public inbox for gcc-bugs@sourceware.org
* [Bug c/98247] New: gcc analyzer does not detect Flexible Array Member misuse
From: vince.a.bridgers at gmail dot com @ 2020-12-11 16:32 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98247

            Bug ID: 98247
           Summary: gcc analyzer does not detect Flexible Array Member
                    misuse
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: vince.a.bridgers at gmail dot com
  Target Milestone: ---

This is more of a query than a bug at this point (or possibly a "feature
enhancement request"). This initial request follows a similar (but different)
issue filed against clang, see https://bugs.llvm.org/show_bug.cgi?id=48136.

The modified reproducer is shown below. While I understand that generally the
compiler cannot know how large a FAM is allocated to be, the question becomes:
is there some way gcc analysis can track a beyond-bounds memory access at
static analysis time and flag the below case as suspicious? Perhaps this can be
done by constraining the idiom, and indeed that is what some reliable and
secure programming standards do when this matters. Perhaps this is already
covered by gcc, and if so my apologies for missing it - feel free to close this
as invalid with an explanation. If there's a way to address this already in gcc
11 (or beyond), I'm interested in understanding it.

Thanks 

$ gcc  --version
gcc (GCC) 11.0.0 20200516 (experimental)
Copyright (C) 2020 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

$ gcc  -fanalyzer fam.c 
$ # no output, interpreted to mean no errors found.

#include <stdlib.h>
#include <string.h>

struct str {
    size_t len;
    char data[];   /* flexible array member; adds nothing to sizeof(struct str) */
};

int main(void)
{
    /* Note: sizeof(str) here is the size of the pointer variable being
       declared, not sizeof(struct str).  On LP64 both are 8 bytes, so the
       block is 18 bytes and the 10-byte memset below stays in bounds;
       the analyzer therefore has no out-of-bounds access to report. */
    struct str *str = malloc(sizeof(str) + 10);
    if (str) {
        str->len = 10;
        memset(str->data, 'x', 10);   /* writes data[0..9] */
        free(str);
    }
    return 0;
}


* [Bug analyzer/98247] RFE: detect Flexible Array Member misuse in analyzer
From: dmalcolm at gcc dot gnu.org @ 2021-03-19 14:08 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98247

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|c                           |analyzer
            Summary|gcc analyzer does not       |RFE: detect Flexible Array
                   |detect Flexible Array       |Member misuse in analyzer
                   |Member misuse               |
           Assignee|unassigned at gcc dot gnu.org      |dmalcolm at gcc dot gnu.org
                 CC|                            |dmalcolm at gcc dot gnu.org

--- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Thanks for filing this bug.

-fanalyzer doesn't yet do bounds checking, but I hope to add it eventually, so
retitling this as an "RFE".


* [Bug analyzer/98247] RFE: detect Flexible Array Member misuse in analyzer
From: dmalcolm at gcc dot gnu.org @ 2022-08-26 18:00 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98247

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://gcc.gnu.org/bugzill
                   |                            |a/show_bug.cgi?id=106000

--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Tim implemented some bounds-checking for GCC 13 (-Wanalyzer-out-of-bounds in PR
106000), so this might work now; marking as "See Also" for that bug.


* [Bug analyzer/98247] RFE: detect Flexible Array Member misuse in analyzer
From: dmalcolm at gcc dot gnu.org @ 2022-08-26 18:04 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98247

--- Comment #3 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Seems to work: 
  Does not warn for provided example:
    https://godbolt.org/z/Wa3E8Mdqr
  If I increase the memset to access one beyond, it complains:
    https://godbolt.org/z/K6Wcneh8Y

with the caveat that the current implementation of -Wanalyzer-out-of-bounds
requires concrete (non-symbolic) sizes (see PR 106625).


* [Bug analyzer/98247] RFE: detect Flexible Array Member misuse in analyzer
From: cvs-commit at gcc dot gnu.org @ 2022-09-09 21:11 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98247

--- Comment #4 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:084dc9a0c6cec14596093ad077fc3e25c6b99bc3

commit r13-2571-g084dc9a0c6cec14596093ad077fc3e25c6b99bc3
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Fri Sep 9 17:10:08 2022 -0400

    analyzer: add test coverage for flexible array members [PR98247]

    gcc/testsuite/ChangeLog:
            PR analyzer/98247
            * gcc.dg/analyzer/flexible-array-member-1.c: New test.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>


* [Bug analyzer/98247] Analyzer fails to detect certain out-of-bounds uses of flexible array members
From: dmalcolm at gcc dot gnu.org @ 2022-09-09 21:44 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98247

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
            Summary|RFE: detect Flexible Array  |Analyzer fails to detect
                   |Member misuse in analyzer   |certain out-of-bounds uses
                   |                            |of flexible array members
   Last reconfirmed|                            |2022-09-09
             Status|UNCONFIRMED                 |NEW
            Version|11.0                        |13.0

--- Comment #5 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
The above patch adds test coverage for various uses of the flexible array
member idiom, inspired by your test case above (thanks!).

It adds one xfail, in test_symbolic_size_oob, where there's a false negative:
it fails to complain about this code:

#include <stdlib.h>
#include <string.h>

/* Same struct as in the reporter's test case above.  */
struct str {
  size_t len;
  char data[];
};

struct str *
test_symbolic_size_oob (size_t len)
{
  /* Forgetting to add space for the trailing array.  */
  struct str *str = malloc(sizeof(str));
  if (str) {
    str->len = len;
    memset(str->data, 'x', len); /* { dg-warning "heap-based buffer overflow" "PR analyzer/98247" { xfail *-*-* } } */
    // TODO(xfail): we don't yet complain about this case, which occurs when len > 0
    return str;
  }
  return NULL;
}

I'm going to repurpose this bug to track fixing that false negative; updating
subject accordingly.

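Added example, not code from the bug report or from GCC's testsuite: a hardened counterpart to the reporter's reproducer and to the xfail case in Comment #5. It sizes the allocation from sizeof(struct str) rather than the pointer variable, rejects a length that would overflow the size addition, and bounds-checks writes against the recorded len, so the symbolic-length case the analyzer currently misses is caught at runtime by the code itself. The helper names str_alloc_size, str_new and str_store are my own.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Same layout as the reporter's test case: a length prefix plus a
   flexible array member holding `len` bytes. */
struct str {
    size_t len;
    char data[];
};

/* Bytes needed for a struct str carrying `len` payload bytes, or 0 if
   the addition would overflow size_t.  The operand is the struct type:
   sizeof(str) on a `struct str *str` yields the pointer's size, which
   only coincidentally matches sizeof(struct str) on common targets. */
size_t str_alloc_size(size_t len)
{
    if (len > SIZE_MAX - sizeof(struct str))
        return 0;
    return sizeof(struct str) + len;
}

/* Allocate a str with room for `len` bytes, filled with `fill`.
   Unlike test_symbolic_size_oob, the trailing array is accounted for
   even when `len` is only known at run time. */
struct str *str_new(size_t len, char fill)
{
    size_t bytes = str_alloc_size(len);
    if (bytes == 0)
        return NULL;
    struct str *s = malloc(bytes);
    if (!s)
        return NULL;
    s->len = len;
    memset(s->data, fill, len);   /* stays inside the allocation */
    return s;
}

/* Copy `n` bytes into s->data at offset `off`; returns 0 on success,
   -1 when the write would leave the allocated payload. */
int str_store(struct str *s, size_t off, const void *src, size_t n)
{
    if (off > s->len || n > s->len - off)
        return -1;
    memcpy(s->data + off, src, n);
    return 0;
}
```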
