public inbox for gcc-bugs@sourceware.org
From: "hcmh at mailbox dot org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/114896] New: analyzer: false-positive with VLA (analyzer-out-of-bounds, CWE-121)
Date: Tue, 30 Apr 2024 10:25:10 +0000
Message-ID: <bug-114896-4@http.gcc.gnu.org/bugzilla/>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114896

            Bug ID: 114896
           Summary: analyzer: false-positive with VLA
                    (analyzer-out-of-bounds, CWE-121)
           Product: gcc
           Version: 14.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: hcmh at mailbox dot org
  Target Milestone: ---

Created attachment 58076
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=58076&action=edit
Preprocessed .i triggering the problem

Hey,

in one of our projects we encountered the following analyzer problem, which I
believe to be a false positive. The code essentially creates a VLA with a size
n constrained by assert()s and reads from it. The analyzer claims that this
read is out of bounds, with the maximum possible value of the type of n as
offset.

I have tried to make the example as short as possible while avoiding all
warnings with -Wall -Wextra.

GCC version: 14.0.1 20240404 (experimental)
(compiled from commit 1baec8deb014b8a7da58879a407a4c00cdeb5a09 )

System type: Debian 12 running on x86_64

GCC configuration options: --prefix=$HOME/.local/ --program-suffix=-git
--enable-default-pie --disable-multilib --enable-lto --enable-plugin
--enable-shared


Command line: gcc-git -v -save-temps -fanalyzer -Werror  -o false_pos
false_pos.c

Compiler output:
=======
Using built-in specs.
COLLECT_GCC=gcc-git
COLLECT_LTO_WRAPPER=/home/cholme/.local/libexec/gcc/x86_64-pc-linux-gnu/14.0.1/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /home/cholme/git/gcc/configure --prefix=/home/cholme/.local/
--program-suffix=-git --enable-default-pie --disable-multilib --enable-lto
--enable-plugin --enable-shared
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 14.0.1 20240404 (experimental) (GCC)
COLLECT_GCC_OPTIONS='-v' '-save-temps' '-fanalyzer' '-Werror' '-o' 'false_pos'
'-mtune=generic' '-march=x86-64'
 /home/cholme/.local/libexec/gcc/x86_64-pc-linux-gnu/14.0.1/cc1 -E -quiet -v
-imultiarch x86_64-linux-gnu false_pos.c -mtune=generic -march=x86-64 -Werror
-fanalyzer -fpch-preprocess -o false_pos.i
ignoring nonexistent directory "/usr/local/include/x86_64-linux-gnu"
ignoring nonexistent directory
"/home/cholme/.local/lib/gcc/x86_64-pc-linux-gnu/14.0.1/include-fixed/x86_64-linux-gnu"
ignoring nonexistent directory
"/home/cholme/.local/lib/gcc/x86_64-pc-linux-gnu/14.0.1/../../../../x86_64-pc-linux-gnu/include"
#include "..." search starts here:
#include <...> search starts here:
 /home/cholme/.local/lib/gcc/x86_64-pc-linux-gnu/14.0.1/include
 /usr/local/include
 /home/cholme/.local/include
 /home/cholme/.local/lib/gcc/x86_64-pc-linux-gnu/14.0.1/include-fixed
 /usr/include/x86_64-linux-gnu
 /usr/include
End of search list.
COLLECT_GCC_OPTIONS='-v' '-save-temps' '-fanalyzer' '-Werror' '-o' 'false_pos'
'-mtune=generic' '-march=x86-64'
 /home/cholme/.local/libexec/gcc/x86_64-pc-linux-gnu/14.0.1/cc1 -fpreprocessed
false_pos.i -quiet -dumpbase false_pos.c -dumpbase-ext .c -mtune=generic
-march=x86-64 -Werror -version -fanalyzer -o false_pos.s
GNU C17 (GCC) version 14.0.1 20240404 (experimental) (x86_64-pc-linux-gnu)
        compiled by GNU C version 14.0.1 20240404 (experimental), GMP version
6.2.1, MPFR version 4.1.0, MPC version 1.2.1, isl version isl-0.24-GMP

GGC heuristics: --param ggc-min-expand=30 --param ggc-min-heapsize=4096
Compiler executable checksum: d2ba7c5aec15d00fa77a3643096b9f91
false_pos.c: In function ‘main’:
false_pos.c:39:35: error: stack-based buffer over-read [CWE-121]
[-Werror=analyzer-out-of-bounds]
   39 |     return entries[hdr.nscans - 1].id;
      |            ~~~~~~~~~~~~~~~~~~~~~~~^~~
  ‘main’: event 1
    |
    |false_pos.c:20:36:
    |   20 |     assert( -1 != fd);
    |      |                                    ^
    |      |                                    |
    |      |                                    (1) following ‘true’ branch
(when ‘fd != -1’)...
    |
  ‘main’: event 2
    |
    |false_pos.c:24:19:
    |   24 |     const ssize_t hdrsz = sizeof hdr;
    |      |                   ^~~~~
    |      |                   |
    |      |                   (2) ...to here
    |
  ‘main’: event 3
    |
    |false_pos.c:26:36:
    |   26 |     assert(hdrsz == sr);
    |      |                                    ^
    |      |                                    |
    |      |                                    (3) following ‘true’ branch
(when ‘hdrsz == sr’)...
    |
  ‘main’: event 4
    |
    |false_pos.c:28:12:
    |   28 |     assert((0 < hdr.nscans) && (hdr.nscans < 2));
    |      |         ~~~^~~~~~~
    |      |            |
    |      |            (4) ...to here
    |
  ‘main’: event 5
    |
    |false_pos.c:28:36:
    |   28 |     assert((0 < hdr.nscans) && (hdr.nscans < 2));
    |      |                                    ^
    |      |                                    |
    |      |                                    (5) following ‘true’ branch...
    |
  ‘main’: event 6
    |
    |false_pos.c:28:21:
    |   28 |     assert((0 < hdr.nscans) && (hdr.nscans < 2));
    |      |     ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~
    |      |                     |
    |      |                     (6) ...to here
    |
  ‘main’: event 7
    |
    |false_pos.c:30:20:
    |   30 |     struct entry_s entries[hdr.nscans];
    |      |                    ^~~~~~~
    |      |                    |
    |      |                    (7) capacity: ‘(sizetype)hdr.nscans * 2’ bytes
    |
  ‘main’: event 8
    |
    |false_pos.c:35:36:
    |   35 |     assert(entriessz == sr);
    |      |                                    ^
    |      |                                    |
    |      |                                    (8) following ‘true’ branch
(when ‘entriessz == sr’)...
    |
  ‘main’: events 9-10
    |
    |false_pos.c:37:5:
    |   37 |     close(fd);
    |      |     ^~~~~~~~~
    |      |     |
    |      |     (9) ...to here
    |   38 |
    |   39 |     return entries[hdr.nscans - 1].id;
    |      |            ~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                                   |
    |      |                                   (10) read of 2 bytes at offset
‘hdr.nscans * 2 + 8589934590’ exceeds the buffer
    |

                                                       ┌─────────────────┐
                                                       │ read of 2 bytes │
                                                       └─────────────────┘
                                                                ^
                                                                │
                                                                │
  ┌────────────────────────────────┐                   ┌─────────────────┐
  │buffer allocated on stack at (7)│                   │after valid range│
  └────────────────────────────────┘                   └─────────────────┘
  ├───────────────┬────────────────┤├────────┬────────┤├────────┬────────┤
                  │                          │                  │
                  │                          │      ╭───────────┴───────────╮
                  │                          │      │⚠  over-read of 2 bytes│
                  │                          │      ╰───────────────────────╯
   ╭──────────────┴─────────────╮   ╭────────┴───────╮
   │size: ‘hdr.nscans * 2’ bytes│   │8589934590 bytes│
   ╰────────────────────────────╯   ╰────────────────╯

cc1: all warnings being treated as errors
=======

Preprocessed .i file is attached.


Please tell me if you need any more info, or if I should try another version of
gcc.
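The pattern the report describes, as an added example that is not the reporter's attached code: it parses a constructed in-memory buffer instead of a file descriptor, sizes a VLA from the header count, and reads entries[nscans - 1]. The struct layouts are assumptions inferred from the diagnostic (a 2-byte entry because the capacity is reported as nscans * 2 bytes, and a uint32_t count because 8589934590 == 2 * UINT32_MAX); the nscans == 0 check is what the reporter's assert provides and what rules out the wrap the analyzer is reasoning about.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed shapes (the report does not show its structs): a 2-byte entry, since
 * the analyzer reports capacity "nscans * 2" bytes, and a 32-bit unsigned
 * count, since the diagnostic's 8589934590 equals 2 * UINT32_MAX. */
struct entry_s { uint16_t id; };
struct hdr_s   { uint32_t nscans; };

#define MAX_NSCANS 1u   /* what the reporter's assert allows: 0 < nscans < 2 */

/* The unguarded index expression: for nscans == 0 it wraps to UINT32_MAX,
 * which times sizeof(struct entry_s) is exactly the 8589934590-byte offset
 * in the diagnostic. This is the hazard the assert rules out. */
static uint32_t last_index_unguarded(uint32_t nscans)
{
    return nscans - 1;
}

/* Constructed sample input: header plus ids in host byte order; returns bytes written. */
static size_t build_sample(unsigned char *out, uint32_t nscans, const uint16_t *ids)
{
    struct hdr_s hdr = { nscans };
    memcpy(out, &hdr, sizeof hdr);
    for (uint32_t i = 0; i < nscans; i++)
        memcpy(out + sizeof hdr + i * sizeof(struct entry_s), &ids[i], sizeof ids[i]);
    return sizeof hdr + (size_t)nscans * sizeof(struct entry_s);
}

/* Same pattern as the report (VLA sized by the header count, read of
 * entries[nscans - 1]) over a buffer. Returns the last id, or -1 when the
 * header or length is invalid; rejecting nscans == 0 keeps the index from
 * wrapping, and the length check keeps the VLA fill in bounds. */
static int last_entry_id(const unsigned char *buf, size_t len)
{
    struct hdr_s hdr;
    if (len < sizeof hdr)
        return -1;
    memcpy(&hdr, buf, sizeof hdr);
    if (hdr.nscans == 0 || hdr.nscans > MAX_NSCANS)
        return -1;
    size_t body = (size_t)hdr.nscans * sizeof(struct entry_s);
    if (len - sizeof hdr < body)
        return -1;
    struct entry_s entries[hdr.nscans];        /* capacity nscans * 2 bytes */
    memcpy(entries, buf + sizeof hdr, body);
    return entries[hdr.nscans - 1].id;         /* index 0 when nscans == 1 */
}
```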

Thread overview: 4+ messages
2024-04-30 10:25 hcmh at mailbox dot org [this message]
2024-04-30 10:55 ` [Bug analyzer/114896] " hcmh at mailbox dot org
2024-04-30 20:16 ` dmalcolm at gcc dot gnu.org
2024-05-18 21:08 ` uecker at gcc dot gnu.org