path: root/gcc/analyzer
Age | Commit message | Author | Files | Lines

2022-08-23 | Daily bump. | GCC Administrator | 1 | -0/+4
2022-08-22 | analyzer: add missing final keyword | Martin Liska | 1 | -1/+1

Fixes the following clang warning:

gcc/analyzer/region-model.cc:5096:8: warning: 'subclass_equal_p' overrides a member function but is not marked 'override' [-Winconsistent-missing-override]

gcc/analyzer/ChangeLog:

	* region-model.cc: Add missing final keyword.
2022-08-19 | Daily bump. | GCC Administrator | 1 | -0/+18
2022-08-18 | analyzer: warn on the use of floating-point operands in the size argument [PR106181] | Tim Lange | 3 | -23/+162

This patch fixes the ICE reported in PR106181 and adds a new warning to the analyzer complaining about the use of floating-point operands.

Regrtested on Linux x86_64.

2022-08-17  Tim Lange  <mail@tim-lange.me>

gcc/analyzer/ChangeLog:

	PR analyzer/106181
	* analyzer.opt: Add Wanalyzer-imprecise-floating-point-arithmetic.
	* region-model.cc (is_any_cast_p): Formatting.
	(region_model::check_region_size): Ensure precondition.
	(class imprecise_floating_point_arithmetic): New abstract diagnostic
	class for all floating-point related warnings.
	(class float_as_size_arg): Concrete diagnostic class to complain about
	floating-point operands inside the size argument.
	(class contains_floating_point_visitor): New visitor to find
	floating-point operands inside svalues.
	(region_model::check_dynamic_size_for_floats): New function.
	(region_model::set_dynamic_extents): Call to
	check_dynamic_size_for_floats.
	* region-model.h (class region_model): Add
	region_model::check_dynamic_size_for_floats.

gcc/ChangeLog:

	PR analyzer/106181
	* doc/invoke.texi: Add Wanalyzer-imprecise-fp-arithmetic.

gcc/testsuite/ChangeLog:

	PR analyzer/106181
	* gcc.dg/analyzer/allocation-size-1.c: New test.
	* gcc.dg/analyzer/imprecise-floating-point-1.c: New test.
	* gcc.dg/analyzer/pr106181.c: New test.
2022-08-17 | Daily bump. | GCC Administrator | 1 | -0/+6
2022-08-16 | analyzer: add more final override keywords | Martin Liska | 2 | -3/+4

gcc/analyzer/ChangeLog:

	* region-model.cc: Fix -Winconsistent-missing-override clang warning.
	* region.h: Likewise.
2022-08-16 | Daily bump. | GCC Administrator | 1 | -0/+19
2022-08-15 | analyzer: fix direction of -Wanalyzer-out-of-bounds note [PR106626] | David Malcolm | 1 | -2/+2

Fix a read/write typo.

Also, add more test coverage of -Wanalyzer-out-of-bounds to help establish a baseline for experiments on tweaking the wording of the warning (PR analyzer/106626).

gcc/analyzer/ChangeLog:

	PR analyzer/106626
	* region-model.cc (buffer_overread::emit): Fix copy&paste error in
	direction of the access in the note.

gcc/testsuite/ChangeLog:

	PR analyzer/106626
	* gcc.dg/analyzer/out-of-bounds-read-char-arr.c: New test.
	* gcc.dg/analyzer/out-of-bounds-read-int-arr.c: New test.
	* gcc.dg/analyzer/out-of-bounds-write-char-arr.c: New test.
	* gcc.dg/analyzer/out-of-bounds-write-int-arr.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
2022-08-15 | analyzer: better fix for -Wanalyzer-use-of-uninitialized-value [PR106573] | David Malcolm | 1 | -3/+1

gcc/analyzer/ChangeLog:

