From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id 09C8A3858C78; Thu, 3 Feb 2022 22:48:27 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 09C8A3858C78 From: "cvs-commit at gcc dot gnu.org" To: gcc-bugs@gcc.gnu.org Subject: [Bug analyzer/104369] False positive from -Wanalyzer-use-of-uninitialized-value with realloc moving buffer Date: Thu, 03 Feb 2022 22:48:26 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: gcc X-Bugzilla-Component: analyzer X-Bugzilla-Version: 12.0 X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: cvs-commit at gcc dot gnu.org X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P3 X-Bugzilla-Assigned-To: dmalcolm at gcc dot gnu.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: gcc-bugs@gcc.gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gcc-bugs mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Feb 2022 22:48:27 -0000 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D104369 --- Comment #1 from CVS Commits --- The master branch has been updated by David Malcolm : https://gcc.gnu.org/g:3ef328c293a336df0aead2d72c0c5ed9781a9861 commit r12-7040-g3ef328c293a336df0aead2d72c0c5ed9781a9861 Author: David Malcolm Date: Wed Feb 2 16:39:12 2022 -0500 analyzer: fixes to realloc-handling [PR104369] This patch fixes various issues with how -fanalyzer handles "realloc" seen when debugging PR analyzer/104369. Previously it wasn't correctly copying over the contents of the old buffer for the success-with-move case, leading to false -Wanalyzer-use-of-uninitialized-value diagnostics. I also noticed that -fanalyzer failed to properly handle "realloc" for cases where the ptr's region had unknown dynamic extents, and an ICE for the case where a tainted value is used as a realloc size argument. This patch fixes these issues, including the false uninit diagnostics seen in PR analyzer/104369. gcc/analyzer/ChangeLog: PR analyzer/104369 * engine.cc (exploded_graph::process_node): Use the node for any diagnostics, avoiding ICE if a bifurcation update adds a saved_diagnostic, such as for a tainted realloc size. * region-model-impl-calls.cc (region_model::impl_call_realloc::success_no_move::update_model= ): Require the old pointer to be non-NULL to be able successfully grow in place. Use model->deref_rvalue rather than maybe_get_region to support the old pointer being symbolic. (region_model::impl_call_realloc::success_with_move::update_mod= el): Likewise. Add a constraint that the new pointer !=3D the old pointer. Use a sized_region when setting the value of the new region. Handle the case where we don't know the dynamic size of the old region by marking the new region as unknown. * sm-taint.cc (tainted_allocation_size::tainted_allocation_size= ): Update assertion to also allow for MEMSPACE_UNKNOWN. (tainted_allocation_size::emit): Likewise. (region_model::check_dynamic_size_for_taint): Likewise. gcc/testsuite/ChangeLog: PR analyzer/104369 * gcc.dg/analyzer/pr104369-1.c: New test. * gcc.dg/analyzer/pr104369-2.c: New test. * gcc.dg/analyzer/realloc-3.c: New test. * gcc.dg/analyzer/realloc-4.c: New test. * gcc.dg/analyzer/taint-realloc.c: New test. Signed-off-by: David Malcolm =