| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Fix a false positive from -Wanalyzer-null-dereference due to -fanalyzer
failing to grok the value of a particular boolean field initialized to a
constant.
gcc/analyzer/ChangeLog:
PR analyzer/105783
* region-model.cc (selftest::get_bit): New function.
(selftest::test_bits_within_svalue_folding): New.
(selfftest::analyzer_region_model_cc_tests): Call it.
* svalue.cc (constant_svalue::maybe_fold_bits_within): Handle the
case of extracting a single bit.
gcc/testsuite/ChangeLog:
PR analyzer/105783
* gcc.dg/analyzer/pr105783.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
|
|
I overreduced PR analyzer/107158 in r13-3096-gef878564140cbc, and there
was another ICE in the original reproducer, which this patch fixes.
gcc/analyzer/ChangeLog:
PR analyzer/107158
* store.cc (store::replay_call_summary_cluster): Eliminate
special-casing of RK_HEAP_ALLOCATED in favor of sharing code with
RK_DECL, avoiding an ICE due to attempting to bind a
compound_svalue into a binding_cluster when an svalue in the
summary cluster converts to a compound_svalue in the caller.
gcc/testsuite/ChangeLog:
PR analyzer/107158
* gcc.dg/analyzer/call-summaries-pr107158-2.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
gcc/analyzer/ChangeLog:
* call-summary.cc (call_summary_replay::dump_to_pp): Bulletproof
against NULL caller regions/svalues.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
|
|
gcc/analyzer/ChangeLog:
* analysis-plan.cc: Simplify includes.
* analyzer-pass.cc: Likewise.
* analyzer-selftests.cc: Likewise.
* analyzer.cc: Likewise.
* analyzer.h: Add includes of "json.h" and "tristate.h".
* call-info.cc: Simplify includes.
* call-string.cc: Likewise.
* call-summary.cc: Likewise.
* checker-path.cc: Likewise.
* complexity.cc: Likewise.
* constraint-manager.cc: Likewise.
* diagnostic-manager.cc: Likewise.
* engine.cc: Likewise.
* feasible-graph.cc: Likewise.
* known-function-manager.cc: Likewise.
* pending-diagnostic.cc: Likewise.
* program-point.cc: Likewise.
* program-state.cc: Likewise.
* region-model-asm.cc: Likewise.
* region-model-impl-calls.cc: Likewise.
* region-model-manager.cc: Likewise.
* region-model-reachability.cc: Likewise.
* region-model.cc: Likewise.
* region-model.h: Include "selftest.h".
* region.cc: Simplify includes.
* sm-fd.cc: Likewise.
* sm-file.cc: Likewise.
* sm-malloc.cc: Likewise.
* sm-pattern-test.cc: Likewise.
* sm-sensitive.cc: Likewise.
* sm-signal.cc: Likewise.
* sm-taint.cc: Likewise.
* sm.cc: Likewise.
* state-purge.cc: Likewise.
* store.cc: Likewise.
* store.h: Likewise.
* supergraph.cc: Likewise.
* svalue.cc: Likewise.
* svalue.h: Likewise.
* trimmed-graph.cc: Likewise.
* varargs.cc: Likewise.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
This doesn't fix the various false positives seen with
-fanalyzer-call-summaries on PR 107060, but stops it crashing at -O2.
gcc/analyzer/ChangeLog:
PR analyzer/107060
* call-summary.cc
(call_summary_replay::convert_svalue_from_summary_1): Handle NULL
results from convert_svalue_from_summary in SK_UNARY_OP and
SK_BIN_OP.
* engine.cc (impl_region_model_context::on_unknown_change): Bail
out on svalues that can't have associated state.
* region-model-impl-calls.cc
(region_model::impl_call_analyzer_get_unknown_ptr): New.
* region-model.cc (region_model::on_stmt_pre): Handle
"__analyzer_get_unknown_ptr".
* region-model.h
(region_model::impl_call_analyzer_get_unknown_ptr): New decl.
* store.cc (store::replay_call_summary_cluster): Avoid trying to
create binding clusters for base regions that shouldn't have them.
gcc/ChangeLog:
PR analyzer/107060
* doc/analyzer.texi (__analyzer_get_unknown_ptr): Document.
gcc/testsuite/ChangeLog:
PR analyzer/107060
* gcc.dg/analyzer/analyzer-decls.h (__analyzer_get_unknown_ptr):
New decl.
* gcc.dg/analyzer/call-summaries-2.c
(test_summarized_writes_param_to_ptr_unknown): New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
Fixes:
gcc/analyzer/call-summary.h:103:13: warning: private field 'm_called_fn' is not used [-Wunused-private-field]
gcc/analyzer/engine.cc:1631:24: warning: unused parameter 'uncertainty' [-Wunused-parameter]
gcc/analyzer/ChangeLog:
* call-summary.cc (call_summary_replay::call_summary_replay):
Remove unused variable and arguments.
* call-summary.h: Likewise.
* engine.cc (exploded_node::on_stmt): Likewise.
(exploded_node::replay_call_summaries): Likewise.
(exploded_node::replay_call_summary): Likewise.
