public inbox for gcc-cvs@sourceware.org help / color / mirror / Atom feed
From: David Malcolm <dmalcolm@gcc.gnu.org> To: gcc-cvs@gcc.gnu.org Subject: [gcc r13-2054] analyzer: fix direction of -Wanalyzer-out-of-bounds note [PR106626] Date: Mon, 15 Aug 2022 18:48:56 +0000 (GMT) [thread overview] Message-ID: <20220815184856.C74AE3858284@sourceware.org> (raw) https://gcc.gnu.org/g:23e8c0b0d99f585499baddda70af6a8b26f49bea commit r13-2054-g23e8c0b0d99f585499baddda70af6a8b26f49bea Author: David Malcolm <dmalcolm@redhat.com> Date: Mon Aug 15 14:47:03 2022 -0400 analyzer: fix direction of -Wanalyzer-out-of-bounds note [PR106626] Fix a read/write typo. Also, add more test coverage of -Wanalyzer-out-of-bounds to help establish a baseline for experiments on tweaking the wording of the warning (PR analyzer/106626). gcc/analyzer/ChangeLog: PR analyzer/106626 * region-model.cc (buffer_overread::emit): Fix copy&paste error in direction of the access in the note. gcc/testsuite/ChangeLog: PR analyzer/106626 * gcc.dg/analyzer/out-of-bounds-read-char-arr.c: New test. * gcc.dg/analyzer/out-of-bounds-read-int-arr.c: New test. * gcc.dg/analyzer/out-of-bounds-write-char-arr.c: New test. * gcc.dg/analyzer/out-of-bounds-write-int-arr.c: New test. Signed-off-by: David Malcolm <dmalcolm@redhat.com> Diff: --- gcc/analyzer/region-model.cc | 4 +- .../gcc.dg/analyzer/out-of-bounds-read-char-arr.c | 55 ++++++++++++++++++++++ .../gcc.dg/analyzer/out-of-bounds-read-int-arr.c | 54 +++++++++++++++++++++ .../gcc.dg/analyzer/out-of-bounds-write-char-arr.c | 55 ++++++++++++++++++++++ .../gcc.dg/analyzer/out-of-bounds-write-int-arr.c | 54 +++++++++++++++++++++ 5 files changed, 220 insertions(+), 2 deletions(-) diff --git a/gcc/analyzer/region-model.cc b/gcc/analyzer/region-model.cc index a58904c06a8..b05b7097c00 100644 --- a/gcc/analyzer/region-model.cc +++ b/gcc/analyzer/region-model.cc @@ -1447,11 +1447,11 @@ public: print_dec (m_out_of_bounds_range.m_size_in_bytes, num_bytes_past_buf, UNSIGNED); if (m_diag_arg) - inform (rich_loc->get_loc (), "write is %s bytes past the end" + inform (rich_loc->get_loc (), "read is %s bytes past the end" " of %qE", num_bytes_past_buf, m_diag_arg); else - inform (rich_loc->get_loc (), "write is %s bytes past the end" + inform (rich_loc->get_loc (), "read is %s bytes past the end" "of the region", num_bytes_past_buf); } diff --git a/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-read-char-arr.c b/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-read-char-arr.c new file mode 100644 index 00000000000..61cbfc75c11 --- /dev/null +++ b/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-read-char-arr.c @@ -0,0 +1,55 @@ +char arr[10]; /* { dg-message "capacity is 10 bytes" } */ + +char int_arr_read_element_before_start_far(void) +{ + return arr[-100]; /* { dg-warning "buffer underread" "warning" } */ + /* { dg-message "out-of-bounds read at byte -100 but 'arr' starts at byte 0" "final event" { target *-*-* } .-1 } */ +} + +char int_arr_read_element_before_start_near(void) +{ + return arr[-2]; /* { dg-warning "buffer underread" "warning" } */ + /* { dg-message "out-of-bounds read at byte -2 but 'arr' starts at byte 0" "final event" { target *-*-* } .-1 } */ +} + +char int_arr_read_element_before_start_off_by_one(void) +{ + return arr[-1]; /* { dg-warning "buffer underread" "warning" } */ + /* { dg-message "out-of-bounds read at byte -1 but 'arr' starts at byte 0" "final event" { target *-*-* } .-1 } */ +} + +char int_arr_read_element_at_start(void) +{ + return arr[0]; +} + +char int_arr_read_element_at_end(void) +{ + return arr[9]; +} + +char int_arr_read_element_after_end_off_by_one(void) +{ + return arr[10]; /* { dg-warning "buffer overread" "warning" } */ + /* { dg-message "out-of-bounds read at byte 10 but 'arr' ends at byte 10" "final event" { target *-*-* } .-1 } */ + /* { dg-message "read is 1 bytes past the end of 'arr'" "note" { target *-*-* } .-2 } */ + // FIXME(PR 106626): "1 bytes" +} + +char int_arr_read_element_after_end_near(void) +{ + return arr[11]; /* { dg-warning "buffer overread" "warning" } */ + /* { dg-message "out-of-bounds read at byte 11 but 'arr' ends at byte 10" "final event" { target *-*-* } .