[Bug analyzer/106000] New: RFE: -fanalyzer should complain about definite buffer overflows/underflows

[Bug analyzer/106000] New: RFE: -fanalyzer should complain about definite buffer overflows/underflows

[dmalcolm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000

            Bug ID: 106000
           Summary: RFE: -fanalyzer should complain about definite buffer
                    overflows/underflows
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: dmalcolm at gcc dot gnu.org
            Blocks: 105887
  Target Milestone: ---

I attempted to implement buffer-overflow (and underflow) detection for GCC 12,
trying to categorize all region accesses as either:
(a) definitely in-bounds
(b) definitely out-of-bounds
(c) possibly out-of-bounds

Unfortunately my implementation led to a "wall of noise" level of warnings from
(c).  It now strikes me that we could at least implement warnings for (b) -
where we can see definite problems, and that this might be at least somewhat
useful.

Compare with:
 
https://clang.llvm.org/docs/analyzer/checkers.html#alpha-security-arraybound-c
 
https://clang.llvm.org/docs/analyzer/checkers.html#alpha-security-arrayboundv2-c


Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105887
[Bug 105887] [meta-bug] clang analyzer warnings that GCC's -fanalyzer could
implement

[Bug analyzer/106000] RFE: -fanalyzer should complain about definite buffer overflows/underflows

[Painololo at protonmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000

John Klein <Painololo at protonmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |Painololo at protonmail dot com

--- Comment #1 from John Klein <Painololo at protonmail dot com> ---
Thanks for the decision. Saw a similar one at
https://www.wildtornado.casino/games/casino_slots/.

[Bug analyzer/106000] RFE: -fanalyzer should complain about definite buffer overflows/underflows

[dmalcolm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000

--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
See also:
  https://cwe.mitre.org/data/definitions/468.html

[Bug analyzer/106000] RFE: -fanalyzer should complain about memory accesses that are definitely out-of-bounds

[dmalcolm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|RFE: -fanalyzer should      |RFE: -fanalyzer should
                   |complain about definite     |complain about memory
                   |buffer overflows/underflows |accesses that are
                   |                            |definitely out-of-bounds

--- Comment #3 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
"out-of-bounds" is more precise than "buffer overflow/underflow" so updating
the title accordingly

[Bug analyzer/106000] RFE: -fanalyzer should complain about memory accesses that are definitely out-of-bounds

[dmalcolm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000

--- Comment #4 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
For example, the "classic test" referred to in section 1.2 of
  https://open-std.org/JTC1/SC22/WG14/www/docs/n3005.pdf

has:

#include <stdio.h>
#include <string.h>
int y=2, x=1;
int main() {
  int *p = &x + 1;
  int *q = &y;
  printf("Addresses: p=%p q=%p\n" ,(void*)p,(void*)q);
  if (memcmp(&p, &q, sizeof(p)) == 0) {
    *p = 11;   // does  this  have  undefined  behaviour?
    printf("x=%d y=%d *p=%d *q=%d\n",x,y,*p,*q);
  }
}

where N3005 notes that "the mere formation of the &x+1 one-past pointer is
explicitly permitted by the ISO standard".

I think -fanalyzer ought to complain with an definite-out-of-bounds warning at
the *p dereference: assuming sizeof(int) == 4, we'd have a decl_region of size
4, where only bytes 0 to 3 are validly accessible, whereas here the code
attempts to accessing bytes 4-7 of the decl_region for x, which is
out-of-bounds.

(I think the memcpy result would be a conjured_svalue, and hence we would
consider both true and false out-edges after the test; if the user is relying
on the two vars to be next to each other in memory we ought to be warning them
about that)

[Bug analyzer/106000] RFE: -fanalyzer should complain about memory accesses that are definitely out-of-bounds

[dmalcolm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000

--- Comment #5 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Consider also:

   write (fd, "hello world", 200);

where the write call is definitely going to access beyond the string literal.

[Bug analyzer/106000] RFE: -fanalyzer should complain about memory accesses that are definitely out-of-bounds

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000

--- Comment #6 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Tim Lange <tlange@gcc.gnu.org>:

https://gcc.gnu.org/g:7e3b45befdbbf1a1f9ff728fa2bac31b4756907c

commit r13-2029-g7e3b45befdbbf1a1f9ff728fa2bac31b4756907c
Author: Tim Lange <mail@tim-lange.me>
Date:   Fri Aug 12 10:27:16 2022 +0200

    analyzer: out-of-bounds checker [PR106000]

    This patch adds an experimental out-of-bounds checker to the analyzer.