* exploded-graph.h (class exploded_node): Likewise.
|
|
With -fanalyzer-call-summaries the analyzer canl attempt to summarize
the effects of some function calls at their call site, rather than
simulate the call directly, which can avoid big slowdowns during
analysis.
Previously, this summarization was extremely simplistic: no attempt
was made to update sm-state, and region_model::update_for_call_summary
would simply set the return value of the function to UNKNOWN, and assume
the function had no side effects.
This patch implements less simplistic summarizations: it tracks each
possible return enode from the called function, and attempts to generate
a successor enode from the callsite for each that have compatible
conditions, mapping state changes in the summary to state changes
at the callsite. It also implements the beginnings of heuristics for
generating user-facing descriptions of a summary e.g.
"when 'foo' returns NULL"
versus:
"when 'foo' returns a heap-allocated buffer"
This still has some bugs, but much more accurately tracks the effects
of a call, and so is an improvement; it should only have an effect
when -fanalyzer-call-summaries is enabled.
As before, -fanalyzer-call-summaries is disabled by default in
analyzer.opt (but enabled by default in the test suite).
gcc/ChangeLog:
PR analyzer/107072
* Makefile.in (ANALYZER_OBJS): Add analyzer/call-summary.o.
gcc/analyzer/ChangeLog:
PR analyzer/107072
* analyzer-logging.h: Include "diagnostic-core.h".
* analyzer.h: Include "function.h".
(class call_summary): New forward decl.
(class call_summary_replay): New forward decl.
(struct per_function_data): New forward decl.
(struct interesting_t): New forward decl.
(custom_edge_info::update_state): New vfunc.
* call-info.cc (custom_edge_info::update_state): New.
* call-summary.cc: New file.
* call-summary.h: New file.
* constraint-manager.cc: Include "analyzer/call-summary.h".
(class replay_fact_visitor): New.
(constraint_manager::replay_call_summary): New.
* constraint-manager.h (constraint_manager::replay_call_summary):
New.
* engine.cc: Include "analyzer/call-summary.h".
(exploded_node::on_stmt): Handle call summaries.
(class call_summary_edge_info): New.
(exploded_node::replay_call_summaries): New.
(exploded_node::replay_call_summary): New.
(per_function_data::~per_function_data): New.
(per_function_data::add_call_summary): Move here from header and
reimplement.
(exploded_graph::process_node): Call update_state rather than
update_model when handling bifurcation
(viz_callgraph_node::dump_dot): Use a regular label rather
than an HTML table; add summaries to dump.
* exploded-graph.h: Include "alloc-pool.h", "fibonacci_heap.h",
"supergraph.h", "sbitmap.h", "shortest-paths.h", "analyzer/sm.h",
"analyzer/program-state.h", and "analyzer/diagnostic-manager.h".
(exploded_node::replay_call_summaries): New decl.
(exploded_node::replay_call_summary): New decl.
(per_function_data::~per_function_data): New decl.
(per_function_data::add_call_summary): Move implemention from
header.
(per_function_data::m_summaries): Update type of element.
* known-function-manager.h: Include "analyzer/analyzer-logging.h".
* program-point.h: Include "pretty-print.h" and
"analyzer/call-string.h".
* program-state.cc: Include "analyzer/call-summary.h".
(sm_state_map::replay_call_summary): New.
(program_state::replay_call_summary): New.
* program-state.h (sm_state_map::replay_call_summary): New decl.
(program_state::replay_call_summary): New decl.
* region-model-manager.cc
(region_model_manager::get_or_create_asm_output_svalue): New
overload.
* region-model-manager.h
(region_model_manager::get_or_create_asm_output_svalue): New
overload decl.
* region-model.cc: Include "analyzer/call-summary.h".
(region_model::maybe_update_for_edge): Remove call to
region_model::update_for_call_summary on
SUPEREDGE_INTRAPROCEDURAL_CALL.
(region_model::update_for_call_summary): Delete.
(region_model::replay_call_summary): New.
* region-model.h (region_model::replay_call_summary): New decl.
(region_model::update_for_call_summary): Delete decl.
* store.cc: Include "analyzer/call-summary.h".
(store::replay_call_summary): New.
(store::replay_call_summary_cluster): New.
* store.h: Include "tristate.h".
(is_a_helper <const ana::concrete_binding *>::test): New.
(store::replay_call_summary): New decl.
(store::replay_call_summary_cluster): New decl.
* supergraph.cc (get_ultimate_function_for_cgraph_edge): Remove
"static" from decl.
(supergraph_call_edge): Make stmt param const.
* supergraph.h: Include "ordered-hash-map.h", "cfg.h",
"basic-block.h", "gimple.h", "gimple-iterator.h", and "digraph.h".
(supergraph_call_edge): Make stmt param const.
(get_ultimate_function_for_cgraph_edge): New decl.
* svalue.cc (compound_svalue::compound_svalue): Assert that we're
not nesting compound_svalues.
* svalue.h: Include "json.h", "analyzer/store.h", and
"analyzer/program-point.h".
(asm_output_svalue::get_num_outputs): New accessor.
gcc/testsuite/ChangeLog:
PR analyzer/107072
* gcc.dg/analyzer/call-summaries-2.c: New test.
