[Bug analyzer/105899] New: RFE: -fanalyzer could complain about misuses of standard C string APIs

[Bug analyzer/105899] New: RFE: -fanalyzer could complain about misuses of standard C string APIs

[dmalcolm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105899

            Bug ID: 105899
           Summary: RFE: -fanalyzer could complain about misuses of
                    standard C string APIs
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: dmalcolm at gcc dot gnu.org
            Blocks: 105887
  Target Milestone: ---

See:
  https://clang.llvm.org/docs/analyzer/checkers.html
    1.2.13.8. alpha.unix.cstring.NotNullTerminated (C)
    1.2.13.9. alpha.unix.cstring.OutOfBounds (C)
    1.2.13.10. alpha.unix.cstring.UninitializedRead (C)

Difficult to implement if we do the general case; but fairly easy for detecting
the "definitely happens" cases, I think.


Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105887
[Bug 105887] RFE: clang analyzer warnings that GCC's -fanalyzer could implement

[Bug analyzer/105899] RFE: -fanalyzer could complain about misuses of standard C string APIs

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105899

--- Comment #1 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:325f9e88802daaca0a4793ca079bb504f7d76c54

commit r14-3169-g325f9e88802daaca0a4793ca079bb504f7d76c54
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Fri Aug 11 18:05:48 2023 -0400

    analyzer: new warning: -Wanalyzer-unterminated-string [PR105899]

    This patch adds new functions to the analyzer for checking that
    an argument at a callsite is a pointer to a valid null-terminated
    string, and uses this for the following known functions:

    - error (param 3, the format string)
    - error_at_line (param 5, the format string)
    - putenv
    - strchr (1st param)
    - strcpy (2nd param)
    - strdup

    Currently the check merely detects pointers to unterminated string
    constants, and adds a new -Wanalyzer-unterminated-string to complain
    about that.  I'm experimenting with detecting other ways in which
    a buffer can fail to be null-terminated, and for other problems with
    such buffers, but this patch at least adds the framework for wiring
    up the check to specific parameters of known_functions.

    gcc/analyzer/ChangeLog:
            PR analyzer/105899
            * analyzer.opt (Wanalyzer-unterminated-string): New.
            * call-details.cc
            (call_details::check_for_null_terminated_string_arg): New.
            * call-details.h
            (call_details::check_for_null_terminated_string_arg): New decl.
            * kf-analyzer.cc (class kf_analyzer_get_strlen): New.
            (register_known_analyzer_functions): Register it.
            * kf.cc (kf_error::impl_call_pre): Check that format arg is a
            valid null-terminated string.
            (kf_putenv::impl_call_pre): Likewise for the sole param.
            (kf_strchr::impl_call_pre): Likewise for the first param.
            (kf_strcpy::impl_call_pre): Likewise for the second param.
            (kf_strdup::impl_call_pre): Likewise for the sole param.
            * region-model.cc (get_strlen): New.
            (struct call_arg_details): New.
            (inform_about_expected_null_terminated_string_arg): New.
            (class unterminated_string_arg): New.
            (region_model::check_for_null_terminated_string_arg): New.
            * region-model.h
            (region_model::check_for_null_terminated_string_arg): New decl.

    gcc/ChangeLog:
            PR analyzer/105899
            * doc/analyzer.texi (__analyzer_get_strlen): New.
            * doc/invoke.texi: Add -Wanalyzer-unterminated-string.

    gcc/testsuite/ChangeLog:
            PR analyzer/105899
            * gcc.dg/analyzer/analyzer-decls.h (__analyzer_get_strlen): New.
            * gcc.dg/analyzer/error-1.c (test_error_unterminated): New.
            (test_error_at_line_unterminated): New.
            * gcc.dg/analyzer/null-terminated-strings-1.c: New test.
            * gcc.dg/analyzer/putenv-1.c (test_unterminated): New.
            * gcc.dg/analyzer/strchr-1.c (test_unterminated): New.
            * gcc.dg/analyzer/strcpy-1.c (test_unterminated): New.
            * gcc.dg/analyzer/strdup-1.c (test_unterminated): New.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

[Bug analyzer/105899] RFE: -fanalyzer could complain about misuses of standard C string APIs

[dmalcolm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105899

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
             Status|UNCONFIRMED                 |ASSIGNED
   Last reconfirmed|                            |2023-08-11

[Bug analyzer/105899] RFE: -fanalyzer could complain about misuses of standard C string APIs

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105899

--- Comment #2 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:fe97f09a0caeff2a22cc41b26bf08692bff8686d

commit r14-3374-gfe97f09a0caeff2a22cc41b26bf08692bff8686d
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Mon Aug 21 21:13:19 2023 -0400

    analyzer: replace -Wanalyzer-unterminated-string with
scan_for_null_terminator [PR105899]

    In r14-3169-g325f9e88802daa I added check_for_null_terminated_string_arg
    to -fanalyzer, calling it in various places, with a sole check for
    unterminated string constants, adding -Wanalyzer-unterminated-string for
    this case.