	PR analyzer/106573
	* region-model.cc (region_model::on_call_pre): Use check_call_args
	when ensuring that we call get_arg_svalue on all args. Remove
	redundant call from handling for stdio builtins.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
2022-08-15 | analyzer: fix for ICE in sm-fd.cc [PR106551] | Immad Mir | 1 | -2/+1

This patch fixes the ICE caused by valid_to_unchecked_state in sm-fd.cc by exiting early if first argument of any "dup" functions is invalid.

gcc/analyzer/ChangeLog:

	PR analyzer/106551
	* sm-fd.cc (check_for_dup): exit early if first argument is invalid
	for all dup functions.

gcc/testsuite/ChangeLog:

	PR analyzer/106551
	* gcc.dg/analyzer/fd-dup-1.c: New testcase.

Signed-off-by: Immad Mir <mirimmad@outlook.com>
2022-08-13 | Daily bump. | GCC Administrator | 1 | -0/+39
2022-08-12 | analyzer: out-of-bounds checker [PR106000] | Tim Lange | 7 | -0/+541

This patch adds an experimental out-of-bounds checker to the analyzer. The checker was tested on coreutils, curl, httpd and openssh. It is mostly accurate but does produce false-positives on yacc-generated files and sometimes when the analyzer misses an invariant. These cases will be documented in bugzilla.

Regression-tested on Linux x86-64, further ran the analyzer tests with the -m32 option.

2022-08-11  Tim Lange  <mail@tim-lange.me>

gcc/analyzer/ChangeLog:

	PR analyzer/106000
	* analyzer.opt: Add Wanalyzer-out-of-bounds.
	* region-model.cc (class out_of_bounds): Diagnostics base class for
	all out-of-bounds diagnostics.
	(class past_the_end): Base class derived from out_of_bounds for the
	buffer_overflow and buffer_overread diagnostics.
	(class buffer_overflow): Buffer overflow diagnostics.
	(class buffer_overread): Buffer overread diagnostics.
	(class buffer_underflow): Buffer underflow diagnostics.
	(class buffer_underread): Buffer overread diagnostics.
	(region_model::check_region_bounds): New function to check region
	bounds for out-of-bounds accesses.
	(region_model::check_region_access): Add call to check_region_bounds.
	(region_model::get_representative_tree): New function that accepts a
	region instead of an svalue.
	* region-model.h (class region_model): Add
	region_model::check_region_bounds.
	* region.cc (region::symbolic_p): New predicate.
	(offset_region::get_byte_size_sval): Only return the remaining byte
	size on offset_regions.
	* region.h: Add region::symbolic_p.
	* store.cc (byte_range::intersects_p): Add new function equivalent to
	bit_range::intersects_p.
	(byte_range::exceeds_p): New function.
	(byte_range::falls_short_of_p): New function.
	* store.h (struct byte_range): Add byte_range::intersects_p,
	byte_range::exceeds_p and byte_range::falls_short_of_p.

gcc/ChangeLog:

	PR analyzer/106000
	* doc/invoke.texi: Add Wanalyzer-out-of-bounds.

gcc/testsuite/ChangeLog:

	PR analyzer/106000
	* g++.dg/analyzer/pr100244.C: Disable out-of-bounds warning.
	* gcc.dg/analyzer/allocation-size-3.c: Disable out-of-bounds warning.
	* gcc.dg/analyzer/memcpy-2.c: Disable out-of-bounds warning.
	* gcc.dg/analyzer/pr101962.c: Add dg-warning.
	* gcc.dg/analyzer/pr96764.c: Disable out-of-bounds warning.
	* gcc.dg/analyzer/pr97029.c: Add dummy buffer to prevent an
	out-of-bounds warning.
	* gcc.dg/analyzer/realloc-5.c: Add dg-warning.
	* gcc.dg/analyzer/test-setjmp.h: Add dummy buffer to prevent an
	out-of-bounds warning.
	* gcc.dg/analyzer/zlib-3.c: Add dg-bogus.
	* g++.dg/analyzer/out-of-bounds-placement-new.C: New test.
	* gcc.dg/analyzer/out-of-bounds-1.c: New test.
	* gcc.dg/analyzer/out-of-bounds-2.c: New test.
	* gcc.dg/analyzer/out-of-bounds-3.c: New test.
	* gcc.dg/analyzer/out-of-bounds-container_of.c: New test.
	* gcc.dg/analyzer/out-of-bounds-coreutils.c: New test.
	* gcc.dg/analyzer/out-of-bounds-curl.c: New test.
2022-08-12 | analyzer: consider that realloc could shrink the buffer [PR106539] | Tim Lange | 1 | -6/+42

