Fix #14150 (Add unionzeroinit check) (danmar#7843)

This has bitten me before and is definitely a foot gun. GCC 15[1]
changed their semantics related to zero initialization of unions; from
initializing the complete union (sizeof union) to only zero initializing
the first member. If the same first member is not the largest one, the
state of the remaining storage is considered undefined and in practice
most likely stack garbage.

The unionzeroinit addon can detect such scenarios and emit a warning. It
does not cover the designated initializers as I would interpret those as
being intentional.

Example output from one of my projects:

```
x86-decoder.c:294:7: warning: Zero initializing union Evex does not guarantee its complete storage to be zero initialized as its largest member is not declared as the first member. Consider making u32 the first member or favor memset(). [unionzeroinit-unionzeroinit]
 Evex evex = {0};
      ^
```

[1] https://trofi.github.io/posts/328-c-union-init-and-gcc-15.html

Author: mptre

.selfcheck_unused_suppressions

@@ -6,3 +6,6 @@ unusedFunction:lib/symboldatabase.cpp
 
 # Q_OBJECT functions which are not called in our code
 unusedFunction:cmake.output.notest/gui/cppcheck-gui_autogen/*/moc_aboutdialog.cpp
+
+# CheckUnionZeroInit::generateTestMessage only used in tests.
+unusedFunction:lib/checkunionzeroinit.cpp

Makefile

@@ -224,6 +224,7 @@ LIBOBJ =      $(libcppdir)/valueflow.o \
               $(libcppdir)/checkstring.o \
               $(libcppdir)/checktype.o \
               $(libcppdir)/checkuninitvar.o \
+              $(libcppdir)/checkunionzeroinit.o \
               $(libcppdir)/checkunusedfunctions.o \
               $(libcppdir)/checkunusedvar.o \
               $(libcppdir)/checkvaarg.o \
@@ -346,6 +347,7 @@ TESTOBJ =     test/fixture.o \
               test/testtokenrange.o \
               test/testtype.o \
               test/testuninitvar.o \
+              test/testunionzeroinit.o \
               test/testunusedfunctions.o \
               test/testunusedprivfunc.o \
               test/testunusedvar.o \
@@ -561,6 +563,9 @@ $(libcppdir)/checktype.o: lib/checktype.cpp lib/addoninfo.h lib/astutils.h lib/c
 $(libcppdir)/checkuninitvar.o: lib/checkuninitvar.cpp lib/addoninfo.h lib/astutils.h lib/check.h lib/checkers.h lib/checknullpointer.h lib/checkuninitvar.h lib/config.h lib/ctu.h lib/errorlogger.h lib/errortypes.h lib/library.h lib/mathlib.h lib/platform.h lib/settings.h lib/smallvector.h lib/sourcelocation.h lib/standards.h lib/symboldatabase.h lib/templatesimplifier.h lib/token.h lib/tokenize.h lib/tokenlist.h lib/utils.h lib/vfvalue.h
 	$(CXX) ${INCLUDE_FOR_LIB} $(CPPFLAGS) $(CXXFLAGS) -c -o $@ $(libcppdir)/checkuninitvar.cpp
 
+$(libcppdir)/checkunionzeroinit.o: lib/checkunionzeroinit.cpp lib/addoninfo.h lib/check.h lib/checkers.h lib/checkunionzeroinit.h lib/config.h lib/errortypes.h lib/library.h lib/mathlib.h lib/platform.h lib/settings.h lib/sourcelocation.h lib/standards.h lib/symboldatabase.h lib/templatesimplifier.h lib/token.h lib/tokenize.h lib/tokenlist.h lib/utils.h lib/valueflow.h lib/vfvalue.h
+	$(CXX) ${INCLUDE_FOR_LIB} $(CPPFLAGS) $(CXXFLAGS) -c -o $@ $(libcppdir)/checkunionzeroinit.cpp
+
 $(libcppdir)/checkunusedfunctions.o: lib/checkunusedfunctions.cpp externals/tinyxml2/tinyxml2.h lib/addoninfo.h lib/astutils.h lib/checkers.h lib/checkunusedfunctions.h lib/config.h lib/errorlogger.h lib/errortypes.h lib/library.h lib/mathlib.h lib/path.h lib/platform.h lib/settings.h lib/smallvector.h lib/sourcelocation.h lib/standards.h lib/symboldatabase.h lib/templatesimplifier.h lib/token.h lib/tokenize.h lib/tokenlist.h lib/utils.h lib/vfvalue.h lib/xml.h
 	$(CXX) ${INCLUDE_FOR_LIB} $(CPPFLAGS) $(CXXFLAGS) -c -o $@ $(libcppdir)/checkunusedfunctions.cpp
 