    This patch adds region_model::scan_for_null_terminator, which simulates
    scanning memory for a zero byte, complaining about uninitiliazed bytes
    and out-of-range accesses seen before any zero byte is seen.

    This more flexible approach catches the issues we saw before with
    -Wanalyzer-unterminated-string, and also catches uninitialized runs
    of bytes, and I believe will be a better way to build checking of C
    string operations in the analyzer.

    Given that the patch makes -Wanalyzer-unterminated-string redundant
    and that this option was only in trunk for 10 days and has no known
    users, the patch simply removes the option without a compatibility
    fallback.

    The patch uses custom events and notes to provide context on where
    the issues are coming from.  For example, given:

    null-terminated-strings-1.c: In function âtest_partially_initializedâ:
    null-terminated-strings-1.c:71:3: warning: use of uninitialized value
âbuf[1]â [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
       71 |   __analyzer_get_strlen (buf);
          |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~
      âtest_partially_initializedâ: events 1-3
        |
        |   69 |   char buf[16];
        |      |        ^~~
        |      |        |
        |      |        (1) region created on stack here
        |   70 |   buf[0] = 'a';
        |   71 |   __analyzer_get_strlen (buf);
        |      |   ~~~~~~~~~~~~~~~~~~~~~~~~~~~
        |      |   |
        |      |   (2) while looking for null terminator for argument 1
(â&bufâ) of â__analyzer_get_strlenâ...
        |      |   (3) use of uninitialized value âbuf[1]â here
        |
    analyzer-decls.h:59:22: note: argument 1 of â__analyzer_get_strlenâ
must be a pointer to a null-terminated string
       59 | extern __SIZE_TYPE__ __analyzer_get_strlen (const char *ptr);
          |                      ^~~~~~~~~~~~~~~~~~~~~

    gcc/analyzer/ChangeLog:
            PR analyzer/105899
            * analyzer.opt (Wanalyzer-unterminated-string): Delete.
            * call-details.cc
            (call_details::check_for_null_terminated_string_arg): Convert
            return type from void to const svalue *.  Add param "out_sval".
            * call-details.h
            (call_details::check_for_null_terminated_string_arg): Likewise.
            * kf-analyzer.cc (kf_analyzer_get_strlen::impl_call_pre): Wire up
            to result of check_for_null_terminated_string_arg.
            * region-model.cc (get_strlen): Delete.
            (class unterminated_string_arg): Delete.
            (struct fragment): New.
            (class iterable_cluster): New.
            (region_model::get_store_bytes): New.
            (get_tree_for_byte_offset): New.
            (region_model::scan_for_null_terminator): New.
            (region_model::check_for_null_terminated_string_arg): Convert
            return type from void to const svalue *.  Add param "out_sval".
            Reimplement in terms of scan_for_null_terminator, dropping the
            special-case for -Wanalyzer-unterminated-string.
            * region-model.h (region_model::get_store_bytes): New decl.
            (region_model::scan_for_null_terminator): New decl.
            (region_model::check_for_null_terminated_string_arg): Convert
            return type from void to const svalue *.  Add param "out_sval".
            * store.cc (concrete_binding::get_byte_range): New.
            * store.h (concrete_binding::get_byte_range): New decl.
            (store_manager::get_concrete_binding): New overload.

    gcc/ChangeLog:
            PR analyzer/105899
            * doc/invoke.texi: Remove -Wanalyzer-unterminated-string.

    gcc/testsuite/ChangeLog:
            PR analyzer/105899
            * gcc.dg/analyzer/error-1.c: Update expected results to reflect
            reimplementation of unterminated string detection.  Add test
            coverage for uninitialized buffers.
            * gcc.dg/analyzer/null-terminated-strings-1.c: Likewise.
            * gcc.dg/analyzer/putenv-1.c: Likewise.
            * gcc.dg/analyzer/strchr-1.c: Likewise.
            * gcc.dg/analyzer/strcpy-1.c: Likewise.
            * gcc.dg/analyzer/strdup-1.c: Likewise.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