This patch adds the "shrinks buffer" case to the success_with_move modelling of realloc.

Regression-tested on Linux x86-64, further ran the analyzer tests with the -m32 option.

2022-08-11  Tim Lange  <mail@tim-lange.me>

gcc/analyzer/ChangeLog:

	PR analyzer/106539
	* region-model-impl-calls.cc (region_model::impl_call_realloc): Use
	the result of get_copied_size as the size for the sized_regions in
	realloc.
	(success_with_move::get_copied_size): New function.

gcc/testsuite/ChangeLog:

	PR analyzer/106539
	* gcc.dg/analyzer/pr106539.c: New test.
	* gcc.dg/analyzer/realloc-5.c: New test.
2022-08-12 | Daily bump. | GCC Administrator | 1 | -0/+7
2022-08-11 | analyzer: fix ICE caused by dup2 in sm-fd.cc [PR106551] | Immad Mir | 1 | -4/+6

This patch fixes the ICE caused by valid_to_unchecked_state, at analyzer/sm-fd.cc by handling the m_start state in check_for_dup.

Tested lightly on x86_64.

gcc/analyzer/ChangeLog:

	PR analyzer/106551
	* sm-fd.cc (check_for_dup): handle the m_start state when
	transitioning the state of LHS of dup, dup2 and dup3 call.

gcc/testsuite/ChangeLog:

	* gcc.dg/analyzer/fd-dup-1.c: New testcases.
	* gcc.dg/analyzer/fd-uninit-1.c: Remove bogus warning.

Signed-off-by: Immad Mir <mirimmad@outlook.com>
2022-08-10 | Daily bump. | GCC Administrator | 1 | -0/+6
2022-08-09 | analyzer: fix missing -Wanalyzer-use-of-uninitialized-value on special-cased functions [PR106573] | David Malcolm | 1 | -0/+8

We were missing checks for uninitialized params on calls to functions that the analyzer has hardcoded knowledge of - both for those that are handled just by state machines, and for those that are handled in region-model-impl-calls.cc (for those arguments for which the svalue wasn't accessed in handling the call).

Fixed thusly.

gcc/analyzer/ChangeLog:

	PR analyzer/106573
	* region-model.cc (region_model::on_call_pre): Ensure that we call
	get_arg_svalue on all arguments.

gcc/testsuite/ChangeLog:

	PR analyzer/106573
	* gcc.dg/analyzer/error-uninit.c: New test.
	* gcc.dg/analyzer/fd-uninit-1.c: New test.
	* gcc.dg/analyzer/file-uninit-1.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
2022-08-06 | Daily bump. | GCC Administrator | 1 | -0/+8
2022-08-05 | New warning: -Wanalyzer-jump-through-null [PR105947] | David Malcolm | 2 | -0/+53

This patch adds a new warning to -fanalyzer for jumps through NULL function pointers.

gcc/analyzer/ChangeLog:

	PR analyzer/105947
	* analyzer.opt (Wanalyzer-jump-through-null): New option.
	* engine.cc (class jump_through_null): New.
	(exploded_graph::process_node): Complain about jumps through NULL
	function pointers.

gcc/ChangeLog:

	PR analyzer/105947
	* doc/invoke.texi: Add -Wanalyzer-jump-through-null.

gcc/testsuite/ChangeLog:

	PR analyzer/105947
	* gcc.dg/analyzer/function-ptr-5.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
2022-08-03 | Daily bump. | GCC Administrator | 1 | -0/+10
2022-08-02 | analyzer: support for creat, dup, dup2 and dup3 [PR106298] | Immad Mir | 1 | -3/+126

This patch extends the state machine in sm-fd.cc to support creat, dup, dup2 and dup3 functions.