@@ -909,6 +914,9 @@ test/testtype.o: test/testtype.cpp lib/addoninfo.h lib/check.h lib/checkers.h li
 test/testuninitvar.o: test/testuninitvar.cpp lib/addoninfo.h lib/check.h lib/checkers.h lib/checkuninitvar.h lib/color.h lib/config.h lib/ctu.h lib/errorlogger.h lib/errortypes.h lib/library.h lib/mathlib.h lib/path.h lib/platform.h lib/settings.h lib/standards.h lib/tokenize.h lib/tokenlist.h lib/utils.h lib/vfvalue.h test/fixture.h test/helpers.h
 	$(CXX) ${INCLUDE_FOR_TEST} ${CFLAGS_FOR_TEST} $(CPPFLAGS) $(CXXFLAGS) -c -o $@ test/testuninitvar.cpp
 
+test/testunionzeroinit.o: test/testunionzeroinit.cpp lib/addoninfo.h lib/check.h lib/checkers.h lib/checkunionzeroinit.h lib/color.h lib/config.h lib/errorlogger.h lib/errortypes.h lib/library.h lib/mathlib.h lib/path.h lib/platform.h lib/settings.h lib/standards.h lib/tokenize.h lib/tokenlist.h lib/utils.h test/fixture.h test/helpers.h
+	$(CXX) ${INCLUDE_FOR_TEST} ${CFLAGS_FOR_TEST} $(CPPFLAGS) $(CXXFLAGS) -c -o $@ test/testunionzeroinit.cpp
+
 test/testunusedfunctions.o: test/testunusedfunctions.cpp lib/addoninfo.h lib/check.h lib/checkers.h lib/checkunusedfunctions.h lib/color.h lib/config.h lib/errorlogger.h lib/errortypes.h lib/library.h lib/mathlib.h lib/path.h lib/platform.h lib/settings.h lib/standards.h lib/tokenize.h lib/tokenlist.h lib/utils.h test/fixture.h test/helpers.h
 	$(CXX) ${INCLUDE_FOR_TEST} ${CFLAGS_FOR_TEST} $(CPPFLAGS) $(CXXFLAGS) -c -o $@ test/testunusedfunctions.cpp
 

lib/checkers.cpp

@@ -200,6 +200,7 @@ namespace checkers {
         {"CheckType::checkLongCast","style"},
         {"CheckType::checkSignConversion","warning"},
         {"CheckType::checkTooBigBitwiseShift","platform"},
+        {"CheckUninitVar::check",""},
         {"CheckUninitVar::analyseWholeProgram",""},
         {"CheckUninitVar::check",""},
         {"CheckUninitVar::valueFlowUninit",""},

