public inbox for gcc-bugs@sourceware.org
* [Bug analyzer/106225] New: False positives from -Wanalyzer-tainted-divisor
From: dmalcolm at gcc dot gnu.org @ 2022-07-07 14:05 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106225
Bug ID: 106225
Summary: False positives from -Wanalyzer-tainted-divisor
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Target Milestone: ---
-Wanalyzer-tainted-divisor seems to be using the wrong logic for determining if a value has been checked for zeroness; consider:
#include <stdio.h>

struct st1
{
  int a;
  int b;
};

int test_checked_ne_zero (FILE *f)
{
  struct st1 s;
  fread (&s, sizeof (s), 1, f);
  if (s.b)
    return s.a / s.b;
  else
    return 0;
}
for which (with -fanalyzer -fanalyzer-checker=taint) trunk and gcc 12.1 erroneously emit:
<source>: In function 'test_checked_ne_zero':
<source>:14:16: warning: use of attacker-controlled value 's.b' as divisor without checking for zero [CWE-369] [-Wanalyzer-tainted-divisor]
   14 |     return s.a / s.b;
      |            ~~~~^~~~~
  'test_checked_ne_zero': events 1-3
    |
    |   13 |   if (s.b)
    |      |       ^
    |      |       |
    |      |       (1) following 'true' branch...
    |   14 |     return s.a / s.b;
    |      |            ~~~~~~~~~
    |      |                |   |
    |      |                |   (3) use of attacker-controlled value 's.b' as divisor without checking for zero
    |      |                (2) ...to here
    |
despite the check for zero at line 13.
https://godbolt.org/z/KK4K8h9z3
Reduced from a false positive seen on the Linux kernel in drivers/tty/vt/vt_ioctl.c (function vt_resizex).
* [Bug analyzer/106225] False positives from -Wanalyzer-tainted-divisor
From: dmalcolm at gcc dot gnu.org @ 2022-07-07 15:48 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106225
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Last reconfirmed|                            |2022-07-07
             Status|UNCONFIRMED                 |ASSIGNED
     Ever confirmed|0                           |1
--- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
I'm testing a fix for this.
* [Bug analyzer/106225] False positives from -Wanalyzer-tainted-divisor
From: cvs-commit at gcc dot gnu.org @ 2022-07-07 19:56 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106225
--- Comment #2 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:
https://gcc.gnu.org/g:897b3b31f0a94b8bac59c6061655c6a32646d0a0
commit r13-1562-g897b3b31f0a94b8bac59c6061655c6a32646d0a0
Author: David Malcolm <dmalcolm@redhat.com>
Date: Thu Jul 7 15:50:26 2022 -0400
analyzer: fix false positives from -Wanalyzer-tainted-divisor [PR106225]
gcc/analyzer/ChangeLog:
	PR analyzer/106225
	* sm-taint.cc (taint_state_machine::on_stmt): Move handling of
	assignments from division to...
	(taint_state_machine::check_for_tainted_divisor): ...this new
	function.  Reject warning when the divisor is known to be non-zero.
	* sm.cc: Include "analyzer/program-state.h".
	(sm_context::get_old_region_model): New.
	* sm.h (sm_context::get_old_region_model): New decl.

gcc/testsuite/ChangeLog:
	PR analyzer/106225
	* gcc.dg/analyzer/taint-divisor-1.c: Add test coverage for various
	correct and incorrect checks against zero.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
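An added example in the spirit of the "correct and incorrect checks against zero" the commit says it covers: it is written for this page, not the project's own gcc.dg/analyzer/taint-divisor-1.c, and reuses only the reporter's struct st1 and fread pattern; the function names and the run_on helper are invented here. Built with -fanalyzer -fanalyzer-checker=taint on a fixed compiler, the function labelled correct should be silent while the two labelled incorrect should still draw -Wanalyzer-tainted-divisor, since zero remains reachable on their dividing paths.

```c
#include <stdio.h>

struct st1 { int a; int b; };

/* Correct (the reporter's shape): on the 'true' branch s.b is known to be
   non-zero, so no -Wanalyzer-tainted-divisor warning is expected.  */
int divide_checked_truthy (FILE *f)
{
  struct st1 s;
  fread (&s, sizeof (s), 1, f);
  if (s.b)
    return s.a / s.b;
  else
    return 0;
}

/* Incorrect: tests the wrong field; s.b is still attacker-controlled and
   may be zero, so a warning is expected here.  */
int divide_checked_wrong_field (FILE *f)
{
  struct st1 s;
  fread (&s, sizeof (s), 1, f);
  return s.a ? s.a / s.b : 0;
}

/* Incorrect: non-negativity does not exclude zero; a warning is expected.  */
int divide_checked_nonneg (FILE *f)
{
  struct st1 s;
  fread (&s, sizeof (s), 1, f);
  return s.b >= 0 ? s.a / s.b : 0;
}

/* Test helper (invented here): feeds a constructed record to FN through a
   temporary file, standing in for the untrusted stream in the report.
   Callers must not pick a record that makes an incorrect check divide by 0.  */
int run_on (int (*fn) (FILE *), int a, int b)
{
  struct st1 rec = { a, b };
  FILE *f = tmpfile ();
  int result = -1;
  if (!f)
    return result;
  fwrite (&rec, sizeof (rec), 1, f);
  rewind (f);
  result = fn (f);
  fclose (f);
  return result;
}
```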
* [Bug analyzer/106225] False positives from -Wanalyzer-tainted-divisor
From: dmalcolm at gcc dot gnu.org @ 2022-07-07 20:08 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106225
--- Comment #3 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Fixed on trunk for gcc 13 by the above commit. Keeping this open to backport to gcc 12.
* [Bug analyzer/106225] False positives from -Wanalyzer-tainted-divisor
From: cvs-commit at gcc dot gnu.org @ 2022-07-27 21:56 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106225
--- Comment #4 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-12 branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:
https://gcc.gnu.org/g:71a4f739c218746df70612eeb844024d1fe206bb
commit r12-8638-g71a4f739c218746df70612eeb844024d1fe206bb
Author: David Malcolm <dmalcolm@redhat.com>
Date: Wed Jul 27 17:38:55 2022 -0400
analyzer: fix false positives from -Wanalyzer-tainted-divisor [PR106225]
(cherry picked from r13-1562-g897b3b31f0a94b)
gcc/analyzer/ChangeLog:
	PR analyzer/106225
	* sm-taint.cc (taint_state_machine::on_stmt): Move handling of
	assignments from division to...
	(taint_state_machine::check_for_tainted_divisor): ...this new
	function.  Reject warning when the divisor is known to be non-zero.
	* sm.cc: Include "analyzer/program-state.h".
	(sm_context::get_old_region_model): New.
	* sm.h (sm_context::get_old_region_model): New decl.

gcc/testsuite/ChangeLog:
	PR analyzer/106225
	* gcc.dg/analyzer/taint-divisor-1.c: Add test coverage for various
	correct and incorrect checks against zero.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
* [Bug analyzer/106225] False positives from -Wanalyzer-tainted-divisor
From: dmalcolm at gcc dot gnu.org @ 2022-07-27 22:08 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106225
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED
--- Comment #5 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Backported to gcc 12, so marking as resolved.