From: David Malcolm
To: gcc-patches@gcc.gnu.org
Subject: [committed] analyzer: fix ICE in taint checker on unary ops [PR104029]
Date: Fri, 14 Jan 2022 17:53:04 -0500
Message-Id: <20220114225304.1765152-1-dmalcolm@redhat.com>

gcc/analyzer/ChangeLog:
	PR analyzer/104029
	* sm-taint.cc (taint_state_machine::alt_get_inherited_state):
	Remove gcc_unreachable from default case for unary ops.

gcc/testsuite/ChangeLog:
	PR analyzer/104029
	* gcc.dg/analyzer/pr104029.c: New test.
	* gcc.dg/analyzer/taint-ops.c: New test.
---
 gcc/analyzer/sm-taint.cc | 1 -
 gcc/testsuite/gcc.dg/analyzer/pr104029.c | 115 ++++++++++++++++++++++
 gcc/testsuite/gcc.dg/analyzer/taint-ops.c | 106 ++++++++++++++++++++
 3 files changed, 221 insertions(+), 1 deletion(-)
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr104029.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/taint-ops.c

diff --git a/gcc/analyzer/sm-taint.cc b/gcc/analyzer/sm-taint.cc index 54c7e6015ab..3a46256b020 100644 --- a/gcc/analyzer/sm-taint.cc +++ b/gcc/analyzer/sm-taint.cc 
@@ -649,7 +649,6 @@ taint_state_machine::alt_get_inherited_state (const sm_state_map &map, return arg_state; } default: - gcc_unreachable (); break; } } diff --git a/gcc/testsuite/gcc.dg/analyzer/pr104029.c b/gcc/testsuite/gcc.dg/analyzer/pr104029.c new file mode 100644 index 00000000000..adf15ed356f --- /dev/null +++ b/gcc/testsuite/gcc.dg/analyzer/pr104029.c 
@@ -0,0 +1,115 @@ +// TODO: remove need for this option +/* { dg-additional-options "-fanalyzer-checker=taint" } */ + +typedef __SIZE_TYPE__ size_t; +typedef const void *t_comptype; +typedef int (*t_compfunc)(t_comptype, t_comptype); + +extern int *__errno_location(void) + __attribute__((__nothrow__, __leaf__,__const__)); +extern void free(void *__ptr) + __attribute__((__nothrow__, __leaf__)); +extern void *my_malloc1(const char *file, int line, size_t size); + +int heapsort(void *vbase, size_t nmemb, size_t size, t_compfunc compar) { + char tmp, *tmp1, *tmp2, *abase, *k, *p, *t; + size_t cnt, i, j, l; + + if (nmemb <= 1) + return (0); + + if (!size) { + (*__errno_location()) = 22; + return (-1); + } + + k = my_malloc1(__FILE__, __LINE__, size); + + abase = (char *)vbase - size; + + for (l = nmemb / 2 + 1; --l;) { + for (i = l; (j = i * 2) <= nmemb; i = j) { + p = abase + j * size; + if (j < nmemb && compar(p, p + size) < 0) { + p += size; + ++j; + } + t = abase + i * size; + if (compar(p, t) <= 0) + break; + { + cnt = size; + do { + tmp = *t; + *t++ = *p; + *p++ = tmp; + } while (--cnt); + }; + } + }; + + while (nmemb > 1) { + { + cnt = size; + tmp1 = k; + tmp2 = abase + nmemb * size; + do { + *tmp1++ = *tmp2++; + } while (--cnt); + }; + { + cnt = size; + tmp1 = abase + nmemb * size; + tmp2 = abase + size; + do { + *tmp1++ = *tmp2++; + } while (--cnt); + }; + --nmemb; + { + for (i = 1; (j = i * 2) <= nmemb; i = j) { + p = abase + j * size; + if (j < nmemb && compar(p, p + size) < 0) { + p += size; + ++j; + } + t = abase + i * size; + { + cnt = size; + tmp1 = t; + tmp2 = p; + do { + *tmp1++ = *tmp2++; + } while (--cnt); + }; + } + for (;;) { + j = i; + i = j / 2; + p = abase + j * size; + t = abase + i * size; + if (j == 1 || compar(k, t) < 0) { + { + cnt = size; + tmp1 = p; + tmp2 = k; + do { + *tmp1++ = *tmp2++; + } while (--cnt); + }; + break; + } + { + cnt = size; + tmp1 = p; + tmp2 = t; + do { + *tmp1++ = *tmp2++; + } while (--cnt); + }; + } + }; + } + 
free(k); + return (0); +} diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-ops.c b/gcc/testsuite/gcc.dg/analyzer/taint-ops.c new file mode 100644 index 00000000000..729dbe53a0c --- /dev/null +++ b/gcc/testsuite/gcc.dg/analyzer/taint-ops.c 
@@ -0,0 +1,106 @@ +/* { dg-additional-options "-fanalyzer-checker=taint" } */ +// TODO: remove need for this option +/* This test can probably be removed when -fanalyzer enables + the taint checker by default. */ + +#include "analyzer-decls.h" + +void +test_1 (char a) +{ + char b = -a; +} + +/* Copies of code from data-model-1.c. */ + +void test_20 (int i, int j) +{ + __analyzer_eval (i + 1); /* { dg-warning "UNKNOWN" } */ + __analyzer_eval (i + j); /* { dg-warning "UNKNOWN" } */ + + __analyzer_eval (i - 1); /* { dg-warning "UNKNOWN" } */ + __analyzer_eval (i - j); /* { dg-warning "UNKNOWN" } */ + + __analyzer_eval (i * 2); /* { dg-warning "UNKNOWN" } */ + __analyzer_eval (i * j); /* { dg-warning "UNKNOWN" } */ + + __analyzer_eval (i / 2); /* { dg-warning "UNKNOWN" } */ + __analyzer_eval (i / j); /* { dg-warning "UNKNOWN" } */ + + __analyzer_eval (i % 2); /* { dg-warning "UNKNOWN" } */ + __analyzer_eval (i % j); /* { dg-warning "UNKNOWN" } */ + + __analyzer_eval (i & 1); /* { dg-warning "UNKNOWN" } */ + __analyzer_eval (i & j); /* { dg-warning "UNKNOWN" } */ + + __analyzer_eval (i | 1); /* { dg-warning "UNKNOWN" } */ + __analyzer_eval (i | j); /* { dg-warning "UNKNOWN" } */ + + __analyzer_eval (i ^ 1); /* { dg-warning "UNKNOWN" } */ + __analyzer_eval (i ^ j); /* { dg-warning "UNKNOWN" } */ + + __analyzer_eval (i >> 1); /* { dg-warning "UNKNOWN" } */ + __analyzer_eval (i >> j); /* { dg-warning "UNKNOWN" } */ + + __analyzer_eval (i << 1); /* { dg-warning "UNKNOWN" } */ + __analyzer_eval (i << j); /* { dg-warning "UNKNOWN" } */ + + __analyzer_eval (i && 0); /* { dg-warning "FALSE" } */ + __analyzer_eval (i && 1); /* { dg-warning "UNKNOWN" } */ + __analyzer_eval (i && j); /* { dg-warning "UNKNOWN" } */ + + __analyzer_eval (i || 0); /* { dg-warning "UNKNOWN" } */ + + __analyzer_eval (i || 1); /* { dg-warning "TRUE" } */ + __analyzer_eval (i || j); /* { dg-warning "UNKNOWN" } */ + + __analyzer_eval (~i); /* { dg-warning "UNKNOWN" } */ + __analyzer_eval (-i); /* { 
dg-warning "UNKNOWN" } */ + __analyzer_eval (+i); /* { dg-warning "UNKNOWN" } */ + + /* Anything added above should be added to the next function also. */ +} + +void test_21 (void) +{ + int i, j, zero; + int *pi = &i; + int *pj = &j; + int *pzero = &zero; + *pi = 5; + *pj = 3; + *pzero = 0; + + __analyzer_eval (i + j == 8); /* { dg-warning "TRUE" } */ + __analyzer_eval (i - j == 2); /* { dg-warning "TRUE" } */ + __analyzer_eval (i * j == 15); /* { dg-warning "TRUE" } */ + __analyzer_eval (i / j == 1); /* { dg-warning "TRUE" } */ + __analyzer_eval (i % j == 2); /* { dg-warning "TRUE" } */ + + /* Division by zero. */ + // TODO: should we warn for this? + __analyzer_eval (i / zero); /* { dg-warning "UNKNOWN" } */ + __analyzer_eval (i % zero); /* { dg-warning "UNKNOWN" } */ + + __analyzer_eval ((i & 1) == (5 & 1)); /* { dg-warning "TRUE" } */ + __analyzer_eval ((i & j) == (5 & 3)); /* { dg-warning "TRUE" } */ + __analyzer_eval ((i | 1) == (5 | 1)); /* { dg-warning "TRUE" } */ + __analyzer_eval ((i | j) == (5 | 3)); /* { dg-warning "TRUE" } */ + __analyzer_eval ((i ^ 1) == (5 ^ 1)); /* { dg-warning "TRUE" } */ + __analyzer_eval ((i ^ j) == (5 ^ 3)); /* { dg-warning "TRUE" } */ + __analyzer_eval ((i >> 1) == (5 >> 1)); /* { dg-warning "TRUE" } */ + __analyzer_eval ((i >> j) == (5 >> 3)); /* { dg-warning "TRUE" } */ + __analyzer_eval ((i << 1) == (5 << 1)); /* { dg-warning "TRUE" } */ + __analyzer_eval ((i << j) == (5 << 3)); /* { dg-warning "TRUE" } */ + __analyzer_eval (i && 0); /* { dg-warning "FALSE" } */ + __analyzer_eval (i && 1); /* { dg-warning "TRUE" } */ + __analyzer_eval (i && j); /* { dg-warning "TRUE" } */ + + __analyzer_eval (i || 0); /* { dg-warning "TRUE" } */ + __analyzer_eval (i || 1); /* { dg-warning "TRUE" } */ + __analyzer_eval (i || j); /* { dg-warning "TRUE" } */ + + __analyzer_eval (~i == ~5); /* { dg-warning "TRUE" } */ + __analyzer_eval (-i == -5); /* { dg-warning "TRUE" } */ + __analyzer_eval (+i == +5); /* { dg-warning "TRUE" } */ +}
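
Review bot: in gcc/analyzer/sm-taint.cc, the `default:` case of the unary-op switch in taint_state_machine::alt_get_inherited_state is now a bare `break;` with no comment saying that reaching it is expected. A one-line comment there naming the kind of unary op that lands in it (the new test uses `char b = -a;`) and what state the function goes on to return would keep a later reader from restoring the `gcc_unreachable ();`. The hunk does not show the code after the switch, so the comment should also make clear whether the operand's taint state is deliberately not inherited for these ops.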
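
Review bot: gcc/testsuite/gcc.dg/analyzer/pr104029.c has no header comment saying what it guards against. The file opens with `// TODO: remove need for this option` and the `dg-additional-options` line, then goes straight into a 100-line `heapsort` with no `dg-warning` or `dg-bogus` directives, so its only purpose appears to be that the taint checker gets through the function without an ICE. A short comment at the top stating that this is the reproducer for PR analyzer/104029 and that no diagnostics are expected would document that. The TODO also sits above the option line here but below it in taint-ops.c; picking one order keeps the two files consistent.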
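
Review bot: in gcc/testsuite/gcc.dg/analyzer/taint-ops.c, `test_1` covers the crash but not the taint semantics of unary ops: `a` is a plain `char` parameter with no visible taint source, and `char b = -a;` is followed by no check, so nothing asserts what state `b` ends up in once `-fanalyzer-checker=taint` is on. A follow-up case that negates a value from a tainted source and states the expected result would pin down the behaviour the sm-taint.cc change now allows. Separately, `test_20` and `test_21` are marked "Copies of code from data-model-1.c", and the in-file comment "Anything added above should be added to the next function also" only covers drift within this file; a matching note in data-model-1.c, or sharing the bodies through a common include, would keep the two copies from diverging.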