From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by sourceware.org (Postfix) with ESMTPS id BB46E3858419 for ; Mon, 15 Aug 2022 18:52:53 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org BB46E3858419 Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-574-agdQUHiUMV2twvBPB-lkdA-1; Mon, 15 Aug 2022 14:52:52 -0400 X-MC-Unique: agdQUHiUMV2twvBPB-lkdA-1 Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com [10.11.54.10]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 1D7C71824600 for ; Mon, 15 Aug 2022 18:52:52 +0000 (UTC) Received: from t14s.localdomain.com (unknown [10.2.16.51]) by smtp.corp.redhat.com (Postfix) with ESMTP id E4927492C3B; Mon, 15 Aug 2022 18:52:51 +0000 (UTC) From: David Malcolm To: gcc-patches@gcc.gnu.org Subject: [committed] analyzer: fix direction of -Wanalyzer-out-of-bounds note [PR106626] Date: Mon, 15 Aug 2022 14:52:50 -0400 Message-Id: <20220815185250.140745-1-dmalcolm@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.85 on 10.11.54.10 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII"; x-default=true X-Spam-Status: No, score=-11.5 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_NONE, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: gcc-patches@gcc.gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gcc-patches mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 15 Aug 2022 18:52:55 -0000 Fix a read/write typo. Also, add more test coverage of -Wanalyzer-out-of-bounds to help establish a baseline for experiments on tweaking the wording of the warning (PR analyzer/106626). Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu. Pushed to trunk as r13-2054-g23e8c0b0d99f58. gcc/analyzer/ChangeLog: PR analyzer/106626 * region-model.cc (buffer_overread::emit): Fix copy&paste error in direction of the access in the note. gcc/testsuite/ChangeLog: PR analyzer/106626 * gcc.dg/analyzer/out-of-bounds-read-char-arr.c: New test. * gcc.dg/analyzer/out-of-bounds-read-int-arr.c: New test. * gcc.dg/analyzer/out-of-bounds-write-char-arr.c: New test. * gcc.dg/analyzer/out-of-bounds-write-int-arr.c: New test. Signed-off-by: David Malcolm --- gcc/analyzer/region-model.cc | 4 +- .../analyzer/out-of-bounds-read-char-arr.c | 55 +++++++++++++++++++ .../analyzer/out-of-bounds-read-int-arr.c | 54 ++++++++++++++++++ .../analyzer/out-of-bounds-write-char-arr.c | 55 +++++++++++++++++++ .../analyzer/out-of-bounds-write-int-arr.c | 54 ++++++++++++++++++ 5 files changed, 220 insertions(+), 2 deletions(-) create mode 100644 gcc/testsuite/gcc.dg/analyzer/out-of-bounds-read-char-arr.c create mode 100644 gcc/testsuite/gcc.dg/analyzer/out-of-bounds-read-int-arr.c create mode 100644 gcc/testsuite/gcc.dg/analyzer/out-of-bounds-write-char-arr.c create mode 100644 gcc/testsuite/gcc.dg/analyzer/out-of-bounds-write-int-arr.c diff --git a/gcc/analyzer/region-model.cc b/gcc/analyzer/region-model.cc index a58904c06a8..b05b7097c00 100644 --- a/gcc/analyzer/region-model.cc +++ b/gcc/analyzer/region-model.cc @@ -1447,11 +1447,11 @@ public: print_dec (m_out_of_bounds_range.m_size_in_bytes, num_bytes_past_buf, UNSIGNED); if (m_diag_arg) - inform (rich_loc->get_loc (), "write is %s bytes past the end" + inform (rich_loc->get_loc (), "read is %s bytes past the end" " of %qE", num_bytes_past_buf, m_diag_arg); else - inform (rich_loc->get_loc (), "write is %s bytes past the end" + inform (rich_loc->get_loc (), "read is %s bytes past the end" "of the region", num_bytes_past_buf); } diff --git a/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-read-char-arr.c b/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-read-char-arr.c new file mode 100644 index 00000000000..61cbfc75c11 --- /dev/null +++ b/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-read-char-arr.c @@ -0,0 +1,55 @@ +char arr[10]; /* { dg-message "capacity is 10 bytes" } */ + +char int_arr_read_element_before_start_far(void) +{ + return arr[-100]; /* { dg-warning "buffer underread" "warning" } */ + /* { dg-message "out-of-bounds read at byte -100 but 'arr' starts at byte 0" "final event" { target *-*-* } .-1 } */ +} + +char int_arr_read_element_before_start_near(void) +{ + return arr[-2]; /* { dg-warning "buffer underread" "warning" } */ + /* { dg-message "out-of-bounds read at byte -2 but 'arr' starts at byte 0" "final event" { target *-*-* } .-1 } */ +} + +char int_arr_read_element_before_start_off_by_one(void) +{ + return arr[-1]; /* { dg-warning "buffer underread" "warning" } */ + /* { dg-message "out-of-bounds read at byte -1 but 'arr' starts at byte 0" "final event" { target *-*-* } .