From: David Malcolm <dmalcolm@redhat.com>
To: gcc-patches@gcc.gnu.org
Cc: David Malcolm <dmalcolm@redhat.com>
Subject: [PATCH 13/21] analyzer: fix defaults in compound assignments from non-zero offsets [PR112969]
Date: Thu, 9 May 2024 13:42:28 -0400 [thread overview]
Message-ID: <20240509174236.2278921-14-dmalcolm@redhat.com> (raw)
In-Reply-To: <20240509174236.2278921-1-dmalcolm@redhat.com>
Confusion in binding_cluster::maybe_get_compound_binding about whether
offsets are relative to the start of the region or to the start of the
cluster was leading to incorrect handling of default values, leading
to false positives from -Wanalyzer-use-of-uninitialized-value, from
-Wanalyzer-exposure-through-uninit-copy, and other logic errors.
Fixed thusly.
Backported from commit r14-8428-g6426d466779fa8 (keeping tests
in gcc.dg, rather than c-c++-common).
gcc/analyzer/ChangeLog:
PR analyzer/112969
* store.cc (binding_cluster::maybe_get_compound_binding): When
populating default_map, express the bit-range of the default key
for REG relative to REG, rather than to the base region.
gcc/testsuite/ChangeLog:
PR analyzer/112969
* gcc.dg/analyzer/compound-assignment-5.c (test_3): Remove
xfails, reorder tests.
* gcc.dg/analyzer/compound-assignment-pr112969.c: New test.
* gcc.dg/plugin/infoleak-pr112969.c: New test.
* gcc.dg/plugin/plugin.exp: Add infoleak-pr112969.c to
analyzer_kernel_plugin.c tests.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
---
gcc/analyzer/store.cc | 11 +++-
.../gcc.dg/analyzer/compound-assignment-5.c | 29 ++++-------
.../analyzer/compound-assignment-pr112969.c | 35 +++++++++++++
.../gcc.dg/plugin/infoleak-pr112969.c | 52 +++++++++++++++++++
gcc/testsuite/gcc.dg/plugin/plugin.exp | 1 +
5 files changed, 109 insertions(+), 19 deletions(-)
create mode 100644 gcc/testsuite/gcc.dg/analyzer/compound-assignment-pr112969.c
create mode 100644 gcc/testsuite/gcc.dg/plugin/infoleak-pr112969.c
diff --git a/gcc/analyzer/store.cc b/gcc/analyzer/store.cc
index e8c927b9fe9..0acb0a2b186 100644
--- a/gcc/analyzer/store.cc
+++ b/gcc/analyzer/store.cc
@@ -1718,7 +1718,16 @@ binding_cluster::maybe_get_compound_binding (store_manager *mgr,
else
default_sval = sval_mgr->get_or_create_initial_value (reg);
const binding_key *default_key = binding_key::make (mgr, reg);
- default_map.put (default_key, default_sval);
+
+ /* Express the bit-range of the default key for REG relative to REG,
+ rather than to the base region. */
+ const concrete_binding *concrete_default_key
+ = default_key->dyn_cast_concrete_binding ();
+ if (!concrete_default_key)
+ return nullptr;
+ const concrete_binding *default_key_relative_to_reg
+ = mgr->get_concrete_binding (0, concrete_default_key->get_size_in_bits ());
+ default_map.put (default_key_relative_to_reg, default_sval);
for (map_t::iterator iter = m_map.begin (); iter != m_map.end (); ++iter)
{
diff --git a/gcc/testsuite/gcc.dg/analyzer/compound-assignment-5.c b/gcc/testsuite/gcc.dg/analyzer/compound-assignment-5.c
index ccf8fe392bf..e1f42177b08 100644
--- a/gcc/testsuite/gcc.dg/analyzer/compound-assignment-5.c
+++ b/gcc/testsuite/gcc.dg/analyzer/compound-assignment-5.c
@@ -23,7 +23,7 @@ void test_1 (void)
/* Copying from an on-stack array to a global array. */
-struct coord glob_arr[16];
+struct coord glob_arr2[16];
void test_2 (void)
{
@@ -31,32 +31,29 @@ void test_2 (void)
arr[3].x = 5;
arr[3].y = 6;
- glob_arr[7] = arr[3];
+ glob_arr2[7] = arr[3];
- __analyzer_eval (glob_arr[7].x == 5); /* { dg-warning "TRUE" } */
- __analyzer_eval (glob_arr[7].y == 6); /* { dg-warning "TRUE" } */
+ __analyzer_eval (glob_arr2[7].x == 5); /* { dg-warning "TRUE" } */
+ __analyzer_eval (glob_arr2[7].y == 6); /* { dg-warning "TRUE" } */
}
/* Copying from a partially initialized on-stack array to a global array. */
-struct coord glob_arr[16];
+struct coord glob_arr3[16];
void test_3 (void)
{
struct coord arr[16];
arr[3].y = 6;
- glob_arr[7] = arr[3]; // or should the uninit warning be here?
