public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug analyzer/110426] New: Missing buffer overflow warning with function pointer that has the alloc_size attribute
@ 2023-06-27  4:18 alexhenrie24 at gmail dot com
  2023-06-28 15:54 ` [Bug analyzer/110426] " dmalcolm at gcc dot gnu.org
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: alexhenrie24 at gmail dot com @ 2023-06-27  4:18 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110426

            Bug ID: 110426
           Summary: Missing buffer overflow warning with function pointer
                    that has the alloc_size attribute
           Product: gcc
           Version: 13.1.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: alexhenrie24 at gmail dot com
  Target Milestone: ---

I expected to get a warning when compiling this program with -fanalyzer:

#include <stdlib.h>

extern void* (*my_alloc)(size_t) __attribute__ ((alloc_size (1)));

int main(void)
{
    int *x = my_alloc(1);
    x[0] = 0; // buffer overflow!
    return 0;
}

There is a warning if I call malloc instead of my_alloc.

^ permalink raw reply	[flat|nested] 5+ messages in thread
* [Bug analyzer/110426] Missing buffer overflow warning with function pointer that has the alloc_size attribute
  2023-06-27  4:18 [Bug analyzer/110426] New: Missing buffer overflow warning with function pointer that has the alloc_size attribute alexhenrie24 at gmail dot com
@ 2023-06-28 15:54 ` dmalcolm at gcc dot gnu.org
  2023-08-04 20:20 ` cvs-commit at gcc dot gnu.org
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2023-06-28 15:54 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110426

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
             Status|UNCONFIRMED                 |ASSIGNED
   Last reconfirmed|                            |2023-06-28

--- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Thanks for filing this; confirmed.

The above reproducer on Compiler Explorer (with x86_64 trunk) is:
  https://godbolt.org/z/Yq5YrhWPa

^ permalink raw reply	[flat|nested] 5+ messages in thread
* [Bug analyzer/110426] Missing buffer overflow warning with function pointer that has the alloc_size attribute
  2023-06-27  4:18 [Bug analyzer/110426] New: Missing buffer overflow warning with function pointer that has the alloc_size attribute alexhenrie24 at gmail dot com
  2023-06-28 15:54 ` [Bug analyzer/110426] " dmalcolm at gcc dot gnu.org
@ 2023-08-04 20:20 ` cvs-commit at gcc dot gnu.org
  2023-08-04 20:24 ` dmalcolm at gcc dot gnu.org
  2023-08-16 19:25 ` alexhenrie24 at gmail dot com
  3 siblings, 0 replies; 5+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2023-08-04 20:20 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110426

--- Comment #2 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:021077b94741c9300dfff3a24e95b3ffa3f508a7

commit r14-3001-g021077b94741c9300dfff3a24e95b3ffa3f508a7
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Fri Aug 4 16:18:40 2023 -0400

    analyzer: handle function attribute "alloc_size" [PR110426]

    This patch makes -fanalyzer make use of the function attribute
    "alloc_size", allowing -fanalyzer to emit -Wanalyzer-allocation-size,
    -Wanalyzer-out-of-bounds, and -Wanalyzer-tainted-allocation-size on
    execution paths involving allocations using such functions.

    gcc/analyzer/ChangeLog:
            PR analyzer/110426
            * bounds-checking.cc (region_model::check_region_bounds): Handle
            symbolic base regions.
            * call-details.cc: Include "stringpool.h" and "attribs.h".
            (call_details::lookup_function_attribute): New function.
            * call-details.h (call_details::lookup_function_attribute): New
            function decl.
            * region-model-manager.cc
            (region_model_manager::maybe_fold_binop): Add reference to
            PR analyzer/110902.
            * region-model-reachability.cc (reachable_regions::handle_sval):
            Add symbolic regions for pointers that are conjured svalues for
            the LHS of a stmt.
            * region-model.cc (region_model::canonicalize): Purge dynamic
            extents for regions that aren't referenced.
            (get_result_size_in_bytes): New function.
            (region_model::on_call_pre): Use get_result_size_in_bytes and
            potentially set the dynamic extents of the region pointed to by
            the return value.
            (region_model::deref_rvalue): Add param "add_nonnull_constraint"
            and use it to conditionalize adding the constraint.
            (pending_diagnostic_subclass::dubious_allocation_size): Add "stmt"
            param to both ctors and use it to initialize new "m_stmt" field.
            (pending_diagnostic_subclass::operator==): Use m_stmt; don't use
            m_lhs or m_rhs.
            (pending_diagnostic_subclass::m_stmt): New field.
            (region_model::check_region_size): Generalize to any kind of
            pointer svalue by using deref_rvalue rather than checking for
            region_svalue.  Pass stmt to dubious_allocation_size ctor.
            * region-model.h (region_model::deref_rvalue): Add param
            "add_nonnull_constraint".
            * svalue.cc (conjured_svalue::lhs_value_p): New function.
            * svalue.h (conjured_svalue::lhs_value_p): New decl.

