 0;
        new_int |= my_int;

        printf("data: %d\n", new_int);
}

int main(int argc __attribute__((unused)), char **argv __attribute__((unused)))
{
        enum three_values my_enum = value_two;

        badfunc(my_enum);

        return 0;
}