Subject: Re: [GSoC][Static Analyzer] First proposal draft and a few more questions/requests
From: David Malcolm
To: Shengyu Huang
Cc: GCC Development
Date: Sun, 26 Mar 2023 13:14:14 -0400
In-Reply-To: <0BED8B95-9F1A-4350-A63C-616D31E405C3@gmail.com>
On Sun, 2023-03-26 at 18:03 +0200, Shengyu Huang wrote:
> Hi Dave,
>
> (I forgot to cc the list in the last email and it was too late to
> unsend. Sorry for sending you the same email again.)
>
> > On 20 Mar 2023, at 23:50, David Malcolm wrote:
> >
> > I think if you try the patch to sm.cc above, then you'll see
> > various existing DejaGnu tests below gcc.dg/analyzer will fail with
> > state explosions.
>
> After patching on the latest trunk, the DejaGnu tests report two
> cases with state explosion:
>
> pr93032-mztools-{signed, unsigned}-char.c
>
> I didn't see any cases with ICE though.
>
> In addition, although I did see "warning: terminating analysis for
> this program point…" in the test log, nothing was reported when I ran
> the individual test (with or without gdb)… Did I miss anything?

The warning is coming from -Wanalyzer-too-complex. This is disabled by
default with -fanalyzer, so you won't see it if you try to compile the
.c file "by hand", but the testsuite enables it by default (in
analyzer.exp).

>
> Just by looking at these test files, it seems that it may have to do
> with how the analyzer does path selection, because there are many
> nested conditionals in these two files. As I mentioned in the
> proposal, it would be curious if this state explosion only happens
> for taint analysis, because I don't think there is anything special
> about taint analysis that would cause state explosion (unless there
> is some buggy implementation?).
I had looked into compiling those files with the patch some time ago;
looking at my notes, one issue was with this on-stack buffer:

  char extra[1024];

declared outside the loop. Inside the loop, it gets modified in various
ways:

  extra[0] = '\0';

and

  if (fread(extra, 1, extsize, fpZip) == extsize) {

where the latter means "extra" becomes tainted.

However "extra" is barely used, and is effectively reset each time
through the loop - but the analyzer doesn't figure that out. So the
loop analysis explodes, as it tries to keep track of the possibility
that "extra" is still tainted from previous iteration(s), despite the
fact that it's going to be clobbered before it ever gets used.

So one fix might be to extend the state-purging code so that it
somehow "sees" that "extra" gets clobbered before it gets used, and
thus we can purge the tainted state from it.

Hope that makes sense
Dave

>
> I will look at your latest patch. It seems that there are many useful
> tips that can help me further investigate the internals of analyzer.
> Thanks a lot!
>
> Best,
> Shengyu
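Added example (not code from this thread, nor the gcc testsuite's pr93032-mztools-*.c): a reduced, self-contained C loop with the shape Dave describes above, so the taint-vs-purging question can be looked at on a few dozen lines. A stack buffer "extra" is declared outside the loop, reset at the top of every iteration, filled by fread() (which is what the taint state machine treats as the taint source), and only ever read inside the same iteration. The record layout (one length byte followed by that many payload bytes), the function names count_records/run_example, and the in-memory input built with fmemopen are all assumptions made for this example. Whether the current analyzer actually hits -Wanalyzer-too-complex on this cut-down form has not been verified here; the point is the pattern, in which taint from iteration N can never reach iteration N+1.

```c
/* Constructed example: a minimal loop with a stack buffer that is tainted by
 * fread() each iteration but clobbered before any cross-iteration use.
 * This is not the mztools test file; the record format below is invented. */
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout: 1 length byte, then that many payload bytes.
 * Returns the number of records whose payload starts with 'Z', or -1 on a
 * malformed/truncated stream. */
int count_records(FILE *fp)
{
    char extra[1024];        /* declared outside the loop, as in mztools */
    unsigned char hdr;
    int nrecs = 0;

    while (fread(&hdr, 1, 1, fp) == 1) {
        size_t extsize = hdr;   /* attacker-controlled length from the stream */
        extra[0] = '\0';        /* reset: any taint from the last iteration is dead here */

        if (extsize > sizeof extra)   /* bound the tainted size before using it */
            return -1;

        if (fread(extra, 1, extsize, fp) == extsize) {
            /* "extra" is tainted from this point, but it is consumed only
             * within this iteration and never read after the reset above. */
            if (extsize > 0 && extra[0] == 'Z')
                nrecs++;
        } else {
            return -1;          /* truncated record */
        }
    }
    return nrecs;
}

/* Drives count_records() over a constructed in-memory stream so the
 * example runs offline: three records of lengths 1, 2 and 0. */
int run_example(void)
{
    static unsigned char data[] = {
        1, 'Z',          /* record 1: payload "Z"  -> counted */
        2, 'A', 'Z',     /* record 2: payload "AZ" -> not counted */
        0,               /* record 3: empty payload */
    };
    FILE *fp = fmemopen(data, sizeof data, "r");
    if (!fp)
        return -2;
    int n = count_records(fp);
    fclose(fp);
    return n;
}

int main(void)
{
    printf("records starting with 'Z': %d\n", run_example());
    return 0;
}
```

To look at it with the analyzer the way the testsuite does, compile with the warning switched on explicitly, since -fanalyzer alone leaves -Wanalyzer-too-complex disabled: gcc -fanalyzer -Wanalyzer-too-complex -c example.c. If you then remove the `extra[0] = '\0';` reset, the buffer really can carry tainted data across iterations, which is the case the analyzer's state tracking is right to keep.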