lib/checkunionzeroinit.cpp

@@ -0,0 +1,209 @@
+/*
+ * Cppcheck - A tool for static C/C++ code analysis
+ * Copyright (C) 2007-2025 Cppcheck team.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "checkunionzeroinit.h"
+
+#include <sstream>
+#include <unordered_map>
+#include <vector>
+
+#include "errortypes.h"
+#include "settings.h"
+#include "symboldatabase.h"
+#include "token.h"
+#include "tokenize.h"
+#include "valueflow.h"
+
+static const CWE CWEXXX(0U); /* TODO */
+
+static const std::string noname;
+
+// Register this check class (by creating a static instance of it)
+namespace {
+    CheckUnionZeroInit instance;
+}
+
+struct UnionMember {
+    UnionMember()
+        : name(noname)
+        , size(0) {}
+
+    UnionMember(const std::string &name_, size_t size_)
+        : name(name_)
+        , size(size_) {}
+
+    const std::string &name;
+    size_t size;
+};
+
+struct Union {
+    Union(const Scope *scope_, const std::string &name_)
+        : scope(scope_)
+        , name(name_) {}
+
+    const Scope *scope;
+    const std::string &name;
+    std::vector<UnionMember> members;
+
+    const UnionMember *largestMember() const {
+        const UnionMember *largest = nullptr;
+        for (const UnionMember &m : members) {
+            if (m.size == 0)
+                return nullptr;
+            if (largest == nullptr || m.size > largest->size)
+                largest = &m;
+        }
+        return largest;
+    }
+
+    bool isLargestMemberFirst() const {
+        const UnionMember *largest = largestMember();
+        return largest == nullptr || largest == &members[0];
+    }
+};
+
+static UnionMember parseUnionMember(const Variable &var,
+                                    const Settings &settings)
+{
+    const Token *nameToken = var.nameToken();
+    if (nameToken == nullptr)
+        return UnionMember();
+
+    const ValueType *vt = nameToken->valueType();
+    size_t size = 0;
+    if (var.isArray()) {
+        size = var.dimension(0);
+    } else if (vt != nullptr) {
+        size = ValueFlow::getSizeOf(*vt, settings,
+                                    ValueFlow::Accuracy::ExactOrZero);
+    }
+    return UnionMember(nameToken->str(), size);
+}
+
+static std::vector<Union> parseUnions(const SymbolDatabase &symbolDatabase,
+                                      const Settings &settings)
+{
+    std::vector<Union> unions;
+
+    for (const Scope &scope : symbolDatabase.scopeList) {
+        if (scope.type != ScopeType::eUnion)
+            continue;
+
+        Union u(&scope, scope.className);
+        for (const Variable &var : scope.varlist) {
+            u.members.push_back(parseUnionMember(var, settings));
+        }
+        unions.push_back(u);
+    }
+
+    return unions;
+}
+
+static bool isZeroInitializer(const Token *tok)
+{
+    return Token::simpleMatch(tok, "= { 0 } ;") ||
+           Token::simpleMatch(tok, "= { } ;");
+}
+
+void CheckUnionZeroInit::check()
+{
+    if (!mSettings->severity.isEnabled(Severity::portability))
+        return;
+
+    logChecker("CheckUnionZeroInit::check"); // portability
+
+    const SymbolDatabase *symbolDatabase = mTokenizer->getSymbolDatabase();
+
+    std::unordered_map<const Scope *, Union> unionsByScopeId;
+    const std::vector<Union> unions = parseUnions(*symbolDatabase, *mSettings);
+    for (const Union &u : unions) {
+        unionsByScopeId.insert({u.scope, u});
+    }
+
+    for (const Token *tok = mTokenizer->tokens(); tok; tok = tok->next()) {
+        if (!tok->isName() || !isZeroInitializer(tok->next()))
+            continue;
+
+        const ValueType *vt = tok->valueType();
+        if (vt == nullptr || vt->typeScope == nullptr)
+            continue;
+        auto it = unionsByScopeId.find(vt->typeScope);
+        if (it == unionsByScopeId.end())
+            continue;
+        const Union &u = it->second;
+        if (!u.isLargestMemberFirst()) {
+            const UnionMember *largestMember = u.largestMember();
+            assert(largestMember != nullptr);
+            unionZeroInitError(tok, *largestMember);
+        }
+    }
+}
+
+void CheckUnionZeroInit::runChecks(const Tokenizer &tokenizer,
+                                   ErrorLogger *errorLogger)
+{
+    CheckUnionZeroInit(&tokenizer, &tokenizer.getSettings(), errorLogger).check();
+}
+
+void CheckUnionZeroInit::unionZeroInitError(const Token *tok,
+                                            const UnionMember& largestMember)
+{
+    reportError(tok, Severity::portability, "UnionZeroInit",
+                "$symbol:" + (tok != nullptr ? tok->str() : "") + "\n"
+                "Zero initializing union '$symbol' does not guarantee " +
+                "its complete storage to be zero initialized as its largest member " +
+                "is not declared as the first member. Consider making " +
+                largestMember.name + " the first member or favor memset().",
+                CWEXXX, Certainty::normal);
+}
+
+void CheckUnionZeroInit::getErrorMessages(ErrorLogger *errorLogger,
+                                          const Settings *settings) const
+{
+    CheckUnionZeroInit c(nullptr, settings, errorLogger);
+    c.unionZeroInitError(nullptr, UnionMember());
+}
+
+std::string CheckUnionZeroInit::generateTestMessage(const Tokenizer &tokenizer,
+                                                    const Settings &settings)
+{
+    std::stringstream ss;
+
+    const std::vector<Union> unions = parseUnions(*tokenizer.getSymbolDatabase(),
+                                                  settings);
+    for (const Union &u : unions) {
+        ss << "Union{";
+        ss << "name=\"" << u.name << "\", ";
+        ss << "scope=" << u.scope << ", ";
+        ss << "isLargestMemberFirst=" << u.isLargestMemberFirst();
+        ss << "}" << std::endl;
+
+        const UnionMember *largest = u.largestMember();
+        for (const UnionMember &m : u.members) {
+            ss << "  Member{";
+            ss << "name=\"" << m.name << "\", ";
+            ss << "size=" << m.size;
+            ss << "}";
+            if (&m == largest)
+                ss << " (largest)";
+            ss << std::endl;
+        }
+    }
+
+    return ss.str();
+}