-1 } */ +} + +char int_arr_read_element_at_start(void) +{ + return arr[0]; +} + +char int_arr_read_element_at_end(void) +{ + return arr[9]; +} + +char int_arr_read_element_after_end_off_by_one(void) +{ + return arr[10]; /* { dg-warning "buffer overread" "warning" } */ + /* { dg-message "out-of-bounds read at byte 10 but 'arr' ends at byte 10" "final event" { target *-*-* } .-1 } */ + /* { dg-message "read is 1 bytes past the end of 'arr'" "note" { target *-*-* } .-2 } */ + // FIXME(PR 106626): "1 bytes" +} + +char int_arr_read_element_after_end_near(void) +{ + return arr[11]; /* { dg-warning "buffer overread" "warning" } */ + /* { dg-message "out-of-bounds read at byte 11 but 'arr' ends at byte 10" "final event" { target *-*-* } .-1 } */ + /* { dg-message "read is 1 bytes past the end of 'arr'" "note" { target *-*-* } .-2 } */ + // FIXME(PR 106626): is the note correct? + // FIXME(PR 106626): "1 bytes" +} + +char int_arr_read_element_after_end_far(void) +{ + return arr[100]; /* { dg-warning "buffer overread" "warning" } */ + /* { dg-message "out-of-bounds read at byte 100 but 'arr' ends at byte 10" "final event" { target *-*-* } .-1 } */ + /* { dg-message "read is 1 bytes past the end of 'arr'" "note" { target *-*-* } .-2 } */ + // FIXME(PR 106626): the note seems incorrect (size of access is 1 byte, but magnitude beyond boundary is 90) + // FIXME(PR 106626): "1 bytes" +} diff --git a/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-read-int-arr.c b/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-read-int-arr.c new file mode 100644 index 00000000000..0bb30d24e9f --- /dev/null +++ b/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-read-int-arr.c @@ -0,0 +1,54 @@ +#include + +int32_t arr[10]; /* { dg-message "capacity is 40 bytes" } */ + +int32_t int_arr_read_element_before_start_far(void) +{ + return arr[-100]; /* { dg-warning "buffer underread" "warning" } */ + /* { dg-message "out-of-bounds read from byte -400 till byte -397 but 'arr' starts at byte 0" "final event" { target *-*-* } .-1 } */ +} + +int32_t int_arr_read_element_before_start_near(void) +{ + return arr[-2]; /* { dg-warning "buffer underread" "warning" } */ + /* { dg-message "out-of-bounds read from byte -8 till byte -5 but 'arr' starts at byte 0" "final event" { target *-*-* } .-1 } */ +} + +int32_t int_arr_read_element_before_start_off_by_one(void) +{ + return arr[-1]; /* { dg-warning "buffer underread" "warning" } */ + /* { dg-message "out-of-bounds read from byte -4 till byte -1 but 'arr' starts at byte 0" "final event" { target *-*-* } .-1 } */ +} + +int32_t int_arr_read_element_at_start(void) +{ + return arr[0]; +} + +int32_t int_arr_read_element_at_end(void) +{ + return arr[9]; +} + +int32_t int_arr_read_element_after_end_off_by_one(void) +{ + return arr[10]; /* { dg-warning "buffer overread" "warning" } */ + /* { dg-message "out-of-bounds read from byte 40 till byte 43 but 'arr' ends at byte 40" "final event" { target *-*-* } .-1 } */ + /* { dg-message "read is 4 bytes past the end of 'arr'" "note" { target *-*-* } .-2 } */ +} + +int32_t int_arr_read_element_after_end_near(void) +{ + return arr[11]; /* { dg-warning "buffer overread" "warning" } */ + /* { dg-message "out-of-bounds read from byte 44 till byte 47 but 'arr' ends at byte 40" "final event" { target *-*-* } .-1 } */ + /* { dg-message "read is 4 bytes past the end of 'arr'" "note" { target *-*-* } .-2 } */ + // FIXME(PR 106626): is the note correct? +} + +int32_t int_arr_read_element_after_end_far(void) +{ + return arr[100]; /* { dg-warning "buffer overread" "warning" } */ + /* { dg-message "out-of-bounds read from byte 400 till byte 403 but 'arr' ends at byte 40" "final event" { target *-*-* } .-1 } */ + /* { dg-message "read is 4 bytes past the end of 'arr'" "note" { target *-*-* } .-2 } */ + // FIXME(PR 106626): the note seems incorrect (size of access is 4 bytes, but magnitude beyond boundary is 390-393) +} diff --git a/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-write-char-arr.c b/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-write-char-arr.c new file mode 100644 index 00000000000..47fbc5207ee --- /dev/null +++ b/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-write-char-arr.c @@ -0,0 +1,55 @@ +char arr[10]; /* { dg-message "capacity is 10 bytes" } */ + +void int_arr_write_element_before_start_far(char x) +{ + arr[-100] = x; /* { dg-warning "buffer underflow" "warning" } */ + /* { dg-message "out-of-bounds write at byte -100 but 'arr' starts at byte 0" "final event" { target *-*-* } .