From patchwork Thu Dec 1 02:41:58 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Malcolm X-Patchwork-Id: 61293 Return-Path: X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id E8967384F494 for ; Thu, 1 Dec 2022 02:43:44 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org E8967384F494 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org; s=default; t=1669862624; bh=HT7dBvmtwLm5uEXN425VW0YbErnHYl1RjQUmLJthLsU=; h=To:Cc:Subject:Date:In-Reply-To:References:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: From:Reply-To:From; b=sOYIf6cuZoJjx7tPvKS+LV7yTSM52+dJvX/NhK+TZZZrOpJx/lwyCvmyvy2p+zEYG XjDgZ1fOQMIakpz9x28nsp40vtEFkqv+/HG7COF8tquJWWRRdtBR+zXnpaoKJXboGX MNEOZBFWTp0Hs6oxIkPKrQcsBSJOHnpcWGT2XgXU= X-Original-To: gcc-patches@gcc.gnu.org Delivered-To: gcc-patches@gcc.gnu.org Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by sourceware.org (Postfix) with ESMTPS id 1B9063858434 for ; Thu, 1 Dec 2022 02:42:08 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 1B9063858434 Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-625-BGvFz16eOT6vc-w6iAsuNA-1; Wed, 30 Nov 2022 21:42:06 -0500 X-MC-Unique: BGvFz16eOT6vc-w6iAsuNA-1 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 1BC0E29AB3FC for ; Thu, 1 Dec 2022 02:42:06 +0000 (UTC) Received: from t14s.localdomain.com (unknown [10.2.16.65]) by smtp.corp.redhat.com (Postfix) with ESMTP id EC6512024CBE; Thu, 1 Dec 2022 02:42:05 +0000 (UTC) To: gcc-patches@gcc.gnu.org Cc: David Malcolm Subject: [committed 5/7] diagnostics: tweak diagnostic_path::interprocedural_p [PR106626] Date: Wed, 30 Nov 2022 21:41:58 -0500 Message-Id: <20221201024200.3722982-5-dmalcolm@redhat.com> In-Reply-To: <20221201024200.3722982-1-dmalcolm@redhat.com> References: <20221201024200.3722982-1-dmalcolm@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.4 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com X-Spam-Status: No, score=-11.9 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2, SPF_HELO_NONE, SPF_NONE, TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: gcc-patches@gcc.gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gcc-patches mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: David Malcolm via Gcc-patches From: David Malcolm Reply-To: David Malcolm Errors-To: gcc-patches-bounces+patchwork=sourceware.org@gcc.gnu.org Sender: "Gcc-patches" The region-creation event at the start of... : In function 'int_arr_write_element_after_end_off_by_one': :14:11: warning: buffer overflow [CWE-787] [-Wanalyzer-out-of-bounds] 14 | arr[10] = x; | ~~~~~~~~^~~ event 1 | | 10 | int32_t arr[10]; | | ^~~ | | | | | (1) capacity is 40 bytes | +--> 'int_arr_write_element_after_end_off_by_one': events 2-3 | | 12 | void int_arr_write_element_after_end_off_by_one(int32_t x) | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (2) entry to 'int_arr_write_element_after_end_off_by_one' | 13 | { | 14 | arr[10] = x; /* { dg-line line } */ | | ~~~~~~~~~~~ | | | | | (3) out-of-bounds write from byte 40 till byte 43 but 'arr' ends at byte 40 | :14:11: note: write of 4 bytes to beyond the end of 'arr' 14 | arr[10] = x; | ~~~~~~~~^~~ :14:11: note: valid subscripts for 'arr' are '[0]' to '[9]' ...makes diagnostic_manager::finish_pruning consider the path to be interprocedural, and so it doesn't prune the function entry event. This patch tweaks diagnostic_path::interprocedural_p to ignore leading events outside of any function, so that it considers the path to be intraprocedural, and thus diagnostic_manager::finish_pruning prunes the function entry event, leading to this simpler output: : In function 'int_arr_write_element_after_end_off_by_one': :14:11: warning: buffer overflow [CWE-787] [-Wanalyzer-out-of-bounds] 14 | arr[10] = x; | ~~~~~~~~^~~ event 1 | | 10 | int32_t arr[10]; | | ^~~ | | | | | (1) capacity is 40 bytes | +--> 'int_arr_write_element_after_end_off_by_one': event 2 | | 14 | arr[10] = x; | | ~~~~~~~~^~~ | | | | | (2) out-of-bounds write from byte 40 till byte 43 but 'arr' ends at byte 40 | :14:11: note: write of 4 bytes to beyond the end of 'arr' :14:11: note: valid subscripts for 'arr' are '[0]' to '[9]' Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu. Pushed to trunk