lib/checkunionzeroinit.h

@@ -0,0 +1,77 @@
+/* -*- C++ -*-
+ * Cppcheck - A tool for static C/C++ code analysis
+ * Copyright (C) 2007-2025 Cppcheck team.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+
+//---------------------------------------------------------------------------
+#ifndef checkunionzeroinitH
+#define checkunionzeroinitH
+//---------------------------------------------------------------------------
+
+#include "check.h"
+#include "config.h"
+
+#include <string>
+
+class ErrorLogger;
+class Settings;
+class Token;
+class Tokenizer;
+struct UnionMember;
+
+/// @addtogroup Checks
+/// @{
+
+/**
+ * @brief Check for error-prone zero initialization of unions.
+ */
+
+class CPPCHECKLIB CheckUnionZeroInit : public Check {
+    friend class TestUnionZeroInit;
+
+public:
+    /** This constructor is used when registering the CheckUnionZeroInit */
+    CheckUnionZeroInit() : Check(myName()) {}
+
+private:
+    /** This constructor is used when running checks. */
+    CheckUnionZeroInit(const Tokenizer *tokenizer, const Settings *settings, ErrorLogger *errorLogger)
+        : Check(myName(), tokenizer, settings, errorLogger) {}
+
+    /** @brief Run checks against the normal token list */
+    void runChecks(const Tokenizer &tokenizer, ErrorLogger *errorLogger) override;
+
+    /** Check for error-prone zero initialization of unions. */
+    void check();
+
+    void unionZeroInitError(const Token *tok, const UnionMember &largestMember);
+
+    void getErrorMessages(ErrorLogger *errorLogger, const Settings *settings) const override;
+
+    static std::string generateTestMessage(const Tokenizer &tokenizer, const Settings &settings);
+
+    static std::string myName() {
+        return "CheckUnionZeroInit";
+    }
+
+    std::string classInfo() const override {
+        return "Check for error-prone zero initialization of unions.\n";
+    }
+};
+/// @}
+//---------------------------------------------------------------------------
+#endif // checkunionzeroinitH

lib/cppcheck.vcxproj

@@ -56,6 +56,7 @@
     <ClCompile Include="checkstring.cpp" />
     <ClCompile Include="checktype.cpp" />
     <ClCompile Include="checkuninitvar.cpp" />
+    <ClCompile Include="checkunionzeroinit.cpp" />
     <ClCompile Include="checkunusedfunctions.cpp" />
     <ClCompile Include="checkunusedvar.cpp" />
     <ClCompile Include="checkvaarg.cpp" />
@@ -127,6 +128,7 @@
     <ClInclude Include="checkstring.h" />
     <ClInclude Include="checktype.h" />
     <ClInclude Include="checkuninitvar.h" />
+    <ClInclude Include="checkunionzeroinit.h" />
     <ClInclude Include="checkunusedfunctions.h" />
     <ClInclude Include="checkunusedvar.h" />
     <ClInclude Include="checkvaarg.h" />

