Fix #12091 (False negative: Uninitialized variable read in subfunctio…

…n (regression))

lib/valueflow.cpp

@@ -7325,9 +7325,17 @@ struct MultiValueFlowAnalyzer : ValueFlowAnalyzer {
         return false;
     }
 
-    bool stopOnCondition(const Token* /*condTok*/) const override {
-        // TODO fix false negatives
-        return true; // isConditional();
+    bool stopOnCondition(const Token* condTok) const override {
+        if (isConditional())
+            return true;
+        if (!condTok->hasKnownIntValue() && values.count(condTok->varId()) == 0) {
+            for (const auto& v: condTok->values()) {
+                if (v.isSymbolicValue() && Token::Match(v.tokvalue, "%oror%|&&")) {
+                    return true;
+                }
+            }
+        }
+        return false;
     }
 
     bool updateScope(const Token* endBlock, bool /*modified*/) const override {

test/teststl.cpp

@@ -2403,12 +2403,11 @@ class TestStl : public TestFixture {
               "void g(const std::vector<int>& w) {\n"
               "    f(-1, w);\n"
               "}\n");
-        TODO_ASSERT_EQUALS("test.cpp:5:warning:Array index -1 is out of bounds.\n"
-                           "test.cpp:8:note:Calling function 'f', 1st argument '-1' value is -1\n"
-                           "test.cpp:3:note:Assuming condition is false\n"
-                           "test.cpp:5:note:Negative array index\n",
-                           "",
-                           errout.str());
+        ASSERT_EQUALS("test.cpp:5:warning:Array index -1 is out of bounds.\n"
+                      "test.cpp:8:note:Calling function 'f', 1st argument '-1' value is -1\n"
+                      "test.cpp:3:note:Assuming condition is false\n"
+                      "test.cpp:5:note:Negative array index\n",
+                      errout.str());
 
         settings = oldSettings;
     }

test/testuninitvar.cpp

@@ -6559,7 +6559,7 @@ class TestUninitVar : public TestFixture {
                         "  bool copied_all = true;\n"
                         "  g(&copied_all, 5, 6, &bytesCopied);\n"
                         "}");
-        TODO_ASSERT_EQUALS("[test.cpp:7] -> [test.cpp:2]: (warning) Uninitialized variable: *buflen\n", "", errout.str());
+        ASSERT_EQUALS("[test.cpp:7] -> [test.cpp:2]: (warning) Uninitialized variable: *buflen\n", errout.str());
 
         // # 9953
         valueFlowUninit("uint32_t f(uint8_t *mem) {\n"

test/testvalueflow.cpp

@@ -4511,7 +4511,7 @@ class TestValueFlow : public TestFixture {
                "void f(Object *obj) {\n"
                "  if (valid(obj, K0)) {}\n"
                "}\n";
-        TODO_ASSERT_EQUALS(true, false, testValueOfX(code, 7U, 0));
+        ASSERT_EQUALS(true, testValueOfX(code, 7U, 0));
         ASSERT_EQUALS(false, testValueOfXKnown(code, 7U, 0));
 
         code = "int f(int i) {\n"
@@ -5624,6 +5624,17 @@ class TestValueFlow : public TestFixture {
                "}\n";
         values = tokenValues(code, "x <", ValueFlow::Value::ValueType::UNINIT);
         ASSERT_EQUALS(0, values.size());
+
+        code = "void g(bool *result, size_t *buflen) {\n" // #12091
+               "    if (*result && *buflen >= 5) {}\n" // <- *buflen might not be initialized
+               "}\n"
+               "void f() {\n"
+               "    size_t bytesCopied;\n"
+               "    bool copied_all = true;\n"
+               "    g(&copied_all, &bytesCopied);\n"
+               "}";
+        values = tokenValues(code, "buflen >=", ValueFlow::Value::ValueType::UNINIT);
+        ASSERT_EQUALS(1, values.size());
     }
 
     void valueFlowConditionExpressions() {