public inbox for gcc-bugs@sourceware.org
From: "hcmh at mailbox dot org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/114896] New: analyzer: false-positive with VLA (analyzer-out-of-bounds, CWE-121)
Date: Tue, 30 Apr 2024 10:25:10 +0000
Message-ID: <bug-114896-4@http.gcc.gnu.org/bugzilla/>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114896

            Bug ID: 114896
           Summary: analyzer: false-positive with VLA (analyzer-out-of-bounds, CWE-121)
           Product: gcc
           Version: 14.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: hcmh at mailbox dot org
  Target Milestone: ---

Created attachment 58076
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=58076&action=edit
Preprocessed .i triggering the problem

Hey,

in one of our projects we encountered the following analyzer problem, which I believe to be a false-positive.

The code essentially creates a VLA with a size n constrained by assert()s and reads from it. The analyzer claims that this read is out of bounds, with the maximum possible value of the type of n as offset.

I have tried to make the example as short as possible while avoiding all warnings with -Wall -Wextra.

GCC version: 14.0.1 20240404 (experimental) (compiled from commit 1baec8deb014b8a7da58879a407a4c00cdeb5a09)
System type: Debian 12 running on x86_64
GCC configuration options: --prefix=$HOME/.local/ --program-suffix=-git --enable-default-pie --disable-multilib --enable-lto --enable-plugin --enable-shared
Command line: gcc-git -v -save-temps -fanalyzer -Werror -o false_pos false_pos.c

Compiler output:
=======
Using built-in specs.
COLLECT_GCC=gcc-git
COLLECT_LTO_WRAPPER=/home/cholme/.local/libexec/gcc/x86_64-pc-linux-gnu/14.0.1/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /home/cholme/git/gcc/configure --prefix=/home/cholme/.local/ --program-suffix=-git --enable-default-pie --disable-multilib --enable-lto --enable-plugin --enable-shared
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 14.0.1 20240404 (experimental) (GCC)
COLLECT_GCC_OPTIONS='-v' '-save-temps' '-fanalyzer' '-Werror' '-o' 'false_pos' '-mtune=generic' '-march=x86-64'
 /home/cholme/.local/libexec/gcc/x86_64-pc-linux-gnu/14.0.1/cc1 -E -quiet -v -imultiarch x86_64-linux-gnu false_pos.c -mtune=generic -march=x86-64 -Werror -fanalyzer -fpch-preprocess -o false_pos.i
ignoring nonexistent directory "/usr/local/include/x86_64-linux-gnu"
ignoring nonexistent directory "/home/cholme/.local/lib/gcc/x86_64-pc-linux-gnu/14.0.1/include-fixed/x86_64-linux-gnu"
ignoring nonexistent directory "/home/cholme/.local/lib/gcc/x86_64-pc-linux-gnu/14.0.1/../../../../x86_64-pc-linux-gnu/include"
#include "..." search starts here:
#include <...> search starts here:
 /home/cholme/.local/lib/gcc/x86_64-pc-linux-gnu/14.0.1/include
 /usr/local/include
 /home/cholme/.local/include
 /home/cholme/.local/lib/gcc/x86_64-pc-linux-gnu/14.0.1/include-fixed
 /usr/include/x86_64-linux-gnu
 /usr/include
End of search list.
COLLECT_GCC_OPTIONS='-v' '-save-temps' '-fanalyzer' '-Werror' '-o' 'false_pos' '-mtune=generic' '-march=x86-64'
 /home/cholme/.local/libexec/gcc/x86_64-pc-linux-gnu/14.0.1/cc1 -fpreprocessed false_pos.i -quiet -dumpbase false_pos.c -dumpbase-ext .c -mtune=generic -march=x86-64 -Werror -version -fanalyzer -o false_pos.s
GNU C17 (GCC) version 14.0.1 20240404 (experimental) (x86_64-pc-linux-gnu)
	compiled by GNU C version 14.0.1 20240404 (experimental), GMP version 6.2.1, MPFR version 4.1.0, MPC version 1.2.1, isl version isl-0.24-GMP

GGC heuristics: --param ggc-min-expand=30 --param ggc-min-heapsize=4096
Compiler executable checksum: d2ba7c5aec15d00fa77a3643096b9f91
false_pos.c: In function ‘main’:
false_pos.c:39:35: error: stack-based buffer over-read [CWE-121] [-Werror=analyzer-out-of-bounds]
   39 |     return entries[hdr.nscans - 1].id;
      |            ~~~~~~~~~~~~~~~~~~~~~~~^~~
  ‘main’: event 1
    |
    |false_pos.c:20:36:
    |   20 |     assert( -1 != fd);
    |      |                                    ^
    |      |                                    |
    |      |                                    (1) following ‘true’ branch (when ‘fd != -1’)...
    |
  ‘main’: event 2
    |
    |false_pos.c:24:19:
    |   24 |     const ssize_t hdrsz = sizeof hdr;
    |      |                   ^~~~~
    |      |                   |
    |      |                   (2) ...to here
    |
  ‘main’: event 3
    |
    |false_pos.c:26:36:
    |   26 |     assert(hdrsz == sr);
    |      |                                    ^
    |      |                                    |
    |      |                                    (3) following ‘true’ branch (when ‘hdrsz == sr’)...
    |
  ‘main’: event 4
    |
    |false_pos.c:28:12:
    |   28 |     assert((0 < hdr.nscans) && (hdr.nscans < 2));
    |      |         ~~~^~~~~~~~
    |      |            |
    |      |            (4) ...to here
    |
  ‘main’: event 5
    |
    |false_pos.c:28:36:
    |   28 |     assert((0 < hdr.nscans) && (hdr.nscans < 2));
    |      |                                    ^
    |      |                                    |
    |      |                                    (5) following ‘true’ branch...
    |
  ‘main’: event 6
    |
    |false_pos.c:28:21:
    |   28 |     assert((0 < hdr.nscans) && (hdr.nscans < 2));
    |      |     ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~
    |      |                     |
    |      |                     (6) ...to here
    |
  ‘main’: event 7
    |
    |false_pos.c:30:20:
    |   30 |     struct entry_s entries[hdr.nscans];
    |      |                    ^~~~~~~
    |      |                    |
    |      |                    (7) capacity: ‘(sizetype)hdr.nscans * 2’ bytes
    |
  ‘main’: event 8
    |
    |false_pos.c:35:36:
    |   35 |     assert(entriessz == sr);
    |      |                                    ^
    |      |                                    |
    |      |                                    (8) following ‘true’ branch (when ‘entriessz == sr’)...
    |
  ‘main’: events 9-10
    |
    |false_pos.c:37:5:
    |   37 |     close(fd);
    |      |     ^~~~~~~~~
    |      |     |
    |      |     (9) ...to here
    |   38 |
    |   39 |     return entries[hdr.nscans - 1].id;
    |      |            ~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |            |
    |      |            (10) read of 2 bytes at offset ‘hdr.nscans * 2 + 8589934590’ exceeds the buffer
    |

                                             ┌─────────────────┐
                                             │ read of 2 bytes │
                                             └─────────────────┘
                                                      ^
                                                      │
                                                      │
  ┌────────────────────────────────┐         ┌─────────────────┐
  │buffer allocated on stack at (7)│         │after valid range│
  └────────────────────────────────┘         └─────────────────┘
  ├───────────────┬────────────────┤├────────┬────────┤├────────┬────────┤
                  │                          │                  │
                  │              ╭───────────┴───────────╮      │
                  │              │⚠ over-read of 2 bytes │      │
                  │              ╰───────────────────────╯      │
   ╭──────────────┴─────────────╮                        ╭────────┴───────╮
   │size: ‘hdr.nscans * 2’ bytes│                        │8589934590 bytes│
   ╰────────────────────────────╯                        ╰────────────────╯

cc1: all warnings being treated as errors
=======

Preprocessed .i file is attached.

Please tell me if you need any more info, or if I should try another version of gcc.
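Added example for readers of this report; this is my own code, not the reporter's false_pos.c (whose full source is only in the attachment) and not part of the thread. It reproduces the shape the diagnostic describes: a header field nscans read from input sizes a VLA of 2-byte entries, and the last entry is read as entries[nscans - 1]. The hdr_s and entry_s layouts, the magic field, the uint32_t type of nscans, MAX_NSCANS, and the names last_entry_id, build_image and self_check are all assumptions. Two observations a practitioner may find useful: the offset 8589934590 in the diagnostic equals 2 * (2^32 - 1), the byte offset of index UINT32_MAX, which is the value nscans - 1 takes for a 32-bit unsigned nscans of 0, so the analyzer appears to be reasoning about exactly the wrapped index the assert was meant to exclude; and because assert() is compiled out under -DNDEBUG, a count taken from a file is better validated with ordinary checks that reject nscans == 0, cap the VLA size, and verify that the body is actually as long as the header claims.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout mirroring the report: entries are 2 bytes each,
 * matching the analyzer's capacity of 'hdr.nscans * 2' bytes. The magic
 * field and the uint32_t width of nscans are assumptions. */
struct hdr_s {
    uint32_t magic;   /* assumed */
    uint32_t nscans;  /* number of entry_s records that follow the header */
};

struct entry_s {
    int16_t id;
};

#define MAX_NSCANS 1024u  /* assumed cap on the VLA size */

/* Parse a header plus nscans entries from an in-memory byte image and
 * return the id of the last entry. Returns 0 on success, -1 on malformed
 * input. These checks remain in release builds (unlike assert()) and
 * reject nscans == 0 explicitly, so nscans - 1 can never wrap. */
int last_entry_id(const unsigned char *buf, size_t len, int16_t *out)
{
    struct hdr_s hdr;
    if (len < sizeof hdr)
        return -1;
    memcpy(&hdr, buf, sizeof hdr);

    /* Reject an empty table and an absurd count before sizing any VLA. */
    if (hdr.nscans == 0 || hdr.nscans > MAX_NSCANS)
        return -1;

    /* Widen before multiplying; the cap above keeps this small anyway. */
    const size_t entriessz = (size_t)hdr.nscans * sizeof(struct entry_s);
    if (len - sizeof hdr < entriessz)
        return -1;   /* body is shorter than the header promises */

    struct entry_s entries[hdr.nscans];   /* VLA sized by the validated field */
    memcpy(entries, buf + sizeof hdr, entriessz);

    const size_t last = (size_t)hdr.nscans - 1;   /* in [0, MAX_NSCANS - 1] */
    *out = entries[last].id;
    return 0;
}

/* Build a constructed image with nscans entries whose ids are 1..nscans.
 * Returns the number of bytes written, or 0 if cap is too small. */
size_t build_image(unsigned char *buf, size_t cap, uint32_t nscans)
{
    struct hdr_s hdr = { 0x4d534e53u, nscans };   /* constructed magic */
    size_t need = sizeof hdr + (size_t)nscans * sizeof(struct entry_s);
    if (need > cap)
        return 0;
    memcpy(buf, &hdr, sizeof hdr);
    for (uint32_t i = 0; i < nscans; i++) {
        struct entry_s e = { (int16_t)(i + 1) };
        memcpy(buf + sizeof hdr + (size_t)i * sizeof e, &e, sizeof e);
    }
    return need;
}

/* Exercise the parser on constructed images; returns 1 when every case
 * behaves as intended, 0 otherwise. */
int self_check(void)
{
    unsigned char buf[64];
    int16_t id = 0;

    /* Well-formed image with three entries: last id is 3. */
    size_t n = build_image(buf, sizeof buf, 3);
    if (n != 14 || last_entry_id(buf, n, &id) != 0 || id != 3)
        return 0;

    /* nscans == 0 is rejected instead of indexing entries[UINT32_MAX]. */
    n = build_image(buf, sizeof buf, 0);
    if (n != 8 || last_entry_id(buf, n, &id) != -1)
        return 0;

    /* Body truncated by one byte relative to what the header claims. */
    n = build_image(buf, sizeof buf, 3);
    if (last_entry_id(buf, n - 1, &id) != -1)
        return 0;

    /* nscans far above MAX_NSCANS: no multi-gigabyte VLA is attempted. */
    unsigned char big[8] = { 0 };
    uint32_t huge = UINT32_MAX;
    memcpy(big + 4, &huge, sizeof huge);
    if (last_entry_id(big, sizeof big, &id) != -1)
        return 0;

    return 1;
}

int main(void)
{
    int ok = self_check();
    printf("self_check: %s\n", ok ? "all cases behaved as intended" : "FAILED");
    return ok ? 0 : 1;
}
```

Compiling this with -fanalyzer is a reasonable way to check whether a given GCC build still reports the VLA read once the zero case is excluded by an explicit branch rather than by assert(); the checks themselves are the part worth keeping regardless of what the analyzer says, since they are the only bound that survives -DNDEBUG.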
Thread overview: 4+ messages
2024-04-30 10:25 hcmh at mailbox dot org [this message]
2024-04-30 10:55 ` [Bug analyzer/114896] " hcmh at mailbox dot org
2024-04-30 20:16 ` dmalcolm at gcc dot gnu.org
2024-05-18 21:08 ` uecker at gcc dot gnu.org