Lightly tested on x86_64 Linux.

gcc/analyzer/ChangeLog:

	PR analyzer/106298
	* sm-fd.cc (fd_state_machine::on_open): Add creat, dup, dup2 and dup3
	functions.
	(enum dup): New.
	(fd_state_machine::valid_to_unchecked_state): New.
	(fd_state_machine::on_creat): New.
	(fd_state_machine::on_dup): New.

gcc/testsuite/ChangeLog:

	PR analyzer/106298
	* gcc.dg/analyzer/fd-1.c: Add tests for 'creat'.
	* gcc.dg/analyzer/fd-2.c: Likewise.
	* gcc.dg/analyzer/fd-4.c: Likewise.
	* gcc.dg/analyzer/fd-dup-1.c: New tests.

Signed-off-by: Immad Mir <mirimmad@outlook.com>
2022-07-29 | Daily bump. | GCC Administrator | 1 | -0/+19
2022-07-28 | analyzer: new warning: -Wanalyzer-putenv-of-auto-var [PR105893] | David Malcolm | 4 | -0/+128

This patch implements a new -fanalyzer warning: -Wanalyzer-putenv-of-auto-var which complains about stack pointers passed to putenv(3) calls, as per SEI CERT C Coding Standard rule POS34-C ("Do not call putenv() with a pointer to an automatic variable as the argument").

For example, given:

#include <stdio.h>
#include <stdlib.h>

void test_arr (void)
{
  char arr[] = "NAME=VALUE";
  putenv (arr);
}

it emits:

demo.c: In function ‘test_arr’:
demo.c:7:3: warning: ‘putenv’ on a pointer to automatic variable ‘arr’ [POS34-C] [-Wanalyzer-putenv-of-auto-var]
    7 |   putenv (arr);
      |   ^~~~~~~~~~~~
  ‘test_arr’: event 1
    |
    |    7 |   putenv (arr);
    |      |   ^~~~~~~~~~~~
    |      |   |
    |      |   (1) ‘putenv’ on a pointer to automatic variable ‘arr’
    |
demo.c:6:8: note: ‘arr’ declared on stack here
    6 |   char arr[] = "NAME=VALUE";
      |        ^~~
demo.c:7:3: note: perhaps use ‘setenv’ rather than ‘putenv’
    7 |   putenv (arr);
      |   ^~~~~~~~~~~~

gcc/analyzer/ChangeLog:

	PR analyzer/105893
	* analyzer.opt (Wanalyzer-putenv-of-auto-var): New.
	* region-model-impl-calls.cc (class putenv_of_auto_var): New.
	(region_model::impl_call_putenv): New.
	* region-model.cc (region_model::on_call_pre): Handle putenv.
	* region-model.h (region_model::impl_call_putenv): New decl.

gcc/ChangeLog:

	PR analyzer/105893
	* doc/invoke.texi: Add -Wanalyzer-putenv-of-auto-var.

gcc/testsuite/ChangeLog:

	PR analyzer/105893
	* gcc.dg/analyzer/putenv-1.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
2022-07-28 | analyzer: add CWE identifier URLs to docs | David Malcolm | 2 | -0/+2

gcc/analyzer/ChangeLog:

	* sm-malloc.cc (free_of_non_heap::emit): Add comment about CWE.
	* sm-taint.cc (tainted_size::emit): Likewise.

gcc/ChangeLog:

