public inbox for gcc-bugs@sourceware.org
* [Bug analyzer/109579] New: -Wanalyzer-out-of-bounds false positive in Emacs mapping stack
@ 2023-04-20 21:23 eggert at gnu dot org
From: eggert at gnu dot org @ 2023-04-20 21:23 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109579
Bug ID: 109579
Summary: -Wanalyzer-out-of-bounds false positive in Emacs mapping stack
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: eggert at gnu dot org
Target Milestone: ---
Created attachment 54895
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54895&action=edit
compressed test program illustrating false positive
This is gcc (GCC) 13.0.1 20230401 (Red Hat 13.0.1-0) on x86-64, and I ran into
this problem when compiling Emacs. Take the attached file ccl1.i.gz and then
run:
gzip -d ccl1.i.gz
gcc -S -fanalyzer -O2 ccl1.i
The incorrect diagnostics are as follows. These diagnostics are wrong since the
two uses of "mapping_stack_pointer--" in lines 33010 and 33011 are protected
due to those lines being in the else-part of "if (mapping_stack_pointer <=
(mapping_stack + 1))", which means mapping_stack_pointer cannot possibly
underrun the buffer simply by subtracting one from it twice.
I can work around this by compiling with -Wno-analyzer-out-of-bounds but this
seems a bit drastic.
Here are the incorrect diagnostics. These diagnostics are a regression since
GCC 12.
-----
ccl1.i: In function ‘ccl_driver’:
ccl1.i:33010:107: warning: buffer under-read [CWE-127]
[-Wanalyzer-out-of-bounds]
33010 | do { mapping_stack_pointer--; (map_set_rest_length) =
mapping_stack_pointer->rest_length; (orig_op) =
mapping_stack_pointer->orig_val; } while (0);
|
~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
‘Fccl_execute_on_string’: events 1-4
|
|33434 | __attribute__((section (".subrs"))) static union Aligned_Lisp_Subr
Sccl_execute_on_string = {{{ PVEC_SUBR << PSEUDOVECTOR_AREA_BITS }, { .a5 =
Fccl_execute_on_string }, 3, 5, "ccl-execute-on-string", {0}, 0}}; Lisp_Object
Fccl_execute_on_string
| |
^~~~~~~~~~~~~~~~~~~~~~
| |
|
| |
(1)
entry to ‘Fccl_execute_on_string’
|......
|33446 | if (! setup_ccl_program (&ccl, ccl_prog))
| | ~
| | |
| | (2) following ‘true’ branch...
|33447 | error ("Invalid CCL program");
|33448 | CHECK_VECTOR (status);
| | ~~~~~~~~~~~~~~~~~~~~~
| | |
| | (3) ...to here
| | (4) calling ‘CHECK_VECTOR’ from ‘Fccl_execute_on_string’
|
+--> ‘CHECK_VECTOR’: events 5-6
|
| 5942 | CHECK_VECTOR (Lisp_Object x)
| | ^~~~~~~~~~~~
| | |
| | (5) entry to ‘CHECK_VECTOR’
| 5943 | {
| 5944 | CHECK_TYPE (VECTORP (x), builtin_lisp_symbol (1495), x);
| | ~~~~~~~~~~~
| | |
| | (6) calling ‘VECTORP’ from ‘CHECK_VECTOR’
|
+--> ‘VECTORP’: events 7-8
|
| 5933 | VECTORP (Lisp_Object x)
| | ^~~~~~~
| | |
| | (7) entry to ‘VECTORP’
| 5934 | {
| 5935 | return VECTORLIKEP (x) && ! (ASIZE (x) & (
| | ~
| | |
| | (8) inlined call to
‘ASIZE’ from ‘VECTORP’
|
+--> ‘ASIZE’: event 9
|
| 5916 | ((0 <= size) ? (void) 0 :
__builtin_unreachable ());
| |
~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (9) following
‘false’ branch (when ‘size >= 0’)...
|
<------+
|
‘VECTORP’: event 10
|
| 5935 | return VECTORLIKEP (x) && ! (ASIZE (x) & (
| | ~~~~~~~~~~~^~~
| | |
| | (10) ...to
here
| 5936 |
(9223372036854775807L)
| |
~~~~~~~~~~~~~~~~~~~~~~
| 5937 | -
| | ~
| 5938 |
(9223372036854775807L)
| |
~~~~~~~~~~~~~~~~~~~~~~
| 5939 | / 2));
| | ~~~~~
|
<------+
|
‘CHECK_VECTOR’: events 11-12
|
| 5944 | CHECK_TYPE (VECTORP (x), builtin_lisp_symbol (1495), x);
| | ~ ^~~~~~~~~~~
| | | |
| | | (11) returning to ‘CHECK_VECTOR’ from
‘VECTORP’
| | (12) inlined call to ‘CHECK_TYPE’ from ‘CHECK_VECTOR’
|
+--> ‘CHECK_TYPE’: event 13
|
| 1408 | ((ok) ? (void) 0 : wrong_type_argument (predicate,
x));
| |
~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (13) following ‘true’ branch...
|
<------+
|
‘CHECK_VECTOR’: event 14
|
| 5945 | }
| | ^
| | |
| | (14) ...to here
|
<------+
|
‘Fccl_execute_on_string’: events 15-16
|
|33448 | CHECK_VECTOR (status);
| | ^~~~~~~~~~~~~~~~~~~~~
| | |
| | (15) returning to ‘Fccl_execute_on_string’ from ‘CHECK_VECTOR’
|33449 | if (ASIZE (status) != 9)
| | ~
| | |
| | (16) inlined call to ‘ASIZE’ from ‘Fccl_execute_on_string’
|
+--> ‘ASIZE’: event 17
|
| 5916 | ((0 <= size) ? (void) 0 : __builtin_unreachable ());
| | ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (17) following ‘false’ branch
(when ‘size >= 0’)...
|
<------+
|
‘Fccl_execute_on_string’: events 18-21
|
|33449 | if (ASIZE (status) != 9)
| | ^
| | |
| | (18) ...to here
| | (19) following ‘false’ branch (when ‘size == 9’)...
|33450 | error ("Length of vector STATUS is not 9");
|33451 | CHECK_STRING (str);
| | ~~~~~~~~~~~~~~~~~~
| | |
| | (20) ...to here
| | (21) calling ‘CHECK_STRING’ from ‘Fccl_execute_on_string’
|
+--> ‘CHECK_STRING’: events 22-23
|
| 5799 | CHECK_STRING (Lisp_Object x)
| | ^~~~~~~~~~~~
| | |
| | (22) entry to ‘CHECK_STRING’
| 5800 | {
| 5801 | CHECK_TYPE (STRINGP (x), builtin_lisp_symbol (1325), x);
| | ~
| | |
| | (23) inlined call to ‘CHECK_TYPE’ from ‘CHECK_STRING’
|
+--> ‘CHECK_TYPE’: event 24
|
| 1408 | ((ok) ? (void) 0 : wrong_type_argument (predicate,
x));
| |
~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (24) following ‘false’ branch...
|
<------+
|
‘CHECK_STRING’: event 25
|
| 5802 | }
| | ^
| | |
| | (25) ...to here
|
<------+
|
‘Fccl_execute_on_string’: events 26-27
|
|33451 | CHECK_STRING (str);
| | ^~~~~~~~~~~~~~~~~~
| | |
| | (26) returning to ‘Fccl_execute_on_string’ from ‘CHECK_STRING’
|33452 | str_chars = SCHARS (str);
| | ~
| | |
| | (27) inlined call to ‘SCHARS’ from
‘Fccl_execute_on_string’
|
+--> ‘SCHARS’: event 28
|
| 5852 | ((0 <= nchars) ? (void) 0 : __builtin_unreachable ());
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (28) following ‘false’ branch
(when ‘nchars >= 0’)...
|
<------+
|
‘Fccl_execute_on_string’: event 29
|
|33453 | str_bytes = SBYTES (str);
| | ^
| | |
| | (29) inlined call to ‘SBYTES’ from
‘Fccl_execute_on_string’
|
+--> ‘SBYTES’: event 30
|
| 5865 | return STRING_BYTES (XSTRING (string));
| | ^
| | |
| | (30) inlined call to ‘STRING_BYTES’ from ‘SBYTES’
|
+--> ‘STRING_BYTES’: event 31
|
| 5858 | ptrdiff_t nbytes = s->u.s.size_byte < 0 ?
s->u.s.size : s->u.s.size_byte;
| | ~~~~~~^~~~~~~~~~
| | |
| | (31) ...to here
|
<-------------+
|
‘Fccl_execute_on_string’: events 32-38
|
|33454 | for (i = 0; i < 8; i++)
| | ~~^~~
| | |
| | (32) following ‘true’ branch (when ‘i != 8’)...
|33455 | {
|33456 | if (NILP (AREF (status, i)))
| | ~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (33) ...to here
|......
|33475 | if (__builtin_mul_overflow (buf_magnification, outbufsize,
&outbufsize)
| |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (34) following ‘false’ branch...
|33476 | || __builtin_add_overflow (256, outbufsize, &outbufsize))
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | | |
| | | (35) ...to here
| | (36) following ‘false’ branch...
|......
|33480 | outp = outbuf = xmalloc (outbufsize);
| | ~~~~~~~~~~~~~~~~~~~~
| | |
| | (37) ...to here
|......
|33489 | if (endp - p == str_chars - consumed_chars)
| | ~
| | |
| | (38) following ‘true’ branch...
|
‘Fccl_execute_on_string’: event 39
|
|cc1:
| (39): ...to here
|
‘Fccl_execute_on_string’: events 40-44
|
|33490 | while (j < 1024 && p < endp)
| | ~~~~~~~~~^~~~~~~~~~~
| | |
| | (40) following ‘false’ branch...
|......
|33495 | consumed_chars += j;
| | ~~
| | |
| | (41) ...to here
|......
|33503 | int max_expansion = NILP (unibyte_p) ? MAX_MULTIBYTE_LENGTH :
1;
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| |
(42) following ‘true’ branch (when ‘unibyte_p’ is NULL)...
|33504 | ptrdiff_t offset, shortfall;
|33505 | ccl_driver (&ccl, src, destination, src_size, 1024,
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (43) ...to here
| | (44) calling ‘ccl_driver’ from ‘Fccl_execute_on_string’
|33506 | builtin_lisp_symbol (0));
| | ~~~~~~~~~~~~~~~~~~~~~~~~
|
+--> ‘ccl_driver’: events 45-56
|
|32373 | ccl_driver (struct ccl_program *ccl, int *source, int
*destination, int src_size, int dst_size, Lisp_Object charset_list)
| | ^~~~~~~~~~
| | |
| | (45) entry to ‘ccl_driver’
|......
|32388 | if (ccl->buf_magnification == 0)
| | ~
| | |
| | (46) following ‘false’ branch...
|......
|32392 | mapping_stack_pointer = mapping_stack;
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (47) ...to here
|......
|32404 | do { EMACS_INT prog_word = XFIXNUM
((ccl_prog)[ic++]); if (! ((((-1 - ((1 << (28 - 1)) - 1))) <= (prog_word)) &
((prog_word) <= (((1 << (28 - 1)) - 1))))) do { ccl->status = 3; goto
ccl_error_handler; } while (0); (code) = prog_word; } while (0);
| |
~
~~~~~~~~~~~~~~~~~~
| |
|
|
| |
(48) following ‘false’ branch...
(49) ...to here
|......
|32975 | if (stack_idx_of_map_multiple <= stack_idx)
| | ~
| | |
| | (50) following ‘false’ branch...
|......
|32984 | stack_idx_of_map_multiple = 0;
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (51) ...to here
|......
|32988 | if ((map_set_rest_length > reg[(field1 & 7)]) &&
(reg[(field1 & 7)] >= 0))
| | ~
| | |
| | (52) following ‘true’ branch...
|32989 | {
|32990 | ic += reg[(field1 & 7)];
| | ~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (53) ...to here
|......
|33001 | if (mapping_stack_pointer <= (mapping_stack + 1))
| | ~
| | |
| | (54) following ‘false’ branch...
|......
|33010 | do { mapping_stack_pointer--; (map_set_rest_length) =
mapping_stack_pointer->rest_length; (orig_op) =
mapping_stack_pointer->orig_val; } while (0);
| | ~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
|
| | (55) ...to here
(56) out-of-bounds read from byte
-4 till byte -1 but ‘mapping_stack’ starts at byte 0
|
ccl1.i:33010:107: note: valid subscripts for ‘mapping_stack’ are ‘[0]’ to
‘[29]’
33010 | do { mapping_stack_pointer--; (map_set_rest_length) =
mapping_stack_pointer->rest_length; (orig_op) =
mapping_stack_pointer->orig_val; } while (0);
|
~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ccl1.i:33011:59: warning: buffer under-read [CWE-127]
[-Wanalyzer-out-of-bounds]
33011 | do { mapping_stack_pointer--; (map_set_rest_length) =
mapping_stack_pointer->rest_length; (reg[field2]) =
mapping_stack_pointer->orig_val; } while (0);
|
~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
‘Fccl_execute_on_string’: events 1-4
|
|33434 | __attribute__((section (".subrs"))) static union Aligned_Lisp_Subr
Sccl_execute_on_string = {{{ PVEC_SUBR << PSEUDOVECTOR_AREA_BITS }, { .a5 =
Fccl_execute_on_string }, 3, 5, "ccl-execute-on-string", {0}, 0}}; Lisp_Object
Fccl_execute_on_string
| |
^~~~~~~~~~~~~~~~~~~~~~
| |
|
| |
(1)
entry to ‘Fccl_execute_on_string’
|......
|33446 | if (! setup_ccl_program (&ccl, ccl_prog))
| | ~
| | |
| | (2) following ‘true’ branch...
|33447 | error ("Invalid CCL program");
|33448 | CHECK_VECTOR (status);
| | ~~~~~~~~~~~~~~~~~~~~~
| | |
| | (3) ...to here
| | (4) calling ‘CHECK_VECTOR’ from ‘Fccl_execute_on_string’
|
+--> ‘CHECK_VECTOR’: events 5-6
|
| 5942 | CHECK_VECTOR (Lisp_Object x)
| | ^~~~~~~~~~~~
| | |
| | (5) entry to ‘CHECK_VECTOR’
| 5943 | {
| 5944 | CHECK_TYPE (VECTORP (x), builtin_lisp_symbol (1495), x);
| | ~~~~~~~~~~~
| | |
| | (6) calling ‘VECTORP’ from ‘CHECK_VECTOR’
|
+--> ‘VECTORP’: events 7-8
|
| 5933 | VECTORP (Lisp_Object x)
| | ^~~~~~~
| | |
| | (7) entry to ‘VECTORP’
| 5934 | {
| 5935 | return VECTORLIKEP (x) && ! (ASIZE (x) & (
| | ~
| | |
| | (8) inlined call to
‘ASIZE’ from ‘VECTORP’
|
+--> ‘ASIZE’: event 9
|
| 5916 | ((0 <= size) ? (void) 0 :
__builtin_unreachable ());
| |
~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (9) following
‘false’ branch (when ‘size >= 0’)...
|
<------+
|
‘VECTORP’: event 10
|
| 5935 | return VECTORLIKEP (x) && ! (ASIZE (x) & (
| | ~~~~~~~~~~~^~~
| | |
| | (10) ...to
here
| 5936 |
(9223372036854775807L)
| |
~~~~~~~~~~~~~~~~~~~~~~
| 5937 | -
| | ~
| 5938 |
(9223372036854775807L)
| |
~~~~~~~~~~~~~~~~~~~~~~
| 5939 | / 2));
| | ~~~~~
|
<------+
|
‘CHECK_VECTOR’: events 11-12
|
| 5944 | CHECK_TYPE (VECTORP (x), builtin_lisp_symbol (1495), x);
| | ~ ^~~~~~~~~~~
| | | |
| | | (11) returning to ‘CHECK_VECTOR’ from
‘VECTORP’
| | (12) inlined call to ‘CHECK_TYPE’ from ‘CHECK_VECTOR’
|
+--> ‘CHECK_TYPE’: event 13
|
| 1408 | ((ok) ? (void) 0 : wrong_type_argument (predicate,
x));
| |
~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (13) following ‘true’ branch...
|
<------+
|
‘CHECK_VECTOR’: event 14
|
| 5945 | }
| | ^
| | |
| | (14) ...to here
|
<------+
|
‘Fccl_execute_on_string’: events 15-16
|
|33448 | CHECK_VECTOR (status);
| | ^~~~~~~~~~~~~~~~~~~~~
| | |
| | (15) returning to ‘Fccl_execute_on_string’ from ‘CHECK_VECTOR’
|33449 | if (ASIZE (status) != 9)
| | ~
| | |
| | (16) inlined call to ‘ASIZE’ from ‘Fccl_execute_on_string’
|
+--> ‘ASIZE’: event 17
|
| 5916 | ((0 <= size) ? (void) 0 : __builtin_unreachable ());
| | ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (17) following ‘false’ branch
(when ‘size >= 0’)...
|
<------+
|
‘Fccl_execute_on_string’: events 18-21
|
|33449 | if (ASIZE (status) != 9)
| | ^
| | |
| | (18) ...to here
| | (19) following ‘false’ branch (when ‘size == 9’)...
|33450 | error ("Length of vector STATUS is not 9");
|33451 | CHECK_STRING (str);
| | ~~~~~~~~~~~~~~~~~~
| | |
| | (20) ...to here
| | (21) calling ‘CHECK_STRING’ from ‘Fccl_execute_on_string’
|
+--> ‘CHECK_STRING’: events 22-23
|
| 5799 | CHECK_STRING (Lisp_Object x)
| | ^~~~~~~~~~~~
| | |
| | (22) entry to ‘CHECK_STRING’
| 5800 | {
| 5801 | CHECK_TYPE (STRINGP (x), builtin_lisp_symbol (1325), x);
| | ~
| | |
| | (23) inlined call to ‘CHECK_TYPE’ from ‘CHECK_STRING’
|
+--> ‘CHECK_TYPE’: event 24
|
| 1408 | ((ok) ? (void) 0 : wrong_type_argument (predicate,
x));
| |
~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (24) following ‘false’ branch...
|
<------+
|
‘CHECK_STRING’: event 25
|
| 5802 | }
| | ^
| | |
| | (25) ...to here
|
<------+
|
‘Fccl_execute_on_string’: events 26-27
|
|33451 | CHECK_STRING (str);
| | ^~~~~~~~~~~~~~~~~~
| | |
| | (26) returning to ‘Fccl_execute_on_string’ from ‘CHECK_STRING’
|33452 | str_chars = SCHARS (str);
| | ~
| | |
| | (27) inlined call to ‘SCHARS’ from
‘Fccl_execute_on_string’
|
+--> ‘SCHARS’: event 28
|
| 5852 | ((0 <= nchars) ? (void) 0 : __builtin_unreachable ());
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (28) following ‘false’ branch
(when ‘nchars >= 0’)...
|
<------+
|
‘Fccl_execute_on_string’: event 29
|
|33453 | str_bytes = SBYTES (str);
| | ^
| | |
| | (29) inlined call to ‘SBYTES’ from
‘Fccl_execute_on_string’
|
+--> ‘SBYTES’: event 30
|
| 5865 | return STRING_BYTES (XSTRING (string));
| | ^
| | |
| | (30) inlined call to ‘STRING_BYTES’ from ‘SBYTES’
|
+--> ‘STRING_BYTES’: event 31
|
| 5858 | ptrdiff_t nbytes = s->u.s.size_byte < 0 ?
s->u.s.size : s->u.s.size_byte;
| | ~~~~~~^~~~~~~~~~
| | |
| | (31) ...to here
|
<-------------+
|
‘Fccl_execute_on_string’: events 32-38
|
|33454 | for (i = 0; i < 8; i++)
| | ~~^~~
| | |
| | (32) following ‘true’ branch (when ‘i != 8’)...
|33455 | {
|33456 | if (NILP (AREF (status, i)))
| | ~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (33) ...to here
|......
|33475 | if (__builtin_mul_overflow (buf_magnification, outbufsize,
&outbufsize)
| |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (34) following ‘false’ branch...
|33476 | || __builtin_add_overflow (256, outbufsize, &outbufsize))
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | | |
| | | (35) ...to here
| | (36) following ‘false’ branch...
|......
|33480 | outp = outbuf = xmalloc (outbufsize);
| | ~~~~~~~~~~~~~~~~~~~~
| | |
| | (37) ...to here
|......
|33489 | if (endp - p == str_chars - consumed_chars)
| | ~
| | |
| | (38) following ‘true’ branch...
|
‘Fccl_execute_on_string’: event 39
|
|cc1:
| (39): ...to here
|
‘Fccl_execute_on_string’: events 40-44
|
|33490 | while (j < 1024 && p < endp)
| | ~~~~~~~~~^~~~~~~~~~~
| | |
| | (40) following ‘false’ branch...
|......
|33495 | consumed_chars += j;
| | ~~
| | |
| | (41) ...to here
|......
|33503 | int max_expansion = NILP (unibyte_p) ? MAX_MULTIBYTE_LENGTH :
1;
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| |
(42) following ‘true’ branch (when ‘unibyte_p’ is NULL)...
|33504 | ptrdiff_t offset, shortfall;
|33505 | ccl_driver (&ccl, src, destination, src_size, 1024,
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (43) ...to here
| | (44) calling ‘ccl_driver’ from ‘Fccl_execute_on_string’
|33506 | builtin_lisp_symbol (0));
| | ~~~~~~~~~~~~~~~~~~~~~~~~
|
+--> ‘ccl_driver’: events 45-56
|
|32373 | ccl_driver (struct ccl_program *ccl, int *source, int
*destination, int src_size, int dst_size, Lisp_Object charset_list)
| | ^~~~~~~~~~
| | |
| | (45) entry to ‘ccl_driver’
|......
|32388 | if (ccl->buf_magnification == 0)
| | ~
| | |
| | (46) following ‘false’ branch...
|......
|32392 | mapping_stack_pointer = mapping_stack;
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (47) ...to here
|......
|32404 | do { EMACS_INT prog_word = XFIXNUM
((ccl_prog)[ic++]); if (! ((((-1 - ((1 << (28 - 1)) - 1))) <= (prog_word)) &
((prog_word) <= (((1 << (28 - 1)) - 1))))) do { ccl->status = 3; goto
ccl_error_handler; } while (0); (code) = prog_word; } while (0);
| |
~
~~~~~~~~~~~~~~~~~~
| |
|
|
| |
(48) following ‘false’ branch...
(49) ...to here
|......
|32975 | if (stack_idx_of_map_multiple <= stack_idx)
| | ~
| | |
| | (50) following ‘false’ branch...
|......
|32984 | stack_idx_of_map_multiple = 0;
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (51) ...to here
|......
|32988 | if ((map_set_rest_length > reg[(field1 & 7)]) &&
(reg[(field1 & 7)] >= 0))
| | ~
| | |
| | (52) following ‘true’ branch...
|32989 | {
|32990 | ic += reg[(field1 & 7)];
| | ~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (53) ...to here
|......
|33001 | if (mapping_stack_pointer <= (mapping_stack + 1))
| | ~
| | |
| | (54) following ‘false’ branch...
|......
|33010 | do { mapping_stack_pointer--; (map_set_rest_length) =
mapping_stack_pointer->rest_length; (orig_op) =
mapping_stack_pointer->orig_val; } while (0);
| | ~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (55) ...to here
|33011 | do { mapping_stack_pointer--; (map_set_rest_length) =
mapping_stack_pointer->rest_length; (reg[field2]) =
mapping_stack_pointer->orig_val; } while (0);
| |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| |
(56) out-of-bounds read from byte -16 till byte -13 but ‘mapping_stack’ starts
at byte 0
|
ccl1.i:33011:59: note: valid subscripts for ‘mapping_stack’ are ‘[0]’ to ‘[29]’
33011 | do { mapping_stack_pointer--; (map_set_rest_length) =
mapping_stack_pointer->rest_length; (reg[field2]) =
mapping_stack_pointer->orig_val; } while (0);
|
~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ccl1.i:33011:134: warning: buffer under-read [CWE-127]
[-Wanalyzer-out-of-bounds]
33011 | do { mapping_stack_pointer--; (map_set_rest_length) =
mapping_stack_pointer->rest_length; (reg[field2]) =
mapping_stack_pointer->orig_val; } while (0);
|
~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~
‘Fccl_execute_on_string’: events 1-4
|
|33434 | __attribute__((section (".subrs"))) static union Aligned_Lisp_Subr
Sccl_execute_on_string = {{{ PVEC_SUBR << PSEUDOVECTOR_AREA_BITS }, { .a5 =
Fccl_execute_on_string }, 3, 5, "ccl-execute-on-string", {0}, 0}}; Lisp_Object
Fccl_execute_on_string
| |
^~~~~~~~~~~~~~~~~~~~~~
| |
|
| |
(1)
entry to ‘Fccl_execute_on_string’
|......
|33446 | if (! setup_ccl_program (&ccl, ccl_prog))
| | ~
| | |
| | (2) following ‘true’ branch...
|33447 | error ("Invalid CCL program");
|33448 | CHECK_VECTOR (status);
| | ~~~~~~~~~~~~~~~~~~~~~
| | |
| | (3) ...to here
| | (4) calling ‘CHECK_VECTOR’ from ‘Fccl_execute_on_string’
|
+--> ‘CHECK_VECTOR’: events 5-6
|
| 5942 | CHECK_VECTOR (Lisp_Object x)
| | ^~~~~~~~~~~~
| | |
| | (5) entry to ‘CHECK_VECTOR’
| 5943 | {
| 5944 | CHECK_TYPE (VECTORP (x), builtin_lisp_symbol (1495), x);
| | ~~~~~~~~~~~
| | |
| | (6) calling ‘VECTORP’ from ‘CHECK_VECTOR’
|
+--> ‘VECTORP’: events 7-8
|
| 5933 | VECTORP (Lisp_Object x)
| | ^~~~~~~
| | |
| | (7) entry to ‘VECTORP’
| 5934 | {
| 5935 | return VECTORLIKEP (x) && ! (ASIZE (x) & (
| | ~
| | |
| | (8) inlined call to
‘ASIZE’ from ‘VECTORP’
|
+--> ‘ASIZE’: event 9
|
| 5916 | ((0 <= size) ? (void) 0 :
__builtin_unreachable ());
| |
~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (9) following
‘false’ branch (when ‘size >= 0’)...
|
<------+
|
‘VECTORP’: event 10
|
| 5935 | return VECTORLIKEP (x) && ! (ASIZE (x) & (
| | ~~~~~~~~~~~^~~
| | |
| | (10) ...to
here
| 5936 |
(9223372036854775807L)
| |
~~~~~~~~~~~~~~~~~~~~~~
| 5937 | -
| | ~
| 5938 |
(9223372036854775807L)
| |
~~~~~~~~~~~~~~~~~~~~~~
| 5939 | / 2));
| | ~~~~~
|
<------+
|
‘CHECK_VECTOR’: events 11-12
|
| 5944 | CHECK_TYPE (VECTORP (x), builtin_lisp_symbol (1495), x);
| | ~ ^~~~~~~~~~~
| | | |
| | | (11) returning to ‘CHECK_VECTOR’ from
‘VECTORP’
| | (12) inlined call to ‘CHECK_TYPE’ from ‘CHECK_VECTOR’
|
+--> ‘CHECK_TYPE’: event 13
|
| 1408 | ((ok) ? (void) 0 : wrong_type_argument (predicate,
x));
| |
~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (13) following ‘true’ branch...
|
<------+
|
‘CHECK_VECTOR’: event 14
|
| 5945 | }
| | ^
| | |
| | (14) ...to here
|
<------+
|
‘Fccl_execute_on_string’: events 15-16
|
|33448 | CHECK_VECTOR (status);
| | ^~~~~~~~~~~~~~~~~~~~~
| | |
| | (15) returning to ‘Fccl_execute_on_string’ from ‘CHECK_VECTOR’
|33449 | if (ASIZE (status) != 9)
| | ~
| | |
| | (16) inlined call to ‘ASIZE’ from ‘Fccl_execute_on_string’
|
+--> ‘ASIZE’: event 17
|
| 5916 | ((0 <= size) ? (void) 0 : __builtin_unreachable ());
| | ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (17) following ‘false’ branch
(when ‘size >= 0’)...
|
<------+
|
‘Fccl_execute_on_string’: events 18-21
|
|33449 | if (ASIZE (status) != 9)
| | ^
| | |
| | (18) ...to here
| | (19) following ‘false’ branch (when ‘size == 9’)...
|33450 | error ("Length of vector STATUS is not 9");
|33451 | CHECK_STRING (str);
| | ~~~~~~~~~~~~~~~~~~
| | |
| | (20) ...to here
| | (21) calling ‘CHECK_STRING’ from ‘Fccl_execute_on_string’
|
+--> ‘CHECK_STRING’: events 22-23
|
| 5799 | CHECK_STRING (Lisp_Object x)
| | ^~~~~~~~~~~~
| | |
| | (22) entry to ‘CHECK_STRING’
| 5800 | {
| 5801 | CHECK_TYPE (STRINGP (x), builtin_lisp_symbol (1325), x);
| | ~
| | |
| | (23) inlined call to ‘CHECK_TYPE’ from ‘CHECK_STRING’
|
+--> ‘CHECK_TYPE’: event 24
|
| 1408 | ((ok) ? (void) 0 : wrong_type_argument (predicate,
x));
| |
~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (24) following ‘false’ branch...
|
<------+
|
‘CHECK_STRING’: event 25
|
| 5802 | }
| | ^
| | |
| | (25) ...to here
|
<------+
|
‘Fccl_execute_on_string’: events 26-27
|
|33451 | CHECK_STRING (str);
| | ^~~~~~~~~~~~~~~~~~
| | |
| | (26) returning to ‘Fccl_execute_on_string’ from ‘CHECK_STRING’
|33452 | str_chars = SCHARS (str);
| | ~
| | |
| | (27) inlined call to ‘SCHARS’ from
‘Fccl_execute_on_string’
|
+--> ‘SCHARS’: event 28
|
| 5852 | ((0 <= nchars) ? (void) 0 : __builtin_unreachable ());
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (28) following ‘false’ branch
(when ‘nchars >= 0’)...
|
<------+
|
‘Fccl_execute_on_string’: event 29
|
|33453 | str_bytes = SBYTES (str);
| | ^
| | |
| | (29) inlined call to ‘SBYTES’ from
‘Fccl_execute_on_string’
|
+--> ‘SBYTES’: event 30
|
| 5865 | return STRING_BYTES (XSTRING (string));
| | ^
| | |
| | (30) inlined call to ‘STRING_BYTES’ from ‘SBYTES’
|
+--> ‘STRING_BYTES’: event 31
|
| 5858 | ptrdiff_t nbytes = s->u.s.size_byte < 0 ?
s->u.s.size : s->u.s.size_byte;
| | ~~~~~~^~~~~~~~~~
| | |
| | (31) ...to here
|
<-------------+
|
‘Fccl_execute_on_string’: events 32-38
|
|33454 | for (i = 0; i < 8; i++)
| | ~~^~~
| | |
| | (32) following ‘true’ branch (when ‘i != 8’)...
|33455 | {
|33456 | if (NILP (AREF (status, i)))
| | ~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (33) ...to here
|......
|33475 | if (__builtin_mul_overflow (buf_magnification, outbufsize,
&outbufsize)
| |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (34) following ‘false’ branch...
|33476 | || __builtin_add_overflow (256, outbufsize, &outbufsize))
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | | |
| | | (35) ...to here
| | (36) following ‘false’ branch...
|......
|33480 | outp = outbuf = xmalloc (outbufsize);
| | ~~~~~~~~~~~~~~~~~~~~
| | |
| | (37) ...to here
|......
|33489 | if (endp - p == str_chars - consumed_chars)
| | ~
| | |
| | (38) following ‘true’ branch...
|
‘Fccl_execute_on_string’: event 39
|
|cc1:
| (39): ...to here
|
‘Fccl_execute_on_string’: events 40-44
|
|33490 | while (j < 1024 && p < endp)
| | ~~~~~~~~~^~~~~~~~~~~
| | |
| | (40) following ‘false’ branch...
|......
|33495 | consumed_chars += j;
| | ~~
| | |
| | (41) ...to here
|......
|33503 | int max_expansion = NILP (unibyte_p) ? MAX_MULTIBYTE_LENGTH :
1;
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| |
(42) following ‘true’ branch (when ‘unibyte_p’ is NULL)...
|33504 | ptrdiff_t offset, shortfall;
|33505 | ccl_driver (&ccl, src, destination, src_size, 1024,
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (43) ...to here
| | (44) calling ‘ccl_driver’ from ‘Fccl_execute_on_string’
|33506 | builtin_lisp_symbol (0));
| | ~~~~~~~~~~~~~~~~~~~~~~~~
|
+--> ‘ccl_driver’: events 45-56
|
|32373 | ccl_driver (struct ccl_program *ccl, int *source, int
*destination, int src_size, int dst_size, Lisp_Object charset_list)
| | ^~~~~~~~~~
| | |
| | (45) entry to ‘ccl_driver’
|......
|32388 | if (ccl->buf_magnification == 0)
| | ~
| | |
| | (46) following ‘false’ branch...
|......
|32392 | mapping_stack_pointer = mapping_stack;
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (47) ...to here
|......
|32404 | do { EMACS_INT prog_word = XFIXNUM
((ccl_prog)[ic++]); if (! ((((-1 - ((1 << (28 - 1)) - 1))) <= (prog_word)) &
((prog_word) <= (((1 << (28 - 1)) - 1))))) do { ccl->status = 3; goto
ccl_error_handler; } while (0); (code) = prog_word; } while (0);
| |
~
~~~~~~~~~~~~~~~~~~
| |
|
|
| |
(48) following ‘false’ branch...
(49) ...to here
|......
|32975 | if (stack_idx_of_map_multiple <= stack_idx)
| | ~
| | |
| | (50) following ‘false’ branch...
|......
|32984 | stack_idx_of_map_multiple = 0;
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (51) ...to here
|......
|32988 | if ((map_set_rest_length > reg[(field1 & 7)]) &&
(reg[(field1 & 7)] >= 0))
| | ~
| | |
| | (52) following ‘true’ branch...
|32989 | {
|32990 | ic += reg[(field1 & 7)];
| | ~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (53) ...to here
|......
|33001 | if (mapping_stack_pointer <= (mapping_stack + 1))
| | ~
| | |
| | (54) following ‘false’ branch...
|......
|33010 | do { mapping_stack_pointer--; (map_set_rest_length) =
mapping_stack_pointer->rest_length; (orig_op) =
mapping_stack_pointer->orig_val; } while (0);
| | ~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (55) ...to here
|33011 | do { mapping_stack_pointer--; (map_set_rest_length) =
mapping_stack_pointer->rest_length; (reg[field2]) =
mapping_stack_pointer->orig_val; } while (0);
| |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
|
| |
(56)
out-of-bounds read from byte -12 till byte -9 but ‘mapping_stack’ starts at
byte 0
|
ccl1.i:33011:134: note: valid subscripts for ‘mapping_stack’ are ‘[0]’ to
‘[29]’
33011 | do { mapping_stack_pointer--; (map_set_rest_length) =
mapping_stack_pointer->rest_length; (reg[field2]) =
mapping_stack_pointer->orig_val; } while (0);
|
~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~
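The report's argument is that the two `mapping_stack_pointer--` at lines 33010 and 33011 sit in the else-part of `if (mapping_stack_pointer <= (mapping_stack + 1))`, so the pointer is at least two frames above the array base before either decrement. The following reduced C model of that pattern is an added example, not code from the report or from Emacs: the 30-slot size is taken from the analyzer's note that valid subscripts run `[0]` to `[29]`, the field names `rest_length` and `orig_val` from the quoted source line, and the `map_frame` struct, the `push_frame` helper and the depth-sweep harness are assumptions constructed for this example. It checks, for every possible stack depth, that the guard either refuses or both pops land inside the array.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Reduced model of the CCL mapping stack in the report. The diagnostic
   says valid subscripts are [0] to [29], so 30 slots; the field names
   rest_length and orig_val come from the quoted source line. The slot
   count macro, push helper and driver below are assumptions for this
   example, not Emacs code. */
#define MAX_MAP_SET_LEVEL 30

struct map_frame { int rest_length; int orig_val; };
static struct map_frame mapping_stack[MAX_MAP_SET_LEVEL];
static struct map_frame *mapping_stack_pointer = mapping_stack;

/* Push with an overflow guard; returns false when the stack is full. */
static bool push_frame (int rest_length, int orig_val)
{
  if (mapping_stack_pointer >= mapping_stack + MAX_MAP_SET_LEVEL)
    return false;
  mapping_stack_pointer->rest_length = rest_length;
  mapping_stack_pointer->orig_val = orig_val;
  mapping_stack_pointer++;
  return true;
}

/* Number of frames currently on the stack (0..30). */
static ptrdiff_t depth (void)
{
  return mapping_stack_pointer - mapping_stack;
}

/* The pattern flagged at lines 33010-33011 of ccl1.i: two pops behind one
   guard. Returns -1 when the guard refuses (fewer than two frames), else
   the index of the frame the second pop read, which is then always >= 0. */
static ptrdiff_t double_pop (int *map_set_rest_length, int *orig_op, int *reg_val)
{
  if (mapping_stack_pointer <= mapping_stack + 1)
    return -1;
  /* depth () >= 2 here, so both decrements stay inside mapping_stack. */
  mapping_stack_pointer--;
  *map_set_rest_length = mapping_stack_pointer->rest_length;
  *orig_op = mapping_stack_pointer->orig_val;
  mapping_stack_pointer--;
  *map_set_rest_length = mapping_stack_pointer->rest_length;
  *reg_val = mapping_stack_pointer->orig_val;
  return depth ();
}

/* Reset the stack, push D constructed frames (frame i holds i and 100+i),
   run the guarded double pop and return its result. */
static ptrdiff_t pop_result_at_depth (int d, int *rl, int *op, int *rv)
{
  mapping_stack_pointer = mapping_stack;
  for (int i = 0; i < d; i++)
    if (!push_frame (i, 100 + i))
      return -2;                           /* cannot happen for d <= 30 */
  return double_pop (rl, op, rv);
}

/* Exhaustive check of the invariant the report relies on: for every start
   depth 0..30 either the guard fires, or the second pop read frame d-2
   (an index in [0, 28]) and the values are those of frames d-1 and d-2. */
static bool check_all_depths (void)
{
  for (int d = 0; d <= MAX_MAP_SET_LEVEL; d++)
    {
      int rl = -1, op = -1, rv = -1;
      ptrdiff_t r = pop_result_at_depth (d, &rl, &op, &rv);
      if (d < 2)
        {
          if (r != -1)
            return false;
        }
      else if (r != d - 2 || rl != d - 2 || rv != 100 + (d - 2)
               || op != 100 + (d - 1))
        return false;
    }
  return true;
}

int main (void)
{
  printf ("guarded double pop stays in bounds for every depth: %s\n",
          check_all_depths () ? "yes" : "no");
  return 0;
}
```

Run normally, `check_all_depths` confirms at run time what the report states about the guard. The same file can also be handed to the flags from the report (`gcc -S -fanalyzer -O2`) as a small stand-alone reproducer to see whether a given GCC version still emits the buffer under-read for this pointer-comparison guard, without needing the full preprocessed ccl1.i.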
* [Bug analyzer/109579] -Wanalyzer-out-of-bounds false positive in Emacs mapping stack
From: dmalcolm at gcc dot gnu.org @ 2024-02-16 19:33 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109579
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status    |UNCONFIRMED                 |RESOLVED
     Resolution    |---                         |WORKSFORME
--- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Thanks for filing this bug report.
Trunk: unaffected: https://godbolt.org/z/EaeP1e1d5
GCC 13.2: affected: https://godbolt.org/z/WvcKh9s9Y
Presumably fixed by one of my patches to trunk; marking as RESOLVED WORKSFORME.
Feel free to reopen if you can reproduce it with GCC 14 or later.