    gcc/testsuite/ChangeLog:
            PR analyzer/110426
            * gcc.dg/analyzer/allocation-size-1.c: Update expected message to
            reflect consolidation of size and assignment into a single event.
            * gcc.dg/analyzer/allocation-size-2.c: Likewise.
            * gcc.dg/analyzer/allocation-size-3.c: Likewise.
            * gcc.dg/analyzer/allocation-size-4.c: Likewise.
            * gcc.dg/analyzer/allocation-size-multiline-1.c: Likewise.
            * gcc.dg/analyzer/allocation-size-multiline-2.c: Likewise.
            * gcc.dg/analyzer/allocation-size-multiline-3.c: Likewise.
            * gcc.dg/analyzer/attr-alloc_size-1.c: New test.
            * gcc.dg/analyzer/attr-alloc_size-2.c: New test.
            * gcc.dg/analyzer/attr-alloc_size-3.c: New test.
            * gcc.dg/analyzer/explode-4.c: New test.
            * gcc.dg/analyzer/taint-size-1.c: Add test coverage for
            __attribute__ alloc_size.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

^ permalink raw reply	[flat|nested] 5+ messages in thread
* [Bug analyzer/110426] Missing buffer overflow warning with function pointer that has the alloc_size attribute
  2023-06-27  4:18 [Bug analyzer/110426] New: Missing buffer overflow warning with function pointer that has the alloc_size attribute alexhenrie24 at gmail dot com
  2023-06-28 15:54 ` [Bug analyzer/110426] " dmalcolm at gcc dot gnu.org
  2023-08-04 20:20 ` cvs-commit at gcc dot gnu.org
@ 2023-08-04 20:24 ` dmalcolm at gcc dot gnu.org
  2023-08-16 19:25 ` alexhenrie24 at gmail dot com
  3 siblings, 0 replies; 5+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2023-08-04 20:24 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110426

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Should be implemented for gcc 14 by the above patch.

^ permalink raw reply	[flat|nested] 5+ messages in thread
* [Bug analyzer/110426] Missing buffer overflow warning with function pointer that has the alloc_size attribute
  2023-06-27  4:18 [Bug analyzer/110426] New: Missing buffer overflow warning with function pointer that has the alloc_size attribute alexhenrie24 at gmail dot com
                   ` (2 preceding siblings ...)
  2023-08-04 20:24 ` dmalcolm at gcc dot gnu.org
@ 2023-08-16 19:25 ` alexhenrie24 at gmail dot com
  3 siblings, 0 replies; 5+ messages in thread
From: alexhenrie24 at gmail dot com @ 2023-08-16 19:25 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110426

--- Comment #4 from Alex Henrie <alexhenrie24 at gmail dot com> ---
I tried out your changes and the warnings look great now. Thank you!

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2023-08-16 19:25 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-06-27  4:18 [Bug analyzer/110426] New: Missing buffer overflow warning with function pointer that has the alloc_size attribute alexhenrie24 at gmail dot com
2023-06-28 15:54 ` [Bug analyzer/110426] " dmalcolm at gcc dot gnu.org
2023-08-04 20:20 ` cvs-commit at gcc dot gnu.org
2023-08-04 20:24 ` dmalcolm at gcc dot gnu.org
2023-08-16 19:25 ` alexhenrie24 at gmail dot com

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).