    The checker was tested on coreutils, curl, httpd and openssh. It is mostly
    accurate but does produce false-positives on yacc-generated files and
    sometimes when the analyzer misses an invariant. These cases will be
    documented in bugzilla.
    Regression-tested on Linux x86-64, further ran the analyzer tests with
    the -m32 option.

    2022-08-11  Tim Lange  <mail@tim-lange.me>

    gcc/analyzer/ChangeLog:

            PR analyzer/106000
            * analyzer.opt: Add Wanalyzer-out-of-bounds.
            * region-model.cc (class out_of_bounds): Diagnostics base class
            for all out-of-bounds diagnostics.
            (class past_the_end): Base class derived from out_of_bounds for
            the buffer_overflow and buffer_overread diagnostics.
            (class buffer_overflow): Buffer overflow diagnostics.
            (class buffer_overread): Buffer overread diagnostics.
            (class buffer_underflow): Buffer underflow diagnostics.
            (class buffer_underread): Buffer overread diagnostics.
            (region_model::check_region_bounds): New function to check region
            bounds for out-of-bounds accesses.
            (region_model::check_region_access):
            Add call to check_region_bounds.
            (region_model::get_representative_tree): New function that accepts
            a region instead of an svalue.
            * region-model.h (class region_model):
            Add region_model::check_region_bounds.
            * region.cc (region::symbolic_p): New predicate.
            (offset_region::get_byte_size_sval): Only return the remaining
            byte size on offset_regions.
            * region.h: Add region::symbolic_p.
            * store.cc (byte_range::intersects_p):
            Add new function equivalent to bit_range::intersects_p.
            (byte_range::exceeds_p): New function.
            (byte_range::falls_short_of_p): New function.
            * store.h (struct byte_range): Add byte_range::intersects_p,
            byte_range::exceeds_p and byte_range::falls_short_of_p.

    gcc/ChangeLog:

            PR analyzer/106000
            * doc/invoke.texi: Add Wanalyzer-out-of-bounds.

    gcc/testsuite/ChangeLog:

            PR analyzer/106000
            * g++.dg/analyzer/pr100244.C: Disable out-of-bounds warning.
            * gcc.dg/analyzer/allocation-size-3.c:
            Disable out-of-bounds warning.
            * gcc.dg/analyzer/memcpy-2.c: Disable out-of-bounds warning.
            * gcc.dg/analyzer/pr101962.c: Add dg-warning.
            * gcc.dg/analyzer/pr96764.c: Disable out-of-bounds warning.
            * gcc.dg/analyzer/pr97029.c:
            Add dummy buffer to prevent an out-of-bounds warning.
            * gcc.dg/analyzer/realloc-5.c: Add dg-warning.
            * gcc.dg/analyzer/test-setjmp.h:
            Add dummy buffer to prevent an out-of-bounds warning.
            * gcc.dg/analyzer/zlib-3.c: Add dg-bogus.
            * g++.dg/analyzer/out-of-bounds-placement-new.C: New test.
            * gcc.dg/analyzer/out-of-bounds-1.c: New test.
            * gcc.dg/analyzer/out-of-bounds-2.c: New test.
            * gcc.dg/analyzer/out-of-bounds-3.c: New test.
            * gcc.dg/analyzer/out-of-bounds-container_of.c: New test.
            * gcc.dg/analyzer/out-of-bounds-coreutils.c: New test.
            * gcc.dg/analyzer/out-of-bounds-curl.c: New test.

[Bug analyzer/106000] RFE: -fanalyzer should complain about memory accesses that are definitely out-of-bounds

[dmalcolm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |FIXED

--- Comment #7 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Tim implemented this in the above patch; marking this as resolved.

[Bug analyzer/106000] RFE: -fanalyzer should complain about memory accesses that are definitely out-of-bounds

[dmalcolm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |109432

--- Comment #8 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Adding to -Wanalyzer-out-of-bounds tracker bug to make it easier to find.


Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109432
[Bug 109432] [meta-bug] tracker bug for issues with -Wanalyzer-out-of-bounds