author | Tim Lange <mail@tim-lange.me> | 2022-07-01 00:02:17 +0200 |
---|---|---|
committer | Tim Lange <mail@tim-lange.me> | 2022-07-02 19:07:49 +0200 |
commit | e6c3bb379f515b27268d08e62b4b3e5d7200b437 (patch) | |
tree | 9b94cd4942a37d52932c4ac9ed46708336d7beae /gcc/doc | |
parent | 97baacba963c06e3d0e33cde04e7e687671e60e7 (diff) | |
analyzer: add allocation size checker [PR105900]
This patch adds a checker that warns about code paths in which a buffer
is assigned to an incompatible type, i.e. when the allocated buffer size
is not a multiple of the pointee's size.
Regression-tested on x86_64 Linux. Also compiled coreutils, curl, openssh and
httpd with the patch enabled.
2022-07-01 Tim Lange <mail@tim-lange.me>
gcc/analyzer/ChangeLog:
PR analyzer/105900
* analyzer.opt: Added Wanalyzer-allocation-size.
* checker-path.cc (region_creation_event::get_desc): Added call to new
virtual function pending_diagnostic::describe_region_creation_event.
* checker-path.h: Added region_creation_event::get_desc.
* diagnostic-manager.cc (diagnostic_manager::add_event_on_final_node):
New function.
* diagnostic-manager.h:
Added diagnostic_manager::add_event_on_final_node.
* pending-diagnostic.h (struct region_creation): New event_desc struct.
(pending_diagnostic::describe_region_creation_event): Added virtual
function to overwrite description of a region creation.
* region-model.cc (class dubious_allocation_size): New class.
(capacity_compatible_with_type): New helper function.
(class size_visitor): New class.
(struct_or_union_with_inheritance_p): New helper function.
(is_any_cast_p): New helper function.
(region_model::check_region_size): New function.
(region_model::set_value): Added call to
region_model::check_region_size.
* region-model.h (class region_model): New function check_region_size.
* svalue.cc (region_svalue::accept): Changed to post-order traversal.
(initial_svalue::accept): Likewise.
(unaryop_svalue::accept): Likewise.
(binop_svalue::accept): Likewise.
(sub_svalue::accept): Likewise.
(repeated_svalue::accept): Likewise.
(bits_within_svalue::accept): Likewise.
(widening_svalue::accept): Likewise.
(unmergeable_svalue::accept): Likewise.
(compound_svalue::accept): Likewise.
(conjured_svalue::accept): Likewise.
(asm_output_svalue::accept): Likewise.
(const_fn_result_svalue::accept): Likewise.
gcc/ChangeLog:
PR analyzer/105900
* doc/invoke.texi: Added Wanalyzer-allocation-size.
gcc/testsuite/ChangeLog:
PR analyzer/105900
* gcc.dg/analyzer/pr96639.c: Changed buffer size to omit warning.
* gcc.dg/analyzer/allocation-size-1.c: New test.
* gcc.dg/analyzer/allocation-size-2.c: New test.
* gcc.dg/analyzer/allocation-size-3.c: New test.
* gcc.dg/analyzer/allocation-size-4.c: New test.
* gcc.dg/analyzer/allocation-size-5.c: New test.
Signed-off-by: Tim Lange <mail@tim-lange.me>
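The following is an added illustration of the allocation pattern the commit describes, not code from the GCC patch or its testsuite. The helper names (`capacity_compatible`, `alloc_array`, `alloc_rec`) and the `struct rec` layout are our own; `capacity_compatible` only mirrors the "multiple of the pointee size" rule stated in the commit message, it is not the analyzer's implementation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed example record. On common ABIs sizeof(struct rec) is 8
   because of padding after `tag`, while the sum of the member sizes
   (sizeof(char) + sizeof(int)) is only 5. */
struct rec {
    char tag;
    int value;
};

/* Model of the rule the commit message states (our helper, not GCC's):
   a buffer of `capacity` bytes can back `elem_size`-byte elements only
   when capacity is a whole multiple of elem_size. */
int capacity_compatible(size_t capacity, size_t elem_size)
{
    if (elem_size == 0)
        return 0;
    return capacity % elem_size == 0;
}

/* The kind of code the new warning is aimed at: the byte count is built
   from the member sizes instead of sizeof(struct rec), so 50 bytes are
   requested for 8-byte elements. Compile with -fanalyzer to exercise
   -Wanalyzer-allocation-size on this function. */
struct rec *alloc_rec_wrong(void)
{
    return malloc(10 * (sizeof(char) + sizeof(int)));
}

/* Corrected form: size from the pointee type, and reject n * elem_size
   overflow before touching the allocator. calloc also zeroes the block. */
void *alloc_array(size_t n, size_t elem_size)
{
    if (elem_size == 0 || n > SIZE_MAX / elem_size)
        return NULL;
    return calloc(n, elem_size);
}

struct rec *alloc_rec(size_t n)
{
    return alloc_array(n, sizeof(struct rec));
}

/* Allocate n records, touch the last one, free; returns 1 on success. */
int alloc_rec_roundtrip(size_t n)
{
    struct rec *r = alloc_rec(n);
    if (r == NULL)
        return 0;
    r[n - 1].tag = 'x';
    r[n - 1].value = 42;
    free(r);
    return 1;
}

int main(void)
{
    return alloc_rec_roundtrip(4) ? 0 : 1;
}
```

The padded-struct case is worth keeping in mind when reading the diagnostic: summing member sizes looks plausible and compiles cleanly, but the buffer is still not a multiple of `sizeof (*pointer)`, which is exactly the CWE-131 pattern the documentation hunk cites.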
Diffstat (limited to 'gcc/doc')
-rw-r--r-- | gcc/doc/invoke.texi | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi index d86e45a..89c8dce 100644 --- a/gcc/doc/invoke.texi +++ b/gcc/doc/invoke.texi @@ -9739,6 +9739,7 @@ This analysis is much more expensive than other GCC warnings. Enabling this option effectively enables the following warnings: @gccoptlist{ @gol +-Wanalyzer-allocation-size @gol -Wanalyzer-double-fclose @gol -Wanalyzer-double-free @gol -Wanalyzer-exposure-through-output-file @gol @@ -9791,6 +9792,19 @@ By default, the analysis silently stops if the code is too complicated for the analyzer to fully explore and it reaches an internal limit. The @option{-Wanalyzer-too-complex} option warns if this occurs. +@item -Wno-analyzer-allocation-size +@opindex Wanalyzer-allocation-size +@opindex Wno-analyzer-allocation-size +This warning requires @option{-fanalyzer}, which enables it; use +@option{-Wno-analyzer-allocation-size} +to disable it. + +This diagnostic warns for paths through the code in which a pointer to +a buffer is assigned to point at a buffer with a size that is not a +multiple of @code{sizeof (*pointer)}. + +See @url{https://cwe.mitre.org/data/definitions/131.html, CWE-131: Incorrect Calculation of Buffer Size}. + @item -Wno-analyzer-double-fclose @opindex Wanalyzer-double-fclose @opindex Wno-analyzer-double-fclose |
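Review bot: in the second hunk the sentence "a pointer to a buffer is assigned to point at a buffer with a size that is not a multiple of @code{sizeof (*pointer)}" is awkward and leaves unclear which size is meant; the commit message is more precise (the allocated size is not a multiple of the pointee's size), so consider "a pointer is assigned to point at an allocated buffer whose size is not a multiple of @code{sizeof (*pointer)}". The ChangeLog also lists an is_any_cast_p helper, so the entry should say how explicit casts are treated, and a short flagged/not-flagged example pair would help users decide whether to keep the warning on.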