public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug analyzer/106000] New: RFE: -fanalyzer should complain about definite buffer overflows/underflows
@ 2022-06-16 12:59 dmalcolm at gcc dot gnu.org
2022-06-16 13:31 ` [Bug analyzer/106000] " Painololo at protonmail dot com
` (7 more replies)
0 siblings, 8 replies; 9+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2022-06-16 12:59 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000
Bug ID: 106000
Summary: RFE: -fanalyzer should complain about definite buffer
overflows/underflows
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Blocks: 105887
Target Milestone: ---
I attempted to implement buffer-overflow (and underflow) detection for GCC 12,
trying to categorize all region accesses as either:
(a) definitely in-bounds
(b) definitely out-of-bounds
(c) possibly out-of-bounds
Unfortunately my implementation led to a "wall of noise" level of warnings from
(c). It now strikes me that we could at least implement warnings for (b) -
where we can see definite problems, and that this might be at least somewhat
useful.
Compare with:
https://clang.llvm.org/docs/analyzer/checkers.html#alpha-security-arraybound-c
https://clang.llvm.org/docs/analyzer/checkers.html#alpha-security-arrayboundv2-c
Referenced Bugs:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105887
[Bug 105887] [meta-bug] clang analyzer warnings that GCC's -fanalyzer could
implement
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug analyzer/106000] RFE: -fanalyzer should complain about definite buffer overflows/underflows
2022-06-16 12:59 [Bug analyzer/106000] New: RFE: -fanalyzer should complain about definite buffer overflows/underflows dmalcolm at gcc dot gnu.org
@ 2022-06-16 13:31 ` Painololo at protonmail dot com
2022-06-16 13:49 ` dmalcolm at gcc dot gnu.org
` (6 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Painololo at protonmail dot com @ 2022-06-16 13:31 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000
John Klein <Painololo at protonmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |Painololo at protonmail dot com
--- Comment #1 from John Klein <Painololo at protonmail dot com> ---
Thanks for the decision. Saw a similar one at
https://www.wildtornado.casino/games/casino_slots/.
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug analyzer/106000] RFE: -fanalyzer should complain about definite buffer overflows/underflows
2022-06-16 12:59 [Bug analyzer/106000] New: RFE: -fanalyzer should complain about definite buffer overflows/underflows dmalcolm at gcc dot gnu.org
2022-06-16 13:31 ` [Bug analyzer/106000] " Painololo at protonmail dot com
@ 2022-06-16 13:49 ` dmalcolm at gcc dot gnu.org
2022-07-01 14:34 ` [Bug analyzer/106000] RFE: -fanalyzer should complain about memory accesses that are definitely out-of-bounds dmalcolm at gcc dot gnu.org
` (5 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2022-06-16 13:49 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000
--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
See also:
https://cwe.mitre.org/data/definitions/468.html
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug analyzer/106000] RFE: -fanalyzer should complain about memory accesses that are definitely out-of-bounds
2022-06-16 12:59 [Bug analyzer/106000] New: RFE: -fanalyzer should complain about definite buffer overflows/underflows dmalcolm at gcc dot gnu.org
2022-06-16 13:31 ` [Bug analyzer/106000] " Painololo at protonmail dot com
2022-06-16 13:49 ` dmalcolm at gcc dot gnu.org
@ 2022-07-01 14:34 ` dmalcolm at gcc dot gnu.org
2022-07-02 10:07 ` dmalcolm at gcc dot gnu.org
` (4 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2022-07-01 14:34 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|RFE: -fanalyzer should |RFE: -fanalyzer should
|complain about definite |complain about memory
|buffer overflows/underflows |accesses that are
| |definitely out-of-bounds
--- Comment #3 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
"out-of-bounds" is more precise than "buffer overflow/underflow" so updating
the title accordingly
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug analyzer/106000] RFE: -fanalyzer should complain about memory accesses that are definitely out-of-bounds
2022-06-16 12:59 [Bug analyzer/106000] New: RFE: -fanalyzer should complain about definite buffer overflows/underflows dmalcolm at gcc dot gnu.org
` (2 preceding siblings ...)
