From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id 331863857B83; Mon, 15 Aug 2022 12:36:05 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 331863857B83 From: "dmalcolm at gcc dot gnu.org" To: gcc-bugs@gcc.gnu.org Subject: [Bug analyzer/106625] New: RFE: support some symbolic values in -Wanalyzer-out-of-bounds Date: Mon, 15 Aug 2022 12:36:01 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: gcc X-Bugzilla-Component: analyzer X-Bugzilla-Version: 13.0 X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: dmalcolm at gcc dot gnu.org X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P3 X-Bugzilla-Assigned-To: dmalcolm at gcc dot gnu.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter target_milestone Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: gcc-bugs@gcc.gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gcc-bugs mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 15 Aug 2022 12:36:05 -0000 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D106625 Bug ID: 106625 Summary: RFE: support some symbolic values in -Wanalyzer-out-of-bounds Product: gcc Version: 13.0 Status: UNCONFIRMED Severity: normal Priority: P3 Component: analyzer Assignee: dmalcolm at gcc dot gnu.org Reporter: dmalcolm at gcc dot gnu.org Target Milestone: --- Currently -Wanalyzer-out-of-bounds only warns when: * the size of the memory access is constant, rather than symbolic, and=20 * the capacity of the underlying memory region being accessed is constant, rather than symbolic, and * the offset of the memory access is constant, rather than symbolic I'd like to eventually generalize the warning so that it can "do something sensible" when at least some of the above are symbolic - for some meaning of "something sensible". I'm not quite sure what subset we can support, but -Wanalyzer-out-of-bounds should probably continue to restrict itself to "definitely out-of-bounds" cases. For example, consider the classic mistake in C of confusing the size vs len= gth of a 0-terminated string: char * test_concat (const char *x, const char *y) { size_t len_x =3D __builtin_strlen (x); size_t len_y =3D __builtin_strlen (y); size_t sz =3D len_x + len_y; // BUG (root cause): forgot to add 1 for terminator; char *result =3D __builtin_malloc (sz); if (!result) return NULL; __builtin_memcpy (result, x, len_x); __builtin_memcpy (result + len_x, y, len_y); result[len_x + len_y] =3D '\0'; // BUG (symptom): off-by-one out-of-bounds write to heap return result; } Currently -Wanalyzer-out-of-bounds doesn't warn for this; it would be great= if void region_model::check_region_bounds could handle this. Specifically, in this case, although the size of the access: result[len_x + len_y] =3D '\0'; is constant (1 byte), the offset of the access is symbolic (len_x + len_y),= and the capacity of "result" is symbolic. That said the symbolic offset of the access and symbolic capacity of the base region are directly related, and t= he former is definitely wrong with respect to the latter.=