oss-fuzz/Makefile

@@ -70,6 +70,7 @@ LIBOBJ =      $(libcppdir)/valueflow.o \
               $(libcppdir)/checkstring.o \
               $(libcppdir)/checktype.o \
               $(libcppdir)/checkuninitvar.o \
+              $(libcppdir)/checkunionzeroinit.o \
               $(libcppdir)/checkunusedfunctions.o \
               $(libcppdir)/checkunusedvar.o \
               $(libcppdir)/checkvaarg.o \
@@ -243,6 +244,9 @@ $(libcppdir)/checktype.o: ../lib/checktype.cpp ../lib/addoninfo.h ../lib/astutil
 $(libcppdir)/checkuninitvar.o: ../lib/checkuninitvar.cpp ../lib/addoninfo.h ../lib/astutils.h ../lib/check.h ../lib/checkers.h ../lib/checknullpointer.h ../lib/checkuninitvar.h ../lib/config.h ../lib/ctu.h ../lib/errorlogger.h ../lib/errortypes.h ../lib/library.h ../lib/mathlib.h ../lib/platform.h ../lib/settings.h ../lib/smallvector.h ../lib/sourcelocation.h ../lib/standards.h ../lib/symboldatabase.h ../lib/templatesimplifier.h ../lib/token.h ../lib/tokenize.h ../lib/tokenlist.h ../lib/utils.h ../lib/vfvalue.h
 	$(CXX) ${LIB_FUZZING_ENGINE} $(CPPFLAGS) $(CXXFLAGS) -c -o $@ $(libcppdir)/checkuninitvar.cpp
 
+$(libcppdir)/checkunionzeroinit.o: ../lib/checkunionzeroinit.cpp ../lib/addoninfo.h ../lib/check.h ../lib/checkers.h ../lib/checkunionzeroinit.h ../lib/config.h ../lib/errortypes.h ../lib/library.h ../lib/mathlib.h ../lib/platform.h ../lib/settings.h ../lib/sourcelocation.h ../lib/standards.h ../lib/symboldatabase.h ../lib/templatesimplifier.h ../lib/token.h ../lib/tokenize.h ../lib/tokenlist.h ../lib/utils.h ../lib/valueflow.h ../lib/vfvalue.h
+	$(CXX) ${LIB_FUZZING_ENGINE} $(CPPFLAGS) $(CXXFLAGS) -c -o $@ $(libcppdir)/checkunionzeroinit.cpp
+
 $(libcppdir)/checkunusedfunctions.o: ../lib/checkunusedfunctions.cpp ../externals/tinyxml2/tinyxml2.h ../lib/addoninfo.h ../lib/astutils.h ../lib/checkers.h ../lib/checkunusedfunctions.h ../lib/config.h ../lib/errorlogger.h ../lib/errortypes.h ../lib/library.h ../lib/mathlib.h ../lib/path.h ../lib/platform.h ../lib/settings.h ../lib/smallvector.h ../lib/sourcelocation.h ../lib/standards.h ../lib/symboldatabase.h ../lib/templatesimplifier.h ../lib/token.h ../lib/tokenize.h ../lib/tokenlist.h ../lib/utils.h ../lib/vfvalue.h ../lib/xml.h
 	$(CXX) ${LIB_FUZZING_ENGINE} $(CPPFLAGS) $(CXXFLAGS) -c -o $@ $(libcppdir)/checkunusedfunctions.cpp
 

test/testrunner.vcxproj

@@ -107,6 +107,7 @@
     <ClCompile Include="testtokenrange.cpp" />
     <ClCompile Include="testtype.cpp" />
     <ClCompile Include="testuninitvar.cpp" />
+    <ClCompile Include="testunionzeroinit.cpp" />
     <ClCompile Include="testunusedfunctions.cpp" />
     <ClCompile Include="testunusedprivfunc.cpp" />
     <ClCompile Include="testunusedvar.cpp" />