[Bug analyzer/105899] RFE: -fanalyzer could complain about misuses of standard C string APIs

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105899

--- Comment #3 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:3b691e0190c6e7291f8a52e1e14d8293a28ff4ce

commit r14-3376-g3b691e0190c6e7291f8a52e1e14d8293a28ff4ce
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Mon Aug 21 21:13:19 2023 -0400

    analyzer: check format strings for null termination [PR105899]

    This patch extends -fanalyzer to check the format strings of calls
    to functions marked with '__attribute__ ((format...))'.

    The only checking done in this patch is to check that the format string
    is a valid null-terminated string; this patch doesn't attempt to check
    the content of the format string.

    gcc/analyzer/ChangeLog:
            PR analyzer/105899
            * call-details.cc (call_details::call_details): New ctor.
            * call-details.h (call_details::call_details): New ctor decl.
            (struct call_arg_details): Move here from region-model.cc.
            * region-model.cc (region_model::check_call_format_attr): New.
            (region_model::check_call_args): Call it.
            (struct call_arg_details): Move it to call-details.h.
            * region-model.h (region_model::check_call_format_attr): New decl.

    gcc/testsuite/ChangeLog:
            PR analyzer/105899
            * gcc.dg/analyzer/attr-format-1.c: New test.
            * gcc.dg/analyzer/sprintf-1.c: Update expected results for
            now-passing tests.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

[Bug analyzer/105899] RFE: -fanalyzer could complain about misuses of standard C string APIs

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105899

--- Comment #4 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:3242fb533d48abab621618c4f183ca395de3dcd2

commit r14-3391-g3242fb533d48abab621618c4f183ca395de3dcd2
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Tue Aug 22 18:36:54 2023 -0400

    analyzer: reimplement kf_strlen [PR105899]

    Reimplement kf_strlen in terms of the new string scanning
    implementation, sharing strlen's implementation with
    __analyzer_get_strlen.

    gcc/analyzer/ChangeLog:
            PR analyzer/105899
            * kf-analyzer.cc (class kf_analyzer_get_strlen): Move to kf.cc.
            (register_known_analyzer_functions): Use make_kf_strlen.
            * kf.cc (class kf_strlen::impl_call_pre): Replace with
            implementation of kf_analyzer_get_strlen from kf-analyzer.cc.
            Handle "UNKNOWN" return from check_for_null_terminated_string_arg
            by falling back to a conjured svalue.
            (make_kf_strlen): New.
            (register_known_functions): Use make_kf_strlen.
            * known-function-manager.h (make_kf_strlen): New decl.

    gcc/testsuite/ChangeLog:
            PR analyzer/105899
            * gcc.dg/analyzer/null-terminated-strings-1.c: Update expected
            results on symbolic values.
            * gcc.dg/analyzer/strlen-1.c: New test.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

[Bug analyzer/105899] RFE: -fanalyzer could complain about misuses of standard C string APIs

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105899

--- Comment #5 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:5ef89c5c2f52a2c47fd26845d1f73e20b9081fc9

commit r14-3462-g5ef89c5c2f52a2c47fd26845d1f73e20b9081fc9
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Thu Aug 24 10:24:38 2023 -0400

    analyzer: handle symbolic bindings in scan_for_null_terminator [PR105899]

    gcc/analyzer/ChangeLog:
            PR analyzer/105899
            * region-model.cc (iterable_cluster::iterable_cluster): Add
            symbolic binding keys to m_symbolic_bindings.
            (iterable_cluster::has_symbolic_bindings_p): New.
            (iterable_cluster::m_symbolic_bindings): New field.
            (region_model::scan_for_null_terminator): Treat clusters with
            symbolic bindings as having unknown strlen.

    gcc/testsuite/ChangeLog:
            PR analyzer/105899
            * gcc.dg/analyzer/sprintf-1.c: Include "analyzer-decls.h".
            (test_strlen_1): New.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

[Bug analyzer/105899] RFE: -fanalyzer could complain about misuses of standard C string APIs

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105899

--- Comment #6 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:0ae07a7203dd24f90e49d025046e61ef90a9fd18

commit r14-3463-g0ae07a7203dd24f90e49d025046e61ef90a9fd18
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Thu Aug 24 10:24:38 2023 -0400

    analyzer: reimplement kf_strcpy [PR105899]

