https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105900
Bug ID: 105900
Summary: RFE: -fanalyzer could check malloc sizes when casting
the result to a pointer
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105906
David Malcolm changed:
What|Removed |Added
Status|UNCONFIRMED |ASSIGNED
Last reconfirmed|
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105961
--- Comment #1 from David Malcolm ---
(In reply to eggert from comment #0)
[...snip...]
> Compile the attached program (derived from bleeding-edge Emacs) with:
I'm not seeing an attachment - do you still have this file, and can you try
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105962
Bug ID: 105962
Summary: Unhelpful diagnostics paths from analyzer in the face
of inlining
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105961
--- Comment #4 from David Malcolm ---
As well as the false positive, the diagnostic path is rather unreadable due to
inlining. I've filed a separate bug about this (PR 105962).
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105961
David Malcolm changed:
What|Removed |Added
Status|UNCONFIRMED |ASSIGNED
Last reconfirmed|
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105962
David Malcolm changed:
What|Removed |Added
Status|UNCONFIRMED |ASSIGNED
Ever confirmed|0
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105962
David Malcolm changed:
What|Removed |Added
Resolution|--- |FIXED
Status|ASSIGNED
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105900
--- Comment #1 from David Malcolm ---
See https://cwe.mitre.org/data/definitions/131.html e.g. example 5.
See also:
https://clang.llvm.org/docs/analyzer/checkers.html#alpha-security-mallocoverflow-c
(CWE 131's example 2 has a case of this)
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000
Bug ID: 106000
Summary: RFE: -fanalyzer should complain about definite buffer
overflows/underflows
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106002
Bug ID: 106002
Summary: RFE: complain about incorrect checks of return values
(CWE-253)
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Keywords: diagnostic
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105958
Bug ID: 105958
Summary: Stray events emitted by state machine tests (e.g.
"'VAR' is NULL")
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106006
Bug ID: 106006
Summary: RFE: analyzer should treat data from a socket as
"tainted"
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106007
Bug ID: 106007
Summary: RFE: analyzer should complain about exec/system of
tainted args
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105892
--- Comment #1 from David Malcolm ---
See also CWE 469: https://cwe.mitre.org/data/definitions/469.html
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105888
--- Comment #1 from David Malcolm ---
See also CWE-562: Return of Stack Variable Address
https://cwe.mitre.org/data/definitions/562.html
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105900
--- Comment #2 from David Malcolm ---
See also:
https://cwe.mitre.org/data/definitions/467.html
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106003
Bug ID: 106003
Summary: RFE: -fanalyzer could complain about misuse of
file-descriptors
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000
--- Comment #2 from David Malcolm ---
See also:
https://cwe.mitre.org/data/definitions/468.html
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106003
--- Comment #1 from David Malcolm ---
See also this mailing list thread:
https://gcc.gnu.org/pipermail/gcc/2022-June/238801.html
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106021
Bug ID: 106021
Summary: RFE: more sources of taint: scanf and its cousins
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105916
--- Comment #1 from David Malcolm ---
Thanks for filing this.
Reproducible with trunk. On trunk I also see similar behavior with the new
SARIF output format via options:
-fdiagnostics-format=sarif-stderr
-fdiagnostics-format=sarif-file
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105916
David Malcolm changed:
What|Removed |Added
Status|UNCONFIRMED |NEW
Ever confirmed|0
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105947
Bug ID: 105947
Summary: RFE: -fanalyzer should complain about jumps through
NULL function pointers
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105949
Bug ID: 105949
Summary: RFE: analyzer could warn about calls to vfuncs within
a ctor/dtor
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99667
David Malcolm changed:
What|Removed |Added
Blocks||105887
--- Comment #1 from David
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105948
Bug ID: 105948
Summary: RFE: analyzer could check c++ placement-new sizes
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105894
--- Comment #1 from David Malcolm ---
(In reply to David Malcolm from comment #0)
> The analyzer's region model might make this fairly easy to implement.
Specifically: the result of the function call would be a conjured_svalue where
the stmt
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105909
Bug ID: 105909
Summary: RFE: SARIF output could contain metadata about
limitations of the analysis
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106321
Bug ID: 106321
Summary: False positives from -Wanalyzer-tainted-array-index
with switch with ranged cases
Product: gcc
Version: 12.0
Status: UNCONFIRMED
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106312
--- Comment #1 from David Malcolm ---
Seems to work for me (on gcc112); is there a particular machine you tried this
on?
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106319
Bug ID: 106319
Summary: False positives from -Wanalyzer-va-arg-type-mismatch
on int promotion
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106359
Bug ID: 106359
Summary: -fanalyzer takes a very long time on Linux kernel:
sound/soc/codecs/cs47l{85,90}.c
Product: gcc
Version: 12.0
Status: UNCONFIRMED
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358
Bug ID: 106358
Summary: [meta-bug] tracker bug for building the Linux kernel
with -fanalyzer
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106359
David Malcolm changed:
What|Removed |Added
Status|UNCONFIRMED |RESOLVED
Resolution|---
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358
Bug 106358 depends on bug 106359, which changed state.