2022-07-01 14:34 ` [Bug analyzer/106000] RFE: -fanalyzer should complain about memory accesses that are definitely out-of-bounds dmalcolm at gcc dot gnu.org
@ 2022-07-02 10:07 ` dmalcolm at gcc dot gnu.org
2022-07-03 19:44 ` dmalcolm at gcc dot gnu.org
` (3 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2022-07-02 10:07 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000
--- Comment #4 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
For example, the "classic test" referred to in section 1.2 of
https://open-std.org/JTC1/SC22/WG14/www/docs/n3005.pdf
has:
#include <stdio.h>
#include <string.h>
int y=2, x=1;
int main() {
int *p = &x + 1;
int *q = &y;
printf("Addresses: p=%p q=%p\n" ,(void*)p,(void*)q);
if (memcmp(&p, &q, sizeof(p)) == 0) {
*p = 11; // does this have undefined behaviour?
printf("x=%d y=%d *p=%d *q=%d\n",x,y,*p,*q);
}
}
where N3005 notes that "the mere formation of the &x+1 one-past pointer is
explicitly permitted by the ISO standard".
I think -fanalyzer ought to complain with an definite-out-of-bounds warning at
the *p dereference: assuming sizeof(int) == 4, we'd have a decl_region of size
4, where only bytes 0 to 3 are validly accessible, whereas here the code
attempts to accessing bytes 4-7 of the decl_region for x, which is
out-of-bounds.
(I think the memcpy result would be a conjured_svalue, and hence we would
consider both true and false out-edges after the test; if the user is relying
on the two vars to be next to each other in memory we ought to be warning them
about that)
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug analyzer/106000] RFE: -fanalyzer should complain about memory accesses that are definitely out-of-bounds
2022-06-16 12:59 [Bug analyzer/106000] New: RFE: -fanalyzer should complain about definite buffer overflows/underflows dmalcolm at gcc dot gnu.org
` (3 preceding siblings ...)
2022-07-02 10:07 ` dmalcolm at gcc dot gnu.org
@ 2022-07-03 19:44 ` dmalcolm at gcc dot gnu.org
2022-08-12 9:14 ` cvs-commit at gcc dot gnu.org
` (2 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2022-07-03 19:44 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000
--- Comment #5 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Consider also:
write (fd, "hello world", 200);
where the write call is definitely going to access beyond the string literal.
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug analyzer/106000] RFE: -fanalyzer should complain about memory accesses that are definitely out-of-bounds
2022-06-16 12:59 [Bug analyzer/106000] New: RFE: -fanalyzer should complain about definite buffer overflows/underflows dmalcolm at gcc dot gnu.org
` (4 preceding siblings ...)
2022-07-03 19:44 ` dmalcolm at gcc dot gnu.org
@ 2022-08-12 9:14 ` cvs-commit at gcc dot gnu.org
2022-10-06 20:01 ` dmalcolm at gcc dot gnu.org
2023-04-07 12:40 ` dmalcolm at gcc dot gnu.org
7 siblings, 0 replies; 9+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2022-08-12 9:14 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000
--- Comment #6 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Tim Lange <tlange@gcc.gnu.org>:
https://gcc.gnu.org/g:7e3b45befdbbf1a1f9ff728fa2bac31b4756907c
commit r13-2029-g7e3b45befdbbf1a1f9ff728fa2bac31b4756907c
Author: Tim Lange <mail@tim-lange.me>
Date: Fri Aug 12 10:27:16 2022 +0200
analyzer: out-of-bounds checker [PR106000]
This patch adds an experimental out-of-bounds checker to the analyzer.
The checker was tested on coreutils, curl, httpd and openssh. It is mostly
accurate but does produce false-positives on yacc-generated files and
sometimes when the analyzer misses an invariant. These cases will be
documented in bugzilla.
Regression-tested on Linux x86-64, further ran the analyzer tests with
the -m32 option.
2022-08-11 Tim Lange <mail@tim-lange.me>
gcc/analyzer/ChangeLog:
PR analyzer/106000
* analyzer.opt: Add Wanalyzer-out-of-bounds.
* region-model.cc (class out_of_bounds): Diagnostics base class
for all out-of-bounds diagnostics.
(class past_the_end): Base class derived from out_of_bounds for
the buffer_overflow and buffer_overread diagnostics.
(class buffer_overflow): Buffer overflow diagnostics.
(class buffer_overread): Buffer overread diagnostics.
(class buffer_underflow): Buffer underflow diagnostics.
(class buffer_underread): Buffer overread diagnostics.
(region_model::check_region_bounds): New function to check region
bounds for out-of-bounds accesses.
(region_model::check_region_access):
Add call to check_region_bounds.
(region_model::get_representative_tree): New function that accepts
a region instead of an svalue.
* region-model.h (class region_model):
Add region_model::check_region_bounds.
* region.cc (region::symbolic_p): New predicate.
