public inbox for gcc-cvs@sourceware.org
help / color / mirror / Atom feed
* [gcc r13-8758] analyzer: fix ICE and false positive with -Wanalyzer-deref-before-check [PR114408]
@ 2024-05-09 17:12 David Malcolm
  0 siblings, 0 replies; only message in thread
From: David Malcolm @ 2024-05-09 17:12 UTC (permalink / raw)
  To: gcc-cvs

https://gcc.gnu.org/g:96f7a3694c3e4c72af6258cc9b38bce30e609bee

commit r13-8758-g96f7a3694c3e4c72af6258cc9b38bce30e609bee
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Thu May 9 13:09:32 2024 -0400

    analyzer: fix ICE and false positive with -Wanalyzer-deref-before-check [PR114408]
    
    Backported from commit r14-9646-g80a0cb37456c49 (moving testcase to gcc.dg
    and handling conflict in kf.cc)
    
    gcc/analyzer/ChangeLog:
            PR analyzer/114408
            * engine.cc (impl_run_checkers): Free up any dominance info that
            we may have created.
            * kf.cc (class kf_ubsan_handler): New.
            (register_sanitizer_builtins): New.
            (register_known_functions): Call register_sanitizer_builtins.
    
    gcc/testsuite/ChangeLog:
            PR analyzer/114408
            * gcc.dg/analyzer/deref-before-check-pr114408.c: New test.
            * c-c++-common/ubsan/analyzer-ice-pr114408.c: New test.
    
    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

Diff:
---
 gcc/analyzer/engine.cc                             |  7 +++++++
 gcc/analyzer/kf.cc                                 | 22 ++++++++++++++++++++++
 .../c-c++-common/ubsan/analyzer-ice-pr114408.c     |  9 +++++++++
 .../gcc.dg/analyzer/deref-before-check-pr114408.c  | 22 ++++++++++++++++++++++
 4 files changed, 60 insertions(+)

diff --git a/gcc/analyzer/engine.cc b/gcc/analyzer/engine.cc
index a5965c2b8ff0..c5aadc41d114 100644
--- a/gcc/analyzer/engine.cc
+++ b/gcc/analyzer/engine.cc
@@ -6163,6 +6163,13 @@ impl_run_checkers (logger *logger)
     eng.get_model_manager ()->dump_untracked_regions ();
 
   delete purge_map;
+
+  /* Free up any dominance info that we may have created.  */
+  FOR_EACH_FUNCTION_WITH_GIMPLE_BODY (node)
+    {
+      function *fun = node->get_fun ();
+      free_dominance_info (fun, CDI_DOMINATORS);
+    }
 }
 
 /* Handle -fdump-analyzer and -fdump-analyzer-stderr.  */
diff --git a/gcc/analyzer/kf.cc b/gcc/analyzer/kf.cc
index 93c46630f361..4389ff917b8f 100644
--- a/gcc/analyzer/kf.cc
+++ b/gcc/analyzer/kf.cc
@@ -987,6 +987,27 @@ region_model::impl_deallocation_call (const call_details &cd)
   kf.impl_call_post (cd);
 }
 
+/* Handle calls to the various __builtin___ubsan_handle_*.
+   These can return, but continuing after such a return
+   isn't likely to be interesting to the user of the analyzer.
+   Hence we terminate the analysis path at one of these calls.  */
+
+class kf_ubsan_handler : public internal_known_function
+{
+  void impl_call_post (const call_details &cd) const final override
+  {
+    if (cd.get_ctxt ())
+      cd.get_ctxt ()->terminate_path ();
+  }
+};
+
+static void
+register_sanitizer_builtins (known_function_manager &kfm)
+{
+  kfm.add (BUILT_IN_UBSAN_HANDLE_NONNULL_ARG,
+	   make_unique<kf_ubsan_handler> ());
+}
+
 /* Populate KFM with instances of known functions supported by the core of the
    analyzer (as opposed to plugins).  */
 
@@ -1028,6 +1049,7 @@ register_known_functions (known_function_manager &kfm)
     kfm.add (BUILT_IN_STRNDUP, make_unique<kf_strndup> ());
     kfm.add (BUILT_IN_STRLEN, make_unique<kf_strlen> ());
 
+    register_sanitizer_builtins (kfm);
     register_varargs_builtins (kfm);
   }
 
diff --git a/gcc/testsuite/c-c++-common/ubsan/analyzer-ice-pr114408.c b/gcc/testsuite/c-c++-common/ubsan/analyzer-ice-pr114408.c
new file mode 100644
index 000000000000..55f918726eed
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/ubsan/analyzer-ice-pr114408.c
@@ -0,0 +1,9 @@
+/* { dg-do run } */
+/* { dg-require-effective-target analyzer } */
+/* { dg-options "-fanalyzer -fsanitize=undefined" } */
+
+int main(){}
+
+int HMAP_unset_copy(const char *key) {
+    return __builtin_strcmp("a", key) + __builtin_strcmp("a", key);
+}
diff --git a/gcc/testsuite/gcc.dg/analyzer/deref-before-check-pr114408.c b/gcc/testsuite/gcc.dg/analyzer/deref-before-check-pr114408.c
new file mode 100644
index 000000000000..d55720271d0f
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/deref-before-check-pr114408.c
@@ -0,0 +1,22 @@
+extern void unknown_returns (const char *p);
+extern void unknown_noreturn (const char *p) __attribute__((__noreturn__));
+
+void test_1 (const char *p)
+{
+  if (p)
+    unknown_returns (p);
+  __builtin_strcmp ("a", p); /* { dg-message "pointer 'p' is dereferenced here" "" { target c } } */
+  if (p) /* { dg-warning "check of 'p' for NULL after already dereferencing it" "" { target c } } */
+    unknown_returns (p);
+  __builtin_strcmp ("a", p);  
+}
+
+void test_2 (const char *p)
+{
+  if (p)
+    unknown_noreturn (p);
+  __builtin_strcmp ("a", p);
+  if (p) /* { dg-bogus "check of 'p' for NULL after already dereferencing it" } */
+    unknown_noreturn (p);
+  __builtin_strcmp ("a", p);  
+}

^ permalink raw reply	[flat|nested] only message in thread
only message in thread, other threads:[~2024-05-09 17:12 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-05-09 17:12 [gcc r13-8758] analyzer: fix ICE and false positive with -Wanalyzer-deref-before-check [PR114408] David Malcolm

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).