Bug 106359 Summary: -fanalyzer takes a very long time on Linux kernel:
sound/soc/codecs/cs47l{85,90}.c
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106359
What|Removed
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106359
--- Comment #1 from David Malcolm ---
Dumping the store shows huge numbers of clusters of the form:
cluster for: "RXANCL Input": CONJURED(madera_free_bus_error_irq (_6, i_29);,
"RXANCL Input") (ESCAPED) (TOUCHED)
cluster for: "Route":
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106373
Bug ID: 106373
Summary: False positives from -Wanalyzer-tainted-array-index
with casts
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106373
David Malcolm changed:
What|Removed |Added
Ever confirmed|0 |1
Last reconfirmed|
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106374
David Malcolm changed:
What|Removed |Added
Status|ASSIGNED|RESOLVED
Resolution|---
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358
Bug 106358 depends on bug 106374, which changed state.
Bug 106374 Summary: [13 Regression] -fanalyzer ICE with certain const static
vars
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106374
What|Removed |Added
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106374
Bug ID: 106374
Summary: -fanalyzer ICE with certain const static vars
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106374
David Malcolm changed:
What|Removed |Added
Ever confirmed|0 |1
Last reconfirmed|
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106373
David Malcolm changed:
What|Removed |Added
Status|ASSIGNED|RESOLVED
Resolution|---
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358
Bug 106358 depends on bug 106373, which changed state.
Bug 106373 Summary: False positives from -Wanalyzer-tainted-array-index on
comparison with non-const
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106373
What|Removed
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106325
David Malcolm changed:
What|Removed |Added
Ever confirmed|0 |1
Status|UNCONFIRMED
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106441
Bug ID: 106441
Summary: Analyzer has some issues with nested functions
extension to C
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106441
--- Comment #1 from David Malcolm ---
Above example on Compiler Explorer:
https://godbolt.org/z/Pv1GoonE6
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106301
Bug ID: 106301
Summary: RFE: analyzer support of mmap
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106302
Bug ID: 106302
Summary: RFE: provide a way for -fanalyzer to use target flags
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106301
--- Comment #1 from David Malcolm ---
Potentially we could also track the allocated region, and complain if it is
leaked. I think this would require handling of mmap/munmap in sm-malloc.cc (so
that we can detect leaks), and support in the
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106286
--- Comment #1 from David Malcolm ---
Compare with e.g.:
gcc/testsuite/gcc.dg/analyzer/file-meaning-1.c
which tests this for the sm-file.cc
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106300
Bug ID: 106300
Summary: RFE: analyzer support for more ways of obtaining an
open file descriptor
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106299
Bug ID: 106299
Summary: RFE: analyzer handling of fdopen
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106298
Bug ID: 106298
Summary: RFE: analyzer handling of dup, dup2, and dup3
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106272
--- Comment #9 from David Malcolm ---
Thanks!
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106284
Bug ID: 106284
Summary: False positives from -Wanalyzer-tainted-array-index
with optimized conditionals
Product: gcc
Version: 12.0
Status: UNCONFIRMED
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106283
Bug ID: 106283
Summary: RFE: analyzer handling of close_range and closefrom
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106286
Bug ID: 106286
Summary: fd_diagnostic should implement
get_meaning_for_state_change vfunc
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106284
David Malcolm changed:
What|Removed |Added
Ever confirmed|0 |1
Status|UNCONFIRMED
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358
Bug 106358 depends on bug 106319, which changed state.
Bug 106319 Summary: False positives from -Wanalyzer-va-arg-type-mismatch on int
promotion
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106319
What|Removed
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106319
David Malcolm changed:
What|Removed |Added
Resolution|--- |FIXED
Status|UNCONFIRMED
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105893
David Malcolm changed:
What|Removed |Added
Last reconfirmed||2022-07-28
Ever confirmed|0
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106007
--- Comment #1 from David Malcolm ---
Similarly, putenv should check for tainted string args.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105893
David Malcolm changed:
What|Removed |Added
Resolution|--- |FIXED
Status|ASSIGNED
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105887
Bug 105887 depends on bug 105893, which changed state.
Bug 105893 Summary: RFE: -fanalyzer could check putenv calls
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105893
What|Removed |Added
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106007
--- Comment #2 from David Malcolm ---
Currently the taint analysis only has handling for numeric arguments being
bounds-checked.
How can string arguments transition to a "sanitized" state? Or are string
arguments always tainted once they've
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106147
David Malcolm changed:
What|Removed |Added
Ever confirmed|0 |1
Last reconfirmed|
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358
Bug 106358 depends on bug 106383, which changed state.