-1 } */ +} + +void int_arr_write_element_before_start_near(char x) +{ + arr[-2] = x; /* { dg-warning "buffer underflow" "warning" } */ + /* { dg-message "out-of-bounds write at byte -2 but 'arr' starts at byte 0" "final event" { target *-*-* } .-1 } */ +} + +void int_arr_write_element_before_start_off_by_one(char x) +{ + arr[-1] = x; /* { dg-warning "buffer underflow" "warning" } */ + /* { dg-message "out-of-bounds write at byte -1 but 'arr' starts at byte 0" "final event" { target *-*-* } .-1 } */ +} + +void int_arr_write_element_at_start(char x) +{ + arr[0] = x; +} + +void int_arr_write_element_at_end(char x) +{ + arr[9] = x; +} + +void int_arr_write_element_after_end_off_by_one(char x) +{ + arr[10] = x; /* { dg-warning "buffer overflow" "warning" } */ + /* { dg-message "out-of-bounds write at byte 10 but 'arr' ends at byte 10" "final event" { target *-*-* } .-1 } */ + /* { dg-message "write is 1 bytes past the end of 'arr'" "note" { target *-*-* } .-2 } */ + // FIXME(PR 106626): "1 bytes" +} + +void int_arr_write_element_after_end_near(char x) +{ + arr[11] = x; /* { dg-warning "buffer overflow" "warning" } */ + /* { dg-message "out-of-bounds write at byte 11 but 'arr' ends at byte 10" "final event" { target *-*-* } .-1 } */ + /* { dg-message "write is 1 bytes past the end of 'arr'" "note" { target *-*-* } .-2 } */ + // FIXME(PR 106626): is the note correct? + // FIXME(PR 106626): "1 bytes" +} + +void int_arr_write_element_after_end_far(char x) +{ + arr[100] = x; /* { dg-warning "buffer overflow" "warning" } */ + /* { dg-message "out-of-bounds write at byte 100 but 'arr' ends at byte 10" "final event" { target *-*-* } .-1 } */ + /* { dg-message "write is 1 bytes past the end of 'arr'" "note" { target *-*-* } .-2 } */ + // FIXME(PR 106626): the note seems incorrect (size of access is 1 byte, but magnitude beyond boundary is 90) + // FIXME(PR 106626): "1 bytes" +} diff --git a/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-write-int-arr.c b/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-write-int-arr.c new file mode 100644 index 00000000000..bf9760ee978 --- /dev/null +++ b/gcc/testsuite/gcc.dg/analyzer/out-of-bounds-write-int-arr.c @@ -0,0 +1,54 @@ +#include + +int32_t arr[10]; /* { dg-message "capacity is 40 bytes" } */ + +void int_arr_write_element_before_start_far(int32_t x) +{ + arr[-100] = x; /* { dg-warning "buffer underflow" "warning" } */ + /* { dg-message "out-of-bounds write from byte -400 till byte -397 but 'arr' starts at byte 0" "final event" { target *-*-* } .-1 } */ +} + +void int_arr_write_element_before_start_near(int32_t x) +{ + arr[-2] = x; /* { dg-warning "buffer underflow" "warning" } */ + /* { dg-message "out-of-bounds write from byte -8 till byte -5 but 'arr' starts at byte 0" "final event" { target *-*-* } .-1 } */ +} + +void int_arr_write_element_before_start_off_by_one(int32_t x) +{ + arr[-1] = x; /* { dg-warning "buffer underflow" "warning" } */ + /* { dg-message "out-of-bounds write from byte -4 till byte -1 but 'arr' starts at byte 0" "final event" { target *-*-* } .-1 } */ +} + +void int_arr_write_element_at_start(int32_t x) +{ + arr[0] = x; +} + +void int_arr_write_element_at_end(int32_t x) +{ + arr[9] = x; +} + +void int_arr_write_element_after_end_off_by_one(int32_t x) +{ + arr[10] = x; /* { dg-warning "buffer overflow" "warning" } */ + /* { dg-message "out-of-bounds write from byte 40 till byte 43 but 'arr' ends at byte 40" "final event" { target *-*-* } .-1 } */ + /* { dg-message "write is 4 bytes past the end of 'arr'" "note" { target *-*-* } .-2 } */ +} + +void int_arr_write_element_after_end_near(int32_t x) +{ + arr[11] = x; /* { dg-warning "buffer overflow" "warning" } */ + /* { dg-message "out-of-bounds write from byte 44 till byte 47 but 'arr' ends at byte 40" "final event" { target *-*-* } .-1 } */ + /* { dg-message "write is 4 bytes past the end of 'arr'" "note" { target *-*-* } .-2 } */ + // FIXME(PR 106626): is the note correct? +} + +void int_arr_write_element_after_end_far(int32_t x) +{ + arr[100] = x; /* { dg-warning "buffer overflow" "warning" } */ + /* { dg-message "out-of-bounds write from byte 400 till byte 403 but 'arr' ends at byte 40" "final event" { target *-*-* } .-1 } */ + /* { dg-message "write is 4 bytes past the end of 'arr'" "note" { target *-*-* } .-2 } */ + // FIXME(PR 106626): the note seems incorrect (size of access is 4 bytes, but magnitude beyond boundary is 390-393) +} -- 2.26.3