public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug analyzer/108432] New: Analyzer fails to detect out-of-bounds issues within loops
@ 2023-01-17 15:27 dmalcolm at gcc dot gnu.org
2023-01-23 12:54 ` [Bug analyzer/108432] " segher at gcc dot gnu.org
` (5 more replies)
0 siblings, 6 replies; 7+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2023-01-17 15:27 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108432
Bug ID: 108432
Summary: Analyzer fails to detect out-of-bounds issues within
loops
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Target Milestone: ---
Consider:
https://samate.nist.gov/SARD/test-cases/149169/versions/2.0.0
Without optimization, gcc trunk with -fanalyzer fails to report the
out-of-bounds write:
https://godbolt.org/z/brx5cT18o
At -O1 and above (https://godbolt.org/z/PdvcE5MhE), we get:
<source>: In function 'main':
<source>:22:25: warning: iteration 9 invokes undefined behavior
[-Waggressive-loop-optimizations]
22 | bStr[i] = (char)i + 'a';
/* FLAW */
| ~~~~~~~~^~~~~~~~~~~~~~~
<source>:21:23: note: within this loop
21 | for (i = 1; i <= 10; ++i)
| ~~^~~~~
The analyzer probably ought to try to at least check the final iteration of a
loop (I believe it currently will at least detect issues in the initial
iteration of a loop).
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Bug analyzer/108432] Analyzer fails to detect out-of-bounds issues within loops
2023-01-17 15:27 [Bug analyzer/108432] New: Analyzer fails to detect out-of-bounds issues within loops dmalcolm at gcc dot gnu.org
@ 2023-01-23 12:54 ` segher at gcc dot gnu.org
2023-01-23 16:34 ` dmalcolm at gcc dot gnu.org
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: segher at gcc dot gnu.org @ 2023-01-23 12:54 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108432
Segher Boessenkool <segher at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |segher at gcc dot gnu.org
--- Comment #1 from Segher Boessenkool <segher at gcc dot gnu.org> ---
Many warning messages are also dependent on optimisation level. And the
actual generated code is as well ;-)
-O0 means do the least possible work to generate correct code. There is
friction between that and having -fanalyzer do deep inspection of the code.
I think we should document -fanalyzer needs some optimisation enabled (does
it need -O2 in some cases, or just -O1 always, btw?)
The suggestion to at least check the last loop iteration is good of course.
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Bug analyzer/108432] Analyzer fails to detect out-of-bounds issues within loops
2023-01-17 15:27 [Bug analyzer/108432] New: Analyzer fails to detect out-of-bounds issues within loops dmalcolm at gcc dot gnu.org
2023-01-23 12:54 ` [Bug analyzer/108432] " segher at gcc dot gnu.org
@ 2023-01-23 16:34 ` dmalcolm at gcc dot gnu.org
2023-01-23 18:46 ` segher at gcc dot gnu.org
` (3 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2023-01-23 16:34 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108432
--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
(In reply to Segher Boessenkool from comment #1)
> Many warning messages are also dependent on optimisation level. And the
> actual generated code is as well ;-)
>
> -O0 means do the least possible work to generate correct code. There is
> friction between that and having -fanalyzer do deep inspection of the code.
> I think we should document -fanalyzer needs some optimisation enabled (does
> it need -O2 in some cases, or just -O1 always, btw?)
>
> The suggestion to at least check the last loop iteration is good of course.
Unfortunately, some analyzer warnings work better with optimization *disabled*.
-fanalyzer runs much later than most other static analyzers.
For example, -Wanalyzer-deref-before-check doesn't work well with optimization,
as the dereference means that that optimized can remove the checks before the
analyzer "sees" them.
I think there's a natural tension between optimization and detecting undefined
behavior, in that -fanalyzer wants to report on possible undefined behavior,
whereas optimization wants to take advantage of undefined behavior.
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Bug analyzer/108432] Analyzer fails to detect out-of-bounds issues within loops
2023-01-17 15:27 [Bug analyzer/108432] New: Analyzer fails to detect out-of-bounds issues within loops dmalcolm at gcc dot gnu.org
2023-01-23 12:54 ` [Bug analyzer/108432] " segher at gcc dot gnu.org
2023-01-23 16:34 ` dmalcolm at gcc dot gnu.org
@ 2023-01-23 18:46 ` segher at gcc dot gnu.org
2023-01-26 14:47 ` [Bug analyzer/108432] RFE: analyzer could " dmalcolm at gcc dot gnu.org
` (2 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: segher at gcc dot gnu.org @ 2023-01-23 18:46 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108432
--- Comment #3 from Segher Boessenkool <segher at gcc dot gnu.org> ---
(In reply to David Malcolm from comment #2)
> Unfortunately, some analyzer warnings work better with optimization
> *disabled*. -fanalyzer runs much later than most other static analyzers.