(offset_region::get_byte_size_sval): Only return the remaining
byte size on offset_regions.
* region.h: Add region::symbolic_p.
* store.cc (byte_range::intersects_p):
Add new function equivalent to bit_range::intersects_p.
(byte_range::exceeds_p): New function.
(byte_range::falls_short_of_p): New function.
* store.h (struct byte_range): Add byte_range::intersects_p,
byte_range::exceeds_p and byte_range::falls_short_of_p.
gcc/ChangeLog:
PR analyzer/106000
* doc/invoke.texi: Add Wanalyzer-out-of-bounds.
gcc/testsuite/ChangeLog:
PR analyzer/106000
* g++.dg/analyzer/pr100244.C: Disable out-of-bounds warning.
* gcc.dg/analyzer/allocation-size-3.c:
Disable out-of-bounds warning.
* gcc.dg/analyzer/memcpy-2.c: Disable out-of-bounds warning.
* gcc.dg/analyzer/pr101962.c: Add dg-warning.
* gcc.dg/analyzer/pr96764.c: Disable out-of-bounds warning.
* gcc.dg/analyzer/pr97029.c:
Add dummy buffer to prevent an out-of-bounds warning.
* gcc.dg/analyzer/realloc-5.c: Add dg-warning.
* gcc.dg/analyzer/test-setjmp.h:
Add dummy buffer to prevent an out-of-bounds warning.
* gcc.dg/analyzer/zlib-3.c: Add dg-bogus.
* g++.dg/analyzer/out-of-bounds-placement-new.C: New test.
* gcc.dg/analyzer/out-of-bounds-1.c: New test.
* gcc.dg/analyzer/out-of-bounds-2.c: New test.
* gcc.dg/analyzer/out-of-bounds-3.c: New test.
* gcc.dg/analyzer/out-of-bounds-container_of.c: New test.
* gcc.dg/analyzer/out-of-bounds-coreutils.c: New test.
* gcc.dg/analyzer/out-of-bounds-curl.c: New test.
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug analyzer/106000] RFE: -fanalyzer should complain about memory accesses that are definitely out-of-bounds
2022-06-16 12:59 [Bug analyzer/106000] New: RFE: -fanalyzer should complain about definite buffer overflows/underflows dmalcolm at gcc dot gnu.org
` (5 preceding siblings ...)
2022-08-12 9:14 ` cvs-commit at gcc dot gnu.org
@ 2022-10-06 20:01 ` dmalcolm at gcc dot gnu.org
2023-04-07 12:40 ` dmalcolm at gcc dot gnu.org
7 siblings, 0 replies; 9+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2022-10-06 20:01 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
Resolution|--- |FIXED
--- Comment #7 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Tim implemented this in the above patch; marking this as resolved.
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug analyzer/106000] RFE: -fanalyzer should complain about memory accesses that are definitely out-of-bounds
2022-06-16 12:59 [Bug analyzer/106000] New: RFE: -fanalyzer should complain about definite buffer overflows/underflows dmalcolm at gcc dot gnu.org
` (6 preceding siblings ...)
2022-10-06 20:01 ` dmalcolm at gcc dot gnu.org
@ 2023-04-07 12:40 ` dmalcolm at gcc dot gnu.org
7 siblings, 0 replies; 9+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2023-04-07 12:40 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |109432
--- Comment #8 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Adding to -Wanalyzer-out-of-bounds tracker bug to make it easier to find.
Referenced Bugs:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109432
[Bug 109432] [meta-bug] tracker bug for issues with -Wanalyzer-out-of-bounds
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2023-04-07 12:40 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-06-16 12:59 [Bug analyzer/106000] New: RFE: -fanalyzer should complain about definite buffer overflows/underflows dmalcolm at gcc dot gnu.org
2022-06-16 13:31 ` [Bug analyzer/106000] " Painololo at protonmail dot com
2022-06-16 13:49 ` dmalcolm at gcc dot gnu.org
2022-07-01 14:34 ` [Bug analyzer/106000] RFE: -fanalyzer should complain about memory accesses that are definitely out-of-bounds dmalcolm at gcc dot gnu.org
2022-07-02 10:07 ` dmalcolm at gcc dot gnu.org
2022-07-03 19:44 ` dmalcolm at gcc dot gnu.org
2022-08-12 9:14 ` cvs-commit at gcc dot gnu.org
2022-10-06 20:01 ` dmalcolm at gcc dot gnu.org
2023-04-07 12:40 ` dmalcolm at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).