https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103546
--- Comment #7 from David Malcolm ---
As it notes, the above patch reduces the number of false positives on
flex-generated scanners, but doesn't fix them all. Keeping this bug open to
track fixing them.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107928
David Malcolm changed:
What|Removed |Added
Status|NEW |ASSIGNED
--- Comment #2 from David Malc
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107928
David Malcolm changed:
What|Removed |Added
Status|ASSIGNED|RESOLVED
Resolution|---
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107941
--- Comment #2 from David Malcolm ---
Does the SARIF output format contain the information you need?
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107948
David Malcolm changed:
What|Removed |Added
Resolution|--- |FIXED
Status|UNCONFIRMED
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107851
David Malcolm changed:
What|Removed |Added
Status|UNCONFIRMED |ASSIGNED
Ever confirmed|0
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106325
--- Comment #4 from David Malcolm ---
Created attachment 54023
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54023&action=edit
Reduced reproducer
Attached is a reduced version of the reproducer, which demonstrates the false
+ve on trunk
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106325
David Malcolm changed:
What|Removed |Added
Status|NEW |ASSIGNED
--- Comment #5 from David Malc
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106325
--- Comment #6 from David Malcolm ---
Fix for the overzealous reducing is to simply add "__attribute__((nonnull(1,
2)))" to the reproducer here:
__attribute__((nonnull(1, 2)))
void
arranger_object_unsplit (ArrangerObject *r1, ArrangerObject *r2
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106325
--- Comment #8 from David Malcolm ---
Should be fixed on trunk for GCC 13 by the above patch.
Still affects GCC 12, GCC 11, and GCC 10.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107882
David Malcolm changed:
What|Removed |Added
Status|NEW |ASSIGNED
--- Comment #3 from David Malc
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107882
David Malcolm changed:
What|Removed |Added
Status|ASSIGNED|RESOLVED
Resolution|---
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108003
David Malcolm changed:
What|Removed |Added
Last reconfirmed||2022-12-08
Status|UNCONFIRM
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108003
David Malcolm changed:
What|Removed |Added
Resolution|--- |FIXED
Status|ASSIGNED
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108028
David Malcolm changed:
What|Removed |Added
Summary|--Wanalyzer-null-dereferenc |Misleading -fanalyzer
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108028
--- Comment #2 from David Malcolm ---
(D) Also, the
(3) dereference of NULL '0'
is poorly worded; ideally we'd say:
(3) dereference of NULL 'q'
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108065
David Malcolm changed:
What|Removed |Added
Summary|[13 Regression] ICE in |[13 Regression] ICE in
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106479
David Malcolm changed:
What|Removed |Added
Resolution|--- |FIXED
Status|UNCONFIRMED
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106479
--- Comment #3 from David Malcolm ---
(In reply to David Malcolm from comment #2)
> Thanks; should be fixed by the above patch (lightly tested with
> hppa-linux-gnu and riscv32-unknown-linux-gnu).
...referring to the FAIL at line 9.
I believe
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108307
Bug ID: 108307
Summary: ICE compiling .S file with
-fdiagnostics-format=sarif-file
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Keywords: diagnostic, ice-on-
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105103
David Malcolm changed:
What|Removed |Added
Status|ASSIGNED|RESOLVED
Resolution|---
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102471
--- Comment #5 from David Malcolm ---
Another source of possible benchmarks:
https://gitlab.com/sosy-lab/benchmarking/sv-benchmarks
From SV-COMP: https://sv-comp.sosy-lab.org/
This embeds the Juliet testsuite, but also many other tests.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105190
David Malcolm changed:
What|Removed |Added
Last reconfirmed||2022-05-17
Ever confirmed|0
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105887
Bug ID: 105887
Summary: RFE: clang analyzer warnings that GCC's -fanalyzer
could implement
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Keywords: meta-bug
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105888
Bug ID: 105888
Summary: RFE: -fanalyzer should complain when an on-stack
address escapes/outlives the function
Product: gcc
Version: 12.0
Status: UNCONFIRMED
S
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105889
Bug ID: 105889
Summary: RFE: -fanalyzer should complain about uses of
inherently unsafe functions
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: norm
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105890
Bug ID: 105890
Summary: RFE: -fanalyzer should complain about mkstemp with not
enough "X"s in format string
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Seve
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105891
Bug ID: 105891
Summary: RFE: -fanalyzer could complain about pointer
arithmetic on non-arrays
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105892
Bug ID: 105892
Summary: RFE: -fanalyzer could complain about pointer
subtraction of pointers to different memory chunks
Product: gcc
Version: 12.0
Status: UNCONFIRMED
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105893
Bug ID: 105893
Summary: RFE: -fanalyzer could check putenv calls
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyze
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105894
Bug ID: 105894
Summary: RFE: -fanalyzer could complain about misuse of
functions that return pointers to a static buffer
Product: gcc
Version: 12.0
Status: UNCONFIRMED
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105895
Bug ID: 105895
Summary: RFE: -fanalyzer could check constraints on calls to C
standard library
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105896
Bug ID: 105896
Summary: RFE: -fanalyzer could complain about improper uses of
"chroot"
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105897
Bug ID: 105897
Summary: RFE: -fanalyzer could complain about misuses of
pthread API
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
P
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105898
Bug ID: 105898
Summary: RFE: -fanalyzer should complain about overlapping args
to memcpy and mempcpy
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: n
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105899
Bug ID: 105899
Summary: RFE: -fanalyzer could complain about misuses of
standard C string APIs
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105900
Bug ID: 105900
Summary: RFE: -fanalyzer could check malloc sizes when casting
the result to a pointer
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99669
David Malcolm changed:
What|Removed |Added
Blocks||105887
--- Comment #2 from David Malcolm
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105894
--- Comment #1 from David Malcolm ---
(In reply to David Malcolm from comment #0)
> The analyzer's region model might make this fairly easy to implement.
