* [Bug analyzer/111305] New: GCC Static Analyzer -Wanalyzer-out-of-bounds FP and ICE problem
From: geoffreydgr at icloud dot com @ 2023-09-06 12:18 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111305
Bug ID: 111305
Summary: GCC Static Analyzer -Wanalyzer-out-of-bounds FP and ICE problem
Product: gcc
Version: 14.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: geoffreydgr at icloud dot com
Target Milestone: ---
ICE bug when analyzing the following program. There is also a FP report of
out-of-bounds.
cmd: gcc -O0 -fanalyzer
gcc version: x86-64 gcc (trunk)
see it live:
https://godbolt.org/z/qKxde131e
```
#include <stdio.h>
#include <stdint.h>
struct a {
  uint32_t b;
};
union c {
  int8_t b;
};
int32_t *d( int32_t *j, int32_t k, struct a l) {
  int64_t m[1]= {0};                 /* one 8-byte element: capacity 8 bytes */
  for (l.b = 0; l.b <= 0; l.b++) {   /* l.b is uint32_t, so the body sees l.b == 0 */
    printf("FLAG\n");
    l.b == 12 && m[l.b];             /* read of m[l.b] only if l.b == 12 */
  }
}
```
out:
```
<source>: In function 'd':
<source>:15:19: warning: stack-based buffer over-read [CWE-121]
[-Wanalyzer-out-of-bounds]
15 | l.b == 12 && m[l.b];
| ~^~~~~
'd': events 1-10
|
| 12 | int64_t m[1]= {0};
| | ^
| | |
| | (1) capacity: 8 bytes
| 13 | for (l.b = 0; l.b <= 0; l.b++) {
| | ~~~~~~~~
| | |
| | (2) following 'true' branch...
| | (6) following 'true' branch...
| 14 | printf("FLAG\n");
| | ~~~~~~~~~~~~~~~~
| | |
| | (3) ...to here
| | (7) ...to here
| 15 | l.b == 12 && m[l.b];
| | ~~~~~~~~~~~~~~~~~~~
| | | | |
| | | | (9) ...to here
| | | (10) read of 8 bytes at offset 'l.b * 8' exceeds
'm'
| | (4) following 'false' branch...
| | (5) ...to here
| | (8) following 'true' branch...
|
<source>:15:19: note: valid subscripts for 'm' are '[0]' to '[0]'
15 | l.b == 12 && m[l.b];
| ~^~~~~
during IPA pass: analyzer
<source>:15:15: internal compiler error: in decompose, at wide-int.h:990
15 | l.b == 12 && m[l.b];
| ~~~~~~~~~~^~~~~~~~~
0x21af71e internal_error(char const*, ...)
???:0
0x9dd814 fancy_abort(char const*, int, char const*)
???:0
0x185a343 tree_zero_one_valued_p(tree_node*)
???:0
0x214b222 generic_simplify_MULT_EXPR(unsigned int, tree_code, tree_node*,
tree_node*, tree_node*)
???:0
0xce1d05 fold_binary_loc(unsigned int, tree_code, tree_node*, tree_node*,
tree_node*)
???:0
0xce96cd fold_build2_loc(unsigned int, tree_code, tree_node*, tree_node*,
tree_node*)
???:0
0x18f3716 generic_simplify_23(unsigned int, tree_node*, tree_node*, tree_node*,
tree_node**, tree_code)
???:0
0x186889c generic_simplify_PLUS_EXPR(unsigned int, tree_code, tree_node*,
tree_node*, tree_node*)
???:0
0xce1d05 fold_binary_loc(unsigned int, tree_code, tree_node*, tree_node*,
tree_node*)
???:0
0xce96cd fold_build2_loc(unsigned int, tree_code, tree_node*, tree_node*,
tree_node*)
???:0
0x21505bf generic_simplify_MULT_EXPR(unsigned int, tree_code, tree_node*,
tree_node*, tree_node*)
???:0
0xce1d05 fold_binary_loc(unsigned int, tree_code, tree_node*, tree_node*,
tree_node*)
???:0
0xce96cd fold_build2_loc(unsigned int, tree_code, tree_node*, tree_node*,
tree_node*)
???:0
0x14d2c3f ana::region_offset::calc_symbolic_bit_offset(ana::region_model
const&) const
???:0
0x217faff ana::access_range::get_size(ana::region_model const&,
ana::bit_size_expr*) const
???:0
0x218cad3 ana::access_diagram_impl::access_diagram_impl(ana::access_operation
const&, diagnostic_event_id_t, text_art::style_manager&, text_art::theme
const&, ana::logger*)
???:0
0x2180abb ana::access_diagram::access_diagram(ana::access_operation const&,
diagnostic_event_id_t, text_art::style_manager&, text_art::theme const&,
ana::logger*)
???:0
0x2111f43 ana::symbolic_buffer_over_read::emit(rich_location*, ana::logger*)
???:0
0x2139d1e ana::diagnostic_manager::emit_saved_diagnostic(ana::exploded_graph
const&, ana::saved_diagnostic&)
???:0
0x213a520 ana::diagnostic_manager::emit_saved_diagnostics(ana::exploded_graph
const&)
???:0
Please submit a full bug report, with preprocessed source (by using
-freport-bug).
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.
Compiler returned: 1
```
* [Bug analyzer/111305] [13/14 Regression] GCC Static Analyzer -Wanalyzer-out-of-bounds FP and ICE problem
From: dmalcolm at gcc dot gnu.org @ 2024-02-26 22:30 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111305
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Last reconfirmed| |2024-02-26
Status|UNCONFIRMED |ASSIGNED
Ever confirmed|0 |1
--- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
ICE happens with GCC 14
False +ve happens with GCC 13 and 14
* [Bug analyzer/111305] [13/14 Regression] GCC Static Analyzer -Wanalyzer-out-of-bounds FP and ICE problem
From: rguenth at gcc dot gnu.org @ 2024-03-04 13:01 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111305
Richard Biener <rguenth at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|--- |13.3
* [Bug analyzer/111305] [13/14 Regression] GCC Static Analyzer -Wanalyzer-out-of-bounds FP and ICE problem
From: law at gcc dot gnu.org @ 2024-03-07 23:21 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111305
Jeffrey A. Law <law at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |law at gcc dot gnu.org
Priority|P3 |P1
* [Bug analyzer/111305] [13/14 Regression] GCC Static Analyzer -Wanalyzer-out-of-bounds FP and ICE problem
From: jakub at gcc dot gnu.org @ 2024-03-12 13:25 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111305
Jakub Jelinek <jakub at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Priority|P1 |P2
CC| |jakub at gcc dot gnu.org
--- Comment #2 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
GCC 13.{1,2} has been released with this bug, so P2.
* [Bug analyzer/111305] [13/14 Regression] GCC Static Analyzer -Wanalyzer-out-of-bounds FP and ICE problem
From: cvs-commit at gcc dot gnu.org @ 2024-03-18 22:47 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111305
--- Comment #3 from GCC Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:
https://gcc.gnu.org/g:1579394c9ecf3d1f678daa54b835c7fc3b76fb6d
commit r14-9527-g1579394c9ecf3d1f678daa54b835c7fc3b76fb6d
Author: David Malcolm <dmalcolm@redhat.com>
Date: Mon Mar 18 18:44:34 2024 -0400
analyzer: fix ICEs due to sloppy types in bounds-checking
[PR110902,PR110928,PR111305,PR111441]
Various analyzer ICEs in our bugzilla relate to sloppy use of types
within bounds-checking.
The bounds-checking code works by comparing symbolic *bit* offsets, and
we don't have a good user-facing type that can represent such an offset
(ptrdiff_type_node is for *byte* offsets).
ana::svalue doesn't enforce valid combinations of types for things like
binary operations. When I added the access diagrams for GCC 14, this
could lead to attempts to generate trees for such svalues, leading to
trees with invalid combinations of types (e.g. PLUS_EXPR or MULT_EXPR of
incompatible types), leading to ICEs inside the tree folding logic.
I tried two approaches to fixing this.
My first approach was to fix the type-handling throughout the
bounds-checking code to use correct types, using size_type_node for
sizes, ptrdiff_type_node for byte offsets, and trying ptrdiff_type_node
for bit offsets. I implemented this, and it fixed the crashes, but
unfortunately it led to:
(a) numerous false negatives from the bounds-checking code, due to it
becoming unable to be sure that the accessed offset was beyond the valid
bounds, due to the expressions involved gaining complicated sets of
nested casts.
(b) ugly access diagrams full of nested casts (for capacities, gap
measurements, etc)
So my second approach, implemented in this patch, is to accept that we
don't have a tree type for representing bit offsets. The patch
represents bit offsets using "typeless" symbolic values i.e. ones for
which get_type () is NULL_TREE, and implements enough support for basic
arithmetic as if these are mathematical integers (albeit ones for which
concrete values within an expression must fit within a signed wide int).
Such values can't be converted to tree, so the patch avoids such
conversions, instead implementing a new svalue::maybe_print_for_user for
printing them to a pretty_printer. The patch uses ptrdiff_type_node for
byte offsets.
Doing so fixes the crashes, whilst appearing to preserve the behavior of
-Wanalyzer-out-of-bounds in my testing.
gcc/analyzer/ChangeLog:
PR analyzer/110902
PR analyzer/110928
PR analyzer/111305
PR analyzer/111441
* access-diagram.cc: Include "analyzer/analyzer-selftests.h".
(get_access_size_str): Reimplement for conversion of
implementation of bit_size_expr from tree to const svalue &. Use
svalue::maybe_print_for_user rather than tree printing routines.
(remove_ssa_names): Make non-static.
(bit_size_expr::get_formatted_str): Rename to...
(bit_size_expr::maybe_get_formatted_str): ...this, adding "model"
param and converting return type to a unique_ptr. Update for
conversion of implementation of bit_size_expr from tree to
const svalue &. Use svalue::maybe_print_for_user rather than tree
printing routines.
(bit_size_expr::print): Rename to...
(bit_size_expr::maybe_print_for_user): ...this, adding "model"
param and converting return type to bool. Update for
conversion of implementation of bit_size_expr from tree to
const svalue &. Use svalue::maybe_print_for_user rather than tree
printing routines.
(bit_size_expr::maybe_get_as_bytes): Add "mgr" param and convert
return type from tree to const svalue *; reimplement.
(access_range::access_range): Call strip_types on region_offset
initializations.
(access_range::get_size): Update for conversion of implementation
of bit_size_expr from tree to const svalue &.
(access_operation::get_valid_bits): Pass manager to access_range
ctor.
(access_operation::maybe_get_invalid_before_bits): Likewise.
(access_operation::maybe_get_invalid_after_bits): Likewise.
(boundaries::add): Likewise.
(bit_to_table_map::populate): Add "mgr" param and pass it to
access_range ctor.
(access_diagram_impl::access_diagram_impl): Pass manager to
bit_to_table_map::populate.
(access_diagram_impl::maybe_add_gap): Use svalue rather than tree
for symbolic bit offsets. Port to new bit_size_expr
representation.
(access_diagram_impl::add_valid_vs_invalid_ruler): Port to new
bit_size_expr representation.
(selftest::assert_eq_typeless_integer): New.
(ASSERT_EQ_TYPELESS_INTEGER): New.
(selftest::test_bit_size_expr_to_bytes): New.
(selftest::analyzer_access_diagram_cc_tests): New.
* access-diagram.h (class bit_size_expr): Reimplement, converting
implementation from tree to const svalue &.
(access_range::access_range): Add "mgr" param. Call strip_types
on region_offset initializations.
(access_range::get_size): Update decl for reimplementation.
* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
selftest::analyzer_access_diagram_cc_tests.
* analyzer-selftests.h
(selftest::analyzer_checker_script_cc_tests): Delete this stray
typo.
(selftest::analyzer_access_diagram_cc_tests): New decl.
* analyzer.h (print_expr_for_user): New decl.
(calc_symbolic_bit_offset): Update decl for reimplementation.
(strip_types): New decls.
(remove_ssa_names): New decl.
* bounds-checking.cc (strip_types): New.
(region_model::check_symbolic_bounds): Use typeless svalues.
* region-model-manager.cc
(region_model_manager::get_or_create_constant_svalue): Add "type"
param. Add overload with old signature.
(region_model_manager::get_or_create_int_cst): Support type being
NULL_TREE.
(region_model_manager::maybe_fold_unaryop): Gracefully reject folding
of casts to NULL_TREE type.
(get_code_for_cast): Use NOP_EXPR for "casting" svalues to
NULL_TREE type.
(region_model_manager::get_or_create_cast): Support "casting"
svalues to NULL_TREE type.
(region_model_manager::maybe_fold_binop): Don't crash on inputs
with NULL_TREE type. Handle folding of binops on constants with
NULL_TREE type. Add missing cast from PR analyzer/110902.
Support enough folding of other ops on NULL_TREE type to support
bounds checking.
(region_model_manager::get_or_create_const_fn_result_svalue):
Remove assertion that type is nonnull.
* region-model-manager.h
(region_model_manager::get_or_create_constant_svalue): Add
overloaded decl taking a type.
(region_model_manager::maybe_fold_binop): Make public.
(region_model_manager::constants_map_t): Use
constant_svalue::key_t for the key, rather than just tree.
* region-model.cc (print_expr_for_user): New.
(selftest::test_array_2): Handle casts.
* region.cc (region_offset::calc_symbolic_bit_offset): Return
const svalue & rather than tree, and reimplement accordingly.
(region::calc_offset): Use ptrdiff_type_node for types of byte
offsets.
(region::maybe_print_for_user): New.
(element_region::get_relative_symbolic_offset): Use NULL_TREE for
types of bit offsets.
(offset_region::get_bit_offset): Likewise.
(sized_region::get_bit_size_sval): Likewise for bit sizes.
* region.h (region::maybe_print_for_user): New decl.
* svalue.cc (class auto_add_parens): New.
(svalue::maybe_print_for_user): New.
(svalue::cmp_ptr): Support typeless constant svalues.
(tristate_from_boolean_tree_node): New, taken from...
(constant_svalue::eval_condition): ...here. Handle comparison of
typeless integer svalue constants.
* svalue.h (svalue::maybe_print_for_user): New decl.
(class constant_svalue): Support the type of the svalue being
NULL_TREE.
(struct default_hash_traits<constant_svalue::key_t>): New.
gcc/ChangeLog:
PR analyzer/110902
PR analyzer/110928
PR analyzer/111305
PR analyzer/111441
* selftest.h (ASSERT_NE_AT): New macro.
gcc/testsuite/ChangeLog:
PR analyzer/110902
PR analyzer/110928
PR analyzer/111305
PR analyzer/111441
* c-c++-common/analyzer/out-of-bounds-const-fn.c: New test.
* c-c++-common/analyzer/out-of-bounds-diagram-11.c: Update
expected diagram output.
* c-c++-common/analyzer/out-of-bounds-diagram-pr110928.c: New test.
* c-c++-common/analyzer/out-of-bounds-diagram-pr111305.c: New test.
* c-c++-common/analyzer/out-of-bounds-diagram-pr111441.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
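Added example (not code from the bug report or from the GCC commit) that models the check the commit describes, a bounds check carried out on bit offsets, applied to the reproducer's `m[1]` of `int64_t` and its `uint32_t` loop index; the helper names `access_fits` and `reachable_violations` are assumed here and are not analyzer APIs.

```c
#include <stdbool.h>
#include <stdint.h>

/* Bounds checking modelled on *bit* offsets, as the commit describes for
   -Wanalyzer-out-of-bounds.  The base is m[1] from the reproducer: one
   int64_t, i.e. 8 bytes / 64 bits of capacity.  Helper names (access_fits,
   reachable_violations) belong to this example, not to GCC's analyzer.  */

#define BITS_PER_BYTE 8

/* True if a read of one elt_bytes-sized element at index idx, i.e. bits
   [idx*elt_bits, idx*elt_bits + elt_bits), lies within [0, capacity_bytes*8).
   Every multiplication and addition is overflow checked: the commit notes
   that concrete values must fit in a signed wide int, so an offset that does
   not fit is treated as not provably in bounds rather than silently wrapped.  */
static bool access_fits(int64_t idx, int64_t elt_bytes, int64_t capacity_bytes)
{
    int64_t elt_bits, start_bit, end_bit, capacity_bits;

    if (__builtin_mul_overflow(elt_bytes, BITS_PER_BYTE, &elt_bits)
        || __builtin_mul_overflow(idx, elt_bits, &start_bit)
        || __builtin_add_overflow(start_bit, elt_bits, &end_bit)
        || __builtin_mul_overflow(capacity_bytes, BITS_PER_BYTE, &capacity_bits))
        return false;

    return start_bit >= 0 && end_bit <= capacity_bits;
}

/* Re-runs the reproducer's loop with the guarded read replaced by the check.
   The index is a uint32_t and the loop condition is b <= 0, so the body only
   ever sees b == 0 and the `b == 12 &&` guard never lets the read of m[b]
   execute.  Returns how many executed reads were out of bounds: zero, which
   is why the report against this program is a false positive.  */
static int reachable_violations(void)
{
    int violations = 0;

    for (uint32_t b = 0; b <= 0; b++) {
        /* Same short-circuit as `l.b == 12 && m[l.b]` in the reproducer.  */
        if (b == 12 && !access_fits((int64_t)b, sizeof(int64_t), 1 * sizeof(int64_t)))
            violations++;
    }
    return violations;
}
```

The index 12 on the analyzer's reported path is rejected by the check (offset 96 bytes against an 8-byte capacity), while the loop itself never reaches that path.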
* [Bug analyzer/111305] [13/14 Regression] GCC Static Analyzer -Wanalyzer-out-of-bounds false positive
From: dmalcolm at gcc dot gnu.org @ 2024-03-18 22:53 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111305
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Priority|P2 |P3
Summary|[13/14 Regression] GCC |[13/14 Regression] GCC
|Static Analyzer |Static Analyzer
|-Wanalyzer-out-of-bounds FP |-Wanalyzer-out-of-bounds
|and ICE problem |false positive
--- Comment #4 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
ICE should be fixed by the above patch.
False positive still not fixed.
* [Bug analyzer/111305] [13/14 Regression] GCC Static Analyzer -Wanalyzer-out-of-bounds false positive
From: law at gcc dot gnu.org @ 2024-03-22 13:39 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111305
Jeffrey A. Law <law at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Priority|P3 |P2