as r13-4429-g1d86af242bc4a8. gcc/ChangeLog: PR analyzer/106626 * diagnostic-path.h (diagnostic_path::get_first_event_in_a_function): New decl. * diagnostic.cc (diagnostic_path::get_first_event_in_a_function): New. (diagnostic_path::interprocedural_p): Ignore leading events that are outside of any function. gcc/testsuite/ChangeLog: PR analyzer/106626 * gcc.dg/analyzer/out-of-bounds-multiline-1.c: New test. Signed-off-by: David Malcolm --- gcc/diagnostic-path.h | 3 ++ gcc/diagnostic.cc | 37 +++++++++++++++++-- .../analyzer/out-of-bounds-multiline-1.c | 37 +++++++++++++++++++ 3 files changed, 74 insertions(+), 3 deletions(-) create mode 100644 gcc/testsuite/gcc.dg/analyzer/out-of-bounds-multiline-1.c diff --git a/gcc/diagnostic-path.h b/gcc/diagnostic-path.h index 8ce4ff763d4..aa5cda8c23a 100644 --- a/gcc/diagnostic-path.h +++ b/gcc/diagnostic-path.h @@ -167,6 +167,9 @@ class diagnostic_path virtual const diagnostic_event & get_event (int idx) const = 0; bool interprocedural_p () const; + +private: + bool get_first_event_in_a_function (unsigned *out_idx) const; }; /* Concrete subclasses. */ diff --git a/gcc/diagnostic.cc b/gcc/diagnostic.cc index a9562a815b1..322515b3242 100644 --- a/gcc/diagnostic.cc +++ b/gcc/diagnostic.cc @@ -939,18 +939,49 @@ diagnostic_event::meaning::maybe_get_property_str (enum property p) /* class diagnostic_path. */ +/* Subroutint of diagnostic_path::interprocedural_p. + Look for the first event in this path that is within a function + i.e. has a non-NULL fndecl, and a non-zero stack depth. + If found, write its index to *OUT_IDX and return true. + Otherwise return false. */ + +bool +diagnostic_path::get_first_event_in_a_function (unsigned *out_idx) const +{ + const unsigned num = num_events (); + for (unsigned i = 0; i < num; i++) + { + if (!(get_event (i).get_fndecl () == NULL + && get_event (i).get_stack_depth () == 0)) + { + *out_idx = i; + return true; + } + } + return false; +} + /* Return true if the events in this path involve more than one function, or false if it is purely intraprocedural. */ bool diagnostic_path::interprocedural_p () const { + /* Ignore leading events that are outside of any function. */ + unsigned first_fn_event_idx; + if (!get_first_event_in_a_function (&first_fn_event_idx)) + return false; + + const diagnostic_event &first_fn_event = get_event (first_fn_event_idx); + tree first_fndecl = first_fn_event.get_fndecl (); + int first_fn_stack_depth = first_fn_event.get_stack_depth (); + const unsigned num = num_events (); - for (unsigned i = 0; i < num; i++) + for (unsigned i = first_fn_event_idx + 1; i < num; i++) { - if (get_event (i).get_fndecl () != get_event (0).get_fndecl ()) + if (get_event (i).get_fndecl () != first_fndecl) return true; - if (get_event (i).get_stack_depth () != get_event (0).get_stack_depth ()) + if (get_event (i).get_stack_depth () != first_fn_stack_depth) return true; } return false; diff --git a/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-multiline-1.c b/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-multiline-1.c new file mode 100644 index 00000000000..25301e9e2ff --- /dev/null +++ b/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-multiline-1.c @@ -0,0 +1,37 @@ +/* Integration test of how the execution path looks for + -Wanalyzer-out-of-bounds. */ + +/* { dg-additional-options "-fdiagnostics-show-path-depths" } */ +/* { dg-additional-options "-fdiagnostics-path-format=inline-events -fdiagnostics-show-caret" } */ + + +#include + +int32_t arr[10]; + +void int_arr_write_element_after_end_off_by_one(int32_t x) +{ + arr[10] = x; /* { dg-line line } */ +} +/* { dg-warning "buffer overflow" "warning" { target *-*-* } line } */ +/* { dg-message "valid subscripts for 'arr' are '\\\[0\\\]' to '\\\[9\\\]'" "valid subscript note" { target *-*-* } line } */ + + +/* { dg-begin-multiline-output "" } + arr[10] = x; + ~~~~~~~~^~~ + event 1 (depth 0) + | + | int32_t arr[10]; + | ^~~ + | | + | (1) capacity is 40 bytes + | + +--> 'int_arr_write_element_after_end_off_by_one': event 2 (depth 1) + | + | arr[10] = x; + | ~~~~~~~~^~~ + | | + | (2) out-of-bounds write from byte 40 till byte 43 but 'arr' ends at byte 40 + | + { dg-end-multiline-output "" } */