public inbox for gcc-bugs@sourceware.org
* [Bug analyzer/103533] New: Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint
From: dmalcolm at gcc dot gnu.org @ 2021-12-02 18:49 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103533

            Bug ID: 103533
           Summary: Enable "taint" state machine with -fanalyzer without
                    requiring -fanalyzer-checker=taint
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: dmalcolm at gcc dot gnu.org
  Target Milestone: ---

sm.cc: make_checkers currently has:

  /* The "taint" checker must be explicitly enabled (as it currently
     leads to state explosions that stop the other checkers working).  */
  if (flag_analyzer_checker)
    out.safe_push (make_taint_state_machine (logger));

and all of the various testcases for the "taint" state machine have:

  // TODO: remove need for this option:
  /* { dg-additional-options "-fanalyzer-checker=taint" } */

and with notes in the docs of the form:

  This warning requires both @option{-fanalyzer} and
  @option{-fanalyzer-checker=taint} to enable it;


I'm opening this bug to track removing the need for this, so that the taint
checker can be enabled directly by -fanalyzer.

Currently removing this leads to:

* ICE in alt_get_inherited_state in abs-1.c, data-model-1.c, data-model-19.c,
pr101570.c, pr99771-1.c, zlib-2.c, zlib-3.c, torture/pr93450.c; all of which
seem to be for a UNARY_OP that isn't a NOP_EXPR; replacing that
gcc_unreachable with break, so that it returns NULL, fixes all of these.

* state explosion and failure in pr93032-mztools.c, with:
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c: In function
‘unzRepair’:
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:252:16: warning:
terminating analysis for this program point: callstring: [] after SN: 52EN:
270-271, EN: 526-527, EN: 782-783, EN: 1038-1039 [-Wanalyzer-too-complex]
  252 |         entries++;
      |         ~~~~~~~^~
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:252:16: warning:
terminating analysis for this program point: callstring: [] after SN: 52EN:
270-271, EN: 526-527, EN: 782-783, EN: 1038-1039 [-Wanalyzer-too-complex]
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:299:31: warning:
terminating analysis for this program point: callstring: [] before (SN: 68
stmt: 0):  _325 = fread (&buffer, 1, 8192, fpOutCD_522);EN: 1302-1308, EN: 1329
[-Wanalyzer-too-complex]
  299 |         while ( (nRead = (int)fread(buffer, 1, sizeof(buffer),
fpOutCD)) > 0) {
      |                               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:299:31: warning:
terminating analysis for this program point: callstring: [] before (SN: 68
stmt: 0):  _325 = fread (&buffer, 1, 8192, fpOutCD_522);EN: 1302-1308, EN: 1329
[-Wanalyzer-too-complex]
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:299:31: warning:
terminating analysis for this program point: callstring: [] before (SN: 68
stmt: 0):  _325 = fread (&buffer, 1, 8192, fpOutCD_522);EN: 1302-1308, EN: 1329
[-Wanalyzer-too-complex]
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:299:31: warning:
terminating analysis for this program point: callstring: [] before (SN: 68
stmt: 0):  _325 = fread (&buffer, 1, 8192, fpOutCD_522);EN: 1302-1308, EN: 1329
[-Wanalyzer-too-complex]
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:299:31: warning:
terminating analysis for this program point: callstring: [] before (SN: 68
stmt: 0):  _325 = fread (&buffer, 1, 8192, fpOutCD_522);EN: 1302-1308, EN: 1329
[-Wanalyzer-too-complex]
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:299:31: warning:
terminating analysis for this program point: callstring: [] before (SN: 68
stmt: 0):  _325 = fread (&buffer, 1, 8192, fpOutCD_522);EN: 1302-1308, EN: 1329
[-Wanalyzer-too-complex]
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:299:31: warning:
terminating analysis for this program point: callstring: [] before (SN: 68
stmt: 0):  _325 = fread (&buffer, 1, 8192, fpOutCD_522);EN: 1302-1308, EN: 1329
[-Wanalyzer-too-complex]
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c: At top level:
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:319:21: warning:
analysis bailed out early (401 'after-snode' enodes; 1506 enodes)
[-Wanalyzer-too-complex]
  319 |         *nRecovered = entries;
      |         ~~~~~~~~~~~~^~~~~~~~~

Interestingly, PR analyzer/103521 reports this as now failing on powerpc64
(without turning on taint detection), although the explosion is in a different
place.


* [Bug analyzer/103533] Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint
From: cvs-commit at gcc dot gnu.org @ 2021-12-06 23:37 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103533

--- Comment #1 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:c9543403c19fdc3c3b5a8db8546340de085bd14e

commit r12-5815-gc9543403c19fdc3c3b5a8db8546340de085bd14e
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Mon Dec 6 14:04:35 2021 -0500

    analyzer: fix equivalence class state purging [PR103533]

    Whilst debugging state explosions seen when enabling taint detection
    with -fanalyzer (PR analyzer/103533), I noticed that constraint
    manager instances could contain stray, redundant constants, such
    as this instance:

    constraint_manager:
      equiv classes:
        ec0: {(int)0 == [m_constant]‘0’}
        ec1: {(size_t)4 == [m_constant]‘4’}
      constraints:

    where there are two equivalence classes, each just containing a
    constant, with no constraints using them.

    This patch makes constraint_manager::canonicalize more aggressive
    about purging state, handling the case of purging a redundant
    EC containing just a constant.

    gcc/analyzer/ChangeLog:
            PR analyzer/103533
            * constraint-manager.cc (equiv_class::contains_non_constant_p):
            New.
            (constraint_manager::canonicalize): Call it when determining
            redundant ECs.
            (selftest::test_purging): New selftest.
            (selftest::run_constraint_manager_tests): Likewise.
            * constraint-manager.h (equiv_class::contains_non_constant_p):
            New decl.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>


* [Bug analyzer/103533] Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint
From: dmalcolm at gcc dot gnu.org @ 2022-01-07 15:17 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103533

--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Note that as well as the scaling issues, there currently aren't that many
sources of taint (currently just a hardcoded one for the result of fread); a lot
more would be added by
  [PATCH 0/6] RFC: adding support to GCC for detecting trust boundaries
    https://gcc.gnu.org/pipermail/gcc-patches/2021-November/584372.html
but that patch kit isn't in yet.


* [Bug analyzer/103533] Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint
From: cvs-commit at gcc dot gnu.org @ 2022-01-12 15:00 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103533

--- Comment #3 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:2c16dfe6268eeeb4b7924ff423e274fa00894a4d

commit r12-6526-g2c16dfe6268eeeb4b7924ff423e274fa00894a4d
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Tue Jan 11 15:57:39 2022 -0500

    analyzer: complain about tainted sizes with "access" attribute [PR103940]

    GCC 10 gained the "access" function and type attribute, which
    optionally can take a size-index param:
      https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html

    -fanalyzer in trunk (for GCC 12) has gained a -Wanalyzer-tainted-size to
    complain about attacker-controlled size values, but this was only being
    used deep inside the region-model code when handling the hardcoded known
    behavior of certain functions (memset, IIRC).

    This patch extends -Wanalyzer-tainted-size to also complain about
    unsanitized attacker-controlled values being passed to function
    parameters marked as a size via the "access" attribute.

    Note that -fanalyzer-checker=taint is currently required in
    addition to -fanalyzer to use this warning, due to scaling issues
    (see bug 103533).

    gcc/analyzer/ChangeLog:
            PR analyzer/103940
            * engine.cc (impl_sm_context::impl_sm_context): Add
            "unknown_side_effects" param and use it to initialize
            new m_unknown_side_effects field.
            (impl_sm_context::unknown_side_effects_p): New.
            (impl_sm_context::m_unknown_side_effects): New.
            (exploded_node::on_stmt): Pass unknown_side_effects to sm_ctxt
            ctor.
            * sm-taint.cc: Include "stringpool.h" and "attribs.h".
            (tainted_size::tainted_size): Drop "dir" param.
            (tainted_size::get_kind): Drop "FINAL".
            (tainted_size::emit): Likewise.
            (tainted_size::m_dir): Drop unused field.
            (class tainted_access_attrib_size): New subclass.
            (taint_state_machine::on_stmt): Call check_for_tainted_size_arg on
            external functions with unknown side effects.
            (taint_state_machine::check_for_tainted_size_arg): New.
            (region_model::check_region_for_taint): Drop "dir" param from
            tainted_size ctor.
            * sm.h (sm_context::unknown_side_effects_p): New.

    gcc/testsuite/ChangeLog:
            PR analyzer/103940
            * gcc.dg/analyzer/taint-size-access-attr-1.c: New test.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

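The commit above describes the sink/source pairing that -Wanalyzer-tainted-size reasons about: a parameter marked as a size via the "access" attribute, fed by a value the analyzer treats as attacker-controlled (fread being the hardcoded taint source at the time). The following is an added example and is not part of the commit, of GCC's test suite, or of the taint-size-access-attr-1.c test it adds. It shows the unsanitized pattern beside the hardened one, so a reader can compile it with `-fanalyzer` (GCC 12 or later) and see which call is reported. The function names fill_record, load_record_unchecked, load_record_checked and run_with_len are hypothetical, and the input stream is constructed in a temporary file; the attribute syntax `access(write_only, 1, 2)` is GCC's documented form.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stddef.h>

#define RECORD_BUF_SIZE 64

/* Sink: the "access" attribute tells GCC (10+) that parameter 2 is the
   size, in bytes, of the buffer passed as parameter 1.  Under -fanalyzer
   (GCC 12+), an unsanitized attacker-controlled value reaching "len" is
   reported by -Wanalyzer-tainted-size. */
__attribute__((access(write_only, 1, 2)))
static void fill_record(unsigned char *dst, size_t len)
{
    memset(dst, 0xAA, len);
}

/* Vulnerable pattern (hypothetical): the length is read with fread,
   which the analyzer treats as a taint source, and flows into the sized
   parameter without a bounds check, so an oversized length overruns "buf".
   Only safe to call when the stream is known to hold an in-range length. */
static int load_record_unchecked(FILE *fp, unsigned char *buf)
{
    uint32_t len;
    if (fread(&len, sizeof len, 1, fp) != 1)
        return -1;
    fill_record(buf, len);
    return 0;
}

/* Hardened pattern (hypothetical): compare the untrusted length against
   the real buffer size before it reaches the sink.  That comparison is the
   sanitization the taint state machine looks for, so the warning no
   longer fires on this path. */
static int load_record_checked(FILE *fp, unsigned char *buf, size_t buf_size)
{
    uint32_t len;
    if (fread(&len, sizeof len, 1, fp) != 1)
        return -1;
    if (len > buf_size)
        return -2;          /* reject the oversized input */
    fill_record(buf, len);
    return 0;
}

/* Harness (hypothetical): write a constructed length prefix (host byte
   order) into a temporary file and run one of the loaders on it.
   Returns the loader's status: 0 ok, -1 short read, -2 rejected,
   -99/-98 harness failure.  Pass checked=0 only with len <= RECORD_BUF_SIZE. */
static int run_with_len(uint32_t len, int checked)
{
    unsigned char buf[RECORD_BUF_SIZE];
    FILE *fp = tmpfile();
    if (!fp)
        return -99;
    int rc = -98;
    if (fwrite(&len, sizeof len, 1, fp) == 1) {
        rewind(fp);
        rc = checked ? load_record_checked(fp, buf, sizeof buf)
                     : load_record_unchecked(fp, buf);
    }
    fclose(fp);
    return rc;
}

int main(void)
{
    printf("checked,   len=16   -> %d\n", run_with_len(16, 1));    /* 0  */
    printf("checked,   len=4096 -> %d\n", run_with_len(4096, 1));  /* -2 */
    printf("unchecked, len=16   -> %d\n", run_with_len(16, 0));    /* 0  */
    return 0;
}
```

Compiling this file with `gcc -fanalyzer -c` on a GCC 12 or later that has this commit should report the fill_record call in load_record_unchecked and stay silent on the call in load_record_checked; the runtime harness only exercises the in-range and rejected cases, since the unchecked loader with a large length is a real overrun.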

* [Bug analyzer/103533] Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint
From: cvs-commit at gcc dot gnu.org @ 2022-03-18 23:22 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103533

--- Comment #4 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:faacafd2306ad7ece721a79dedbb6e44e0d65bdb

commit r12-7718-gfaacafd2306ad7ece721a79dedbb6e44e0d65bdb
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Tue Dec 7 19:22:47 2021 -0500

    analyzer: extend state-purging to locals [PR104943]

    The existing analyzer code attempts to purge the state of SSA names
    where it can in order to minimize the size of program_state instances,
    and to increase the chances of being able to reuse exploded_node
    instances whilst exploring the user's code.

    PR analyzer/104943 identifies that we fail to purge state of local
    variables, based on behavior seen in PR analyzer/104954 when attempting
    to profile slow performance of -fanalyzer on a particular file in the
    Linux kernel, where that testcase has many temporary "boxed" values of
    structs containing ints, which are never cleaned up, leading to bloat
    of the program_state instances (specifically, of the store objects).

    This patch generalizes the state purging from just being on SSA names
    to also work on local variables.  Doing so requires that we detect where
    addresses to a local variable (or within them) are taken; we assume that
    once a pointer has been taken, it's no longer safe to purge the value
    of that decl at any successor point within the function.

    Doing so speeds up the PR analyzer/104954 Linux kernel analyzer testcase
    from taking 254 seconds to "just" 186 seconds (and I have a followup
    patch in development that seems to further reduce this to 37 seconds).

    The patch may also help with scaling up taint-detection so that it can
    eventually be turned on by default, but we're not quite there (this
    is PR analyzer/103533).

    gcc/analyzer/ChangeLog:
            PR analyzer/104943
            PR analyzer/104954
            PR analyzer/103533
            * analyzer.h (class state_purge_per_decl): New forward decl.
            * engine.cc (impl_run_checkers): Pass region_model_manager to
            state_purge_map ctor.
            * program-point.cc (function_point::final_stmt_p): New.
            (function_point::get_next): New.
            * program-point.h (function_point::final_stmt_p): New decl.
            (function_point::get_next): New decl.
            * program-state.cc (program_state::prune_for_point): Generalize to
            purge local decls as well as SSA names.
            (program_state::can_purge_base_region_p): New.
            * program-state.h (program_state::can_purge_base_region_p): New
            decl.
            * region-model.cc (struct append_ssa_names_cb_data): Rename to...
            (struct append_regions_cb_data): ...this.
            (region_model::get_ssa_name_regions_for_current_frame): Rename
            to...
            (region_model::get_regions_for_current_frame): ...this, updating
            for other renamings.
            (region_model::append_ssa_names_cb): Rename to...
            (region_model::append_regions_cb): ...this, and drop the
            requirement that the subregion be a SSA name.
            * region-model.h (struct append_ssa_names_cb_data): Rename decl
            to...
            (struct append_regions_cb_data): ...this.
            (region_model::get_ssa_name_regions_for_current_frame): Rename
            decl to...
            (region_model::get_regions_for_current_frame): ...this.
            (region_model::append_ssa_names_cb): Rename decl to...
            (region_model::append_regions_cb): ...this.
            * state-purge.cc: Include "tristate.h", "selftest.h",
            "analyzer/store.h", "analyzer/region-model.h", and
            "gimple-walk.h".
            (get_candidate_for_purging): New.
            (class gimple_op_visitor): New.
            (my_load_cb): New.
            (my_store_cb): New.
            (my_addr_cb): New.
            (state_purge_map::state_purge_map): Add "mgr" param.  Update for
            renamings.  Find uses of local variables.
            (state_purge_map::~state_purge_map): Update for renaming of m_map
            to m_ssa_map.  Clean up m_decl_map.
            (state_purge_map::get_or_create_data_for_decl): New.
            (state_purge_per_ssa_name::state_purge_per_ssa_name): Update for
            inheriting from state_purge_per_tree.
            (state_purge_per_ssa_name::add_to_worklist): Likewise.
            (state_purge_per_decl::state_purge_per_decl): New.
            (state_purge_per_decl::add_needed_at): New.
            (state_purge_per_decl::add_pointed_to_at): New.
            (state_purge_per_decl::process_worklists): New.
            (state_purge_per_decl::add_to_worklist): New.
            (same_binding_p): New.
            (fully_overwrites_p): New.
            (state_purge_per_decl::process_point_backwards): New.
            (state_purge_per_decl::process_point_forwards): New.
            (state_purge_per_decl::needed_at_point_p): New.
            (state_purge_annotator::print_needed): Generalize to print local
            decls as well as SSA names.
            * state-purge.h (class state_purge_map): Update leading comment.
            (state_purge_map::map_t): Rename to...
            (state_purge_map::ssa_map_t): ...this.
            (state_purge_map::iterator): Rename to...
            (state_purge_map::ssa_iterator): ...this.
            (state_purge_map::decl_map_t): New typedef.
            (state_purge_map::decl_iterator): New typedef.
            (state_purge_map::state_purge_map): Add "mgr" param.
            (state_purge_map::get_data_for_ssa_name): Update for renaming.
            (state_purge_map::get_any_data_for_decl): New.
            (state_purge_map::get_or_create_data_for_decl): New decl.
            (state_purge_map::begin): Rename to...
            (state_purge_map::begin_ssas): ...this.
            (state_purge_map::end): Rename to...
            (state_purge_map::end_ssa): ...this.
            (state_purge_map::begin_decls): New.
            (state_purge_map::end_decls): New.
            (state_purge_map::m_map): Rename to...
            (state_purge_map::m_ssa_map): ...this.
            (state_purge_map::m_decl_map): New field.
            (class state_purge_per_tree): New class.
            (class state_purge_per_ssa_name): Inherit from
            state_purge_per_tree.
            (state_purge_per_ssa_name::get_function): Move to base class.
            (state_purge_per_ssa_name::point_set_t): Likewise.
            (state_purge_per_ssa_name::m_fun): Likewise.
            (class state_purge_per_decl): New.

    gcc/testsuite/ChangeLog:
            PR analyzer/104943
            PR analyzer/104954
            PR analyzer/103533
            * gcc.dg/analyzer/torture/boxed-ptr-1.c: Update expected number
            of exploded nodes to reflect improvements in state purging.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>


* [Bug analyzer/103533] Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint
From: rootkea at gmail dot com @ 2022-03-22 18:36 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103533

Avinash Sonawane <rootkea at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rootkea at gmail dot com

--- Comment #5 from Avinash Sonawane <rootkea at gmail dot com> ---
Since we are not quite there yet we should remove (comment out) the tainted-*
checkers listed under -fanalyzer in docs which says "Enabling this option
effectively enables the following warnings:".

Also, the wording in docs suggests that `-fanalyzer -fanalyzer-checker=taint`
enables the taint checkers *in addition* to the default checkers but currently,
enabling -fanalyzer-checker=taint stops other checkers. I came to know about
this after finding none of the other checkers working. We should document this.

I just submitted a patch which documents the above fact and comments out the
tainted-* checkers under -fanalyzer.

When this issue gets fixed we can simply remove the .texi comment commands and
drop the line saying other checkers not working with taint checker.

https://gcc.gnu.org/pipermail/gcc-patches/2022-March/592144.html


* [Bug analyzer/103533] Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint
From: cvs-commit at gcc dot gnu.org @ 2022-03-25  0:57 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103533

--- Comment #6 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:319ba7e241e7e21f9eb481f075310796f13d2035

commit r12-7808-g319ba7e241e7e21f9eb481f075310796f13d2035
Author: Avinash Sonawane <rootkea@gmail.com>
Date:   Tue Mar 22 07:32:44 2022 +0530

    Docs: Document that taint analyzer checker disables some warnings
    [PR103533]

    gcc/ChangeLog:
            PR analyzer/103533
            * doc/invoke.texi: Document that enabling taint analyzer
            checker disables some warnings from `-fanalyzer`.

    Signed-off-by: Avinash Sonawane <rootkea@gmail.com>


* [Bug analyzer/103533] Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint
From: cvs-commit at gcc dot gnu.org @ 2022-03-25  9:57 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103533

--- Comment #7 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Tobias Burnus <burnus@gcc.gnu.org>:

https://gcc.gnu.org/g:748f36a48b506f52e10bcdeb750a7fe9c30c26f3

commit r12-7810-g748f36a48b506f52e10bcdeb750a7fe9c30c26f3
Author: Tobias Burnus <tobias@codesourcery.com>
Date:   Fri Mar 25 10:47:49 2022 +0100

    doc/invoke.texi: Move @ignore block out of @gccoptlist [PR103533]

    With TeX output ("make pdf"), @gccoptlist's content ends up in a single
    line such that TeX does not find the matching '@end ignore' for the
    '@ignore' block – failing with a runaway error. Solution is to move
    the @ignore block after the closing '}'.
    (Follow up to r12-7808-g319ba7e241e7e21f9eb481f075310796f13d2035 )

    gcc/
            PR analyzer/103533
            * doc/invoke.texi (Static Analyzer Options): Move
            @ignore block after @gccoptlist's '}' for 'make pdf'.


* [Bug analyzer/103533] Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint
From: cvs-commit at gcc dot gnu.org @ 2023-11-14 20:55 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103533

--- Comment #8 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:cfaaa8b11b8429eed5ec44426fc6a20ad5d53d30

commit r14-5464-gcfaaa8b11b8429eed5ec44426fc6a20ad5d53d30
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Tue Nov 14 15:51:52 2023 -0500

    analyzer: enable taint state machine by default [PR103533]

    gcc/analyzer/ChangeLog:
            PR analyzer/103533
            * sm-taint.cc: Remove "experimental" from comment.
            * sm.cc (make_checkers): Always add taint state machine.

    gcc/ChangeLog:
            PR analyzer/103533
            * doc/invoke.texi (Static Analyzer Options): Add the six
            -Wanalyzer-tainted-* warnings.  Update documentation of each
            warning to reflect removed requirement to use
            -fanalyzer-checker=taint.  Remove discussion of
            -fanalyzer-checker=taint.

    gcc/testsuite/ChangeLog:
            PR analyzer/103533
            * c-c++-common/analyzer/attr-tainted_args-1.c: Remove use of
            -fanalyzer-checker=taint.
            * c-c++-common/analyzer/fread-1.c: Likewise.
            * c-c++-common/analyzer/pr104029.c: Likewise.
            * gcc.dg/analyzer/pr93032-mztools-signed-char.c: Add params to
            work around state explosion.
            * gcc.dg/analyzer/pr93032-mztools-unsigned-char.c: Likewise.
            * gcc.dg/analyzer/pr93382.c: Remove use of
            -fanalyzer-checker=taint.
            * gcc.dg/analyzer/switch-enum-taint-1.c: Likewise.
            * gcc.dg/analyzer/taint-CVE-2011-2210-1.c: Likewise.
            * gcc.dg/analyzer/taint-CVE-2020-13143-1.c: Likewise.
            * gcc.dg/analyzer/taint-CVE-2020-13143-2.c: Likewise.
            * gcc.dg/analyzer/taint-CVE-2020-13143.h: Likewise.
            * gcc.dg/analyzer/taint-alloc-1.c: Likewise.
            * gcc.dg/analyzer/taint-alloc-2.c: Likewise.
            * gcc.dg/analyzer/taint-alloc-3.c: Likewise.
            * gcc.dg/analyzer/taint-alloc-4.c: Likewise.
            * gcc.dg/analyzer/taint-alloc-5.c: Likewise.
            * gcc.dg/analyzer/taint-assert-BUG_ON.c: Likewise.
            * gcc.dg/analyzer/taint-assert-macro-expansion.c: Likewise.
            * gcc.dg/analyzer/taint-assert-system-header.c: Likewise.
            * gcc.dg/analyzer/taint-assert.c: Likewise.
            * gcc.dg/analyzer/taint-divisor-1.c: Likewise.
            * gcc.dg/analyzer/taint-divisor-2.c: Likewise.
            * gcc.dg/analyzer/taint-merger.c: Likewise.
            * gcc.dg/analyzer/taint-ops.c: Delete this test: it was a
            duplicate of material in operations.c and data-model-1.c, with
            -fanalyzer-checker=taint added.
            * gcc.dg/analyzer/taint-read-index-1.c: Remove use of
            -fanalyzer-checker=taint.
            * gcc.dg/analyzer/taint-read-offset-1.c: Likewise.
            * gcc.dg/analyzer/taint-realloc.c: Likewise.  Add missing
            dg-warning for leak now that the malloc state machine is also
            active.
            * gcc.dg/analyzer/taint-size-1.c: Remove use of
            -fanalyzer-checker=taint.
            * gcc.dg/analyzer/taint-size-access-attr-1.c: Likewise.
            * gcc.dg/analyzer/taint-write-index-1.c: Likewise.
            * gcc.dg/analyzer/taint-write-offset-1.c: Likewise.
            * gcc.dg/analyzer/torture/taint-read-index-2.c: Likewise.
            * gcc.dg/analyzer/torture/taint-read-index-3.c: Likewise.
            * gcc.dg/plugin/taint-CVE-2011-0521-1-fixed.c: Likewise.  Add
            -Wno-pedantic.
            * gcc.dg/plugin/taint-CVE-2011-0521-1.c: Likewise.
            * gcc.dg/plugin/taint-CVE-2011-0521-2-fixed.c: Likewise.
            * gcc.dg/plugin/taint-CVE-2011-0521-2.c: Likewise.
            * gcc.dg/plugin/taint-CVE-2011-0521-3-fixed.c: Likewise.
            * gcc.dg/plugin/taint-CVE-2011-0521-3.c: Likewise.  Fix C++-style
            comment.
            * gcc.dg/plugin/taint-CVE-2011-0521-4.c: Remove use of
            -fanalyzer-checker=taint and add -Wno-pedantic. Remove xfail and
            add missing dg-warning.
            * gcc.dg/plugin/taint-CVE-2011-0521-5-fixed.c: Remove use of
            -fanalyzer-checker=taint and add -Wno-pedantic.
            * gcc.dg/plugin/taint-CVE-2011-0521-5.c: Likewise.
            * gcc.dg/plugin/taint-CVE-2011-0521-6.c: Likewise.
            * gcc.dg/plugin/taint-antipatterns-1.c: Remove use of
            -fanalyzer-checker=taint.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>


* [Bug analyzer/103533] Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint
From: dmalcolm at gcc dot gnu.org @ 2023-11-14 21:02 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103533

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #9 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
I've enabled the taint state machine by default (with -fanalyzer) with the
above patch, for GCC 14 onwards.

PR analyzer/112528 tracks the only known state explosion; integration testing
shows no significant changes in results from -fanalyzer before/after the
patch.

Closing this bug out.


* [Bug analyzer/103533] Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint
From: cvs-commit at gcc dot gnu.org @ 2023-12-01 13:52 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103533

--- Comment #10 from GCC Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:83b210d55b28461e7604068c5df95a24b21e7081

commit r14-6056-g83b210d55b28461e7604068c5df95a24b21e7081
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Fri Dec 1 08:47:41 2023 -0500

    docs: remove stray reference to -fanalyzer-checker=taint [PR103533]

    I missed this one in r14-5464-gcfaaa8b11b8429.

    gcc/ChangeLog:
            PR analyzer/103533
            * doc/extend.texi: Remove stray reference to
            -fanalyzer-checker=taint.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