-1 } */ + /* { dg-message "read is 1 bytes past the end of 'arr'" "note" { target *-*-* } .-2 } */ + // FIXME(PR 106626): is the note correct? + // FIXME(PR 106626): "1 bytes" +} + +char int_arr_read_element_after_end_far(void) +{ + return arr[100]; /* { dg-warning "buffer overread" "warning" } */ + /* { dg-message "out-of-bounds read at byte 100 but 'arr' ends at byte 10" "final event" { target *-*-* } .-1 } */ + /* { dg-message "read is 1 bytes past the end of 'arr'" "note" { target *-*-* } .-2 } */ + // FIXME(PR 106626): the note seems incorrect (size of access is 1 byte, but magnitude beyond boundary is 90) + // FIXME(PR 106626): "1 bytes" +} diff --git a/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-read-int-arr.c b/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-read-int-arr.c new file mode 100644 index 00000000000..0bb30d24e9f --- /dev/null +++ b/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-read-int-arr.c @@ -0,0 +1,54 @@ +#include <stdint.h> + +int32_t arr[10]; /* { dg-message "capacity is 40 bytes" } */ + +int32_t int_arr_read_element_before_start_far(void) +{ + return arr[-100]; /* { dg-warning "buffer underread" "warning" } */ + /* { dg-message "out-of-bounds read from byte -400 till byte -397 but 'arr' starts at byte 0" "final event" { target *-*-* } .-1 } */ +} + +int32_t int_arr_read_element_before_start_near(void) +{ + return arr[-2]; /* { dg-warning "buffer underread" "warning" } */ + /* { dg-message "out-of-bounds read from byte -8 till byte -5 but 'arr' starts at byte 0" "final event" { target *-*-* } .-1 } */ +} + +int32_t int_arr_read_element_before_start_off_by_one(void) +{ + return arr[-1]; /* { dg-warning "buffer underread" "warning" } */ + /* { dg-message "out-of-bounds read from byte -4 till byte -1 but 'arr' starts at byte 0" "final event" { target *-*-* } .-1 } */ +} + +int32_t int_arr_read_element_at_start(void) +{ + return arr[0]; +} + +int32_t int_arr_read_element_at_end(void) +{ + return arr[9]; +} + +int32_t int_arr_read_element_after_end_off_by_one(void) +{ + return arr[10]; /* { dg-warning "buffer overread" "warning" } */ + /* { dg-message "out-of-bounds read from byte 40 till byte 43 but 'arr' ends at byte 40" "final event" { target *-*-* } .-1 } */ + /* { dg-message "read is 4 bytes past the end of 'arr'" "note" { target *-*-* } .-2 } */ +} + +int32_t int_arr_read_element_after_end_near(void) +{ + return arr[11]; /* { dg-warning "buffer overread" "warning" } */ + /* { dg-message "out-of-bounds read from byte 44 till byte 47 but 'arr' ends at byte 40" "final event" { target *-*-* } .-1 } */ + /* { dg-message "read is 4 bytes past the end of 'arr'" "note" { target *-*-* } .-2 } */ + // FIXME(PR 106626): is the note correct? +} + +int32_t int_arr_read_element_after_end_far(void) +{ + return arr[100]; /* { dg-warning "buffer overread" "warning" } */ + /* { dg-message "out-of-bounds read from byte 400 till byte 403 but 'arr' ends at byte 40" "final event" { target *-*-* } .-1 } */ + /* { dg-message "read is 4 bytes past the end of 'arr'" "note" { target *-*-* } .-2 } */ + // FIXME(PR 106626): the note seems incorrect (size of access is 4 bytes, but magnitude beyond boundary is 390-393) +} diff --git a/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-write-char-arr.c b/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-write-char-arr.c new file mode 100644 index 00000000000..47fbc5207ee --- /dev/null +++ b/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-write-char-arr.c @@ -0,0 +1,55 @@ +char arr[10]; /* { dg-message "capacity is 10 bytes" } */ + +void int_arr_write_element_before_start_far(char x) +{ + arr[-100] = x; /* { dg-warning "buffer underflow" "warning" } */ + /* { dg-message "out-of-bounds write at byte -100 but 'arr' starts at byte 0" "final event" { target *-*-* } .-1 } */ +} + +void int_arr_write_element_before_start_near(char x) +{ + arr[-2] = x; /* { dg-warning "buffer underflow" "warning" } */ + /* { dg-message "out-of-bounds write at byte -2 but 'arr' starts at byte 0" "final event" { target *-*-* } .-1 } */ +} + +void int_arr_write_element_before_start_off_by_one(char x) +{ + arr[-1] = x; /* { dg-warning "buffer underflow" "warning" } */ + /* { dg-message "out-of-bounds write at byte -1 but 'arr' starts at byte 0" "final event" { target *-*-* } .