Specifically: the result of the function call would be a conjured_svalue where
the stmt of
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105909
Bug ID: 105909
Summary: RFE: SARIF output could contain metadata about
limitations of the analysis
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: nor
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105906
David Malcolm changed:
What|Removed |Added
Status|UNCONFIRMED |ASSIGNED
Last reconfirmed|
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105916
--- Comment #1 from David Malcolm ---
Thanks for filing this.
Reproducible with trunk. On trunk I also see similar behavior with the new
SARIF output format via options:
-fdiagnostics-format=sarif-stderr
-fdiagnostics-format=sarif-file
and
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105916
David Malcolm changed:
What|Removed |Added
Status|UNCONFIRMED |NEW
Ever confirmed|0
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105947
Bug ID: 105947
Summary: RFE: -fanalyzer should complain about jumps through
NULL function pointers
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: nor
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105948
Bug ID: 105948
Summary: RFE: analyzer could check c++ placement-new sizes
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99667
David Malcolm changed:
What|Removed |Added
Blocks||105887
--- Comment #1 from David Malcolm
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105949
Bug ID: 105949
Summary: RFE: analyzer could warn about calls to vfuncs within
a ctor/dtor
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105958
Bug ID: 105958
Summary: Stray events emitted by state machine tests (e.g.
"'VAR' is NULL")
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105961
--- Comment #1 from David Malcolm ---
(In reply to eggert from comment #0)
[...snip...]
> Compile the attached program (derived from bleeding-edge Emacs) with:
I'm not seeing an attachment - do you still have this file, and can you try
attach
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105961
David Malcolm changed:
What|Removed |Added
Status|UNCONFIRMED |ASSIGNED
Last reconfirmed|
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105962
Bug ID: 105962
Summary: Unhelpful diagnostics paths from analyzer in the face
of inlining
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105961
--- Comment #4 from David Malcolm ---
As well as the false positive, the diagnostic path is rather unreadable due to
inlining. I've filed a separate bug about this (PR 105962).
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105962
David Malcolm changed:
What|Removed |Added
Status|UNCONFIRMED |ASSIGNED
Ever confirmed|0
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105962
David Malcolm changed:
What|Removed |Added
Resolution|--- |FIXED
Status|ASSIGNED
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105900
--- Comment #1 from David Malcolm ---
See https://cwe.mitre.org/data/definitions/131.html e.g. example 5.
See also:
https://clang.llvm.org/docs/analyzer/checkers.html#alpha-security-mallocoverflow-c
(CWE 131's example 2 has a case of this)
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000
Bug ID: 106000
Summary: RFE: -fanalyzer should complain about definite buffer
overflows/underflows
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: nor
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106002
Bug ID: 106002
Summary: RFE: complain about incorrect checks of return values
(CWE-253)
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Keywords: diagnostic
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105900
--- Comment #2 from David Malcolm ---
See also:
https://cwe.mitre.org/data/definitions/467.html
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000
--- Comment #2 from David Malcolm ---
See also:
https://cwe.mitre.org/data/definitions/468.html
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105892
--- Comment #1 from David Malcolm ---
See also CWE 469: https://cwe.mitre.org/data/definitions/469.html
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105888
--- Comment #1 from David Malcolm ---
See also CWE-562: Return of Stack Variable Address
https://cwe.mitre.org/data/definitions/562.html
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106003
Bug ID: 106003
Summary: RFE: -fanalyzer could complain about misuse of
file-descriptors
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106003
--- Comment #1 from David Malcolm ---
See also this mailing list thread:
https://gcc.gnu.org/pipermail/gcc/2022-June/238801.html
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106006
Bug ID: 106006
Summary: RFE: analyzer should treat data from a socket as
"tainted"
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Pr
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106007
Bug ID: 106007
Summary: RFE: analyzer should complain about exec/system of
tainted args
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106021
Bug ID: 106021
Summary: RFE: more sources of taint: scanf and its cousins
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105890
--- Comment #2 from David Malcolm ---
https://pubs.opengroup.org/onlinepubs/009604499/functions/mkstemp.html says:
"The string in template should look like a filename with six trailing 'X's"
https://pubs.opengroup.org/onlinepubs/9699919799/f
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106066
David Malcolm changed:
What|Removed |Added
Status|UNCONFIRMED |NEW
Last reconfirmed|
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106066
--- Comment #3 from David Malcolm ---
Minimal reproducer for crash in comment #0 (crash in dump_mem_ref seen with
_do_poll:
struct s {
unsigned int f;
};
int use(unsigned int);
static struct s *arr;
void test(int n) {
int i;
for (i = 0;
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106066
--- Comment #4 from David Malcolm ---
(In reply to David Malcolm from comment #2)
> Thanks for filing this bug.