	* doc/invoke.texi (-fdiagnostics-show-cwe): Use uref rather than url.
	(Static Analyzer Options): Likewise. Add urefs for all of the
	warnings that have associated CWE identifiers.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
2022-07-28 | analyzer: expand the comment in region.h | David Malcolm | 1 | -21/+31

gcc/analyzer/ChangeLog:

	* region.h: Add notes to the comment describing the region class
	hierarchy.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
2022-07-28 | Daily bump. | GCC Administrator | 1 | -0/+6
2022-07-27 | analyzer: add get_meaning_for_state_change vfunc to fd_diagnostic in sm-fd.cc [PR106286] | Immad Mir | 1 | -0/+14

This patch adds get_meaning_for_state_change vfunc to fd_diagnostic in sm-fd.cc which could be used by SARIF output.

Lightly tested on x86_64 Linux.

gcc/analyzer/ChangeLog:

	PR analyzer/106286
	* sm-fd.cc: (fd_diagnostic::get_meaning_for_state_change): New.

gcc/testsuite/ChangeLog:

	PR analyzer/106286
	* gcc.dg/analyzer/fd-meaning.c: New test.

Signed-off-by: Immad Mir <mirimmad@outlook.com>
2022-07-27 | Daily bump. | GCC Administrator | 1 | -0/+11
2022-07-26 | analyzer: fix false +ves from -Wanalyzer-va-arg-type-mismatch on int promotion [PR106319] | David Malcolm | 1 | -1/+3

gcc/analyzer/ChangeLog:

	PR analyzer/106319
	* store.cc (store::set_value): Don't strip away casts if the region
	has NULL type.

gcc/testsuite/ChangeLog:

	PR analyzer/106319
	* gcc.dg/analyzer/stdarg-types-3.c: New test.
	* gcc.dg/analyzer/stdarg-types-4.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
2022-07-26 | analyzer: fix stray get_element decls | David Malcolm | 1 | -8/+0

These were copy&paste errors.

gcc/analyzer/ChangeLog:

	* region.h (code_region::get_element): Remove stray decl.
	(function_region::get_element): Likewise.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
2022-07-26 | Daily bump. | GCC Administrator | 1 | -0/+4
2022-07-25 | analyzer: fix coding style in sm-fd.cc | Martin Liska | 1 | -1057/+1057

gcc/analyzer/ChangeLog:

	* sm-fd.cc: Run dos2unix and fix coding style issues.
2022-07-24 | Daily bump. | GCC Administrator | 1 | -0/+15
2022-07-23 | Adding three new function attributes for static analysis of file descriptors | Immad Mir | 1 | -69/+269

This patch adds three new function attributes to GCC that are used for static analysis of usage of file descriptors:

1) __attribute__ ((fd_arg(N))): The attributes may be applied to a function that takes an open file descriptor at referenced argument N.

It indicates that the passed file descriptor must not have been closed. Therefore, when the analyzer is enabled with -fanalyzer, the analyzer may emit a -Wanalyzer-fd-use-after-close diagnostic if it detects a code path in which a function with this attribute is called with a closed file descriptor.

The attribute also indicates that the file descriptor must have been checked for validity before usage. Therefore, analyzer may emit -Wanalyzer-fd-use-without-check diagnostic if it detects a code path in which a function with this attribute is called with a file descriptor that has not been checked for validity.

2) __attribute__((fd_arg_read(N))): The attribute is identical to fd_arg, but with the additional requirement that it might read from the file descriptor, and thus, the file descriptor must not have been opened as write-only.

The analyzer may emit a -Wanalyzer-access-mode-mismatch diagnostic if it detects a code path in which a function with this attribute is called on a file descriptor opened with O_WRONLY.