    This patch reimplements the analyzer's implementation of strcpy using
    the region_model::scan_for_null_terminator infrastructure, so that e.g.
    it can complain about out-of-bounds reads/writes, unterminated strings,
    etc.

    gcc/analyzer/ChangeLog:
            PR analyzer/105899
            * kf.cc (kf_strcpy::impl_call_pre): Reimplement using
            check_for_null_terminated_string_arg.
            * region-model.cc (region_model::get_store_bytes): Shortcut
            reading all of a string_region.
            (region_model::scan_for_null_terminator): Use get_store_value for
            the bytes rather than "unknown" when returning an unknown length.
            (region_model::write_bytes): New.
            * region-model.h (region_model::write_bytes): New decl.

    gcc/testsuite/ChangeLog:
            PR analyzer/105899
            * gcc.dg/analyzer/out-of-bounds-diagram-16.c: New test.
            * gcc.dg/analyzer/strcpy-1.c: Add test coverage.
            * gcc.dg/analyzer/strcpy-3.c: Likewise.
            * gcc.dg/analyzer/strcpy-4.c: New test.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

[Bug analyzer/105899] RFE: -fanalyzer could complain about misuses of standard C string APIs

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105899

--- Comment #7 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:603bdf906af6d42ce0dabee86efc1e0aec0f1900

commit r14-3464-g603bdf906af6d42ce0dabee86efc1e0aec0f1900
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Thu Aug 24 10:24:38 2023 -0400

    analyzer: eliminate region_model::get_string_size [PR105899]

    gcc/analyzer/ChangeLog:
            PR analyzer/105899
            * region-model.cc (region_model::get_string_size): Delete both.
            * region-model.h (region_model::get_string_size): Delete both
            decls.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

[Bug analyzer/105899] RFE: -fanalyzer could complain about misuses of standard C string APIs

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105899

--- Comment #8 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:d99d73c77d1e9cca5938134b4e6e068945cf50b1

commit r14-3466-gd99d73c77d1e9cca5938134b4e6e068945cf50b1
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Thu Aug 24 10:24:39 2023 -0400

    analyzer: handle strlen(INIT_VAL(STRING_REG)) [PR105899]

    gcc/analyzer/ChangeLog:
            PR analyzer/105899
            * region-model.cc (fragment::has_null_terminator): Move STRING_CST
            handling to fragment::string_cst_has_null_terminator; also use it
to
            handle INIT_VAL(STRING_REG).
            (fragment::string_cst_has_null_terminator): New, from above.

    gcc/testsuite/ChangeLog:
            PR analyzer/105899
            * gcc.dg/analyzer/strcpy-3.c (test_2): New.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

[Bug analyzer/105899] RFE: -fanalyzer could complain about misuses of standard C string APIs

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105899

--- Comment #9 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:46cb27e56f36f23cb277f8a5beae05235af05768

commit r14-3467-g46cb27e56f36f23cb277f8a5beae05235af05768
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Thu Aug 24 10:24:40 2023 -0400

    analyzer: handle INIT_VAL(ELEMENT_REG(STRING_REG), CONSTANT_SVAL)
[PR105899]

    gcc/analyzer/ChangeLog:
            PR analyzer/105899
            * region-model-manager.cc
            (region_model_manager::get_or_create_initial_value): Simplify
            INIT_VAL(ELEMENT_REG(STRING_REG), CONSTANT_SVAL) to
            CONSTANT_SVAL(STRING[N]).

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

[Bug analyzer/105899] RFE: -fanalyzer could complain about misuses of standard C string APIs

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105899

--- Comment #10 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:2bad0eeb5573e52c4b7b51546ecffcb17f46eda3

commit r14-3468-g2bad0eeb5573e52c4b7b51546ecffcb17f46eda3
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Thu Aug 24 10:24:40 2023 -0400

    analyzer: handle strlen(BITS_WITHIN) [PR105899]

    gcc/analyzer/ChangeLog:
            PR analyzer/105899
            * region-model.cc (fragment::has_null_terminator): Handle
            SK_BITS_WITHIN.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

[Bug analyzer/105899] RFE: -fanalyzer could complain about misuses of standard C string APIs