>
> I can reproduce both crashes with trunk.
Correction: for src/ssl_crtlist.c I'm seeing the same crash as in comment #0
(in dump_
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106140
Bug ID: 106140
Summary: RFE: analyzer could complain about misuses of socket
APIs
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Pri
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106147
Bug ID: 106147
Summary: RFE: -fanalyzer could complain about some cases of
infinite loops and infinite recursion
Product: gcc
Version: 12.0
Status: UNCONFIRMED
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106147
--- Comment #1 from David Malcolm ---
Possible implementation idea: look at state merging when building the exploded
graph: if we're merging an identical state in a loop, with no variants, then
complain.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106148
Bug ID: 106148
Summary: RFE: warn about =- typos
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Keywords: diagnostic
Severity: normal
Priority: P3
Com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106006
David Malcolm changed:
What|Removed |Added
Status|UNCONFIRMED |ASSIGNED
Last reconfirmed|
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000
David Malcolm changed:
What|Removed |Added
Summary|RFE: -fanalyzer should |RFE: -fanalyzer should
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000
--- Comment #4 from David Malcolm ---
For example, the "classic test" referred to in section 1.2 of
https://open-std.org/JTC1/SC22/WG14/www/docs/n3005.pdf
has:
#include
#include
int y=2, x=1;
int main() {
int *p = &x + 1;
int *q = &y;
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000
--- Comment #5 from David Malcolm ---
Consider also:
write (fd, "hello world", 200);
where the write call is definitely going to access beyond the string literal.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106204
Bug ID: 106204
Summary: False positive from
-Wanalyzer-use-of-uninitialized-value with
-ftrivial-auto-var-init=zero
Product: gcc
Version: 12.0
Status
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106204
David Malcolm changed:
What|Removed |Added
Status|UNCONFIRMED |NEW
Last reconfirmed|
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106204
David Malcolm changed:
What|Removed |Added
Status|NEW |ASSIGNED
--- Comment #2 from David Malc
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106204
--- Comment #4 from David Malcolm ---
Should be fixed on trunk (for gcc 13) by the above commit.
Keeping open to backport to gcc 12.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106218
Bug ID: 106218
Summary: Analyzer false positives with Linux kernel's err.h
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Componen
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106225
Bug ID: 106225
Summary: False positives from -Wanalyzer-tainted-divisor
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106225
David Malcolm changed:
What|Removed |Added
Last reconfirmed||2022-07-07
Status|UNCONFIRM
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106225
--- Comment #3 from David Malcolm ---
Fixed on trunk for gcc 13 by the above commit. Keeping this open to backport
to gcc 12.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106229
Bug ID: 106229
Summary: False positives from -Wanalyzer-tainted-array-index
with unsigned char index
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: n
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106235
Bug ID: 106235
Summary: RFE: -fanalyzer could complain about tainted data
triggering assertion failure
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106235
--- Comment #1 from David Malcolm ---
Juliet 1.3 has various testcases for this in
C/testcases/CWE617_Reachable_Assertion/
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96032
--- Comment #4 from David Malcolm ---
I posted a prototype implementation of this here:
"[PATCH 00/12] RFC: Replay of serialized diagnostics"
https://gcc.gnu.org/pipermail/gcc-patches/2022-June/597051.html
(doesn't fully work; see the many
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91733
David Malcolm changed:
What|Removed |Added
CC||dmalcolm at gcc dot gnu.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106272
--- Comment #9 from David Malcolm ---
Thanks!
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106283
Bug ID: 106283
Summary: RFE: analyzer handling of close_range and closefrom
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Compone
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106284
Bug ID: 106284
Summary: False positives from -Wanalyzer-tainted-array-index
with optimized conditionals
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106286
Bug ID: 106286
Summary: fd_diagnostic should implement
get_meaning_for_state_change vfunc
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106286
--- Comment #1 from David Malcolm ---
Compare with e.g.:
gcc/testsuite/gcc.dg/analyzer/file-meaning-1.c
which tests this for the sm-file.cc
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106298
Bug ID: 106298
Summary: RFE: analyzer handling of dup, dup2, and dup3
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: an
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106299
Bug ID: 106299
Summary: RFE: analyzer handling of fdopen
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106300
Bug ID: 106300
Summary: RFE: analyzer support for more ways of obtaining an
open file descriptor
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: norma
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106301
Bug ID: 106301
Summary: RFE: analyzer support of mmap
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer