public inbox for gcc-bugs@sourceware.org help / color / mirror / Atom feed
* [Bug analyzer/106225] New: False positives from -Wanalyzer-tainted-divisor
@ 2022-07-07 14:05 dmalcolm at gcc dot gnu.org
2022-07-07 15:48 ` [Bug analyzer/106225] " dmalcolm at gcc dot gnu.org
` (4 more replies)
0 siblings, 5 replies; 6+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2022-07-07 14:05 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106225
Bug ID: 106225
Summary: False positives from -Wanalyzer-tainted-divisor
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Target Milestone: ---
-Wanalyzer-tainted-divisor seems to be using the wrong logic for determining if
a value has been checked for zeroness; consider:
#include <stdio.h>
struct st1
{
int a;
int b;
};
int test_checked_ne_zero (FILE *f)
{
struct st1 s;
fread (&s, sizeof (s), 1, f);
if (s.b)
return s.a / s.b;
else
return 0;
}
for which (with -fanalyzer -fanalyzer-checker=taint) trunk and gcc 12.1
erroneously emit:
<source>: In function 'test_checked_ne_zero':
<source>:14:16: warning: use of attacker-controlled value 's.b' as divisor
without checking for zero [CWE-369] [-Wanalyzer-tainted-divisor]
14 | return s.a / s.b;
| ~~~~^~~~~
'test_checked_ne_zero': events 1-3
|
| 13 | if (s.b)
| | ^
| | |
| | (1) following 'true' branch...
| 14 | return s.a / s.b;
| | ~~~~~~~~~
| | | |
| | | (3) use of attacker-controlled value 's.b' as
divisor without checking for zero
| | (2) ...to here
|
despite the check for zero at line 13.
https://godbolt.org/z/KK4K8h9z3
Reduced from false positive seen on Linux kernel in drivers/tty/vt/vt_ioctl.c:
(function vt_resizex).
^ permalink raw reply [flat|nested] 6+ messages in thread* [Bug analyzer/106225] False positives from -Wanalyzer-tainted-divisor 2022-07-07 14:05 [Bug analyzer/106225] New: False positives from -Wanalyzer-tainted-divisor dmalcolm at gcc dot gnu.org @ 2022-07-07 15:48 ` dmalcolm at gcc dot gnu.org 2022-07-07 19:56 ` cvs-commit at gcc dot gnu.org ` (3 subsequent siblings) 4 siblings, 0 replies; 6+ messages in thread From: dmalcolm at gcc dot gnu.org @ 2022-07-07 15:48 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106225 David Malcolm <dmalcolm at gcc dot gnu.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Last reconfirmed| |2022-07-07 Status|UNCONFIRMED |ASSIGNED Ever confirmed|0 |1 --- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> --- I'm testing a fix for this. ^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug analyzer/106225] False positives from -Wanalyzer-tainted-divisor 2022-07-07 14:05 [Bug analyzer/106225] New: False positives from -Wanalyzer-tainted-divisor dmalcolm at gcc dot gnu.org 2022-07-07 15:48 ` [Bug analyzer/106225] " dmalcolm at gcc dot gnu.org @ 2022-07-07 19:56 ` cvs-commit at gcc dot gnu.org 2022-07-07 20:08 ` dmalcolm at gcc dot gnu.org ` (2 subsequent siblings) 4 siblings, 0 replies; 6+ messages in thread From: cvs-commit at gcc dot gnu.org @ 2022-07-07 19:56 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106225 --- Comment #2 from CVS Commits <cvs-commit at gcc dot gnu.org> --- The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>: https://gcc.gnu.org/g:897b3b31f0a94b8bac59c6061655c6a32646d0a0 commit r13-1562-g897b3b31f0a94b8bac59c6061655c6a32646d0a0 Author: David Malcolm <dmalcolm@redhat.com> Date: Thu Jul 7 15:50:26 2022 -0400 analyzer: fix false positives from -Wanalyzer-tainted-divisor [PR106225] gcc/analyzer/ChangeLog: PR analyzer/106225 * sm-taint.cc (taint_state_machine::on_stmt): Move handling of assignments from division to... (taint_state_machine::check_for_tainted_divisor): ...this new function. Reject warning when the divisor is known to be non-zero. * sm.cc: Include "analyzer/program-state.h". (sm_context::get_old_region_model): New. * sm.h (sm_context::get_old_region_model): New decl. gcc/testsuite/ChangeLog: PR analyzer/106225 * gcc.dg/analyzer/taint-divisor-1.c: Add test coverage for various correct and incorrect checks against zero. Signed-off-by: David Malcolm <dmalcolm@redhat.com> ^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug analyzer/106225] False positives from -Wanalyzer-tainted-divisor 2022-07-07 14:05 [Bug analyzer/106225] New: False positives from -Wanalyzer-tainted-divisor dmalcolm at gcc dot gnu.org 2022-07-07 15:48 ` [Bug analyzer/106225] " dmalcolm at gcc dot gnu.org 2022-07-07 19:56 ` cvs-commit at gcc dot gnu.org @ 2022-07-07 20:08 ` dmalcolm at gcc dot gnu.org 2022-07-27 21:56 ` cvs-commit at gcc dot gnu.org 2022-07-27 22:08 ` dmalcolm at gcc dot gnu.org 4 siblings, 0 replies; 6+ messages in thread From: dmalcolm at gcc dot gnu.org @ 2022-07-07 20:08 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106225 --- Comment #3 from David Malcolm <dmalcolm at gcc dot gnu.org> --- Fixed on trunk for gcc 13 by the above commit. Keeping this open to backport to gcc 12. ^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug analyzer/106225] False positives from -Wanalyzer-tainted-divisor 2022-07-07 14:05 [Bug analyzer/106225] New: False positives from -Wanalyzer-tainted-divisor dmalcolm at gcc dot gnu.org ` (2 preceding siblings ...) 2022-07-07 20:08 ` dmalcolm at gcc dot gnu.org @ 2022-07-27 21:56 ` cvs-commit at gcc dot gnu.org 2022-07-27 22:08 ` dmalcolm at gcc dot gnu.org 4 siblings, 0 replies; 6+ messages in thread From: cvs-commit at gcc dot gnu.org @ 2022-07-27 21:56 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106225 --- Comment #4 from CVS Commits <cvs-commit at gcc dot gnu.org> --- The releases/gcc-12 branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>: https://gcc.gnu.org/g:71a4f739c218746df70612eeb844024d1fe206bb commit r12-8638-g71a4f739c218746df70612eeb844024d1fe206bb Author: David Malcolm <dmalcolm@redhat.com> Date: Wed Jul 27 17:38:55 2022 -0400 analyzer: fix false positives from -Wanalyzer-tainted-divisor [PR106225] (cherry picked from r13-1562-g897b3b31f0a94b) gcc/analyzer/ChangeLog: PR analyzer/106225 * sm-taint.cc (taint_state_machine::on_stmt): Move handling of assignments from division to... (taint_state_machine::check_for_tainted_divisor): ...this new function. Reject warning when the divisor is known to be non-zero. * sm.cc: Include "analyzer/program-state.h". (sm_context::get_old_region_model): New. * sm.h (sm_context::get_old_region_model): New decl. gcc/testsuite/ChangeLog: PR analyzer/106225 * gcc.dg/analyzer/taint-divisor-1.c: Add test coverage for various correct and incorrect checks against zero. Signed-off-by: David Malcolm <dmalcolm@redhat.com> ^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug analyzer/106225] False positives from -Wanalyzer-tainted-divisor 2022-07-07 14:05 [Bug analyzer/106225] New: False positives from -Wanalyzer-tainted-divisor dmalcolm at gcc dot gnu.org ` (3 preceding siblings ...) 2022-07-27 21:56 ` cvs-commit at gcc dot gnu.org @ 2022-07-27 22:08 ` dmalcolm at gcc dot gnu.org 4 siblings, 0 replies; 6+ messages in thread From: dmalcolm at gcc dot gnu.org @ 2022-07-27 22:08 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106225 David Malcolm <dmalcolm at gcc dot gnu.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|ASSIGNED |RESOLVED --- Comment #5 from David Malcolm <dmalcolm at gcc dot gnu.org> --- Backported to gcc 12, so marking as resolved. ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2022-07-27 22:08 UTC | newest] Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2022-07-07 14:05 [Bug analyzer/106225] New: False positives from -Wanalyzer-tainted-divisor dmalcolm at gcc dot gnu.org 2022-07-07 15:48 ` [Bug analyzer/106225] " dmalcolm at gcc dot gnu.org 2022-07-07 19:56 ` cvs-commit at gcc dot gnu.org 2022-07-07 20:08 ` dmalcolm at gcc dot gnu.org 2022-07-27 21:56 ` cvs-commit at gcc dot gnu.org 2022-07-27 22:08 ` dmalcolm at gcc dot gnu.org
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).