+ glob_arr3[7] = arr[3]; // or should the uninit warning be here?
- __analyzer_eval (glob_arr[7].x); /* { dg-warning "uninitialized" "uninit" { xfail *-*-* } } */
- /* { dg-bogus "UNKNOWN" "unknown" { xfail *-*-* } .-1 } */
- __analyzer_eval (glob_arr[7].y == 6); /* { dg-warning "TRUE" } */
+ __analyzer_eval (glob_arr3[7].y == 6); /* { dg-warning "TRUE" } */
+ __analyzer_eval (glob_arr3[7].x); /* { dg-warning "uninitialized" "uninit" } */
}
/* Symbolic bindings: copying from one array to another. */
-struct coord glob_arr[16];
-
void test_4 (int i)
{
struct coord arr_a[16];
@@ -77,8 +74,6 @@ void test_4 (int i)
/* Symbolic bindings: copying within an array: symbolic src and dest */
-struct coord glob_arr[16];
-
void test_5a (int i, int j)
{
struct coord arr[16];
@@ -95,8 +90,6 @@ void test_5a (int i, int j)
/* Symbolic bindings: copying within an array: symbolic src, concrete dest. */
-struct coord glob_arr[16];
-
void test_5b (int i)
{
struct coord arr[16];
@@ -113,8 +106,6 @@ void test_5b (int i)
/* Symbolic bindings: copying within an array: concrete src, symbolic dest. */
-struct coord glob_arr[16];
-
void test_5c (int i)
{
struct coord arr[16];
@@ -132,10 +123,12 @@ void test_5c (int i)
/* No info on the subregion being copied, and hence
binding_cluster2::maybe_get_compound_binding should return NULL. */
+struct coord glob_arr6[16];
+
void test_6 (void)
{
struct coord arr[16];
- arr[7] = glob_arr[3];
+ arr[7] = glob_arr6[3];
__analyzer_eval (arr[7].x == 5); /* { dg-warning "UNKNOWN" } */
__analyzer_eval (arr[7].y == 6); /* { dg-warning "UNKNOWN" } */
diff --git a/gcc/testsuite/gcc.dg/analyzer/compound-assignment-pr112969.c b/gcc/testsuite/gcc.dg/analyzer/compound-assignment-pr112969.c
new file mode 100644
index 00000000000..4bc037cb7cf
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/compound-assignment-pr112969.c
@@ -0,0 +1,35 @@
+/* Reduced from -Wanalyzer-exposure-through-uninit-copy false positives
+ seen in Linux kernel in drivers/net/ethernet/intel/ice/ice_ptp.c */
+
+#include "analyzer-decls.h"
+
+/* { dg-do compile } */
+
+struct hwtstamp_config
+{
+ int flags;
+ int tx_type;
+ int rx_filter;
+};
+
+struct ice_ptp
+{
+ long placeholder;
+ struct hwtstamp_config tstamp_config;
+};
+
+struct ice_pf
+{
+ struct ice_ptp ptp;
+};
+
+void
+ice_ptp_set_ts_config(struct ice_pf* pf)
+{
+ struct hwtstamp_config config;
+ pf->ptp.tstamp_config.tx_type = 1;
+ pf->ptp.tstamp_config.rx_filter = 2;
+ config = pf->ptp.tstamp_config;
+ __analyzer_eval (config.flags == pf->ptp.tstamp_config.flags); /* { dg-warning "TRUE" } */
+ /* { dg-bogus "use of uninitialized value 'config.flags'" "PR analyzer/112969" { target *-*-* } .-1 } */
+}
diff --git a/gcc/testsuite/gcc.dg/plugin/infoleak-pr112969.c b/gcc/testsuite/gcc.dg/plugin/infoleak-pr112969.c
new file mode 100644
index 00000000000..e78fe365975
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/plugin/infoleak-pr112969.c
@@ -0,0 +1,52 @@
+/* Reduced from -Wanalyzer-exposure-through-uninit-copy false positives
+ seen in Linux kernel in drivers/net/ethernet/intel/ice/ice_ptp.c */
+
+/* { dg-do compile } */
+/* { dg-options "-fanalyzer" } */
+/* { dg-require-effective-target analyzer } */
+
+extern unsigned long
+copy_from_user(void* to, const void* from, unsigned long n);
+
+extern unsigned long
+copy_to_user(void* to, const void* from, unsigned long n);
+
+struct ifreq
+{
+ union
+ {
+ void* ifru_data;
+ } ifr_ifru;
+};
+
+struct hwtstamp_config
+{
+ int flags;
+ int tx_type;
+ int rx_filter;
+};
+
+struct ice_ptp
+{
+ long placeholder;
+ struct hwtstamp_config tstamp_config;
+};
+
+struct ice_pf
+{
+ struct ice_ptp ptp;
+};
+int
+ice_ptp_set_ts_config(struct ice_pf* pf, struct ifreq* ifr)
+{
+ struct hwtstamp_config config;
+ int err;