* gcc.dg/analyzer/call-summaries-3.c: New test.
* gcc.dg/analyzer/call-summaries-asm-x86.c: New test.
* gcc.dg/analyzer/call-summaries-malloc.c: New test.
* gcc.dg/analyzer/call-summaries-pr107072.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
gcc/analyzer/ChangeLog:
* region-model.h: Include "analyzer/region-model-manager.h"
(class region_model_manager): Move decl to...
* region-model-manager.h: ...this new file.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
gcc/analyzer/ChangeLog:
* region-model-manager.cc
(region_model_manager::maybe_fold_unaryop): Fold -(-(VAL)) to VAL.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
Enabling work towrads better call summarization.
gcc/analyzer/ChangeLog:
* region-model-manager.cc
(region_model_manager::get_or_create_widening_svalue): Use a
function_point rather than a program_point.
* region-model.cc (selftest::test_widening_constraints): Likewise.
* region-model.h
(region_model_manager::get_or_create_widening_svalue): Likewise.
(model_merger::get_function_point): New.
* svalue.cc (svalue::can_merge_p): Use a function_point rather
than a program_point.
(svalue::can_merge_p): Likewise.
* svalue.h (widening_svalue::key_t): Likewise.
(widening_svalue::widening_svalue): Likewise.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
|
|
Fixes:
gcc/analyzer/region-model.cc:5918:8: warning: private field 'm_record_type' is not used [-Wunused-private-field]
gcc/analyzer/region-model.cc:6305:25: warning: private field 'm_mgr' is not used [-Wunused-private-field]
gcc/analyzer/ChangeLog:
* region-model.cc (region_model::maybe_complain_about_infoleak):
Remove unused fields.
|
|
|
|
This patch adds handling of empty ranges in bit_range and byte_range and
adds an assertion to member functions that assume a positive size.
Further, the patch fixes an ICE caused by an empty byte_range passed to
byte_range::exceeds_p.
Regression-tested on Linux x86_64.
2022-09-10 Tim Lange <mail@tim-lange.me>
gcc/analyzer/ChangeLog:
PR analyzer/106845
* region-model.cc (region_model::check_region_bounds):
Bail out if 0 bytes were accessed.
* store.cc (byte_range::dump_to_pp):
Add special case for empty ranges.
(byte_range::exceeds_p): Restrict to non-empty ranges.
(byte_range::falls_short_of_p): Restrict to non-empty ranges.
* store.h (bit_range::empty_p): New function.
(bit_range::get_last_byte_offset): Restrict to non-empty ranges.
(byte_range::empty_p): New function.
(byte_range::get_last_byte_offset): Restrict to non-empty ranges.
gcc/testsuite/ChangeLog:
PR analyzer/106845
* gcc.dg/analyzer/out-of-bounds-zero.c: New test.
* gcc.dg/analyzer/pr106845.c: New test.
|
|
|
|
This is a less ambitious version of:
[PATCH 0/6] RFC: adding support to GCC for detecting trust boundaries
https://gcc.gnu.org/pipermail/gcc-patches/2021-November/584372.html
Earlier versions of this patch attempted:
(a) various ways of identifying "untrusted" memory regions
(b) providing a way to support the Linux kernel's "__user" annotation,
either via type attributes, or via custom address spaces
(c) enough attributes to identify "copy_from_user" and "copy_to_user",
(d) wiring all of the above together to detect infoleaks and taint
This patch adds a new -Wanalyzer-exposure-through-uninit-copy, emitted
by -fanalyzer if it detects copying of uninitialized data through
a pointer to an untrusted region, but requires a plugin to tell it when
a copy crosses a trust boundary.
This patch adds a proof-of-concept gcc plugin for the analyzer for use
with the Linux kernel that special-cases calls to "copy_from_user" and
calls to "copy_to_user": calls to copy_to_user are checked for
-Wanalyzer-exposure-through-uninit-copy, and data copied via
copy_from_user is marked as tainted when -fanalyzer-checker=taint is
active.
This is very much just a proof-of-concept. A big limitation is that the
copy_{from,to}_user special-casing only happens if these functions have
no body in the TU being analyzed, which isn't the case for a normal
kernel build. I'd much prefer to provide a more general mechanism for
handling such behavior without resorting to plugins (e.g. via attributes
or custom address spaces), but in the interest of not "letting perfect
be the enemy of the good" this patch at least allows parts of this
"trust boundaries" code to be merged for experimentation with the idea.
The -Wanalyzer-exposure-through-uninit-copy diagnostic uses notes to
express what fields and padding within a struct have not been initialized.
