public inbox for gcc-bugs@sourceware.org
* [Bug analyzer/114896] New: analyzer: false-positive with VLA (analyzer-out-of-bounds, CWE-121)
@ 2024-04-30 10:25 hcmh at mailbox dot org
2024-04-30 10:55 ` [Bug analyzer/114896] " hcmh at mailbox dot org
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: hcmh at mailbox dot org @ 2024-04-30 10:25 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114896
Bug ID: 114896
Summary: analyzer: false-positive with VLA (analyzer-out-of-bounds, CWE-121)
Product: gcc
Version: 14.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: hcmh at mailbox dot org
Target Milestone: ---
Created attachment 58076
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=58076&action=edit
Preprocessed .i triggering the problem
Hey,
in one of our projects we encountered the following analyzer problem, which I
believe to be a false-positive. The code essentially creates a VLA with a size
n constrained by assert()s and reads from it. The analyzer claims that this
read is out of bounds, with the maximum possible value of the type of n as
offset.
I have tried to make the example as short as possible while avoiding all
warnings with -Wall -Wextra.
GCC version: 14.0.1 20240404 (experimental)
(compiled from commit 1baec8deb014b8a7da58879a407a4c00cdeb5a09 )
System type: Debian 12 running on x86_64
GCC configuration options: --prefix=$HOME/.local/ --program-suffix=-git
--enable-default-pie --disable-multilib --enable-lto --enable-plugin
--enable-shared
Command line: gcc-git -v -save-temps -fanalyzer -Werror -o false_pos false_pos.c
Compiler output:
=======
Using built-in specs.
COLLECT_GCC=gcc-git
COLLECT_LTO_WRAPPER=/home/cholme/.local/libexec/gcc/x86_64-pc-linux-gnu/14.0.1/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /home/cholme/git/gcc/configure --prefix=/home/cholme/.local/
--program-suffix=-git --enable-default-pie --disable-multilib --enable-lto
--enable-plugin --enable-shared
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 14.0.1 20240404 (experimental) (GCC)
COLLECT_GCC_OPTIONS='-v' '-save-temps' '-fanalyzer' '-Werror' '-o' 'false_pos'
'-mtune=generic' '-march=x86-64'
/home/cholme/.local/libexec/gcc/x86_64-pc-linux-gnu/14.0.1/cc1 -E -quiet -v
-imultiarch x86_64-linux-gnu false_pos.c -mtune=generic -march=x86-64 -Werror
-fanalyzer -fpch-preprocess -o false_pos.i
ignoring nonexistent directory "/usr/local/include/x86_64-linux-gnu"
ignoring nonexistent directory
"/home/cholme/.local/lib/gcc/x86_64-pc-linux-gnu/14.0.1/include-fixed/x86_64-linux-gnu"
ignoring nonexistent directory
"/home/cholme/.local/lib/gcc/x86_64-pc-linux-gnu/14.0.1/../../../../x86_64-pc-linux-gnu/include"
#include "..." search starts here:
#include <...> search starts here:
/home/cholme/.local/lib/gcc/x86_64-pc-linux-gnu/14.0.1/include
/usr/local/include
/home/cholme/.local/include
/home/cholme/.local/lib/gcc/x86_64-pc-linux-gnu/14.0.1/include-fixed
/usr/include/x86_64-linux-gnu
/usr/include
End of search list.
COLLECT_GCC_OPTIONS='-v' '-save-temps' '-fanalyzer' '-Werror' '-o' 'false_pos'
'-mtune=generic' '-march=x86-64'
/home/cholme/.local/libexec/gcc/x86_64-pc-linux-gnu/14.0.1/cc1 -fpreprocessed
false_pos.i -quiet -dumpbase false_pos.c -dumpbase-ext .c -mtune=generic
-march=x86-64 -Werror -version -fanalyzer -o false_pos.s
GNU C17 (GCC) version 14.0.1 20240404 (experimental) (x86_64-pc-linux-gnu)
compiled by GNU C version 14.0.1 20240404 (experimental), GMP version
6.2.1, MPFR version 4.1.0, MPC version 1.2.1, isl version isl-0.24-GMP
GGC heuristics: --param ggc-min-expand=30 --param ggc-min-heapsize=4096
Compiler executable checksum: d2ba7c5aec15d00fa77a3643096b9f91
false_pos.c: In function ‘main’:
false_pos.c:39:35: error: stack-based buffer over-read [CWE-121]
[-Werror=analyzer-out-of-bounds]
39 | return entries[hdr.nscans - 1].id;
| ~~~~~~~~~~~~~~~~~~~~~~~^~~
‘main’: event 1
|
|false_pos.c:20:36:
| 20 | assert( -1 != fd);
| | ^
| | |
| | (1) following ‘true’ branch
(when ‘fd != -1’)...
|
‘main’: event 2
|
|false_pos.c:24:19:
| 24 | const ssize_t hdrsz = sizeof hdr;
| | ^~~~~
| | |
| | (2) ...to here
|
‘main’: event 3
|
|false_pos.c:26:36:
| 26 | assert(hdrsz == sr);
| | ^
| | |
| | (3) following ‘true’ branch
(when ‘hdrsz == sr’)...
|
‘main’: event 4
|
|false_pos.c:28:12:
| 28 | assert((0 < hdr.nscans) && (hdr.nscans < 2));
| | ~~~^~~~~~~
| | |
| | (4) ...to here
|
‘main’: event 5
|
|false_pos.c:28:36:
| 28 | assert((0 < hdr.nscans) && (hdr.nscans < 2));
| | ^
| | |
| | (5) following ‘true’ branch...
|
‘main’: event 6
|
|false_pos.c:28:21:
| 28 | assert((0 < hdr.nscans) && (hdr.nscans < 2));
| | ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~
| | |
| | (6) ...to here
|
‘main’: event 7
|
|false_pos.c:30:20:
| 30 | struct entry_s entries[hdr.nscans];
| | ^~~~~~~
| | |
| | (7) capacity: ‘(sizetype)hdr.nscans * 2’ bytes
|
‘main’: event 8
|
|false_pos.c:35:36:
| 35 | assert(entriessz == sr);
| | ^
| | |
| | (8) following ‘true’ branch
(when ‘entriessz == sr’)...
|
‘main’: events 9-10
|
|false_pos.c:37:5:
| 37 | close(fd);
| | ^~~~~~~~~
| | |
| | (9) ...to here
| 38 |
| 39 | return entries[hdr.nscans - 1].id;
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (10) read of 2 bytes at offset
‘hdr.nscans * 2 + 8589934590’ exceeds the buffer
|
┌─────────────────┐
│ read of 2 bytes │
└─────────────────┘
^
│
│
┌────────────────────────────────┐ ┌─────────────────┐
│buffer allocated on stack at (7)│ │after valid range│
└────────────────────────────────┘ └─────────────────┘
├───────────────┬────────────────┤├────────┬────────┤├────────┬────────┤
│ │ │
│ │ ╭───────────┴───────────╮
│ │ │⚠ over-read of 2 bytes│
│ │ ╰───────────────────────╯
╭──────────────┴─────────────╮ ╭────────┴───────╮
│size: ‘hdr.nscans * 2’ bytes│ │8589934590 bytes│
╰────────────────────────────╯ ╰────────────────╯
cc1: all warnings being treated as errors
=======
Preprocessed .i file is attached.
Please tell me if you need any more info, or if I should try another version of
gcc.
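An added worked example (not code from the bug report, from GCC, or from the attached reproducer) that shows where the constant in the diagnostic comes from and the runtime check a caller would want in place of an assert(). It assumes a constructed 2-byte element type to match the "read of 2 bytes" and "capacity: hdr.nscans * 2" in the report, and it treats the analyzer's offset formula as my reading of the printed text: 8589934590 equals UINT32_MAX * 2, which suggests the "- 1" on an unsigned 32-bit index was folded as "+ UINT32_MAX" without reduction modulo 2^32.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 2-byte element type; the diagnostic reports 2-byte reads
   and a capacity of 'hdr.nscans * 2' bytes, so this mirrors that layout. */
struct entry_s {
    int16_t id;
};

/* Byte offset of entries[n - 1] when n is a 32-bit unsigned count.
   n - 1 is computed in unsigned int and wraps to UINT32_MAX when n == 0;
   that wrapped index is then scaled to a 64-bit byte offset. */
uint64_t actual_offset(uint32_t n)
{
    uint32_t idx = n - 1u;  /* modular arithmetic: 0 - 1 == 4294967295 */
    return (uint64_t)idx * sizeof(struct entry_s);
}

/* The offset printed by the analyzer, 'hdr.nscans * 2 + 8589934590',
   evaluated for a concrete n (assumption: this is how the printed formula
   reads). 8589934590 == UINT32_MAX * 2, i.e. the "- 1" appears to have been
   folded as "+ UINT32_MAX" in a 64-bit type instead of wrapping in 32 bits. */
uint64_t analyzer_offset(uint32_t n)
{
    return (uint64_t)n * sizeof(struct entry_s) + 8589934590ULL;
}

/* Guarded read of the last element: returns 0 and writes *out on success,
   or -1 when n == 0 (where n - 1 would wrap to UINT32_MAX). Unlike assert(),
   this check is not removed by -DNDEBUG. */
int last_id(const struct entry_s *entries, uint32_t n, int16_t *out)
{
    if (n == 0)
        return -1;
    *out = entries[n - 1].id;
    return 0;
}

int main(void)
{
    struct entry_s entries[1] = { { 42 } };  /* constructed sample data */
    int16_t id = 0;

    /* For n == 0 both offsets agree (the wrapped index really is out of
       bounds); for the n == 1 case admitted by the asserts, the real offset
       is 0 while the analyzer's formula lands 2 * 2^32 bytes past the VLA. */
    for (uint32_t n = 0; n < 3; n++)
        printf("n=%u  actual offset=%llu  analyzer offset=%llu\n",
               (unsigned)n, (unsigned long long)actual_offset(n),
               (unsigned long long)analyzer_offset(n));

    if (last_id(entries, 0, &id) != 0)
        puts("n == 0 rejected");
    if (last_id(entries, 1, &id) == 0)
        printf("entries[0].id = %d\n", (int)id);
    return 0;
}
```

The point for a reader of the report: the assert(0 < hdr.nscans) is exactly what excludes the wrapped index, so the read is in bounds for every value the program allows; a release build with NDEBUG loses that guard, which is why an explicit check like last_id() is preferable in code that parses a header from a file.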
* [Bug analyzer/114896] analyzer: false-positive with VLA (analyzer-out-of-bounds, CWE-121)
From: hcmh at mailbox dot org @ 2024-04-30 10:55 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114896
--- Comment #1 from Christian Holme <hcmh at mailbox dot org> ---
Created attachment 58077
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=58077&action=edit
Unprocessed .c file
As the .i file is very large because of the system headers, here is the plain .c file.
* [Bug analyzer/114896] analyzer: false-positive with VLA (analyzer-out-of-bounds, CWE-121)
From: dmalcolm at gcc dot gnu.org @ 2024-04-30 20:16 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114896
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |NEW
Ever confirmed|0 |1
Last reconfirmed| |2024-04-30
--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Thanks for filing this bug.
The reproducer on Compiler Explorer is:
https://godbolt.org/z/4Pc7Wfx8r
* [Bug analyzer/114896] analyzer: false-positive with VLA (analyzer-out-of-bounds, CWE-121)
From: uecker at gcc dot gnu.org @ 2024-05-18 21:08 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114896
uecker at gcc dot gnu.org changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |uecker at gcc dot gnu.org
--- Comment #3 from uecker at gcc dot gnu.org ---
Minimal example:
void foo(void*);
int main(void)
{
unsigned int n;
foo(&n);
int e[n] = { };
return e[n - 1];
}
https://godbolt.org/z/hYPqahYY8