public inbox for gcc-bugs@sourceware.org help / color / mirror / Atom feed
* [Bug analyzer/110426] New: Missing buffer overflow warning with function pointer that has the alloc_size attribute
@ 2023-06-27 4:18 alexhenrie24 at gmail dot com
2023-06-28 15:54 ` [Bug analyzer/110426] " dmalcolm at gcc dot gnu.org
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: alexhenrie24 at gmail dot com @ 2023-06-27 4:18 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110426
Bug ID: 110426
Summary: Missing buffer overflow warning with function pointer
that has the alloc_size attribute
Product: gcc
Version: 13.1.1
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: alexhenrie24 at gmail dot com
Target Milestone: ---
I expected to get a warning when compiling this program with -fanalyzer:
#include <stdlib.h>
extern void* (*my_alloc)(size_t) __attribute__ ((alloc_size (1)));
int main(void)
{
int *x = my_alloc(1);
x[0] = 0; // buffer overflow!
return 0;
}
There is a warning if I call malloc instead of my_alloc.
^ permalink raw reply [flat|nested] 5+ messages in thread* [Bug analyzer/110426] Missing buffer overflow warning with function pointer that has the alloc_size attribute 2023-06-27 4:18 [Bug analyzer/110426] New: Missing buffer overflow warning with function pointer that has the alloc_size attribute alexhenrie24 at gmail dot com @ 2023-06-28 15:54 ` dmalcolm at gcc dot gnu.org 2023-08-04 20:20 ` cvs-commit at gcc dot gnu.org ` (2 subsequent siblings) 3 siblings, 0 replies; 5+ messages in thread From: dmalcolm at gcc dot gnu.org @ 2023-06-28 15:54 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110426 David Malcolm <dmalcolm at gcc dot gnu.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Ever confirmed|0 |1 Status|UNCONFIRMED |ASSIGNED Last reconfirmed| |2023-06-28 --- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> --- Thanks for filing this; confirmed. The above reproducer on Compiler Explorer (with x86_64 trunk) is: https://godbolt.org/z/Yq5YrhWPa ^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug analyzer/110426] Missing buffer overflow warning with function pointer that has the alloc_size attribute 2023-06-27 4:18 [Bug analyzer/110426] New: Missing buffer overflow warning with function pointer that has the alloc_size attribute alexhenrie24 at gmail dot com 2023-06-28 15:54 ` [Bug analyzer/110426] " dmalcolm at gcc dot gnu.org @ 2023-08-04 20:20 ` cvs-commit at gcc dot gnu.org 2023-08-04 20:24 ` dmalcolm at gcc dot gnu.org 2023-08-16 19:25 ` alexhenrie24 at gmail dot com 3 siblings, 0 replies; 5+ messages in thread From: cvs-commit at gcc dot gnu.org @ 2023-08-04 20:20 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110426 --- Comment #2 from CVS Commits <cvs-commit at gcc dot gnu.org> --- The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>: https://gcc.gnu.org/g:021077b94741c9300dfff3a24e95b3ffa3f508a7 commit r14-3001-g021077b94741c9300dfff3a24e95b3ffa3f508a7 Author: David Malcolm <dmalcolm@redhat.com> Date: Fri Aug 4 16:18:40 2023 -0400 analyzer: handle function attribute "alloc_size" [PR110426] This patch makes -fanalyzer make use of the function attribute "alloc_size", allowing -fanalyzer to emit -Wanalyzer-allocation-size, -Wanalyzer-out-of-bounds, and -Wanalyzer-tainted-allocation-size on execution paths involving allocations using such functions. gcc/analyzer/ChangeLog: PR analyzer/110426 * bounds-checking.cc (region_model::check_region_bounds): Handle symbolic base regions. * call-details.cc: Include "stringpool.h" and "attribs.h". (call_details::lookup_function_attribute): New function. * call-details.h (call_details::lookup_function_attribute): New function decl. * region-model-manager.cc (region_model_manager::maybe_fold_binop): Add reference to PR analyzer/110902. * region-model-reachability.cc (reachable_regions::handle_sval): Add symbolic regions for pointers that are conjured svalues for the LHS of a stmt. * region-model.cc (region_model::canonicalize): Purge dynamic extents for regions that