Understood. But some work better with it enabled, right?
> For example, -Wanalyzer-deref-before-check doesn't work well with
> optimization, as the dereference means that that optimized can remove the
> checks before the analyzer "sees" them.
Yes.
> I think there's a natural tension between optimization and detecting
> undefined behavior, in that -fanalyzer wants to report on possible undefined
> behavior, whereas optimization wants to take advantage of undefined behavior.
"Take advantage of"... A program that contains UB is erroneous, has no
defined semantics *at all*, so what the compiler is really doing is assuming
the program is a correct program, and generating more optimal target code
based on that not unreasonable assumption.
This sounds a bit better, right? It still is true that the compiler cannot
detect all UB during compilation (it needs to know the program's input as
well for that, and even then it isn't realistic). Is it even possible to
detect *all* UB at runtime?
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Bug analyzer/108432] RFE: analyzer could detect out-of-bounds issues within loops
2023-01-17 15:27 [Bug analyzer/108432] New: Analyzer fails to detect out-of-bounds issues within loops dmalcolm at gcc dot gnu.org
` (2 preceding siblings ...)
2023-01-23 18:46 ` segher at gcc dot gnu.org
@ 2023-01-26 14:47 ` dmalcolm at gcc dot gnu.org
2023-01-27 22:12 ` dmalcolm at gcc dot gnu.org
2023-02-01 14:01 ` dmalcolm at gcc dot gnu.org
5 siblings, 0 replies; 7+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2023-01-26 14:47 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108432
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|Analyzer fails to detect |RFE: analyzer could detect
|out-of-bounds issues within |out-of-bounds issues within
|loops |loops
--- Comment #4 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Retitling this to be an RFE, since handling these cases is an expansion of the
scope of -fanalyzer's bounds-checker.
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Bug analyzer/108432] RFE: analyzer could detect out-of-bounds issues within loops
2023-01-17 15:27 [Bug analyzer/108432] New: Analyzer fails to detect out-of-bounds issues within loops dmalcolm at gcc dot gnu.org
` (3 preceding siblings ...)
2023-01-26 14:47 ` [Bug analyzer/108432] RFE: analyzer could " dmalcolm at gcc dot gnu.org
@ 2023-01-27 22:12 ` dmalcolm at gcc dot gnu.org
2023-02-01 14:01 ` dmalcolm at gcc dot gnu.org
5 siblings, 0 replies; 7+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2023-01-27 22:12 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108432
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jamie.bainbridge at gmail dot com
--- Comment #5 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
*** Bug 107566 has been marked as a duplicate of this bug. ***
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Bug analyzer/108432] RFE: analyzer could detect out-of-bounds issues within loops
2023-01-17 15:27 [Bug analyzer/108432] New: Analyzer fails to detect out-of-bounds issues within loops dmalcolm at gcc dot gnu.org
` (4 preceding siblings ...)
2023-01-27 22:12 ` dmalcolm at gcc dot gnu.org
@ 2023-02-01 14:01 ` dmalcolm at gcc dot gnu.org
5 siblings, 0 replies; 7+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2023-02-01 14:01 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108432
--- Comment #6 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Another example: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108598#c2
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2023-02-01 14:01 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-01-17 15:27 [Bug analyzer/108432] New: Analyzer fails to detect out-of-bounds issues within loops dmalcolm at gcc dot gnu.org
2023-01-23 12:54 ` [Bug analyzer/108432] " segher at gcc dot gnu.org
2023-01-23 16:34 ` dmalcolm at gcc dot gnu.org
2023-01-23 18:46 ` segher at gcc dot gnu.org
2023-01-26 14:47 ` [Bug analyzer/108432] RFE: analyzer could " dmalcolm at gcc dot gnu.org
2023-01-27 22:12 ` dmalcolm at gcc dot gnu.org
2023-02-01 14:01 ` dmalcolm at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).