Bug 106383 Summary: False positives from -Wanalyzer-va-list-exhausted
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106383
What|Removed |Added
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106383
David Malcolm changed:
What|Removed |Added
Status|ASSIGNED|RESOLVED
Resolution|---
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106394
David Malcolm changed:
What|Removed |Added
Assignee|dmalcolm at gcc dot gnu.org|tlange at gcc dot
gnu.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106383
Bug ID: 106383
Summary: False positives from -Wanalyzer-va-list-exhausted
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106383
David Malcolm changed:
What|Removed |Added
Last reconfirmed||2022-07-21
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106394
Bug ID: 106394
Summary: Possible false positive from
-Wanalyzer-allocation-size with empty array
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Severity:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106003
--- Comment #6 from David Malcolm ---
I don't think we were tracking the RFE for this in bugzilla, so just a note
that Immad had now committed his patch for the three new attributes for
functions that make use of file descriptors:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106413
Bug ID: 106413
Summary: State explosion on va_arg when va_start is in
top-level function of analysis
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Severity:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106454
David Malcolm changed:
What|Removed |Added
Status|UNCONFIRMED |NEW
Ever confirmed|0
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106454
--- Comment #2 from David Malcolm ---
...i.e. it's getting confused about liveness. It's considering that the call
to c could have overwritten the old value of d with a new value (or d->args),
and thus that this hypothetical new value of
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106298
David Malcolm changed:
What|Removed |Added
Last reconfirmed||2022-07-27
Assignee|dmalcolm
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106204
David Malcolm changed:
What|Removed |Added
Resolution|--- |FIXED
Status|ASSIGNED
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358
Bug 106358 depends on bug 106204, which changed state.
Bug 106204 Summary: False positive from -Wanalyzer-use-of-uninitialized-value
with -ftrivial-auto-var-init=zero
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106204
What
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358
Bug 106358 depends on bug 106225, which changed state.
Bug 106225 Summary: False positives from -Wanalyzer-tainted-divisor
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106225
What|Removed |Added
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106225
David Malcolm changed:
What|Removed |Added
Resolution|--- |FIXED
Status|ASSIGNED
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99860
--- Comment #2 from David Malcolm ---
Quoting Paul Eggert here:
https://lists.gnu.org/archive/html/bug-gnulib/2022-07/msg00066.html
> I looked into this a bit more, and it turns out that GCC was wrong
> about
> what happens when some
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105285
David Malcolm changed:
What|Removed |Added
Status|ASSIGNED|RESOLVED
Resolution|---
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106284
David Malcolm changed:
What|Removed |Added
Status|ASSIGNED|RESOLVED
Resolution|---
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106413
David Malcolm changed:
What|Removed |Added
Status|UNCONFIRMED |ASSIGNED
Ever confirmed|0
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106321
David Malcolm changed:
What|Removed |Added
Resolution|--- |FIXED
Status|UNCONFIRMED
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106401
David Malcolm changed:
What|Removed |Added
Status|NEW |RESOLVED
Resolution|---
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106413
David Malcolm changed:
What|Removed |Added
Status|ASSIGNED|RESOLVED
Resolution|---
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104308
--- Comment #9 from David Malcolm ---
(In reply to Kamil Dudka from comment #8)
> As spotted by Vincent Mihalkovic, the fix seems to be incomplete. If we run
> gcc-12.0.1-0.14.fc37.x86_64 on the following test-case, some diagnostic
> messages
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104073
David Malcolm changed:
What|Removed |Added
Status|ASSIGNED|RESOLVED
Resolution|---
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104293
David Malcolm changed:
What|Removed |Added
Resolution|--- |FIXED
Status|ASSIGNED
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104071
David Malcolm changed:
What|Removed |Added
Status|UNCONFIRMED |RESOLVED
Resolution|---
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95325
David Malcolm changed:
What|Removed |Added
Resolution|--- |FIXED
Status|WAITING
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104072
David Malcolm changed:
What|Removed |Added
Status|UNCONFIRMED |RESOLVED
Resolution|---
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105285
--- Comment #11 from David Malcolm ---
Should be fixed on trunk for GCC 13 by the above commit.
I hope to backport this to GCC 12; keeping this open until that's done.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105287
David Malcolm changed:
What|Removed |Added
Status|ASSIGNED|RESOLVED
Resolution|---
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105366
David Malcolm changed:
What|Removed |Added
Status|ASSIGNED|RESOLVED
Resolution|---
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105285
--- Comment #6 from David Malcolm ---
For (a):
If I'm reading this right:
reader_init_block_reader has:
struct reftable_block block = {((void *)0)};
reader_init_block_reader checks for (next_off >= r->size) and bails out,
otherwise, block