aren't referenced. (get_result_size_in_bytes): New function. (region_model::on_call_pre): Use get_result_size_in_bytes and potentially set the dynamic extents of the region pointed to by the return value. (region_model::deref_rvalue): Add param "add_nonnull_constraint" and use it to conditionalize adding the constraint. (pending_diagnostic_subclass::dubious_allocation_size): Add "stmt" param to both ctors and use it to initialize new "m_stmt" field. (pending_diagnostic_subclass::operator==): Use m_stmt; don't use m_lhs or m_rhs. (pending_diagnostic_subclass::m_stmt): New field. (region_model::check_region_size): Generalize to any kind of pointer svalue by using deref_rvalue rather than checking for region_svalue. Pass stmt to dubious_allocation_size ctor. * region-model.h (region_model::deref_rvalue): Add param "add_nonnull_constraint". * svalue.cc (conjured_svalue::lhs_value_p): New function. * svalue.h (conjured_svalue::lhs_value_p): New decl. gcc/testsuite/ChangeLog: PR analyzer/110426 * gcc.dg/analyzer/allocation-size-1.c: Update expected message to reflect consolidation of size and assignment into a single event. * gcc.dg/analyzer/allocation-size-2.c: Likewise. * gcc.dg/analyzer/allocation-size-3.c: Likewise. * gcc.dg/analyzer/allocation-size-4.c: Likewise. * gcc.dg/analyzer/allocation-size-multiline-1.c: Likewise. * gcc.dg/analyzer/allocation-size-multiline-2.c: Likewise. * gcc.dg/analyzer/allocation-size-multiline-3.c: Likewise. * gcc.dg/analyzer/attr-alloc_size-1.c: New test. * gcc.dg/analyzer/attr-alloc_size-2.c: New test. * gcc.dg/analyzer/attr-alloc_size-3.c: New test. * gcc.dg/analyzer/explode-4.c: New test. * gcc.dg/analyzer/taint-size-1.c: Add test coverage for __attribute__ alloc_size. Signed-off-by: David Malcolm <dmalcolm@redhat.com> ^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug analyzer/110426] Missing buffer overflow warning with function pointer that has the alloc_size attribute 2023-06-27 4:18 [Bug analyzer/110426] New: Missing buffer overflow warning with function pointer that has the alloc_size attribute alexhenrie24 at gmail dot com 2023-06-28 15:54 ` [Bug analyzer/110426] " dmalcolm at gcc dot gnu.org 2023-08-04 20:20 ` cvs-commit at gcc dot gnu.org @ 2023-08-04 20:24 ` dmalcolm at gcc dot gnu.org 2023-08-16 19:25 ` alexhenrie24 at gmail dot com 3 siblings, 0 replies; 5+ messages in thread From: dmalcolm at gcc dot gnu.org @ 2023-08-04 20:24 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110426 David Malcolm <dmalcolm at gcc dot gnu.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution|--- |FIXED --- Comment #3 from David Malcolm <dmalcolm at gcc dot gnu.org> --- Should be implemented for gcc 14 by the above patch. ^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug analyzer/110426] Missing buffer overflow warning with function pointer that has the alloc_size attribute 2023-06-27 4:18 [Bug analyzer/110426] New: Missing buffer overflow warning with function pointer that has the alloc_size attribute alexhenrie24 at gmail dot com ` (2 preceding siblings ...) 2023-08-04 20:24 ` dmalcolm at gcc dot gnu.org @ 2023-08-16 19:25 ` alexhenrie24 at gmail dot com 3 siblings, 0 replies; 5+ messages in thread From: alexhenrie24 at gmail dot com @ 2023-08-16 19:25 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110426 --- Comment #4 from Alex Henrie <alexhenrie24 at gmail dot com> --- I tried out your changes and the warnings look great now. Thank you! ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2023-08-16 19:25 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2023-06-27 4:18 [Bug analyzer/110426] New: Missing buffer overflow warning with function pointer that has the alloc_size attribute alexhenrie24 at gmail dot com 2023-06-28 15:54 ` [Bug analyzer/110426] " dmalcolm at gcc dot gnu.org 2023-08-04 20:20 ` cvs-commit at gcc dot gnu.org 2023-08-04 20:24 ` dmalcolm at gcc dot gnu.org 2023-08-16 19:25 ` alexhenrie24 at gmail dot com
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).