https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105899

--- Comment #2 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalc...@gcc.gnu.org>:

https://gcc.gnu.org/g:fe97f09a0caeff2a22cc41b26bf08692bff8686d

commit r14-3374-gfe97f09a0caeff2a22cc41b26bf08692bff8686d
Author: David Malcolm <dmalc...@redhat.com>
Date:   Mon Aug 21 21:13:19 2023 -0400

    analyzer: replace -Wanalyzer-unterminated-string with scan_for_null_terminator [PR105899]

    In r14-3169-g325f9e88802daa I added check_for_null_terminated_string_arg
    to -fanalyzer, calling it in various places, with a sole check for
    unterminated string constants, adding -Wanalyzer-unterminated-string for
    this case.

    This patch adds region_model::scan_for_null_terminator, which simulates
    scanning memory for a zero byte, complaining about uninitialized bytes
    and out-of-range accesses seen before any zero byte is seen.

    This more flexible approach catches the issues we saw before with
    -Wanalyzer-unterminated-string, and also catches uninitialized runs
    of bytes, and I believe will be a better way to build checking of C
    string operations in the analyzer.

    Given that the patch makes -Wanalyzer-unterminated-string redundant
    and that this option was only in trunk for 10 days and has no known
    users, the patch simply removes the option without a compatibility
    fallback.

    The patch uses custom events and notes to provide context on where
    the issues are coming from.  For example, given:

    null-terminated-strings-1.c: In function ‘test_partially_initialized’:
    null-terminated-strings-1.c:71:3: warning: use of uninitialized value ‘buf[1]’ [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
       71 |   __analyzer_get_strlen (buf);
          |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~
      ‘test_partially_initialized’: events 1-3
        |
        |   69 |   char buf[16];
        |      |        ^~~
        |      |        |
        |      |        (1) region created on stack here
        |   70 |   buf[0] = 'a';
        |   71 |   __analyzer_get_strlen (buf);
        |      |   ~~~~~~~~~~~~~~~~~~~~~~~~~~~
        |      |   |
        |      |   (2) while looking for null terminator for argument 1 (‘&buf’) of ‘__analyzer_get_strlen’...
        |      |   (3) use of uninitialized value ‘buf[1]’ here
        |
    analyzer-decls.h:59:22: note: argument 1 of ‘__analyzer_get_strlen’ must be a pointer to a null-terminated string
       59 | extern __SIZE_TYPE__ __analyzer_get_strlen (const char *ptr);
          |                      ^~~~~~~~~~~~~~~~~~~~~

    gcc/analyzer/ChangeLog:
            PR analyzer/105899
            * analyzer.opt (Wanalyzer-unterminated-string): Delete.
            * call-details.cc
            (call_details::check_for_null_terminated_string_arg): Convert
            return type from void to const svalue *.  Add param "out_sval".
            * call-details.h
            (call_details::check_for_null_terminated_string_arg): Likewise.
            * kf-analyzer.cc (kf_analyzer_get_strlen::impl_call_pre): Wire up
            to result of check_for_null_terminated_string_arg.
            * region-model.cc (get_strlen): Delete.
            (class unterminated_string_arg): Delete.
            (struct fragment): New.
            (class iterable_cluster): New.
            (region_model::get_store_bytes): New.
            (get_tree_for_byte_offset): New.
            (region_model::scan_for_null_terminator): New.
            (region_model::check_for_null_terminated_string_arg): Convert
            return type from void to const svalue *.  Add param "out_sval".
            Reimplement in terms of scan_for_null_terminator, dropping the
            special-case for -Wanalyzer-unterminated-string.
            * region-model.h (region_model::get_store_bytes): New decl.
            (region_model::scan_for_null_terminator): New decl.
            (region_model::check_for_null_terminated_string_arg): Convert
            return type from void to const svalue *.  Add param "out_sval".
            * store.cc (concrete_binding::get_byte_range): New.
            * store.h (concrete_binding::get_byte_range): New decl.
            (store_manager::get_concrete_binding): New overload.

    gcc/ChangeLog:
            PR analyzer/105899
            * doc/invoke.texi: Remove -Wanalyzer-unterminated-string.

    gcc/testsuite/ChangeLog:
            PR analyzer/105899
            * gcc.dg/analyzer/error-1.c: Update expected results to reflect
            reimplementation of unterminated string detection.  Add test
            coverage for uninitialized buffers.
            * gcc.dg/analyzer/null-terminated-strings-1.c: Likewise.
            * gcc.dg/analyzer/putenv-1.c: Likewise.
            * gcc.dg/analyzer/strchr-1.c: Likewise.
            * gcc.dg/analyzer/strcpy-1.c: Likewise.
            * gcc.dg/analyzer/strdup-1.c: Likewise.

    Signed-off-by: David Malcolm <dmalc...@redhat.com>

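The diagnostic above comes from the analyzer simulating a byte-by-byte scan for a zero terminator and stopping at the first byte that is uninitialized or outside the buffer. The following added example (not part of the GCC commit or its testsuite) reproduces that scan at run time as a bounded length function, so the two outcomes the analyzer models can be observed concretely: the partially initialized pattern from the diagnostic, where no terminator exists inside the 16-byte buffer, and the fixed version that zero-initializes the array. Because reading genuinely uninitialized stack bytes is undefined behaviour, the buggy case fills the buffer with a constructed non-zero pattern as a deterministic stand-in; the function names and the `(size_t)-1` "not found" sentinel are this example's own choices.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Scan at most 'cap' bytes for a NUL terminator, mirroring what the
 * analyzer's scan models statically.  Returns the string length if a
 * terminator is found within the buffer, or (size_t)-1 if the scan would
 * have to continue past 'cap' bytes (the out-of-range read that a plain
 * strlen() would perform).  Sentinel value is this example's choice. */
size_t bounded_strlen(const char *buf, size_t cap)
{
    for (size_t i = 0; i < cap; i++)
        if (buf[i] == '\0')
            return i;
    return (size_t)-1;
}

/* The pattern from the diagnostic: only buf[0] is written before the
 * buffer is treated as a C string.  Real uninitialized bytes are replaced
 * by a constructed 'x' fill so the result is deterministic; the point is
 * that nothing after buf[0] is guaranteed to be zero. */
size_t length_of_partially_initialized(void)
{
    char buf[16];
    memset(buf, 'x', sizeof buf);         /* constructed stand-in for garbage */
    buf[0] = 'a';
    return bounded_strlen(buf, sizeof buf); /* no terminator: (size_t)-1 */
}

/* Fixed version: zero-initialize the array so every byte after 'a' is a
 * valid terminator, which is what the analyzer expects to find. */
size_t length_of_initialized(void)
{
    char buf[16] = {0};
    buf[0] = 'a';
    return bounded_strlen(buf, sizeof buf); /* terminator at index 1 */
}

int main(void)
{
    size_t bad = length_of_partially_initialized();
    size_t good = length_of_initialized();
    printf("partially initialized: %s\n",
           bad == (size_t)-1 ? "no terminator within buffer" : "terminated");
    printf("zero-initialized: length %zu\n", good);
    return 0;
}
```

Compiling the uninitialized variant (without the `memset` stand-in) with `gcc -fanalyzer` is what produces the `-Wanalyzer-use-of-uninitialized-value` report shown in the commit message; the bounded scan here makes the same missing-terminator condition visible at run time without reading past the array.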