public inbox for gcc-bugs@sourceware.org
* [Bug analyzer/113654] New: [14 Regression] -Wanalyzer-allocation-size false positive seen on Linux kernel's drivers/gpu/drm/i915/display/intel_bios.c
From: dmalcolm at gcc dot gnu.org @ 2024-01-29 14:49 UTC
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113654

            Bug ID: 113654
           Summary: [14 Regression] -Wanalyzer-allocation-size false
                    positive seen on Linux kernel's
                    drivers/gpu/drm/i915/display/intel_bios.c
           Product: gcc
           Version: 14.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: dmalcolm at gcc dot gnu.org
            Blocks: 106358
  Target Milestone: ---

Trunk: https://godbolt.org/z/Y7jYxxhe7
Doesn't seem to affect 13.2

/* Adapted from include/linux/math.h  */
#define __round_mask(x, y) ((__typeof__(x))((y)-1))
#define round_up(x, y) ((((x)-1) | __round_mask(x, y))+1)

/* Reduced from Linux kernel's drivers/gpu/drm/i915/display/intel_bios.c  */
typedef unsigned short u16;
typedef unsigned int u32;
typedef unsigned long __kernel_size_t;
typedef __kernel_size_t size_t;

extern __attribute__((__alloc_size__(1))) __attribute__((__malloc__))
void* kzalloc(size_t size);

typedef struct
{
  u32 reg;
} i915_reg_t;
struct intel_uncore;
struct intel_uncore_funcs
{
  u32 (*mmio_readl)(struct intel_uncore* uncore, i915_reg_t r);
};
struct intel_uncore
{
  void* regs;
  struct intel_uncore_funcs funcs;
};
static inline __attribute__((__gnu_inline__)) __attribute__((__unused__))
__attribute__((no_instrument_function)) u32
intel_uncore_read(struct intel_uncore* uncore, i915_reg_t reg)
{
  return uncore->funcs.mmio_readl(uncore, reg);
}
struct drm_i915_private
{
  struct intel_uncore uncore;
};
struct vbt_header*
spi_oprom_get_vbt(struct drm_i915_private* i915)
{
  u16 vbt_size;
  u32* vbt;
  vbt_size =
    intel_uncore_read(&i915->uncore, ((const i915_reg_t){ .reg = (0x102040) }));
  vbt_size &= 0xffff;
  vbt = kzalloc(round_up (vbt_size, 4));
  if (!vbt)
    goto err_not_found;
  return (struct vbt_header*)vbt;
err_not_found:
  return ((void*)0);
}


<source>: In function 'spi_oprom_get_vbt':
<source>:46:9: warning: allocated buffer size is not a multiple of the pointee's size [CWE-131] [-Wanalyzer-allocation-size]
   46 |   vbt = kzalloc(round_up (vbt_size, 4));
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  'spi_oprom_get_vbt': event 1
    |
    |   46 |   vbt = kzalloc(round_up (vbt_size, 4));
    |      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |         |
    |      |         (1) allocated and assigned to 'u32 *' {aka 'unsigned int *'} here; 'sizeof (u32 {aka unsigned int})' is '4'
    |


Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358
[Bug 106358] [meta-bug] tracker bug for building the Linux kernel with
-fanalyzer
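
Added example, not part of the original report or of GCC's sources: an exhaustive check over every u16 value showing why the diagnostic above is a false positive, next to the raw-size case the warning is meant to catch. The helper names rounded_size and count_non_multiples are hypothetical; the macros are copied from the reproducer.

```c
#include <stddef.h>
#include <stdio.h>

/* Same macros as the reproducer (adapted from include/linux/math.h). */
#define __round_mask(x, y) ((__typeof__(x))((y)-1))
#define round_up(x, y) ((((x)-1) | __round_mask(x, y))+1)

typedef unsigned short u16;
typedef unsigned int u32;

/* Hypothetical helper: the size the reproducer passes to kzalloc().
   vbt_size is promoted to int inside the macro, so 0xffff rounds up
   to 65536 rather than wrapping to 0 in 16 bits. */
static size_t rounded_size(u16 vbt_size)
{
  return round_up(vbt_size, 4);
}

/* Count the u16 inputs whose allocation size is not a multiple of
   sizeof(u32). use_round_up selects the reproducer's expression (1)
   or the raw, unrounded value (0). */
static unsigned long count_non_multiples(int use_round_up)
{
  unsigned long bad = 0;
  for (u32 v = 0; v <= 0xffff; v++) {
    size_t size = use_round_up ? rounded_size((u16)v) : (size_t)v;
    if (size % sizeof(u32) != 0)
      bad++;
  }
  return bad;
}

int main(void)
{
  printf("with round_up:    %lu sizes not a multiple of %zu\n",
         count_non_multiples(1), sizeof(u32));
  printf("without round_up: %lu sizes not a multiple of %zu\n",
         count_non_multiples(0), sizeof(u32));
  printf("edge cases: 0 -> %zu, 1 -> %zu, 0xffff -> %zu\n",
         rounded_size(0), rounded_size(1), rounded_size(0xffff));
  return 0;
}
```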


* [Bug analyzer/113654] [14 Regression] -Wanalyzer-allocation-size false positive seen on Linux kernel's drivers/gpu/drm/i915/display/intel_bios.c
From: pinskia at gcc dot gnu.org @ 2024-01-30  5:55 UTC
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113654

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |14.0


* [Bug analyzer/113654] [14 Regression] -Wanalyzer-allocation-size false positive seen on Linux kernel's drivers/gpu/drm/i915/display/intel_bios.c
From: cvs-commit at gcc dot gnu.org @ 2024-01-30 13:20 UTC
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113654

--- Comment #1 from GCC Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:9f382376660069e49290fdb51861abdec63519c7

commit r14-8627-g9f382376660069e49290fdb51861abdec63519c7
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Tue Jan 30 08:17:47 2024 -0500

    analyzer: fix -Wanalyzer-allocation-size false +ve on Linux kernel's round_up macro [PR113654]

    gcc/analyzer/ChangeLog:
            PR analyzer/113654
            * region-model.cc (is_round_up): New.
            (is_multiple_p): New.
            (is_dubious_capacity): New.
            (region_model::check_region_size): Move usage of size_visitor into
            is_dubious_capacity.

    gcc/testsuite/ChangeLog:
            PR analyzer/113654
            * c-c++-common/analyzer/allocation-size-pr113654-1.c: New test.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>


* [Bug analyzer/113654] [14 Regression] -Wanalyzer-allocation-size false positive seen on Linux kernel's drivers/gpu/drm/i915/display/intel_bios.c
From: dmalcolm at gcc dot gnu.org @ 2024-01-30 13:39 UTC
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113654

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Should be fixed by above patch; marking as resolved.
