* [committed] analyzer: fix ICE when combining taint states has_ub and has_lb
@ 2022-01-14 22:54 David Malcolm
From: David Malcolm @ 2022-01-14 22:54 UTC (permalink / raw)
  To: gcc-patches

Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
Pushed to trunk as cc3b67e40140ec79f86e79a96d7fdd169b84faaf.

gcc/analyzer/ChangeLog:
	* sm-taint.cc (taint_state_machine::combine_states): Handle combination
	of has_ub and has_lb.

gcc/testsuite/ChangeLog:
	* gcc.dg/analyzer/taint-merger.c: New test.
---
 gcc/analyzer/sm-taint.cc                     | 14 +++--
 gcc/testsuite/gcc.dg/analyzer/taint-merger.c | 57 ++++++++++++++++++++
 2 files changed, 66 insertions(+), 5 deletions(-)
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/taint-merger.c

diff --git a/gcc/analyzer/sm-taint.cc b/gcc/analyzer/sm-taint.cc
index 3a46256b020..357456593ff 100644
--- a/gcc/analyzer/sm-taint.cc
+++ b/gcc/analyzer/sm-taint.cc
@@ -860,15 +860,19 @@ taint_state_machine::combine_states (state_t s0, state_t s1) const
     return s0;
   if (s0 == m_tainted || s1 == m_tainted)
     return m_tainted;
-  if (s0 == m_stop)
-    return s1;
-  if (s1 == m_stop)
-    return s0;
   if (s0 == m_start)
     return s1;
   if (s1 == m_start)
     return s0;
-  gcc_unreachable ();
+  if (s0 == m_stop)
+    return s1;
+  if (s1 == m_stop)
+    return s0;
+  /* The only remaining combinations are one of has_ub and has_lb
+     (in either order).  */
+  gcc_assert ((s0 == m_has_lb && s1 == m_has_ub)
+	      || (s0 == m_has_ub && s1 == m_has_lb));
+  return m_tainted;
 }
 
 /* Check for calls to external functions marked with
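Review bot: Moving the `m_start` tests ahead of the `m_stop` tests changes the result for a start/stop pair from 'start' to 'stop' in either order, yet neither the ChangeLog entry nor a comment in the hunk says the order is deliberate. The new test does expect 'stop' for both `v_start + v_stop` and `v_stop + v_start`, so the order is load-bearing, and a later tidy-up that swaps the two pairs back would silently change the merged state. I would add a comment above the first test, for example `/* Test m_start before m_stop: start combined with stop must give stop.  */`. The function begins above the hunk, so the condition guarding the first `return s0;` is not visible here.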
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-merger.c b/gcc/testsuite/gcc.dg/analyzer/taint-merger.c
new file mode 100644
index 00000000000..e4e48f3db03
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-merger.c
@@ -0,0 +1,57 @@
+/* { dg-additional-options "-fanalyzer-checker=taint" } */
+// TODO: remove need for this option
+
+#include "analyzer-decls.h"
+
+int v_start;
+
+__attribute__((tainted_args))
+void test (int v_tainted, int v_has_lb, int v_has_ub, int v_stop)
+{
+  /* Get each var into the 5 different taintedness states.  */
+  if (v_has_lb < 10)
+    return;
+  if (v_has_ub > 100)
+    return;
+  if (v_stop < 0 || v_stop > 100)
+    return;
+
+  /* Verify that we have the taintedness states we expect.  */
+
+  __analyzer_dump_state ("taint", v_start); /* { dg-warning "state: 'start'" } */
+  __analyzer_dump_state ("taint", v_tainted); /* { dg-warning "state: 'tainted'" } */
+  __analyzer_dump_state ("taint", v_has_lb); /* { dg-warning "state: 'has_lb'" } */
+  __analyzer_dump_state ("taint", v_has_ub); /* { dg-warning "state: 'has_ub'" } */
+  __analyzer_dump_state ("taint", v_stop); /* { dg-warning "state: 'stop'" } */
+
+  /* Check all combinations of taintedness state.  */
+  __analyzer_dump_state ("taint", v_start + v_start); /* { dg-warning "state: 'start'" } */
+  __analyzer_dump_state ("taint", v_start + v_tainted); /* { dg-warning "state: 'tainted'" } */
+  __analyzer_dump_state ("taint", v_start + v_has_lb); /* { dg-warning "state: 'has_lb'" } */
+  __analyzer_dump_state ("taint", v_start + v_has_ub); /* { dg-warning "state: 'has_ub'" } */
+  __analyzer_dump_state ("taint", v_start + v_stop); /* { dg-warning "state: 'stop'" } */
+
+  __analyzer_dump_state ("taint", v_tainted + v_start); /* { dg-warning "state: 'tainted'" } */
+  __analyzer_dump_state ("taint", v_tainted + v_tainted); /* { dg-warning "state: 'tainted'" } */
+  __analyzer_dump_state ("taint", v_tainted + v_has_lb); /* { dg-warning "state: 'tainted'" } */
+  __analyzer_dump_state ("taint", v_tainted + v_has_ub); /* { dg-warning "state: 'tainted'" } */
+  __analyzer_dump_state ("taint", v_tainted + v_stop); /* { dg-warning "state: 'tainted'" } */
+
+  __analyzer_dump_state ("taint", v_has_lb + v_start); /* { dg-warning "state: 'has_lb'" } */
+  __analyzer_dump_state ("taint", v_has_lb + v_tainted); /* { dg-warning "state: 'tainted'" } */
+  __analyzer_dump_state ("taint", v_has_lb + v_has_lb); /* { dg-warning "state: 'has_lb'" } */
+  __analyzer_dump_state ("taint", v_has_lb + v_has_ub); /* { dg-warning "state: 'tainted'" } */
+  __analyzer_dump_state ("taint", v_has_lb + v_stop); /* { dg-warning "state: 'has_lb'" } */
+
+  __analyzer_dump_state ("taint", v_has_ub + v_start); /* { dg-warning "state: 'has_ub'" } */
+  __analyzer_dump_state ("taint", v_has_ub + v_tainted); /* { dg-warning "state: 'tainted'" } */
+  __analyzer_dump_state ("taint", v_has_ub + v_has_lb); /* { dg-warning "state: 'tainted'" } */
+  __analyzer_dump_state ("taint", v_has_ub + v_has_ub); /* { dg-warning "state: 'has_ub'" } */
+  __analyzer_dump_state ("taint", v_has_ub + v_stop); /* { dg-warning "state: 'has_ub'" } */
+
+  __analyzer_dump_state ("taint", v_stop + v_start); /* { dg-warning "state: 'stop'" } */
+  __analyzer_dump_state ("taint", v_stop + v_tainted); /* { dg-warning "state: 'tainted'" } */
+  __analyzer_dump_state ("taint", v_stop + v_has_lb); /* { dg-warning "state: 'has_lb'" } */
+  __analyzer_dump_state ("taint", v_stop + v_has_ub); /* { dg-warning "state: 'has_ub'" } */
+  __analyzer_dump_state ("taint", v_stop + v_stop); /* { dg-warning "state: 'stop'" } */
+}
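Review bot: The setup block under "Get each var into the 5 different taintedness states" does not say which guard produces which state, so a reader has to work the mapping out from the dump lines that follow. A short comment after each early return would make the table easier to audit, for example `/* v_has_lb >= 10 from here: 'has_lb'.  */`, `/* v_has_ub <= 100 from here: 'has_ub'.  */` and `/* 0 <= v_stop <= 100 from here: 'stop'.  */`. It would also help to note that `v_tainted` is deliberately left unchecked and that `v_start` is a global rather than a `tainted_args` parameter. All 25 combinations are exercised through `+` only; if `combine_states` is also reached for other binary operators (not visible from this patch), one representative case with another operator would guard that path too.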
-- 
2.26.3

