From patchwork Thu Jan 23 02:10:15 2020
X-Patchwork-Submitter: David Malcolm
X-Patchwork-Id: 1227586
Mailing-List: contact gcc-patches-help@gcc.gnu.org; run by ezmlm
From: David Malcolm
To: gcc-patches@gcc.gnu.org
Cc: David Malcolm
Subject: [committed] analyzer: fix ICE due to sm-state origin being purged (PR 93382)
Date: Wed, 22 Jan 2020 21:10:15 -0500
Message-Id: <20200123021015.11408-1-dmalcolm@redhat.com>

The ICE in PR analyzer/93382 is a validation error.

The global variable "idx" acquires a "tainted" state from local array
n1[0].  When the frame is popped, the svalue for n1[0] is purged, but
the "taint" sm_state_map's entry for "idx" has a svalue_id referencing
the now-purged svalue.  This is caught by program_state::validate as an
assertion failure.

This patch fixes the issue by resetting the origin id within sm_state_map
entries for the case where the origin id has been purged.

Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu; pushed to
master as r10-6164-g591b59ebfcd48319452ebbd954267c9a05ba4b78.

gcc/analyzer/ChangeLog:
	PR analyzer/93382
	* program-state.cc (sm_state_map::on_svalue_purge): If the entry
	survives, but the origin is being purged, then reset the origin to
	null.

gcc/testsuite/ChangeLog:
	PR analyzer/93382
	* gcc.dg/analyzer/pr93382.c: New test.
---
 gcc/analyzer/program-state.cc           |  5 +++++
 gcc/testsuite/gcc.dg/analyzer/pr93382.c | 25 +++++++++++++++++++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr93382.c

diff --git a/gcc/analyzer/program-state.cc b/gcc/analyzer/program-state.cc index 72daee6428e..ba19ad1490e 100644 --- a/gcc/analyzer/program-state.cc +++ b/gcc/analyzer/program-state.cc
@@ -453,6 +453,11 @@ sm_state_map::on_svalue_purge (const state_machine &sm, to_remove.safe_push (dst_sid); } + else if ((*iter).second.m_origin.as_int () >= first_unused_sid.as_int ()) + { + /* If the origin svalue is being purged, then reset it to null. */ + (*iter).second.m_origin = svalue_id::null (); + } } int i; diff --git a/gcc/testsuite/gcc.dg/analyzer/pr93382.c b/gcc/testsuite/gcc.dg/analyzer/pr93382.c new file mode 100644 index 00000000000..7d18d16e444 --- /dev/null +++ b/gcc/testsuite/gcc.dg/analyzer/pr93382.c @@ -0,0 +1,25 @@ +typedef __SIZE_TYPE__ size_t; + +int idx; +void *fp; + +size_t +fread (void *, size_t, size_t, void *); + +void +ql (void) +{ + int n1[1]; + + fread (n1, sizeof (n1[0]), 1, fp); /* { dg-message "'n1' gets an unchecked value here" } */ + idx = n1[0]; /* { dg-message "'idx' has an unchecked value here (from 'n1')" */ +} + +int arr[10]; + +int +pl (void) +{ + ql (); + return arr[idx]; /* { dg-warning "use of tainted value 'idx' in array lookup without bounds checking" } */ +}
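Review bot: the new `else if` in sm_state_map::on_svalue_purge silently relies on a null origin comparing below `first_unused_sid.as_int ()` (a null svalue_id carries a negative index), and nothing in the hunk says so; checking `(*iter).second.m_origin.null_p ()` first, or extending the comment to state that a null origin is left untouched, would make the intent explicit and keep the branch correct if the null encoding ever changes. The comment would also benefit from a sentence on why it is acceptable to keep the entry's state while discarding where it came from, which is what the ChangeLog entry implies but does not spell out.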
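Review bot: the directive on the `idx = n1[0];` line of pr93382.c is malformed: `/* { dg-message "'idx' has an unchecked value here (from 'n1')" */` is missing the closing `}` before `*/`, so DejaGnu will not recognise it as a dg-message and that diagnostic goes unchecked, while the other two directives in the file are well-formed. Suggest `/* { dg-message "'idx' has an unchecked value here (from 'n1')" } */`.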
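As an added illustration (not GCC's code) of the purge bug the commit message describes: a toy C++ model of the "taint" sm_state_map in which popping a frame purges every svalue id at or above first_unused_sid; with fix_origin false it reproduces the stale origin that program_state::validate rejects, with it true it applies the patch's reset. The names svalue_id, sm_state_map, on_svalue_purge and validate are borrowed from the analyzer for readability only, their bodies here are simplifications, and pr93382_scenario is a constructed driver mirroring the test case's idx / n1[0] pair.

```cpp
#include <map>

struct svalue_id {   // index into the state's svalue table; -1 means null
  int m_idx;
  static svalue_id null () { return {-1}; }
  int as_int () const { return m_idx; }
};
struct entry_t { int m_state; svalue_id m_origin; };   // taint state + origin svalue
struct sm_state_map {
  std::map<int, entry_t> m_map;   // keyed by svalue index

  // Purge every svalue with index >= first_unused_sid (here: a popped frame's
  // locals).  fix_origin == false reproduces the pre-patch behaviour of PR 93382.
  void on_svalue_purge (svalue_id first_unused_sid, bool fix_origin)
  {
    for (auto iter = m_map.begin (); iter != m_map.end ();)
      {
        if (iter->first >= first_unused_sid.as_int ())
          iter = m_map.erase (iter);   // the tainted value itself is gone
        else
          {
            // The patch's new branch: a surviving entry may still point at a
            // purged origin, which program_state::validate would later reject.
            if (fix_origin
                && iter->second.m_origin.as_int () >= first_unused_sid.as_int ())
              iter->second.m_origin = svalue_id::null ();
            ++iter;
          }
      }
  }

  // Mirror of program_state::validate: no key or origin may reference a purged id
  // (a null origin is -1 and therefore never trips the check).
  bool validate (int num_svalues) const
  {
    for (const auto &kv : m_map)
      if (kv.first >= num_svalues || kv.second.m_origin.as_int () >= num_svalues)
        return false;
    return true;
  }
};
// Constructed scenario from the PR: sid 0 is global "idx", sid 1 is local n1[0]
// (tainted by fread).  Returns whether the state validates once ql()'s frame is popped.
bool pr93382_scenario (bool fix_origin)
{
  sm_state_map taint;
  taint.m_map[1] = {1, svalue_id::null ()};          // n1[0]: tainted, no origin
  taint.m_map[0] = {1, svalue_id{1}};                // idx: tainted, origin = n1[0]
  taint.on_svalue_purge (svalue_id{1}, fix_origin);  // popping the frame purges sid 1
  return taint.validate (1);                         // only sid 0 remains live
}
```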