public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug analyzer/103533] New: Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint
@ 2021-12-02 18:49 dmalcolm at gcc dot gnu.org
2021-12-06 23:37 ` [Bug analyzer/103533] " cvs-commit at gcc dot gnu.org
` (9 more replies)
0 siblings, 10 replies; 11+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2021-12-02 18:49 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103533
Bug ID: 103533
Summary: Enable "taint" state machine with -fanalyzer without
requiring -fanalyzer-checker=taint
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Target Milestone: ---
sm.cc: make_checkers currently has:
/* The "taint" checker must be explicitly enabled (as it currently
leads to state explosions that stop the other checkers working). */
if (flag_analyzer_checker)
out.safe_push (make_taint_state_machine (logger));
and all of the various testcases for the "taint" state machine have:
// TODO: remove need for this option:
/* { dg-additional-options "-fanalyzer-checker=taint" } */
and with notes in the docs of the form:
This warning requires both @option{-fanalyzer} and
@option{-fanalyzer-checker=taint} to enable it;
I'm opening this bug to track removing the need for this, so that the the taint
checker can be enabled directly by -fanalyzer.
Currently removing this leads to:
* ICE in alt_get_inherited_state in abs-1.c, data-model-1.c, data-model-19.c,
pr101570.c, pr99771-1.c, zlib-2.c, zlib-3.c, torture/pr93450.c; all of which
seems to be for a UNARY_OP that isn't a NOP_EXPR; replacing that
gcc_unreachable with break, so it returns NULL fixes all of these.
* state explosion and failure in pr93032-mztools.c, with:
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c: In function
‘unzRepair’:
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:252:16: warning:
terminating analysis for this program point: callstring: [] after SN: 52EN:
270-271, EN: 526-527, EN: 782-783, EN: 1038-1039 [-Wanalyzer-too-complex]
252 | entries++;
| ~~~~~~~^~
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:252:16: warning:
terminating analysis for this program point: callstring: [] after SN: 52EN:
270-271, EN: 526-527, EN: 782-783, EN: 1038-1039 [-Wanalyzer-too-complex]
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:299:31: warning:
terminating analysis for this program point: callstring: [] before (SN: 68
stmt: 0): _325 = fread (&buffer, 1, 8192, fpOutCD_522);EN: 1302-1308, EN: 1329
[-Wanalyzer-too-complex]
299 | while ( (nRead = (int)fread(buffer, 1, sizeof(buffer),
fpOutCD)) > 0) {
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:299:31: warning:
terminating analysis for this program point: callstring: [] before (SN: 68
stmt: 0): _325 = fread (&buffer, 1, 8192, fpOutCD_522);EN: 1302-1308, EN: 1329
[-Wanalyzer-too-complex]
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:299:31: warning:
terminating analysis for this program point: callstring: [] before (SN: 68
stmt: 0): _325 = fread (&buffer, 1, 8192, fpOutCD_522);EN: 1302-1308, EN: 1329
[-Wanalyzer-too-complex]
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:299:31: warning:
terminating analysis for this program point: callstring: [] before (SN: 68
stmt: 0): _325 = fread (&buffer, 1, 8192, fpOutCD_522);EN: 1302-1308, EN: 1329
[-Wanalyzer-too-complex]
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:299:31: warning:
terminating analysis for this program point: callstring: [] before (SN: 68
stmt: 0): _325 = fread (&buffer, 1, 8192, fpOutCD_522);EN: 1302-1308, EN: 1329
[-Wanalyzer-too-complex]
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:299:31: warning:
terminating analysis for this program point: callstring: [] before (SN: 68
stmt: 0): _325 = fread (&buffer, 1, 8192, fpOutCD_522);EN: 1302-1308, EN: 1329
[-Wanalyzer-too-complex]
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:299:31: warning:
terminating analysis for this program point: callstring: [] before (SN: 68
stmt: 0): _325 = fread (&buffer, 1, 8192, fpOutCD_522);EN: 1302-1308, EN: 1329
[-Wanalyzer-too-complex]
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c: At top level:
../../src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools.c:319:21: warning:
analysis bailed out early (401 'after-snode' enodes; 1506 enodes)
[-Wanalyzer-too-complex]
319 | *nRecovered = entries;
| ~~~~~~~~~~~~^~~~~~~~~
Interestingly, PR analyzer/103521 reports this as now failing on powerpc64
(without turning on taint detection), although the explosion is in a different
place.
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug analyzer/103533] Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint
2021-12-02 18:49 [Bug analyzer/103533] New: Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint dmalcolm at gcc dot gnu.org
@ 2021-12-06 23:37 ` cvs-commit at gcc dot gnu.org
2022-01-07 15:17 ` dmalcolm at gcc dot gnu.org
` (8 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2021-12-06 23:37 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103533
--- Comment #1 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:
https://gcc.gnu.org/g:c9543403c19fdc3c3b5a8db8546340de085bd14e
commit r12-5815-gc9543403c19fdc3c3b5a8db8546340de085bd14e
Author: David Malcolm <dmalcolm@redhat.com>
Date: Mon Dec 6 14:04:35 2021 -0500
analyzer: fix equivalence class state purging [PR103533]
Whilst debugging state explosions seen when enabling taint detection
with -fanalyzer (PR analyzer/103533), I noticed that constraint
manager instances could contain stray, redundant constants, such
as this instance:
constraint_manager:
equiv classes:
ec0: {(int)0 == [m_constant]â0â}
ec1: {(size_t)4 == [m_constant]â4â}
constraints:
where there are two equivalence classes, each just containing a
constant, with no constraints using them.
This patch makes constraint_manager::canonicalize more aggressive
about purging state, handling the case of purging a redundant
EC containing just a constant.
gcc/analyzer/ChangeLog:
PR analyzer/103533
* constraint-manager.cc (equiv_class::contains_non_constant_p):
New.
(constraint_manager::canonicalize): Call it when determining
redundant ECs.
(selftest::test_purging): New selftest.
(selftest::run_constraint_manager_tests): Likewise.
* constraint-manager.h (equiv_class::contains_non_constant_p):
New decl.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug analyzer/103533] Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint
2021-12-02 18:49 [Bug analyzer/103533] New: Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint dmalcolm at gcc dot gnu.org
2021-12-06 23:37 ` [Bug analyzer/103533] " cvs-commit at gcc dot gnu.org
@ 2022-01-07 15:17 ` dmalcolm at gcc dot gnu.org
2022-01-12 15:00 ` cvs-commit at gcc dot gnu.org
` (7 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2022-01-07 15:17 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103533
--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Note that as well as the scaling issues, there currently aren't that many
sources of taint (currently just a hardcoded one for the result fread); a lot
more would be added by
[PATCH 0/6] RFC: adding support to GCC for detecting trust boundaries
https://gcc.gnu.org/pipermail/gcc-patches/2021-November/584372.html
but that patch kit isn't in yet.
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug analyzer/103533] Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint
2021-12-02 18:49 [Bug analyzer/103533] New: Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint dmalcolm at gcc dot gnu.org
2021-12-06 23:37 ` [Bug analyzer/103533] " cvs-commit at gcc dot gnu.org
2022-01-07 15:17 ` dmalcolm at gcc dot gnu.org
@ 2022-01-12 15:00 ` cvs-commit at gcc dot gnu.org
2022-03-18 23:22 ` cvs-commit at gcc dot gnu.org
` (6 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2022-01-12 15:00 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103533
--- Comment #3 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:
https://gcc.gnu.org/g:2c16dfe6268eeeb4b7924ff423e274fa00894a4d
commit r12-6526-g2c16dfe6268eeeb4b7924ff423e274fa00894a4d
Author: David Malcolm <dmalcolm@redhat.com>
Date: Tue Jan 11 15:57:39 2022 -0500
analyzer: complain about tainted sizes with "access" attribute [PR103940]
GCC 10 gained the "access" function and type attribute, which
optionally can take a size-index param:
https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html
-fanalyzer in trunk (for GCC 12) has gained a -Wanalyzer-tainted-size to
complain about attacker-controlled size values, but this was only being
used deep inside the region-model code when handling the hardcoded known
behavior of certain functions (memset, IIRC).
This patch extends -Wanalyzer-tainted-size to also complain about
unsanitized attacker-controlled values being passed to function
parameters marked as a size via the "access" attribute.
Note that -fanalyzer-checker=taint is currently required in
addition to -fanalyzer to use this warning, due to scaling issues
(see bug 103533).
gcc/analyzer/ChangeLog:
PR analyzer/103940
* engine.cc (impl_sm_context::impl_sm_context): Add
"unknown_side_effects" param and use it to initialize
new m_unknown_side_effects field.
(impl_sm_context::unknown_side_effects_p): New.
(impl_sm_context::m_unknown_side_effects): New.
(exploded_node::on_stmt): Pass unknown_side_effects to sm_ctxt
ctor.
* sm-taint.cc: Include "stringpool.h" and "attribs.h".
(tainted_size::tainted_size): Drop "dir" param.
(tainted_size::get_kind): Drop "FINAL".
(tainted_size::emit): Likewise.
(tainted_size::m_dir): Drop unused field.
(class tainted_access_attrib_size): New subclass.
(taint_state_machine::on_stmt): Call check_for_tainted_size_arg on
external functions with unknown side effects.
(taint_state_machine::check_for_tainted_size_arg): New.
(region_model::check_region_for_taint): Drop "dir" param from
tainted_size ctor.
* sm.h (sm_context::unknown_side_effects_p): New.
gcc/testsuite/ChangeLog:
PR analyzer/103940
* gcc.dg/analyzer/taint-size-access-attr-1.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug analyzer/103533] Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint
2021-12-02 18:49 [Bug analyzer/103533] New: Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint dmalcolm at gcc dot gnu.org
` (2 preceding siblings ...)
2022-01-12 15:00 ` cvs-commit at gcc dot gnu.org
@ 2022-03-18 23:22 ` cvs-commit at gcc dot gnu.org
2022-03-22 18:36 ` rootkea at gmail dot com
` (5 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2022-03-18 23:22 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103533
--- Comment #4 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:
https://gcc.gnu.org/g:faacafd2306ad7ece721a79dedbb6e44e0d65bdb
commit r12-7718-gfaacafd2306ad7ece721a79dedbb6e44e0d65bdb
Author: David Malcolm <dmalcolm@redhat.com>
Date: Tue Dec 7 19:22:47 2021 -0500
analyzer: extend state-purging to locals [PR104943]
The existing analyzer code attempts to purge the state of SSA names
where it can in order to minimize the size of program_state instances,
and to increase the chances of being able to reuse exploded_node
instances whilst exploring the user's code.
PR analyzer/104943 identifies that we fail to purge state of local
variables, based on behavior seen in PR analyzer/104954 when attempting
to profile slow performance of -fanalyzer on a particular file in the
Linux kernel, where that testcase has many temporary "boxed" values of
structs containing ints, which are never cleaned up, leading to bloat
of the program_state instances (specifically, of the store objects).
This patch generalizes the state purging from just being on SSA names
to also work on local variables. Doing so requires that we detect where
addresses to a local variable (or within them) are taken; we assume that
once a pointer has been taken, it's not longer safe to purge the value
of that decl at any successor point within the function.
Doing so speeds up the PR analyzer/104954 Linux kernel analyzer testcase
from taking 254 seconds to "just" 186 seconds (and I have a followup
patch in development that seems to further reduce this to 37 seconds).
The patch may also help with scaling up taint-detection so that it can
eventually be turned on by default, but we're not quite there (this
is PR analyzer/103533).
gcc/analyzer/ChangeLog:
PR analyzer/104943
PR analyzer/104954
PR analyzer/103533
* analyzer.h (class state_purge_per_decl): New forward decl.
* engine.cc (impl_run_checkers): Pass region_model_manager to
state_purge_map ctor.
* program-point.cc (function_point::final_stmt_p): New.
(function_point::get_next): New.
* program-point.h (function_point::final_stmt_p): New decl.
(function_point::get_next): New decl.
* program-state.cc (program_state::prune_for_point): Generalize to
purge local decls as well as SSA names.
(program_state::can_purge_base_region_p): New.
* program-state.h (program_state::can_purge_base_region_p): New
decl.
* region-model.cc (struct append_ssa_names_cb_data): Rename to...
(struct append_regions_cb_data): ...this.
(region_model::get_ssa_name_regions_for_current_frame): Rename
to...
(region_model::get_regions_for_current_frame): ...this, updating
for other renamings.
(region_model::append_ssa_names_cb): Rename to...
(region_model::append_regions_cb): ...this, and drop the
requirement
that the subregion be a SSA name.
* region-model.h (struct append_ssa_names_cb_data): Rename decl
to...
(struct append_regions_cb_data): ...this.
(region_model::get_ssa_name_regions_for_current_frame): Rename
decl to...
(region_model::get_regions_for_current_frame): ...this.
(region_model::append_ssa_names_cb): Rename decl to...
(region_model::append_regions_cb): ...this.
* state-purge.cc: Include "tristate.h", "selftest.h",
"analyzer/store.h", "analyzer/region-model.h", and
"gimple-walk.h".
(get_candidate_for_purging): New.
(class gimple_op_visitor): New.
(my_load_cb): New.
(my_store_cb): New.
(my_addr_cb): New.
(state_purge_map::state_purge_map): Add "mgr" param. Update for
renamings. Find uses of local variables.
(state_purge_map::~state_purge_map): Update for renaming of m_map
to m_ssa_map. Clean up m_decl_map.
(state_purge_map::get_or_create_data_for_decl): New.
(state_purge_per_ssa_name::state_purge_per_ssa_name): Update for
inheriting from state_purge_per_tree.
(state_purge_per_ssa_name::add_to_worklist): Likewise.
(state_purge_per_decl::state_purge_per_decl): New.
(state_purge_per_decl::add_needed_at): New.
(state_purge_per_decl::add_pointed_to_at): New.
(state_purge_per_decl::process_worklists): New.
(state_purge_per_decl::add_to_worklist): New.
(same_binding_p): New.
(fully_overwrites_p): New.
(state_purge_per_decl::process_point_backwards): New.
(state_purge_per_decl::process_point_forwards): New.
(state_purge_per_decl::needed_at_point_p): New.
(state_purge_annotator::print_needed): Generalize to print local
decls as well as SSA names.
* state-purge.h (class state_purge_map): Update leading comment.
(state_purge_map::map_t): Rename to...
(state_purge_map::ssa_map_t): ...this.
(state_purge_map::iterator): Rename to...
(state_purge_map::ssa_iterator): ...this.
(state_purge_map::decl_map_t): New typedef.
(state_purge_map::decl_iterator): New typedef.
(state_purge_map::state_purge_map): Add "mgr" param.
(state_purge_map::get_data_for_ssa_name): Update for renaming.
(state_purge_map::get_any_data_for_decl): New.
(state_purge_map::get_or_create_data_for_decl): New decl.
(state_purge_map::begin): Rename to...
(state_purge_map::begin_ssas): ...this.
(state_purge_map::end): Rename to...
(state_purge_map::end_ssa): ...this.
(state_purge_map::begin_decls): New.
(state_purge_map::end_decls): New.
(state_purge_map::m_map): Rename to...
(state_purge_map::m_ssa_map): ...this.
(state_purge_map::m_decl_map): New field.
(class state_purge_per_tree): New class.
(class state_purge_per_ssa_name): Inherit from
state_purge_per_tree.
(state_purge_per_ssa_name::get_function): Move to base class.
(state_purge_per_ssa_name::point_set_t): Likewise.
(state_purge_per_ssa_name::m_fun): Likewise.
(class state_purge_per_decl): New.
gcc/testsuite/ChangeLog:
PR analyzer/104943
PR analyzer/104954
PR analyzer/103533
* gcc.dg/analyzer/torture/boxed-ptr-1.c: Update expected number
of exploded nodes to reflect improvements in state purging.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug analyzer/103533] Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint
2021-12-02 18:49 [Bug analyzer/103533] New: Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint dmalcolm at gcc dot gnu.org
` (3 preceding siblings ...)
2022-03-18 23:22 ` cvs-commit at gcc dot gnu.org
@ 2022-03-22 18:36 ` rootkea at gmail dot com
2022-03-25 0:57 ` cvs-commit at gcc dot gnu.org
` (4 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: rootkea at gmail dot com @ 2022-03-22 18:36 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103533
Avinash Sonawane <rootkea at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |rootkea at gmail dot com
--- Comment #5 from Avinash Sonawane <rootkea at gmail dot com> ---
Since we are not quite there yet we should remove (comment out) the tainted-*
checkers listed under -fanalyzer in docs which says "Enabling this option
effectively enables the following warnings:".
Also, the wording in docs suggest that `-fanalyzer -fanalyzer-checker=taint`
enables the taint checkers *in addition* to the default checkers but currently,
enabling -fanalyzer-checker=taint stops other checkers. I came to know about
this after finding none of other checkers working. We should document this.
I just submitted a patch which documents the above fact and comments out the
tainted-* checkers under -fanalyzer.
When this issue gets fixed we can simply remove the .texi comment commands and
drop the line saying other checkers not working with taint checker.
https://gcc.gnu.org/pipermail/gcc-patches/2022-March/592144.html
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug analyzer/103533] Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint
2021-12-02 18:49 [Bug analyzer/103533] New: Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint dmalcolm at gcc dot gnu.org
` (4 preceding siblings ...)
2022-03-22 18:36 ` rootkea at gmail dot com
@ 2022-03-25 0:57 ` cvs-commit at gcc dot gnu.org
2022-03-25 9:57 ` cvs-commit at gcc dot gnu.org
` (3 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2022-03-25 0:57 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103533
--- Comment #6 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:
https://gcc.gnu.org/g:319ba7e241e7e21f9eb481f075310796f13d2035
commit r12-7808-g319ba7e241e7e21f9eb481f075310796f13d2035
Author: Avinash Sonawane <rootkea@gmail.com>
Date: Tue Mar 22 07:32:44 2022 +0530
Docs: Document that taint analyzer checker disables some warnings
[PR103533]
gcc/ChangeLog:
PR analyzer/103533
* doc/invoke.texi: Document that enabling taint analyzer
checker disables some warnings from `-fanalyzer`.
Signed-off-by: Avinash Sonawane <rootkea@gmail.com>
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug analyzer/103533] Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint
2021-12-02 18:49 [Bug analyzer/103533] New: Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint dmalcolm at gcc dot gnu.org
` (5 preceding siblings ...)
2022-03-25 0:57 ` cvs-commit at gcc dot gnu.org
@ 2022-03-25 9:57 ` cvs-commit at gcc dot gnu.org
2023-11-14 20:55 ` cvs-commit at gcc dot gnu.org
` (2 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2022-03-25 9:57 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103533
--- Comment #7 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Tobias Burnus <burnus@gcc.gnu.org>:
https://gcc.gnu.org/g:748f36a48b506f52e10bcdeb750a7fe9c30c26f3
commit r12-7810-g748f36a48b506f52e10bcdeb750a7fe9c30c26f3
Author: Tobias Burnus <tobias@codesourcery.com>
Date: Fri Mar 25 10:47:49 2022 +0100
doc/invoke.texi: Move @ignore block out of @gccoptlist [PR103533]
With TeX output ("make pdf"), @gccoptlist's content end up in a single
line such that TeX does not find the matching '@end ignore' for the
'@ignore' block â failing with a runaway error. Solution is to move
the @ignore block after the closing '}'.
(Follow up to r12-7808-g319ba7e241e7e21f9eb481f075310796f13d2035 )
gcc/
PR analyzer/103533
* doc/invoke.texi (Static Analyzer Options): Move
@ignore block after @gccoptlist's '}' for 'make pdf'.
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug analyzer/103533] Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint
2021-12-02 18:49 [Bug analyzer/103533] New: Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint dmalcolm at gcc dot gnu.org
` (6 preceding siblings ...)
2022-03-25 9:57 ` cvs-commit at gcc dot gnu.org
@ 2023-11-14 20:55 ` cvs-commit at gcc dot gnu.org
2023-11-14 21:02 ` dmalcolm at gcc dot gnu.org
2023-12-01 13:52 ` cvs-commit at gcc dot gnu.org
9 siblings, 0 replies; 11+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2023-11-14 20:55 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103533
--- Comment #8 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:
https://gcc.gnu.org/g:cfaaa8b11b8429eed5ec44426fc6a20ad5d53d30
commit r14-5464-gcfaaa8b11b8429eed5ec44426fc6a20ad5d53d30
Author: David Malcolm <dmalcolm@redhat.com>
Date: Tue Nov 14 15:51:52 2023 -0500
analyzer: enable taint state machine by default [PR103533]
gcc/analyzer/ChangeLog:
PR analyzer/103533
* sm-taint.cc: Remove "experimental" from comment.
* sm.cc (make_checkers): Always add taint state machine.
gcc/ChangeLog:
PR analyzer/103533
* doc/invoke.texi (Static Analyzer Options): Add the six
-Wanalyzer-tainted-* warnings. Update documentation of each
warning to reflect removed requirement to use
-fanalyzer-checker=taint. Remove discussion of
-fanalyzer-checker=taint.
gcc/testsuite/ChangeLog:
PR analyzer/103533
* c-c++-common/analyzer/attr-tainted_args-1.c: Remove use of
-fanalyzer-checker=taint.
* c-c++-common/analyzer/fread-1.c: Likewise.
* c-c++-common/analyzer/pr104029.c: Likewise.
* gcc.dg/analyzer/pr93032-mztools-signed-char.c: Add params to
work around state explosion.
* gcc.dg/analyzer/pr93032-mztools-unsigned-char.c: Likewise.
* gcc.dg/analyzer/pr93382.c: Remove use of
-fanalyzer-checker=taint.
* gcc.dg/analyzer/switch-enum-taint-1.c: Likewise.
* gcc.dg/analyzer/taint-CVE-2011-2210-1.c: Likewise.
* gcc.dg/analyzer/taint-CVE-2020-13143-1.c: Likewise.
* gcc.dg/analyzer/taint-CVE-2020-13143-2.c: Likewise.
* gcc.dg/analyzer/taint-CVE-2020-13143.h: Likewise.
* gcc.dg/analyzer/taint-alloc-1.c: Likewise.
* gcc.dg/analyzer/taint-alloc-2.c: Likewise.
* gcc.dg/analyzer/taint-alloc-3.c: Likewise.
* gcc.dg/analyzer/taint-alloc-4.c: Likewise.
* gcc.dg/analyzer/taint-alloc-5.c: Likewise.
* gcc.dg/analyzer/taint-assert-BUG_ON.c: Likewise.
* gcc.dg/analyzer/taint-assert-macro-expansion.c: Likewise.
* gcc.dg/analyzer/taint-assert-system-header.c: Likewise.
* gcc.dg/analyzer/taint-assert.c: Likewise.
* gcc.dg/analyzer/taint-divisor-1.c: Likewise.
* gcc.dg/analyzer/taint-divisor-2.c: Likewise.
* gcc.dg/analyzer/taint-merger.c: Likewise.
* gcc.dg/analyzer/taint-ops.c: Delete this test: it was a
duplicate of material in operations.c and data-model-1.c, with
-fanalyzer-checker=taint added.
* gcc.dg/analyzer/taint-read-index-1.c: Remove use of
-fanalyzer-checker=taint.
* gcc.dg/analyzer/taint-read-offset-1.c: Likewise.
* gcc.dg/analyzer/taint-realloc.c: Likewise. Add missing
dg-warning for leak now that the malloc state machine is also
active.
* gcc.dg/analyzer/taint-size-1.c: Remove use of
-fanalyzer-checker=taint.
* gcc.dg/analyzer/taint-size-access-attr-1.c: Likewise.
* gcc.dg/analyzer/taint-write-index-1.c: Likewise.
* gcc.dg/analyzer/taint-write-offset-1.c: Likewise.
* gcc.dg/analyzer/torture/taint-read-index-2.c: Likewise.
* gcc.dg/analyzer/torture/taint-read-index-3.c: Likewise.
* gcc.dg/plugin/taint-CVE-2011-0521-1-fixed.c: Likewise. Add
-Wno-pedantic.
* gcc.dg/plugin/taint-CVE-2011-0521-1.c: Likewise.
* gcc.dg/plugin/taint-CVE-2011-0521-2-fixed.c: Likewise.
* gcc.dg/plugin/taint-CVE-2011-0521-2.c: Likewise.
* gcc.dg/plugin/taint-CVE-2011-0521-3-fixed.c: Likewise.
* gcc.dg/plugin/taint-CVE-2011-0521-3.c: Likewise. Fix C++-style
comment.
* gcc.dg/plugin/taint-CVE-2011-0521-4.c: Remove use of
-fanalyzer-checker=taint and add -Wno-pedantic. Remove xfail and
add missing dg-warning.
* gcc.dg/plugin/taint-CVE-2011-0521-5-fixed.c: Remove use of
-fanalyzer-checker=taint and add -Wno-pedantic.
* gcc.dg/plugin/taint-CVE-2011-0521-5.c: Likewise.
* gcc.dg/plugin/taint-CVE-2011-0521-6.c: Likewise.
* gcc.dg/plugin/taint-antipatterns-1.c: : Remove use of
-fanalyzer-checker=taint.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug analyzer/103533] Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint
2021-12-02 18:49 [Bug analyzer/103533] New: Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint dmalcolm at gcc dot gnu.org
` (7 preceding siblings ...)
2023-11-14 20:55 ` cvs-commit at gcc dot gnu.org
@ 2023-11-14 21:02 ` dmalcolm at gcc dot gnu.org
2023-12-01 13:52 ` cvs-commit at gcc dot gnu.org
9 siblings, 0 replies; 11+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2023-11-14 21:02 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103533
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|UNCONFIRMED |RESOLVED
--- Comment #9 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
I've enabled the taint state machine by default (with -fanalyzer) with the
above patch, for GCC 14 onwards.
PR analyzer/112528 tracks the only known state explosion; integration testing
shows no significicant changes in results from -fanalyzer before/after the
patch.
Closing this bug out.
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug analyzer/103533] Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint
2021-12-02 18:49 [Bug analyzer/103533] New: Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint dmalcolm at gcc dot gnu.org
` (8 preceding siblings ...)
2023-11-14 21:02 ` dmalcolm at gcc dot gnu.org
@ 2023-12-01 13:52 ` cvs-commit at gcc dot gnu.org
9 siblings, 0 replies; 11+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2023-12-01 13:52 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103533
--- Comment #10 from GCC Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:
https://gcc.gnu.org/g:83b210d55b28461e7604068c5df95a24b21e7081
commit r14-6056-g83b210d55b28461e7604068c5df95a24b21e7081
Author: David Malcolm <dmalcolm@redhat.com>
Date: Fri Dec 1 08:47:41 2023 -0500
docs: remove stray reference to -fanalyzer-checker=taint [PR103533]
I missed this one in r14-5464-gcfaaa8b11b8429.
gcc/ChangeLog:
PR analyzer/103533
* doc/extend.texi: Remove stray reference to
-fanalyzer-checker=taint.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2023-12-01 13:52 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-12-02 18:49 [Bug analyzer/103533] New: Enable "taint" state machine with -fanalyzer without requiring -fanalyzer-checker=taint dmalcolm at gcc dot gnu.org
2021-12-06 23:37 ` [Bug analyzer/103533] " cvs-commit at gcc dot gnu.org
2022-01-07 15:17 ` dmalcolm at gcc dot gnu.org
2022-01-12 15:00 ` cvs-commit at gcc dot gnu.org
2022-03-18 23:22 ` cvs-commit at gcc dot gnu.org
2022-03-22 18:36 ` rootkea at gmail dot com
2022-03-25 0:57 ` cvs-commit at gcc dot gnu.org
2022-03-25 9:57 ` cvs-commit at gcc dot gnu.org
2023-11-14 20:55 ` cvs-commit at gcc dot gnu.org
2023-11-14 21:02 ` dmalcolm at gcc dot gnu.org
2023-12-01 13:52 ` cvs-commit at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).