For example:
infoleak-CVE-2011-1078-2.c: In function 'test_1':
infoleak-CVE-2011-1078-2.c:32:9: warning: potential exposure of sensitive
information by copying uninitialized data from stack across trust
boundary [CWE-200] [-Wanalyzer-exposure-through-uninit-copy]
32 | copy_to_user(optval, &cinfo, sizeof(cinfo));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'test_1': events 1-3
|
| 25 | struct sco_conninfo cinfo;
| | ^~~~~
| | |
| | (1) region created on stack here
| | (2) capacity: 6 bytes
|......
| 32 | copy_to_user(optval, &cinfo, sizeof(cinfo));
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (3) uninitialized data copied from stack here
|
infoleak-CVE-2011-1078-2.c:32:9: note: 1 byte is uninitialized
32 | copy_to_user(optval, &cinfo, sizeof(cinfo));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
infoleak-CVE-2011-1078-2.c:18:15: note: padding after field 'dev_class'
is uninitialized (1 byte)
18 | __u8 dev_class[3];
| ^~~~~~~~~
infoleak-CVE-2011-1078-2.c:25:29: note: suggest forcing
zero-initialization by providing a '{0}' initializer
25 | struct sco_conninfo cinfo;
| ^~~~~
| = {0}
For taint-detection, the patch includes a series of reproducers for
detecting CVE-2011-0521. Unfortunately the analyzer doesn't yet detect
the issue until the code has been significantly simplified from its
original form: currently only in -5.c and -6.c in the series of test
(see notes in the individual cases), such as:
taint-CVE-2011-0521-6.c:33:48: warning: use of attacker-controlled value
'*info.num' in array lookup without bounds checking [CWE-129]
[-Wanalyzer-tainted-array-index]
33 | av7110->ci_slot[info->num].num = info->num;
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~
'test_1': events 1-3
|
| 19 | if (copy_from_user(&sbuf, (void __user *)arg, sizeof(sbuf)) != 0)
| | ^
| | |
| | (1) following 'false' branch...
|......
| 23 | struct dvb_device *dvbdev = file->private_data;
| | ~~~~~~
| | |
| | (2) ...to here
|......
| 33 | av7110->ci_slot[info->num].num = info->num;
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (3) use of attacker-controlled value '*info.num' in array lookup without bounds checking
|
The patch also includes various infoleak and taint cases from my
antipatterns.ko kernel module:
https://github.com/davidmalcolm/antipatterns.ko
gcc/analyzer/ChangeLog:
* analyzer.opt (Wanalyzer-exposure-through-uninit-copy): New.
* checker-path.cc (region_creation_event::region_creation_event):
Add "capacity" and "kind" params.
(region_creation_event::get_desc): Generalize to different kinds
of event.
(checker_path::add_region_creation_event): Convert to...
(checker_path::add_region_creation_events): ...this.
* checker-path.h (enum rce_kind): New.
(region_creation_event::region_creation_event): Add "capacity" and
"kind" params.
(region_creation_event::m_capacity): New field.
(region_creation_event::m_rce_kind): New field.
(checker_path::add_region_creation_event): Convert to...
(checker_path::add_region_creation_events): ...this.
* diagnostic-manager.cc (diagnostic_manager::build_emission_path):
Update for multiple region creation events.
(diagnostic_manager::add_event_on_final_node): Likewise.
(diagnostic_manager::add_events_for_eedge): Likewise.
* region-model-impl-calls.cc (call_details::get_logger): New.
* region-model.cc: Define INCLUDE_MEMORY before including
"system.h". Include "gcc-rich-location.h".
(class record_layout): New.
(class exposure_through_uninit_copy): New.
(contains_uninit_p): New.
(region_model::maybe_complain_about_infoleak): New.
* region-model.h (call_details::get_logger): New decl.
(region_model::maybe_complain_about_infoleak): New decl.
(region_model::mark_as_tainted): New decl.
* sm-taint.cc (region_model::mark_as_tainted): New.
gcc/ChangeLog:
* doc/invoke.texi (Static Analyzer Options): Add
-Wanalyzer-exposure-through-uninit-copy.
gcc/testsuite/ChangeLog:
* gcc.dg/plugin/analyzer_kernel_plugin.c: New test.
* gcc.dg/plugin/copy_from_user-1.c: New test.
* gcc.dg/plugin/infoleak-1.c: New test.
* gcc.dg/plugin/infoleak-2.c: New test.
* gcc.dg/plugin/infoleak-3.c: New test.
* gcc.dg/plugin/infoleak-CVE-2011-1078-1.c: New test.
* gcc.dg/plugin/infoleak-CVE-2011-1078-2.c: New test.
* gcc.dg/plugin/infoleak-CVE-2014-1446-1.c: New test.
* gcc.dg/plugin/infoleak-CVE-2017-18549-1.c: New test.
* gcc.dg/plugin/infoleak-CVE-2017-18550-1.c: New test.
* gcc.dg/plugin/infoleak-antipatterns-1.c: New test.
* gcc.dg/plugin/infoleak-fixit-1.c: New test.
* gcc.dg/plugin/infoleak-net-ethtool-ioctl.c: New test.
* gcc.dg/plugin/infoleak-vfio_iommu_type1.c: New test.
* gcc.dg/plugin/plugin.exp (plugin_test_list): Add
analyzer_kernel_plugin.c and the new test cases.
* gcc.dg/plugin/taint-CVE-2011-0521-1-fixed.c: New test.
* gcc.dg/plugin/taint-CVE-2011-0521-1.c: New test.
* gcc.dg/plugin/taint-CVE-2011-0521-2-fixed.c: New test.
* gcc.dg/plugin/taint-CVE-2011-0521-2.c: New test.
* gcc.dg/plugin/taint-CVE-2011-0521-3-fixed.c: New test.
* gcc.dg/plugin/taint-CVE-2011-0521-3.c: New test.
* gcc.dg/plugin/taint-CVE-2011-0521-4.c: New test.
* gcc.dg/plugin/taint-CVE-2011-0521-5-fixed.c: New test.
* gcc.dg/plugin/taint-CVE-2011-0521-5.c: New test.
* gcc.dg/plugin/taint-CVE-2011-0521-6.c: New test.
* gcc.dg/plugin/taint-CVE-2011-0521.h: New test.
* gcc.dg/plugin/taint-antipatterns-1.c: New test.
* gcc.dg/plugin/test-uaccess.h: New header for tests.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
This patch adds the ability for plugins to register "known functions"
with the analyzer, identified by name. If -fanalyzer sees a call to
such a function (with no body), it will use a plugin-provided subclass
of the new known_function abstract base class to model the possible
outcomes of the function call.
gcc/ChangeLog:
* Makefile.in (ANALYZER_OBJS): Add
analyzer/known-function-manager.o.
gcc/analyzer/ChangeLog:
* analyzer.h (class known_function_manager): New forward decl.
(class known_function): New.
(plugin_analyzer_init_iface::register_known_function): New.
* engine.cc: Include "analyzer/known-function-manager.h".
(plugin_analyzer_init_impl::plugin_analyzer_init_impl): Add
known_fn_mgr param.
(plugin_analyzer_init_impl::register_state_machine): Add
LOC_SCOPE.
(plugin_analyzer_init_impl::register_known_function): New.
(plugin_analyzer_init_impl::m_known_fn_mgr): New.
(impl_run_checkers): Update plugin callback invocation to use
eng's known_function_manager.
* known-function-manager.cc: New file.
* known-function-manager.h: New file.
* region-model-manager.cc
(region_model_manager::region_model_manager): Pass logger to
m_known_fn_mgr's ctor.
* region-model.cc (region_model::update_for_zero_return): New.
(region_model::update_for_nonzero_return): New.
(maybe_simplify_upper_bound): New.
(region_model::maybe_get_copy_bounds): New.
(region_model::get_known_function): New.
(region_model::on_call_pre): Handle plugin-supplied known
functions.
* region-model.h: Include "analyzer/known-function-manager.h".
(region_model_manager::get_known_function_manager): New.
(region_model_manager::m_known_fn_mgr): New.
(call_details::get_model): New accessor.
(region_model::maybe_get_copy_bounds): New decl.
(region_model::update_for_zero_return): New decl.
(region_model::update_for_nonzero_return): New decl.
(region_model::get_known_function): New decl.
(region_model::get_known_function_manager): New.
gcc/testsuite/ChangeLog:
* gcc.dg/plugin/analyzer_known_fns_plugin.c: New test plugin.
* gcc.dg/plugin/known-fns-1.c: New test.
* gcc.dg/plugin/plugin.exp (plugin_test_list): Add the new plugin
and test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
|
|
This patch adds support for reasoning about the inequality of two symbolic
values in the special case specifically suited for reasoning about
out-of-bounds past the end of the buffer. With this patch, the analyzer
catches off-by-one errors and more even when the offset and capacity is
symbolic.
Regrtested on Linux x86_64 and tested on coreutils, curl, httpd and
openssh as usual.
2022-09-07 Tim Lange <mail@tim-lange.me>
gcc/analyzer/ChangeLog:
PR analyzer/106625
* analyzer.h (region_offset): Eliminate m_is_symbolic member.
* region-model-impl-calls.cc (region_model::impl_call_realloc):
Refine implementation to be more precise.
* region-model.cc (class symbolic_past_the_end):
Abstract diagnostic class to complain about accesses past the end
with symbolic values.
(class symbolic_buffer_overflow):
Concrete diagnostic class to complain about buffer overflows with
symbolic values.
(class symbolic_buffer_overread):
Concrete diagnostic class to complain about buffer overreads with
symbolic values.
(region_model::check_symbolic_bounds): New function.
(maybe_get_integer_cst_tree): New helper function.
(region_model::check_region_bounds):
Add call to check_symbolic_bounds if offset is not concrete.
(region_model::eval_condition_without_cm):
Add support for EQ_EXPR and GT_EXPR with binaryop_svalues.
(is_positive_svalue): New hleper function.
(region_model::symbolic_greater_than):
New function to handle GT_EXPR comparisons with symbolic values.
(region_model::structural_equality): New function to compare
whether two svalues are structured the same, i.e. evaluate to
the same value.
(test_struct): Reflect changes to region::calc_offset.
(test_var): Likewise.
(test_array_2): Likewise and add selftest with symbolic i.
* region-model.h (class region_model): Add check_symbolic_bounds,
symbolic_greater_than and structural_equality.
* region.cc (region::get_offset):
Reflect changes to region::calc_offset.
(region::calc_offset):
Compute the symbolic offset if the offset is not concrete.
(region::get_relative_symbolic_offset): New function to return the
symbolic offset in bytes relative to its parent.
(field_region::get_relative_symbolic_offset): Likewise.
(element_region::get_relative_symbolic_offset): Likewise.
(offset_region::get_relative_symbolic_offset): Likewise.
(bit_range_region::get_relative_symbolic_offset): Likewise.
* region.h: Add get_relative_symbolic_offset.
* store.cc (binding_key::make):
Reflect changes to region::calc_offset.
(binding_map::apply_ctor_val_to_range): Likewise.
(binding_map::apply_ctor_pair_to_child_region): Likewise.
(binding_cluster::bind_compound_sval): Likewise.
(binding_cluster::get_any_binding): Likewise.
(binding_cluster::maybe_get_compound_binding): Likewise.
gcc/ChangeLog:
PR analyzer/106625
* doc/invoke.texi:
State that the checker also reasons about symbolic values.
gcc/testsuite/ChangeLog:
PR analyzer/106625
* gcc.dg/analyzer/data-model-1.c: Change expected result.
* gcc.dg/analyzer/out-of-bounds-5.c: New test.
* gcc.dg/analyzer/out-of-bounds-realloc-grow.c: New test.
* gcc.dg/analyzer/symbolic-gt-1.c: New test.
|
|
|
|
This patch adds modelling for the semantics of strcpy in the simple case
where the analyzer is able to infer a concrete string size.
Regrtested on Linux x86_64.
2022-09-04 Tim Lange <mail@tim-lange.me>
gcc/analyzer/ChangeLog:
* region-model-impl-calls.cc (region_model::impl_call_strcpy):
Handle the constant string case.
* region-model.cc (region_model::get_string_size):
New function to get the string size from a region or svalue.
* region-model.h (class region_model): Add get_string_size.
gcc/testsuite/ChangeLog:
* gcc.dg/analyzer/out-of-bounds-4.c: New test.
* gcc.dg/analyzer/strcpy-3.c: New test.
|
|
This patch fixes a bug where maybe_fold_sub_svalue did not fold the
access of a single char from a string to a char when the offset was zero
because get_relative_concrete_offset did return false for cast_regions.
Regrtested on Linux x86_64.
2022-09-04 Tim Lange <mail@tim-lange.me>
gcc/analyzer/ChangeLog:
* region.cc (cast_region::get_relative_concrete_offset):
New overloaded method.
* region.h: Add cast_region::get_relative_concrete_offset.
gcc/testsuite/ChangeLog:
* gcc.dg/analyzer/fold-string-to-char.c: New test.
|
|
|
|
Fixes the following clang warning:
gcc/analyzer/region-model.cc:5096:8: warning: 'subclass_equal_p' overrides a member function but is not marked 'override' [-Winconsistent-missing-override]
gcc/analyzer/ChangeLog:
* region-model.cc: Add missing final keyword.
|
|
|
|
[PR106181]
This patch fixes the ICE reported in PR106181 and adds a new warning to
the analyzer complaining about the use of floating-point operands.
Regrtested on Linux x86_64.
2022-08-17 Tim Lange <mail@tim-lange.me>
gcc/analyzer/ChangeLog:
PR analyzer/106181
* analyzer.opt: Add Wanalyzer-imprecise-floating-point-arithmetic.
* region-model.cc (is_any_cast_p): Formatting.
(region_model::check_region_size): Ensure precondition.
(class imprecise_floating_point_arithmetic): New abstract
diagnostic class for all floating-point related warnings.
(class float_as_size_arg): Concrete diagnostic class to complain
about floating-point operands inside the size argument.
(class contains_floating_point_visitor):
New visitor to find floating-point operands inside svalues.
(region_model::check_dynamic_size_for_floats): New function.
(region_model::set_dynamic_extents):
Call to check_dynamic_size_for_floats.
* region-model.h (class region_model):
Add region_model::check_dynamic_size_for_floats.
gcc/ChangeLog:
PR analyzer/106181
* doc/invoke.texi: Add Wanalyzer-imprecise-fp-arithmetic.
gcc/testsuite/ChangeLog:
PR analyzer/106181
* gcc.dg/analyzer/allocation-size-1.c: New test.
* gcc.dg/analyzer/imprecise-floating-point-1.c: New test.
* gcc.dg/analyzer/pr106181.c: New test.
|
|
|
|
gcc/analyzer/ChangeLog:
* region-model.cc: Fix -Winconsistent-missing-override clang
warning.
* region.h: Likewise.
|
|
|
|
Fix a read/write typo.
Also, add more test coverage of -Wanalyzer-out-of-bounds to help
establish a baseline for experiments on tweaking the wording of
the warning (PR analyzer/106626).
gcc/analyzer/ChangeLog:
PR analyzer/106626
* region-model.cc (buffer_overread::emit): Fix copy&paste error in
direction of the access in the note.
gcc/testsuite/ChangeLog:
PR analyzer/106626
* gcc.dg/analyzer/out-of-bounds-read-char-arr.c: New test.
* gcc.dg/analyzer/out-of-bounds-read-int-arr.c: New test.
* gcc.dg/analyzer/out-of-bounds-write-char-arr.c: New test.
* gcc.dg/analyzer/out-of-bounds-write-int-arr.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
gcc/analyzer/ChangeLog:
PR analyzer/106573
* region-model.cc (region_model::on_call_pre): Use check_call_args
when ensuring that we call get_arg_svalue on all args. Remove
redundant call from handling for stdio builtins.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
This patch fixes the ICE caused by valid_to_unchecked_state
in sm-fd.cc by exiting early if first argument of any "dup"
functions is invalid.
gcc/analyzer/ChangeLog:
PR analyzer/106551
* sm-fd.cc (check_for_dup): exit early if first
argument is invalid for all dup functions.
gcc/testsuite/ChangeLog:
PR analyzer/106551
* gcc.dg/analyzer/fd-dup-1.c: New testcase.
Signed-off-by: Immad Mir <mirimmad@outlook.com>
|
|
|
|
This patch adds an experimental out-of-bounds checker to the analyzer.
The checker was tested on coreutils, curl, httpd and openssh. It is mostly
accurate but does produce false-positives on yacc-generated files and
sometimes when the analyzer misses an invariant. These cases will be
documented in bugzilla.
Regression-tested on Linux x86-64, further ran the analyzer tests with
the -m32 option.
2022-08-11 Tim Lange <mail@tim-lange.me>
gcc/analyzer/ChangeLog:
PR analyzer/106000
* analyzer.opt: Add Wanalyzer-out-of-bounds.
* region-model.cc (class out_of_bounds): Diagnostics base class
for all out-of-bounds diagnostics.
(class past_the_end): Base class derived from out_of_bounds for
the buffer_overflow and buffer_overread diagnostics.
(class buffer_overflow): Buffer overflow diagnostics.
(class buffer_overread): Buffer overread diagnostics.
(class buffer_underflow): Buffer underflow diagnostics.
(class buffer_underread): Buffer overread diagnostics.
(region_model::check_region_bounds): New function to check region
bounds for out-of-bounds accesses.
(region_model::check_region_access):
Add call to check_region_bounds.
(region_model::get_representative_tree): New function that accepts
a region instead of an svalue.
* region-model.h (class region_model):
Add region_model::check_region_bounds.
* region.cc (region::symbolic_p): New predicate.
(offset_region::get_byte_size_sval): Only return the remaining
byte size on offset_regions.
* region.h: Add region::symbolic_p.
* store.cc (byte_range::intersects_p):
Add new function equivalent to bit_range::intersects_p.
(byte_range::exceeds_p): New function.
(byte_range::falls_short_of_p): New function.
* store.h (struct byte_range): Add byte_range::intersects_p,
byte_range::exceeds_p and byte_range::falls_short_of_p.
gcc/ChangeLog:
PR analyzer/106000
* doc/invoke.texi: Add Wanalyzer-out-of-bounds.
gcc/testsuite/ChangeLog:
PR analyzer/106000
* g++.dg/analyzer/pr100244.C: Disable out-of-bounds warning.
* gcc.dg/analyzer/allocation-size-3.c:
Disable out-of-bounds warning.
* gcc.dg/analyzer/memcpy-2.c: Disable out-of-bounds warning.
* gcc.dg/analyzer/pr101962.c: Add dg-warning.
* gcc.dg/analyzer/pr96764.c: Disable out-of-bounds warning.
* gcc.dg/analyzer/pr97029.c:
Add dummy buffer to prevent an out-of-bounds warning.
* gcc.dg/analyzer/realloc-5.c: Add dg-warning.
* gcc.dg/analyzer/test-setjmp.h:
Add dummy buffer to prevent an out-of-bounds warning.
* gcc.dg/analyzer/zlib-3.c: Add dg-bogus.
* g++.dg/analyzer/out-of-bounds-placement-new.C: New test.
* gcc.dg/analyzer/out-of-bounds-1.c: New test.
* gcc.dg/analyzer/out-of-bounds-2.c: New test.
* gcc.dg/analyzer/out-of-bounds-3.c: New test.
* gcc.dg/analyzer/out-of-bounds-container_of.c: New test.
* gcc.dg/analyzer/out-of-bounds-coreutils.c: New test.
* gcc.dg/analyzer/out-of-bounds-curl.c: New test.
|
|
This patch adds the "shrinks buffer" case to the success_with_move
modelling of realloc.
Regression-tested on Linux x86-64, further ran the analyzer tests with
the -m32 option.
2022-08-11 Tim Lange <mail@tim-lange.me>
gcc/analyzer/ChangeLog:
PR analyzer/106539
* region-model-impl-calls.cc (region_model::impl_call_realloc):
Use the result of get_copied_size as the size for the
sized_regions in realloc.
(success_with_move::get_copied_size): New function.
gcc/testsuite/ChangeLog:
PR analyzer/106539
* gcc.dg/analyzer/pr106539.c: New test.
* gcc.dg/analyzer/realloc-5.c: New test.
|
|
|
|
This patch fixes the ICE caused by valid_to_unchecked_state,
at analyzer/sm-fd.cc by handling the m_start state in
check_for_dup.
Tested lightly on x86_64.
gcc/analyzer/ChangeLog:
PR analyzer/106551
* sm-fd.cc (check_for_dup): handle the m_start
state when transitioning the state of LHS
of dup, dup2 and dup3 call.
gcc/testsuite/ChangeLog:
* gcc.dg/analyzer/fd-dup-1.c: New testcases.
* gcc.dg/analyzer/fd-uninit-1.c: Remove bogus
warning.
Signed-off-by: Immad Mir <mirimmad@outlook.com>
|
|
|
|
functions [PR106573]
We were missing checks for uninitialized params on calls to functions
that the analyzer has hardcoded knowledge of - both for those that are
handled just by state machines, and for those that are handled in
region-model-impl-calls.cc (for those arguments for which the svalue
wasn't accessed in handling the call).
Fixed thusly.
gcc/analyzer/ChangeLog:
PR analyzer/106573
* region-model.cc (region_model::on_call_pre): Ensure that we call
get_arg_svalue on all arguments.
gcc/testsuite/ChangeLog:
PR analyzer/106573
* gcc.dg/analyzer/error-uninit.c: New test.
* gcc.dg/analyzer/fd-uninit-1.c: New test.
* gcc.dg/analyzer/file-uninit-1.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
|
|
This patch adds a new warning to -fanalyzer for jumps through NULL
function pointers.
gcc/analyzer/ChangeLog:
PR analyzer/105947
* analyzer.opt (Wanalyzer-jump-through-null): New option.
* engine.cc (class jump_through_null): New.
(exploded_graph::process_node): Complain about jumps through NULL
function pointers.
gcc/ChangeLog:
PR analyzer/105947
* doc/invoke.texi: Add -Wanalyzer-jump-through-null.
gcc/testsuite/ChangeLog:
PR analyzer/105947
* gcc.dg/analyzer/function-ptr-5.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
|
|
This patch extends the state machine in sm-fd.cc to support
creat, dup, dup2 and dup3 functions.
Lightly tested on x86_64 Linux.
gcc/analyzer/ChangeLog:
PR analyzer/106298
* sm-fd.cc (fd_state_machine::on_open): Add
creat, dup, dup2 and dup3 functions.
(enum dup): New.
(fd_state_machine::valid_to_unchecked_state): New.
(fd_state_machine::on_creat): New.
(fd_state_machine::on_dup): New.
gcc/testsuite/ChangeLog:
PR analyzer/106298
* gcc.dg/analyzer/fd-1.c: Add tests for 'creat'.
* gcc.dg/analyzer/fd-2.c: Likewise.
* gcc.dg/analyzer/fd-4.c: Likewise.
* gcc.dg/analyzer/fd-dup-1.c: New tests.
Signed-off-by: Immad Mir <mirimmad@outlook.com>
|
|
|
|
This patch implements a new -fanalyzer warning:
-Wanalyzer-putenv-of-auto-var
which complains about stack pointers passed to putenv(3) calls, as
per SEI CERT C Coding Standard rule POS34-C ("Do not call putenv() with
a pointer to an automatic variable as the argument").
For example, given:
#include <stdio.h>
#include <stdlib.h>
void test_arr (void)
{
char arr[] = "NAME=VALUE";
putenv (arr);
}
it emits:
demo.c: In function ‘test_arr’:
demo.c:7:3: warning: ‘putenv’ on a pointer to automatic variable ‘arr’ [POS34-C] [-Wanalyzer-putenv-of-auto-var]
7 | putenv (arr);
| ^~~~~~~~~~~~
‘test_arr’: event 1
|
| 7 | putenv (arr);
| | ^~~~~~~~~~~~
| | |
| | (1) ‘putenv’ on a pointer to automatic variable ‘arr’
|
demo.c:6:8: note: ‘arr’ declared on stack here
6 | char arr[] = "NAME=VALUE";
| ^~~
demo.c:7:3: note: perhaps use ‘setenv’ rather than ‘putenv’
7 | putenv (arr);
| ^~~~~~~~~~~~
gcc/analyzer/ChangeLog:
PR analyzer/105893
* analyzer.opt (Wanalyzer-putenv-of-auto-var): New.
* region-model-impl-calls.cc (class putenv_of_auto_var): New.
(region_model::impl_call_putenv): New.
* region-model.cc (region_model::on_call_pre): Handle putenv.
* region-model.h (region_model::impl_call_putenv): New decl.
gcc/ChangeLog:
PR analyzer/105893
* doc/invoke.texi: Add -Wanalyzer-putenv-of-auto-var.
gcc/testsuite/ChangeLog:
PR analyzer/105893
* gcc.dg/analyzer/putenv-1.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
gcc/analyzer/ChangeLog:
* sm-malloc.cc (free_of_non_heap::emit): Add comment about CWE.
* sm-taint.cc (tainted_size::emit): Likewise.
gcc/ChangeLog:
* doc/invoke.texi (-fdiagnostics-show-cwe): Use uref rather than
url.
(Static Analyzer Options): Likewise. Add urefs for all of the
warnings that have associated CWE identifiers.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
gcc/analyzer/ChangeLog:
* region.h: Add notes to the comment describing the region
class hierarchy.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
|
