author: David Malcolm <dmalcolm@redhat.com> 2020-02-21 10:50:16 -0500
committer: David Malcolm <dmalcolm@redhat.com> 2020-02-24 18:31:07 -0500
commit: b3d788a2cd35c734a683444c976abe14afc5c1c1
tree: 9a80941ec6fca09563085b88e97d534efe7a7e39 /gcc
parent: 3a25f345d1fbe2de8c12cae84b0c7d2a76c0b78e
analyzer: disable the "taint" checker by default
PR analyzer/93032 tracks a false negative where we fail to report FILE *
leaks within zlib/contrib/minizip/mztools.c.  The underlying issue is a
combinatorial explosion of states within the exploded graph.  In
particular, the state of the "taint" checker is exploding, leading to the
analyzer bailing out.

I have a patch kit under construction that fixes the state explosion
issue enough for the "file" checker to report the leaks, but doing so
requires disabling the "taint" checker.  Given that the latter is more of
a proof-of-concept, this patch disables it by default, to stop it
breaking the other checkers.

gcc/analyzer/ChangeLog:
	PR analyzer/93032
	* sm.cc (make_checkers): Require the "taint" checker to be
	explicitly enabled.

gcc/ChangeLog:
	PR analyzer/93032
	* doc/invoke.texi (-Wnanalyzer-tainted-array-index): Note that
	-fanalyzer-checker=taint is also required.
	(-fanalyzer-checker=): Note that providing this option enables the
	given checker, and doing so may be required for checkers that are
	disabled by default.

gcc/testsuite/ChangeLog:
	PR analyzer/93032
	* gcc.dg/analyzer/pr93382.c: Add "-fanalyzer-checker=taint".
	* gcc.dg/analyzer/taint-1.c: Likewise.
Diffstat (limited to 'gcc')
 gcc/ChangeLog                          |  9
 gcc/analyzer/ChangeLog                 |  6
 gcc/analyzer/sm.cc                     |  5
 gcc/doc/invoke.texi                    | 12
 gcc/testsuite/ChangeLog                |  6
 gcc/testsuite/gcc.dg/analyzer/pr93382.c |  2
 gcc/testsuite/gcc.dg/analyzer/taint-1.c |  2
 7 files changed, 38 insertions, 4 deletions
diff --git a/gcc/ChangeLog b/gcc/ChangeLog
index 2049bf5..13f0356 100644
--- a/gcc/ChangeLog
+++ b/gcc/ChangeLog
@@ -1,5 +1,14 @@
2020-02-24 David Malcolm <dmalcolm@redhat.com>
+ PR analyzer/93032
+ * doc/invoke.texi (-Wnanalyzer-tainted-array-index): Note that
+ -fanalyzer-checker=taint is also required.
+ (-fanalyzer-checker=): Note that providing this option enables the
+ given checker, and doing so may be required for checkers that are
+ disabled by default.
+
+2020-02-24 David Malcolm <dmalcolm@redhat.com>
+
* doc/invoke.texi (-fanalyzer-verbosity=): "2" only shows
significant control flow events; add a "3" which shows all
control flow events; the old "3" becomes "4".
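Review bot: the option name in the new entry, `(-Wnanalyzer-tainted-array-index)`, matches neither the `@item -Wno-analyzer-tainted-array-index` nor the `@opindex Wanalyzer-tainted-array-index` lines that the gcc/doc/invoke.texi hunk actually touches; it should be spelled `-Wanalyzer-tainted-array-index` (or `-Wno-analyzer-tainted-array-index`) so the ChangeLog can be grepped against the option it documents.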
diff --git a/gcc/analyzer/ChangeLog b/gcc/analyzer/ChangeLog
index 0882ec6..7511c2d 100644
--- a/gcc/analyzer/ChangeLog
+++ b/gcc/analyzer/ChangeLog
@@ -1,5 +1,11 @@
2020-02-24 David Malcolm <dmalcolm@redhat.com>
+ PR analyzer/93032
+ * sm.cc (make_checkers): Require the "taint" checker to be
+ explicitly enabled.
+
+2020-02-24 David Malcolm <dmalcolm@redhat.com>
+
PR analyzer/93899
* engine.cc
(impl_region_model_context::impl_region_model_context): Add logger
diff --git a/gcc/analyzer/sm.cc b/gcc/analyzer/sm.cc
index e94c691..b1f156f 100644
--- a/gcc/analyzer/sm.cc
+++ b/gcc/analyzer/sm.cc
@@ -111,7 +111,10 @@ make_checkers (auto_delete_vec <state_machine> &out, logger *logger)
{
out.safe_push (make_malloc_state_machine (logger));
out.safe_push (make_fileptr_state_machine (logger));
- out.safe_push (make_taint_state_machine (logger));
+ /* The "taint" checker must be explicitly enabled (as it currently
+ leads to state explosions that stop the other checkers working). */
+ if (flag_analyzer_checker)
+ out.safe_push (make_taint_state_machine (logger));
out.safe_push (make_sensitive_state_machine (logger));
out.safe_push (make_signal_state_machine (logger));
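Review bot: the guard `if (flag_analyzer_checker)` only tests whether some `-fanalyzer-checker=@var{name}` value was supplied, not that the name is `taint`, so naming any checker causes the taint state machine to be pushed here while the comment above says the taint checker "must be explicitly enabled". If the restriction to the named checker is applied after make_checkers returns, that is harmless, but the comment should say that the later filtering is relied on; otherwise compare the option value against "taint" here so the intent the invoke.texi text describes is enforced at this point.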
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index 183c256..208500c 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -6629,8 +6629,9 @@ no longer exists, and likely lead to a crash (or worse).
@item -Wno-analyzer-tainted-array-index
@opindex Wanalyzer-tainted-array-index
@opindex Wno-analyzer-tainted-array-index
-This warning requires @option{-fanalyzer}, which enables it; use
-@option{-Wno-analyzer-tainted-array-index} to disable it.
+This warning requires both @option{-fanalyzer} and
+@option{-fanalyzer-checker=taint} to enable it;
+use @option{-Wno-analyzer-tainted-array-index} to disable it.
This diagnostic warns for paths through the code in which a value
that could be under an attacker's control is used as the index
@@ -8436,7 +8437,12 @@ call site, and that are sufficiently complicated (as per
@item -fanalyzer-checker=@var{name}
@opindex fanalyzer-checker
-Restrict the analyzer to run just the named checker.
+Restrict the analyzer to run just the named checker, and enable it.
+
+Some checkers are disabled by default (even with @option{-fanalyzer}),
+such as the @code{taint} checker that implements
+@option{-Wanalyzer-tainted-array-index}, and this option is required
+to enable them.
@item -fanalyzer-fine-grained
@opindex fanalyzer-fine-grained
diff --git a/gcc/testsuite/ChangeLog b/gcc/testsuite/ChangeLog
index a2844a3..fa451c6 100644
--- a/gcc/testsuite/ChangeLog
+++ b/gcc/testsuite/ChangeLog
@@ -1,5 +1,11 @@
2020-02-24 David Malcolm <dmalcolm@redhat.com>
+ PR analyzer/93032
+ * gcc.dg/analyzer/pr93382.c: Add "-fanalyzer-checker=taint".
+ * gcc.dg/analyzer/taint-1.c: Likewise.
+
+2020-02-24 David Malcolm <dmalcolm@redhat.com>
+
PR analyzer/93899
* g++.dg/analyzer/pr93899.C: New test.
diff --git a/gcc/testsuite/gcc.dg/analyzer/pr93382.c b/gcc/testsuite/gcc.dg/analyzer/pr93382.c
index 7d18d16..dae32f5 100644
--- a/gcc/testsuite/gcc.dg/analyzer/pr93382.c
+++ b/gcc/testsuite/gcc.dg/analyzer/pr93382.c
@@ -1,3 +1,5 @@
+/* { dg-additional-options "-fanalyzer-checker=taint" } */
+
typedef __SIZE_TYPE__ size_t;
int idx;
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-1.c b/gcc/testsuite/gcc.dg/analyzer/taint-1.c
index 293ce28..549e266 100644
--- a/gcc/testsuite/gcc.dg/analyzer/taint-1.c
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-1.c
@@ -1,3 +1,5 @@
+/* { dg-additional-options "-fanalyzer-checker=taint" } */
+
#include <stdio.h>
#include <stdlib.h>
#include <string.h>