+ if (copy_from_user(&config, ifr->ifr_ifru.ifru_data, sizeof(config)))
+ return -14;
+ pf->ptp.tstamp_config.tx_type = 0;
+ pf->ptp.tstamp_config.rx_filter = 0;
+ config = pf->ptp.tstamp_config;
+ if (copy_to_user(ifr->ifr_ifru.ifru_data, &config, sizeof(config))) /* { dg-bogus "-Wanalyzer-exposure-through-uninit-copy" "PR analyzer/112969" } */
+ return -14;
+ return 0;
+}
diff --git a/gcc/testsuite/gcc.dg/plugin/plugin.exp b/gcc/testsuite/gcc.dg/plugin/plugin.exp
index 4d6304cd100..6465b3c34bf 100644
--- a/gcc/testsuite/gcc.dg/plugin/plugin.exp
+++ b/gcc/testsuite/gcc.dg/plugin/plugin.exp
@@ -141,6 +141,7 @@ set plugin_test_list [list \
infoleak-CVE-2017-18550-1.c \
infoleak-antipatterns-1.c \
infoleak-fixit-1.c \
+ infoleak-pr112969.c \
infoleak-net-ethtool-ioctl.c \
infoleak-vfio_iommu_type1.c \
taint-CVE-2011-0521-1-fixed.c \
--
2.26.3
next prev parent reply other threads:[~2024-05-09 17:42 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-09 17:42 [pushed 00/21] Various backports to gcc 13 (analyzer, jit, diagnostics) David Malcolm
2024-05-09 17:42 ` [PATCH 01/21] analyzer: add caching to globals with initializers [PR110112] David Malcolm
2024-05-09 17:42 ` [PATCH 02/21] analyzer: Fix allocation size false positive on conjured svalue [PR109577] David Malcolm
2024-05-11 16:43 ` NightStrike
2024-05-09 17:42 ` [PATCH 03/21] testsuite: Add more allocation size tests for conjured svalues [PR110014] David Malcolm
2024-05-11 16:44 ` NightStrike
2024-05-09 17:42 ` [PATCH 04/21] jit: avoid using __vector in testcase [PR110466] David Malcolm
2024-05-09 17:42 ` [PATCH 05/21] jit.exp: handle dwarf version mismatch in jit-check-debug-info [PR110466] David Malcolm
2024-05-09 17:42 ` [PATCH 06/21] analyzer: fix ICE on division of tainted floating-point values [PR110700] David Malcolm
2024-05-09 17:42 ` [PATCH 07/21] analyzer: fix ICE on zero-sized arrays [PR110882] David Malcolm
2024-05-09 17:42 ` [PATCH 08/21] testsuite, analyzer: add test case [PR108171] David Malcolm
2024-05-09 17:42 ` [PATCH 09/21] jit: dump string literal initializers correctly David Malcolm
2024-05-09 17:42 ` [PATCH 10/21] analyzer: fix ICE for 2 bits before the start of base region [PR112889] David Malcolm
2024-05-09 17:42 ` [PATCH 11/21] analyzer: fix deref-before-check false positives due to inlining [PR112790] David Malcolm
2024-05-09 17:42 ` [PATCH 12/21] analyzer: casting all zeroes should give all zeroes [PR113333] David Malcolm
2024-05-09 17:42 ` David Malcolm [this message]
2024-05-09 17:42 ` [PATCH 14/21] analyzer: fix skipping of debug stmts [PR113253] David Malcolm
2024-05-09 17:42 ` [PATCH 15/21] analyzer: fix -Wanalyzer-va-arg-type-mismatch false +ve on int types [PR111289] David Malcolm
2024-05-09 17:42 ` [PATCH 16/21] analyzer: fix -Wanalyzer-deref-before-check false positive seen in loop header macro [PR109251] David Malcolm
2024-05-09 17:42 ` [PATCH 17/21] analyzer: fix ICE due to type mismatch when replaying call summary [PR114473] David Malcolm
2024-05-09 17:42 ` [PATCH 18/21] analyzer: fix ICE and false positive with -Wanalyzer-deref-before-check [PR114408] David Malcolm
2024-05-09 17:42 ` [PATCH 19/21] diagnostics: fix ICE on sarif output when source file is unreadable [PR111700] David Malcolm
2024-05-09 17:42 ` [PATCH 20/21] Fix ICE in -fdiagnostics-generate-patch [PR112684] David Malcolm
2024-05-09 17:42 ` [PATCH 21/21] diagnostics: fix corrupt json/SARIF on stderr [PR114348] David Malcolm
2024-05-13 9:03 ` [pushed 00/21] Various backports to gcc 13 (analyzer, jit, diagnostics) Jakub Jelinek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240509174236.2278921-14-dmalcolm@redhat.com \
--to=dmalcolm@redhat.com \
--cc=gcc-patches@gcc.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).