From: "dmalcolm at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/98247] Analyzer fails to detect certain out-of-bounds uses of flexible array members
Date: Fri, 09 Sep 2022 21:44:20 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98247

David Malcolm changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
            Summary|RFE: detect Flexible Array  |Analyzer fails to detect
                   |Member misuse in analyzer   |certain out-of-bounds uses
                   |                            |of flexible array members
   Last reconfirmed|                            |2022-09-09
             Status|UNCONFIRMED                 |NEW
            Version|11.0                        |13.0

--- Comment #5 from David Malcolm ---

The above patch adds test coverage for various uses of the flexible array member idiom, inspired by your test case above (thanks!)

It adds one xfail, in test_symbolic_size_oob, where there's a false negative: it fails to complain about this code:

  struct str *
  test_symbolic_size_oob (size_t len)
  {
    /* Forgetting to add space for the trailing array.  */
    struct str *str = malloc(sizeof(str));
    if (str)
      {
        str->len = len;
        memset(str->data, 'x', len); /* { dg-warning "heap-based buffer overflow" "PR analyzer/98247" { xfail *-*-* } } */
        // TODO(xfail): we don't yet complain about this case, which occurs when len > 0
        return str;
      }
    return NULL;
  }

I'm going to repurpose this bug to track fixing that false negative; updating subject accordingly.
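The false negative above is the classic flexible-array-member under-allocation: malloc(sizeof(str)) takes the size of the pointer variable, not of struct str plus len bytes of trailing data, so every byte memset writes into data[] when len > 0 lands past the end of the heap block. The following is an added example, not code from the bug report or from the GCC test suite; it assumes a constructed struct str with a size_t len and a char data[] flexible array member (the report only shows the two field names), and shows the hardened allocation beside a check that quantifies what the buggy form actually reserves for data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed layout for this example; the bug report shows only the
   fields len and data, so the element type is an assumption. */
struct str {
    size_t len;
    char data[];   /* flexible array member: contributes 0 to sizeof */
};

/* Bytes to allocate for a struct str carrying len bytes of payload.
   Returns 0 if the addition would wrap, so a caller can never end up
   with a block smaller than the header it is about to write. */
size_t str_alloc_size(size_t len)
{
    if (len > SIZE_MAX - sizeof(struct str))
        return 0;
    return sizeof(struct str) + len;
}

/* Hardened version of test_symbolic_size_oob: the allocation accounts
   for the trailing array, so the memset stays inside the block. */
struct str *str_new(size_t len)
{
    size_t sz = str_alloc_size(len);
    if (sz == 0)
        return NULL;
    struct str *s = malloc(sz);
    if (!s)
        return NULL;
    s->len = len;
    memset(s->data, 'x', len);
    return s;
}

/* How many payload bytes the buggy form, malloc(sizeof(str)) with str a
   pointer variable, actually leaves for data[] after the header.
   sizeof(str) here is sizeof(struct str *), exactly as in the report. */
size_t buggy_data_capacity(void)
{
    struct str *str = NULL;
    size_t allocated = sizeof(str);          /* pointer size, not struct size */
    size_t header    = sizeof(struct str);   /* len field only; data[] is 0 */
    return allocated > header ? allocated - header : 0;
}

/* True if the buggy allocation is overrun by a memset of len bytes.
   This is the condition the analyzer should report (len > 0 on the
   usual targets, where pointer size equals the header size). */
int buggy_overflows(size_t len)
{
    return len > buggy_data_capacity();
}

int main(void)
{
    /* Safe path: allocate, fill, free. */
    struct str *s = str_new(16);
    if (!s)
        return 1;
    free(s);
    /* Report rather than perform the overflow. */
    return buggy_overflows(16) ? 0 : 1;
}
```

The hardened form is the one the analyzer already handles; what the xfail tracks is that the buggy form slips through even though buggy_overflows(len) is true for any non-zero len on a target where sizeof(struct str *) equals sizeof(size_t).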