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105899

--- Comment #11 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:bbdc0e0d0042ae16aa4d09ceb52c71e746d9139d

commit r14-3469-gbbdc0e0d0042ae16aa4d09ceb52c71e746d9139d
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Thu Aug 24 10:24:40 2023 -0400

    analyzer: implement kf_strcat [PR105899]

    gcc/analyzer/ChangeLog:
            PR analyzer/105899
            * call-details.cc
            (call_details::check_for_null_terminated_string_arg): Split into
            overloads, one taking just an arg_idx, the other a new
            "include_terminator" param.
            * call-details.h: Likewise.
            * kf.cc (class kf_strcat): New.
            (kf_strcpy::impl_call_pre): Update for change to
            check_for_null_terminated_string_arg.
            (register_known_functions): Register kf_strcat.
            * region-model.cc
            (region_model::check_for_null_terminated_string_arg): Split into
            overloads, one taking just an arg_idx, the other a new
            "include_terminator" param.  When returning an svalue, handle
            "include_terminator" being false by subtracting one.
            * region-model.h
            (region_model::check_for_null_terminated_string_arg): Split into
            overloads, one taking just an arg_idx, the other a new
            "include_terminator" param.

    gcc/ChangeLog:
            PR analyzer/105899
            * doc/invoke.texi (Static Analyzer Options): Add "strcat" to the
            list of functions known to the analyzer.

    gcc/testsuite/ChangeLog:
            PR analyzer/105899
            * gcc.dg/analyzer/strcat-1.c: New test.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

[Bug analyzer/105899] RFE: -fanalyzer could complain about misuses of standard C string APIs

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105899

--- Comment #12 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:f687fc1ff6d4a44db87a35e9e3be7f20425bdacc

commit r14-3549-gf687fc1ff6d4a44db87a35e9e3be7f20425bdacc
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Tue Aug 29 10:57:42 2023 -0400

    analyzer: improve strdup handling [PR105899]

    gcc/analyzer/ChangeLog:
            PR analyzer/105899
            * kf.cc (kf_strdup::impl_call_pre): Set size of
            dynamically-allocated buffer.  Simulate copying the string from
            the source region to the new buffer.

    gcc/testsuite/ChangeLog:
            PR analyzer/105899
            * c-c++-common/analyzer/pr99193-2.c: Add
            -Wno-analyzer-too-complex.
            * gcc.dg/analyzer/strdup-1.c: Include "analyzer-decls.h".
            (test_concrete_strlen): New.
            (test_symbolic_strlen): New.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

[Bug analyzer/105899] RFE: -fanalyzer could complain about misuses of standard C string APIs

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105899

--- Comment #13 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:b51cde34d4e7504e821d935152c0ece0ce0dc74d

commit r14-3740-gb51cde34d4e7504e821d935152c0ece0ce0dc74d
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Wed Sep 6 09:32:01 2023 -0400

    analyzer: implement kf_strncpy [PR105899]

    gcc/analyzer/ChangeLog:
            PR analyzer/105899
            * kf.cc (class kf_strncpy): New.
            (kf_strncpy::impl_call_post): New.
            (register_known_functions): Register it.
            * region-model.cc (region_model::read_bytes): Handle unknown
            number of bytes.

    gcc/testsuite/ChangeLog:
            PR analyzer/105899
            * c-c++-common/analyzer/null-terminated-strings-2.c: New test.
            * c-c++-common/analyzer/overlapping-buffers.c: Update dg-bogus
            directives to avoid clashing with note from <string.h> that might
            happen to have the same line number.  Add strpncpy test coverage.
            * c-c++-common/analyzer/strncpy-1.c: New test.
            * gcc.dg/analyzer/null-terminated-strings-1.c
            (test_filled_nonzero): New.
            (void test_filled_zero): New.
            (test_filled_symbolic): New.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

[Bug analyzer/105899] RFE: -fanalyzer could complain about misuses of standard C string APIs

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105899

--- Comment #14 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:f2d7a4001a33884bc1dfd8da58e58dee18e3cd71

commit r14-3741-gf2d7a4001a33884bc1dfd8da58e58dee18e3cd71
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Wed Sep 6 09:32:07 2023 -0400

    analyzer: implement kf_strstr [PR105899]

    gcc/analyzer/ChangeLog:
            PR analyzer/105899
            * kf.cc (class kf_strstr): New.
            (kf_strstr::impl_call_post): New.
            (register_known_functions): Register it.

    gcc/testsuite/ChangeLog:
            PR analyzer/105899
            * c-c++-common/analyzer/strstr-1.c: New test.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>