3) __attribute__((fd_arg_write(N))): The attribute is identical to fd_arg_read except that the analyzer may emit a -Wanalyzer-access-mode-mismatch diagnostic if it detects a code path in which a function with this attribute is called on a file descriptor opened with O_RDONLY.

gcc/analyzer/ChangeLog:

	* sm-fd.cc (fd_param_diagnostic): New diagnostic class.
	(fd_access_mode_mismatch): Change inheritance from fd_diagnostic
	to fd_param_diagnostic. Add new overloaded constructor.
	(fd_use_after_close): Likewise.
	(unchecked_use_of_fd): Likewise and also change name to
	fd_use_without_check.
	(double_close): Change name to fd_double_close.
	(enum access_directions): New.
	(fd_state_machine::on_stmt): Handle calls to function with the
	new three function attributes.
	(fd_state_machine::check_for_fd_attrs): New.
	(fd_state_machine::on_open): Use the new overloaded constructors
	of diagnostic classes.

gcc/c-family/ChangeLog:

	* c-attribs.cc: (c_common_attribute_table): add three new attributes
	namely: fd_arg, fd_arg_read and fd_arg_write.
	(handle_fd_arg_attribute): New.

gcc/ChangeLog:

	* doc/extend.texi: Add fd_arg, fd_arg_read and fd_arg_write under
	"Common Function Attributes" section.
	* doc/invoke.texi: Add docs to -Wanalyzer-fd-access-mode-mismatch,
	-Wanalyzer-use-after-close, -Wanalyzer-fd-use-without-check that
	these warnings may be emitted through usage of three function
	attributes used for static analysis of file descriptors namely
	fd_arg, fd_arg_read and fd_arg_write.

gcc/testsuite/ChangeLog:

	* gcc.dg/analyzer/fd-5.c: New test.
	* gcc.dg/analyzer/fd-4.c: Remove quotes around 'read-only' and
	'write-only'.
	* c-c++-common/attr-fd.c: New test.

Signed-off-by: Immad Mir <mirimmad17@gmail.com>
2022-07-23 | Daily bump. | GCC Administrator | 1 | -0/+21
2022-07-22 | analyzer: fix state explosion on va_arg [PR106413] | David Malcolm | 1 | -5/+21

Fix state explosion on va_arg when the call to va_start is in the top-level function of the analysis.

gcc/analyzer/ChangeLog:

	PR analyzer/106413
	* varargs.cc (region_model::impl_call_va_start): Avoid iterating
	through non-existent variadic arguments by initializing the
	impl_region to "UNKNOWN" if the va_start occurs in the top-level
	function to the analysis.

gcc/testsuite/ChangeLog:

	PR analyzer/106413
	* gcc.dg/analyzer/torture/stdarg-4.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
2022-07-22 | analyzer: fix ICE in binding_cluster ctor [PR106401] | David Malcolm | 1 | -1/+0

gcc/analyzer/ChangeLog:

	PR analyzer/106401
	* store.cc (binding_cluster::binding_cluster): Remove overzealous
	assertion; we're checking for tracked_p in
	store::get_or_create_cluster.

gcc/testsuite/ChangeLog:

	PR analyzer/106401
	* gcc.dg/analyzer/memcpy-2.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
2022-07-22 | Fix handling of zero capacity regions in -Wanalyzer-allocation-size [PR106394] | Tim Lange | 1 | -1/+1

This patch unifies the handling of zero capacity regions for structs and other types in the allocation size checker.

Regression-tested on x86_64 Linux.

2022-07-22  Tim Lange  <mail@tim-lange.me>

gcc/analyzer/ChangeLog:

	PR analyzer/106394
	* region-model.cc (capacity_compatible_with_type): Always return true
	if alloc_size is zero.

gcc/testsuite/ChangeLog:

	PR analyzer/106394
	* gcc.dg/analyzer/pr106394.c: New test.
2022-07-22 | Daily bump. | GCC Administrator | 1 | -0/+22
2022-07-21 | analyzer: fix -Wanalyzer-va-list-exhausted false +ve on va_arg in subroutine [PR106383] | David Malcolm | 1 | -2/+2

gcc/analyzer/ChangeLog:

	PR analyzer/106383
	* varargs.cc (region_model::impl_call_va_arg): When determining if
	we're doing interprocedural analysis, use the stack depth of the
	frame in which va_start was called, rather than the current stack
	depth.

gcc/testsuite/ChangeLog:

	PR analyzer/106383
	* gcc.dg/analyzer/stdarg-3.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
2022-07-20 | analyzer: bulletproof taint warnings against NULL m_arg | David Malcolm | 1 | -83/+164

gcc/analyzer/ChangeLog:

	* sm-taint.cc (tainted_array_index::emit): Bulletproof against NULL
	m_arg.
	(tainted_array_index::describe_final_event): Likewise.
	(tainted_size::emit): Likewise.
	(tainted_size::describe_final_event): Likewise.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
2022-07-20 | analyzer: fix ICE on untracked decl_regions [PR106374] | David Malcolm | 1 | -0/+5

gcc/analyzer/ChangeLog:

	PR analyzer/106374
	* region.cc (decl_region::get_svalue_for_initializer): Bail out on
	untracked regions.

gcc/testsuite/ChangeLog:

	PR analyzer/106374
	* gcc.dg/analyzer/untracked-2.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
2022-07-21 | Daily bump. | GCC Administrator | 1 | -0/+14
2022-07-20 | analyzer: update "tainted" state of RHS in comparisons [PR106373] | David Malcolm | 1 | -3/+15

Doing so fixes various false positives from -Wanalyzer-tainted-array-index at -O1 and above (e.g. seen on the Linux kernel)

gcc/analyzer/ChangeLog:

	PR analyzer/106373
	* sm-taint.cc (taint_state_machine::on_condition): Potentially
	update the state of the RHS as well as the LHS.

gcc/testsuite/ChangeLog:

	PR analyzer/106373
	* gcc.dg/analyzer/torture/taint-read-index-3.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
2022-07-19 | analyzer: don't track string literals in the store [PR106359] | David Malcolm | 3 | -3/+12

Doing so speeds up -fanalyzer from taking over 4 hours to under a minute on the Linux kernel's sound/soc/codecs/cs47l90.c

gcc/analyzer/ChangeLog:

	PR analyzer/106359
	* region.h (string_region::tracked_p): New.
	* store.cc (binding_cluster::binding_cluster): Move here from
	store.h. Add assertion that base_region is tracked_p.
	* store.h (binding_cluster::binding_cluster): Move to store.cc.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
2022-07-20 | Daily bump. | GCC Administrator | 1 | -0/+23
2022-07-19 | analyzer: fix taint handling of switch statements [PR106321] | David Malcolm | 7 | -0/+118

PR analyzer/106321 reports false positives from -Wanalyzer-tainted-array-index on switch statements, seen e.g. in the Linux kernel in drivers/vfio/pci/vfio_pci_core.c, where vfio_pci_core_ioctl has:

  |  744 |         switch (info.index) {
  |      |         ~~~~~~ ~~~~~~~~~~
  |      |         |      |
  |      |         |      (8) ...to here
  |      |         (9) following ‘case 0 ... 5:’ branch...
  |......
  |  751 |         case VFIO_PCI_BAR0_REGION_INDEX ... VFIO_PCI_BAR5_REGION_INDEX:
  |      |         ~~~~
  |      |         |
  |      |         (10) ...to here

and then a false complaint about "use of attacker-controlled value ‘info.index’ in array lookup without upper-bounds checking", where info.index has clearly had its bounds checked by the switch/case.

It turns out that when I rewrote switch handling for the analyzer in r12-3101-g8ca7fa84a3af35, I removed notifications to state machines about the constraints on cases.

