https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109579
Bug ID: 109579
Summary: -Wanalyzer-out-of-bounds false positive in Emacs mapping stack
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: eggert at gnu dot org
Target Milestone: ---

Created attachment 54895 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54895&action=edit
compressed test program illustrating false positive

This is gcc (GCC) 13.0.1 20230401 (Red Hat 13.0.1-0) on x86-64, and I ran into this problem when compiling Emacs. Take the attached file ccl1.i.gz and then run:

gzip -d ccl1.i.gz
gcc -S -fanalyzer -O2 ccl1.i

The incorrect diagnostics are as follows. These diagnostics are wrong since the two uses of "mapping_stack_pointer--" in lines 33010 and 33011 are protected due to those lines being in the else-part of "if (mapping_stack_pointer <= (mapping_stack + 1))", which means mapping_stack_pointer cannot possibly underrun the buffer simply by subtracting one from it twice.

I can work around this by compiling with -Wno-analyzer-out-of-bounds but this seems a bit drastic.

Here are the incorrect diagnostics. These diagnostics are a regression since GCC 12.

-----
ccl1.i: In function ‘ccl_driver’:
ccl1.i:33010:107: warning: buffer under-read [CWE-127] [-Wanalyzer-out-of-bounds] 33010 | do { mapping_stack_pointer--; (map_set_rest_length) = mapping_stack_pointer->rest_length; (orig_op) = mapping_stack_pointer->orig_val; } while (0); | ~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ‘Fccl_execute_on_string’: events 1-4 | |33434 | __attribute__((section (".subrs"))) static union Aligned_Lisp_Subr Sccl_execute_on_string = {{{ PVEC_SUBR << PSEUDOVECTOR_AREA_BITS }, { .a5 = Fccl_execute_on_string }, 3, 5, "ccl-execute-on-string", {0}, 0}}; Lisp_Object Fccl_execute_on_string | | ^~~~~~~~~~~~~~~~~~~~~~ | | | | | (1) entry to ‘Fccl_execute_on_string’ |...... |33446 | if (! setup_ccl_program (&ccl, ccl_prog)) | | ~ | | | | | (2) following ‘true’ branch... 
|33447 | error ("Invalid CCL program"); |33448 | CHECK_VECTOR (status); | | ~~~~~~~~~~~~~~~~~~~~~ | | | | | (3) ...to here | | (4) calling ‘CHECK_VECTOR’ from ‘Fccl_execute_on_string’ | +--> ‘CHECK_VECTOR’: events 5-6 | | 5942 | CHECK_VECTOR (Lisp_Object x) | | ^~~~~~~~~~~~ | | | | | (5) entry to ‘CHECK_VECTOR’ | 5943 | { | 5944 | CHECK_TYPE (VECTORP (x), builtin_lisp_symbol (1495), x); | | ~~~~~~~~~~~ | | | | | (6) calling ‘VECTORP’ from ‘CHECK_VECTOR’ | +--> ‘VECTORP’: events 7-8 | | 5933 | VECTORP (Lisp_Object x) | | ^~~~~~~ | | | | | (7) entry to ‘VECTORP’ | 5934 | { | 5935 | return VECTORLIKEP (x) && ! (ASIZE (x) & ( | | ~ | | | | | (8) inlined call to ‘ASIZE’ from ‘VECTORP’ | +--> ‘ASIZE’: event 9 | | 5916 | ((0 <= size) ? (void) 0 : __builtin_unreachable ()); | | ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (9) following ‘false’ branch (when ‘size >= 0’)... | <------+ | ‘VECTORP’: event 10 | | 5935 | return VECTORLIKEP (x) && ! (ASIZE (x) & ( | | ~~~~~~~~~~~^~~ | | | | | (10) ...to here | 5936 | (9223372036854775807L) | | ~~~~~~~~~~~~~~~~~~~~~~ | 5937 | - | | ~ | 5938 | (9223372036854775807L) | | ~~~~~~~~~~~~~~~~~~~~~~ | 5939 | / 2)); | | ~~~~~ | <------+ | ‘CHECK_VECTOR’: events 11-12 | | 5944 | CHECK_TYPE (VECTORP (x), builtin_lisp_symbol (1495), x); | | ~ ^~~~~~~~~~~ | | | | | | | (11) returning to ‘CHECK_VECTOR’ from ‘VECTORP’ | | (12) inlined call to ‘CHECK_TYPE’ from ‘CHECK_VECTOR’ | +--> ‘CHECK_TYPE’: event 13 | | 1408 | ((ok) ? (void) 0 : wrong_type_argument (predicate, x)); | | ~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (13) following ‘true’ branch... 
| <------+ | ‘CHECK_VECTOR’: event 14 | | 5945 | } | | ^ | | | | | (14) ...to here | <------+ | ‘Fccl_execute_on_string’: events 15-16 | |33448 | CHECK_VECTOR (status); | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (15) returning to ‘Fccl_execute_on_string’ from ‘CHECK_VECTOR’ |33449 | if (ASIZE (status) != 9) | | ~ | | | | | (16) inlined call to ‘ASIZE’ from ‘Fccl_execute_on_string’ | +--> ‘ASIZE’: event 17 | | 5916 | ((0 <= size) ? (void) 0 : __builtin_unreachable ()); | | ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (17) following ‘false’ branch (when ‘size >= 0’)... | <------+ | ‘Fccl_execute_on_string’: events 18-21 | |33449 | if (ASIZE (status) != 9) | | ^ | | | | | (18) ...to here | | (19) following ‘false’ branch (when ‘size == 9’)... |33450 | error ("Length of vector STATUS is not 9"); |33451 | CHECK_STRING (str); | | ~~~~~~~~~~~~~~~~~~ | | | | | (20) ...to here | | (21) calling ‘CHECK_STRING’ from ‘Fccl_execute_on_string’ | +--> ‘CHECK_STRING’: events 22-23 | | 5799 | CHECK_STRING (Lisp_Object x) | | ^~~~~~~~~~~~ | | | | | (22) entry to ‘CHECK_STRING’ | 5800 | { | 5801 | CHECK_TYPE (STRINGP (x), builtin_lisp_symbol (1325), x); | | ~ | | | | | (23) inlined call to ‘CHECK_TYPE’ from ‘CHECK_STRING’ | +--> ‘CHECK_TYPE’: event 24 | | 1408 | ((ok) ? (void) 0 : wrong_type_argument (predicate, x)); | | ~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (24) following ‘false’ branch... | <------+ | ‘CHECK_STRING’: event 25 | | 5802 | } | | ^ | | | | | (25) ...to here | <------+ | ‘Fccl_execute_on_string’: events 26-27 | |33451 | CHECK_STRING (str); | | ^~~~~~~~~~~~~~~~~~ | | | | | (26) returning to ‘Fccl_execute_on_string’ from ‘CHECK_STRING’ |33452 | str_chars = SCHARS (str); | | ~ | | | | | (27) inlined call to ‘SCHARS’ from ‘Fccl_execute_on_string’ | +--> ‘SCHARS’: event 28 | | 5852 | ((0 <= nchars) ? 
(void) 0 : __builtin_unreachable ()); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (28) following ‘false’ branch (when ‘nchars >= 0’)... | <------+ | ‘Fccl_execute_on_string’: event 29 | |33453 | str_bytes = SBYTES (str); | | ^ | | | | | (29) inlined call to ‘SBYTES’ from ‘Fccl_execute_on_string’ | +--> ‘SBYTES’: event 30 | | 5865 | return STRING_BYTES (XSTRING (string)); | | ^ | | | | | (30) inlined call to ‘STRING_BYTES’ from ‘SBYTES’ | +--> ‘STRING_BYTES’: event 31 | | 5858 | ptrdiff_t nbytes = s->u.s.size_byte < 0 ? s->u.s.size : s->u.s.size_byte; | | ~~~~~~^~~~~~~~~~ | | | | | (31) ...to here | <-------------+ | ‘Fccl_execute_on_string’: events 32-38 | |33454 | for (i = 0; i < 8; i++) | | ~~^~~ | | | | | (32) following ‘true’ branch (when ‘i != 8’)... |33455 | { |33456 | if (NILP (AREF (status, i))) | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (33) ...to here |...... |33475 | if (__builtin_mul_overflow (buf_magnification, outbufsize, &outbufsize) | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (34) following ‘false’ branch... |33476 | || __builtin_add_overflow (256, outbufsize, &outbufsize)) | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (35) ...to here | | (36) following ‘false’ branch... |...... |33480 | outp = outbuf = xmalloc (outbufsize); | | ~~~~~~~~~~~~~~~~~~~~ | | | | | (37) ...to here |...... |33489 | if (endp - p == str_chars - consumed_chars) | | ~ | | | | | (38) following ‘true’ branch... | ‘Fccl_execute_on_string’: event 39 | |cc1: | (39): ...to here | ‘Fccl_execute_on_string’: events 40-44 | |33490 | while (j < 1024 && p < endp) | | ~~~~~~~~~^~~~~~~~~~~ | | | | | (40) following ‘false’ branch... |...... |33495 | consumed_chars += j; | | ~~ | | | | | (41) ...to here |...... |33503 | int max_expansion = NILP (unibyte_p) ? MAX_MULTIBYTE_LENGTH : 1; | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (42) following ‘true’ branch (when ‘unibyte_p’ is NULL)... 
|33504 | ptrdiff_t offset, shortfall; |33505 | ccl_driver (&ccl, src, destination, src_size, 1024, | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (43) ...to here | | (44) calling ‘ccl_driver’ from ‘Fccl_execute_on_string’ |33506 | builtin_lisp_symbol (0)); | | ~~~~~~~~~~~~~~~~~~~~~~~~ | +--> ‘ccl_driver’: events 45-56 | |32373 | ccl_driver (struct ccl_program *ccl, int *source, int *destination, int src_size, int dst_size, Lisp_Object charset_list) | | ^~~~~~~~~~ | | | | | (45) entry to ‘ccl_driver’ |...... |32388 | if (ccl->buf_magnification == 0) | | ~ | | | | | (46) following ‘false’ branch... |...... |32392 | mapping_stack_pointer = mapping_stack; | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (47) ...to here |...... |32404 | do { EMACS_INT prog_word = XFIXNUM ((ccl_prog)[ic++]); if (! ((((-1 - ((1 << (28 - 1)) - 1))) <= (prog_word)) & ((prog_word) <= (((1 << (28 - 1)) - 1))))) do { ccl->status = 3; goto ccl_error_handler; } while (0); (code) = prog_word; } while (0); | | ~ ~~~~~~~~~~~~~~~~~~ | | | | | | (48) following ‘false’ branch... (49) ...to here |...... |32975 | if (stack_idx_of_map_multiple <= stack_idx) | | ~ | | | | | (50) following ‘false’ branch... |...... |32984 | stack_idx_of_map_multiple = 0; | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (51) ...to here |...... |32988 | if ((map_set_rest_length > reg[(field1 & 7)]) && (reg[(field1 & 7)] >= 0)) | | ~ | | | | | (52) following ‘true’ branch... |32989 | { |32990 | ic += reg[(field1 & 7)]; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (53) ...to here |...... |33001 | if (mapping_stack_pointer <= (mapping_stack + 1)) | | ~ | | | | | (54) following ‘false’ branch... |...... 
|33010 | do { mapping_stack_pointer--; (map_set_rest_length) = mapping_stack_pointer->rest_length; (orig_op) = mapping_stack_pointer->orig_val; } while (0); | | ~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | (55) ...to here (56) out-of-bounds read from byte -4 till byte -1 but ‘mapping_stack’ starts at byte 0 | ccl1.i:33010:107: note: valid subscripts for ‘mapping_stack’ are ‘[0]’ to ‘[29]’ 33010 | do { mapping_stack_pointer--; (map_set_rest_length) = mapping_stack_pointer->rest_length; (orig_op) = mapping_stack_pointer->orig_val; } while (0); | ~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ccl1.i:33011:59: warning: buffer under-read [CWE-127] [-Wanalyzer-out-of-bounds] 33011 | do { mapping_stack_pointer--; (map_set_rest_length) = mapping_stack_pointer->rest_length; (reg[field2]) = mapping_stack_pointer->orig_val; } while (0); | ~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ‘Fccl_execute_on_string’: events 1-4 | |33434 | __attribute__((section (".subrs"))) static union Aligned_Lisp_Subr Sccl_execute_on_string = {{{ PVEC_SUBR << PSEUDOVECTOR_AREA_BITS }, { .a5 = Fccl_execute_on_string }, 3, 5, "ccl-execute-on-string", {0}, 0}}; Lisp_Object Fccl_execute_on_string | | ^~~~~~~~~~~~~~~~~~~~~~ | | | | | (1) entry to ‘Fccl_execute_on_string’ |...... |33446 | if (! setup_ccl_program (&ccl, ccl_prog)) | | ~ | | | | | (2) following ‘true’ branch... 
|33447 | error ("Invalid CCL program"); |33448 | CHECK_VECTOR (status); | | ~~~~~~~~~~~~~~~~~~~~~ | | | | | (3) ...to here | | (4) calling ‘CHECK_VECTOR’ from ‘Fccl_execute_on_string’ | +--> ‘CHECK_VECTOR’: events 5-6 | | 5942 | CHECK_VECTOR (Lisp_Object x) | | ^~~~~~~~~~~~ | | | | | (5) entry to ‘CHECK_VECTOR’ | 5943 | { | 5944 | CHECK_TYPE (VECTORP (x), builtin_lisp_symbol (1495), x); | | ~~~~~~~~~~~ | | | | | (6) calling ‘VECTORP’ from ‘CHECK_VECTOR’ | +--> ‘VECTORP’: events 7-8 | | 5933 | VECTORP (Lisp_Object x) | | ^~~~~~~ | | | | | (7) entry to ‘VECTORP’ | 5934 | { | 5935 | return VECTORLIKEP (x) && ! (ASIZE (x) & ( | | ~ | | | | | (8) inlined call to ‘ASIZE’ from ‘VECTORP’ | +--> ‘ASIZE’: event 9 | | 5916 | ((0 <= size) ? (void) 0 : __builtin_unreachable ()); | | ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (9) following ‘false’ branch (when ‘size >= 0’)... | <------+ | ‘VECTORP’: event 10 | | 5935 | return VECTORLIKEP (x) && ! (ASIZE (x) & ( | | ~~~~~~~~~~~^~~ | | | | | (10) ...to here | 5936 | (9223372036854775807L) | | ~~~~~~~~~~~~~~~~~~~~~~ | 5937 | - | | ~ | 5938 | (9223372036854775807L) | | ~~~~~~~~~~~~~~~~~~~~~~ | 5939 | / 2)); | | ~~~~~ | <------+ | ‘CHECK_VECTOR’: events 11-12 | | 5944 | CHECK_TYPE (VECTORP (x), builtin_lisp_symbol (1495), x); | | ~ ^~~~~~~~~~~ | | | | | | | (11) returning to ‘CHECK_VECTOR’ from ‘VECTORP’ | | (12) inlined call to ‘CHECK_TYPE’ from ‘CHECK_VECTOR’ | +--> ‘CHECK_TYPE’: event 13 | | 1408 | ((ok) ? (void) 0 : wrong_type_argument (predicate, x)); | | ~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (13) following ‘true’ branch... 
| <------+ | ‘CHECK_VECTOR’: event 14 | | 5945 | } | | ^ | | | | | (14) ...to here | <------+ | ‘Fccl_execute_on_string’: events 15-16 | |33448 | CHECK_VECTOR (status); | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (15) returning to ‘Fccl_execute_on_string’ from ‘CHECK_VECTOR’ |33449 | if (ASIZE (status) != 9) | | ~ | | | | | (16) inlined call to ‘ASIZE’ from ‘Fccl_execute_on_string’ | +--> ‘ASIZE’: event 17 | | 5916 | ((0 <= size) ? (void) 0 : __builtin_unreachable ()); | | ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (17) following ‘false’ branch (when ‘size >= 0’)... | <------+ | ‘Fccl_execute_on_string’: events 18-21 | |33449 | if (ASIZE (status) != 9) | | ^ | | | | | (18) ...to here | | (19) following ‘false’ branch (when ‘size == 9’)... |33450 | error ("Length of vector STATUS is not 9"); |33451 | CHECK_STRING (str); | | ~~~~~~~~~~~~~~~~~~ | | | | | (20) ...to here | | (21) calling ‘CHECK_STRING’ from ‘Fccl_execute_on_string’ | +--> ‘CHECK_STRING’: events 22-23 | | 5799 | CHECK_STRING (Lisp_Object x) | | ^~~~~~~~~~~~ | | | | | (22) entry to ‘CHECK_STRING’ | 5800 | { | 5801 | CHECK_TYPE (STRINGP (x), builtin_lisp_symbol (1325), x); | | ~ | | | | | (23) inlined call to ‘CHECK_TYPE’ from ‘CHECK_STRING’ | +--> ‘CHECK_TYPE’: event 24 | | 1408 | ((ok) ? (void) 0 : wrong_type_argument (predicate, x)); | | ~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (24) following ‘false’ branch... | <------+ | ‘CHECK_STRING’: event 25 | | 5802 | } | | ^ | | | | | (25) ...to here | <------+ | ‘Fccl_execute_on_string’: events 26-27 | |33451 | CHECK_STRING (str); | | ^~~~~~~~~~~~~~~~~~ | | | | | (26) returning to ‘Fccl_execute_on_string’ from ‘CHECK_STRING’ |33452 | str_chars = SCHARS (str); | | ~ | | | | | (27) inlined call to ‘SCHARS’ from ‘Fccl_execute_on_string’ | +--> ‘SCHARS’: event 28 | | 5852 | ((0 <= nchars) ? 
(void) 0 : __builtin_unreachable ()); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (28) following ‘false’ branch (when ‘nchars >= 0’)... | <------+ | ‘Fccl_execute_on_string’: event 29 | |33453 | str_bytes = SBYTES (str); | | ^ | | | | | (29) inlined call to ‘SBYTES’ from ‘Fccl_execute_on_string’ | +--> ‘SBYTES’: event 30 | | 5865 | return STRING_BYTES (XSTRING (string)); | | ^ | | | | | (30) inlined call to ‘STRING_BYTES’ from ‘SBYTES’ | +--> ‘STRING_BYTES’: event 31 | | 5858 | ptrdiff_t nbytes = s->u.s.size_byte < 0 ? s->u.s.size : s->u.s.size_byte; | | ~~~~~~^~~~~~~~~~ | | | | | (31) ...to here | <-------------+ | ‘Fccl_execute_on_string’: events 32-38 | |33454 | for (i = 0; i < 8; i++) | | ~~^~~ | | | | | (32) following ‘true’ branch (when ‘i != 8’)... |33455 | { |33456 | if (NILP (AREF (status, i))) | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (33) ...to here |...... |33475 | if (__builtin_mul_overflow (buf_magnification, outbufsize, &outbufsize) | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (34) following ‘false’ branch... |33476 | || __builtin_add_overflow (256, outbufsize, &outbufsize)) | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (35) ...to here | | (36) following ‘false’ branch... |...... |33480 | outp = outbuf = xmalloc (outbufsize); | | ~~~~~~~~~~~~~~~~~~~~ | | | | | (37) ...to here |...... |33489 | if (endp - p == str_chars - consumed_chars) | | ~ | | | | | (38) following ‘true’ branch... | ‘Fccl_execute_on_string’: event 39 | |cc1: | (39): ...to here | ‘Fccl_execute_on_string’: events 40-44 | |33490 | while (j < 1024 && p < endp) | | ~~~~~~~~~^~~~~~~~~~~ | | | | | (40) following ‘false’ branch... |...... |33495 | consumed_chars += j; | | ~~ | | | | | (41) ...to here |...... |33503 | int max_expansion = NILP (unibyte_p) ? MAX_MULTIBYTE_LENGTH : 1; | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (42) following ‘true’ branch (when ‘unibyte_p’ is NULL)... 
|33504 | ptrdiff_t offset, shortfall; |33505 | ccl_driver (&ccl, src, destination, src_size, 1024, | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (43) ...to here | | (44) calling ‘ccl_driver’ from ‘Fccl_execute_on_string’ |33506 | builtin_lisp_symbol (0)); | | ~~~~~~~~~~~~~~~~~~~~~~~~ | +--> ‘ccl_driver’: events 45-56 | |32373 | ccl_driver (struct ccl_program *ccl, int *source, int *destination, int src_size, int dst_size, Lisp_Object charset_list) | | ^~~~~~~~~~ | | | | | (45) entry to ‘ccl_driver’ |...... |32388 | if (ccl->buf_magnification == 0) | | ~ | | | | | (46) following ‘false’ branch... |...... |32392 | mapping_stack_pointer = mapping_stack; | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (47) ...to here |...... |32404 | do { EMACS_INT prog_word = XFIXNUM ((ccl_prog)[ic++]); if (! ((((-1 - ((1 << (28 - 1)) - 1))) <= (prog_word)) & ((prog_word) <= (((1 << (28 - 1)) - 1))))) do { ccl->status = 3; goto ccl_error_handler; } while (0); (code) = prog_word; } while (0); | | ~ ~~~~~~~~~~~~~~~~~~ | | | | | | (48) following ‘false’ branch... (49) ...to here |...... |32975 | if (stack_idx_of_map_multiple <= stack_idx) | | ~ | | | | | (50) following ‘false’ branch... |...... |32984 | stack_idx_of_map_multiple = 0; | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (51) ...to here |...... |32988 | if ((map_set_rest_length > reg[(field1 & 7)]) && (reg[(field1 & 7)] >= 0)) | | ~ | | | | | (52) following ‘true’ branch... |32989 | { |32990 | ic += reg[(field1 & 7)]; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (53) ...to here |...... |33001 | if (mapping_stack_pointer <= (mapping_stack + 1)) | | ~ | | | | | (54) following ‘false’ branch... |...... 
|33010 | do { mapping_stack_pointer--; (map_set_rest_length) = mapping_stack_pointer->rest_length; (orig_op) = mapping_stack_pointer->orig_val; } while (0); | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (55) ...to here |33011 | do { mapping_stack_pointer--; (map_set_rest_length) = mapping_stack_pointer->rest_length; (reg[field2]) = mapping_stack_pointer->orig_val; } while (0); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (56) out-of-bounds read from byte -16 till byte -13 but ‘mapping_stack’ starts at byte 0 | ccl1.i:33011:59: note: valid subscripts for ‘mapping_stack’ are ‘[0]’ to ‘[29]’ 33011 | do { mapping_stack_pointer--; (map_set_rest_length) = mapping_stack_pointer->rest_length; (reg[field2]) = mapping_stack_pointer->orig_val; } while (0); | ~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ccl1.i:33011:134: warning: buffer under-read [CWE-127] [-Wanalyzer-out-of-bounds] 33011 | do { mapping_stack_pointer--; (map_set_rest_length) = mapping_stack_pointer->rest_length; (reg[field2]) = mapping_stack_pointer->orig_val; } while (0); | ~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~ ‘Fccl_execute_on_string’: events 1-4 | |33434 | __attribute__((section (".subrs"))) static union Aligned_Lisp_Subr Sccl_execute_on_string = {{{ PVEC_SUBR << PSEUDOVECTOR_AREA_BITS }, { .a5 = Fccl_execute_on_string }, 3, 5, "ccl-execute-on-string", {0}, 0}}; Lisp_Object Fccl_execute_on_string | | ^~~~~~~~~~~~~~~~~~~~~~ | | | | | (1) entry to ‘Fccl_execute_on_string’ |...... |33446 | if (! setup_ccl_program (&ccl, ccl_prog)) | | ~ | | | | | (2) following ‘true’ branch... 
|33447 | error ("Invalid CCL program"); |33448 | CHECK_VECTOR (status); | | ~~~~~~~~~~~~~~~~~~~~~ | | | | | (3) ...to here | | (4) calling ‘CHECK_VECTOR’ from ‘Fccl_execute_on_string’ | +--> ‘CHECK_VECTOR’: events 5-6 | | 5942 | CHECK_VECTOR (Lisp_Object x) | | ^~~~~~~~~~~~ | | | | | (5) entry to ‘CHECK_VECTOR’ | 5943 | { | 5944 | CHECK_TYPE (VECTORP (x), builtin_lisp_symbol (1495), x); | | ~~~~~~~~~~~ | | | | | (6) calling ‘VECTORP’ from ‘CHECK_VECTOR’ | +--> ‘VECTORP’: events 7-8 | | 5933 | VECTORP (Lisp_Object x) | | ^~~~~~~ | | | | | (7) entry to ‘VECTORP’ | 5934 | { | 5935 | return VECTORLIKEP (x) && ! (ASIZE (x) & ( | | ~ | | | | | (8) inlined call to ‘ASIZE’ from ‘VECTORP’ | +--> ‘ASIZE’: event 9 | | 5916 | ((0 <= size) ? (void) 0 : __builtin_unreachable ()); | | ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (9) following ‘false’ branch (when ‘size >= 0’)... | <------+ | ‘VECTORP’: event 10 | | 5935 | return VECTORLIKEP (x) && ! (ASIZE (x) & ( | | ~~~~~~~~~~~^~~ | | | | | (10) ...to here | 5936 | (9223372036854775807L) | | ~~~~~~~~~~~~~~~~~~~~~~ | 5937 | - | | ~ | 5938 | (9223372036854775807L) | | ~~~~~~~~~~~~~~~~~~~~~~ | 5939 | / 2)); | | ~~~~~ | <------+ | ‘CHECK_VECTOR’: events 11-12 | | 5944 | CHECK_TYPE (VECTORP (x), builtin_lisp_symbol (1495), x); | | ~ ^~~~~~~~~~~ | | | | | | | (11) returning to ‘CHECK_VECTOR’ from ‘VECTORP’ | | (12) inlined call to ‘CHECK_TYPE’ from ‘CHECK_VECTOR’ | +--> ‘CHECK_TYPE’: event 13 | | 1408 | ((ok) ? (void) 0 : wrong_type_argument (predicate, x)); | | ~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (13) following ‘true’ branch... 
| <------+ | ‘CHECK_VECTOR’: event 14 | | 5945 | } | | ^ | | | | | (14) ...to here | <------+ | ‘Fccl_execute_on_string’: events 15-16 | |33448 | CHECK_VECTOR (status); | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (15) returning to ‘Fccl_execute_on_string’ from ‘CHECK_VECTOR’ |33449 | if (ASIZE (status) != 9) | | ~ | | | | | (16) inlined call to ‘ASIZE’ from ‘Fccl_execute_on_string’ | +--> ‘ASIZE’: event 17 | | 5916 | ((0 <= size) ? (void) 0 : __builtin_unreachable ()); | | ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (17) following ‘false’ branch (when ‘size >= 0’)... | <------+ | ‘Fccl_execute_on_string’: events 18-21 | |33449 | if (ASIZE (status) != 9) | | ^ | | | | | (18) ...to here | | (19) following ‘false’ branch (when ‘size == 9’)... |33450 | error ("Length of vector STATUS is not 9"); |33451 | CHECK_STRING (str); | | ~~~~~~~~~~~~~~~~~~ | | | | | (20) ...to here | | (21) calling ‘CHECK_STRING’ from ‘Fccl_execute_on_string’ | +--> ‘CHECK_STRING’: events 22-23 | | 5799 | CHECK_STRING (Lisp_Object x) | | ^~~~~~~~~~~~ | | | | | (22) entry to ‘CHECK_STRING’ | 5800 | { | 5801 | CHECK_TYPE (STRINGP (x), builtin_lisp_symbol (1325), x); | | ~ | | | | | (23) inlined call to ‘CHECK_TYPE’ from ‘CHECK_STRING’ | +--> ‘CHECK_TYPE’: event 24 | | 1408 | ((ok) ? (void) 0 : wrong_type_argument (predicate, x)); | | ~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (24) following ‘false’ branch... | <------+ | ‘CHECK_STRING’: event 25 | | 5802 | } | | ^ | | | | | (25) ...to here | <------+ | ‘Fccl_execute_on_string’: events 26-27 | |33451 | CHECK_STRING (str); | | ^~~~~~~~~~~~~~~~~~ | | | | | (26) returning to ‘Fccl_execute_on_string’ from ‘CHECK_STRING’ |33452 | str_chars = SCHARS (str); | | ~ | | | | | (27) inlined call to ‘SCHARS’ from ‘Fccl_execute_on_string’ | +--> ‘SCHARS’: event 28 | | 5852 | ((0 <= nchars) ? 
(void) 0 : __builtin_unreachable ()); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (28) following ‘false’ branch (when ‘nchars >= 0’)... | <------+ | ‘Fccl_execute_on_string’: event 29 | |33453 | str_bytes = SBYTES (str); | | ^ | | | | | (29) inlined call to ‘SBYTES’ from ‘Fccl_execute_on_string’ | +--> ‘SBYTES’: event 30 | | 5865 | return STRING_BYTES (XSTRING (string)); | | ^ | | | | | (30) inlined call to ‘STRING_BYTES’ from ‘SBYTES’ | +--> ‘STRING_BYTES’: event 31 | | 5858 | ptrdiff_t nbytes = s->u.s.size_byte < 0 ? s->u.s.size : s->u.s.size_byte; | | ~~~~~~^~~~~~~~~~ | | | | | (31) ...to here | <-------------+ | ‘Fccl_execute_on_string’: events 32-38 | |33454 | for (i = 0; i < 8; i++) | | ~~^~~ | | | | | (32) following ‘true’ branch (when ‘i != 8’)... |33455 | { |33456 | if (NILP (AREF (status, i))) | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (33) ...to here |...... |33475 | if (__builtin_mul_overflow (buf_magnification, outbufsize, &outbufsize) | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (34) following ‘false’ branch... |33476 | || __builtin_add_overflow (256, outbufsize, &outbufsize)) | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (35) ...to here | | (36) following ‘false’ branch... |...... |33480 | outp = outbuf = xmalloc (outbufsize); | | ~~~~~~~~~~~~~~~~~~~~ | | | | | (37) ...to here |...... |33489 | if (endp - p == str_chars - consumed_chars) | | ~ | | | | | (38) following ‘true’ branch... | ‘Fccl_execute_on_string’: event 39 | |cc1: | (39): ...to here | ‘Fccl_execute_on_string’: events 40-44 | |33490 | while (j < 1024 && p < endp) | | ~~~~~~~~~^~~~~~~~~~~ | | | | | (40) following ‘false’ branch... |...... |33495 | consumed_chars += j; | | ~~ | | | | | (41) ...to here |...... |33503 | int max_expansion = NILP (unibyte_p) ? MAX_MULTIBYTE_LENGTH : 1; | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (42) following ‘true’ branch (when ‘unibyte_p’ is NULL)... 
|33504 | ptrdiff_t offset, shortfall; |33505 | ccl_driver (&ccl, src, destination, src_size, 1024, | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (43) ...to here | | (44) calling ‘ccl_driver’ from ‘Fccl_execute_on_string’ |33506 | builtin_lisp_symbol (0)); | | ~~~~~~~~~~~~~~~~~~~~~~~~ | +--> ‘ccl_driver’: events 45-56 | |32373 | ccl_driver (struct ccl_program *ccl, int *source, int *destination, int src_size, int dst_size, Lisp_Object charset_list) | | ^~~~~~~~~~ | | | | | (45) entry to ‘ccl_driver’ |...... |32388 | if (ccl->buf_magnification == 0) | | ~ | | | | | (46) following ‘false’ branch... |...... |32392 | mapping_stack_pointer = mapping_stack; | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (47) ...to here |...... |32404 | do { EMACS_INT prog_word = XFIXNUM ((ccl_prog)[ic++]); if (! ((((-1 - ((1 << (28 - 1)) - 1))) <= (prog_word)) & ((prog_word) <= (((1 << (28 - 1)) - 1))))) do { ccl->status = 3; goto ccl_error_handler; } while (0); (code) = prog_word; } while (0); | | ~ ~~~~~~~~~~~~~~~~~~ | | | | | | (48) following ‘false’ branch... (49) ...to here |...... |32975 | if (stack_idx_of_map_multiple <= stack_idx) | | ~ | | | | | (50) following ‘false’ branch... |...... |32984 | stack_idx_of_map_multiple = 0; | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (51) ...to here |...... |32988 | if ((map_set_rest_length > reg[(field1 & 7)]) && (reg[(field1 & 7)] >= 0)) | | ~ | | | | | (52) following ‘true’ branch... |32989 | { |32990 | ic += reg[(field1 & 7)]; | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (53) ...to here |...... |33001 | if (mapping_stack_pointer <= (mapping_stack + 1)) | | ~ | | | | | (54) following ‘false’ branch... |...... 
|33010 | do { mapping_stack_pointer--; (map_set_rest_length) = mapping_stack_pointer->rest_length; (orig_op) = mapping_stack_pointer->orig_val; } while (0); | | ~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (55) ...to here |33011 | do { mapping_stack_pointer--; (map_set_rest_length) = mapping_stack_pointer->rest_length; (reg[field2]) = mapping_stack_pointer->orig_val; } while (0); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (56) out-of-bounds read from byte -12 till byte -9 but ‘mapping_stack’ starts at byte 0 | ccl1.i:33011:134: note: valid subscripts for ‘mapping_stack’ are ‘[0]’ to ‘[29]’ 33011 | do { mapping_stack_pointer--; (map_set_rest_length) = mapping_stack_pointer->rest_length; (reg[field2]) = mapping_stack_pointer->orig_val; } while (0); | ~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~
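A reduced model of the guarded double pop that the report describes, added here as an illustration; it is not Emacs code and not the attached ccl1.i. Names mirror the diagnostic (mapping_stack, mapping_stack_pointer, rest_length, orig_val, depth 30 from the "valid subscripts" note), while push_mapping, run_scenario and the pushed values are assumptions. Compiling it with gcc -fanalyzer -O2 is a way to check whether a given GCC build still reports an under-read for this shape.

```c
/* Reduced model of the ccl.c mapping-stack pop pattern from the bug report.
   Constructed for illustration; not Emacs code, not the attached ccl1.i. */
#include <stddef.h>
#include <stdio.h>

#define MAPPING_STACK_DEPTH 30   /* matches "valid subscripts [0] to [29]" */

struct mapping_entry {
  int rest_length;
  int orig_val;
};

static struct mapping_entry mapping_stack[MAPPING_STACK_DEPTH];
static struct mapping_entry *mapping_stack_pointer = mapping_stack;

/* Values restored by the most recent pop_two_guarded (assumed helper state). */
static int last_rest = -1, last_orig = -1, last_reg = -1;

/* Push one frame; refuses instead of writing past the array (assumed helper). */
static int push_mapping(int rest_length, int orig_val)
{
  if (mapping_stack_pointer >= mapping_stack + MAPPING_STACK_DEPTH)
    return 0;
  mapping_stack_pointer->rest_length = rest_length;
  mapping_stack_pointer->orig_val = orig_val;
  mapping_stack_pointer++;
  return 1;
}

/* The shape the analyzer flags: two consecutive pops in the else-arm of
   "if (mapping_stack_pointer <= mapping_stack + 1)".  Returns 0 or 2. */
static int pop_two_guarded(void)
{
  if (mapping_stack_pointer <= mapping_stack + 1)
    return 0;                          /* fewer than two frames: no pop */

  /* Here mapping_stack_pointer >= mapping_stack + 2, so both decrements
     land at index >= 0, which is the reporter's argument. */
  mapping_stack_pointer--;
  last_rest = mapping_stack_pointer->rest_length;
  last_orig = mapping_stack_pointer->orig_val;

  mapping_stack_pointer--;
  last_rest = mapping_stack_pointer->rest_length;
  last_reg = mapping_stack_pointer->orig_val;
  return 2;
}

/* Current depth as an index into mapping_stack; never negative while the
   guard above is honoured. */
static ptrdiff_t mapping_depth(void)
{
  return mapping_stack_pointer - mapping_stack;
}

/* Reset, push `frames` frames (frame i carries i+1 and 100*(i+1)), then try
   the guarded double pop.  Returns the number of entries popped. */
static int run_scenario(int frames)
{
  mapping_stack_pointer = mapping_stack;
  for (int i = 0; i < frames; i++)
    push_mapping(i + 1, 100 * (i + 1));   /* pushes past 30 are refused */
  return pop_two_guarded();
}

int main(void)
{
  /* Depth 1: the guard refuses the double pop and the depth stays 1. */
  printf("depth 1: popped %d, depth now %td\n",
         run_scenario(1), mapping_depth());
  /* Depth 2: both pops succeed and the depth returns to 0, not -1. */
  printf("depth 2: popped %d, depth now %td, rest=%d orig=%d reg=%d\n",
         run_scenario(2), mapping_depth(), last_rest, last_orig, last_reg);
  return 0;
}
```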