From: David Malcolm
To: gcc-patches@gcc.gnu.org
Subject: [committed] analyzer: fix ICE when combining taint states has_ub and has_lb
Date: Fri, 14 Jan 2022 17:54:07 -0500
Message-Id: <20220114225407.1765321-1-dmalcolm@redhat.com>

Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
Pushed to trunk as cc3b67e40140ec79f86e79a96d7fdd169b84faaf.

gcc/analyzer/ChangeLog:
	* sm-taint.cc (taint_state_machine::combine_states): Handle
	combination of has_ub and has_lb.

gcc/testsuite/ChangeLog:
	* gcc.dg/analyzer/taint-merger.c: New test.
---
 gcc/analyzer/sm-taint.cc | 14 +++--
 gcc/testsuite/gcc.dg/analyzer/taint-merger.c | 57 ++++++++++++++++++++
 2 files changed, 66 insertions(+), 5 deletions(-)
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/taint-merger.c

diff --git a/gcc/analyzer/sm-taint.cc b/gcc/analyzer/sm-taint.cc index 3a46256b020..357456593ff 100644 --- a/gcc/analyzer/sm-taint.cc +++ b/gcc/analyzer/sm-taint.cc 
@@ -860,15 +860,19 @@ taint_state_machine::combine_states (state_t s0, state_t s1) const return s0; if (s0 == m_tainted || s1 == m_tainted) return m_tainted; - if (s0 == m_stop) - return s1; - if (s1 == m_stop) - return s0; if (s0 == m_start) return s1; if (s1 == m_start) return s0; - gcc_unreachable (); + if (s0 == m_stop) + return s1; + if (s1 == m_stop) + return s0; + /* The only remaining combinations are one of has_ub and has_lb + (in either order). */ + gcc_assert ((s0 == m_has_lb && s1 == m_has_ub) + || (s0 == m_has_ub && s1 == m_has_lb)); + return m_tainted; } /* Check for calls to external functions marked with diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-merger.c b/gcc/testsuite/gcc.dg/analyzer/taint-merger.c new file mode 100644 index 00000000000..e4e48f3db03 --- /dev/null +++ b/gcc/testsuite/gcc.dg/analyzer/taint-merger.c 
@@ -0,0 +1,57 @@ +/* { dg-additional-options "-fanalyzer-checker=taint" } */ +// TODO: remove need for this option + +#include "analyzer-decls.h" + +int v_start; + +__attribute__((tainted_args)) +void test (int v_tainted, int v_has_lb, int v_has_ub, int v_stop) +{ + /* Get each var into the 5 different taintedness states. */ + if (v_has_lb < 10) + return; + if (v_has_ub > 100) + return; + if (v_stop < 0 || v_stop > 100) + return; + + /* Verify that we have the taintedness states we expect. */ + + __analyzer_dump_state ("taint", v_start); /* { dg-warning "state: 'start'" } */ + __analyzer_dump_state ("taint", v_tainted); /* { dg-warning "state: 'tainted'" } */ + __analyzer_dump_state ("taint", v_has_lb); /* { dg-warning "state: 'has_lb'" } */ + __analyzer_dump_state ("taint", v_has_ub); /* { dg-warning "state: 'has_ub'" } */ + __analyzer_dump_state ("taint", v_stop); /* { dg-warning "state: 'stop'" } */ + + /* Check all combinations of taintedness state. */ + __analyzer_dump_state ("taint", v_start + v_start); /* { dg-warning "state: 'start'" } */ + __analyzer_dump_state ("taint", v_start + v_tainted); /* { dg-warning "state: 'tainted'" } */ + __analyzer_dump_state ("taint", v_start + v_has_lb); /* { dg-warning "state: 'has_lb'" } */ + __analyzer_dump_state ("taint", v_start + v_has_ub); /* { dg-warning "state: 'has_ub'" } */ + __analyzer_dump_state ("taint", v_start + v_stop); /* { dg-warning "state: 'stop'" } */ + + __analyzer_dump_state ("taint", v_tainted + v_start); /* { dg-warning "state: 'tainted'" } */ + __analyzer_dump_state ("taint", v_tainted + v_tainted); /* { dg-warning "state: 'tainted'" } */ + __analyzer_dump_state ("taint", v_tainted + v_has_lb); /* { dg-warning "state: 'tainted'" } */ + __analyzer_dump_state ("taint", v_tainted + v_has_ub); /* { dg-warning "state: 'tainted'" } */ + __analyzer_dump_state ("taint", v_tainted + v_stop); /* { dg-warning "state: 'tainted'" } */ + + __analyzer_dump_state ("taint", v_has_lb + v_start); /* { dg-warning 
"state: 'has_lb'" } */ + __analyzer_dump_state ("taint", v_has_lb + v_tainted); /* { dg-warning "state: 'tainted'" } */ + __analyzer_dump_state ("taint", v_has_lb + v_has_lb); /* { dg-warning "state: 'has_lb'" } */ + __analyzer_dump_state ("taint", v_has_lb + v_has_ub); /* { dg-warning "state: 'tainted'" } */ + __analyzer_dump_state ("taint", v_has_lb + v_stop); /* { dg-warning "state: 'has_lb'" } */ + + __analyzer_dump_state ("taint", v_has_ub + v_start); /* { dg-warning "state: 'has_ub'" } */ + __analyzer_dump_state ("taint", v_has_ub + v_tainted); /* { dg-warning "state: 'tainted'" } */ + __analyzer_dump_state ("taint", v_has_ub + v_has_lb); /* { dg-warning "state: 'tainted'" } */ + __analyzer_dump_state ("taint", v_has_ub + v_has_ub); /* { dg-warning "state: 'has_ub'" } */ + __analyzer_dump_state ("taint", v_has_ub + v_stop); /* { dg-warning "state: 'has_ub'" } */ + + __analyzer_dump_state ("taint", v_stop + v_start); /* { dg-warning "state: 'stop'" } */ + __analyzer_dump_state ("taint", v_stop + v_tainted); /* { dg-warning "state: 'tainted'" } */ + __analyzer_dump_state ("taint", v_stop + v_has_lb); /* { dg-warning "state: 'has_lb'" } */ + __analyzer_dump_state ("taint", v_stop + v_has_ub); /* { dg-warning "state: 'has_ub'" } */ + __analyzer_dump_state ("taint", v_stop + v_stop); /* { dg-warning "state: 'stop'" } */ +}