This patch fixes that oversight by adding a new on_bounded_ranges vfunc for region_model_context, called on switch statement edges, which calls a new state_machine vfunc. It implements it for the "taint" state machine, so that it updates the "has bounds" flags at out-edges for switch statements, based on whether the bounds from the edge appear to actually constrain the switch index.

gcc/analyzer/ChangeLog:

	PR analyzer/106321
	* constraint-manager.h (bounded_ranges::get_count): New.
	(bounded_ranges::get_range): New.
	* engine.cc (impl_region_model_context::on_bounded_ranges): New.
	* exploded-graph.h (impl_region_model_context::on_bounded_ranges):
	New decl.
	* region-model.cc (region_model::apply_constraints_for_gswitch):
	Potentially call ctxt->on_bounded_ranges.
	* region-model.h (region_model_context::on_bounded_ranges): New
	vfunc.
	(noop_region_model_context::on_bounded_ranges): New.
	(region_model_context_decorator::on_bounded_ranges): New.
	* sm-taint.cc: Include "analyzer/constraint-manager.h".
	(taint_state_machine::on_bounded_ranges): New.
	* sm.h (state_machine::on_bounded_ranges): New.

gcc/testsuite/ChangeLog:

	PR analyzer/106321
	* gcc.dg/analyzer/torture/taint-read-index-2.c: Add test coverage
	for switch statements.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
2022-07-19 | analyzer: log out-edge description in exploded_graph::process_node | David Malcolm | 1 | -2/+6

I found this logging tweak very helpful when working on PR analyzer/106284.

gcc/analyzer/ChangeLog:

	* engine.cc (exploded_graph::process_node): Show any description of
	the out-edge when logging it for consideration.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
2022-07-16 | Daily bump. | GCC Administrator | 1 | -0/+34
2022-07-15 | analyzer: fix taint false positive on optimized range checks [PR106284] | David Malcolm | 1 | -0/+42

PR analyzer/106284 reports a false positive from -Wanalyzer-tainted-array-index seen on the Linux kernel with a version of my patches from:

https://gcc.gnu.org/pipermail/gcc-patches/2021-November/584372.html

in drivers/usb/class/usblp.c in function ‘usblp_set_protocol’ handling usblp_ioctl on IOCNR_SET_PROTOCOL, which has:

  | 1337 |         if (protocol < USBLP_FIRST_PROTOCOL || protocol > USBLP_LAST_PROTOCOL)
  |      |            ~
  |      |            |
  |      |            (15) following ‘false’ branch...
  |......
  | 1341 |         if (usblp->intf->num_altsetting > 1) {
  |      |            ~~~~~~~~~~~~
  |      |            |
  |      |            (16) ...to here
  |      |            (17) following ‘true’ branch...
  | 1342 |                 alts = usblp->protocol[protocol].alt_setting;
  |      |                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  |      |                 |
  |      |                 (18) ...to here
  |      |                 (19) use of attacker-controlled value ‘arg’ in array lookup without bounds checking

where "arg" is "protocol" (albeit from the caller frame, the ioctl callback), and is clearly checked at (15).

The root cause is that at -O1 and above fold-const's build_range_check can optimize range checks

  (c>=low) && (c<=high)

into

  (c-low>=0) && (c-low<=high-low)

and thus into a single check:

  (unsigned)(c - low) <= (unsigned)(high-low).

I initially attempted to fix this by detecting such conditions in region_model::on_condition, and calling on_condition for both of the implied conditions. This turned out not to work since the current sm_context framework doesn't support applying two conditions simultaneously: it led to a transition from the old state to has_lb, then a transition from the old state *again* to has_ub, thus leaving the new state as has_ub, rather than the stop state.

Instead, this patch fixes things by special-casing it within taint_state_machine::on_condition.

gcc/analyzer/ChangeLog:

	PR analyzer/106284
	* sm-taint.cc (taint_state_machine::on_condition): Handle range
	checks optimized by build_range_check.

gcc/testsuite/ChangeLog:

	PR analyzer/106284
	* gcc.dg/analyzer/torture/taint-read-index-2.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>