author: Tim Lange <mail@tim-lange.me> 2022-07-01 00:02:17 +0200
committer: Tim Lange <mail@tim-lange.me> 2022-07-02 19:07:49 +0200
commit: e6c3bb379f515b27268d08e62b4b3e5d7200b437 (patch)
tree: 9b94cd4942a37d52932c4ac9ed46708336d7beae /gcc/doc
parent: 97baacba963c06e3d0e33cde04e7e687671e60e7 (diff)
analyzer: add allocation size checker [PR105900]
This patch adds a checker that warns about code paths in which a buffer is
assigned to an incompatible type, i.e. when the allocated buffer size is not
a multiple of the pointee's size.

Regression-tested on x86_64 Linux. Also compiled coreutils, curl, openssh
and httpd with the patch enabled.

2022-07-01  Tim Lange  <mail@tim-lange.me>

gcc/analyzer/ChangeLog:

	PR analyzer/105900
	* analyzer.opt: Added Wanalyzer-allocation-size.
	* checker-path.cc (region_creation_event::get_desc): Added call to
	new virtual function
	pending_diagnostic::describe_region_creation_event.
	* checker-path.h: Added region_creation_event::get_desc.
	* diagnostic-manager.cc (diagnostic_manager::add_event_on_final_node):
	New function.
	* diagnostic-manager.h: Added
	diagnostic_manager::add_event_on_final_node.
	* pending-diagnostic.h (struct region_creation): New event_desc
	struct.
	(pending_diagnostic::describe_region_creation_event): Added virtual
	function to overwrite description of a region creation.
	* region-model.cc (class dubious_allocation_size): New class.
	(capacity_compatible_with_type): New helper function.
	(class size_visitor): New class.
	(struct_or_union_with_inheritance_p): New helper function.
	(is_any_cast_p): New helper function.
	(region_model::check_region_size): New function.
	(region_model::set_value): Added call to
	region_model::check_region_size.
	* region-model.h (class region_model): New function check_region_size.
	* svalue.cc (region_svalue::accept): Changed to post-order traversal.
	(initial_svalue::accept): Likewise.
	(unaryop_svalue::accept): Likewise.
	(binop_svalue::accept): Likewise.
	(sub_svalue::accept): Likewise.
	(repeated_svalue::accept): Likewise.
	(bits_within_svalue::accept): Likewise.
	(widening_svalue::accept): Likewise.
	(unmergeable_svalue::accept): Likewise.
	(compound_svalue::accept): Likewise.
	(conjured_svalue::accept): Likewise.
	(asm_output_svalue::accept): Likewise.
	(const_fn_result_svalue::accept): Likewise.

gcc/ChangeLog:

	PR analyzer/105900
	* doc/invoke.texi: Added Wanalyzer-allocation-size.

gcc/testsuite/ChangeLog:

	PR analyzer/105900
	* gcc.dg/analyzer/pr96639.c: Changed buffer size to omit warning.
	* gcc.dg/analyzer/allocation-size-1.c: New test.
	* gcc.dg/analyzer/allocation-size-2.c: New test.
	* gcc.dg/analyzer/allocation-size-3.c: New test.
	* gcc.dg/analyzer/allocation-size-4.c: New test.
	* gcc.dg/analyzer/allocation-size-5.c: New test.

Signed-off-by: Tim Lange <mail@tim-lange.me>
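The condition the new checker reasons about, shown as an added example that is not part of the GCC commit or the analyzer's own code: a heap buffer whose byte size is not a whole multiple of the pointee's size cannot hold an integral number of elements, so the last element would straddle the end of the allocation. The helper names (`capacity_compatible_with_size`, `whole_records_in`, `alloc_records`) and the `struct record` type are assumptions made for this illustration; the corrected allocator additionally guards the size multiplication against overflow.

```c
/* Added example, not GCC code: models the allocation-size mismatch that
   -Wanalyzer-allocation-size reports, beside a correctly sized allocation.
   All helper names here are hypothetical.  */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* A byte capacity is compatible with a pointee type only if it is a
   whole multiple of that type's size (the property the checker tests).  */
static int capacity_compatible_with_size (size_t capacity, size_t elem_size)
{
  return elem_size != 0 && capacity % elem_size == 0;
}

/* Pointee type used below; two uint32_t fields, so sizeof is 8 with no
   padding on common ABIs.  */
struct record
{
  uint32_t id;
  uint32_t flags;
};

/* Number of whole records a byte-sized buffer can actually hold.  For a
   10-byte buffer that is 1, so indexing p[1] would run past the end.  */
static size_t whole_records_in (size_t bytes)
{
  return bytes / sizeof (struct record);
}

/* Corrected pattern: size the buffer in units of the pointee type and
   refuse counts whose byte size would overflow size_t.  Returns NULL on
   failure; the caller owns the result and must free it.  */
static struct record *alloc_records (size_t count)
{
  if (count > SIZE_MAX / sizeof (struct record))
    return NULL;
  size_t bytes = count * sizeof (struct record);
  struct record *p = malloc (bytes);
  if (p)
    memset (p, 0, bytes);
  return p;
}

int main (void)
{
  /* Dubious: 10 bytes requested for 8-byte records.  */
  size_t dubious = 10;
  int ok = capacity_compatible_with_size (dubious, sizeof (struct record));
  size_t fits = whole_records_in (dubious);   /* 1 */

  /* Correct: 4 whole records, 32 bytes.  */
  struct record *recs = alloc_records (4);
  if (recs)
    {
      recs[3].id = 42;   /* within the allocation */
      free (recs);
    }
  return (ok == 0 && fits == 1) ? 0 : 1;
}
```

On a platform where `sizeof (struct record)` is 8, `capacity_compatible_with_size (10, 8)` is false while `capacity_compatible_with_size (32, 8)` is true; the first case is the shape of allocation the documentation hunk describes.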
Diffstat (limited to 'gcc/doc')
-rw-r--r--  gcc/doc/invoke.texi  | 14 +
1 file changed, 14 insertions, 0 deletions
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index d86e45a..89c8dce 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -9739,6 +9739,7 @@ This analysis is much more expensive than other GCC warnings.
Enabling this option effectively enables the following warnings:
@gccoptlist{ @gol
+-Wanalyzer-allocation-size @gol
-Wanalyzer-double-fclose @gol
-Wanalyzer-double-free @gol
-Wanalyzer-exposure-through-output-file @gol
@@ -9791,6 +9792,19 @@ By default, the analysis silently stops if the code is too
complicated for the analyzer to fully explore and it reaches an internal
limit. The @option{-Wanalyzer-too-complex} option warns if this occurs.
+@item -Wno-analyzer-allocation-size
+@opindex Wanalyzer-allocation-size
+@opindex Wno-analyzer-allocation-size
+This warning requires @option{-fanalyzer}, which enables it; use
+@option{-Wno-analyzer-allocation-size}
+to disable it.
+
+This diagnostic warns for paths through the code in which a pointer to
+a buffer is assigned to point at a buffer with a size that is not a
+multiple of @code{sizeof (*pointer)}.
+
+See @url{https://cwe.mitre.org/data/definitions/131.html, CWE-131: Incorrect Calculation of Buffer Size}.
+
@item -Wno-analyzer-double-fclose
@opindex Wanalyzer-double-fclose
@opindex Wno-analyzer-double-fclose
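Review bot: the description sentence in the second hunk reads awkwardly ("a pointer to a buffer is assigned to point at a buffer with a size that is not a multiple of @code{sizeof (*pointer)}") and does not say what the checker compares against; consider stating it as the commit message does, i.e. that the warning fires when the allocated buffer's size is not a multiple of the pointee type's size, for instance "This diagnostic warns for paths through the code in which a pointer of type @code{T *} is assigned a buffer whose allocated size is not a multiple of @code{sizeof (T)}". A one-line @smallexample of an allocation of the mismatched size would also make the entry easier to act on than the CWE link alone.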