-1 } */ +} + +void int_arr_write_element_at_start(char x) +{ + arr[0] = x; +} + +void int_arr_write_element_at_end(char x) +{ + arr[9] = x; +} + +void int_arr_write_element_after_end_off_by_one(char x) +{ + arr[10] = x; /* { dg-warning "buffer overflow" "warning" } */ + /* { dg-message "out-of-bounds write at byte 10 but 'arr' ends at byte 10" "final event" { target *-*-* } .-1 } */ + /* { dg-message "write is 1 bytes past the end of 'arr'" "note" { target *-*-* } .-2 } */ + // FIXME(PR 106626): "1 bytes" +} + +void int_arr_write_element_after_end_near(char x) +{ + arr[11] = x; /* { dg-warning "buffer overflow" "warning" } */ + /* { dg-message "out-of-bounds write at byte 11 but 'arr' ends at byte 10" "final event" { target *-*-* } .-1 } */ + /* { dg-message "write is 1 bytes past the end of 'arr'" "note" { target *-*-* } .-2 } */ + // FIXME(PR 106626): is the note correct? + // FIXME(PR 106626): "1 bytes" +} + +void int_arr_write_element_after_end_far(char x) +{ + arr[100] = x; /* { dg-warning "buffer overflow" "warning" } */ + /* { dg-message "out-of-bounds write at byte 100 but 'arr' ends at byte 10" "final event" { target *-*-* } .-1 } */ + /* { dg-message "write is 1 bytes past the end of 'arr'" "note" { target *-*-* } .-2 } */ + // FIXME(PR 106626): the note seems incorrect (size of access is 1 byte, but magnitude beyond boundary is 90) + // FIXME(PR 106626): "1 bytes" +} diff --git a/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-write-int-arr.c b/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-write-int-arr.c new file mode 100644 index 00000000000..bf9760ee978 --- /dev/null +++ b/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-write-int-arr.c @@ -0,0 +1,54 @@ +#include <stdint.h> + +int32_t arr[10]; /* { dg-message "capacity is 40 bytes" } */ + +void int_arr_write_element_before_start_far(int32_t x) +{ + arr[-100] = x; /* { dg-warning "buffer underflow" "warning" } */ + /* { dg-message "out-of-bounds write from byte -400 till byte -397 but 'arr' starts at byte 0" "final event" { target *-*-* } .-1 } */ +} + +void int_arr_write_element_before_start_near(int32_t x) +{ + arr[-2] = x; /* { dg-warning "buffer underflow" "warning" } */ + /* { dg-message "out-of-bounds write from byte -8 till byte -5 but 'arr' starts at byte 0" "final event" { target *-*-* } .-1 } */ +} + +void int_arr_write_element_before_start_off_by_one(int32_t x) +{ + arr[-1] = x; /* { dg-warning "buffer underflow" "warning" } */ + /* { dg-message "out-of-bounds write from byte -4 till byte -1 but 'arr' starts at byte 0" "final event" { target *-*-* } .-1 } */ +} + +void int_arr_write_element_at_start(int32_t x) +{ + arr[0] = x; +} + +void int_arr_write_element_at_end(int32_t x) +{ + arr[9] = x; +} + +void int_arr_write_element_after_end_off_by_one(int32_t x) +{ + arr[10] = x; /* { dg-warning "buffer overflow" "warning" } */ + /* { dg-message "out-of-bounds write from byte 40 till byte 43 but 'arr' ends at byte 40" "final event" { target *-*-* } .-1 } */ + /* { dg-message "write is 4 bytes past the end of 'arr'" "note" { target *-*-* } .-2 } */ +} + +void int_arr_write_element_after_end_near(int32_t x) +{ + arr[11] = x; /* { dg-warning "buffer overflow" "warning" } */ + /* { dg-message "out-of-bounds write from byte 44 till byte 47 but 'arr' ends at byte 40" "final event" { target *-*-* } .-1 } */ + /* { dg-message "write is 4 bytes past the end of 'arr'" "note" { target *-*-* } .-2 } */ + // FIXME(PR 106626): is the note correct? +} + +void int_arr_write_element_after_end_far(int32_t x) +{ + arr[100] = x; /* { dg-warning "buffer overflow" "warning" } */ + /* { dg-message "out-of-bounds write from byte 400 till byte 403 but 'arr' ends at byte 40" "final event" { target *-*-* } .-1 } */ + /* { dg-message "write is 4 bytes past the end of 'arr'" "note" { target *-*-* } .-2 } */ + // FIXME(PR 106626): the note seems incorrect (size of access is 4 bytes, but magnitude beyond boundary is 390-393) +}
reply other threads:[~2022-08-15 18:48 UTC|newest] Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20220815184856.C74AE3858284@sourceware.org \ --to=dmalcolm@gcc.gnu.org \ --cc=gcc-cvs@gcc.gnu.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).